Rooting Orcus Walkthrough

Overview

Orcus is a Boot2Root (B2R) virtual machine designed for students to practice vulnerability analysis and exploitation. The objective is to root the virtual machine by exploiting its vulnerabilities, leading to full system compromise.

Lab Setup:

  • VMWare workstation for Virtual Machines
  • Kali Linux VM in Bridge mode
  • Orcus in Bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap

Vulnerabilities Exploited:

  • Backup misconfiguration
  • Password reuse
  • NFS Share misconfiguration

Reconnaissance

#netdiscover

Target VM IP Address: 192.168.8.102

Scanning

nmap

nmap -p- -A 192.168.8.103

Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-24 13:14 EDT
Nmap scan report for 192.168.8.103
Host is up (0.00060s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|   256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
|_  256 c9:a9:c9:0d:df:7c:fc:a7:da:87:ef:d3:38:c3:f2:a6 (ED25519)
53/tcp    open  domain      ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php
| /exponent_version.php /getswversion.php /login.php /overrides.php
| /popup.php /selector.php /site_rss.php /source_selector.php
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL RESP-CODES STLS PIPELINING AUTH-RESP-CODE UIDL CAPA TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      47598/udp  mountd
|   100005  1,2,3      51949/tcp  mountd
|   100021  1,3,4      34636/udp  nlockmgr
|   100021  1,3,4      41196/tcp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd
|_imap-capabilities: more LITERAL+ ENABLE have STARTTLS listed LOGINDISABLEDA0001 SASL-IR Pre-login capabilities LOGIN-REFERRALS IDLE ID IMAP4rev1 OK post-login
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
443/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|   256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
|_  256 c9:a9:c9:0d:df:7c:fc:a7:da:87:ef:d3:38:c3:f2:a6 (ED25519)
445/tcp   open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    Dovecot imapd
|_imap-capabilities: LITERAL+ ENABLE more have listed ID AUTH=PLAINA0001 Pre-login capabilities LOGIN-REFERRALS IDLE SASL-IR IMAP4rev1 OK post-login
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) RESP-CODES AUTH-RESP-CODE PIPELINING USER UIDL CAPA TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
2049/tcp  open  nfs_acl     2-3 (RPC #100227)
41196/tcp open  nlockmgr    1-4 (RPC #100021)
45279/tcp open  mountd      1-3 (RPC #100005)
51267/tcp open  mountd      1-3 (RPC #100005)
51949/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:0C:29:D5:A5:B6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: \x00
|   NetBIOS computer name: ORCUS\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2018-05-24T13:14:30-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2018-05-24 13:14:31
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.60 ms 192.168.8.103

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.21 seconds

Exploit path 1 for shell

Let's explore the website in a browser.

There is no obvious entry point into the application. Let's use DirBuster to find other directories on the server.

Found a /backups/ directory.
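From the defender's side, the directory brute-forcing that turned up /backups/ is loud: one client produces a burst of 404s in the web server's access log, and the few non-404 responses in that burst are exactly the directories it discovered. The following script is an added example, not part of the original post; it runs over a constructed Apache combined-format log written inline (the client addresses 192.168.8.50 and 192.168.8.77 and the request lines are made up). Point flag_scanners at a real /var/log/apache2/access.log to use it for real.

```shell
#!/bin/sh
# Detect directory brute-forcing (DirBuster-style) in an Apache combined access log.
# Added example for this walkthrough; not code from the original post.

# Write a constructed sample log to a temp file and print its path.
# The IPs, paths and user agents below are made up for the example.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
192.168.8.50 - - [24/May/2018:13:20:01 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.168.8.77 - - [24/May/2018:13:21:03 -0400] "GET /admin/ HTTP/1.1" 404 275 "-" "DirBuster-1.0-RC1"
192.168.8.77 - - [24/May/2018:13:21:03 -0400] "GET /images/ HTTP/1.1" 404 275 "-" "DirBuster-1.0-RC1"
192.168.8.77 - - [24/May/2018:13:21:04 -0400] "GET /test/ HTTP/1.1" 404 275 "-" "DirBuster-1.0-RC1"
192.168.8.77 - - [24/May/2018:13:21:04 -0400] "GET /backups/ HTTP/1.1" 200 1432 "-" "DirBuster-1.0-RC1"
192.168.8.77 - - [24/May/2018:13:21:05 -0400] "GET /old/ HTTP/1.1" 404 275 "-" "DirBuster-1.0-RC1"
192.168.8.77 - - [24/May/2018:13:21:05 -0400] "GET /tmp/ HTTP/1.1" 404 275 "-" "DirBuster-1.0-RC1"
192.168.8.50 - - [24/May/2018:13:22:10 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Print "<ip> <404s> <total hits>" for every client whose 404 count reaches
# the threshold.  In the combined format $1 is the client IP and $9 the status.
# $1 = log file, $2 = 404 threshold (default 5)
flag_scanners() {
    awk -v thr="${2:-5}" '
        { hits[$1]++; if ($9 == 404) miss[$1]++ }
        END { for (ip in miss) if (miss[ip] >= thr) print ip, miss[ip], hits[ip] }
    ' "$1"
}

# Print the paths a given client reached with a 2xx/3xx status ($7 is the
# request path): for a flagged scanner these are the directories it found.
# $1 = log file, $2 = client IP
found_paths() {
    awk -v ip="$2" '$1 == ip && $9 ~ /^[23]/ { print $7 }' "$1"
}

# Example run:
#   log=$(make_sample_log)
#   flag_scanners "$log"                 # 192.168.8.77 5 6
#   found_paths "$log" 192.168.8.77      # /backups/
```

A threshold of five 404s is low enough to catch a short wordlist run but high enough to ignore a browser asking for a missing favicon; tune it to the site's normal 404 rate. The second function is the useful follow-up: whatever a flagged client got a 200 for is what it now knows about, and /backups/ under a web root is a finding in its own right.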

Downloaded and decompressed the backup.

Database credentials found.

Let's log in to phpMyAdmin with these credentials.

The zenphoto database name suggests there may also be a zenphoto directory on the server.

The zenphoto directory contains just the framework, which is not yet installed. Using the database credentials found in the backup, I installed zenphoto and logged in. I then enabled the elFinder plugin to upload a shell.

With the elFinder plugin enabled, we can upload arbitrary files. Let's create "file.php" and paste in the PHP reverse shell code, configuring the attacking machine's IP address as the connection listener/handler. Files are uploaded into the uploaded directory, so the complete path becomes http://192.168.8.103/zenphoto/uploaded/file.php.

On the attacking machine, listen for the nc connection on port 1234.

Copy the link to file.php.

I will open the file.php link in the browser to execute the PHP shell.

Shell connection received.

Break out of the restricted shell with:

python -c "import pty; pty.spawn('/bin/bash');"

Let's read the first flag.txt.

Priv Escalation

The nmap output shows NFS is enabled on the target box. Since we already have a limited shell, we can view /etc/exports: it exports /tmp over the network to anyone, read-write, with no_root_squash; in fact, very loose permissions.

If you are not familiar with setuid, setgid and the sticky bit, these are very helpful resources:

On Kali Linux, let's confirm that the NFS share is exposed. As you can see, /tmp is exposed.

By default the showmount command is not available on Kali Linux, so I had to install the nfs-common package.

#apt-get install nfs-common

Let's mount the NFS share.

Let's exploit the setuid bit mechanism to get superuser privileges.

So, our shell.c code will set the uid and gid to root at runtime. Will the target Linux box allow our shell to change to the root uid? Yes, because of the no_root_squash option in /etc/exports. So we turn on the setuid bit on the executable shell binary on Kali Linux, inside the mounted NFS directory, and execute that root shell on the server from the limited PHP shell.

Let's compile shell.c for the 32-bit target Linux machine, turn on the setuid bit with chmod 4777, and confirm the setuid bit is on with "ls -l".

My Kali machine is 64-bit and the Orcus VM is 32-bit, so I had to install the development environment for the 32-bit architecture.
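The whole escalation rests on two server-side settings: an export that any host can mount read-write, and no_root_squash, which lets a remote root create root-owned setuid files inside it. As an added example (not code from the original post), here is a small audit a defender would run on the NFS server: it flags exactly that pattern in an /etc/exports file and lists setuid files under a given directory, which is what a planted shell binary in /tmp looks like from the server side. The exports file it checks is constructed inline; the hosts 192.168.8.0/24 and 192.168.8.50 and the paths in it are assumptions, not the Orcus VM's real configuration.

```shell
#!/bin/sh
# Audit /etc/exports for world-mountable, read-write, no_root_squash exports and
# list setuid files under an exported directory.
# Added example for this walkthrough; not code from the original post.

# Write a constructed exports file to a temp file and print its path.
# The first line mirrors the misconfiguration exploited above; the other two
# are hardened examples with made-up hosts and paths.
make_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real /etc/exports
/tmp *(rw,sync,no_root_squash,no_subtree_check)
/srv/share 192.168.8.0/24(ro,sync,root_squash,no_subtree_check)
/home/backup 192.168.8.50(rw,sync,no_subtree_check)
EOF
    echo "$f"
}

# Print one finding per line: "<path> <client> <problem>".
# Each export line is "<path> <client>(<opts>) [<client>(<opts>) ...]".
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                           # comments, blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)/)) {            # split "host(opts)"
                    opts   = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") client = "*"            # bare "(opts)" = any host
                if (client == "*")
                    print path, client, "mountable_by_any_host"
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    print path, client, "no_root_squash"
                if (opts ~ /(^|,)rw(,|$)/ && client == "*")
                    print path, client, "world_writable"
            }
        }' "$1"
}

# Number of findings, so a cron job or CI check can fail on a non-zero value.
count_findings() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# List regular files with the setuid bit under a directory, one per line
# (empty output if none).  Run this against an exported /tmp.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Example run:
#   f=$(make_sample_exports); audit_exports "$f"; count_findings "$f"   # 3 findings
#   find_setuid /tmp
```

The hardened form of the risky line restricts the client and keeps root squashed, for example /tmp 192.168.8.0/24(rw,sync,root_squash,no_subtree_check) (root_squash is already the default, so the finding only fires when no_root_squash is written explicitly). Independently of the export, mounting /tmp on the server with the nosuid option makes the kernel ignore the setuid bit there, so a binary planted through the share no longer runs as root even if the export is never fixed.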

#apt-get install g++-multilib libc6-dev-i386

This link will help you compile a 32-bit binary on a 64-bit machine:

https://www.cyberciti.biz/tips/compile-32bit-application-using-gcc-64-bit-linux.html

Now the last step is to execute that binary shell on the target box.

Congrats! We are root. Let's read flag.txt.

Conclusion:

This is a great Boot2Root VM. Rooting it, I learned and enjoyed a lot.
