Overview
Orcus is a boot-to-root (B2R) virtual machine designed for students to practice vulnerability analysis and exploitation. The objective is to root the virtual machine by exploiting its vulnerabilities, leading to full system compromise.
Lab Setup:
- VMware Workstation for the virtual machines
- Kali Linux VM in bridged mode
- Orcus in bridged mode
Tools Used:
- Kali Linux VM
- netdiscover
- nmap
Vulnerabilities Exploited:
- Backup misconfiguration
- Password reuse
- NFS Share misconfiguration
Reconnaissance
#netdiscover
Target VM IP Address: 192.168.8.102
Scanning
nmap
nmap -p- -A 192.168.8.103
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-24 13:14 EDT
Nmap scan report for 192.168.8.103
Host is up (0.00060s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
| 256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
|_ 256 c9:a9:c9:0d:df:7c:fc:a7:da:87:ef:d3:38:c3:f2:a6 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php
| /exponent_version.php /getswversion.php /login.php /overrides.php
| /popup.php /selector.php /site_rss.php /source_selector.php
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL RESP-CODES STLS PIPELINING AUTH-RESP-CODE UIDL CAPA TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 47598/udp mountd
| 100005 1,2,3 51949/tcp mountd
| 100021 1,3,4 34636/udp nlockmgr
| 100021 1,3,4 41196/tcp nlockmgr
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: more LITERAL+ ENABLE have STARTTLS listed LOGINDISABLEDA0001 SASL-IR Pre-login capabilities LOGIN-REFERRALS IDLE ID IMAP4rev1 OK post-login
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
443/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
| 256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
|_ 256 c9:a9:c9:0d:df:7c:fc:a7:da:87:ef:d3:38:c3:f2:a6 (ED25519)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: LITERAL+ ENABLE more have listed ID AUTH=PLAINA0001 Pre-login capabilities LOGIN-REFERRALS IDLE SASL-IR IMAP4rev1 OK post-login
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) RESP-CODES AUTH-RESP-CODE PIPELINING USER UIDL CAPA TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
2049/tcp open nfs_acl 2-3 (RPC #100227)
41196/tcp open nlockmgr 1-4 (RPC #100021)
45279/tcp open mountd 1-3 (RPC #100005)
51267/tcp open mountd 1-3 (RPC #100005)
51949/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:0C:29:D5:A5:B6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: \x00
| NetBIOS computer name: ORCUS\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2018-05-24T13:14:30-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-05-24 13:14:31
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.60 ms 192.168.8.103
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.21 seconds
Exploit path 1 for shell
Let's explore the website in a browser.
There is no obvious entry point into the application, so let's use DirBuster to enumerate other directories on the server.
Found a /backups/ directory.
Downloaded and decompressed the backup archive.
Database credentials found.
Let's log in to phpMyAdmin with these credentials.
The zenphoto database name suggests there may be a zenphoto directory on the server as well.
The zenphoto directory contains just the framework, which is not installed. Using the database credentials found in the backups, I installed ZenPhoto and logged in. I enabled the elFinder plugin to upload a shell.
The elFinder plugin is enabled, so we can upload arbitrary files. Let's create "file.php"
and paste in the reverse PHP shell code, configuring the attacking machine's IP address as the connection listener/handler. Files are uploaded to the uploaded directory, so the complete path becomes http://192.168.8.103/zenphoto/uploaded/file.php.
On the attacking machine, listen for the nc connection on port 1234.
Copy the link to file.php.
I will open the file.php link in a browser to execute the PHP shell.
Shell connection received.
Breaking out of the shell jail with:
python -c "import pty; pty.spawn('/bin/bash');"
Let's read the first flag.txt.
Priv Escalation
The nmap output shows NFS is enabled on the target box. Since we already have a limited shell, we can view /etc/exports: it exposes /tmp over the network with no_root_squash to anyone, with read/write permissions; in fact, very loose permissions.
If you are not familiar with setuid, setgid and the sticky bit, these are very helpful resources.
On Kali Linux, let's confirm that the NFS share is exposed. As you can see, /tmp is exported.
By default the showmount command is not available on Kali Linux, so I had to install the nfs-common package.
#apt-get install nfs-common
Let's mount the NFS share.
Let's exploit the setuid bit mechanism to get superuser privileges.
Our shell.c code will set the uid and gid to root at runtime. Will the target Linux box allow our shell to change to the root uid? Yes, because of the no_root_squash option in /etc/exports. So we will turn on the setuid bit on the executable shell binary on Kali Linux inside the NFS directory, and execute that root shell on the server from the limited PHP shell.
Let's compile shell.c for the 32-bit target Linux machine, turn on the setuid bit with chmod 4777, and confirm that it is set with "ls -l".
My Kali machine is 64-bit and the Orcus VM is 32-bit, so I had to install the development environment for the 32-bit architecture.
#apt-get install g++-multilib libc6-dev-i386
Here is a link that will help you compile a 32-bit binary on a 64-bit machine.
https://www.cyberciti.biz/tips/compile-32bit-application-using-gcc-64-bit-linux.html
Now the last step is to execute that shell binary on the target box.
Congrats! We are root. Let's read flag.txt.
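As a defender-side counterpart to the export misconfiguration described above, here is an added example (my own code, not part of the original write-up or the Orcus VM): a small Python auditor that parses an /etc/exports file the way exportfs reads it, applies the root_squash and ro defaults, and flags the combination this box was rooted through. The sample exports text is constructed, not taken from the VM.

```python
# Constructed sample in the style of the Orcus /etc/exports (not copied from the
# VM): /tmp handed to every host, read-write, with root squashing disabled.
SAMPLE_EXPORTS = """
# /etc/exports -- constructed sample
/tmp *(rw,no_root_squash)
/srv/share 192.168.8.0/24(ro,root_squash,sync)
/home/backup 192.168.8.5(rw)
"""

DEFAULTS = {"root_squash": True, "rw": False}  # exports(5) defaults when an option is unset


def parse_exports(text: str) -> list:
    """Return [(path, [(client, effective_options), ...]), ...] for each export line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        # exportfs treats a missing client list as "*" (every host), so model it that way.
        tokens = parts[1].split() if len(parts) > 1 else ["*"]
        clients = []
        for token in tokens:
            client, _, opts = token.partition("(")  # "*(rw,no_root_squash)" -> "*", "rw,...)"
            eff = dict(DEFAULTS)
            for opt in filter(None, opts.rstrip(")").split(",")):
                if opt in ("root_squash", "no_root_squash"):
                    eff["root_squash"] = opt == "root_squash"
                elif opt in ("rw", "ro"):
                    eff["rw"] = opt == "rw"
            clients.append((client, eff))
        entries.append((parts[0], clients))
    return entries


def audit_exports(text: str) -> list:
    """Flag the export settings that made the Orcus /tmp share exploitable."""
    findings = []
    for path, clients in parse_exports(text):
        for client, eff in clients:
            issues = []
            if client == "*":
                issues.append("exported to every host")
            if not eff["root_squash"]:
                issues.append("no_root_squash keeps a remote uid 0 as root on the export")
            if eff["rw"] and not eff["root_squash"]:
                issues.append("rw with no_root_squash lets a client plant a setuid-root binary")
            if issues:
                findings.append(f"{path} -> {client}: " + "; ".join(issues))
    return findings
```

The fix for the flagged line is to drop no_root_squash, restrict the client to specific hosts or a subnet, and not export /tmp at all.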
Conclusion:
This is a great Boot2Root VM. I learned a lot rooting it and enjoyed it.