Categories
Crypto Stuff, ctf, OS, pentest, Uncategorized, Web Attacks

Now from John The Troll (CTF – Africahackon) – Key 2  we have gotten to be Chicken, so the next thing would be getting information about the system.

[+] Kernel
Linux version 3.13.0-55-generic (buildd@brownie) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015
[+] fstab entries
# /etc/fstab: static file system information.
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/sda1 / ext4 defaults 0 0
/dev/sda2 swap swap defaults 0 0
[+] Scheduled cron jobs
-rw-r–r– 1 root root 787 Oct 7 09:37 /etc/crontab
/etc/cron.d:
total 12
drwxr-xr-x 2 root root 4096 Jun 24 2015 .
drwxr-xr-x 77 root root 4096 Oct 7 09:41 ..
-rw-r–r– 1 root root 102 Feb 9 2013 .placeholder
/etc/cron.daily:
total 44
drwxr-xr-x 2 root root 4096 Jun 24 2015 .
drwxr-xr-x 77 root root 4096 Oct 7 09:41 ..
-rw-r–r– 1 root root 102 Feb 9 2013 .placeholder
-rwxr-xr-x 1 root root 15481 Apr 10 2014 apt
-rwxr-xr-x 1 root root 256 Mar 7 2014 dpkg
-rwxr-xr-x 1 root root 372 Jan 22 2014 logrotate
-rwxr-xr-x 1 root root 249 Feb 17 2014 passwd
-rwxr-xr-x 1 root root 328 Jul 18 2014 upstart
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Jun 24 2015 .
drwxr-xr-x 77 root root 4096 Oct 7 09:41 ..
-rw-r–r– 1 root root 102 Feb 9 2013 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Jun 24 2015 .
drwxr-xr-x 77 root root 4096 Oct 7 09:41 ..
-rw-r–r– 1 root root 102 Feb 9 2013 .placeholder
/etc/cron.weekly:
total 16
drwxr-xr-x 2 root root 4096 Jun 24 2015 .
drwxr-xr-x 77 root root 4096 Oct 7 09:41 ..
-rw-r–r– 1 root root 102 Feb 9 2013 .placeholder
-rwxr-xr-x 1 root root 427 Apr 16 2014 fstrim
[+] Environment
CURL_CA_BUNDLE=/opt/bitnami/common/openssl/certs/curl-ca-bundle.crt
GS_LIB=
USER=daemon
LDAPCONF=/opt/bitnami/common/etc/openldap/ldap.conf
SHLVL=4
HOME=/usr/sbin
SSL_CERT_FILE=/opt/bitnami/common/openssl/certs/curl-ca-bundle.crt
OPENSSL_ENGINES=/opt/bitnami/common/lib/engines
FREETDSLOCALES=
_=/usr/bin/python
MAGICK_CONFIGURE_PATH=
OPENSSL_CONF=/opt/bitnami/common/openssl/openssl.cnf
PATH=/opt/bitnami/varnish/bin:/opt/bitnami/sqlite/bin:/opt/bitnami/php/bin:/opt/bitnami/mysql/bin:/opt/bitnami/apache2/bin:/opt/bitnami/common/bin:/sbin:/usr/sbin:/bin:/usr/bin
MAGICK_CODER_MODULE_PATH=
MAGICK_HOME=
FREETDSCONF=
PWD=/opt/bitnami/apps/wordpress/htdocs/wp-content/themes
[+] World Writeable Directories for User/Group ‘Root’
drwxrwxrwt 2 root root 40 Oct 7 09:40 /run/shm
drwxrwxrwt 3 root root 60 Oct 7 09:41 /run/lock
drwxrwxrwx 2 root root 4096 Oct 7 12:22 /opt/bitnami/mysql/tmp
drwxrwxrwx 2 root root 4096 Oct 7 12:22 /opt/bitnami/php/tmp
drwxrwxrwt 2 root root 4096 Nov 13 2015 /var/tmp
drwxrwxrwt 4 root root 4096 Oct 7 13:02 /tmp
drwxrwxrwt 2 root root 4096 Oct 7 09:41 /tmp/.ICE-unix
drwxrwxrwt 2 root root 4096 Oct 7 09:41 /tmp/.X11-unix
[+] SUID/SGID Files and Directories
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 69120 Feb 12 2015 /bin/umount
-rwsr-xr-x 1 root root 94792 Feb 12 2015 /bin/mount
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 36936 Feb 17 2014 /bin/su
-rwxr-sr-x 3 root mail 14592 Dec 3 2012 /usr/bin/mail-touchlock
-rwsr-xr-x 1 root root 47032 Feb 17 2014 /usr/bin/passwd
-rwsr-xr-x 1 root root 32464 Feb 17 2014 /usr/bin/newgrp
-rwxr-sr-x 1 root utmp 421768 Nov 7 2013 /usr/bin/screen
-rwxr-sr-x 3 root mail 14592 Dec 3 2012 /usr/bin/mail-unlock
-rwxr-sr-x 3 root mail 14592 Dec 3 2012 /usr/bin/mail-lock
-rwsr-xr-x 1 root root 41336 Feb 17 2014 /usr/bin/chsh
-rwxr-sr-x 1 root crontab 35984 Feb 9 2013 /usr/bin/crontab
-rwsr-xr-x 1 root root 46424 Feb 17 2014 /usr/bin/chfn
-rwxr-sr-x 1 root shadow 54968 Feb 17 2014 /usr/bin/chage
-rwsr-xr-x 1 root root 68152 Feb 17 2014 /usr/bin/gpasswd
-rwxr-sr-x 1 root shadow 23360 Feb 17 2014 /usr/bin/expiry
-rwxr-sr-x 1 root mail 14856 Dec 7 2013 /usr/bin/dotlockfile
-rwsr-xr-x 1 root root 155008 Mar 12 2015 /usr/bin/sudo
-rwxr-sr-x 1 root ssh 284784 May 12 2014 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 19024 Feb 12 2015 /usr/bin/wall
-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap
drwxrwsr-x 6 root staff 4096 Jun 24 2015 /usr/local/share/xml
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/share/xml/schema
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/share/xml/declaration
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/share/xml/misc
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/share/xml/entities
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/share/ca-certificates
drwxrwsr-x 7 root staff 4096 Jun 24 2015 /usr/local/share/sgml
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/share/sgml/dtd
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/share/sgml/declaration
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/share/sgml/stylesheet
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/share/sgml/misc
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/share/sgml/entities
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/share/fonts
drwxrwsr-x 4 root staff 4096 Jun 24 2015 /usr/local/lib/python2.7
drwxrwsr-x 2 root staff 4096 Nov 13 2015 /usr/local/lib/python2.7/dist-packages
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/lib/python2.7/site-packages
drwxrwsr-x 3 root staff 4096 Jun 24 2015 /usr/local/lib/python3.4
drwxrwsr-x 2 root staff 4096 Jun 24 2015 /usr/local/lib/python3.4/dist-packages
-rwsr-xr-x 1 root root 440416 May 12 2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10240 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
-r-sr-xr-x 1 root root 9532 Nov 13 2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14320 Nov 13 2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 10344 Feb 25 2015 /usr/lib/pt_chown
drwxrwsr-x 2 root staff 4096 Apr 10 2014 /var/local
drwxrwsr-x 2 libuuid libuuid 4096 Jun 24 2015 /var/lib/libuuid
drwxrwsr-x 2 root mail 4096 Jun 24 2015 /var/mail
-rwxr-sr-x 1 root shadow 35536 Jan 31 2014 /sbin/unix_chkpwd
[+] Installed Tools
/usr/bin/awk
/usr/bin/perl
/usr/bin/python
/usr/bin/gcc
/usr/bin/cc
/usr/bin/vi
/usr/bin/find
/bin/netcat
/bin/nc
/usr/bin/wget

The above information helps us abit in articulating an attack based on what we have and it narrows down to the following possibilities:

– Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
– Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby**
– CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
– CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
– MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
– open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
– open-time Capability file_ns_capable() – Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c

This however did not work on any count so we had to resort in improvisation for the trolling has peaked.

What we were seeing was not all real for instance the kernel information. 

In the next article we deal with the improvisation.

Leave a Reply

Your email address will not be published. Required fields are marked *

February 2024
M T W T F S S
 1234
567891011
12131415161718
19202122232425
26272829