Safetech Blog - Security Tips and Tricks


by Oana Stoian

Fuku Writeup

There are many ways to exploit Fuku, a machine that is not so easy to compromise, at least not for the impatient, as it has some interesting defense mechanisms. Some of them you will discover below, some of them I'll let you discover 🙂

Today, I’ll show you my way.


First of all, a scan to discover all open ports is needed, so I used nmap.

nmap -A -sV -v -p- 172.16.100.61

[screenshot: nmap output]

It seems that all ports are open.

Trying with netcat on some random ports reveals that the messages returned are very similar on each of them; only the reported version of Apache varies a little.

It is clear that this machine is configured to mislead and make an attacker’s life harder when trying to discover running network services.

Since nmap seems useless here, it is time to try other alternatives.

Thinking that there was a good chance the vulnerable machine was running some web application, I fired up wfuzz. The only "unusual" part this time is that we will not fuzz directories and files, but ports instead:

[screenshot: wfuzz output]

After some waiting we got our port: 13370

Another tool for port scanning is amap, known as the first tool to perform application protocol detection. While it has been superseded by nmap over the years, amap's authors mention that "in some circumstances amap will yield better results, but these are rare", so I gave it a chance:

amap -b1q 172.16.100.61 1-65535 | grep -v FUKU

[screenshot: amap output]

Amap proved to be very useful and helped me identify the open ports where nmap and other scanners failed.

On the host, port 13370 is running a web application which is easily identified as Joomla CMS.

[screenshot: Joomla site]

One thing to note as well: in robots.txt, a file caught my attention, flag.txt, with the following contents:

[screenshot: flag.txt contents]

After a quick look-over we can see that the web application is using a plugin for playing media content, HD FLV Player, which has known vulnerabilities described in:

https://www.exploit-db.com/exploits/35220/

https://www.exploit-db.com/exploits/33673/

Also, after running the joomscan tool against the website, other vulnerabilities that could be exploited are revealed, for example:

[screenshot: joomscan output]

I decided to go further with the HD FLV Player exploit first, to see if this would give me access to the system.

According to the exploit-db technical details, this Joomla component suffers from multiple SQL injection vulnerabilities, so we will fire up sqlmap to see if this instance of HD FLV Player is exploitable.

After some waiting we finally have some usernames and hashes from the Joomla database:

[screenshot: sqlmap output with usernames and hashes]

Now, let's crack the hashes. For this we will use the hashcat password cracking tool with the rockyou dictionary.

In a short time, the password for the gizmo user is identified: sillyboy.

We take our chances and try to authenticate to the Joomla administrative panel with these credentials and... bingo, we are lucky 🙂 gizmo is Super Administrator.

[screenshot: Joomla user gizmo with Super Administrator role]

Following our path to gain full control over the machine, we need to obtain remote code execution, which is an easy job when holding full privileges on the Joomla Control Panel.

One way to achieve this is to insert some custom PHP code into one of the default template's files.

[screenshot: Joomla template editor]

Now that we can execute commands on the operating system, we'll open a reverse shell.

After some failed tries with netcat, we are forced to use an alternate way to open a reverse connection. Following the excellent blog post by Bernardo Damele, Reverse shell one-liners (http://bernardodamele.blogspot.nl/2011/09/reverse-shells-one-liners.html), we use the Perl method to get our shell.

Now that we have shell access to the vulnerable machine, we’ll need to find a way to escalate our privileges to root.

After some time spent enumerating various system information, we found out that an unusual process is being run by root.

[screenshot: chkrootkit process running as root]

Looking for known vulnerabilities of the chkrootkit tool, we found that there is indeed an easy exploit that might help us gain root.

All we need to do is create a file /tmp/update, place our commands in it, and wait some time for it to be executed as root by chkrootkit.

There are many ways to obtain root access from here, one of them being to replace root's password hash in /etc/shadow with the hash of a password that we know.

After some waiting, 5 minutes or so, we try to log in over ssh as root with our known password and... yesssss, it works 🙂

Now all we have to do is list the contents of the flag.txt file, which resides in the /root directory:

[screenshot: root shell displaying /root/flag.txt]
