Categories
Capture the Flag Walkthroughs

Wintermute – Straylight


Well, we meet again. I’ve been working on this vulnerable machine for a few weeks. I didn’t have as much time to focus on it completely. Honestly, this is probably the capture-the-flag that I’ve had the most fun completing because it involved some pivoting to a network unavailable to my machine. The theme was also helpful in creating some custom wordlists. I’m going to split this walkthrough into two parts; otherwise, this post would be rather long. Straylight is the machine that is visible to my attacker machine. Neuromancer is not. So, the second post will contain Neuromancer in the title. Like the machines before it, these machines came from Vulnhub [https://vulnhub.com] with many thanks to [creosote]. Without further ado, let’s get started.

Passive


I began my research for this vulnerable machine a little differently than the previous two machines. Since creosote mentions the book, Neuromancer, in his description, I decided to visit the Wikipedia page to build a custom wordlist based around the book’s plot.

After that, I resume my usual process of monitoring the amount of traffic sent from my machine to the target machine. If you want to see how I monitor my own traffic, you can check out my previous blog posts at https://cipherhound.com/blog/fowsniff/ or https://cipherhound.com/blog/enter-the-matrix/. After taking note of the headers received from the target machine, I moved on to checking the site in the browser.

The initial landing page was a quote from the book and the javascript on the next page displayed text similar to the plot. I examined the source code of the two pages, but could not find anything that gave me additional information. Using my smaller custom wordlist, I decided to use DIRB to scan Straylight for any directories that I couldn’t see from my vantage point. DIRB is a web content scanner that can be used as a dictionary attack against web servers. It’s useful in finding available or hidden directories.

Active


As you can see above, my wordlist allowed me to find a directory based on a space habitat for the wealthy in the book. Although it was a new directory and I was excited to have found possible new information, I was left frustrated as it did not lead me any further in my pursuit to compromise the machine. I performed a more comprehensive scan using DIRB, but I had no luck. On a side note, the larger wordlist provided with DIRB found the “/freeside/” directory as well. I decided to perform a full port scan on the target machine. This scan gave me more information about a SMTP mail port on the target machine and Mongoose httpd running on port 3000. Mongoose is a cross-platform lightweight embedded web server designed by Cesanta.

After navigating to the Mongoose port, I was happy to find an installation of ntopng, an encrypted network traffic probe designed to provide the user with insight into traffic flows, available with default credentials on the login page. Logging in as admin allowed me to see interfaces on the machine and web flows. If I had not known beforehand, the “interfaces” dashboard would have provided me with information about the machine’s second interface on an unavailable network. The “Flows” dashboard directed me to another directory available on Straylight: “/turing-bolo/”.

Following the plot of the book, this page provides a form with which to find information on known enemies of the Tessier-Ashpool Company. Using BurpSuite on this page identifies a possible local file inclusion vulnerability on the “bolo” GET parameter.




Vulnerability Analysis


I noticed that the files that were being pulled by “bolo.php” were in the same directory and all ended in log. Using “/var/www/html/turing-bolo/riviera” in the “bolo” parameter still populated the page with the information about Riviera so “.log” must have been appended to the name. If I could inject PHP code into a log file readable by the web user, I could use local file inclusion to create a webshell to Straylight. Unfortunately, I could not read the web logs. However, I remembered that Straylight had an open SMTP port with Postfix. Usually the Postfix log is located at “/var/log/mail.log”.

Exploit


Connecting to the SMTP port and using the available VRFY command to inject PHP into the mail log allowed me to verify that the code would be executed on the “bolo.php” page. Using this information, I was able to leverage that vulnerability into an exploit that would grant me limited privileges on the target machine.

Post Exploit


I spent a LOT of time looking for a way to escalate my privileges on Straylight. I searched for cronjobs that could be running with higher privileges that I may be able to modify. I searched for users and files that were owned by more privileged users that were writable. I was close to giving up. I was stuck so I searched for help and found something on screen-4.5.0.

According to the bug, screen-4.5.0 is vulnerable because the logfile created when using the “-L” flag is created with root privileges. The proof of concept exploit uses this information by creating a “/etc/ld.so.preload” file. This file is a replacement for the LD_PRELOAD environtment variable which is a user-supplied list of libraries that the user wishes to load before any other. This allows a user to replace calls to real functions with calls to their own functions. Since this is a security threat, LD_PRELOAD ignores preload paths with slashes if the ELF binaries have setuid/setguid bits set and only loads libraries in standard search paths if they have those bits set as well. The “/etc/ld.so.preload” workaround assumes that if a user can write to the “/etc/” directory, then the user already has root privileges; screen-4.5.0 does this for the attacker. In the second image, the exploit builds a constructor that is loaded when the “/tmp/rootshell” binary is called. It changes the file’s ownership to root, sets the executable bit, and “removes” the “/etc/ld.so.preload” file. In the third image, the “/tmp/rootshell” exploit is built with root privileges and “/bin/sh” is called. Finally the exploit is executed and “/tmp/rootshell” is called; loading the library, contstuctor, and launching the shell. I needed to make a few small changes to the exploit for my sanity. I modified the “screen” call with absolute paths to the vulnerable version.

After sending the exploit to Straylight via a netcat tunnel, we can execute the exploit. Getting root grants me access to information that can be used when pivoting to Neuromancer.

Thanks for taking the time to read my post about Straylight. It’s still one of my favorite vulnerable machines. In my next post, I’ll write about pivoting to Neuromancer.

As usual, I offer a big thank you to creosote for creating this vulnerable machine!

Photo by Alex Knight on Unsplash