Walkthrough Fuku

I have just finished another VM. The very annoying, but fun, machine called Fuku. As in Fuck you, I guess. It was designed to really mess with the challenger.

Okay, so let’s get started.

So after scanning the machine I saw that all ports were open. But only ssh port 22 was a real service. I tried a few basic password on it, but I got blocket pretty fast. I am guessing some fail2ban serivce. The rest of the ports just outputed a FUKU note. So they were just false positives. So I wrote a python-script to try out every port possible. But that wasn’t easy. First I wrote it to check for the return-length. But that didn’t return anything. So that we quite annoying. And I also added multithread to be able to check the ports faster:

from multiprocessing.dummy import Pool as ThreadPool
pool = ThreadPool(2)
results = pool.map(testPorts, minArr)

SO then I had to rewrite the script to make a get-request instead. Anyhow, I found the joomla service on port 13370 after a lot of work. And I ran joomscan on it and found a lot of vulnerabilities. Especially a vulnerability that creates a admin-user for you. So I did that. Here is the exploit I used: https://www.exploit-db.com/exploits/6234/

The page was in japanese, but it wasn’t that hard to create the admin-user. But once I was in it was really difficult to understand what was going on. I though I changed the language so many times. And I tried to change it. At one point I thought english had been removed completely just for the sake of FUKU. But in the end I found it.

Then came the next challenge. How to upload a shell. I tried to turn off all forms of editors to be able to insert php, but nothing worked. So I tried to enable ftp, but that didn’t work since that port was already in use. I tried to upload a shell through the media-uploads, but that blocked the code. So after some heacy googeling on how to run php I ended up installning the DirectPhp-plugin. This one: http://www.kksou.com/php-gtk2/joomla/directphp-plugin.php#download

So I uploaded my reverse-shell and got in.

The first thing I wanted to do was to spawn a shell:

$ python -c 'import pty; pty.spawn("/bin/sh")'
haha! FUKU! Only root can run that command.

That together with a few other commands was blocked. And since I couldn’t get a tty-shell I was unable to use sudo and su.

So I started to mess around with the mysql-database. Which was quite difficult without a tty-shell. It was really buggy. Oh yeah, I found the mysql-login credencials in configuration.php in /var/www/html. So I looked around in the databse fuku and found gizmos user. So I got the hash and cracked it with hashcat.

hashcat -m 11 -a 0 -o found.txt admin.hash /usr/share/hashcat/rules/rockyou-30000.rule

Only to find that gizmo used the same password to his user as for the database. sillyboy. So that was not so useful. There was also another admin-user and a admin-account in tacacs. “admin ht70zyjHsMl3A”.

So I transfered my enumeration-script and started enumerating. I found that it was a ubuntu-15.04 machine. So I figured to could try the standard overlay-exploits that work on quite a few ubuntus. But gcc was somehow blocked.

www-data@Fuku:/tmp$ gcc exp.c -o exp
gcc exp.c -o exp
haha! FUKU! Only root can run that command.

So I compiled the the exploit on my machine and then did a wget to transfer it. But it wouldn’t run since www-data lacked certain rights.

Then I got stuck for quite some time. ANd I cheated a bit, just to read the words chrootkit. So I found that program running and I looked for an exploit for it. And found this: https://www.exploit-db.com/exploits/33899/
Pretty crazy exploit. A incredible priv-esc exploit from a program that attempts to stop rootkits. So after a few trial and error with using the exploit I finally just wrote:

echo "echo root:adminadmin | chpasswd" > update

And then I logged in using ssh. But that was after going a bit crazy in trying to get a tty-shell for www-data. So that was it. I got root and the flag.

Yep, this is a flag. It's worth over 9000 Internet points!
Random keyboard smash: lkhI6u%RdFEtDjJKIuuiI7i&*iuGf)8$d4gfh%4

In the root-folder was all the programs and rools that I was blocked from using.

19700101      chkrootkit-0.49  flag.txt  g++-4.9  gcc-4.9  gcc-ar-4.9  gcc-nm-4.9  gcc-ranlib-4.9  ifconfig  mlocate    python     uname  whoami
change_ip.sh  cpp-4.9          fuku      gcc      gcc-ar   gcc-nm      gcc-ranlib  id              locate    portspoof  python2.7  which

Conclusion

I spent a lot of time writing the python-script. So that was a good learning-experience. Finding the chrootkit-was probably the hardest. I should have seen that it was a unusual service. All in all a really fun challenge! Thanks https://www.vulnhub.com/author/robert-winkel,190/ Robert Winkel for the machine! Frustrating but fun!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s