I have just finished another VM. The very annoying, but fun, machine called Fuku. As in Fuck you, I guess. It was designed to really mess with the challenger.
Okay, so let’s get started.
So after scanning the machine I saw that all ports were open. But only ssh port 22 was a real service. I tried a few basic password on it, but I got blocket pretty fast. I am guessing some fail2ban serivce. The rest of the ports just outputed a FUKU note. So they were just false positives. So I wrote a python-script to try out every port possible. But that wasn’t easy. First I wrote it to check for the return-length. But that didn’t return anything. So that we quite annoying. And I also added multithread to be able to check the ports faster:
from multiprocessing.dummy import Pool as ThreadPool pool = ThreadPool(2) results = pool.map(testPorts, minArr)
SO then I had to rewrite the script to make a get-request instead. Anyhow, I found the joomla service on port 13370 after a lot of work. And I ran joomscan on it and found a lot of vulnerabilities. Especially a vulnerability that creates a admin-user for you. So I did that. Here is the exploit I used: https://www.exploit-db.com/exploits/6234/
The page was in japanese, but it wasn’t that hard to create the admin-user. But once I was in it was really difficult to understand what was going on. I though I changed the language so many times. And I tried to change it. At one point I thought english had been removed completely just for the sake of FUKU. But in the end I found it.
Then came the next challenge. How to upload a shell. I tried to turn off all forms of editors to be able to insert php, but nothing worked. So I tried to enable ftp, but that didn’t work since that port was already in use. I tried to upload a shell through the media-uploads, but that blocked the code. So after some heacy googeling on how to run php I ended up installning the DirectPhp-plugin. This one: http://www.kksou.com/php-gtk2/joomla/directphp-plugin.php#download
So I uploaded my reverse-shell and got in.
The first thing I wanted to do was to spawn a shell:
$ python -c 'import pty; pty.spawn("/bin/sh")' haha! FUKU! Only root can run that command.
That together with a few other commands was blocked. And since I couldn’t get a tty-shell I was unable to use sudo and su.
So I started to mess around with the mysql-database. Which was quite difficult without a tty-shell. It was really buggy. Oh yeah, I found the mysql-login credencials in configuration.php in /var/www/html. So I looked around in the databse fuku and found gizmos user. So I got the hash and cracked it with hashcat.
hashcat -m 11 -a 0 -o found.txt admin.hash /usr/share/hashcat/rules/rockyou-30000.rule
Only to find that gizmo used the same password to his user as for the database. sillyboy. So that was not so useful. There was also another admin-user and a admin-account in tacacs. “admin ht70zyjHsMl3A”.
So I transfered my enumeration-script and started enumerating. I found that it was a ubuntu-15.04 machine. So I figured to could try the standard overlay-exploits that work on quite a few ubuntus. But gcc was somehow blocked.
www-data@Fuku:/tmp$ gcc exp.c -o exp gcc exp.c -o exp haha! FUKU! Only root can run that command.
So I compiled the the exploit on my machine and then did a wget to transfer it. But it wouldn’t run since www-data lacked certain rights.
Then I got stuck for quite some time. ANd I cheated a bit, just to read the words chrootkit. So I found that program running and I looked for an exploit for it. And found this: https://www.exploit-db.com/exploits/33899/
Pretty crazy exploit. A incredible priv-esc exploit from a program that attempts to stop rootkits. So after a few trial and error with using the exploit I finally just wrote:
echo "echo root:adminadmin | chpasswd" > update
And then I logged in using ssh. But that was after going a bit crazy in trying to get a tty-shell for www-data. So that was it. I got root and the flag.
Yep, this is a flag. It's worth over 9000 Internet points! Random keyboard smash: lkhI6u%RdFEtDjJKIuuiI7i&*iuGf)8$d4gfh%4
In the root-folder was all the programs and rools that I was blocked from using.
19700101 chkrootkit-0.49 flag.txt g++-4.9 gcc-4.9 gcc-ar-4.9 gcc-nm-4.9 gcc-ranlib-4.9 ifconfig mlocate python uname whoami change_ip.sh cpp-4.9 fuku gcc gcc-ar gcc-nm gcc-ranlib id locate portspoof python2.7 which
I spent a lot of time writing the python-script. So that was a good learning-experience. Finding the chrootkit-was probably the hardest. I should have seen that it was a unusual service. All in all a really fun challenge! Thanks https://www.vulnhub.com/author/robert-winkel,190/ Robert Winkel for the machine! Frustrating but fun!