Vulnlab - Control (Chain) - 20/08/2023
Vulnlab Writeup
This is an experimental write-up that I did with AI, I trying to proof-read them as well as I can, but apologies if there are misstakes.
In this challenge, we are presented with two target machines, each offering a different attack surface. The journey begins with a reconnaissance phase, identifying open ports and services through scanning.
Initial Scanning and Discovery
For the intra machine, the open ports discovered were:
22/tcp
for SSH443/tcp
for HTTPS
On the os machine, the ports identified were:
22/tcp
for SSH80/tcp
for HTTP443/tcp
for HTTPS8443/tcp
8444/tcp
Gaining Initial Access
Exploring the os machine’s HTTPS service on port 443
led us to a wiki page hinting at the use of pydio
and osctrl
services. Within this page, we found some valuable information, including a potential default password Sum<redacted>
and a list of user accounts:
- Jimmy George -
j.george
- Ann Rodriguez -
a.rodriguez
- Adriana Larose -
a.larose
- Kara Leblanc -
k.leblanc
- Steven Thibodeau -
s.thibodeau
- Kurt Dagenais -
k.dagenais
- Ken Pare -
k.pare
- Yvon McBride -
y.mcbride
We extracted those users, from the revisions
of each page.
Utilizing the discovered password, we were able to authenticate as users y.mcbride
and k.dagenais
in the pydio
.
CVE 2023-32749
Leveraging CVE 2023-32749, detailed at Exploit Database, we escalated privileges by assigning an admin role to a newly created user. This vulnerability allows attackers to modify user roles, thus granting unauthorized access to sensitive cells within the application.
Extracting Sensitive Information
Within the administrative area, we intercepted a conversation mentioning the creation of a provision
user with the password TeiG6im<redacted>
for testing purposes on the os.control.vl
server. This information provided SSH access as the provision
user, from which we extracted the .ssh
folder for future use.
Pyio’s Chat
@Kara: I added this room to share scripts, outputs, documents for our osquery project and already added some documents.
Also, as discussed I created the provision user on `os.control.vl` with password `TeiG6imee<redacted>` so we can start using your temporary provisioning solution on the first servers for testing.
Database Access and Further Privilege Escalation
On the same machine, a PostgreSQL database was found listening on port 5432
. Accessing the database using the default postgres
user revealed the osctrl
database. Within this database, we targeted the admin_users
table to replace the bcrypt password hash of the admin user with a known hash for the password admin
, facilitating web system login.
UPDATE admin_users
SET pass_hash = '$2a$10$3.g.9xQtpwNpOxYsEXZX...xxMJcttMqcCw5i3imHBGJ6VJfFw41W'
WHERE id = 1;
Final Stages of System Compromise
The osctrl
system can be used to run arbitrary osquery
queries towards the enrolled nodes, with the following query we can list files in a given directory, this is going to be useful for enumerating files in the machine.
SELECT * FROM file WHERE path = '/given/path';
The osctrl
system allowed file extraction from enrolled nodes this feature is called “craving file”. Exploiting this feature, we extracted the .ssh
folder of the user kara
, which contained SSH keys. These keys provided access to the kara
account, which had sudo
privileges, allowing us to switch to the root
user.
Infiltrating the Intra Machine
Investigation on the intra machine revealed that the root
user’s authorized_keys
contained the provision
user’s private key.
The authorized_key
however can be run with only a few commands, stated in the command script in the authorized_keys
.
#!/usr/bin/bash
# (c) 2022-2023 by Kara Leblanc
#
# This is a temporary server provision wrapper for control.vl unix servers.
#
# For security reasons the provisioning ssh key is only allowed to run
# this script and not all commands on the machine.
# This script will only allow to run commands that are contained in special
# modules in the modules/ directory. Despite being highly secure there are
# probably better solutions to our problem but we need to evaluate them. We
# will therefore stick with this script for now.
set -- $SSH_ORIGINAL_COMMAND
if [[ -n $1 ]] ; then
module=$(basename ${1})
shift
if [[ -f /opt/provision/modules/$module && -x /opt/provision/modules/$module ]] ; then
exec "/opt/provision/modules/$module" "$@"
fi
fi
The executable commands are:
prov_osqd
prov_df
prov_uname
Among the executable commands, prov_osqd
stood out. This script, intended for enrolling systems, could be abused to execute a reverse shell by intercepting the curl
request for enroll.sh
and replacing it with a malicious script.
prov_osqd
script
#!/usr/bin/bash
if [[ -z $1 || -z $2 ]] ; then
echo "Missing options." >&2
exit 42
curl -sk https://os.control.vl/${1}/${2}/enroll.sh | bash
Exploitation Summary
To exploit prov_osqd
, the following steps were executed:
- Stopped the
nginx
service on the os machine. - Modified the
nginx
configuration to proxy traffic to a local Python server on port8000
. - Created nested folders on the Python server to mimic the expected path and placed a malicious
enroll.sh
script containing a reverse shell. - Triggered
prov_osqd
with arbitrary arguments, resulting in the execution of the reverse shell script.
This comprehensive approach allowed us to gain root privileges on the intra system.