CyberSecLabs "Unroot" Machine - Finally a User named after me!
Hey everyone! Today we will be working on "Unroot" from CyberSecLabs (https://www.cyberseclabs.co.uk/labs/beginner-labs). This is a neat machine that showcases a serious developer misconfiguration and oversight, with a final privilege escalation mechanism that gives you first-hand experience with a newer vulnerability. I'm trying to get this out before I showcase it live (the machine won't be released for a few hours after this). So let's get started!
Scanning
Let's kick things off with our Nmap and Nmap -A scan.
nmap 172.31.1.17
nmap -A -p22,80 172.31.1.17
We have SSH running as well as a web server, which is pretty straightforward. Let's head to the enumeration phase to learn more.
Enumeration
If we navigate to the IP address of the web server we are met with a phpMyAdmin login page. Basic credentials were unsuccessful, so let's do some directory busting to see if we can find anything else on the server.
python3 dirsearch.py -u 172.31.1.17 -e php,cgi,html,txt,exe -x 400,401,403 -r -R 3 -t 100
We discover a bunch of different directories, but the one that stands out is the /dev/ directory. If we check that out, we get a directory menu.
Dev directory menu
If we click on info.php we get the basic PHP information window.
php info window
However, if we traverse to ping-test.php we get a page with a user input field that we can use to send pings, and possibly other commands. A ping-test page is common in development so that developers can test functionality and connectivity. Human error is also possible, and these pages can be forgotten about and left on a production server.
ping page
Exploitation
We can test functionality of the page first by simply using it for what it's meant to do. Let's insert our own IP address and try to ping ourselves.
Ping test
Now that we have determined it functions correctly we can do some research to determine if we can exploit it.
php ping exploit search
There is in fact a way to exploit this functionality: the page passes our input to a shell, so a Linux command preceded by a semicolon (;) is executed after the ping. Let's try that quickly.
Remote Code Execution ;id
We can successfully issue commands through the ping function vulnerability. Perhaps we can grab a reverse shell to the machine.
PHP reverse shell command
Left - nc -nlvp 5555; Right - Reverse shell command seen above
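As an added illustration (not code from the lab or the original post), here is how a ping-test page should have handled the target: validate it strictly and hand it to ping as an argument list, never as part of a shell string. It is written in Python rather than PHP, and the function names are mine.

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
# Anything outside this set (';', '|', '`', '$', spaces, ...) is rejected.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ping_target(target: str) -> bool:
    """Accept only an IPv4/IPv6 literal or a plain hostname."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)   # literal address, e.g. 172.31.1.17 or ::1
        return True
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ping_argv(target: str, count: int = 4) -> list:
    """Build the argv for ping.

    Because the process is started without a shell, the target can never be
    interpreted as a command separator. The validator already refuses a
    leading '-', so the target cannot be mistaken for a ping option either.
    """
    if not is_valid_ping_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), target]


def run_ping(target: str) -> str:
    """Run ping for a validated target and return its combined output."""
    argv = build_ping_argv(target)          # raises ValueError on bad input
    result = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return result.stdout + result.stderr


if __name__ == "__main__":
    for candidate in ["172.31.1.17", "172.31.1.17;id", "$(id)"]:
        print(candidate, "->", is_valid_ping_target(candidate))
```

The PHP equivalent is to reject anything that fails filter_var() with FILTER_VALIDATE_IP and to wrap the value in escapeshellarg(), never concatenating raw input into a shell_exec() string.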
We now have shell access to the machine. Let's see what we can do.
sudo -l command
In full disclosure, you may never have seen the coming exploit before, and it's challenging to research. Above you will see the highlighted portion. What is different from your typical sudo privileges is the "!root" parameter. This parameter means that you don't want the user to execute anything as root. However, a vulnerability was discovered in this functionality that allows a basic command parameter to be issued that will "sudo bypass" the setting.
sudo security bypass
So if we issue a sudo command with a negative numeric user ID (-1), sudo treats it as root. Let's see an example on the machine.
sudo -u#-1 /bin/sh -i
The command is run with sudo, the user is -1, and we are telling it to give us an interactive shell as that user. Again, this is a neat and new exploit, and by no means are you going to see it right away. That's ok. I recently learned about it elsewhere.
All we have left to do is to grab the user and root flag and we are done.
user and root.txt flags
Final Thoughts
This machine is a lot of fun. The ping function is mostly a remnant of the past; however, newer developers may find themselves using it and forgetting to remove it. The sudo security bypass privilege escalation is a neat thing to see in real time here in the lab, and it would be completely devastating if sudo had not been updated on the target machine. I hope this guide has helped you learn something today, and I hope to see you again soon.