https://www.vulnhub.com/entry/wintermute-1,239/

I found this machine's concepts interesting because it introduces pivoting techniques to reach the ‘Neuromancer’ machine, which sits on a different subnet. I will be showing the socat method of pivoting to ‘Neuromancer’, but it's also possible to use Metasploit, although I find that method annoying to work with for this particular lab setup.

Lab setup:

  • Straylight - 192.168.57.3 and 192.168.56.101
  • Neuromancer - 192.168.56.102
  • Kali - 192.168.57.5

First I will confirm my Kali machine cannot connect to ‘Neuromancer’

Straylight

Enumeration

Nmap results:

nmap -sC -sV 192.168.57.3

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-12 12:12 CDT
Nmap scan report for 192.168.57.3
Host is up (0.000065s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE         VERSION
25/tcp   open  smtp            Postfix smtpd
|_smtp-commands: straylight, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=straylight
| Subject Alternative Name: DNS:straylight
| Not valid before: 2018-05-12T18:08:02
|_Not valid after:  2028-05-09T18:08:02
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http            Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Night City
3000/tcp open  hadoop-datanode Apache Hadoop
| hadoop-datanode-info: 
|_  Logs: submit
| hadoop-tasktracker-info: 
|_  Logs: submit
| http-title: Welcome to ntopng
|_Requested resource was /lua/login.lua?referer=/
|_http-trane-info: Problem with XML parsing of /evox/about
MAC Address: 00:00:20:50:96:D9 (Oracle VirtualBox virtual NIC)
Service Info: Host:  straylight

Using curl to enumerate ‘index.html’:

‘index.html’ forwards us to another page, ‘xwx.html’, which displays some text mentioning the ‘Neuromancer’ machine:

On port 3000 there is a service named ‘ntopng’ that still accepts the default credentials ‘admin:admin’:

On the flows page we find two possible directories, ‘/turing-bolo’ and ‘/freeside’:

Located at ‘/freeside’:

Navigating to ‘/turing-bolo’ on port 80: the page includes whatever file is named in the ‘bolo’ GET parameter, but appends ‘.log’ to the name. This makes it impossible to include files like ‘/etc/passwd’ directly, because the page will try to include ‘/etc/passwd.log’, which doesn’t exist. A null byte doesn’t seem to help either.

The ‘case.log’ file is how we confirm this:

Exploitation

If you remember the nmap results, a Postfix SMTP server is running. Postfix keeps log files that record data we, the attacker, control, such as the Subject of an email. Sending a malicious email to the ‘www-data’ user therefore lets us obtain RCE through the include. You can find the log file locations from here.

Using telnet to interact with Postfix and send the malicious PHP:

To trigger the PHP code I add a ‘cmd’ parameter carrying a command:

Now that we have RCE, I will obtain a shell using a URL encoded payload:

Privilege Escalation

Searching for SUID we can see a ‘screen-4.5.0’ binary:

This is a commonly known vulnerable version of screen that can be exploited using this.

After running the exploit we have root on Straylight:

Post-exploitation

Important note pointing out a useful path on ‘Neuromancer’:

root@straylight:/root# cat note.txt 
Devs,

Lady 3Jane has asked us to create a custom java app on Neuromancer's primary server to help her interact w/ the AI via a web-based GUI.

The engineering team couldn't strss enough how risky that is, opening up a Super AI to remote access on the Freeside network. It is within out internal admin network, but still, it should be off the network completely. For the sake of humanity, user access should only be allowed via the physical console...who knows what this thing can do.

Anyways, we've deployed the war file on tomcat as ordered - located here:

/struts2_2.3.15.1-showcase

It's ready for the devs to customize to her liking...I'm stating the obvious, but make sure to secure this thing.

Regards,

Bob Laugh
Turing Systems Engineer II
Freeside//Straylight//Ops5

Using netcat to port scan our target IP:

Neuromancer

Pivoting with socat

I will first redirect traffic on two ports, 8080 and 4444. Netcat told us an HTTP server is present on the target at 8080, so I will access that first before the other ports found. Port 4444 will be redirected from ‘Straylight’ to my local Kali machine, so that if I want a reverse shell from ‘Neuromancer’ I can catch it on Kali; ‘Straylight’ acts as a kind of proxy for that shell connection.

root@straylight:/root# ss -tulpn
Netid  State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
udp    UNCONN     0      0         *:56613                 *:*                   users:(("snmpd",pid=464,fd=10))
udp    UNCONN     0      0         *:68                    *:*                   users:(("dhclient",pid=425,fd=6))
udp    UNCONN     0      0         *:68                    *:*                   users:(("dhclient",pid=394,fd=6))
udp    UNCONN     0      0      127.0.0.1:161                   *:*                   users:(("snmpd",pid=464,fd=9))
tcp    LISTEN     0      5         *:8080                  *:*                   users:(("socat",pid=13292,fd=5))
tcp    LISTEN     0      128       *:3000                  *:*                   users:(("ntopng",pid=848,fd=13))
tcp    LISTEN     0      100       *:25                    *:*                   users:(("master",pid=822,fd=13))
tcp    LISTEN     0      5         *:4444                  *:*                   users:(("socat",pid=13299,fd=5))
tcp    LISTEN     0      80     127.0.0.1:3306                  *:*                   users:(("mysqld",pid=628,fd=20))
tcp    LISTEN     0      128    127.0.0.1:6379                  *:*                   users:(("redis-server",pid=489,fd=4))
tcp    LISTEN     0      128      :::80                   :::*                   users:(("apache2",pid=32431,fd=4),("apache2",pid=32430,fd=4),("apache2",pid=32424,fd=4),("apache2",pid=32416,fd=4),("apache2",pid=32406,fd=4),("apache2",pid=32402,fd=4),("apache2",pid=32397,fd=4),("apache2",pid=32386,fd=4),("apache2",pid=32382,fd=4),("apache2",pid=652,fd=4),("apache2",pid=629,fd=4))
tcp    LISTEN     0      100      :::25                   :::*                   users:(("master",pid=822,fd=14))
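From the defender's side, the socat relays above are exactly what a listener baseline would catch. The following Python check is an added example, not part of the original walkthrough: it parses `ss -tulpn` rows and flags sockets held by processes outside a per-host baseline. The sample rows and the baseline set are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the `ss -tulpn` listing above (not the page's own output).
SS_OUTPUT = """\
Netid  State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
udp    UNCONN     0      0      127.0.0.1:161                   *:*                   users:(("snmpd",pid=464,fd=9))
tcp    LISTEN     0      5         *:8080                  *:*                   users:(("socat",pid=13292,fd=5))
tcp    LISTEN     0      128       *:3000                  *:*                   users:(("ntopng",pid=848,fd=13))
tcp    LISTEN     0      100       *:25                    *:*                   users:(("master",pid=822,fd=13))
tcp    LISTEN     0      5         *:4444                  *:*                   users:(("socat",pid=13299,fd=5))
tcp    LISTEN     0      80     127.0.0.1:3306                  *:*                   users:(("mysqld",pid=628,fd=20))
tcp    LISTEN     0      128      :::80                   :::*                   users:(("apache2",pid=652,fd=4),("apache2",pid=629,fd=4))
"""

# Daemons expected to hold sockets on Straylight (assumed baseline; build it from a
# known-good snapshot of the host, not from the box you are investigating).
EXPECTED_LISTENERS = {"snmpd", "dhclient", "ntopng", "master", "mysqld", "redis-server", "apache2"}

# One ss row: netid, state, the two queue counters, local addr:port, peer, then the users:(...) column.
ROW_RE = re.compile(r"^(?P<netid>\w+)\s+(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\((?P<users>.*)\)$")
# Each ("name",pid=N,fd=M) entry inside the users column.
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


def unexpected_listeners(ss_text: str, expected=EXPECTED_LISTENERS) -> List[Tuple[str, str, str, int]]:
    """Return (netid, port, process, pid) for every socket owned by a process outside the baseline."""
    findings = []
    for line in ss_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or a row without process info
        port = m.group("local").rsplit(":", 1)[1]
        for proc in PROC_RE.finditer(m.group("users")):
            if proc.group("name") not in expected:
                findings.append((m.group("netid"), port, proc.group("name"), int(proc.group("pid"))))
    return findings


if __name__ == "__main__":
    for netid, port, name, pid in unexpected_listeners(SS_OUTPUT):
        print(f"[!] {netid}/{port} held by unexpected process {name} (pid {pid})")
```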

When we visit the website running on port 8080 we will see a tomcat web application. By using the web directory we found earlier in the note, we know the next attack vector.

Exploitation

This version of Apache Struts appears to be vulnerable to CVE-2017-5638. I will be using a python exploit from here.

When executed we get a reverse shell on ‘Neuromancer’:

Privilege Escalation

[email protected]:~$ cat ai-gui-guide.txt
Application for Neuromancer remote access interface includes:

-Maven    - /opt/
-Java jdk - /usr/lib/jvm/
-Tomcat   - /usr/local/tomcat/
-Struts2  - /home/ta/myWebApp/
          - war files are in /root. Update these ASAP to improve security.

Reduce installation of apps to ONLY what's needed, seucure configurations and follow app security best practices.

We will check the tomcat users located at '/usr/local/tomcat/conf/tomcat-users.xml':

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
Eng.,

Tomcat is still using basic auth. I encoded the password so the AI's security scans don't flag it.

Is this what Bob keeps talking about, "Security by obscurity?"

Ed Occam//Sys.Engineer I//Night City
"Harry, I took care of it" - Llyod Christmas
-->

  <role rolename="manager-gui"/>
  <user username="Lady3Jane" password="&gt;!Xx3JanexX!&lt;" roles="manager-gui"/>

<!--
  <role rolename="role1"/>
  <user username="tomcat" password="&lt;must-be-changed&gt;" roles="tomcat"/>
  <user username="both" password="&lt;must-be-changed&gt;" roles="tomcat,role1"/>
  <user username="role1" password="&lt;must-be-changed&gt;" roles="role1"/>
-->
</tomcat-users>

The password decodes to >!Xx3JanexX!<, so now we have access to the ‘lady3jane’ user.
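An added example, not part of the original write-up: auditing tomcat-users.xml with Python shows why entity-encoding the password is no protection, since the XML parser hands back the cleartext exactly as Tomcat reads it, and it lists privileged accounts whose password is not stored in Tomcat's salted digest form. The sample file is a constructed copy of the one above; the privileged-role set and the digest heuristic are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed copy of the tomcat-users.xml shown above, with the password stored
# the way the engineer "encoded" it (XML character entities). Sample for this example.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="Lady3Jane" password="&gt;!Xx3JanexX!&lt;" roles="manager-gui"/>
</tomcat-users>
"""

NS = "{http://tomcat.apache.org/xml}"

# Roles that let an account deploy or manage web applications (assumed set: Tomcat's
# standard manager/admin roles).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}


def looks_digested(password: str) -> bool:
    """Heuristic: Tomcat's salted MessageDigestCredentialHandler writes salt$iterations$hexdigest."""
    parts = password.split("$")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    try:
        int(parts[2], 16)
    except ValueError:
        return False
    return len(parts[2]) >= 32  # at least an MD5-sized digest


def audit_tomcat_users(xml_text: str) -> List[Dict[str, str]]:
    """Return privileged accounts whose password is stored in clear (entities already resolved)."""
    findings = []
    for user in ET.fromstring(xml_text).iter(NS + "user"):
        # ElementTree resolves &gt;/&lt; here, so this is the password Tomcat actually accepts.
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if privileged and not looks_digested(password):
            findings.append({"username": user.get("username", ""), "effective_password": password,
                             "roles": ",".join(sorted(privileged))})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(TOMCAT_USERS_XML):
        print(f"[!] {f['username']} ({f['roles']}) has cleartext password {f['effective_password']!r}")
```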

In the lady3jane home directory we see a shell script ‘custom-tomcat-chk.sh’:

#!/bin/bash
# Health check for Neuromancer (root) to execute every 3 minutes.
# ..the AI tells me it can maintain security, server health, etc w/o forced intervention,
# but I beg to differ...hence the cron script.

> /tmp/tomcat_status.log

health=$(curl -m 5 -Is 127.0.0.1:8080 |grep HTTP/1.1)

case "$health" in

  *200*)
        echo "Tomcat is Up" > /tmp/tomcat_status.log
        ;;
  *)
        echo "Tomcat is down" > /tmp/tomcat_status.log
        ;;
esac

The script's comments say a root cron job runs it, but it's not actually scheduled. This could be a mistake in the lab, but we have another route anyway.

The kernel is vulnerable to a local privilege escalation exploit, so we will transfer that exploit using netcat.

First we set up socat on ‘Straylight’ to redirect traffic from port 1337 to ‘Neuromancer’:

Now we will transfer the file with netcat, but first we need to compile the exploit. Then, from Kali, we send the file to ‘Straylight’ on port 1337:

Now we receive the exploit on ‘Neuromancer’, execute it, and we have root:

Credit goes to creosote for setting up a very well done introduction to pivoting scenario.