Today we are working on a boot-to-root called Nezuko 1 from Vulnhub.com. This box is rated Easy/Intermediate by its creator, @yunaranyancat. Let’s get to work.
Initial Enumeration
After getting our VM set up in VMWare Player we start with nmap scans.
We have ssh, standard http, and https on port tcp/13337. Having recently gotten burned on a CTF by missing a banner-grab, I first attempted to ssh to the box in case it has info in the banner, but in this case I didn’t learn anything. I moved on to http enumeration and first checked port 80. All we see in the browser is the disturbing image I pasted above along with the text, “Welcome to my site. I didn’t put anything yet. Please come back again later - nezuko”. The /sample folder indicated that there is “nothing here”, but robots.txt has something that looks potentially interesting. Alas, when we decode the text we find nothing helpful. Maybe it is time to take the hint and move on.
Webmin
If we access port 13337 in our browser we go straight to a Webmin login page.
I googled for default creds to Webmin, but what I found didn’t work. We don’t have too much information beyond a possible user (nezuko) for other login creds, but we do know from our nmap scans that we are accessing MiniServ (Webmin) 1.920 so we can search for unauthenticated exploits on this version of the Webmin software. I usually start with exploit-db.com.
The first exploit that I highlighted is a simple shell script, but it gave me a “not vulnerable” result when I ran it. The second option is a Metasploit module that gives us unauthenticated remote code execution. This looks quite interesting, however I wanted to look for an alternative because 1) I prefer to avoid Metasploit, if possible, for those of us who may have aspirations toward the OSCP cert, and more importantly 2) my Metasploit is currently broken due to some Ruby gem issues that I can’t figure out. :-P
If we examine the exploit-db entry we find that our unauthenticated RCE issue is logged as CVE-2019-15107. Googling “CVE-2019-15107 github” leads us to an interesting looking python script to exploit this vulnerability.
I downloaded the python script and immediately entered python hell. The script was written in Python 1, so I initially tried to run it with the “python” interpreter, but got an error that we are missing module “requests”. I tried to install requests with pip, but was informed that requests already exists in python3. To run the script in python3, I located all the print statements and added parentheses, which is the bare minimum of syntax fixes that may be required for python3. However, the script was still giving me a type error at this if statement.
I have little doubt there is a simple and elegant fix to this error, but my python skills need some serious help and I couldn’t immediately find a solution. What I did was to essentially eliminate the conditional, print out the entire response from the http request, and sift through the lengthy response. It was clunky, but it worked. Here is the code that I modified.
To test the script we run it and try the “id” command.
I’ve cut out most of it, but buried in the response is the output of the id command, which confirms that we do in fact have RCE!
Hopefully your next thought would be to use the RCE to get a reverse shell. I ran the script with a ‘which nc’ command and got confirmation that netcat is available on the box. I launched my netcat listener and reran the script with our basic netcat rev shell command.
And we get a shell! Don’t forget to upgrade your shell with python.
User Enumeration
I began my enumeration in user nezuko’s home directory.
I first grabbed nezuko’s private key (id_rsa) from the .ssh directory to see if I could get ssh access to the box, but I still needed a password. Moving on, the file nezuko.txt gives us some ASCII art and the user1 flag.
The directory from_zenitsu is very interesting, not to mention a bit creepy. It appears that some kind of cron job run by root writes a text file to that folder every 5 minutes. This could be something to use later.
If you download pspy64 to the box and run it, sure enough you will find the script that is making these files. Also note the process is running as root (UID=0).
The script is in user zenitsu’s home directory, so let’s check that out. We get the user2 flag (not that it matters, but shouldn’t only zenitsu be able to read that?) and also see the to_nezuko folder.
We can see the shell script is definitely the one that is putting messages in nezuko’s home directory. However, we need to be user zenitsu to modify the script to our advantage.
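The root of this finding is a root-owned cron job that executes a file another user can edit. The following audit script is an added defender-side example, not code from the write-up or from the box: it walks a system-format crontab (min hour dom mon dow user command), and for each job run as root flags script files that are not owned by root or are group/world writable. The crontab, directory tree and script names are constructed placeholders.

```shell
#!/bin/sh
# Added defender-side check (not from the write-up): for every job that a
# system-format crontab runs as root, report script files that someone other
# than root could edit. Such a file hands that user root, as on this box.
cron_script_audit() {
    grep -v '^[[:space:]]*#' "$1" | awk '$6 == "root" {
        $1 = $2 = $3 = $4 = $5 = $6 = ""; sub(/^ +/, ""); print
    }' | while read -r cmd; do
        set -f    # do not glob-expand tokens such as "*" inside the command
        for tok in $cmd; do
            case $tok in /*) ;; *) continue ;; esac   # absolute paths only
            [ -f "$tok" ] || { echo "MISSING:$tok"; continue; }
            if [ -n "$(find -L "$tok" ! -user root)" ]; then
                echo "OWNER-NOT-ROOT:$tok"
            fi
            if [ -n "$(find -L "$tok" \( -perm -020 -o -perm -002 \))" ]; then
                echo "WRITABLE-BY-OTHERS:$tok"
            fi
        done
    done
}

# Constructed sample: a throwaway tree standing in for the box's layout.
WORK=$(mktemp -d)
mkdir -p "$WORK/home/zenitsu"
printf '#!/bin/sh\necho hi\n' > "$WORK/home/zenitsu/message.sh"
chmod 775 "$WORK/home/zenitsu/message.sh"   # group can write: bad
printf '#!/bin/sh\n' > "$WORK/backup.sh"
chmod 755 "$WORK/backup.sh"                 # only the owner can write
cat > "$WORK/crontab" <<EOF
# constructed sample, not the box's real crontab
*/5 * * * * root /bin/sh $WORK/home/zenitsu/message.sh
0 3 * * * root $WORK/backup.sh
*/10 * * * * nezuko $WORK/backup.sh
EOF

cron_script_audit "$WORK/crontab"
```

Run it against /etc/crontab and the files in /etc/cron.d on a real host; any WRITABLE-BY-OTHERS or OWNER-NOT-ROOT line for a root job is worth fixing before anyone else finds it.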
User Privilege Escalation
At this point, I decided to download my favorite enumeration script, linpeas.sh, and run it on the box. Linpeas had several findings, but one in particular interested me.
That is a password hash for user zenitsu directly in /etc/passwd! We can copy just the password hash to our box and try to crack it with hashcat. It doesn’t take too long for hashcat to get a hit.
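A hash sitting in the world-readable /etc/passwd instead of /etc/shadow is exactly the kind of thing a quick audit catches. The check below is an added defender-side example, not code from the write-up: it lists every account in a passwd-format file whose second field is neither the shadow placeholder nor a locked marker, so a stored hash or an empty (passwordless) field stands out. The sample file and the zenitsu hash in it are constructed placeholders.

```shell
#!/bin/sh
# Added defender-side check (not from the write-up): list accounts in a
# passwd-format file whose password field is not the "x" shadow placeholder.
# A real hash there is readable by every local user; an empty field means
# the account needs no password at all. Locked fields ("*", "!", "!!") are fine.
passwd_hash_audit() {
    awk -F: 'NF >= 7 && $2 != "x" && $2 != "*" && $2 !~ /^!/ {
        kind = ($2 == "") ? "EMPTY-PASSWORD" : "HASH-IN-PASSWD"
        printf "%s:%s:uid=%s\n", kind, $1, $3
    }' "$1"
}

# Constructed sample file; the zenitsu hash is a placeholder, not the box's.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nezuko:x:1000:1000:nezuko:/home/nezuko:/bin/bash
zenitsu:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:1001:1001:zenitsu:/home/zenitsu:/bin/bash
guest::1002:1002:guest:/home/guest:/bin/sh
EOF

passwd_hash_audit "$SAMPLE_PASSWD"
# prints:
# HASH-IN-PASSWD:zenitsu:uid=1001
# EMPTY-PASSWORD:guest:uid=1002
```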
From here, we simply su to zenitsu with our cracked password.
Escalation to Root
Now that we are user zenitsu we can modify the script that is running automatically as root. Since we already know a netcat rev shell will work, let’s try getting a rev shell as root.
Make sure you specify a different port than your initial rev shell. Launch your netcat listener, wait for a few minutes, and…
We get our root shell! Did you do anything differently on this box? Do you have a cleaner fix to the python exploit? Drop me a message and let me know. Thanks for reading!