Hacking Xmas
Day 12

jakec / dec 2020

Yesterday, we mentioned sshnuke, a script that leveraged a known vulnerability in the SSH protocol to give Trinity root access in The Matrix Reloaded. A lot of what we’ve talked about so far has been using the intended tools in a system to abuse it. Like what we did with SQL injection or brute forcing or packet inspection or even SUID binaries, those were all ordinary parts of a system, albeit taking advantage of their misconfiguration in some cases. But when you think of hacking, you probably think of some dork talking about creating a GUI interface using Visual Basic to track an IP address. In other words, custom-made, automated tools and other arcana passed down through IRC backchannels and dark web messageboards that can pop open a backdoor to a computer like a skeleton key. But that’s just the fantasies of TV writers and fanfic authors. The reality is a lot more laborious and a lot less cool.

Well, if you ignore Metasploit.

Of all the automated penetration testing toolkits, the Metasploit Framework is probably the most famous. It offers a relatively easy to use but comprehensive platform for exploiting vulnerabilities in target systems. After you’ve scanned your target and found any vulnerable programs it’s using, just take a peek through Metasploit’s massive database of already-scripted exploits, set a couple of parameters, and watch it pop a reverse shell for you.

So why isn’t everyone just blasting each other with Metasploit attacks? Well, in one sense, they kind of are. Every second, an infinite number of bots loaded with scripts to scan, enumerate, and exploit misconfigured systems are crawling the internet. Try connecting a deliberately misconfigured webserver to the internet and see how long it takes to get owned (my personal record: less than a day) (also, uh, don’t actually do this unless you’re deliberately setting up a honeypot.) It’s a wasteland of killer machines out there!

But also, Metasploit scripts are based on publicly known vulnerabilities, meaning they’re likely patched. It can save you a lot of time if someone has really set something up wrong, but as the average internet user, even basic principles will make you pretty safe from automated attacks like this. This is why it’s so important to keep your software updated. As annoying as it is to hit that “Restart Now” button, it’s a lot less annoying than some 14 year old who spent the afternoon figuring out Metasploit downloading all the photos on your hard drive.

Let’s run through the process.

First, we run nmap on the target and find out that it’s running webserver software Apache Tomcat version 9.0.17. When we search the web for “apache 9.0.17 exploit” we find CVE-2019-0232, a remote code execution (RCE) vulnerability. Great. We love an RCE. It says “When running on Windows with enableCmdLineArguments enabled, [you can bust the software open like a caramel-centred Easter egg.]” Let’s open Metasploit by opening a terminal and running:

msfconsole

And then search for an exploit using the vulnerability we found.

search tomcat enablecmdline

So Metasploit already has a script ready for us to use to exploit the webserver. To use the Metasploit module, we type:

use exploit/windows/http/tomcat_cgi_cmdlineargs

And then type options to show us the parameters we need to set to exploit the server. We need to given it an RHOSTS option (the IP of our target, i.e. the R(emote) Host) and a TARGETURI. This exploit uses CGI, which in a web context means Common Gateway Interface. It’s a method for webservers to interact with the actual operating system they’re hosted on. This can be incredibly powerful, but because it can also expose the operating system to the web, also very risky. (If you're curious, you can read more about how CGI works in CMNatic's writeup.) In order for our exploit to work, we need to set the TARGETURI parameter to a CGI script hosted on the server. By manipulating the way the CGI script talks to the operating system, our exploit will give us a shell as a system user. In other words, it’ll be like we’re logged in to the computer the server is hosted on.

First, set RHOSTS 10.10.151.122. Then set TARGETURI /cgi-bin/elfwhacker.bat. A couple of things:

First of all, just to spell it out, TARGETURI means the target uniform resource identifier, i.e. a link to where the "resource" (the CGI script we want to exploit) is located on the server. So if it's a link, why doesn't it look like "http://10.10.151.122/cgi-bin/elfwhacker.bat"? Why is it just the last half of that? When we talk about links and file paths, we think of them as either absolute paths or relative paths. An absolute path is a link to some source from ANYWHERE. No matter where you are in a folder or page, "http://10.10.151.122/cgi-bin/elfwhacker.bat" will always link to the same thing. A relative path like /cgi-bin/elfwhacker.bat will first take into account where you are in the folder structure. (It's important to remember that websites are really just a bunch of folders: 10.10.151.122 is a big folder with a cgi-bin folder inside it, then the elfwhacker.bat script is inside that folder.) Because we already told Metasploit what the target host is (set RHOSTS 10.10.151.122), it can use a relative path for the TARGETURI by appending it to that address. So we set the TARGETURI to /cgi-bin/elfwhacker.bat, but it's really going to "http://10.10.151.122/cgi-bin/elfwhacker.bat"

Second, where did "elfwhacker.bat" come from? How do we know it's there? Well, the challenge tells us! The challenge itself specifies that "To solve Elf McSkidy's problem with the elves slacking in the workshop, he has created the CGI script: elfwhacker.bat." So we can reasonably assume that it'll be stored in the default CGI folder, "/cgi-bin/". However if we didn't know any of that, we might've found it in an earlier stage of recon. For example, if we'd run dirbuster/gobuster as covered in earlier challenges, we would've found the /cgi-bin/ folder and from there found the elfwhacker.bat script ourselves. That's a more likely real world scenario; the challenge just saved us some time by telling us up front.

Then all we do is type exploit and see what happens.

“Meterpreter session 1 opened” means we’ve gained access. If we type ls to list the files in the directory, we see we’re now looking at the /cgi-bin/ folder with elfwhacker.bat and flag1.txt, which we need for today’s challenge. Run cat flag1.txt and we’re done.