Wallaby’s Nightmare

Wallaby’s Nightmare is a boot2root from vulnhub.com that employs quite a few tricks for getting root on it.  It can be downloaded from https://www.vulnhub.com/entry/wallabys-nightmare-v102,176/.  Let’s dive right in then.

Scanning the box revealed the following information:

As we can see, there’s a web server running on port 80 and ssh port 22.  Navigating to the web server, we’re greeted with the following:

Let’s register and get started.

A giant eye challenges us to get into “the great” Wallaby’s web server.  This should be fun.  I always like to begin web tests with a directory scan to identify hidden pages.

Hmm, that didn’t turn up much.  However, looking at the URL, we notice the “home” parameter being passed to the page.  Let’s scan that.

Results!  Haha!  At this point, unfortunately, I noticed that the web server seemed to have crashed.

I rebooted the server to no success.  I tried to scan again to see if a firewall was blocking something.

Ah… it appears that the server moved ports.  And the updated splash screen confirms this.

Thankfully, the results of our previous dirb scan were still valid.  Nothing really was interesting until the last site.

Blank pages intrigue me, especially when the source has comments.

It looks like the page has the functionality to send mail messages once the button is finished.  The page takes two parameters:

Parameter 1: the page

Parameter 2: a command to the mail function.

I wonder if we can send other commands…

Yep!  Putting in id instead of mail caused the id command to run and plop its output to the screen.

I wanted to make sure that I could run two commands, so I tested that as well.

After that worked, I used the handy reverse shell cheat sheet to get a basic reverse shell on the box.

I then ported over a meterpreter elf and used my basic shell to get a meterpreter shell with more features.

The most important thing I learned from OSCP was reconnaissance.  Never stop gathering data and taking notes.  So I began investigating the box from the inside.  The netstat revealed that there were some ports open that didn’t turn up in my scan, specifically 6667.

This intrigued me because it appeared to be listening remotely as well as locally, so I suspected a firewall rule.  This suspicion was doubled when I rechecked the nmap scan and saw that 6667 was filtered.

After some more digging, I ran sudo -l to see what commands the web user could run as sudo.

Interesting… I could run iptables to allow access to the IRC server remotely and I could also run vim on one file as another user.

The first thing I did was check the iptables rules to confirm my suspicion…

and then promptly flush the rules.

After connecting to the IRC server, I found one channel in use.  It was occupied by myself, Waldo, and wallabysbot.

I had seen that Waldo had irssi running in the process list, explaining that user, but I was intrigued by wallabysbot.  After digging around in /home/wallaby, I found a hidden folder called .sopel.

Reading more into sopel showed that it was a utility bot written in Python.

In the sopel folder was a Python script, run.py.

It appeared to allow OS command execution as wallaby but only if the user was Waldo.  Unfortunately, waldo was in the IRC server, so we couldn’t just /nick Waldo.

So now our goal was to kick waldo out of the server so we could use the .run command in IRC and hopefully gain the privileges of wallaby.

Luckily, we had already seen that we could run one sudo command as waldo… vim!

My vim is weak, but I do remember that you can use :shell once in vim to go into a shell without exiting vim, so that’s precisely what I did.

This confirmed that I was indeed waldo.

My inelegant solution to kicking the user out of IRC was to kill the process that was running that was connecting to the IRC server.

Checking the user list back in the IRC server, it was just me and wallabysbot.

I changed my nick to Waldo and attempted to use the .run module.

Success!

Next, I created another meterpreter payload and placed it in /tmp/ on the host.  Simply executing .run /tmp/shell2 and…

the shell!

As suspected, running sudo -l showed that wallaby had sudo permissions and I gained root.
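Seen from the defender's side, both `sudo -l` results in this walkthrough (vim and iptables for the web user, then wallaby's sudo rights) are things an audit of sudo listings should flag. The following is an added example, not part of the original post: the sample listing, the `webuser` and `host` names, the file path and the short `RISKY` table are all constructed assumptions.

```python
import re

# Illustrative table (an assumption, not exhaustive): commands that hand the
# caller a shell as the target user or let them weaken host defences.
RISKY = {
    "vim": "editor shell escape (:shell) runs commands as the target user",
    "vi": "editor shell escape (:shell) runs commands as the target user",
    "iptables": "caller can list and flush the host firewall rules",
    "ALL": "unrestricted sudo, equivalent to the target user (often root)",
}

# One entry line of `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
ENTRY = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudo_listing(text):
    """Return (runas, command, nopasswd, reason) for each risky entry."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # headers and "Matching Defaults entries" lines
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the command
            if binary in RISKY:
                findings.append((m.group("runas"), cmd, nopasswd, RISKY[binary]))
    return findings

# Constructed sample in the usual `sudo -l` layout; not output from the box.
SAMPLE = """\
Matching Defaults entries for webuser on host:
    env_reset, mail_badpass

User webuser may run the following commands on host:
    (waldo) NOPASSWD: /usr/bin/vim /path/to/one-file.conf
    (ALL) NOPASSWD: /sbin/iptables
    (root) /usr/bin/systemctl status apache2
"""

if __name__ == "__main__":
    for runas, cmd, nopasswd, reason in audit_sudo_listing(SAMPLE):
        print(f"[!] as {runas}: {cmd} (NOPASSWD={nopasswd}) -> {reason}")
```

Restricting vim to a single file does not help, because the shell escape is a feature of the editor itself; `sudoedit` or removing the rule is the usual correction.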

All told, this was a very fun CTF.  Getting on the box was fairly straightforward, but getting root was tough.  I really liked the IRC quirkiness.

If you have questions or comments, let me know!
