Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

Breach: 2.1

Location

https://download.vulnhub.com/breach/Breach-2_final2.1.zip

Description

Second in a multi-part series, Breach 2.0 is a boot2root/CTF challenge which attempts to showcase a real-world scenario, with plenty of twists and trolls along the way.
The VM is configured with a static IP (192.168.110.151) so you’ll need to configure your host only adaptor to this subnet. Sorry! Last one with a static IP ūüėČ
A hint: Imagine this as a production environment during a busy work day.
Shout-out to knightmare for many rounds of testing and assistance with the final configuration as well as rastamouse, twosevenzero and g0blin for testing and providing valuable feedback. As always, thanks to g0tmi1k for hsting and maintaining #vulnhub.
VirtualBox users: if the screen goes black on boot once past the grub screen make sure to go to settings —> general, and make sure it says Type: Linux Version: Debian 64bit
If you run into any issues, you can find me on Twitter: https://twitter.com/mrb3n813 or on IRC in #vulnhub.
Looking forward to the write-ups, especially any unintended paths to local/root.
Happy hunting!

Enumeration

The scan shows that port 65535 runs SSH. So I’ll start there.

There is some useful information here. There is an user called peter, he has a blog and the password is in the source.
“Welcome to Initech Cyber Consulting” suggest this is a reference to the movie “Office Space“. So peter would be Peter Gibbons.
I searched google with all kinds of queries containing “blog”, “peter gibbons”, “vacation” and “Initech”. Nothing helpful come back. After a long time I figured I maybe was overthinking the whole thing and tried what literally¬†was said in the banner. “The password is in the source“.
Password possibilities:
“in the source” –> nothing
“inthesource” –> bingo!

It worked. The only problem is, that the connection was closed immediately. I gave it another try, but the result was the same. So the username:password combination worked, but was closed immediately. This should have a function and I thought about some kind of portknocking function. So I started another nmap scan.

Webserver

My hunch paid off and this time port 80 was open.
logo

In the source code there is a comment.

After checking the existence of robots.txt (which wasn’t), I fired up dirb.

The blog that was mentioned earlier and a page called wysiwyg (what you see is what you get).
blog
tinyMCE.JPG
According to¬†the www TinyMCE is a platform independent web-based JavaScript HTML WYSIWYG.¬†TinyMCE enables to convert HTML textarea fields or other HTML elements to editor instances. After checking exploit-db both blogphp as tinymce are possibly vulnerable. Because there is a login page, I first try to get an error response…..nothing.

Cross Site Scripting

I return to the exploit-db page and start listing the possible expoits for blogphp. It seems there is a persistent XSS vulnerability. Normally XSS is useless in a vm (because of the lack of interaction). But because other options are running out and the picture of beef was quite clear, I’m going to try and hook someone (in this case something) with beef-xss.
When I follow the instructions about the vulnerability it would take not long before I hooked my victim (cool feature btw).
beef
It looks like I hooked Peter and he is using Firefox version 15. After checking exploit-db again, it seems that FF versions 5.0 until 15.0.1 are vulnerable and because of this vulnerability the AddonManager API can be invoked to silently install a malicious plugin. I also got his cookie for the grabs.

Creating the malicious URL

I fire up metasploit and searched for the exploit mentioned on exploit-db.
The one I can use is exploit/multi/browser/firefox_proto_crmfrequest with the firefox/shell_reverse_tcp payload.

Creating the Iframe

Next I’m going to use the created URL from metasploit and inject it inside an Iframe with beef.
iframe

Getting a command shell

Now that I’m in, let’s get a proper TTY shell and start the recon.

When I look at /etc/passwd it seems there are 3 users bill, peter and milton.
In the home dir of peter there is the shell script that’s responsible for the refreshing of the members.html page.
When I look for world writable directories I see there is another website in the form of /html2/ and it has an oscommerce directory in it.
When I use compgen -c I get a list of all installed applications. One of them is MySQL. Let’s try to find a file with some useful credentials.

MySQL

User root is set with no password. Let’s log in.

When looking at the content of the databases, I find some credentials in the oscommerce database.

After cracking the hash, the result is ’32admin’. Bit odd with the ‘:32’ behind it, which I needed to drop btw to get a successful crack. Maybe something with salting the password. Because I now have credentials for the oscommerce site, I’ll probably figure it out later on.
Finally I check sudo -l to check what peter can do on this machine. It turns out that peter can start and stop apache2 as root. Well, this will come in handy with the oscommerce site.

netstat.JPG
Netstat shows that ports 3306 and 2323 are listening on local host. Port 3306 is the default port for MySQL, but the interesting thing is port 2323.

Houston do you copy?

Coordinates? Where do they lead?
After I put the coordinates into Google Maps I was dropped right onto the¬†Houston Police Officers’ Memoria. But why and to what end? The coordinates were followed by a login. I needed an username and password. Off course I tried the found oscommerce credentials, but that didn’t pay off.¬†I checked Google for the combination “Office Space”, “Houston” and “movie” and according to the IMDB Trivia, Houston was where Peter lived. This couldn’t be a coincidence.

<18+filter>!@##$#%@!</18+ filter> Alright, that didn’t worked. But after a while (and a nice refreshing drink), it downed on me that there were other users on the machine. So let’s try those too.

I think I know whose stapler it is hahahaha.
stapler.gif
I know the question, just not the answer. But this riddle is scripted and it’s coming from the machine. So I need to find the script that is running this and extract the answer.

And there we got the answer.

Checking out Milton

That’s disappointing. Milton can’t use sudo.¬†After some time it looks like Milton as an user isn’t that useful. But why all this trouble? Because there was some form of port knocking in the beginning, I hoped that successfully telnetting to port 2323 opened another port.

OS Commerce

oscommerce.JPG
It looks like OS Commerce is running version 3.0 alpha 5. After a quick search it looks like there are plenty vulnerabilities for OS Commerce and for this version there is one in particular.

Let’s start with some basic enumeration and fire up dirb.

Because I already have the admin credentials from earlier on, I thought it would be a good time to use them.
admin.JPG
After several (a lot) of tries to get the HTML injection working, I focus on a different approach. Maybe it’s possible to alter an already existing file and create a backdoor. But when I try to alter one of the files I get an error ūüôĀ

Error: The product images directory is not writable: /var/www/html2/oscommerce/images/products

That’s not gonna work.¬†So I need a folder¬†that is¬†writable at¬†my level. When I check for some world writable folders¬†on the server in the /html2/ directory it seems there is¬†one.

Another reverse shell

To get a reverse shell I used the php reverse shell from pentestmonkey. But when I try to wget it, it arrives empty. To solve this problem, I compress the php file and give it another shot. This time it worked.
shell

Now I’m in as blumbergh (bill). First I switch to a proper TTY shell and then check with sudo -l what this account can do.

TCPDUMP

So this account can run tcpdump as root. I know it’s a packet capture program. But how this could help me get root I’m not sure. Thanks to a helpful site I learned¬†how to get root by abusing tcpdump when running it as root.

YEAH!!!! When I check the root folder I get the price for all this hard work!
flag

Conclusion

This was a very fun challenge and an enormous learning experience.
Thanks to mrb3n and all the people who have made this boot2root challenge one of the best so far.