Quaoar vulnhub challenge

Back again with another vulnhub challenge, the hackfest2016: Quaoar challenge, found here. This challenge is definitely on the easy side, with just three flags to get:

  1. Reverse shell into the server.
  2. Get root access.
  3. Get the root flag.

Simple enough, so let’s get to it.

Booting up the VM shows you the IP address of the box, so all we have to do is give it a scan with good old nmap.

# Nmap 7.40 scan initiated Fri Jun 16 20:08:35 2017 as: nmap -p- -A -sSVC -oN nmap-scan 192.168.1.37
Nmap scan report for 192.168.1.37
Host is up (0.00059s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
| 2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_ 256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp open domain ISC BIND 9.8.1-P1
| dns-nsid:
|_ bind.version: 9.8.1-P1
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3?
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
MAC Address: 08:00:27:AD:E4:D6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

A bunch of ports are open, but the one we’re going to focus on is port 80. Going to the site reveals just a couple of images, nothing special.

Now it’s time for a nikto scan to see what it can find:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.37
+ Target Hostname: 192.168.1.37
+ Target Port: 80
+ Start Time: 2017-06-16 20:14:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 133975, size: 100, mtime: Mon Oct 24 00:00:10 2016
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wordpress/: A WordPress installation was found.
+ 8348 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2017-06-16 20:14:38 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Awesome, a WordPress install; let’s see what’s on the site. Navigating to it shows a single post by the user admin.

Now let’s get to the login page and try to get into that account.
Before we get into brute-forcing the login page, let’s try some weak passwords like password, password123, admin etc. Well, what ya’ know, admin was the password; that was easy. Now that we are in, let’s take a look around and see if there is anything interesting.

Nope, nothing interesting, so let’s use the pentestmonkey reverse shell to get a shell on the server. Set up netcat to receive the connection, and boom, I’m in.

So that’s flag one done. Looking around, the root folder is locked down, so to get into it I need the root account. Snooping around, I happened across the wpadmin folder and the flag.txt file.

Flag: 2bafe61f03117ac66a73c3c514de796e

Awesome, now on to the final two flags of the challenge. Trying various methods to get root got me nowhere. Then it hit me: this is a WordPress site with a database, so it needs a username and password to access that database. So on to the wp-config file. Catting the file reveals the root username and password.

username:root
password:rootpassword!

Now it’s time to spawn a proper shell and switch to the root user with the following command:

python -c "import pty;pty.spawn('/bin/sh');"

Now that we are the root user, let’s get the final flag, which is most likely in the root folder.

Flag: 8e3f9ec016e3598c5eec11fd3d73f6fb

That’s it for this challenge; overall very easy and great for those looking to get into pentesting. Thanks for reading and stay classy.

Moxley

 

Vulnhub:USV-CTF

Back again, this time having done the USV-CTF, which was fun and definitely challenging to get all 7 flags. So let’s get into it.

I started off by doing my usual scan with nmap.

As you can see, there are a bunch of ports open:

  • 22 ssh
  • 80 http
  • 3129 http-proxy (why does a web server need a proxy?)
  • 3306 mysql
  • 4444 ftp
  • 21211 ftp

Accessing the webpage gives us a forbidden page, and inspecting the page gives us nothing either.

Trying to connect to the database didn’t work either. So far I’m getting nothing, so now I try to connect to the server via ssh. What’s this? A dragon?

wDOW0gW/QssEtq5Y3nHX4XlbH/Dnz27qHFhHVpMulJSyDCvex++YCd42tx7HKGgB is text encrypted with AES in ECB mode using the key xxxxx0000000xxxxxx (http://aesencryption.net/). Boom, my first flag of the challenge. Italy Flag: 0047449b33fbae830d833721edaef6f1

After searching around for a while, I decided to fire up burpsuite and take a look at the headers for the site. The second flag is in the X-XSS-PROTECTION header, base64-encoded (Q3JvYXRpYSBGbGFnOiAwYzMyNjc4NDIxNDM5OGFlYjc1MDQ0ZTljZDRjMGViYg==): Croatia Flag: 0c326784214398aeb75044e9cd4c0ebb.

Time to backtrack a little: why is there a web proxy for this site? Then it hit me, use it as a proxy server. So in Kali I added the proxy to the network (in the proxy settings) and had all the traffic go through the new proxy. Now I accessed the site and boom.

Ok, so it’s a Game of Thrones inspired CTF. Firing up nikto and scanning the site reveals a bunch of stuff, most importantly /blog/wp-login.php. Ok, so we are dealing with a WordPress site.

So let’s go to /blog and see what’s there. This takes you to a blog with a bunch of posts. I browsed through them until I came across the ‘I have a message for you’ post. Hmm ok, looking through the post reveals nothing, but hodor is highlighted, so maybe it’s a username or directory?

Going to /blog/hodor reveals a hidden page with a link.

Downloading the file gives you a zip file with an image in it. Extracting it gives the third flag (UG9ydHVnYWwgRmxhZzogYTI2NjNiMjMwNDVkZTU2YzdlOTZhNDA2NDI5ZjczM2Y=) Portugal Flag: a2663b23045de56c7e96a406429f733f.

Browsing through the site again, I came across a password-protected post.

I used the cewl tool to generate a password list from the website. Here I had to cheat a little, as I couldn’t get a password cracker to crack the password, which is Westerosi. The fourth flag is here (UGFyYWd1YXkgRmxhZzogNDc2MWI2NWYyMDA1MzY3NDY1N2M3ZTYxODY2MjhhMjk=) Paraguay Flag: 4761b65f20053674657c7e6186628a29.

Hmm, this page has a nice little clue: ‘The mother_of_dragons has a password which is in front of your eyes’. mother_of_dragons seems like a username, and this site has a login page (/blog/wp-login.php). The password for that username is in front of your eyes. Trying this on the login page got me nowhere. So what else can I use this for? Ahhh yes, FTP login: ftp <ip> 21211 with the username and password mentioned above. Listing the directory will show you two files, readme.txt and note.txt (which is hidden). Opening the readme.txt file says there’s a hidden file (note.txt).

Open the note.txt file.

Hmm ok, if you’re a fan of Game of Thrones then you will know that Daenerys doesn’t have any children, but three dragons: Drogon, Viserion, Rhaegal. So the password must be a combination of these. Back on the blog there is a post by Daenerys; clicking on that post and looking at the URL gives you the WordPress username mother_of_dragons. Now on to the WordPress login page: using wpscan to brute-force the page, the password ended up being RhaegalDrogonViserion. Now that we are in the control panel for the WordPress site, time to snoop around.

After a while of snooping I came across the fifth flag in the user profile for Daenerys (VGhhaWxhbmQgRmxhZzogNmFkNzk2NWQxZTA1Y2E5OGIzZWZjNzZkYmY5ZmQ3MzM=) Thailand Flag: 6ad7965d1e05ca98b3efc76dbf9fd733.

Now on to the 6th flag, using the pentestmonkey reverse shell (the basic setup can be found in my Mr.Robot walkthrough). After getting a reverse shell and poking around for a while I couldn’t find anything, until I ran cd ~ (the http user’s home) and ls -alt revealed reward_flag.txt, which gives you the sixth flag (TW9uZ29saWEgRmxhZzogNmI0OWMxM2NjY2Q5MTk0MGYwOWQ3OWUxNDIxMDgzOTQ=) Mongolia Flag: 6b49c13cccd91940f09d79e142108394.

Now on to the home stretch. The winterfell_messenger file has the set-group-id permission, which immediately reminded me of the pwnlab challenge, which had the same thing. This should give us the permissions of the file creator, which in this case is root. Executing the file gives a no such file or directory error. So basically we have to create a fake cat file that the binary will execute. To do this, echo "/bin/sh" > /tmp/cat, chmod 777 /tmp/cat to make it executable, and now add the path to the PATH variable: export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin. Executing the file gives us root.

Running ls -alt in the directory to reveal all the files gives us the seventh flag (U29tYWxpYSBGbGFnOiA0YTY0YTU3NWJlODBmOGZmYWIyNmIwNmE5NThiY2YzNA==) Somalia Flag: 4a64a575be80f8ffab26b06a958bcf34.

However, you can’t just use the cat command because we altered it; now we have to call cat directly by using /usr/bin/cat .flag.txt.

And that’s it for this challenge. Thanks for reading.

 

Vulnhub-Pwnlab:Init walkthrough

This week’s post, as the title suggests, is my walkthrough of Pwnlab:init by Claor. This challenge is a boot2root with a single flag to capture. The goal is to get into the system and gain root privileges. This was no easy task and I got stuck multiple times while going through it. But that’s the point of these challenges: to push yourself and learn new techniques.

So with the intro out of the way, let’s get started.

First let’s do an nmap scan of the web server.

Ok so the scan revealed multiple things:

  1. A web site is being hosted on this machine.
  2. It has a mysql database.
  3. rpcbind is open.

So let’s go and take a look at the site. It seems to be an image hosting server; you need an account to log in and host files. Trying some basic SQL injection got me nowhere, so I whipped out nikto and scanned the server.

A couple of really interesting things came up with this scan as well:

  1. No XSS protection.
  2. /images directory.
  3. /config.php file found, which may contain passwords.

The XSS vulnerability can’t help us with this challenge, so we’ll forget about it. But the image directory and config.php file are good starting points. After trying to find the specific PHP version the site was using, I decided to move on to specific exploit types. The page= variable in the URL gave me the idea that the site may be vulnerable to some sort of injection. This led me to Local File Inclusion (LFI).

Thanks to idontplaydarts, the php://filter command gave me the ability to download some of the files the system is hosting. So naturally I tried to get the config.php file.

(command= php://filter/convert.base64-encode/resource=config)

This gave me a base64-encoded version of the config.php file. So now all I have to do is decode it and boom, there’s the password for mysql.

So let’s log in to mysql and poke around.

And there they are, password hashes (or so I thought). After looking around trying to find what type of hash was being used, I realized that the passwords weren’t hashed at all, just base64-encoded again (note the == at the end of each password). So decoding them got me the following:

Now I have three users to log in as. But how will I log in? I could cheat a little and just log in from the VM, but that doesn’t sound like fun. So instead I opted to use the pentestmonkey reverse shell. I tried uploading the file straight to the server, but that wouldn’t work.

So instead of guessing what file types are accepted, I downloaded the upload page using the filter command. After decoding the page and browsing through it, some conditions had to be met before the file was accepted and uploaded:

  1. It had to be a jpg, jpeg, gif or png file.
  2. The MIME type had to match.
  3. No multiple extensions, so no shell.php.gif

Once the file was accepted it would have its name replaced with an md5 version and be uploaded to the /upload directory. To get this to work, take the reverse shell file, change the extension to .gif instead of .php and add GIF98 to the top of the file. Then upload the file to the server and browse to the /upload directory to see that the file has been uploaded.

After getting the file to upload, I now had to get it to execute. That is where I ran into a brick wall: I could not get it to execute. After hours of research and trying different things (using burpsuite to get it to run as straight PHP, using a null byte etc.) I decided to cheat and look at one of the solutions. It turns out the lang variable set in index.php is vulnerable to LFI. So after setting up netcat first (nc -lvp <port>) we can exploit the LFI. You also need to be logged in for this to work.

First install tamperdata (I used tamperdata as it’s the easiest way, but you could use burpsuite or zap as well). Then start tamperdata and refresh the page. It’ll ask you if you want to submit, abort or tamper; click tamper. Then in the cookie section, remove everything and enter lang=../upload/<filename>, with filename being the md5 version of the uploaded shell’s name. Presto, now I have a reverse shell.

Cat the passwd file to see what users are available, and there are the same users found in the mysql database. Now load up a shell with python -c "import pty;pty.spawn('/bin/sh');", su to user kent, enter the password we got before and boom, we are in. Since this is a boot2root, let’s see who has root privileges.

Well, no surprise really: only one root user, root. After poking around for a while as user kent I found nothing, so I decided to try the next user down the list, mike. However, that was a no-go.

Hmmm, that’s a little suss. Let’s try user kane.

Okay, sweet, we’re in as user kane; let’s see what he has in his home directory. What’s msgmike? Catting the file gives us a bunch of garbage, but looking at the permissions of the file you’ll notice an s. What’s that, you ask? Well, after a little research, it turns out the setgid (set group id) bit is set and the file is executable.

Since it’s executable, I decided to run it.

Damn, an error. But we now know that it needs cat to execute its contents. So cd into the tmp directory, echo "/bin/sh" > cat and chmod 777 cat to give it the right permissions. This again is where I ran into a brick wall and cheated a little. Turns out I needed to set the PATH correctly, so export PATH=.:$PATH fixed that. Then execute msgmike again and bam, we become user mike.

cd to /home/mike and ls the directory, and we get msg2root. Hmm, what’s that? Again, catting the file will only give you a screen full of garbage, so using strings I was able to find out that it asks for some text, echoes it back to the console and appends it to messages.txt. (strings prints out only the printable strings from a file.)

Looking at the file permissions, it belongs to root as well.

Since the program does not validate the input, entering ;/bin/sh returns a shell, and since the program executes as root, the shell is also root.
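The same root cause sits behind msgmike above, winterfell_messenger in the USV-CTF write-up and msg2root here: a set-id helper reaches a shell, which resolves cat through the caller’s PATH and parses whatever text the user typed. As an added example (not the challenges’ source; the vulnerable lines in the comment are a hypothetical reconstruction of what the write-up describes), here is how such a helper is written so that neither trick works: exec by absolute path with a fixed environment, and write the message with open/write so no shell ever sees it.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Vulnerable pattern (hypothetical reconstruction of what the write-up
 * describes for msgmike / winterfell_messenger / msg2root, NOT their source):
 *
 *     system("cat /home/mike/msg.txt");   // "cat" is resolved through the
 *                                         // caller's PATH, so /tmp/cat wins
 *     snprintf(cmd, sizeof cmd, "echo %s >> messages.txt", input);
 *     system(cmd);                        // a shell parses the user's text,
 *                                         // so ";/bin/sh" becomes a command
 */

/* Environment handed to any child: the caller's PATH is never consulted. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Hardened display helper: absolute path, fixed argv, fixed environment.
 * Returns cat's exit status (0 = success, 1 = file missing), -1 on failure. */
int show_file_safely(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "cat", "--", (char *)path, NULL };
        execve("/bin/cat", argv, SAFE_ENV);
        _exit(127); /* only reached if execve() itself fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened append helper: the bytes go straight into the file, so ";/bin/sh"
 * is stored as text and nothing is executed. Returns 0 on success, -1 on error. */
int append_message_safely(const char *logfile, const char *msg)
{
    int fd = open(logfile, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(msg);
    int ok = write(fd, msg, len) == (ssize_t)len && write(fd, "\n", 1) == 1;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    char path[] = "/tmp/msg2root_demo_XXXXXX"; /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    close(fd);
    append_message_safely(path, ";/bin/sh"); /* stored literally, never run */
    int rc = show_file_safely(path);         /* printed via /bin/cat */
    unlink(path);
    return rc;
}
```

Running it under a PATH that starts with /tmp still executes /bin/cat, and the ";/bin/sh" line simply appears in the output.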

Now that we have a root shell, cd into the root directory and cat flag.txt.

And that’s it.

Overall this was a challenging VM for me, but so much fun, and I really learnt a lot in the process.

Thanks for reading through, until next time, stay classy.

Vulnhub-Mr.Robot

I know it’s been a while since I last posted, but I’ve been super busy with work, uni and life in general. Now that everything has settled down (for the moment) it’s time to get back to posting on a regular basis. This post, as the title suggests, is a walkthrough for the Mr.Robot CTF created by the user Jason. I didn’t find this challenge too difficult, but did need some help at certain points. Enough rambling, let’s get started.

For this CTF there are 3 flags to capture, with each one increasing in difficulty. First off, let’s scan the VM with nmap. (nmap <ip-address> -p- -sSVC -A)

As you can see, ports 80 and 443 are open, meaning there’s a website being hosted. Navigating to it reveals that it’s just the promotional site used for the show Mr.Robot. After going through the site and getting nothing out of it, I decided to scan it using nikto. (nikto -host <ip address>)

Hey, what’s this? robots.txt, let’s take a look.

JACKPOT!!

Found key 1: 073403c8a58a1f80d943455fb30724b9.

Looking into fsocity.dic, it looks like a dictionary file used for brute-forcing login pages. Looking closely at the nikto output, the WordPress login page is found. Knowing that this VM is based on the show, I started manually typing in character names as usernames. Lo and behold, the username elliot works (that saved me some time brute-forcing the username).

Now that we have a username, I used wpscan to brute-force the login page with the dictionary file we got earlier (wpscan --url <ip address> --username elliot --wordlist fsocity.dic). This attack will take some time, so you might want to do something else while you wait. After wpscan is done, it should spit out the password ER28-0652 (FYI, it’s Elliot’s badge number at Allsafe).

After logging in to the site and poking around, I found nothing of use. This is where I got stuck, so I ended up using the Snooze Security video to get to the next step (he also had some great links in the description that I used later on). Basically he used the pentestmonkey reverse shell to get into the system, but make sure you add the following to the top of the PHP file, edit it with your machine’s IP address and the port you want to use, zip it and upload it through the WordPress plugin section:

/*
Plugin Name: reverse shell
Plugin URI: https://google.com
Description: reverse shell
Version: 1
Author: reverse shell
Author URI: https://google.com
Text Domain: reverse
Domain Path: /shell
*/

Source for the above: http://pastebin.com/GMwhCDtm; credit goes to Snooze Security.

Now that the file is uploaded, don’t click activate just yet; you need to set up netcat to listen for incoming traffic on the port you specified in the file with the following command: nc -vlp <port number>.

Once set up, hit activate; netcat should have been triggered and you now have a reverse shell. If for whatever reason netcat loses the connection, just run the command again and refresh the web page.

After again snooping around the system I came across the robot directory with key-2-of-3.txt and password.raw-md5. Using cat on the key gave me permission denied, but not on the password file.

Copying that hash and pasting it into google, the first link gave me abcdefghijklmnopqrstuvwxyz as the password.

(source: md5hashing)

Sweet, now that I have the password, let’s switch to user robot.

Nope, not going to be that easy.

After researching how to spawn a terminal from a shell, pentestmonkey came to the rescue again. Spawn a terminal with the python command python -c "import pty;pty.spawn('/bin/sh');".

Now we switch user, enter the password (also change the password to something easier to type) and boom, we are now user robot. Cat the key file and we are almost done.

Key 2: 822c73956184f694993bede3eb39f959.

Now on to key 3. Using the find command gave me nothing, so I now had to manually search through the directories to find key 3. I did so until I ran into the root folder, which did not let me in. So now I have to escalate my privileges to root to gain access to the directory. After trying a bunch of the commands from Reboot user, I came across one that worked, nmap --interactive, which you can read more about here. From what I understand it’s an interactive shell that you can pass nmap commands into.

After launching the interactive command, enter h and it will give you the help screen. ! gives the user the ability to pass shell commands, so why not just launch a shell with !sh. With that we are now root. cd into the root directory and cat the final key.

Key 3: 04787ddef27c3dee1ee161b21670b4e4.

That’s it for this VM. It was so much fun doing this and it taught me a lot of new tricks that I’ll use in other CTFs.

Until next time, stay classy internet.

Web for Pentesters 2: mass assignment

For this post I’ll be going through the mass assignment examples in Web for Pentesters 2. Mass assignment takes advantage of how some programming frameworks allow programmers to bind HTTP request parameters directly to variables. The attacker abuses this by sending extra request parameters to the system in the hope of overwriting parameters the code never meant to expose. OWASP has a great write-up on how it works in different languages and how to protect against it.

This walkthrough will show you how to exploit this flaw using a web proxy. These examples take advantage of the mass assignment flaw found in Ruby.

Example 1:

So first off, load up the example page, then the proxy of your choice, making sure it’s set up to intercept the traffic.

Then sign up as a regular user.

Once the request has been sent, go to your proxy app.

In the GET request, add the parameter &user[admin]=1 after the existing parameters.

Example 2:

Same as above; I think I may have done the first example a little wrong :S

 

Example 3:

This example follows the same steps as before, except instead of user[admin]=1 to get admin, you add user[company_id]=2 to gain access to company 2’s secret data.

That will be it for now; hopefully by next week I’ll have either the captcha examples or the randomness issues example done.