Monday 11 April 2016

CTF5

Hi all,
Today I would like to present you a CTF5 walkthrough.

root@osboxes:~# nmap -sn 192.168.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2016-04-10 13:15 BST
[CUT]
Nmap scan report for 192.168.1.130
Host is up (0.00080s latency).
MAC Address: 00:0C:29:44:6B:32 (VMware)

Nmap scan report for 192.168.1.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.69 seconds
OK, now we know IP target. Let's enumerate running services on this machine with Agressive Mode
root@osboxes:~# nmap -sV -A -p- 192.168.1.130

Starting Nmap 6.47 ( http://nmap.org ) at 2016-04-10 13:18 BST

Nmap scan report for 192.168.1.130
Host is up (0.00096s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.7 (protocol 2.0)
| ssh-hostkey:
|   1024 05:c3:aa:15:2b:57:c7:f4:2b:d3:41:1c:74:76:cd:3d (DSA)
|_  2048 43:fa:3c:08:ab:e7:8b:39:c3:d6:f3:a4:54:19:fe:a6 (RSA)
25/tcp    open  smtp        Sendmail 8.14.1/8.14.1
| smtp-commands: localhost.localdomain Hello [192.168.1.101], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp    open  http        Apache httpd 2.2.6 ((Fedora))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Phake Organization
110/tcp   open  pop3        ipop3d 2006k.101
|_pop3-capabilities: LOGIN-DELAY(180) USER TOP STLS UIDL
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/0  rpcbind
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          32768/udp  status
|_  100024  1          60634/tcp  status
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
143/tcp   open  imap?

|_imap-capabilities: completed OK SCAN ESEARCH THREAD=REFERENCES LITERAL+ MAILBOX-REFERRALS IMAP4REV1 SORT STARTTLSA0001 WITHIN UIDPLUS CAPABILITY CHILDREN LOGIN-REFERRALS SASL-IR MULTIAPPEND IDLE THREAD=ORDEREDSUBJECT BINARY NAMESPACE UNSELECT
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
901/tcp   open  http        Samba SWAT administration server

| http-auth:
| HTTP/1.0 401 Authorization Required
|_  Basic realm=SWAT
|_http-title: 401 Authorization Required
3306/tcp  open  mysql       MySQL 5.0.45
| mysql-info:
|   Protocol: 53
|   Version: .0.45
|   Thread ID: 3
|   Capabilities flags: 41516
|   Some Capabilities: ConnectWithDatabase, Support41Auth, LongColumnFlag, Speaks41ProtocolNew, SupportsTransactions, SupportsCompression
|   Status: Autocommit
|_  Salt: ~Z(W]MJkZb_85A)HljN*
60634/tcp open  status      1 (RPC #100024)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/0  rpcbind
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          32768/udp  status
|_  100024  1          60634/tcp  status

[CUT]

Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.26a-6.fc8)
|   Computer name: localhost
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: localhost.localdomain
|_  System time: 2016-04-10T04:22:33-04:00
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

[CUT]

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 284.55 seconds
OK, we have got a lot of information about our target. I am pretty sure that we should begin penetration test from TCP 80 port.




Nothing special... I examine the web application clicking on each links and running dirbuster.























Also we are able to display Events





















Hmm, we can see that /~andy/ path has i.e link to administration panel and we know that the application handle webmail.
Let's examine Administration Login












Unfortunately this admin panel is resistant to SQL Injection attack, but we know also that the application uses NanoCMS. Let's examine whether the NanoCMS has a public exploit.
I found something interesting
NanoCMS '/data/pagesdata.txt' Password Hash Information Disclosure Vulnerability
Let's try open the path

 Good! Now we are able to crack MD5 hash of password. Finally I cracked the hash and I have got:
9d2f75377ac0ab991d40c91fd27e52fd MD5 : shannon
So, we know admin's credentials! Let's log in as admin to the admin panel.

Excellent! We are logged in. I am clicking on each links and for me, New Page and Pases & Options looks interesting.


My idea is to create our new page with reverse shell code.






















OK, I execute
nc -nlvp 53
and then

Great! We have got limited shell! I searched a lot of files and I found in /home/patrick/.tomboy/:





















Root password is probably 50$cent.











Game over