Tuesday, 5 July 2016

Breach v1 challenge

Hello all,
I would like to present you Breach:1 challenge write-up.
First in a multi-part series, Breach 1.0 is meant to be beginner to intermediate boot2root/CTF challenge. Solving will take a combination of solid information gathering and persistence. Leave no stone unturned.

Scanning phase
Nmap scanning all ports consume a lot of time, probably our target has a lot of open ports. So, let's try enumerate the most common ports.

I was trying play with ftp/21 and ssh/22 but in spite of fact that these ports are open, we cannot connect to it. Maybe the best idea will be bagin from website.

This is default web page. I run dirb, so

Nothing interesting... Let's display source code of default page
The red string looks interesting, isn't it? For me it is someting encoded via base64. I decoded the string twice and I have got
It looks like a some credentials. I clicked on the picture in the default web page and I was redirected to
 Great! We can see links to Employee portal for example.

Very good! We see that we can use our retireved credentials from base64 string and try to log in to the panel.

We have to find some opportunity to upload reverse shell script. I click on several links and I found

That's very important information, because before I found in my messages information that administrator deliver us to Java keystore file on /.keystore location. Now we should be able to do something useful.
Let's try obtain SSL Certificate from the keystore file.and then we will need to decrypt Wireshark packet using obtained certificate.
I decrypt the *.pcap file and

Wow! Do you know what it mean? Let's do that!

Maybe *.pcap file contains valid credentials.

Great! We have to decode the string using base64 decoder and we will get

Excellent! Let's try and....

Amazing! Now we are on a good way to upload reverse shell war file using Manager. Execute it and..

We have got limited shell! I have found in one of the *.php file that valid credentials for MySQL is root:<blank> so I have logged in and find something useful :)

I've cracked the MD5 hashed string and I have got milton:thelaststraw. I was trying a lot of ways to escalate our privileges - without success... I was trying use some known exploit and find any useful file... Hmmm, to be honest I don't know what now... I examined web application again and I downloaded each pictures from /images directory and unexpected BINGO!

Maybe it is something like a password? Let's verify it

so, let's check what we can do as a root

User blumbergh may run the following commands on Breach:
    (root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh
Quite interesting, isn't it?