Today I would like to present a CTF5 walkthrough.
root@osboxes:~# nmap -sn 192.168.1.0/24
Starting Nmap 6.47 ( http://nmap.org ) at 2016-04-10 13:15 BST
[CUT]
Nmap scan report for 192.168.1.130
Host is up (0.00080s latency).
MAC Address: 00:0C:29:44:6B:32 (VMware)
Nmap scan report for 192.168.1.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.69 seconds
OK, now we know the target IP. Let's enumerate the running services on this machine in Aggressive Mode.
root@osboxes:~# nmap -sV -A -p- 192.168.1.130
Starting Nmap 6.47 ( http://nmap.org ) at 2016-04-10 13:18 BST
Nmap scan report for 192.168.1.130
Host is up (0.00096s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7 (protocol 2.0)
| ssh-hostkey:
| 1024 05:c3:aa:15:2b:57:c7:f4:2b:d3:41:1c:74:76:cd:3d (DSA)
|_ 2048 43:fa:3c:08:ab:e7:8b:39:c3:d6:f3:a4:54:19:fe:a6 (RSA)
25/tcp open smtp Sendmail 8.14.1/8.14.1
| smtp-commands: localhost.localdomain Hello [192.168.1.101], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 2.2.6 ((Fedora))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Phake Organization
110/tcp open pop3 ipop3d 2006k.101
|_pop3-capabilities: LOGIN-DELAY(180) USER TOP STLS UIDL
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/0 rpcbind
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 32768/udp status
|_ 100024 1 60634/tcp status
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
143/tcp open imap?
|_imap-capabilities: completed OK SCAN ESEARCH THREAD=REFERENCES LITERAL+ MAILBOX-REFERRALS IMAP4REV1 SORT STARTTLSA0001 WITHIN UIDPLUS CAPABILITY CHILDREN LOGIN-REFERRALS SASL-IR MULTIAPPEND IDLE THREAD=ORDEREDSUBJECT BINARY NAMESPACE UNSELECT
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
901/tcp open http Samba SWAT administration server
| http-auth:
| HTTP/1.0 401 Authorization Required
|_ Basic realm=SWAT
|_http-title: 401 Authorization Required
3306/tcp open mysql MySQL 5.0.45
| mysql-info:
| Protocol: 53
| Version: .0.45
| Thread ID: 3
| Capabilities flags: 41516
| Some Capabilities: ConnectWithDatabase, Support41Auth, LongColumnFlag, Speaks41ProtocolNew, SupportsTransactions, SupportsCompression
| Status: Autocommit
|_ Salt: ~Z(W]MJkZb_85A)HljN*
60634/tcp open status 1 (RPC #100024)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/0 rpcbind
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 32768/udp status
|_ 100024 1 60634/tcp status
[CUT]
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a-6.fc8)
| Computer name: localhost
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: localhost.localdomain
|_ System time: 2016-04-10T04:22:33-04:00
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
[CUT]
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 284.55 seconds
OK, we have got a lot of information about our target. I am pretty sure that we should begin the penetration test with TCP port 80.
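As an added example (not part of the original walkthrough), here is a defender's read of the same scan: a small Python script that parses nmap's normal-output port table and flags what this host exposes. The sample text is a constructed excerpt of the output above, and the set of services treated as internal-only is my own assumption for the example.

```python
import re

# Constructed excerpt of the nmap -sV -A output shown above (not the full scan).
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7 (protocol 2.0)
25/tcp open smtp Sendmail 8.14.1/8.14.1
80/tcp open http Apache httpd 2.2.6 ((Fedora))
110/tcp open pop3 ipop3d 2006k.101
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
901/tcp open http Samba SWAT administration server
3306/tcp open mysql MySQL 5.0.45
Host script results:
| smb-security-mode:
|_ Message signing disabled (dangerous, but default)
"""

# Matches one row of nmap's port table: "<port>/<proto> <state> <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Assumed policy for this example: services that should only be reachable
# from trusted hosts, never from an arbitrary client on the LAN.
INTERNAL_ONLY = {"mysql", "rpcbind", "netbios-ssn", "pop3", "imap", "smtp"}


def parse_ports(text: str) -> list:
    """Return one dict per 'open' row in the port table, ignoring script output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m and m.group(3) == "open":
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "service": m.group(4), "version": m.group(5).strip()})
    return ports


def findings(text: str) -> list:
    """Turn the parsed ports plus host-script lines into review findings."""
    out = []
    for p in parse_ports(text):
        if p["service"] in INTERNAL_ONLY:
            out.append(f"{p['port']}/{p['proto']} {p['service']}: restrict to trusted hosts")
        if "SWAT" in p["version"]:
            out.append(f"{p['port']}/{p['proto']}: Samba SWAT admin UI exposed over plain HTTP")
    if "Message signing disabled" in text:
        out.append("SMB signing disabled: set 'server signing = mandatory' in smb.conf")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_NMAP):
        print(f)
```

On the excerpt this yields eight findings: six internal-only services, the SWAT interface on 901/tcp, and the disabled SMB signing.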
Nothing special... I examined the web application, clicking on each link and running DirBuster.
We are also able to display Events.
Hmm, we can see that the /~andy/ path has, for example, a link to the administration panel, and we know that the application handles webmail.
Let's examine the Administration Login.
Unfortunately this admin panel is resistant to SQL injection, but we also know that the application uses NanoCMS. Let's check whether NanoCMS has a public exploit.
I found something interesting:
NanoCMS '/data/pagesdata.txt' Password Hash Information Disclosure Vulnerability
Let's try opening the path.
Good! Now we are able to crack the MD5 hash of the password. Finally I cracked the hash and got:
9d2f75377ac0ab991d40c91fd27e52fd MD5 : shannon
So, we know the admin's credentials! Let's log in to the admin panel as admin.
Excellent! We are logged in. I clicked on each link, and to me New Page and Pages & Options look interesting.
My idea is to create a new page containing reverse shell code.
OK, I execute
nc -nlvp 53
and then
Great! We have got a limited shell! I searched through a lot of files and found this in /home/patrick/.tomboy/:
Root password is probably 50$cent.
Game over