Hello again. This is my second post about a CTF challenge that I have explored. It is a guide for newcomers who want to learn about CTFs. This is my second time trying a challenge in a CTF environment.
Description: This box is OSCP-style and focused on enumeration, with medium-difficulty exploitation. The goal is to get root. It does not require any brute-forcing. Proper hints are given at each step to move ahead.
The steps: A summary of the steps required to solve this CTF:
- Getting the target machine IP address by using arp-scan
- Getting open port details by using the Nmap Tool
- Identifying vulnerability in running application
- Running brute-forcing on a parameter value
- Enumerating subdomains
Identify The Target
Step 1: ARP Scan Tool
Identify the target machine's IP address. We are running the Vulnhub box in a virtual machine on the same network (NAT configuration), so the arp-scan tool is used for this purpose. The output of the command can be seen in the following screenshot.
sudo arp-scan -l
Scan Open Ports
Step 2: NMap Discovery Tool
Find the open ports and services available on the target machine using Nmap. The results can be seen in the following screenshot.
nmap -sV -sC -p- 192.168.61.128
So the results show that ports 80 and 3306 are open. The '-sV' option is for version enumeration, while '-sC' runs the default scripts provided by Nmap. I also used the '-p-' option for a full port scan. It is important to conduct a full port scan during a pentest or when solving a CTF, so that no service is missed.
Webserver Enumeration
Step 3: Enumeration
Since port 80 is open, let's see what is displayed on the webserver. Enumeration will start from here. The response from the webserver can be seen below.
Next, check the page source for anything intriguing. After going through a few files, the js/main.js file turned up something interesting.
Valuable information is shown in this file: SeedDMS, a document management system (DMS), version 5.1.22.
Search For Exploits and Vulnerabilities
Materials collected:
- Git repo: https://sourceforge.net/projects/seeddms/files/seeddms-5.1.22/
- Exploit: https://www.exploit-db.com/exploits/47022
An RCE was identified for version 5.1.10. This will be used as a reference for the remote command execution later.
Analysing
Running a DirB scan brought me nothing. However, looking at the structure of SeedDMS in the repo, it has a well-defined directory layout. Among these directories, 'conf' contains the configuration of the web app.
As we can see, I found the /conf directory, which returns a forbidden message. This is because a .htaccess file restricts directory browsing; this can be seen in the repository linked above.
After that, let's visit the path on the target.
I found the database server's username and password. So let's log in to the server.
mysql -h 192.168.19.131 -u<username> -p -D<database_name>
Next, show the tables.
SHOW TABLES;
Only one table lacks the 'tbl' prefix: "users". So let's find out what is in it.
SELECT * FROM users;
There were login credentials for one user on the target. However, I didn't have the name of the user or a shell to log into. So I tried to log into the web app (default page). Since I have access to the database, I updated the password of the administrator. *I did not decode the old password.*
SELECT login,pwd FROM tblUsers;
The password is stored as an MD5 hash. We can use MD5 tools that are available online to produce the hash of a new password. I will use the Burp Suite Decoder to hash a new password. My new password for this admin is going to be 'admin'.
Then I update the admin password in MySQL.
UPDATE tblUsers
SET pwd='21232f297a57a5a743894a0e4a801fc3'
WHERE login='admin';
Lastly, I logged in to http://192.168.61.128/seeddms51x/seeddms-5.1.22 using the new admin password.
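The reason the password swap above works is that tblUsers.pwd holds a bare, unsalted MD5 digest, so anyone with database write access can drop in the digest of a password of their choosing, and anyone with read access can attack the stored digests offline. The following Python script is an added example, not code from the walkthrough or from SeedDMS: it verifies that the hash used above is MD5("admin"), audits a constructed set of tblUsers-style rows for unsalted MD5 storage, and shows the salted PBKDF2-HMAC-SHA256 scheme a defender would migrate to. The row contents and the "pbkdf2_sha256$iterations$salt$digest" storage format are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Hash from the walkthrough above: the unsalted MD5 digest of the string "admin".
WALKTHROUGH_ADMIN_HASH = "21232f297a57a5a743894a0e4a801fc3"

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 210_000


def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest, the scheme found in tblUsers.pwd on this box."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def looks_like_unsalted_md5(stored: str) -> bool:
    """32 hex characters and nothing else: no salt, no algorithm tag, no work factor."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def audit_password_storage(rows: List[Tuple[str, str]]) -> List[str]:
    """Return the logins whose stored credential is a bare MD5 digest."""
    return [login for login, pwd in rows if looks_like_unsalted_md5(pwd)]


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the salt is random per user unless supplied."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Assumed storage format: algorithm $ iterations $ salt(hex) $ digest(hex).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the verifier itself leaks no timing information.
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample of what SELECT login,pwd FROM tblUsers might contain.
# These are example rows, not rows taken from the box.
SAMPLE_ROWS = [
    ("admin", WALKTHROUGH_ADMIN_HASH),
    ("guest", md5_hex("guest")),
    ("svc_backup", pbkdf2_hash("example-only-password", salt=b"\x01" * 16, iterations=1000)),
]


if __name__ == "__main__":
    print("md5('admin') equals the walkthrough hash:",
          md5_hex("admin") == WALKTHROUGH_ADMIN_HASH)
    print("accounts still stored as unsalted MD5:", audit_password_storage(SAMPLE_ROWS))
    stored = pbkdf2_hash("admin")
    print("pbkdf2 verify, correct password:", pbkdf2_verify("admin", stored))
    print("pbkdf2 verify, wrong password:", pbkdf2_verify("admin1", stored))
```

The audit function is the part worth running against a real dump: a 32-character hex string with no algorithm tag is exactly what makes the UPDATE in this walkthrough possible, and migrating those rows to a salted, iterated scheme on next login removes both the offline-cracking and the silent-overwrite problem.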
Exploiting The Target
Remote command execution
SeedDMS is for managing documents. After exploring the website, I found that there is a feature to upload files. So I tried to upload a web shell and execute it.
First, a port needs to be opened to listen for an incoming connection. I will use a netcat command to listen on port 9001.
nc -nlvp 9001
I will use the PentestMonkey PHP reverse shell, modified with my IP and port.
Check the exploit on https://www.exploit-db.com/exploits/47022
After that, navigate to 'Add document' on the dashboard. Then, there will be an option to upload a file.
After uploading the file, note the document ID corresponding to the uploaded file. This is required for the exploit.
Now go to http://yourtargetip/seeddms51x/data/1048576/<document_id>/1.php to get a reverse shell.
http://192.168.61.128/seeddms51x/data/1048576/4/1.php
Netcat is now receiving a connection on port 9001. The reverse shell is working.
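Two things in this walkthrough leave clear traces in the web server's access log: the reads of the /conf directory that exposed the database credentials, and the request to an uploaded .php file inside the SeedDMS data store (data/<folder>/<document_id>/<version>.php), where only document content should ever be served. The Python script below is an added example, not code from the post or from SeedDMS: it parses Apache/nginx combined-format access log lines and flags both patterns. The log lines are constructed for the example, the combined log format is an assumption about the target's logging, and the op.AddDocument.php path in the sample is only a placeholder for the upload request.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Apache/nginx "combined" access log line. Assumed format; adjust if the server differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Rule 1: any request into a conf directory under the SeedDMS web root.
# The walkthrough read the database credentials from exactly this location.
CONF_RE = re.compile(r'/seeddms[^"\s]*/conf(?:/|$)', re.I)

# Rule 2: a script extension under data/<folder>/<document_id>/ (the document store),
# which should only ever hold uploaded document content, never executable code.
DATA_SCRIPT_RE = re.compile(
    r'/data/\d+/\d+/[^/?]+\.(?:php\d?|phtml|phar)(?:\?|$)', re.I
)


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: str
    rule: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[Hit]:
    """Apply both rules to every parseable line and collect the matches."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if CONF_RE.search(path):
            hits.append(Hit(rec["ip"], rec["ts"], path, rec["status"], "config-dir-access"))
        if DATA_SCRIPT_RE.search(path):
            hits.append(Hit(rec["ip"], rec["ts"], path, rec["status"], "script-in-document-store"))
    return hits


# Constructed sample log (not captured from the box). The 403 on /conf/ is the
# directory-listing block the walkthrough mentions; the 200 on a file inside it is the leak.
SAMPLE_LOG = """
192.168.61.50 - - [12/Mar/2024:09:14:02 +0000] "GET /seeddms51x/seeddms-5.1.22/out/out.ViewFolder.php?folderid=1 HTTP/1.1" 200 6120
192.168.61.50 - - [12/Mar/2024:09:14:30 +0000] "GET /seeddms51x/conf/ HTTP/1.1" 403 279
192.168.61.50 - - [12/Mar/2024:09:14:41 +0000] "GET /seeddms51x/conf/settings.xml HTTP/1.1" 200 14873
192.168.61.50 - - [12/Mar/2024:09:20:05 +0000] "POST /seeddms51x/seeddms-5.1.22/op/op.AddDocument.php HTTP/1.1" 302 0
192.168.61.50 - - [12/Mar/2024:09:20:19 +0000] "GET /seeddms51x/data/1048576/4/1.php HTTP/1.1" 200 0
192.168.61.51 - - [12/Mar/2024:09:21:00 +0000] "GET /seeddms51x/data/1048576/3/1.pdf HTTP/1.1" 200 88213
""".strip().splitlines()


def run_sample() -> List[Hit]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for h in run_sample():
        print(f"{h.rule:26} {h.ip} {h.status} {h.path}")
```

The second rule is the one with the lasting fix behind it: the web server should serve the data directory with script execution disabled (or keep it outside the document root entirely), at which point a request for 1.php returns the file's bytes instead of running them, and a 200 with a tiny response body on such a path becomes an unambiguous alert rather than an intrusion.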
Privilege Escalation to Root
Next, in the same netcat window, type in
python3 -c 'import pty;pty.spawn("/bin/bash")'
to spawn an interactive terminal (Python).
I will go through the /etc/passwd file to see which registered users have a shell on the system.
grep bash /etc/passwd
If you remember, when I went through the MySQL database there was information for the user saket, including the password. I'm going to use this account for the next step.
su -l saket
Next, check the sudo permissions of the user saket.
sudo -l
This user has access to everything, so root privilege is very possible! Now I just need to enter the command to escalate to a root shell.
sudo su -l
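The privilege escalation here needs no exploit at all: saket's sudoers entry grants ALL, so sudo su is the whole attack. The Python script below is an added example, not code from the post: it parses sudoers-format lines (the same rules sudo -l reports) and lists every non-root principal that can run any command, plus every NOPASSWD grant, which is the check a defender would run across a fleet to catch this configuration before a password reuse turns it into root. The sudoers excerpt is constructed for the example and the sudoers grammar handled is the common "user HOST=(runas) TAG: commands" form only; aliases and Defaults lines are skipped.

```python
import re
from typing import Dict, List, Tuple

# user-or-%group  host = (runas[:group])  TAG:  command[, command...]
SUDOERS_RE = re.compile(
    r'^\s*(?P<who>[^\s#]+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z]+:\s*)*)'
    r'(?P<cmds>.+?)\s*$'
)


def parse_sudoers(text: str) -> List[Dict[str, str]]:
    """Parse user specification lines; comments, blanks, Defaults and aliases are skipped."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = SUDOERS_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_risky_grants(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag non-root principals with ALL, and any passwordless grant."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        cmds = [c.strip() for c in e["cmds"].split(",")]
        tags = e["tags"] or ""
        if e["who"] != "root" and "ALL" in cmds:
            findings.append((e["who"], "unrestricted: any command as " + (e["runas"] or "root")))
        elif "NOPASSWD" in tags:
            findings.append((e["who"], "passwordless sudo for: " + ", ".join(cmds)))
    return findings


# Constructed /etc/sudoers excerpt (not taken from the box). The saket line
# reproduces the kind of grant the walkthrough found with sudo -l.
SAMPLE_SUDOERS = """
# constructed example
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
saket   ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
www-data ALL=(root) /usr/sbin/service apache2 restart
"""


def audit_sample() -> List[Tuple[str, str]]:
    return find_risky_grants(parse_sudoers(SAMPLE_SUDOERS))


if __name__ == "__main__":
    for who, why in audit_sample():
        print(f"{who:10} {why}")
```

Membership of the sudo group shows up here as the %sudo line, so on Debian-style hosts the audit should be paired with a check of who is actually in that group; a user who only needs to restart one service, like the www-data line, is the shape of a least-privilege grant.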
Finally, I gained root privileges!
The end.
Thank you for reading!