CTF RED 1: Walkthrough

Sumber: https://readysetexploit.gitlab.io/home/vulnhub/red/

Di kali linux. Cek IP address Kali Linux

hostname -I

192.168.0.156 fddc:e149:a774::5b6 fddc:e149:a774:0:f944:23ee:7982:825

Cari IP address Red

netdiscover -r 192.168.0.0/24

Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                                                                                                                                       
19 Captured ARP Req/Rep packets, from 19 hosts.   Total size: 1140                                                                                        
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------
.....                                                                            
192.168.0.155   08:00:27:89:06:41      1      60  PCS Systemtechnik GmbH                                                                                  
.....

Mac address 08:00:* PCS systemtechnik tampaknya adalah MAC dari VirtualBox. Maka IP address Red kita dapatkan.

Port Scan Target.

sudo nmap -v --min-rate 10000 192.168.0.155 | grep open

Discovered open port 22/tcp on 192.168.0.155
Discovered open port 80/tcp on 192.168.0.155
22/tcp open  ssh
80/tcp open  http

Lakukan full port scan

nmap -v -sV -sC -oN nmap 192.168.0.155 -p-

Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-09 22:28 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating ARP Ping Scan at 22:28
Scanning 192.168.0.155 [1 port]
Completed ARP Ping Scan at 22:28, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:28
Completed Parallel DNS resolution of 1 host. at 22:28, 0.01s elapsed
Initiating SYN Stealth Scan at 22:28
Scanning 192.168.0.155 [65535 ports]
Discovered open port 22/tcp on 192.168.0.155
Discovered open port 80/tcp on 192.168.0.155
Completed SYN Stealth Scan at 22:28, 2.68s elapsed (65535 total ports)
Initiating Service scan at 22:28
Scanning 2 services on 192.168.0.155
Completed Service scan at 22:28, 13.24s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.0.155.
Initiating NSE at 22:28
Completed NSE at 22:28, 1.02s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.07s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Nmap scan report for 192.168.0.155
Host is up (0.000096s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 8d5365835252c4127249be335dd1e71c (RSA)
|   256 06610a49864364cab00c0f09177b33ba (ECDSA)
|_  256 9b8d90472ac1dc11287d57e08a23b469 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Hacked By Red – Your site has been Hacked! You\xE2\x80\x99ll neve...
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-generator: WordPress 5.8.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:89:06:41 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 

NSE: Script Post-scanning.
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.17 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB) 

Hasilnya, target mempunya dua port yang terbuka,

   Port 22 running OpenSSH
   Port 80 running Apache HTTP

Kita tidak bisa berbuat banyak untuk SSH, oleh karena itu mari kita jajal web.

Coba akses Web

http://192.168.0.155/

Tampaknya wordpress, tapi dengan kondisi di hack.

Lihat source web (CTRL-U) Di awal source page akan tampak

<meta name='robots' content='max-image-preview:large' />
<link rel='dns-prefetch' href='//redrocks.win' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="Hacked By Red » Feed" href="http://redrocks.win/feed/" />
<link rel="alternate" type="application/rss+xml" title="Hacked By Red » Comments Feed" href="http://redrocks.win/comments/feed/" />

Tampaknya redrocks.win adalah web yang menarik. Kita perlu set /etc/hosts agar ada host redrocks.win

vi /etc/hosts

Isi dengan

192.168.0.155   redrocks.win
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

Akses / Browse Web

http://redrocks.win/

Klik

Hello Blue!

Lihat source (CTRL-U). Ada clue menarik

• Ada kata2 "Looking For It?" kayanya seperti LFI - Local File Inclusion.
• Mr. Miessler yang mengupakan penulis Seclists di sebutkan.
• Juga di sebut "you won't be able to read anything"

Jika di satukan semua maka

• kemungkinan besar backdoor yang ada bukan shell backdoor biasa,
• tapi LFI.
• kemungkinan menggunakan PHP backdoors list karena WordPress berjalan di Apache PHP.

Coba di test menggunakan gobuster common PHP backdoors

apt update
apt -y install golang-go
go install github.com/OJ/gobuster/v3@latest
apt -y install gobuster

Coba ambil CommondBackdoors-PHP untuk di cek

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt

gobuster dir -w CommonBackdoors-PHP.fuzz.txt -x .php -u http://redrocks.win/ -o dir80.txt -z

Hasilnya,

===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://redrocks.win/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                CommonBackdoors-PHP.fuzz.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2023/02/10 01:54:59 Starting gobuster in directory enumeration mode
===============================================================
/NetworkFileManagerPHP.php (Status: 500) [Size: 0]
===============================================================
2023/02/10 01:55:12 Finished
===============================================================

Kita melihat ada file yang tidak normal NetworkFileManagerPHP.php

cek di google keyword

NetworkFileManagerPHP.php

Hasilnya,

Mungkin maksud Anda adalah: Network File Manager PHP.php

webshells/NetworkFileManagerPHP.php at master - GitHub
https://github.com › BlackArch › webshells › blob › Netw...
Various webshells. We accept pull requests for additions to this collection. - webshells/NetworkFileManagerPHP.php at master · BlackArch/webshells.

Tampaknya sebuah webshell.

Tapi berdasarkan hint yang kita miliki Red akan menggunakan LFI backdoor. Install seclists

sudo apt -y install seclists

atau yang lebih lengkap

wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \
  && unzip SecList.zip \
  && rm -f SecList.zip

Mari cek menggunakan wfuzz,

wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ-test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt 

Hasilnya,

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://redrocks.win/NetworkFileManagerPHP.php?FUZZ-test
Total requests: 6453

=====================================================================
ID           Response   Lines    Word       Chars       Payload              
=====================================================================

000000017:   500        0 L      0 W        0 Ch        "ABBR"               
000000014:   500        0 L      0 W        0 Ch        "3DSecureStatus"     
000000016:   500        0 L      0 W        0 Ch        "A"                  
000000015:   500        0 L      0 W        0 Ch        "4"                  
000000013:   500        0 L      0 W        0 Ch        "3"                  
000000019:   500        0 L      0 W        0 Ch        "ACTION"             
000000003:   500        0 L      0 W        0 Ch        "12"                 
000000018:   500        0 L      0 W        0 Ch        "ACCESSLEVEL"        
000000001:   500        0 L      0 W        0 Ch        "1"                  
000000007:   500        0 L      0 W        0 Ch        "16"                 
000000012:   500        0 L      0 W        0 Ch        "23"                 
000000011:   500        0 L      0 W        0 Ch        "22"                 
000000006:   500        0 L      0 W        0 Ch        "15"                 
000000010:   500        0 L      0 W        0 Ch        "21"                 
000000002:   500        0 L      0 W        0 Ch        "11"                 
000000009:   500        0 L      0 W        0 Ch        "2"                  
000000008:   500        0 L      0 W        0 Ch        "17"                 
000000005:   500        0 L      0 W        0 Ch        "14"                 
000000004:   500        0 L      0 W        0 Ch        "13"                  

Lanjut,

wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ-test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt --hh 500

wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ-test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt --hc 404

Hasilnya,

Referensi

• https://readysetexploit.gitlab.io/home/vulnhub/red/