Wednesday, November 14, 2012
Hackin' The Boss [Part 2]
Before diving into the injectable "id" parameter, I wanted to explore other options to potentially gain complete control over the target. This would in effect make finding the remaining flags quite simple. With that goal in mind, and a local saved version of the "test.php" configuration page (which was removed by this time, of course I kept a copy) it was time to start looking for potential methods of ingress.
After exploring multiple OSINT sources (Shodan, Exploit-DB to name a few), I wasn't able to find much promising literature. Perhaps then, if the webapps weren't the gateway I needed, something else that could provide me access. A quick nmap of common ephemeral ports indicated that, as expected, ports 80 and 443 were open. However, port 22 (SSH) was also open. Not a ton of additional information, but enough for nmap to fingerprint the OS. Next up, the excellent Metasploit front-end gui, Armitage.
With Metasploit updated, I loaded up Armitage and ran a msfscan against the target host. Selecting "find attacks" revealed a large number of potential exploits to try. Since I was behind my totally not-at-all suspicious VPN, it was to time fire everything at the CTF server. Alas, all automated attempts failed and no sessions were established. Oh well, it can't always be easy! **Note: Apparently, the original CTF was designed to be vulnerable to the php_eval() module found in Metasploit, apparently this particular setup was not vulnerable.**
My first plan thwarted, it was time to dump the database and comb for useful information (and flags!). With ye olde sqlmap up and running, I fed the parameter "id=" to the beast. Within a minute, the entire database had been dumped to my local hard drive and while watching the console print the results, I noticed a pretty interesting flag that appeared to have credentials! Unfortunately, the console has scrolled far too quickly for me to catch the details, so I started to dig into the dumped db information to retrieve what looked to be my golden ticket.
After a quick search, I found the flag in the "board.users" table of the database which contained a user/password combination. The next flag was found in "test.notes", and this seemed to be the only other flag present in the db dump. I now had 5/11 (at the time, thought to be 12) flags, MySQL database credentials, and what appeared to be a user/password combination. From previous nmapping, I knew that port 22 was open, so it was time to try and login with the recovered credentials.
With the provided Username/Password combo, I was able to SSH successfully to the CTF server. The home directory contained a single file, an ELF executable, which accepted a string as its parameters. Sensing the presence of another flag a hexdumped the file and found flag #6 (I should have just run a strings against the file, but I wanted to see the context). I moved to the base directory and found another text file labelled "flag". Boom, #7. At this point, I wasn't entirely sure where to look next, so I poked around until I got to /etc/php/apache2 and catted out the php.ini file. Therein was flag #8.
Since I had the MySQL database credentials, why not connect to the database and check for the presence of more flags? Upon successful connection and enumeration of the table names, several simple SELECT * FROM queries confirmed the 2 previous flags I had found, and an additional flag in "board.posts" which I had previously missed. And thus Flag #10 was recovered.
Unfortunately, I wasn't able to recover the last flag. Apparently there was a webpage with a very colorful, animated image with a flag embedded as a test of one's steganography skills. I had suspected this seizure inducing page hid a flag, but I never suspected steganography. Yeah, I completely missed that one (I would blame colorblindness, but that likely isn't an adequate excuse). Oh well, 10 of 11 Isn't too bad!
All in all, this was a lot of fun. If you haven't participated in a CTF event before, I would highly recommend it. Especially if the CTF server belongs to your boss. That makes it all the sweeter.