Wednesday, September 26, 2018
IMF
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine IMF.
- According to the author's description IMF contains a number of flags starting off easy and getting harder as the hacking process progresses, so that each flag gives a hint for the next flag.
- IMF can be downloaded from here:
https://www.vulnhub.com/entry/imf-1,162/
- Once downloaded and extracted with VirtualBox:
2 - ENUMERATION
- Using netdiscover to find the IP that corresponds to IMF:
- Scanning with Nmap:
- So there is just one service available, the web server at port 80. Let's connect directly via a browser:
2 - FLAG 1
- Examining the source of the script contact.php we find a reference to flag1:
- Storing and decoding with base64:
- So we have the 1st flag: allthefiles
3 - FLAG 2
- Also, in the same script contact.php we find 3 lines of characters ending with ==, which hints that it might be another base64-encoded string:
- Storing the characters and decoding with base64, we find a recursive reference to flag2:
- Storing and decoding with base64:
- So we have the 2nd flag: imfadministrator
4 - FLAG 3
- When trying the string achieved at the 2nd flag as a folder for the web server we get a login form:
- Viewing the source:
- Somebody called Roger gives us a message about SQL and a "hard-coded password".
- Having a look at the Contact Us tab we are offered 3 different potential usernames:
- Let's study the different responses from the server when using rmichaels, akeith or estone as usernames and any other random password:
- For rmichaels we have an answer of "invalid password":
- For akeith we have an answer of "invalid username":
- For estone we have an answer of "invalid username":
- We conclude that rmichaels is a valid username, although we don't know yet the password.
- However, at this point we know that the server is using the language PHP (contact.php), and Burp can help us to analyze what is happening when entering credentials at the login form.
- Let's use Burp to intercept the login process using rmichaels as username and an arbitrary password:
- First thing to do is to store the cookie value for later usage:
- Now, let's review the characteristics of the PHP strcmp() function.
- strcmp() compares two strings, returning 0 if they are equal; however, it also returns 0 if one of the arguments is a string and the other one an array, as explained here:
http://danuxx.blogspot.com/2013/03/unauthorized-access-bypassing-php-strcmp.html
https://marcosvalle.github.io/ctf/php/2016/05/12/php-comparison-vlun.html
- We can take advantage of that circumstance by modifying the parameter pass to pass[] (an array):
- Forwarding, the authentication is bypassed:
- Storing and decoding we get the flag3: continueTOcms
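- The comparison flaw described above, next to a hardened check, as an added example (not the IMF source; the function names and the placeholder password are assumptions). Before PHP 8, strcmp() given an array yields NULL with a warning, which a loose == 0 test accepts as equal; PHP 8 throws a TypeError instead.

```php
<?php
// Added example: constructed stand-in for the login check, not the IMF source.
// Assumption: the script compares the submitted password to a hard-coded
// value with strcmp() and a loose "== 0" test.

const HARDCODED = 'constructed-placeholder-password';

// Weak form: strcmp(array, string) gives NULL in PHP 5/7 and NULL == 0 is
// true, so a request carrying pass[]=x is treated as a match.
function login_weak($pass): bool
{
    try {
        return @strcmp($pass, HARDCODED) == 0;
    } catch (TypeError $e) {
        return false; // PHP 8+: the engine rejects the array argument
    }
}

// Hardened form: refuse anything that is not a string, then verify against
// a stored hash instead of a plaintext constant.
function login_hardened($pass, string $storedHash): bool
{
    if (!is_string($pass)) {
        return false;
    }
    return password_verify($pass, $storedHash);
}

$storedHash = password_hash(HARDCODED, PASSWORD_DEFAULT);

// Constructed inputs: what $_POST['pass'] would hold in each case.
$cases = [
    'correct string' => HARDCODED,
    'wrong string'   => 'guess',
    'array (pass[])' => ['x'],
];

foreach ($cases as $label => $input) {
    printf("%-16s weak=%s hardened=%s\n", $label,
        var_export(login_weak($input), true),
        var_export(login_hardened($input, $storedHash), true));
}
```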
5 - FLAG 4
- Following the advice at flag3 let's continue by clicking IMF CMS (after disabling Burp's interception):
- Enumerating the potential databases with sqlmap and option --dbs:
- Searching for tables at database admin:
- Dumping the content of admin -> pages:
- The result of the dump shows that under pages there is another hidden folder called tutorials-incomplete. Let's check it:
- At the lower left side of the picture we can find one QR code. Isolating and decoding it with xing we get the flag4:
- Storing and decoding flag4:
- The script uploadr942.php leads us to a very interesting uploading page:
6 - FLAG 5
- Let's try some uploads to learn whether there is any type of restriction or filter on the format of the uploaded files.
- First, we learn that uploading a PHP file is not allowed:
- However, the same script adding the string GIF89 and renaming with the .gif extension is accepted:
- Viewing the source, there is a string that refers to the successfully loaded file:
- Trying to visit the /uploads folder we notice that it is forbidden, but it means that at least we know of its existence:
- We are able to confirm that the file has been successfully uploaded to /uploads:
- Now, let's try to execute some commands remotely from the browser.
- For instance, who is our user:
- Where we are:
- Listing the content of the folder /uploads we detect the presence of the text file flag5_abc123def.txt:
- By the way, the rest of the content corresponds to other uploaded files during previous trials, as well as the current valid test.gif script.
- Reading flag5_abc123def.txt we find the flag5:
- Storing and decoding with base64, we find that the flag 5 is agentservices:
7 - FLAG 6
7.1 - Locating the agent service
- Now, the flag 5 agentservices should be our passport to the final root access.
- Searching for some agent service, it seems that it works at port tcp/7788:
- Locating the executable agent:
- Checking permissions for agent:
- Running it, and Agent ID is required:
7.2 - Port knocking
- Looking for more interesting content at /usr/local/bin we find an access_codes file:
- Reading access_codes, it seems like a port knock sequence:
- While port 7788 is filtered by default ...
- ... after executing command knock (following the information provided by access_codes) the port 7788 is open:
7.3 - Running the agent service
- Setting a Netcat listening session on port 7788:
- Connecting with Netcat from Kali to IMF's port 7788, where agent service is running:
- Let's transfer agent to our local machine:
- The transfer is successful:
- What type of file is agent:
- Giving execution permissions and running locally agent:
- Entering an invalid Agent ID like abcde:
- Let's ltrace our program, entering an arbitrary ID:
- It is noticeable that the function strncmp compares string abcde with string 48093572.
- Could this be the valid Agent ID? The answer is yes:
7.4 - Getting a remote limited shell with weevely
- weevely is a stealth PHP web shell that simulates a telnet-like connection. It is an essential tool for web application post exploitation, and can be used as a stealth backdoor or as a web shell to manage legit web accounts, even free hosted ones.
https://tools.kali.org/maintaining-access/weevely
- Using weevely let's generate a PHP script called prueba with the password secreto:
- Reading prueba:
- Adding GIF89 to the top of the script and renaming with the extension .gif:
- Now, it is time to upload prueba.gif to IMF:
- The upload is successful, and the server sends back a code referring to the uploaded script:
- Launching weevely from Kali, we achieve a low privileged remote shell at IMF:
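- Why the GIF89 prefix and .gif extension got past the upload filter here and in the FLAG 5 section, next to a stricter check, as an added example (not the IMF upload script; the function names, file names and sample bytes are constructed, and the weak check is an assumed model of the filter).

```php
<?php
// Added example; constructed inputs, not the IMF upload script.

// Weak check (assumed behaviour): trusts the extension and a magic prefix.
function upload_ok_weak(string $name, string $bytes): bool
{
    return preg_match('/\.gif$/i', $name) === 1
        && strncmp($bytes, 'GIF89', 5) === 0;
}

// Stricter check: allow-listed name, no PHP open tag anywhere in the body,
// and a header that PHP itself identifies as GIF.
function upload_ok_strict(string $name, string $bytes): bool
{
    if (preg_match('/^[A-Za-z0-9_-]+\.gif$/', $name) !== 1) {
        return false;
    }
    // getimagesizefromstring() reads only the header, so a script with a GIF
    // prefix would pass it; scan the whole body for open tags as well.
    if (preg_match('/<\?(php|=|\s)/i', $bytes) === 1) {
        return false;
    }
    $info = @getimagesizefromstring($bytes);
    return $info !== false && $info[2] === IMAGETYPE_GIF;
}

// Constructed samples: a minimal 1x1 GIF and a harmless script with a prefix.
$realGif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
         . "\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
$prefixed = "GIF89\n<?php echo 'constructed marker'; ?>";

$samples = [
    ['photo.gif', $realGif],
    ['test.gif',  $prefixed],
    ['test.php',  $prefixed],
];
foreach ($samples as [$name, $bytes]) {
    printf("%-10s weak=%s strict=%s\n", $name,
        var_export(upload_ok_weak($name, $bytes), true),
        var_export(upload_ok_strict($name, $bytes), true));
}
```

Content checks like these are a second layer: the primary control is to store uploads where the web server does not hand files to the PHP interpreter.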
7.5 - Privilege Escalation
- The final step, exploiting the executable agent with the goal of getting a root shell, will be done shortly.