<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Walkthrough: Sunrise CTF</title>
<link rel="stylesheet" href="/theme/css/main.css" />
<link href="/feeds/all.atom.xml" type="application/atom+xml" rel="alternate" title="nothing0x00 Atom Feed" />
<!--[if IE]>
<script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body id="index" class="home">
<header id="banner" class="body">
<h1><a href="/">nothing0x00 <strong>Reflections on Hacking, Information Theory and Random Ephemera</strong></a></h1>
<nav><ul>
<li><a href="/pages/about.html">About Me</a></li>
<li><a href="/pages/contact.html">Contact</a></li>
</ul>
</nav>
<div id="submenu">
<ul>
<li class="active"><a href="/category/ctf.html">CTF</a></li>
<li><a href="/category/introduction.html">Introduction</a></li>
</ul>
</div>
</header><!-- /#banner -->
<section id="content" class="body">
<article>
<header>
<h1 class="entry-title">
<a href="/sunrise.html" rel="bookmark"
title="Permalink to Walkthrough: Sunrise CTF">Walkthrough: Sunrise CTF</a></h1>
</header>
<div class="entry-content">
<footer class="post-info">
<span>Wed 04 March 2020</span>
<span>| tags: <a href="/tag/ctf.html">#CTF</a></span>
</footer><!-- /.post-info --> <p>The Sunrise CTF machine is the third in a series, two of which (Dusk and Nightfall) have already been discussed on this blog.</p>
<p>Let's get this party started!</p>
<p>Upon launch the machine was allocated 192.168.56.109 by the host-only network's DHCP. Initial scanning shows that ports 22, 80, 3306 and 8080 are open.</p>
<p><img alt="initial_nmap" src="/images/sunrise/initial_nmap.png"></p>
<p>The SSH service on port 22 and the nginx server on port 80 seem, at first glance, to be uninteresting. The MariaDB server on port 3306 rejects connections from the attacking machine's IP.</p>
<p>The service on port 8080, however, looks like the initial point of ingress: it is a Weborf server, and nmap's scripts produce some interesting results against it.</p>
<p><img alt="weborf" src="/images/sunrise/weborf.png"></p>
<p>These results point to a possible path traversal vulnerability, an exposed /html/ folder that may help with navigation, and a server that supports DAV with risky HTTP verbs, which may allow a shell upload.</p>
<p>A quick search online confirms that this version of Weborf, 0.12.2, is vulnerable to path traversal. The exploit is explained at the link below:</p>
<p><a href="https://www.exploit-db.com/exploits/14925">https://www.exploit-db.com/exploits/14925</a></p>
<p>Because Weborf is designed to share directories, this vulnerability allows arbitrary directories to be accessed and listed. Reading /etc/passwd identified two users: weborf and sunrise.</p>
<p><img alt="etc_passwd" src="/images/sunrise/etc_passwd.png"></p>
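<p>From the defender's side, the traversal requests and the WebDAV probing described above leave a clear trail in the access log. The following is an added example (it is not code from the walkthrough or from the Weborf project): it parses constructed nginx combined-format log lines, URL-decodes each request path repeatedly so that both single- and double-encoded traversal sequences are caught, and also flags WebDAV methods against the exposed share. The log lines, IPs and user agents are constructed for the example.</p>

```python
"""Flag directory-traversal and WebDAV activity in web server access logs.

Added example, not code from the original walkthrough. The log lines are
constructed in nginx "combined" format; the request path is URL-decoded
repeatedly (bounded) so single- and double-encoded traversal sequences
such as ..%2f and %252e%252e are both caught.
"""
import re
from urllib.parse import unquote

# Constructed sample: a normal fetch, two traversal attempts (one double-encoded),
# a static asset and a WebDAV PROPFIND against the exposed /html/ share.
SAMPLE_LOG = """\
192.168.56.1 - - [04/Mar/2020:10:01:02 +0000] "GET /html/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.1 - - [04/Mar/2020:10:01:05 +0000] "GET /..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1804 "-" "curl/7.68.0"
192.168.56.1 - - [04/Mar/2020:10:01:09 +0000] "GET /%252e%252e/%252e%252e/home/sunrise/ HTTP/1.1" 200 230 "-" "curl/7.68.0"
192.168.56.1 - - [04/Mar/2020:10:01:12 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.168.56.1 - - [04/Mar/2020:10:01:15 +0000] "PROPFIND /html/ HTTP/1.1" 207 640 "-" "cadaver/0.23"
"""

# Groups: 1 = client IP, 2 = timestamp, 3 = method, 4 = request path, 5 = status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "PUT", "DELETE"}


def fully_decode(path, max_rounds=3):
    """URL-decode until the value stops changing (bounded to avoid pathological input)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path):
    """True when any path segment is '..' after decoding and backslash normalisation."""
    decoded = fully_decode(path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def analyse(log_text):
    """Return (ip, method, path, reason) tuples for requests worth alerting on."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, method, path = m.group(1), m.group(3), m.group(4)
        if has_traversal(path):
            findings.append((ip, method, path, "path traversal"))
        elif method in DAV_METHODS:
            findings.append((ip, method, path, "WebDAV method"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

<p>Run against the constructed sample, the script reports the two traversal requests and the PROPFIND and nothing else. Decoding in a bounded loop rather than once is the part that matters: a single <code>unquote</code> would leave <code>%252e%252e</code> as <code>%2e%2e</code> and the double-encoded request would pass unnoticed.</p>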
<p>Using this method the /home/sunrise directory was accessed.</p>
<p><img alt="home_sunrise" src="/images/sunrise/home_sunrise.png"></p>
<p>From here the user.txt file was accessed.</p>
<p><img alt="user_flag" src="/images/sunrise/user_flag.png"></p>
<p>Next, the /home/weborf directory was accessed using the same method.</p>
<p><img alt="home_weborf" src="/images/sunrise/home_weborf.png"></p>
<p>The main limitation of this method is that hidden files and directories are not shown in the directory listing, although their contents are displayed when they are requested directly. To address this I took the list of common hidden files from FuzzDB (UnixDotFiles), deleted the leading / from each entry, and used ZAP (there is no Burp Pro on this machine) to fuzz for the files. This identified the .mysql_history, .bashrc and .profile files, all of which are accessible through the UI.</p>
<p><img alt="found_files" src="/images/sunrise/found_files.png"></p>
<p>In the .mysql_history file there is an entry which reveals credentials: weborf@localhost:iheartrainbows44</p>
<p><img alt="mysql_history" src="/images/sunrise/mysql_history.png"></p>
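<p>The credential leak here is a hygiene failure rather than a software bug: the MySQL client writes every statement, passwords included, to ~/.mysql_history, and the file was readable to the traversal. The following is an added example (not code from the walkthrough) of the check a host-hardening script can run: it scans the usual history files for the statement and command-line forms that embed a password and reports history files that are readable by group or others. It builds constructed history files in a temporary directory so it runs offline; the patterns and the sample passwords are constructed.</p>

```python
"""Scan shell and client history files for leaked credentials and loose permissions.

Added example, not part of the original walkthrough. demo() writes constructed
history files into a temporary directory; the patterns model what the
walkthrough found in ~/.mysql_history (a password inside a SQL statement) plus
the common command-line forms. Secrets are redacted in the findings.
"""
import os
import re
import stat
import tempfile

HISTORY_FILES = (".mysql_history", ".bash_history", ".psql_history", ".python_history")

# Each pattern captures the leaked secret in group 1. Constructed set; extend as needed.
PATTERNS = [
    ("sql IDENTIFIED BY", re.compile(r"identified\s+by\s+'([^']+)'", re.I)),
    ("sql SET PASSWORD", re.compile(r"set\s+password\s*(?:for\s+\S+\s*)?=\s*(?:password\()?'([^']+)'", re.I)),
    ("mysql -p inline", re.compile(r"\bmysql\b.*\s-p(\S+)")),
    ("mysql --password=", re.compile(r"--password=(\S+)")),
]


def redact(secret):
    """Keep two characters so the finding can be matched to the line, mask the rest."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "***"


def scan_text(name, text):
    """Return findings (file, line_no, kind, redacted secret) for one history file's content."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS:
            m = pat.search(line)
            if m:
                findings.append((name, no, kind, redact(m.group(1))))
                break  # one finding per line is enough
    return findings


def loose_permissions(path):
    """True if group or others can read the file; history files should be mode 0600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_home(home):
    """Scan every known history file under a home directory."""
    findings = []
    for name in HISTORY_FILES:
        path = os.path.join(home, name)
        if not os.path.isfile(path):
            continue
        if loose_permissions(path):
            findings.append((name, 0, "readable by group/others", ""))
        with open(path, errors="replace") as fh:
            findings.extend(scan_text(name, fh.read()))
    return findings


def demo():
    """Build a constructed home directory, scan it and return the findings."""
    home = tempfile.mkdtemp()
    hist = os.path.join(home, ".mysql_history")
    with open(hist, "w") as fh:
        fh.write("show databases;\n"
                 "create user 'weborf'@'localhost' identified by 'example-pass-1';\n"
                 "select * from mysql.user;\n")
    os.chmod(hist, 0o644)  # deliberately loose, like a file readable through the traversal
    bash_hist = os.path.join(home, ".bash_history")
    with open(bash_hist, "w") as fh:
        fh.write("ls -la\nmysql -u weborf -pexample-pass-2\n")
    os.chmod(bash_hist, 0o600)
    return scan_home(home)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

<p>The same principle applies one step later in the walkthrough, where the mysql database's user table held a cleartext password for sunrise: a periodic check that accounts are stored only as hashes, and that history files are mode 0600 or disabled, removes the exact path the attacker took here.</p>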
<p>The MariaDB database still rejects the connection, so the next step is to use the credentials to log in over SSH.</p>
<p><img alt="weborf_ssh" src="/images/sunrise/weborf_ssh.png"></p>
<p>After initial enumeration turned up nothing of substance, the weborf login credentials were used to log into the database. There, in the user table of the mysql database, were cleartext credentials for the sunrise user: sunrise:thefutureissobrightigottawearshades.</p>
<p><img alt="sunrise_creds" src="/images/sunrise/sunrise_creds.png"></p>
<p>These credentials were then used to log in through SSH.</p>
<p><img alt="sunrise_ssh" src="/images/sunrise/sunrise_ssh.png"></p>
<p>After logging in, enumeration revealed that sunrise can run only the wine command as root with sudo.</p>
<p><img alt="sudo_wine" src="/images/sunrise/sudo_wine.png"></p>
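<p>A sudo rule that lets a user run wine as root is equivalent to granting root outright, because wine executes whatever binary it is handed. The following is an added example (not code from the walkthrough) of the audit a defender can run over a sudoers file: it parses user specifications, flags rules that allow ALL, rules that run a program launcher as root, wildcards in command arguments, and notes when NOPASSWD removes re-authentication. The sudoers lines are constructed; the launcher list starts with wine because that is the only such program the walkthrough mentions, and is an assumption to be extended from your own baseline.</p>

```python
"""Audit sudoers user specifications for rules that amount to unrestricted root.

Added example, not from the original walkthrough. The rules are constructed;
the walkthrough only states that the sunrise user may run wine as root, so
the launcher list starts with wine (it executes whatever binary it is handed)
and is an assumption to be extended from your own baseline.
"""
import re

LAUNCHERS = {"wine"}  # assumption: programs that run a caller-supplied executable

# user host=(runas[:group]) [TAG:] cmd[, cmd ...]; the runas part is optional in sudoers syntax.
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)=(?:\((.*?)\))?\s*(.*)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_spec(line):
    """Parse one user specification; returns None for comments, blanks, Defaults and aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    user, host, runas, rest = m.groups()
    tags, cmds = set(), []
    for item in rest.split(","):
        item = item.strip()
        while True:  # tags may precede any command; collected per rule here (a simplification)
            t = TAG_RE.match(item)
            if not t:
                break
            tags.add(t.group(1))
            item = item[t.end():]
        if item:
            cmds.append(item)
    runas_user = (runas or "root").split(":")[0]  # sudoers defaults the runas user to root
    return {"user": user, "host": host, "runas": runas_user, "tags": tags, "cmds": cmds}


def audit(spec):
    """Return the reasons a parsed rule effectively grants full root, or [] if it looks bounded."""
    reasons = []
    as_root = spec["runas"] in ("root", "ALL")
    for cmd in spec["cmds"]:
        if cmd == "ALL":
            reasons.append("ALL commands allowed")
            continue
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        if as_root and prog in LAUNCHERS:
            reasons.append(f"{prog} executes caller-supplied programs as root")
        if "*" in cmd:
            reasons.append(f"wildcard in {cmd!r} widens the permitted arguments")
    if reasons and "NOPASSWD" in spec["tags"]:
        reasons.append("NOPASSWD: no re-authentication before the privileged command")
    return reasons


# Constructed sudoers fragment: two expected admin rules, the walkthrough's wine rule,
# a wildcard rule and one tightly scoped rule that should pass.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
sunrise ALL=(root) NOPASSWD: /usr/bin/wine
backup  ALL=(root) /usr/bin/rsync -a /srv/* /mnt/backup/
deploy  ALL=(root) /usr/bin/systemctl restart nginx
"""


def audit_file(text):
    """Map each user with a risky rule to its list of reasons."""
    out = {}
    for line in text.splitlines():
        spec = parse_spec(line)
        if spec:
            reasons = audit(spec)
            if reasons:
                out.setdefault(spec["user"], []).extend(reasons)
    return out


if __name__ == "__main__":
    for user, reasons in audit_file(SAMPLE_SUDOERS).items():
        print(user, "->", "; ".join(reasons))
```

<p>On the constructed file the deploy rule passes because it names one binary with fixed arguments, which is the shape a sudo rule should have; the sunrise rule is reported both for wine and for NOPASSWD. The parser does not expand aliases or per-command tags, so treat it as a first pass over <code>/etc/sudoers</code> and <code>/etc/sudoers.d/*</code>, not a replacement for <code>visudo -c</code>.</p>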
<p>To elevate to root, the first step is to generate an executable payload to run through wine; msfvenom is used for this purpose.</p>
<p><img alt="msfvenom" src="/images/sunrise/msfvenom.png"></p>
<p>A Metasploit payload handler is then configured and executed.</p>
<p><img alt="handler" src="/images/sunrise/handler.png"></p>
<p>A Python HTTP server was started and the file was downloaded into /tmp on the target machine using wget.</p>
<p><img alt="wget" src="/images/sunrise/wget.png"></p>
<p>Finally, the payload was run using sudo wine.</p>
<p><img alt="payload_run" src="/images/sunrise/payload_run.png"></p>
<p>The payload executes and the reverse shell is then caught by the handler, giving a Meterpreter shell running as root on the target machine.</p>
<p><img alt="shell_connect" src="/images/sunrise/shell_connect.png"></p>
<p>The root.txt file is then downloaded back to the attacking machine and displayed to the screen.</p>
<p><img alt="root_flag" src="/images/sunrise/root_flag.png"></p>
<p><img alt="root_display" src="/images/sunrise/root_display.png"></p>
</div><!-- /.entry-content -->
</article>
</section>
<section id="extras" class="body">
<div class="social">
<h2>social</h2>
<ul>
<li><a href="/feeds/all.atom.xml" type="application/atom+xml" rel="alternate">atom feed</a></li>
<li><a href="https://github.com/nothing0x00">github</a></li>
<li><a href="https://twitter.com/nothing0x00">twitter</a></li>
</ul>
</div><!-- /.social -->
</section><!-- /#extras -->
<footer id="contentinfo" class="body">
<p>Powered by <a href="http://getpelican.com/">Pelican</a>. Theme <a href="https://github.com/blueicefield/pelican-blueidea/">blueidea</a>, inspired by the default theme.</p>
</footer><!-- /#contentinfo -->
</body>
</html>