Hello everyone, this is the second part of the myHouse CTF walkthrough. Here we will look at the various methods that we can use in order to collect flags and pwn the box.

We pick up from the previous part, where we performed an nmap scan to identify the open ports and the running services.

nmap scan

Going through the ports, most of which are served by Apache, we find that most of them show the same landing page; port 443 is one example.

Right-click the page, view the page source, and voilà: the first flag.

Content Discovery

In my usual web application security assessments, this is an inevitable step. Firing up dirb against the target, we get the following directories:

Enumeration is key during web application security assessments. It is easy to miss an important, unattended directory that could be all you need for a successful exploitation.

Use different wordlists; a comprehensive collection can be found at https://github.com/danielmiessler/SecLists

Checking the discovered directories we find two more flags.

and...

As I was looking for low-hanging fruit to exploit, I did not perform comprehensive enumeration on the other ports that seemed to be running a similar web application.

Port 8115

This is the port that seemed to be running a more interesting web application. On opening it in the browser, I instantly notice that it is a kind of blog.

After going through the blog posts, I quickly learn that they have an application called timeclock, running at the path /timeclock/.

The last blog post reads:

I made significant changes to the code of the timeclock software. Due to the changes I made, I stored a backup in /timeclock/backup/.
Posted 1 year ago by Administrator.

In my opinion, that made the task even easier.

Checking the /timeclock/backup/ directory, I find a directory listing vulnerability that exposes the backup file all.zip, a common PHP backdoor browse_backups.php, and a fourth flag.

Okay, so I started with the backup file. The main reason is that I enjoy reviewing source code; I promise you, you won't miss a thing in the code.

This backup contains the code for the timeclock application.

Common things to hunt for in a source code review:

  1. Credentials (usernames, passwords, API keys)
  2. Business logic. Try to understand how the application works by picturing it as you go through the source code. This is a very important thing to look for, as it can reveal logical flaws that greatly impact the application.
  3. Common vulnerabilities, e.g. the OWASP Top 10
  4. Connections to other IP addresses; these can reveal channels for lateral movement.

Going through the source code, these are the obvious things I check:

DB credentials in db.php

SQL injection in the login functionality: the application does not sanitize the username and password POSTed by the user.

Next step: check the live timeclock application to validate this.

This is how I quickly and easily test for SQL injection, especially in POST requests, requests with a multipart Content-Type, or worse, SOAP-based POST data.

Intercept the login request using Burp Suite; here is a step-by-step guide to configure your browser to work with Burp Suite.

Copy the whole request into a text file e.g. login.txt.

Run sqlmap with the -r option and pass it your request file; sqlmap will figure out the rest.

And indeed there is SQL injection at both points, the username and the password field.

SQLi point
retrieved databases

The cycle continues: look for credentials, secrets, API keys and databases that belong to a different application.

Clear-text passwords; this is dangerous.

This leads to admin access to the application.

We find a flag.
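To make the two findings above concrete, here is an added example in Python (not the timeclock code, which this walkthrough does not reproduce): a login that concatenates the POSTed fields into its query, as the code review found, beside a hardened version that uses a parameterised query and stores salted password hashes instead of the clear-text passwords the dump revealed. The users table, accounts and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Clear-text passwords, as the walkthrough found in the dump; constructed data, not the CTF's.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "S3cret!", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_vulnerable(conn, username, password):
    # The flaw from the code review: POSTed fields are concatenated straight into the SQL.
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()  # (username, role) or None

def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256; the stored form is "salthex:digesthex".
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()

def verify_password(stored, candidate):
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison

def harden_db(conn):
    # One-off migration: replace every clear-text password with a salted hash.
    for username, cleartext in conn.execute("SELECT username, password FROM users").fetchall():
        conn.execute("UPDATE users SET password = ? WHERE username = ?",
                     (hash_password(cleartext), username))
    conn.commit()

def login_safe(conn, username, password):
    # Parameterised lookup keeps the input as data; the password is checked against the hash.
    row = conn.execute("SELECT username, password, role FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not verify_password(row[1], password):
        return None
    return (row[0], row[2])

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))  # a row: authentication bypassed
    harden_db(db)
    print(login_safe(db, "nobody", "' OR '1'='1"))        # None: rejected
```

The same parameterised pattern is what sqlmap's probes fail against: the quote in the input never reaches the SQL parser as syntax.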

Road to $hell

In my day-to-day security engagements, most clients, especially in the financial sector, only see the value of a penetration test if you are in a position to prove that the access you gained could lead to monetary loss; that's the purpose of the $.

For this challenge it was quite easy now that a backdoor is already planted; all we need to do is plant our own, better backdoor for seamless interaction with the system.

Generate a weevely backdoor, host it using python -m SimpleHTTPServer, and use wget from the web backdoor to retrieve the weevely backdoor.

Access it, and now we can proceed to post exploitation, which I bet was the whole purpose of the challenge, given how easy gaining code execution is on this box.

Before we proceed to post exploitation, we quickly go through the other services and check for any flag we might have missed.

On port 8111, the 404 error page has a flag.

On port 20000 there is a service that checks the health status of the Docker containers; on accessing it we find a flag.

That winds up part 2 of this three-part series. In the last part we are going to look at a key phase of any penetration test: post exploitation, the art and science of pwnage.

Stay tuned.