Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Hacking IMF CTF

$
0
0

IMF is yet another awesome boot2root challenge hosted by Vulnhub where one needs to go through various web and some binary exploitation to fetch all flags.

Introduction:

IMF holds a total of 6 flags that one needs to fetch to complete this challenge. The difficulty level increases slightly at each flag. The VM emulates some restrictions/filtering both at the application and network level from real world scenarios and how easy it becomes for an attacker when bypassing the same. Also, this VM was released back in October 2016, I got to know about it while browsing vulnhub and found it interesting so thought to give it a try.

The VM can be downloaded from here

Phase 1 Information gathering

We started by finding out the IP address allotted to the VM using following command:

netdiscover -i eth2 -r 192.168.56.1/24


Hacking IMF   CTF

We further started a full Nmap scan to find out any open ports/ services listening and find out only port 80 is open.

nmap -T4 -p- -v5 -n open -oA IMF 192.168.56.101


Hacking IMF   CTF

While browsing the same in web browser, we are presented with the following page.


Hacking IMF   CTF

As this is a web application, we initiated a directory brute force to find out any sensitive files or hidden directories.

dirb http://192.168.56.101/ /usr/share/wordlists/dirb/big.txt -X .php


Hacking IMF   CTF
FLAG 1

While browsing the application manually, we found our first flag in an HTML comment in the contact.php file.


Hacking IMF   CTF
FLAG 2

As a part of our information gathering phase, we had also initiated content discovery option of a burp. While browsing through the sitemap, we came across some base64 encoded js files.


Hacking IMF   CTF

Upon decoding the name of one of the js files, we get partial contents of flag2. We then rearranged the names of js files decoded them back to plain text and got our second flag.


Hacking IMF   CTF
FLAG 3

The content of flag2 gives us a slight hint on how we can reach to flag 3. We browse the imfadministrator named directory and were presented with login panel as shown in below screenshot.


Hacking IMF   CTF
Hacking IMF   CTF

Before starting anything here, we checked the HTML source code and found comment shown in below screenshot. This gives us a good idea on username and SQL injections to bypass authentication will not work as the password is hard coded. Well, we take the username of roger’s email from contact.php file and started a “password timing attack.” At the same time, we started another dirb session on imfadministrator directory and found out that we might be facing a CMS after successful auth.


Hacking IMF   CTF
Hacking IMF   CTF

Well, the above brute force idea was a bummer. WE recently came across this cool authentication bypass while solving one of the online web CTF challenges; this exploits the way how strcmp function in PHP works. The strcmp will return 0 for the correct match and 1 for incorrect one, but it also returns 0 when it is unable to handle any error. i.e. if an array is compared with string in strcmp function, it will throw an error however the result will be zero. The same logic was used in imfadministrator login panel, and we were able to bypass it passing an array and got our third flag.


Hacking IMF   CTF
FLAG 4

After getting our third flag, we started browsing the admin panel and found two interesting links Upload report and Disavowed list . We browsed through both of them and didn’t found anything.


Hacking IMF   CTF
Hacking IMF   CTF

We further tried to LFI in pagename parameter as it seems a valid candidate for that but didn’t get any luck there too. We then checked that page name returned is not an actual page by browsing directly to disavowlist.php but got 404. This gave us an idea that this might be taken from the database. We checked for SQL injection and got an SQL error.


Hacking IMF   CTF

We fire up the sqlmap with the following command and found another page name from admin database.

python sqlmap.py url http://192.168.56.101/imfadministrator/cms.php?pagename=disavowlist cookie <PHPSESSIONID COOKIE> -T pages -dump


Hacking IMF   CTF

We browse the page and get the following image with a barcode. We scanned the bar code and got our 4 th flag.


Hacking IMF   CTF
Hacking IMF   CTF
FLAG 5:

The decoded contents of flag4 resulted in a filename uploadr942.php. We browse the file and were presented with image upload form.


Hacking IMF   CTF
Hacking IMF   CTF

Upon further investigating, it appears that server is feeding .gif files to PHP interpreter. We tried to upload our simple shell but were blocked with following error message.


Hacking IMF   CTF

Well, the application was performing static analysis on uploaded files to block any file with malicious keywords. We grabbed an obfuscated backdoor from the weevely tool and was able to bypass this restriction.


Hacking IMF   CTF

We dropped in a weevely session and got our 5th flag.


Hacking IMF   CTF
Hacking IMF   CTF
FLAG 6

The content of flag 5 decoded to agent services. I was not able to figure this out immediately at that time that it is referring to some service. After getting a weevely shell, I started browsing different directories looking for any possible clues to another flag. While browsing bin directories I came across two files access_codes and a binary file named agent.


Hacking IMF   CTF

Upon looking onto the contents of the access_codes file, we suspected it might be related to port knocking. We then looked into open ports on the system and compared the same with our Nmap Scan.


Hacking IMF   CTF
Hacking IMF   CTF

Well, we do have port 22 and 7788 open to all interfaces, but we were not able to access it directly. We then send a SYN packet to ports mentioned in the access_codes file and were able to access port 7788.

nmap -Pn -v5 -n -p 7482,8279,9467 192.168.56.101


Hacking IMF   CTF

We then connected to that port, and we were presented with same agent binary that we have seen earlier also the same process was running with root privileges. We needed an agent ID to login into IMF system. We tried with one of the port ID from access_codes but didn’t get through.


Hacking IMF   CTF

We then searched for possible strings in binary and got to that the application is using a libc library function strncmp. So, the agent ID must be hard coded in binary. However, we were not able to figure that our using strings fetched from the binary alone.


Hacking IMF   CTF

Well, it was time to reverse engineer the binary and get the agent ID. There are many approaches to achieving this, but we will use the simpler one. As the binary was using a library function, so we used the ltrace utility to trace the call to function and got agent ID.


Hacking IMF   CTF

We entered the agent ID and were presented with the following menu.


Hacking IMF   CTF

Upon further analysis, we came to know option 3 is vulnerable to stack-based buffer overflow attack. As option 2 also takes input, but it was limited to 57 characters.

Ethical Hacking Training Resources (InfoSec)


Hacking IMF   CTF

We confirmed the same using a large string buffer and was able to overwrite EIP and other areas of the stack. We further checked the security checks implemented in binary and got lucky enough as there were none.


Hacking IMF   CTF

We further created a unique pattern using gdb-peda’s pattern create command and got offset at 168. We confirmed the same as shown in the following screenshot.


Hacking IMF   CTF

It was time to find any opcode in binary so that we can jump to our shellcode most easy way is to find JMP ESP. However the binary did not have any, so we settled with CALL EAX as CALL will eventually get resolved to JMP <address of eax>.

objdump -d binary/agent -M intel |grep -e “call.*eax” color


Hacking IMF   CTF

For shellcode, we specifically choose custom reverse_tcp shellcode from shell-storm.org, as we have faced some issues with Metasploit’s reverse_tcp shellcode earlier in one of the challenges. We adjusted the offsets and completed our final exploit as shown in the following screenshot.


Hacking IMF   CTF

We triggered the exploit, and a reverse shell was waiting for us at another terminal J .


Hacking IMF   CTF

We browse the root directory and got our 6th flag there and completed the challenge.


Hacking IMF   CTF
Flags: flag1{YWxsdGhlZmlsZXM=} allthefiles flag2{aW1mYWRtaW5pc3RyYXRvcg==} imfadministrator flag3{Y29udGludWVUT2Ntcw==} continueTOcms flag4{dXBsb2Fkcjk0Mi5waHA=} uploadr942.php flag5{YWdlbnRzZXJ2aWNlcw==} agentservices flag6{R2gwc3RQcm90MGMwbHM=} Gh0stProt0c0ls References:

https://www.vulnhub.com/entry/imf-1,162/

http://php.net/manual/en/function.strncmp.php

https://linux.die.net/man/3/strncmp

http://www.portknocking.org/

https://null-byte.wonderhowto.com/how-to/slip-backdoor-into-php-websites-with-weevely-0175211/


Viewing all articles
Browse latest Browse all 12749

Trending Articles