Capture the flag (CTF)

Hacking IMF – CTFh

Sahil Dhar
February 8, 2017 by
Sahil Dhar

IMF is yet another awesome boot2root challenge hosted by Vulnhub where one needs to go through various web and some binary exploitation to fetch all flags.

Introduction:

IMF holds a total of 6 flags that one needs to fetch to complete this challenge. The difficulty level increases slightly at each flag. The VM emulates some restrictions/filtering both at the application and network level from real world scenarios and how easy it becomes for an attacker when bypassing the same. Also, this VM was released back in October 2016, I got to know about it while browsing vulnhub and found it interesting so thought to give it a try.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The VM can be downloaded from here

Phase 1 – Information gathering

We started by finding out the IP address allotted to the VM using following command:

netdiscover -i eth2 -r 192.168.56.1/24

We further started a full Nmap scan to find out any open ports/ services listening and find out only port 80 is open.

nmap -T4 -p- -v5 -n --open -oA IMF 192.168.56.101

While browsing the same in web browser, we are presented with the following page.

As this is a web application, we initiated a directory brute force to find out any sensitive files or hidden directories.

dirb http://192.168.56.101/ /usr/share/wordlists/dirb/big.txt -X .php

FLAG 1

While browsing the application manually, we found our first flag in an HTML comment in the contact.php file.

FLAG 2

As a part of our information gathering phase, we had also initiated content discovery option of a burp. While browsing through the sitemap, we came across some base64 encoded js files.

Upon decoding the name of one of the js files, we get partial contents of flag2. We then rearranged the names of js files decoded them back to plain text and got our second flag.

FLAG 3

The content of flag2 gives us a slight hint on how we can reach to flag 3. We browse the imfadministrator named directory and were presented with login panel as shown in below screenshot.

Before starting anything here, we checked the HTML source code and found comment shown in below screenshot. This gives us a good idea on username and SQL injections to bypass authentication will not work as the password is hard coded. Well, we take the username of roger's email from contact.php file and started a "password timing attack." At the same time, we started another dirb session on imfadministrator directory and found out that we might be facing a CMS after successful auth.

Well, the above brute force idea was a bummer. WE recently came across this cool authentication bypass while solving one of the online web CTF challenges; this exploits the way how strcmp function in PHP works. The strcmp will return 0 for the correct match and 1 for incorrect one, but it also returns 0 when it is unable to handle any error. i.e. if an array is compared with string in strcmp function, it will throw an error however the result will be zero. The same logic was used in imfadministrator login panel, and we were able to bypass it passing an array and got our third flag.

FLAG 4

After getting our third flag, we started browsing the admin panel and found two interesting links Upload report and Disavowed list. We browsed through both of them and didn't found anything.

We further tried to LFI in pagename parameter as it seems a valid candidate for that but didn't get any luck there too. We then checked that page name returned is not an actual page by browsing directly to disavowlist.php but got 404. This gave us an idea that this might be taken from the database. We checked for SQL injection and got an SQL error.

We fire up the sqlmap with the following command and found another page name from admin database.

python sqlmap.py –url http://192.168.56.101/imfadministrator/cms.php?pagename=disavowlist --cookie <PHPSESSIONID COOKIE> -T pages –-dump

We browse the page and get the following image with a barcode. We scanned the bar code and got our 4th flag.

FLAG 5:

The decoded contents of flag4 resulted in a filename uploadr942.php. We browse the file and were presented with image upload form.

Upon further investigating, it appears that server is feeding .gif files to PHP interpreter. We tried to upload our simple shell but were blocked with following error message.

Well, the application was performing static analysis on uploaded files to block any file with malicious keywords. We grabbed an obfuscated backdoor from the weevely tool and was able to bypass this restriction.

We dropped in a weevely session and got our 5th flag.

FLAG 6

The content of flag 5 decoded to agent services. I was not able to figure this out immediately at that time that it is referring to some service. After getting a weevely shell, I started browsing different directories looking for any possible clues to another flag. While browsing bin directories I came across two files access_codes and a binary file named agent.

Upon looking onto the contents of the access_codes file, we suspected it might be related to port knocking. We then looked into open ports on the system and compared the same with our Nmap Scan.

Well, we do have port 22 and 7788 open to all interfaces, but we were not able to access it directly. We then send a SYN packet to ports mentioned in the access_codes file and were able to access port 7788.

nmap -Pn -v5 -n -p 7482,8279,9467 192.168.56.101

We then connected to that port, and we were presented with same agent binary that we have seen earlier also the same process was running with root privileges. We needed an agent ID to login into IMF system. We tried with one of the port ID from access_codes but didn't get through.

We then searched for possible strings in binary and got to that the application is using a libc library function strncmp. So, the agent ID must be hard coded in binary. However, we were not able to figure that our using strings fetched from the binary alone.

Well, it was time to reverse engineer the binary and get the agent ID. There are many approaches to achieving this, but we will use the simpler one. As the binary was using a library function, so we used the ltrace utility to trace the call to function and got agent ID. яндекс

We entered the agent ID and were presented with the following menu.

Upon further analysis, we came to know option 3 is vulnerable to stack-based buffer overflow attack. As option 2 also takes input, but it was limited to 57 characters.

We confirmed the same using a large string buffer and was able to overwrite EIP and other areas of the stack. We further checked the security checks implemented in binary and got lucky enough as there were none.

We further created a unique pattern using gdb-peda's pattern create command and got offset at 168. We confirmed the same as shown in the following screenshot.

It was time to find any opcode in binary so that we can jump to our shellcode most easy way is to find JMP ESP. However the binary did not have any, so we settled with CALL EAX as CALL will eventually get resolved to JMP <address of eax>.

objdump -d binary/agent -M intel |grep -e "call.*eax" --color

For shellcode, we specifically choose custom reverse_tcp shellcode from shell-storm.org, as we have faced some issues with Metasploit's reverse_tcp shellcode earlier in one of the challenges. We adjusted the offsets and completed our final exploit as shown in the following screenshot.

We triggered the exploit, and a reverse shell was waiting for us at another terminal J.

We browse the root directory and got our 6th flag there and completed the challenge.

Flags:

  1. flag1{YWxsdGhlZmlsZXM=} - allthefiles
  2. flag2{aW1mYWRtaW5pc3RyYXRvcg==} - imfadministrator
  3. flag3{Y29udGludWVUT2Ntcw==} - continueTOcms
  4. flag4{dXBsb2Fkcjk0Mi5waHA=} - uploadr942.php
  5. flag5{YWdlbnRzZXJ2aWNlcw==} - agentservices
  6. flag6{R2gwc3RQcm90MGMwbHM=} - Gh0stProt0c0ls

References:

https://www.vulnhub.com/entry/imf-1,162/

http://php.net/manual/en/function.strncmp.php

https://linux.die.net/man/3/strncmp

http://www.portknocking.org/

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

https://null-byte.wonderhowto.com/how-to/slip-backdoor-into-php-websites-with-weevely-0175211/

Sahil Dhar
Sahil Dhar

Sahil Dhar is an Information Security Enthusiast having more than two years of hands-on experience in Application Security, Penetration Testing, Vulnerability Assessments and Server Config Reviews. He has also been acknowledged and rewarded by various organizations like Google, Apple, Microsoft, Adobe, Barracuda, Pinterest, Symantec, Oracle etc for finding vulnerabilities in their online services.