MetasploitCTF 10 of Hearts Walkthrough

This year I participated in the Rapid7 Metasploit Community CTF. I wouldn’t say it was beginner level, but it was fun nonetheless. For the CTF there were 15 PNG images for the flags. Each flag was worth 100 points. At the start of the event, each team was given a Kali jump box to attack from and two vulnerable machines (one Linux, one Windows) to exploit. You’d think that once a host is compromised, all the flags would be available to find. That wasn’t the case. Each exploitable service was running in its own container. If that service was compromised, then only the flag associated with it would be available. Anyway, I ended up with only one flag and three shells. It seems kind of lame, but I learned stuff in the process, so that makes it all worth it.

Setting up:

One of the most important takeaways from the event was learning how to set up a port forward for my browser. Previously, I had only used a VNC server to get GUI control and from there use a browser. I did that during the first day of the CTF and it was awful! The next day I looked for a better solution. Someone in the chat posted something about the -D option in SSH. I’m so glad they did! With -D, SSH does dynamic port forwarding: it runs a SOCKS proxy on your local machine and sends everything that arrives at it out through the jump box. It’s awesome!

Run the ssh command as normal and simply append -D and a port number of your choosing. This opens a listening port on your local host (127.0.0.1); by default it is bound to the loopback interface only, so nothing else on the network can use your tunnel.

[screenshot: met1]

Now configure the web browser’s proxy settings to use that port.

Make sure to:

  1. Select the same port you put in the SSH command
  2. Use 127.0.0.1 as the host to connect to
  3. Select SOCKS v5 specifically. Using the “for all connections” option didn’t work for me
  4. Remove any “no proxy for” or ignore entries for 127.0.0.1

Also make sure that your proxy is enabled. I like using FoxyProxy, but it works the same with the default browser options.

[screenshot: met2]


The proxy can also work with Burp Suite. Just enter the SSH SOCKS proxy (127.0.0.1 and your port) under User options > Connections > SOCKS Proxy in Burp and point your browser proxy at Burp. It works amazingly well.
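The setup above, scripted, as an added example rather than anything from the original post: the tunnel is opened with the same -D option, the listener is verified by reading /proc/net/tcp (Linux only, so it works without ss or netstat), and the proxy is handed to curl and proxychains for tools that cannot use the browser’s settings. The jump-box address, user name and target URL in the comments are placeholders, not values from the CTF.

```shell
#!/bin/sh
# Added example (not from the original post): SSH dynamic port forwarding
# driven from a script instead of the browser. Host names, users and the
# target URL below are placeholders.

# open_socks USER HOST PORT: start the SOCKS tunnel in the background.
#   -D 127.0.0.1:PORT  bind the listener to loopback only. A bare "-D PORT"
#                      follows the GatewayPorts setting, so be explicit.
#   -N                 no remote command; we only want the forwarding.
#   -f                 drop to the background once authenticated.
open_socks() {
    ssh -f -N -D "127.0.0.1:$3" "$1@$2"
}

# socks_listening PORT: true if something is in LISTEN state on 127.0.0.1:PORT.
# /proc/net/tcp stores the address as little-endian hex (127.0.0.1 -> 0100007F)
# and the port as big-endian hex; state 0A is LISTEN.
socks_listening() {
    hexport=$(printf '%04X' "$1")
    grep -q " 0100007F:$hexport 00000000:0000 0A " /proc/net/tcp 2>/dev/null
}

# socks_proxy_url PORT: proxy URL for curl and friends. "socks5h" (not "socks5")
# makes the proxy resolve host names, i.e. DNS happens on the jump box. This is
# the same thing as the "proxy DNS" / remote DNS box in the browser settings.
socks_proxy_url() {
    printf 'socks5h://127.0.0.1:%s\n' "$1"
}

# proxychains_conf PORT: minimal proxychains configuration for tools without
# native SOCKS support (nmap -sT, for instance). Write it to a file and run:
#   proxychains4 -f FILE nmap -sT -Pn -p 8080 TARGET
proxychains_conf() {
    cat <<EOF
strict_chain
proxy_dns
[ProxyList]
socks5 127.0.0.1 $1
EOF
}

# Example run; needs a reachable jump box, so it only executes when asked for.
#   open_socks kali 203.0.113.10 1080
#   socks_listening 1080 || { echo "tunnel did not come up" >&2; exit 1; }
#   curl -s --proxy "$(socks_proxy_url 1080)" http://10.10.10.5:8080/
if [ "${1:-}" = "demo" ]; then
    open_socks "${2:?user}" "${3:?jump box}" "${4:-1080}"
    socks_listening "${4:-1080}" || { echo "tunnel did not come up" >&2; exit 1; }
    echo "SOCKS proxy ready: $(socks_proxy_url "${4:-1080}")"
fi
```

The listener check is worth keeping: `ssh -f` returns after authentication, but a typo in the port or a conflicting local service means the browser silently gets connection-refused errors, and that looks exactly like a dead target.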

OK, now that our browser is set up, we need to find something to exploit. Running Nmap shows a lot of open services to poke at. For this walkthrough, I’m focusing on port 8080, running Apache Struts 2.

[screenshot: met3]

Let’s browse there with our cool new setup and see what it looks like.

[screenshot: met4]

Yep it’s for sure running Apache Struts. Let’s see if Metasploit has any exploits for that. Doing a simple search for “struts” brings up a small list of options. I picked the most recent exploit listed.

[screenshot: met5]

Since I had no idea if this exploit would apply or how it worked, I brought up the description by using the info command.

[screenshot: met6]

[screenshot: met7]

Well, I don’t have the exact version of Struts, but this exploit covers a wide range of versions. It could still work. So I set the rhost and looked through the options.

[screenshot: met8]

So this is the second time the redirect action was mentioned. Also, showcase.action was the default action brought up when we browsed to the page. This could work. The rport was already set, but the target was set to automatic. That doesn’t always work, so I looked at the available targets.

[screenshot: met9]

Then I manually set it to Linux. Once the target is set, the default payload is set as well. Notice it’s not a reverse shell but command execution: I have to supply the command.

[screenshot: met10]

The first time I actually chose a ping command (ping -c 4 myIP) so that the target would ping back to my own system. I did that because I didn’t think I’d be able to see the output of my command; with ping I could tell whether the command ran by capturing the pingbacks with tcpdump. It did, but this particular payload also displays the output of the command, so for this walkthrough I’m just going to use whoami.

[screenshot: met11]

Now let’s execute it. Nope … Failed ☹

Notice how it mentions the Action? We know the target’s right, but we might need a different action.

[screenshot: met12]

Going back to the browser and selecting the config tab lets you browse the various actions. That’s pretty helpful!

[screenshot: met13]

Working my way down through the different actions I finally came to the help action.

[screenshot: met14]

[screenshot: met15]

When I clicked the link, I noticed that I was redirected to date.action. Hmmmm … this might work.

[screenshot: met16]

So I set the action to help.action and tried again.

[screenshot: met17]

Success and ROOT!

[screenshot: met18]

So now that I have root command execution, I should be able to get a shell. There is one small issue: the semicolon (;) character is not allowed through this exploit. That takes away a lot of options for getting a reverse shell through this command, at least directly. The box does have netcat, but it’s the build without the -e option that would make things easy on us. Luckily there’s another way to abuse the presence of netcat. Using a FIFO (a named pipe, created with mkfifo) you can wire a shell’s standard input to netcat’s output and the shell’s output back into netcat’s input, which gives us the connection we need.

Since that command does contain semicolons, I put it into a file on my attack box and had the target download it. I used nano to create the file and put in the code.

[screenshot: met31]

Now I set up a Python HTTP server to serve the file.

[screenshot: met25]

Then I set my Metasploit command to run wget to download the file. Once the command ran, I could see the successful download reported back in Metasploit.

[screenshot: met20]

I could also see it on the HTTP server.

[screenshot: met21]

In order to run the script, the file needs the execute bit set. I just chmod’d it to 777 to make things easy on me, but in real life that’s probably a bad idea (the owner’s execute bit is all the script needs, and a world-writable script is an easy target for anyone else on the box).

[screenshot: met22]

chmod produces no output when it succeeds, so I assumed it had worked. Now I need to set up a listener. This could also have been done with a Metasploit handler, but a plain netcat listener was just faster.

[screenshot: met23]

Now I set the command in Metasploit to run the script. When I run it, it hangs. That’s actually a good sign: the command never returns because the shell it started is now tied to the network connection.

[screenshot: met24]

Going back to my netcat listener, I can see that I have a shell!

[screenshot: met25]

I have a root shell!!

[screenshot: met26]

Now I need to find the flag. Since I didn’t know which flag it was, I just started searching for files named after the various cards. I was very happy when I got a hit on hearts. It also wasn’t very far away.

[screenshot: met27]

Since this box had md5sum installed, I was able to get the flag’s hash and submit it for the points, but I also wanted to see the image.

[screenshot: met28]

While browsing around the website earlier, I found a docs directory. By copying the flag into the docs web directory I could view and save it through the browser.

[screenshot: met29]

There is the 10 of hearts in all its glory.

[screenshot: met30]

So that was the 10 of Hearts challenge from the 2018 Metasploit CTF. While I didn’t get anywhere near the number of flags I wanted to, it was still fun and I learned some really cool things. I can’t wait to read some of the other write-ups to see how close I was on some of the other flags.

-R3a50n

