Saturday, October 6, 2012

Fun subreddit and open wargame competitions; how I gained root to OHP #1

Recently I have been active on a subreddit called /r/HowToHack which consists of users posting different levels of hacking challenges for newbies and higher level skilled hackers to try their hand at. There is an IRC channel on the sidebar that I suggest going to, as it's fun and informational to be on.

The following write-up can be found on the subreddit, as I originally posted it there when I won the OHP #1 wargame by gaining root access first.

How I gained root access:

When I posted I had root access in the IRC, I got called out on bullshit, but luckily for me I'm not a liar.
I was asked "which exploit did you run", and the answer might be shocking, but I did not run any exploit... and it was actually quite simple.

After reviewing the objective, it mentioned httpd, sshd, kernel, and cacti. I actually didn't know what cacti was until this, but a quick Google made it very apparent.

First I ran nmap to check out which services were running, which returned:

Not shown: 1670 closed ports

PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
199/tcp  open  smux
443/tcp  open  https
587/tcp  open  submission
631/tcp  open  ipp
914/tcp  open  unknown
3306/tcp open  mysql

I derped around with the ESMTP, which quickly got boring, so I decided to try my hand at the sshd config but to no avail. The config files were readable, but didn't show me anything of use from my perspective, and were not writable by openhacker, thus leaving me to find a different way.
I then went onto the webserver. A quick curl of localhost gives a funny quip by the server owner:

I came, I saw, I conquered.. my own server :)
<p>
Now go away please :)
<p>

Ha, hilarious. Anyway, I knew there had to be config files and I wanted to find them! So off I went. I ended up finding httpd configuration files, which didn't give me anything useful, but then I moved onto cacti...
I ended up in the /var/www/html/cacti folder, and ran an ls -al to see if any of these php scripts were runnable by me. They weren't. So what did I do? Started to cat them and view them. None of them gave me much of anything but a little insight into how cacti managed their sql and authentication. After rummaging through a few more files, I finally found a reference to other files, which prompted me to go into /var/www/html/cacti/include and start catting files there.
First I ran an ls -al and was giddy; multiple global configuration files! auth.php? Looks cool, but nothing... global.php? Let's cat that and see...

/* Default database settings*/
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cactiuser";
$database_password = "cactiuser";
$database_port = "3306";
$database_ssl = false;

Ouch, default creds to cacti in a fully readable file... but it's not root. They wouldn't leave root in a config file, right?

$ more config.php
/* make sure these values refect your actual database/host/user/password */
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "root";
$database_password = "%findityourself;]%";
$database_port = "3306";
$database_ssl = false;

Ouch.

[openhacker@server1 include]$ su root
Password:
[root@server1 include]#
[root@server1 include]# whoami
root
[root@server1 include]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Ouch ouch ouch.
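Added here as a defender-side check, not part of the original post: a small Python audit that walks a web root for PHP config files and flags the three things this write-up turned up, a world-readable file, a database user of root, and a password equal to the username (the cactiuser/cactiuser default). The sample file tree, its paths and the placeholder password are constructed for the demo and are not taken from the box.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Matches Cacti-style PHP assignments such as $database_username = "root";
ASSIGN_RE = re.compile(
    r'^\s*\$(database_username|database_password)\s*=\s*"([^"]*)"\s*;', re.M)

def audit_config(path):
    """Return the findings for one PHP config file (empty list = clean)."""
    findings = []
    if Path(path).stat().st_mode & stat.S_IROTH:
        findings.append("world-readable")            # any local user can cat it
    values = dict(ASSIGN_RE.findall(Path(path).read_text()))
    user = values.get("database_username")
    password = values.get("database_password")
    if user == "root":
        findings.append("db-user-is-root")           # app talks to MySQL as the superuser
    if password is not None and password == user:
        findings.append("password-equals-username")  # the cactiuser/cactiuser default
    return findings

def audit_tree(root):
    """Audit every *.php file under root; returns {relative path: findings}."""
    results = {}
    for p in sorted(Path(root).rglob("*.php")):
        findings = audit_config(p)
        if findings:
            results[str(p.relative_to(root))] = findings
    return results

def demo():
    """Constructed sample tree mirroring the two files from the post (not the real box)."""
    tmp = Path(tempfile.mkdtemp())
    inc = tmp / "cacti" / "include"
    inc.mkdir(parents=True)
    (inc / "global.php").write_text(
        '<?php\n$database_username = "cactiuser";\n$database_password = "cactiuser";\n')
    (inc / "config.php").write_text(
        '<?php\n$database_username = "root";\n$database_password = "PLACEHOLDER_PASSWORD";\n')
    os.chmod(inc / "global.php", 0o644)  # world-readable, as it was found
    os.chmod(inc / "config.php", 0o640)  # owner and web-server group only
    return audit_tree(tmp)
```

Run it against a real web root with audit_tree("/var/www/html") as a user in the web server's group; a clean tree returns an empty dict.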

So then I SCP'd the shadow and passwd file to my home computer for some john the cracker action for the rest of the passwords. Not like I really need them, right? I'll update this if I remember anything else (I'm currently at work so things may have slipped my mind or whatever) or when John is done cracking the shadow file.
