Performing a Pentest and CTF on a Virtual Machine
Dec 06, 2019
3 minutes
For this coursework we were to find vulnerabilities in a system and explain how they could be mitigated, along with solving a murder mystery in the system, which required finding and decoding a range of files.
There was a file in the database folder named Database.db. It could be opened with sqlite3, and the query SELECT * FROM Users returned personal information about every user, including their passwords and credit card details, all stored in plaintext.
This could be mitigated simply by not leaving the database file anywhere users can read it. Beyond that, passwords should be stored as salted hashes produced by a proper password-hashing function rather than in plaintext, and credit card numbers should not be stored at all or should be redacted, so that a copied database is worth far less to an attacker.
There was a program that could be used to get details about a Bitcoin wallet. Its password prompt was vulnerable to a buffer overflow: entering a password of 64 characters followed by a single \x01 byte overwrote the variable that records whether the password was correct, flipping it from 0 to 1 and making the program print the private key even though the comparison had failed.
This could be mitigated by reading the input with fgets rather than gets, since fgets takes a maximum length and never writes past the end of the buffer; the limit passed should be the buffer size itself (here 64). Input that does not fit should then be rejected rather than silently truncated, and the "password correct" variable should not be trusted just because it happens to sit next to the buffer.
The same program also stores both the password and the private key in the clear inside the binary, so simply reading it in the terminal (for example with strings) exposes both without any exploit. The password should be stored as a salted hash, with the entered password hashed and compared against it. The private key should be stored encrypted, with the decryption key derived from the password, so that the program can only reveal it once the correct password has actually been supplied.
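As an added example (not the coursework's wallet program), here is the vulnerable layout the write-up describes next to a bounded version that uses fgets. The struct, the function names and the password hunter2 are assumptions made for the example:

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

#define PW_LEN 64

/* Constructed layout matching the write-up: the "password correct" flag
 * sits directly after the 64-byte buffer, so the 65th input byte lands
 * in its low byte. */
struct login_state {
    char password[PW_LEN];
    int correct;
};

/* Assumed password for the example; the real program's is not shown here. */
static const char WALLET_PASSWORD[] = "hunter2";

/* VULNERABLE: strcpy is unbounded, exactly like gets(). Sixty-four 'A's
 * followed by \x01 overwrite .correct with 1 even though the comparison
 * fails. This is undefined behaviour, shown only for the layout; nothing
 * below calls it. */
int check_password_vuln(const char *input)
{
    struct login_state st = { {0}, 0 };
    strcpy(st.password, input);           /* overflow happens here */
    if (strcmp(st.password, WALLET_PASSWORD) == 0)
        st.correct = 1;
    return st.correct;
}

/* HARDENED: fgets writes at most buflen-1 characters plus the NUL, so it
 * can never run past the buffer. A line that did not fit is rejected
 * rather than silently truncated, and the leftover bytes are drained so
 * they cannot be read as the answer to the next prompt.
 * Returns 0 on success, -1 on EOF or an over-long line. */
int read_password(FILE *in, char *buf, size_t buflen)
{
    if (fgets(buf, (int)buflen, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 0;
    }
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return -1;
}

/* Same check as above, but bounded. fmemopen stands in for stdin so the
 * function can be exercised on a string; the input must end in '\n'. */
int check_password_safe(const char *input)
{
    struct login_state st = { {0}, 0 };
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return 0;
    if (read_password(in, st.password, sizeof st.password) == 0 &&
        strcmp(st.password, WALLET_PASSWORD) == 0)
        st.correct = 1;
    fclose(in);
    return st.correct;
}

int main(void)
{
    char buf[PW_LEN];
    printf("Password: ");
    fflush(stdout);
    if (read_password(stdin, buf, sizeof buf) != 0) {
        puts("Password too long or no input");
        return 1;
    }
    puts(strcmp(buf, WALLET_PASSWORD) == 0 ? "Access granted" : "Wrong password");
    return 0;
}
```

Note that fgets only fixes the overflow; it does nothing about the password and key sitting in the binary in the clear, which is the separate issue above.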
By simply moving up the filesystem with cd, a user can move into any of the other accounts' home directories and read their files. This could be mitigated with file permissions: create a group for each user, make that group the group owner of the files in the user's home directory, and use chmod to remove read and execute permission for everyone else, so that only the owner (and root) can enter the directory.
Running cat /etc/passwd > passwords.txt saves a copy of the passwd file for offline cracking. It can then be transferred to another computer with forensic tools, and John the Ripper used to recover the passwords of all the users. This works because the system keeps the password hashes in the world-readable /etc/passwd. It could be mitigated by running pwconv, which moves the hashes into /etc/shadow, a file readable only by root. Using stronger passwords and a slower, more secure hashing algorithm would also make the hashes much harder to reverse even if they were obtained.
Running nmap reveals that port 8888 is open. Connecting to it with netcat gives a shell, which turns out to be a root shell.
This is mitigated by removing the script that opens the shell, located at /etc/init.d/jess.sh, so it no longer starts at boot. Configuring a firewall to block every port that has not been explicitly allowed would also prevent this happening again in the future.
Appending the string %2e%2e%2f (the URL encoding of ../) to the URL moves up one directory on the server. Repeating it lets you walk around the filesystem, which enables the other attacks described here, such as reading /etc/passwd.
This can be mitigated by validating the requested path on the server: decode it, normalise it, and refuse anything that does not stay under the web root. Blocking ../ and its encodings with a regular expression, as originally suggested, helps but is fragile, since other encodings (double encoding, for example) slip past a fixed pattern. The web server could also be run inside a chroot jail so that the website's directory is the root of the filesystem it can see and it cannot move outside it.
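The server-side check described above, as an added example that is not part of the coursework's web server: the request path is percent-decoded once, split into segments, and mapped onto the web root only if no ".." ever climbs above it. The root /var/www and the function names are assumptions for the example:

```c
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst (dst must hold strlen(src)+1 bytes).
 * Decodes exactly once; a malformed escape or an encoded NUL (%00) is
 * rejected. Returns 0 on success, -1 on bad input. */
int url_decode(const char *src, char *dst)
{
    while (*src) {
        if (*src == '%') {
            int hi = hexval(src[1]), lo = hexval(src[2]);
            if (hi < 0 || lo < 0) return -1;
            char c = (char)(hi * 16 + lo);
            if (c == '\0') return -1;
            *dst++ = c;
            src += 3;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
    return 0;
}

#define MAX_SEGS 64

/* Map a request path onto a file under root. The decoded path is split
 * on '/', "." segments are dropped and ".." pops the previous segment;
 * a ".." with nothing left to pop would leave the root, so the request
 * is refused. out receives root + "/" + the normalised path.
 * Returns 0 if the path is safe, -1 otherwise. */
int safe_path(const char *root, const char *request, char *out, size_t outlen)
{
    char decoded[1024];
    if (strlen(request) >= sizeof decoded) return -1;
    if (url_decode(request, decoded) != 0) return -1;

    const char *seg[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    int depth = 0;
    char *p = decoded;
    while (*p) {
        while (*p == '/') p++;           /* collapse repeated slashes */
        if (*p == '\0') break;
        char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return -1;   /* would climb above the root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS) return -1;
        seg[depth] = start;
        seglen[depth] = len;
        depth++;
    }

    int n = snprintf(out, outlen, "%s", root);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (int i = 0; i < depth; i++) {
        int m = snprintf(out + n, outlen - (size_t)n, "/%.*s", (int)seglen[i], seg[i]);
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample requests, including the %2e%2e%2f walk. */
    const char *tests[] = { "/index.html", "/images/%2e%2e%2f%2e%2e%2fetc/passwd", "/a/../b.txt" };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        char out[256];
        if (safe_path("/var/www", tests[i], out, sizeof out) == 0)
            printf("%-40s -> %s\n", tests[i], out);
        else
            printf("%-40s -> REJECTED\n", tests[i]);
    }
    return 0;
}
```

Decoding exactly once matters: a double-encoded %252e%252e%252f becomes the literal text %2e%2e%2f after one pass and is then just an odd file name, not a traversal, provided nothing later in the server decodes it a second time. Symbolic links inside the web root are a separate concern that a lexical check like this does not cover.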
On the login page, entering the username ' OR 1==1 -- and clicking login logs you in as root. The username is pasted straight into the SQL query: the quote closes the string, OR 1==1 makes the WHERE clause true for every row, and -- comments out the rest of the query including the password check, so the first user in the table (root) is returned. Prepared statements should be used to supply the login fields as bound parameters, so that the username and password are always treated as data and can never be run as part of the query.
By editing the boot command in GRUB to add init=/bin/sh, you get a root shell before the system has started normally. A password should be set on GRUB so that boot entries cannot be edited without it. Anyone with console access can still boot from other media, so this only raises the bar for a local attacker rather than protecting the data on disk.
The database backup program passes the argument you give it straight to a shell, so running ./Backup "; $SHELL # " terminates the intended command and runs a shell in its place; because the program runs as root, that shell is a root shell.
The program should copy the file itself using the C file operations rather than building a command string and handing it to system, and it should validate the file name it is given in any case.
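An added example, not the coursework's Backup program, showing a constructed version of the injectable system() call next to a replacement that validates the name and copies with stdio. The directory names and the function names are assumptions for the example:

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define PATH_LEN 4096

/* VULNERABLE (constructed stand-in for a root-owned backup tool): the
 * file name is pasted into a shell command line. An argument such as
 *   "; $SHELL # "
 * terminates the cp command and starts a shell with the program's
 * privileges. Nothing below calls this. */
int backup_vuln(const char *name)
{
    char cmd[PATH_LEN];
    snprintf(cmd, sizeof cmd, "cp %s /var/backups/%s", name, name);
    return system(cmd);
}

/* Only a plain file name in a conservative character set is accepted:
 * no slashes, no "..", no shell metacharacters. Returns 1 if acceptable. */
int valid_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 255) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* HARDENED: copy with stdio calls. No shell is involved, so nothing in
 * the argument can change what the program does. Returns 0 on success. */
int copy_file(const char *src, const char *dst)
{
    FILE *in = fopen(src, "rb");
    if (in == NULL) return -1;
    FILE *out = fopen(dst, "wb");
    if (out == NULL) { fclose(in); return -1; }

    char buf[4096];
    size_t n;
    int rc = 0;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (fwrite(buf, 1, n, out) != n) { rc = -1; break; }
    }
    if (ferror(in)) rc = -1;
    fclose(in);
    if (fclose(out) != 0) rc = -1;
    return rc;
}

/* Validate the name, build both paths ourselves, create the destination
 * directory if it is missing, and copy. Returns 0 on success. */
int backup_safe(const char *srcdir, const char *dstdir, const char *name)
{
    if (!valid_name(name)) return -1;
    char src[PATH_LEN], dst[PATH_LEN];
    int a = snprintf(src, sizeof src, "%s/%s", srcdir, name);
    int b = snprintf(dst, sizeof dst, "%s/%s", dstdir, name);
    if (a < 0 || a >= (int)sizeof src || b < 0 || b >= (int)sizeof dst) return -1;
    if (mkdir(dstdir, 0700) != 0 && errno != EEXIST) return -1;
    return copy_file(src, dst);
}

/* Read a small file back so a caller can verify the copy. Returns the
 * number of bytes read, or -1 on error. */
long read_file(const char *path, char *buf, size_t buflen)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, buflen, f);
    int err = ferror(f);
    fclose(f);
    return err ? -1 : (long)n;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <file name>\n", argv[0]); return 2; }
    if (backup_safe(".", "backups", argv[1]) != 0) {
        fprintf(stderr, "backup of %s refused or failed\n", argv[1]);
        return 1;
    }
    return 0;
}
```

If a program really must run an external command, execve with an explicit argument vector still avoids the shell, but for a file copy there is no reason to leave the process at all.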