Yogosha Christmas Challenge 2019 / HackBack

Hello everyone, We at @Yogosha wanted to have fun with our community and hunters around the world, that’s why we made for them a special challenge, first to enjoy playing and to learn new technical skills and secondly to give them the opportunity to earn their secret santa gift :)

Monday December 16, we launched the challenge, it was for a week

The idea for this challenge was designed to resemble the HackBack scenario, as someone Anonymous hacked into the corporate server and leaked client details, which the hunter should do, is just follow the hacker’s steps and investigate before the leak arrives :) easy right?

As we know Revenge is Sweet, But is it Legal? for our case YES

First step was already mention on the tweet, First challenge : Find it it was simple, follow the hashtag #yogoshachristmaschallenge, and find a twitter account.

Is he really a lazy hacker? I don’t think XD

Then you just have to read his tweet, one of them is to give a hint about the company he has targeted

It’s probably cutt.ly/something , well here you can just find the cracked result on a website like https://crackstation.net/ or just if we read his old tweet

His mention of his birthday which is already on his tweeter account info, after we collecting details about him, we can build a useful word list and break this hash 3f5089c0f9f45530f48aa03471f473ff0af999557bf78749d6d5de6c6b39632b which is his birthay 09031980 => 09/03/1980

Next , we can go to the real part after some OSINT, we can get the company url http:// 3.19.111.121 from the shorten links

Let’s start some recon stuff, by turning on nmap we will try to determine if there is another open port

The answer is YES, always a little RECON before you start moving quickly through the target will help you get details and information that can help you in the next step :)

After discovering two new ports, we can confirm that the ssh port is used for the aws instance, the second port looks like the good one 1337

By checking the port, we can get an output:

Looks like its 12 character password login service, if we are trying to brute force it will be probably the worst idea ever as it will never end.

So the best option is to try to think outside the box, the service text contain very slow version, so maybe it uses some functions that slow down password verification , for someone who is used to playing CTF or having love with crypto stuff, he will think about this type of attack that occurs almost everywhere Side Channel Attack https://en.wikipedia.org/wiki/Side-channel_attack

One of this attack called timing attack , where you can guess if your input correct or not depend on the time it take each char you send comparing to others which is the case here !

If we debug a little the first time, then by writing a small script, we will get the password which is pAsSwOrd159!

If we access using this password, we will get information about active sessions, whenever it gives us different users, what we can do here is that we can leak all users that we may have need in the future!

Then, if we go back now to the web application, we can find a simple page there without more information that lead us to another path.

Should sometimes use some tools, mine works fine (even after losing all starts because of changing my nickname on github: D)

We got useful information from the tool:

http://3.19.111.121/wp-content/
http://3.19.111.121/wp-login.php
....

We can now get an idea of what type of web application it is, Wordpress for sure!

If we do some enumeration (manual or using the wpscan tool), we can get what plugins already installed

1- advanced-custom-fields
2- akismet

Going to the ACF plugin, we find the zip file ACF.zip, so if we want to get more details, we can just compare this zip file with the original one https://www.advancedcustomfields.com/Downloads/

git diff ACF ACF_1

Give us some result :

As we see, there is a new Load_Hotfix() & Hotfix_update() function added by the hacker as a backdoor to the updates.php file ,with comment at the end // / server-status

It is a function which uses another real wordpress function to make a call, does he have a 0day on this function or what ??

Let’s start by debugging more, he just created a function called Load_Hotfix to confuse others with the real name ,look like he is trying to hide it, the function looks good but it has bad behavior .

-               if ($user === "noel" && $_GET['debug'] === "1") {
-                       $ACF_Hotfix = new ACF_Updates();
-                       $ACF_Hotfix->Hotfix_update($_GET['upd']);
-               }

This function only works if the user is logged in and the username is noel , it also checks the debug parameter if it is there, it will use another upd parameter and will call Hotfix_update() who will request specific URL!

Wait, was this hacker just a lazy pirate ?? are you sure for real!

Anyway, let’s move on, as we have already disclosed some users when we enter the 1337 service, one of these users called noel same name as this hacker is looking for!

Why don’t we just try to log in with this password? , we will first go to http://3.19.111.121/wp-admin/ but it was not accessible and redirects us to the index page, but we also assume to be hackers “hunter”, we can connect from here http://3.19.111.121/wp-login.php

And yes, we just got IN guys :), let’s check out what we can do with this pirate backdoor

By sending this http://3.19.111.121/?debug=1&upd=https://google.com we get this output result

Looks like we have SSRF Server Side Request Forgery here, but what we can do next?

As we was crawling the website , we notice that http://3.19.111.121/server-status gives us forbidden page, what if we can access it from the inside? :)

We have just disclosed information about old and the current request made on this app, we can also notice the onion domain bacq7ip6nzdyhb3o.onion which is the hacker domain where he stores information!

As its little difficult to scan or dig in the onion domain, why not try to de-anonymizing it,if you are interested in this kind of stuff, you can find more here https://github.com/AnarchoTechNYC/CTF/wiki/Tor

So, by just checking the nonexistent file like bacq7ip6nzdyhb3o.onion/something, we just leaked the real IP behind this domain :)

Yeah, so cool now we can start doing more things, if we are just trying to do some injection test on this login form we get errors

We just know it should be an xpath injection, let’s use it :)

Since we have the user / password, we can access this hacker website (we can also bypass it using a simple payload ` ‘ or 1=1 or ‘ ` ), but I like the hard way , it teaches a lot!

So now we get a result, looks like the html output of the tree tool

Checking this path http://3.13.238.49/bCkup/Target/172.28.13.37/payload/hack.txt we failed and nothing was there, but if we just check/robots.txt, we can see that it hides a folder that was badly rendered on the result of the tree due to a special character

User-agent: *
Disallow: /bāCkupē

And now we get access http://3.13.238.49/b%C4%81Ckup%C4%93/Target/172.28.13.37/payload/hack.txt

So nice Intro, he preparing some words for the leak which will look wil happen 01/01/2020 !

But if we check the URL again, it looks like he records the result by target as directory name, and this IP address looks like a local IP address for something, lets use SSRF, we need to check what is there

Lets read again this page, as he just starts to mention a few details, we can notice that it is talking about backup container, so this should probably be a issue there, need to find out what we can do with just a login mysql page, without credz!

Looking around on a mysql security issue, we found that we can abuse MySQL clients to get LFI from the server, which means that if we have created a mysql server and the client just connects to our server, we can inject another request like local data file request that means we will make the client read for us some file data :)

It’s like Hey client, please read the /etc/passwd file and send to it me I’ll see what I can do for you and yes, it will read the file as much as it can read it with www-data privilege.

We just setup our mysql server , and run this script on different port https://github.com/Gifts/Rogue-MySql-Server/blob/master/rogue_mysql_server.py

And yes , BOoooM !

We just got the flag by reading /etc/passwd!

Yogosha{4t_christma5_all_r0ads_Le4d_hOme}

See you , Hackers