Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…


As usual I’m starting with a port scan to get a list of open ports and running services.

For this scan I’m using the flags -T for speed, -sS for syn-scan (is run by default as root – but I’ll use it nevertheless), -sV for version of running service, -sC for a script scan of the Nmap scripting engine (NSE), -oN to get the result in a text file and final -p- for all 65535 TCP ports. UDP I skip by default as it takes a very long time to scan.

And this is the result of the scan. I omitted the -O flag which you can use to get an educated guess of the targeted operating system.
The response of the service behind port 80 is giving back that the port is open but nmap can’t determine what kind of service is running behind it.
When I try and direct my browser to it……it tries to connect, but doesn’t get any result.
So I use view-source: and as result I get the source code of the main page.
At the bottom of the page there is a comment which gets my attention:

Looks like bas64.

A password maybe? But where?
The site hosts a Joomla CMS. So maybe to find the default login page.
The only problem I face at the moment is that I thought the loading of the site was normal. But it isn’t!
It just runs a Joomla site and you need to get some information about getting in and secret.txt is one lead.
But the machine is just damn unstable. When looking at the forum it seems that the site runs fine with other users, but there is a lot of complaining about resetting the machine a lot and changing stuff like index.php……which will ruin it for others (as we all use the same machine).
So I need to suck it up and keep at it. Unfortunately I just ran a dirSearch scan and a joomscan and the box gets reset….again!!!!
This is no fun.
After a few tries it seems that the machine is running fine and the site is loaded properly.
Because I found something that could work as a password…I needed to find an username. Admin and Administrator didn’t work, so when checking the site there was a name: Floris.
This got me in as Super User.
And the machine gets another reset 🙁
I didn’t had much time to get a good look at my options, but it looked like I could edit the articles published on the site.
A next step would be to alter one of the articles and embed a reverse shell php script.
But a quick scan of the webserver shows the index.php is 0 byte. So maybe people are messing with the index.php and then reset the machine if it doesn’t work.
This is annoying.
Now that I know my initial scan was misguided by other hackers messing with the machine I ran a port scan again….and got a different result.

That’s more like it. So to get a working shell I just need to endure the endless resets on this machine.
After a while the machine seems to be stable and I use the creds to get into the admin console and enumerate the modules.
Because there was nothing useful I installed Simple file upload and after some modifications I was able to upload a working php script that gives me a reverse shell:

Now to get some better privs.

It looks like there is a file called password_backup in the /home/floris folder.
To be save I’ll copy it to a tmp folder and work from there on.

The first bytes of a file can give away its identity. When googling on 425a 6839 3141 5926 it showed that this was the typical header of a bz2 file.
The reason why file gave as output a ASCII file was because it was a hexdump of a bz2 file.

Now to decompress the file.

Another compression.

Gunzip needs gz as extension so I renamed the file first.

Another round of compression……getting a bit boring.
After another round of bzip2 decompressing and tar I got a txt file.

Aaaaaaaand the connection is lost due to another reset. As patiently as I am, I wait for another startup just to find out someone had corrupted the index.php. So no login possible.
Man this is getting really annoying. The machine doens’t look that difficult, but the many resets and the bungling of some people really makes it a challenge. I really don’t like giving up, but I have no idea how long this is going to be fun.
When the machine is reset again and seems to run stable I repeat the previous steps to get a reverse shell and su as floris with the found password.
I got some tty issues, but with python3 -c 'import pty;pty.spawn("/bin/bash");' that was sorted out quickly.

Finally….the first hash.
In the home folder there is a folder called admin-area which is a bit of a give-away.
Inside there are 2 files: input and report which are owned by root but can be  managed by floris.
The input file has a variable which directs to the localhost webserver. The report file is a http representation of that input.

Let’s try and point the input var to a more interesting file.

And there we have it. The root flag.
Can’t say I really liked this machine, but that was mostly because of the many resets.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.