Sat. Jul 4th, 2020

Pentesting Fun Stuff

following the cyber security path…

Wallaby's: Nightmare

Location

https://download.vulnhub.com/wallabys/wallabysnightmare.rar

Introduction

Level: beginner-intermediate
This is the first boot2root machine created by Waldo.
It’s the first part of a two-part series. The creator was inspired by many VMs from vulnhub.com and built this one with different attack vectors. The machine responds to how the ‘intruder’ tries to get in: make a wrong move and some things get moved around, making the machine more difficult!
It was created for educational purposes and so people can have a little fun testing their skills in a legal pentest lab environment.
Scenario: The intruder is breaking into a fictional character’s server (named Wallaby) and tries to gain root without him noticing; otherwise the difficulty level increases when you make the wrong move!

Getting Started

First I run an nmap scan to discover any open ports.

My first stop is the SSH server for some banner grabbing.

No useful banner here. Onward to the webserver.



Things are getting serious!
The URL uses a parameter. When I change its value I get access to ‘/etc/passwd’.

Looks like there are two users: “walfin” and “steven?”.
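Defenders can spot this kind of parameter tampering in the web server's access log before the reader sees /etc/passwd. This is an added Python example, not code from the write-up or the VM; the log lines, client addresses and the `page` parameter name are constructed.

```python
"""Flag likely LFI probes in web-server access logs (constructed example)."""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Combined log format: client IP, request line and status code are all we need.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Files and wrappers typically requested while probing an include parameter.
_SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "php://", "data://")
_TRAVERSAL = re.compile(r"\.\.[/\\]")


def _normalize(value: str) -> str:
    # Decode twice so double-encoded payloads (%252e%252e%252f) are caught; drop NUL bytes.
    return unquote(unquote(value)).replace("\x00", "").lower()


def lfi_indicators(value: str) -> list:
    """Return the indicators found in one parameter value (empty list if benign)."""
    norm = _normalize(value)
    hits = ["traversal"] if _TRAVERSAL.search(norm) else []
    hits.extend(name for name in _SENSITIVE if name in norm)
    return hits


def detect_lfi(lines):
    """Return one finding per suspicious query parameter: (ip, status, param, indicators)."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        for key, val in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            hits = lfi_indicators(val)
            if hits:
                findings.append((m["ip"], int(m["status"]), key, hits))
    return findings


# Constructed sample lines; the 'page' parameter and client addresses are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jul/2020:10:00:01 +0000] "GET /?page=home HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '10.0.0.5 - - [04/Jul/2020:10:00:02 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 1823 "-" "curl/7.68.0"',
    '10.0.0.5 - - [04/Jul/2020:10:00:03 +0000] "GET /?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1823 "-" "curl/7.68.0"',
    '10.0.0.9 - - [04/Jul/2020:10:00:04 +0000] "GET /index.php?page=about HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, param, hits in detect_lfi(SAMPLE_LOG):
        print(f"{ip} {param}={hits} (HTTP {status})")
```

A 200 status on a flagged request, as in the sample, means the inclusion most likely succeeded and the host should be treated as compromised rather than merely probed.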

Looks like this vector is gone. After another nmap scan it seems that port 80 is closed and another port has opened, which now runs the webserver.


Let’s see if the previous vulnerability is still active.

Looks like the LFI vulnerability still exists. Or so I thought.

Guess I’m being trolled here. Time for finding a new vector.
Because dirb wasn’t getting me anywhere, I tried Wfuzz.

After checking some pages I got to the last one on my list which was the most promising one.


The parameter, commented in the source code, was vulnerable to arbitrary code execution.

Because it will be much easier to recon the system with a shell, I use a bash command to create a reverse shell.

This I need to URL-encode.

Looks like there are two users and an IRC bot.

It seems I have some sudo rights. For instance, I can change the firewall rules.

There is a rule that drops packets on port 6667. When I check my notes I see that there is a filtered port 6667 in my nmap scan: 6667/tcp filtered irc.

After checking the network configuration it seems an IRC server is running locally.

At first I tried to use an IRC client on the remote machine, but that didn’t work. So, because I can alter the firewall rules, I can try to flush the iptables rules and connect to the IRC port from my own machine.


After a few tries I get a channel with a user, Waldo, and a bot.

The bot has an option to show its list of custom commands, since /help is handled by HexChat itself. The option is .help.


Oh oh… busted! So it knows I’m not Waldo. I need to get Waldo out of the chatroom and take his place with the waldo username. But how? I’ve tried the kick/ban options on this side. Didn’t work. So I need to deny his access from the other side… back to the firewall rules.

To set the correct rule I check out a site which provides me with the answer I was seeking.

After a while waldo is gone… the king is dead, long live the king!
With the /nick command I change my nickname to ‘waldo’ and assume his place.

Time for another reverse shell. I use the same one as before, but this time change the port number to 1337.

After this it was easy obtaining root.

Conclusion

This challenge was fun to do. The difficulty level didn’t change that much, and after the first moment of being “caught” there wasn’t really a game changer. The machine did feel a bit “buggy” when I was trying to execute an arbitrary command and the system didn’t respond. After a reset of the machine and following the exact same steps I had a better and smoother experience.
Thanks Waldo for making this VM. Hope to see more of your work in the near future.

2 thoughts on “Wallaby's: Nightmare”

  1. I have a doubt about the IP you start Nmap on!
    How did you get this IP address, 192.168.171.4?
    Sorry, I’m totally new to this field, please help.

    1. Hi Yash,
      192.168.171.4 was assigned by the dhcp server.
      This is not an external IP address. So if you try to scan the same IP, you won’t get any good result.
      When you run the image on your VMware or Vbox it will get its own IP address. You can set the IP range yourself in the settings of your VM software.
      Good luck.
