[VM Completed on Nov 11, 2016]
First thing I'm going to point out is that this was the first machine I rooted in a while. My wife gave birth to our first child in March and I stepped away from all this. So I was a little rusty, but things started to work once I sat and thought about it. Here we go!
So the VM is set to DHCP and after a quick scavenger hunt, I found it. So naturally nmap is the next step. Since these aren't production systems, I just do a generic, lazy, full-blown nmap scan to make sure I don't miss anything.
So it's running a webserver at port 8008. Let's open up Firefox and see what is there.
Okay. So we have some Albanian language. I threw that into Google Translate to see what I can make of it. Being bilingual myself, I know Google Translate isn't the best at translating word for word. But I figured it would give me a rough translation:
Miresevini (Welcome)
Ne qofte se jam UNE, e di se ku te shkoj ;) (If I am, I know where to go ;))
OK ok, por jo ketu :) (OK ok, but not here :))
Alright... So this has something to do with Mr. Robot. Well, let's see what dirb finds.
Nothing unusual here. There is a robots.txt file which I'm certain at this point is the connection with Mr. Robot. Let's grab it.
Oh fun! Lots of crazy directories. Most of them had this picture.
This roughly translates to:
a eshte kjo direktoria e duhur apo po harxhoj kohen kot (Is this a proper directory or are jerk)
Well then... Something got lost in translation. Am I a jerk or is the server a jerk? ... Let's keep moving. Eventually I landed on this page.
Is there any vulnbank in there?
Hey! Looky here. A very secure bank. I better transfer to this bank. Looks unhackable. It's right in the title that it is a secure bank, right?
Time to try some fuzzing.
So according to this, I wasn't completely blind to SQL injection here. I got one message back saying, "mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php". I know there is some input sanitization here. It doesn't like boolean input, so any of the AND/OR statements in MySQL won't work. This part took me quite a while to figure out. I had to reread some OSCP stuff. When you don't use this stuff every day, you forget things. Anyways, what eventually got me in was this:
The %20 is URL encoding for a space, so "admin'%20#" is really "admin' #". The single quote closes the string literal holding the username, and # starts a MySQL comment, so everything after it in the statement, including the password comparison, is ignored. The lookup matches on the username alone, which bypasses the need for a password.
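To make the bypass concrete from the fixing side, here is an added example (my own, not code from the VM or its author) that puts the string-concatenated login lookup next to a parameterised one. It uses an in-memory SQLite table with invented column names, since the real schema is unknown, and SQLite's "--" comment stands in for MySQL's "#"; the mechanism is the same. The wrapper that reports "error" mirrors what the mysqli_fetch_assoc() warning above was telling me: a malformed query returned false instead of a result set.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the bank's users table (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password is for the demo only; a real app stores a hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern behind the bypass: user input is pasted into the SQL text,
    so a quote plus a comment marker rewrites the query itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised lookup: the driver binds the values, so a quote or a
    comment marker in the input is just data and never reaches the parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def login_outcome(conn, username, password):
    """Run the vulnerable lookup and classify what happened. A malformed query
    surfaces as 'error', the analogue of mysqli returning false and the fetch
    call complaining about a boolean."""
    try:
        return "ok" if login_vulnerable(conn, username, password) else "denied"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    # A lone quote breaks the statement: this is the 'boolean given' case.
    print("admin'        ->", login_outcome(db, "admin'", "x"))
    # Quote plus comment drops the password check in the concatenated version...
    print("admin' --     ->", login_outcome(db, "admin' -- ", "x"))
    # ...but is harmless once the lookup is parameterised.
    print("safe lookup   ->", login_safe(db, "admin' -- ", "x"))
```

Running it prints error, ok and False in that order: the same input that owns the concatenated query is rejected by the bound query, which is the fix the application needed.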
Looking at the first page after logging in, I can clearly see an option to upload a file. So I tried uploading a php reverse shell and no luck.
Well then... how nice. They told me the file types they accept. So for the heck of it, I changed the extension from .php to .jpg. It looks like the previous attempts at uploading the .php file worked but it didn't do anything.
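The upload check on this box clearly trusted the file extension alone. As an added example (mine, not the VM's code), here is what a server-side validator that does not fall for a renamed script looks like: it requires both an allow-listed extension and a matching file signature, refuses anything carrying a PHP open tag, and stores the file under a server-chosen name so the client's filename never touches the filesystem. The signatures and the sample bytes are constructed for the demo.

```python
import os
import secrets
import tempfile

# Allow-list: extension -> leading bytes (magic) the content must start with.
ALLOWED_SIGNATURES = {
    "jpg": b"\xff\xd8\xff",          # JPEG SOI marker
    "png": b"\x89PNG\r\n\x1a\n",     # PNG signature
}


def validate_upload(filename, data):
    """Return (ok, reason). Extension and content must agree, and no PHP open
    tag may appear anywhere, even inside an otherwise valid image."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension not allowed"
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "content does not match extension"
    if b"<?php" in data:
        return False, "script content detected"
    return True, "ok"


def store_upload(filename, data, upload_dir):
    """Validate, then write under a random server-chosen name (hex + extension).
    upload_dir should be outside the web root or have script execution off."""
    ok, reason = validate_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    ext = filename.rsplit(".", 1)[-1].lower()
    safe_name = secrets.token_hex(16) + "." + ext
    path = os.path.join(upload_dir, safe_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo_store():
    """Store a constructed minimal JPEG and report the name the server chose
    and the size written; the client's path-traversal-looking name is ignored."""
    sample_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed header + padding
    with tempfile.TemporaryDirectory() as d:
        path = store_upload("../../odd name.jpg", sample_jpeg, d)
        return os.path.basename(path), os.path.getsize(path)


if __name__ == "__main__":
    renamed_script = b"<?php echo 'constructed sample'; ?>"   # .php content with a .jpg name
    print(validate_upload("shell.php", renamed_script))
    print(validate_upload("shell.jpg", renamed_script))
    print(validate_upload("pic.jpg", b"\xff\xd8\xff\xe0<?php echo 1; ?>"))
    print(demo_store())
```

The second print is the case from this box: the same bytes with a .jpg name are rejected because the content does not start like a JPEG. The third shows why the extension-plus-magic check still needs the tag scan; a real image with PHP appended passes the first two checks.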
Time to start my netcat listener and success! Got my low level shell.
So time to snoop. First I checked what tools were available to me.
Python 3 was installed so I figured I would give myself somewhat of a better shell to work with here.
Time for enumeration. First things I check are the kernel, home directories, and files that have world-wide read, write, and execute permissions.
From this output, I've determined that it's running a fairly new kernel. I couldn't find any direct exploits that I could leverage. I know there is a user by the name Taviso. So there might be something good there. Lastly, the very important /etc/passwd is writable by anyone. So that makes things very interesting.
Well. I figured if I could switch user to Taviso, I might be able to push further into becoming root. Knowing this is an Ubuntu system, simply sudoing to root as Taviso might work. In this case, if I can input my own password for Taviso in the /etc/passwd file, it would be simple to do this. On a side note, in the OSCP course, changing the user's passwords was usually frowned upon. Yes, it was a viable vector, but it wasn't the take away Offensive Security was looking for. So this was my first time doing this type of attack. It may seem rudimentary as a basic attack vector, but it's new to me. It's not that I never thought about it during my OSCP time in the labs, it just wasn't the OSCP way. ;)
Since I'm not in a fully functional shell environment, I can't just nano or vi the /etc/passwd file and input what I need. I'll need to overwrite the file with a little bash script. But first, I must generate my own password hash to put into the /etc/passwd file.
Then I put it in this little script to overwrite /etc/passwd. Notice the "" around EOF; this is so the text in red is not expanded as shell variables.
Upload to the server using wget in /tmp/ and give it execute rights. Run the script...
Check to see if the changes were made properly.
The changes worked. Time to su as Taviso and then sudo su with Taviso's password to see if root appears.
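From the defender's side, the two things that made this escalation possible are both easy to audit: a world-writable /etc/passwd, and an entry whose password field holds a hash instead of the "x" that defers to /etc/shadow. The following is an added example (my own, not part of the original write-up) that checks both. The passwd content, the salt and the hash are constructed; the file is written to a temporary directory and chmod'ed to 0666 to reproduce the misconfiguration found on this box, then to 0644 to show the clean result.

```python
import os
import stat
import tempfile

# Constructed /etc/passwd excerpt. Line 3 is what the technique above leaves
# behind: a local hash in field 2 instead of 'x'. The hash itself is fake.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "taviso:x:1000:1000:Taviso:/home/taviso:/bin/bash\n"
    "taviso:$6$constructedsalt$constructedhash:1000:1000:Taviso:/home/taviso:/bin/bash\n"
)


def check_passwd_entries(text):
    """Return (line number, finding) pairs for entries that should not exist on
    a shadowed system: a hash stored locally, or a second UID 0 account."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw not in ("x", "*", "!"):
            findings.append((lineno, f"{user}: password hash stored in /etc/passwd"))
        if uid == "0" and user != "root":
            findings.append((lineno, f"{user}: extra UID 0 account"))
    return findings


def classify_mode(mode_bits):
    """Pure check on st_mode bits: who besides the owner may write the file."""
    issues = []
    if mode_bits & stat.S_IWOTH:
        issues.append("world-writable")
    if mode_bits & stat.S_IWGRP:
        issues.append("group-writable")
    return issues


def check_mode(path):
    """Same check applied to a real path (e.g. /etc/passwd on a live host)."""
    return classify_mode(os.stat(path).st_mode)


def demo():
    """Write the sample to a temp dir, audit it at 0666 (as found on the box)
    and again at 0644, and scan its entries. Returns (bad, good, findings)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd")
        with open(path, "w") as fh:
            fh.write(SAMPLE_PASSWD)
        os.chmod(path, 0o666)   # the misconfiguration that let the file be overwritten
        bad = check_mode(path)
        os.chmod(path, 0o644)   # the expected mode: root-owned, nobody else writes
        good = check_mode(path)
        return bad, good, check_passwd_entries(SAMPLE_PASSWD)


if __name__ == "__main__":
    bad, good, findings = demo()
    print("0666:", bad)
    print("0644:", good)
    for lineno, finding in findings:
        print(f"line {lineno}: {finding}")
```

On a real host you would point check_mode at /etc/passwd and feed its contents to check_passwd_entries; either finding is worth an alert, since a valid hash in field 2 of /etc/passwd is honoured by the login stack on most Linux systems, which is exactly why the su above worked.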
Woo! Box rooted! Now to check root's home directory to see if there is anything in there.
As expected, a txt file with a hash for the ctf. More Albanian that roughly translates to:
Urime, (Congratulations,)
Tani nis raportin! (Now begins the report!)
Flag hash: d5ed38fdbf28bc4e58be142cf5a17cf5
Moral of the story here is: be sure to sanitize the user input.
I had a lot of fun doing this. Hopefully I can keep this up. It's good exercise for the brain. Always learning new things and new ways to break a machine.