Friday, December 23, 2016

[VulnHub] Tr0ll: 1

Starting off, an nmap script scan displays a few things of note. The FTP server allows anonymous access and shows an interesting packet capture file. Also, a "secret/" directory was found in robots.txt which, judging by the name of the VM, is surely not the right rabbit hole.

Sure enough, visiting the directory...

Gr8 b8 m8. After logging in to the FTP server and downloading the "lol.pcap" file, I take a closer look in Wireshark. It looks like a capture of a useless FTP session. However, halfway down I found something of interest.

Visiting the newly found "sup3rs3cr3tdirlol/" in the webserver, I found a file called "roflmao."

Upon further inspection, it appears to be a binary, and after executing it, I see what appears to be a memory address of some sort.

My first instinct was to use edb-debugger to perhaps find something to do with the address mentioned in the executable. Fortunately, I didn't waste much time (20 minutes lol) because after pasting the address in to the web browser...

Yeah... Anyway, I find what looks like a username list and a password list (Pass.txt) in the respective directories so I decide to go ahead and start brute forcing SSH. It took me awhile, but "Pass.txt" is literally the password for the "overflow" user.

Within minutes, I can tell escalation is going to be annoying because I'm getting kicked off seemingly randomly and my "/tmp/" files keep getting deleted. I figure this is the work of a cron job, so I take a look at "cron.log."

Taking a look at the file, I see this is indeed what is removing my tmp files.

I also see this file is writable, meaning I can simply create a setuid binary and give it root permissions and I should be good. I create a simple setuid C program and compile it in the tmp directory.

Then I modify the script to give the file root permissions and set the setuid bit.

After "ls -al"-ing a few times, I see the file permissions change and I'm able to execute the program and become root!

This was a very fun VM and it did actually remind me of working in the OSCP labs. I look forward to making time for Tr0ll 2.

Friday, December 9, 2016

[VulnHub] HackDay: Albania

A good old nmap script scan grabs robots.txt from the HTTP server and displays its contents for us.

The first few directories I visited gave me an interesting little philosoraptor meme in Albanian. Google Translate tells me this says "Is this a proper directory, or are jerk." Interesting.

Looking at the directories in list form, two things become clear:
1. The creator of the VM is a fan of the Billy Madison VM (/exschmenuating/).
2. All the directories are in alphabetical order with the exception of /unisxcudkqjydw/.

Going to the directory in Firefox...

Yep. I eventually ended up at "/unisxcudkqjydw/vulnbank/client/login.php" and was greeted with a login page.

Trying some basic SQL injection techniques, I got a promising error message.

I decided to play around with some basic payloads and quickly had success using a username of "test' || 1=1;#". Not only did I get in, but I also became €25,000 richer! Somewhere, a Nigerian prince is proud!

Uploading the plain old "php-reverse-shell.php" file didn't work. However simply adding the extension ".jpg" allowed me to upload the file. Once uploaded, I simply clicked "View Ticket" and I get a beautiful reverse shell.

I immediately notice a user "taviso" in the home directory, but I couldn't find an easy password. It also soon became clear there weren't going to be any kernel exploits either. After an hour or two of searching, I eventually go ahead and reference g0tm1lk's privilege escalation guide which lead to me checking file permissions in the /etc/ directory. I found /etc/passwd to be writable.

Now that I knew I could edit /etc/passwd, I decided to simply edit the password of the "taviso" user, since this user was in the sudo group. First, I copied and pasted the contents of the /etc/passwd file into a file onto my attacking machine's web server root. I then created a password hash using openssl.

Then I simply placed the new password hash where the "x" is located in the /etc/password file next to the user "taviso."

I then used wget to download the newly created passwd file onto the target machine and replaced the old passwd file. Logging in to taviso had worked and I was able to become root!

Overall, I quite enjoyed the VM, specifically the privilege escalation part, and I definitely enjoyed the humor sprinkled throughout. I would definitely recommend this VM to you if you hadn't just read the spoilers.