Friday, December 9, 2016

[VulnHub] HackDay: Albania

A good old nmap script scan grabs robots.txt from the HTTP server and displays its contents for us.

The first few directories I visited gave me an interesting little philosoraptor meme in Albanian. Google Translate tells me this says "Is this a proper directory, or are jerk." Interesting.

Looking at the directories in list form, two things become clear:
1. The creator of the VM is a fan of the Billy Madison VM (/exschmenuating/).
2. All the directories are in alphabetical order with the exception of /unisxcudkqjydw/.

Going to the directory in Firefox...

Yep. I eventually ended up at "/unisxcudkqjydw/vulnbank/client/login.php" and was greeted with a login page.

Trying some basic SQL injection techniques, I got a promising error message.

I decided to play around with some basic payloads and quickly had success using a username of "test' || 1=1;#". Not only did I get in, but I also became €25,000 richer! Somewhere, a Nigerian prince is proud!
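The bypass above works because the login page splices the username straight into the SQL text: in MySQL, `||` is OR and `#` starts a comment, so the password comparison is commented out and `1=1` makes the WHERE clause true for every row. The following is an added example (not code from the VM or this post) showing the same defect and its fix in Python against an in-memory SQLite table; SQLite uses `OR` and `--` rather than `||` and `#`, so the constructed payload is the SQLite equivalent of the one above. The table and the user `alice` are made up for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table; not the VM's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # User input is concatenated into the SQL text, so quotes and comment
    # markers in the input change the structure of the query.
    sql = (f"SELECT username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # A raw database error echoed back to the client is the "promising
        # error message" a tester looks for; the app should log it, not show it.
        return f"error: {exc}"
    return row[0] if row else None


def login_safe(conn, username, password):
    # Bound parameters: the driver sends the values separately from the
    # query text, so input can never alter the query structure.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    bypass = "test' OR 1=1-- "   # SQLite form of the page's test' || 1=1;# payload
    return {
        "vuln_syntax_error": login_vulnerable(conn, "test'", "x").startswith("error"),
        "vuln_bypass": login_vulnerable(conn, bypass, "x"),   # "alice" without a password
        "safe_bypass": login_safe(conn, bypass, "x"),         # None: treated as a literal string
        "safe_valid": login_safe(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```

Parameterisation is the structural fix; storing a salted password hash instead of the plaintext password shown here is a separate hardening step that the demo leaves out for brevity.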

Uploading the plain old "php-reverse-shell.php" file didn't work. However, simply adding the extension ".jpg" allowed me to upload the file. Once uploaded, I simply clicked "View Ticket" and got a beautiful reverse shell.
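The upload filter above only looks at the trailing extension, and the server still executes the file as PHP. As an added example (not code from the VM), here is a Python validator that a ticketing upload could use instead: it allows only the final extension from a whitelist, refuses nested executable extensions such as `.php.jpg`, requires the image signature bytes for the declared type, and assigns a random storage name so the client's filename never reaches disk. The extension and magic-byte tables, `validate_upload` and `storage_name` are all assumptions of this example.

```python
import os
import secrets

# Only these trailing extensions are accepted; everything else is rejected.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}

# Leading signature bytes that a genuine file of each type must start with.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Extensions that some web server configurations will execute even when they
# are not the last one in the name (e.g. shell.php.jpg under an AddHandler rule).
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php5", "phar"}


def validate_upload(filename, data):
    """Return (ok, reason) for an uploaded filename and its raw bytes."""
    base = os.path.basename(filename)            # drop any path the client sent
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    # Nested extensions: everything after the first dot in the remaining name.
    inner = {part.lower() for part in root.split(".")[1:]}
    if inner & EXECUTABLE_EXTENSIONS:
        return False, "nested executable extension"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    if b"<?php" in data:
        # Cheap polyglot check: a real image with a PHP tag appended is still
        # executable if the server ever interprets it as PHP.
        return False, "PHP tag found inside image data"
    return True, "ok"


def storage_name(ext):
    """Random on-disk name; the client-supplied name is never reused."""
    return secrets.token_hex(16) + ext.lower()


if __name__ == "__main__":
    # Constructed samples: a fake JPEG header and a renamed PHP file.
    print(validate_upload("cat.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(validate_upload("php-reverse-shell.php.jpg", b"<?php echo 1; ?>"))
```

Validation alone is not the whole fix: the uploads directory should also sit outside the document root, or be served with PHP execution disabled, so that even a file that slips past the checks is only ever returned as static bytes.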

I immediately noticed a user "taviso" in the home directory, but I couldn't find an easy password. It also soon became clear there weren't going to be any kernel exploits either. After an hour or two of searching, I eventually went ahead and referenced g0tm1lk's privilege escalation guide, which led me to check file permissions in the /etc/ directory. I found /etc/passwd to be writable.

Now that I knew I could edit /etc/passwd, I decided to simply edit the password of the "taviso" user, since this user was in the sudo group. First, I copied and pasted the contents of the /etc/passwd file into a file in my attacking machine's web server root. I then created a password hash using openssl.

Then I simply placed the new password hash where the "x" is located in the /etc/passwd file, next to the user "taviso".

I then used wget to download the newly created passwd file onto the target machine and replaced the old passwd file. Logging in as taviso worked and I was able to become root!
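Two things made this escalation possible: /etc/passwd was writable by an unprivileged user, and the system honours a hash placed in the password field of /etc/passwd instead of the `x` that defers to /etc/shadow. Both are easy to check for. The audit below is an added example, not code from the VM or this post: it parses passwd-format text, flags entries whose second field is a hash or is empty, and flags the file's mode bits if group or world write is set. It generalises slightly beyond the post by also flagging extra UID 0 accounts, another common result of an editable /etc/passwd. The sample text is constructed, and the `$6$FAKESALT$...` value is a placeholder, not a real hash.

```python
import os
import stat

# Constructed sample in /etc/passwd format; the taviso hash is a placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
taviso:$6$FAKESALT$FAKEHASHPLACEHOLDER:1000:1000:taviso,,,:/home/taviso:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sysadm2::0:0::/root:/bin/bash
"""


def parse_passwd(text):
    """Split passwd-format text into entries; malformed lines are kept and marked."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            entries.append({"name": line, "line": lineno, "malformed": True})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell, "line": lineno})
    return entries


def audit_entries(entries):
    """Return (name, reason) findings for suspicious passwd entries."""
    findings = []
    for e in entries:
        if e.get("malformed"):
            findings.append((f"line {e['line']}", "malformed entry"))
            continue
        if e["pw"] == "":
            findings.append((e["name"], "empty password field"))
        elif e["pw"] not in ("x", "*", "!"):
            # Anything other than x/*/! is a usable hash living outside /etc/shadow.
            findings.append((e["name"], "hash stored in /etc/passwd instead of /etc/shadow"))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 account"))
    return findings


def audit_mode(mode):
    """Return the write-permission problems for a stat st_mode value."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def audit_file(path="/etc/passwd"):
    """Live check: run both audits against a real file on this host."""
    with open(path) as fh:
        entries = parse_passwd(fh.read())
    return audit_entries(entries), audit_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    print(audit_entries(parse_passwd(SAMPLE_PASSWD)))
    print(audit_mode(0o100666))   # the permission problem this VM had
```

The expected state on a healthy host is an empty list from both checks and a mode of 0644 owned by root; a hash in the second field, an empty field, or a second UID 0 user is worth alerting on, and a file-integrity monitor watching /etc/passwd and /etc/shadow catches the wget-and-replace step described above as soon as it lands.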

Overall, I quite enjoyed the VM, specifically the privilege escalation part, and I definitely enjoyed the humor sprinkled throughout. I would definitely recommend this VM to you if you hadn't just read the spoilers.