Mission : Get the root flag on `Acid` which is a deliberately vulnerable virtual machine hosted at https://www.vulnhub.com/. The virtual machine can be downloaded at https://www.vulnhub.com/entry/acid-server,125/. I quickly loaded up the virtual machine into my VMWare Player and i was good to go !
Detailed Steps for getting root:
A nmap scan of the box reveals only one service running on a non default port. It seems that there is only this http service running on the box.
Upon accessing the http service on the port 33447 we are presented with a "Welcome to the world of acid" webpage.
Acid Page |
Our first instinct it to always view the source code of the page to see if there is anything interesting and sure enough we are lucky as in this case we find a hidden comment - "643239334c6d70775a773d3d". It seems that its in hex . We convert hex to ascii to get "d293LmpwZw==" . The == sign at the end tells us that its base64 encoded. We are quickly able to decode the string as wow.jpg. ! Lets see if we can use this image later.
We also see that the page title is "/Challenge" which tells us that such a folder may exist on the webserver. When we visit the /Challenge folder on the webserver we see a login page prompting for an email address and password. We cant do much now so we use dirbuster against the webserver. Our dirbuster tells us there are some interesting files and folders on the webserver.
Dirbusting /Challenge directory |
We also interact with the login page via the burp suite to understand better the way the form interacts with the backend webserver. We can see that the form converts the password into a hash using a api from the includes javascript files namely sha512.js and forms.js. We try to look into these files and see that these files are infact part of a php login system called "phpSecureLogin" https://github.com/peredurabefrog/phpSecureLogin. It seems that the project has been abandoned but we find that the github page (https://github.com/peredurabefrog/phpSecureLogin) lists default credentials (email : test@example.com Password: 6ZaxN2Vzm9NUJT2y ) built into the login system. We use it and we are successfully able to bypass the login screen !
Login form showing the includes javascript files |
Once we login we have a look at all the files that are listed by the dirbuster. When we view the cake.php we see that the page title changes to /Magic_Box hinting that there may be something with that name on the webserver.
It seems that we dont have the permission to view the /Challenge/Magic_Box directory but we run a dirbuster against it to see if it reveals anything.
Dirbusting /Magic_Box directory |
We are able to find a bunch on interesting files such as low.php, tails.php , command.php etc. It seems that command.php is a console that allows us to ping another IP. We suspect a command injection vulnerability here and hence besides providing a IP address we provide another command such as "id" with the assumption that the backend code will not sanitize the input and not limit execution to a single IP address command.
Command injection |
Sure enough we can see that our code is being executed.
Once we can execute code on the server we attempt to get a reverse shell. We reference the reverse shell cheat sheet http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet and select the perl reverse shell after checking that nc though installed does not support the -e option. To be able to use the perl reverse shell we must url enocde it and also since the length of the IP address field is set to max 200 we need to intercept the request in burp before forwarding it to the webserver.
Burp intercept |
Sure enough we get our low priv shell !
Privilege Escalation :
Escalating privileges on the box takes quite a long time. Once we have a low shell we peep into all the file present in the Challenge and Magic box directories. We see that the box is running a MySQL service and the file psl-config.php contains the database password.
In the database we check the secure_login database to find a few users and their password hashes and password salts. We are able to crack the hashes ( saman & Vivek) but since the passwords are salted we wont be able to crack it. At this point we give up on the database. We slowly follow the priv escalation guide https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ till we finally see an interesting file on the box via enumerating all the files for the user acid and user Vivek on the box.
The pcap file is interesting and we download it and open it in wireshark. We guess that we should look into the TCP communication captured on the network interface and hence set the wireshark filter to the same. Then we follow the TCP stream to see the data exchanged in the session. And sure enough we get our next clue.
Looking at the message we guess the user saman password. Also always check if the user is in the sudoers list. This gives us root !