Hacking Articles|Raj Chandel's Blog: Hack The Gemini Inc (CTF Challenge)

Gemini Inc has contacted you to perform a penetration testing on one of their internal systems. This system has a web application that is meant for employees to export their profile to a PDF. Identify any vulnerabilities possible with the goal of complete system compromise with root privilege. To demonstrate the level of access obtained, please provide the content of flag.txt located in the root directory as proof.

Download it from here.

Penetrating Methodologies

· Scanning (NMAP)

· Abusing web application for export injection vulnerability

· Exploit web application via html iframe

· Steal SSH RSA file

· Access tty shell through ssh login

· Enumerate file having SUID bit

· Privilege Escalation

· Get root shell

· Complete the task and capture the Flag.txt

Let’s GO000!!!

To scan our target IP we will use aggressive scan (-A)

nmap -p- -A 192.168.1.103 --open

As result, it figures out port 22 and 80 was open. Also found a directory /test2. When explored target IP through the web browser it put up following web page as discussed.

Then we explored /test2 where we read following message for admin and also look after at the URL given here.

Then at login form, we tried the hit-try method for login into the admin console and luckily at 5^th attempt we get successful login when we submit following credential.

Username: admin

Password: password123

After login into admin console successfully we check available action that can be performed by the administrator and here it shows following actions.

§ Edit profile

§ Export profile

So we execute export profile to observe what is in actually it is exporting but could not figure out from its output as shown in below image, therefore, we decided to capture its request.

Further, with help of burp suit, we try to capture its browser request and sent the Intercepted request into the repeater and here I saw the export script possibly gave us the user profile page admin in PDF format by a tool named wkhtmltopdf.

Security breaches if the web application does not filter the user’s input, the server is exposed to several loopholes Because the most common exposures on the web, is the possibility to download an arbitrary file from a server. This state establishes a critical security issue, as it provides an attacker the ability to download delicate information from the server. For example download /etc/passwd file and so on.

We can abuse the wkhtmltopdf and try to download delicate information. Here we have written the following code for the index.php script that redirects to the any requested file.

In order to transfer it into victim's machine, therefore, we launch PHP server for file transfer.

php -S 0.0.0.0:4444

We got a hint for export injection from this source: https://securityonline.info/export-injection-new-server-side-vulnerability/ and its bases we proceed for following steps.

Now go with Action -> edit profile

Then injecting the following HTML code inside the text filed given for the Display name

Now go with Action -> export profile

TERRIFIC!!!! It stands on our expectation and we have /etc/passwd file in front of us. here we can clearly observe UID GID 1000 for user: gemini1.

From nmap scan result we had seen there was a hint for SSH RSA key and we also knew the first username of this VM, therefore let’s try to export RSA file.

Now go with Action -> edit profile

Then injecting the following HTML code inside the text filed given for the Display name

Now go with Action -> export profile

Feeling Incredible J After observing the following result, download it quickly.

With help of downloaded RSA file connect to victim's VM via ssh.

ssh -i login_rsa gemini1@192.168.1.103

Then without wasting your time search for the file having SUID or 4000 permission with help of Find command for post exploitation.

find / -perm -u=s -type f 2>/dev/null

Here we can also observe an interesting file/usr/bin/listinfo having suid permissions. And after exploring this file we notice it probably running natstat and date. Hence we can escalate privilege by exploiting environment PATH Variable, you can take help of our article from here to know more about it.