Today we are going to take on another challenge, Library2, which is the 2nd lab of the Library series. The credit for making this VM goes to “Avraham Cohen”. It is a boot2root challenge where we have to root the server to complete it. You can download this VM here.
Security Level: Beginner
Penetrating Methodology:
Scanning
· Netdiscover
· NMAP
Enumeration
· Web Directory Search
· Burpsuite
Exploitation
· Sqlmap
· FTP
· Shell Upload
· Netcat
Privilege Escalation
· Obtaining root password
Walkthrough:
Scanning:
Let’s start off with the scanning process. This target VM took the IP address 192.168.1.107 automatically from our local Wi-Fi network.
We used Nmap for port scanning and found that ports 21 and 80 are open.
nmap -A 192.168.1.107
Enumeration:
As we can see, port 80 is open, so we opened the IP address in our browser, but we didn’t find anything useful on the webpage.
Firstly, we tried dirb in default mode but didn’t find any directory. Then we looked with the .php extension and got one page, /library.php.
dirb http://192.168.1.107 -X .php
After accessing the URL http://192.168.1.107/library.php we got a webpage listing the names of a few countries.
We just clicked on Netherlands and it didn’t give any information.
We captured the request in Burp Suite and thought the country parameter might be vulnerable to SQL injection, so we copied the raw request from Burp into a text file named sql and used an asterisk (*) to pinpoint our injection point, but we didn’t get anything.
Then we took a little help from the hint given by the creator of this machine on Vulnhub and changed the request method from GET to POST.
You can see in the image below that the request has changed from GET to POST.
Exploitation:
Now let’s use sqlmap on this new file.
sqlmap -r sql --dbs --batch --risk 3 --level 5
From the results we found a database named library.
Further, we enumerated the library database for usernames and passwords.
sqlmap -r sql -D library --dump-all --batch --risk 3 --level 5
We found a username globus and password AroundTheWorld for the FTP service.
We connected to the target system through FTP using the credentials found above. We looked here and there but couldn’t find anything useful, so we grabbed a php-reverse-shell from /usr/share/webshells/php, modified the listener IP to ours and named it shell.php.
Then we tried to upload it to the target machine using the put command, but we got an access denied error.
ftp 192.168.1.107
ls
cd html
ls
put shell.php
It seemed there was some sort of file format filtering happening in the backend. We found a workaround for this filter by changing the name of the script file from shell.php to shell.PHP, which the filter did not block.
put shell.PHP
ls
chmod 777 shell.PHP
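The bypass above works because the backend filter compares the extension case-sensitively while the web server still hands shell.PHP to the PHP interpreter (Apache's mod_mime matches extensions case-insensitively). The following added example, not part of the original walkthrough, contrasts that weak deny-list check with a hardened allow-list check; the function names and the extension sets are my own assumptions.

```python
import os

# Hypothetical allow-list of extensions a server should accept for uploads.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}
# Extensions commonly mapped to the PHP handler (assumed set; check your
# server's AddHandler/FilesMatch config for the real list).
PHP_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phps", "phar"}


def weak_filter_allows(filename: str) -> bool:
    """Case-sensitive deny list: blocks shell.php but lets shell.PHP through."""
    return not filename.endswith(".php")


def hardened_filter_allows(filename: str) -> bool:
    """Allow-list check: normalise case and inspect every dotted segment.

    Rejects any PHP extension anywhere in the name (shell.PHP, shell.php.jpg)
    and accepts only names whose final extension is on the allow-list.
    """
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or a dotfile such as .htaccess
    exts = parts[1:]
    if any(ext in PHP_EXTENSIONS for ext in exts):
        return False
    return exts[-1] in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample uploads, including the case-flip used in the writeup.
    for name in ["shell.php", "shell.PHP", "shell.php.jpg", "photo.JPG", ".htaccess"]:
        print(f"{name:15} weak={weak_filter_allows(name)!s:5} "
              f"hardened={hardened_filter_allows(name)}")
```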
Now we executed the shell by browsing to the URL http://192.168.1.107/shell.PHP, having already started a netcat listener on our Kali machine.
Privilege Escalation:
We successfully got a netcat session with limited user privileges. After a little bit of directory traversing we found the password of root inside a file named welcome located in the /var/mail directory.
Then we finally switched to the root shell using the su command and successfully completed the challenge.
nc -lvp 1234
python -c 'import pty; pty.spawn("/bin/sh")'
cd /var/mail
ls
cat welcome
su root
id