Today we are going to take on another challenge known as “DEVELOPMENT”. This is designed for
OSCP practice, and the original version of the machine was used for a CTF. It
is now revived and made
slightly
more nefarious than the original. The author of this
VM machine is “Donavan”. Our goal is to get flag to complete the challenge.
Download it from here: https://download.vulnhub.com/digitalworld/devt-improved.7z
Security Level: IntermediatePenetrating Methodology:
Scanning
·
Netdiscover
·
NMAP
Enumeration
·
Run http service
·
Web spidering
Exploiting
·
Remote File Inclusion
·
Ssh login
Privilege Escalation
·
Exploit sudo rights
·
adding new user
Capture the Flag
Walkthrough
Scanning:
Let’s start off by scanning
the network and identifying host IPs. As illustrated below, we can identify our
host IP as 192.168.1.104.
netdiscover
Time to scan the Target’s IP with Nmap.
nmap -sV
192.168.1.104
We can clearly see
from screenshot a few open ports e.g. 22(ssh),139(NetBIOS-ssn),
445(NetBIOS-ssn), 8080(http-proxy).
Enumeration:
Since
port 8080 is running HTTP-proxy, so our obvious choice is to browse Target’s IP
in browser. Here we
got
a clue about some html_pages. It could either be any Directory or a webpage.
So, let’s dig into the source code if we can find something useful. Here
they are talking about some Development secret page and Patrick is being mentioned,
he could be a user:
Now moving ahead, lets surf through the webpage mentioned earlier which
is html_pages .Here again we can see a few html files in which “development.html” could be of our
interest.
When you visit development.html, you can find a mention of “hackersecretpage”
nothing else seems useful.
Again we went through the source code of the same and found “./developmentsecretpage”
.This seems our secret page.
If you visit the page, it is confirming to be the Development secret
page and a PHP file link named ‘Patrick’.
If we visit the file link it opens a page with another file included
in it named ‘Sitemap’.
And when we visit /sitemap.php, we clicked on the embedded link stating
“Click here to logout” which turned out to be Login page.
Exploitation
We just tried random login credentials “admin” for both username and
password and 1234 that’s a success.
Here we are getting a short of error message on the top of the page. So
we Googled about it.
We found an exploit for the same listed on Exploit-db with the name of
“/[path]/slog_users.txt” which is vulnerable to RFI. Refer CVE code :2008-5762/63.
When we appended slog_users.txt file with our webpage
we found four users and their password hashes.
After decrypting the hashes, we got passwords in clear text for intern,
Patrick and qiu respectively but not for Admin.
Priviledge Escalation:
As we knew port 22 is open for ssh so here I try to login
into ssh using intern and we got access of ssh as
shown below. After that we found list of commands that are allowed to run here.
Then we check list of files using ‘ls’ as it was one of the allowed commands. We
found two text files here ‘local.txt’ and ‘work.txt’ but when we try to open them,
we failed.
?
ls
cat local.txt
Hmm! we got access of restricted shell where we can run
only few commands allowed by admin. So, to import proper tty shell, we can import
‘/bin/bash’ by using following command:
echo os.system(‘/bin/bash’)
cat local.txt
cat work.txt
Next, we try again accessing the same ‘local.txt’ file and
it just shows a congratulatory message, so we moved on to work.txt, here as
well it is showing we have to move further with user Patrick and we already knew
Patrick’s password.
NOTE: At first attempt, you will get an error SSH connection refuse,
therefore restart the Vulnerable machine to get connect with SSH.
After logging in as patrick, we check the sudo rights for
him where I found Patrick has ALL Users permissions including root user to run
vim and nano as shown below.
su patrick
sudo -l
In another terminal in my local machine I
have generated a new encrypted password: pass123 whose salt is ignite using
OpenSSL and copy the salt password.
openssl passwd -1
-salt ignite pass123
Next by providing sudo access to any editer(either vim or nano ) we
can read as well as edit any system file
which is restricted to access by any lower privilege user such as /etc/passwd
file.
Since Patrick has sudo rights which means he can modified the root files
too, therefore I decided to insert a new user with root privilege in the
/etc/passwd file.
sudo nano
/etc/passwd
As you can see in the screenshot below, we have added a user ‘RAJ’ and
with encrypted password and we have given all root privileges to it as well.
raj:$1$ignite$3etbJm9809Hz.K1NTdNxe1:0:0:root:/root:/bin/bash
Capturing the flag
What we are waiting for, lets login using raj. Here after listing the
content we found proof.txt file from inside root directory. we opened it using
cat and captured the flag.
su raj
ls
cat proof.txt
0 comments:
Post a Comment