Posted in Penetration Testing, web app testing

Lord of the Root VM – Vulnhub

Lord of the Root VM – Vulnhub

After Droopy I was advised to try this one. Created by Kooksec – Thanks!

A lot of soul searching went on in this one. A lot of reading and doing it in between life tasks so it took me all weekend really.

A standard nmap scan throws up nothing but port 22 open (SSH). I tried so many variations of nmap scans to get past “All ports are open|filtered” I probably should have just tried logging into SSH.

SSH

Funnily enough I had just tried a VM that involved port knocking. Simple CTF I think it was. All ports were filtered too. Thought I’d hit it hard on this one.

I had to do some digging around for a few hours on Port Knocking.I created a bash script to automate port knocking using Hping3

Knocked on ports 1,2 & 3 from the hint in the SSH banner “Easy as 1,2, 3” I did try 80, 8080 & 9090 as they are usual VM ports. Not this time.

nmap

Logging on to the webpage gives us this.

webPic

Nothing of note here.

Viewing the source of the page reveals an images folder.

imagesDir

Naturally we want to check that there’s a robots.txt file.

404IMG

What’s this? Lets view source again to see what else we can find.

404TxT

I’ve done a lot of lower level CTF’s and they always use base64 to fool people. Let’s convert it.

echo “THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh” | base64 –decode

1base64

Ok, lets do the same. Now we’re getting somewhere!!

2base64

Looks like a useful link

webLogin

YAAY a login page!!

Basic SQLi injection didn’t work. Lets go to the trusty SQLmap and pull a request from Burpsuite like we did in a previous VM.

Using a saved request file from the url http://192.168.1.103:1337/978345210/index.php We can see what the DB type is.

I should note at this point that any SQLMap scan done on this site will be done under time based conditions. This means that it checks each character of the name of any DB or table and if it’s true it’ll wait a certain amount of time to try the next one. This varied in my tests. Most amount of time was 5 seconds. It took 10 mins to get this far.

WebappDB

The DB seems to be MySql and we’ve found the DB name, so lets dump the DB.

WebappDump

The resulting information from the command.

DBenum

It looks like we’re flying along nicely.

I tried to SSH into the server using all those accounts and only the ‘smeagol’ account would allow me in. However, we’re running as a normal user. I tried running an earlier priv esc exploit from another VM, however, that was unsuccessful

I needed to find out how to get to a root account. In an earlier scan to find the name of the DB I came across another DB name ‘mysql’ I suspected a system DB default to the server. Lets see what’s in it.

mysqlDBenum

Interested in the result here

mysqlTBLenum

Lets try and pull the details from the user table.

Of course everything we do is based on a time based attack so everything is working slowly.

I ran the command

mysqlTBLdump

This ran for a bit but seeing as I seen the results for columns User & Password I canceled the scan and tried to hit those directly.

 

mysqlUserPassworddump

Again this takes time to run on a time based attack. You can let SQLmap run it’s own polling interval. It’s worthwhile to let this do it to save on errors.

mysqlUPdumpResult

After a while things start to look good again. We’ve found the root user but with hashed passwords.

You get the option to crack the password hashes with SQLmap. I hit Yes to this. It ran pretty quick and found what I was after.

crackedHashes

We’ve found the ROOT password. ‘darkshadow’

I tried logging in over SSH with this, however, I got ACCESS DENIED. Crikey!!! That would have been too easy. It then dawned on me that this was not going to be that easy.

I floated around the net for a bit looking for hints. I touched a few walkthroughs that to be honest didn’t make much sense. Probably because I came in from a different angle.

loginMySql

I logged into MySql with the ROOT user I found in the other DB. I got in. Now what? Loads of other people were using their own scripts in Python and C, to do things with the SQL DB while logged in as ROOT however, I didn’t really understand all that yet. Bit above my level.

A few people mentioned in their blogs that there was an exploit available for priv esc in MySQL if MySQL was running as ROOT. I Googled around for a bit and found the information below.

Gaining Root Shell using MySql User Defined Functions

I admit I didn’t understand it at first from the site above. I sat for most of the day trying to get my head around it. They gave you clear instructions on how to do it, however, I don’t blindly just follow things I read on the net. An old Sysadmin thing I’ve yet to shake off.

Needless to say I followed this exploit to the letter and I was able to get root and find the flag. This VM probably was above what I’m learning at the moment, but, I wanted to give it a try.

Flag found!

Flag

I think it’s important to understand what you are running. From what I can gather, MySql was running as root so we inserted a shared function into a new database. Run it as root and get shell on the server. (In essence)

Summary

I haven’t completed the whole write-up for this, purely because after I found the root accounts, I felt like it was done by way of following a tutorial that someone else made. Yes I learned a lot, however, in the last post I fought hard filling in the blanks to find the goal to the end. This one felt odd when I found the flag. I had to go over it a few times and It’s still a little hazy to say the least.

Maybe this one was a tad more than I know just now, and that’s ok. It happens. In fairness I really don’t like using automated tools like SQLMap and Metasploit. I feel very disconnected from the test. I think in this case it was helpful to use SQLMap for such a complex query to cut done on time taken.

Never mind, onto the next one!!

Thanks again to Vulnhub for hosting VM’s in such a great environment for learning.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s