After Droopy I was advised to try this one. Created by Kooksec – Thanks!
A lot of soul searching went on in this one. A lot of reading and doing it in between life tasks so it took me all weekend really.
A standard nmap scan throws up nothing but port 22 open (SSH). I tried so many variations of nmap scans to get past “All ports are open|filtered” I probably should have just tried logging into SSH.
Funnily enough I had just tried a VM that involved port knocking. Simple CTF I think it was. All ports were filtered too. Thought I’d hit it hard on this one.
I had to do some digging around for a few hours on Port Knocking.I created a bash script to automate port knocking using Hping3
Knocked on ports 1,2 & 3 from the hint in the SSH banner “Easy as 1,2, 3” I did try 80, 8080 & 9090 as they are usual VM ports. Not this time.
Logging on to the webpage gives us this.
Nothing of note here.
Viewing the source of the page reveals an images folder.
Naturally we want to check that there’s a robots.txt file.
What’s this? Lets view source again to see what else we can find.
I’ve done a lot of lower level CTF’s and they always use base64 to fool people. Let’s convert it.
echo “THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh” | base64 –decode
Ok, lets do the same. Now we’re getting somewhere!!
Looks like a useful link
YAAY a login page!!
Basic SQLi injection didn’t work. Lets go to the trusty SQLmap and pull a request from Burpsuite like we did in a previous VM.
Using a saved request file from the url http://192.168.1.103:1337/978345210/index.php We can see what the DB type is.
I should note at this point that any SQLMap scan done on this site will be done under time based conditions. This means that it checks each character of the name of any DB or table and if it’s true it’ll wait a certain amount of time to try the next one. This varied in my tests. Most amount of time was 5 seconds. It took 10 mins to get this far.
The DB seems to be MySql and we’ve found the DB name, so lets dump the DB.
The resulting information from the command.
It looks like we’re flying along nicely.
I tried to SSH into the server using all those accounts and only the ‘smeagol’ account would allow me in. However, we’re running as a normal user. I tried running an earlier priv esc exploit from another VM, however, that was unsuccessful
I needed to find out how to get to a root account. In an earlier scan to find the name of the DB I came across another DB name ‘mysql’ I suspected a system DB default to the server. Lets see what’s in it.
Interested in the result here
Lets try and pull the details from the user table.
Of course everything we do is based on a time based attack so everything is working slowly.
I ran the command
This ran for a bit but seeing as I seen the results for columns User & Password I canceled the scan and tried to hit those directly.
Again this takes time to run on a time based attack. You can let SQLmap run it’s own polling interval. It’s worthwhile to let this do it to save on errors.
After a while things start to look good again. We’ve found the root user but with hashed passwords.
You get the option to crack the password hashes with SQLmap. I hit Yes to this. It ran pretty quick and found what I was after.
We’ve found the ROOT password. ‘darkshadow’
I tried logging in over SSH with this, however, I got ACCESS DENIED. Crikey!!! That would have been too easy. It then dawned on me that this was not going to be that easy.
I floated around the net for a bit looking for hints. I touched a few walkthroughs that to be honest didn’t make much sense. Probably because I came in from a different angle.
I logged into MySql with the ROOT user I found in the other DB. I got in. Now what? Loads of other people were using their own scripts in Python and C, to do things with the SQL DB while logged in as ROOT however, I didn’t really understand all that yet. Bit above my level.
A few people mentioned in their blogs that there was an exploit available for priv esc in MySQL if MySQL was running as ROOT. I Googled around for a bit and found the information below.
I admit I didn’t understand it at first from the site above. I sat for most of the day trying to get my head around it. They gave you clear instructions on how to do it, however, I don’t blindly just follow things I read on the net. An old Sysadmin thing I’ve yet to shake off.
Needless to say I followed this exploit to the letter and I was able to get root and find the flag. This VM probably was above what I’m learning at the moment, but, I wanted to give it a try.
I think it’s important to understand what you are running. From what I can gather, MySql was running as root so we inserted a shared function into a new database. Run it as root and get shell on the server. (In essence)
I haven’t completed the whole write-up for this, purely because after I found the root accounts, I felt like it was done by way of following a tutorial that someone else made. Yes I learned a lot, however, in the last post I fought hard filling in the blanks to find the goal to the end. This one felt odd when I found the flag. I had to go over it a few times and It’s still a little hazy to say the least.
Maybe this one was a tad more than I know just now, and that’s ok. It happens. In fairness I really don’t like using automated tools like SQLMap and Metasploit. I feel very disconnected from the test. I think in this case it was helpful to use SQLMap for such a complex query to cut done on time taken.
Never mind, onto the next one!!
Thanks again to Vulnhub for hosting VM’s in such a great environment for learning.