Saturday, January 14, 2017

Hackday: Albania Walkthrough

Here we are for a walkthrough of Hackday: Albania. After booting it up in VirtualBox, I ran an Nmap scan that listed only two open ports: SSH on 22 and a web server on 8008. So when we browse to the web server we are greeted with Mr. Robot...

I have no idea which language that is or what it says, so throwing it into Google Translate gives us: "If I am, I know where to go," and it is in Albanian. Cool.

So, I check the source and there is a comment, which I throw into Google Translate as well: "Ok, Ok, but not here." Ok, the website is trolling me, ass. Since I don't see anything useful in the source, I use DirBuster to see if there is anything else on this server. Something came back: a /js/ directory, so I navigated to the page and found this...

The translation is loosely, "Is it right or is directory jerk." So, since /js/ is a directory, I decide to recurse on the /js/ directory with DirBuster and I find /js/external/ and /js/images/. /js/external/ has a directory /jquery/ which contains jquery.js and seems to be the external copy of the jquery.js file if needed. /js/images/ has a list of icon sets in different colors. Could be something, but I'm not sure at this point. At this point, I'm kind of stuck, so I decide to use another scanner, Nikto, and holy crap, things appeared! Why? robots.txt. So I pulled it up on the web server...

A bunch of directories have been disallowed by the robots.txt file, but none of them are trivial to type by hand, so I want a tool that will scan them for me. I tried DirBuster and ZAP, but neither seemed to run searches based off a robots.txt file. So, I googled around and found wfuzz, which seemed to do the trick. I had never used wfuzz before, so I fumbled through the usage and eventually saw this in the help output...

Which seemed to be exactly what I wanted (side note: I used wget to get a local copy of the robots.txt file and locally named it robots.txt). Then the results were...

This result is weird, so let's look at it. We found a new page!

So I navigated to /uni.../vulnbank and I see there is a client folder in the vulnbank folder. Again, I follow the path and end up at the 'Very Secure Bank' client portal. Looks like some SQL injection is next. After trying some naive attempts at SQL injection, I decided that sqlmap would do this faster and better! Soooo here we go... sqlmap didn't give us great results, but it did confirm that the username field is vulnerable and that the back-end database is MySQL. A good thing to know is that MySQL uses '#' as a comment marker instead of the '--' I had been using previously. So, I tried some more naive SQL injection attempts. Nothing worked. COME ON!

Since the username field is vulnerable, I figured I'd try to brute force the username with "'#" (single quote, pound sign) appended to the end to trigger the SQL injection vulnerability. I searched Kali and Google for a good list of usernames and tried some to no avail. Finally, I resorted to the ol' faithful rockyou.txt. It worked. It found jeff and hobson as two users. So I tried both of their usernames with '# appended, and they worked!
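To show why the quote-plus-comment trick in the username field works, and what the fix looks like, here is an added example that is not part of the original post or of the VulnBank application. It stands up a constructed in-memory SQLite table (the real target was MySQL), builds the login query the insecure way by string concatenation, and then does it the right way with placeholders. SQLite does not treat '#' as a comment, so the payload below uses the equivalent '-- ' marker; on MySQL the same input with '#' behaves the same way. The table name, column names and sample passwords are assumptions made for the demo.

```python
import sqlite3

# Constructed users table standing in for the VulnBank back end (assumed schema).
SAMPLE_USERS = [("jeff", "correct horse"), ("hobson", "battery staple")]


def build_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Login as the portal apparently did it: user input pasted into the SQL text.

    A closing quote followed by a comment marker turns the rest of the WHERE
    clause, including the password check, into a comment.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with placeholders: the driver sends values separately from the
    statement, so quotes and comment markers in the input stay plain data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    # SQLite's line comment is '-- '; the post used MySQL's '#' for the same effect.
    injected = "jeff'-- "
    print("vulnerable    :", login_vulnerable(db, injected, "wrong password"))
    print("parameterized :", login_parameterized(db, injected, "wrong password"))
    print("real login    :", login_parameterized(db, "jeff", "correct horse"))
```

The parameterized version is the whole fix; no amount of input filtering on the username is an adequate substitute. Separately, the brute force with rockyou.txt that found jeff and hobson would have generated thousands of failed logins from one address, which is worth alerting on if the application logs the submitted username of each failed attempt.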

Ok, there is a submission form on the right side, so let's submit a test case and see what happens. Once we submit a test case, we see the message "After we got hacked we our allowing only image files to upload such as jpg, jpeg, bmp etc...". I haven't tried uploading an image yet, but obviously I need to! I'm going to see if I can use the PHP-shell-in-a-JPG trick to get RCE.

AAAAnd boom! Meterpreter shell.
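The portal's "image files only" rule is the kind of check that a PHP payload wrapped in a JPEG walks straight through. As an added example (not code from the post or from the VulnBank application), the following upload validator shows what the check should look like, and, just as importantly, what it still cannot do. It judges the extension allowlist against the last extension only, verifies the file starts with a known image signature, and then discards the client's filename entirely in favour of a random server-chosen name whose extension comes from the detected type. The accepted types and signature bytes are assumptions based on the formats the portal lists.

```python
import secrets

# Magic bytes for the image formats the portal says it accepts (assumed list).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",           # JPEG
    b"BM": "bmp",                     # Windows bitmap
    b"\x89PNG\r\n\x1a\n": "png",      # PNG
}
ALLOWED_EXT = {"jpg", "jpeg", "bmp", "png"}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def detect_image_type(data):
    """Return the canonical extension for the signature at the start of data, or None."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def safe_upload_name(original_name, data):
    """Validate an upload and return the name it should be stored under.

    The returned name is random and its extension is derived from the content,
    so the client controls neither where nor as what the file is written.
    """
    # Judge the last extension only, so 'shell.php.jpg' is judged on 'jpg'.
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if ext not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed: %r" % ext)
    detected = detect_image_type(data)
    if detected is None:
        raise UploadRejected("content does not start with a known image signature")
    return "%s.%s" % (secrets.token_hex(16), detected)


def is_accepted(original_name, data):
    """Convenience wrapper: True if the upload passes validation."""
    try:
        safe_upload_name(original_name, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs: a bare PHP file, a renamed PHP file, and a JPEG header
    # followed by PHP source (the shape of the trick used in the post).
    print(is_accepted("shell.php", b"<?php echo 'x'; ?>"))          # False
    print(is_accepted("shell.php.jpg", b"<?php echo 'x'; ?>"))      # False
    print(is_accepted("photo.jpg", b"\xff\xd8\xff\xe0<?php echo 'x'; ?>"))  # True
```

The third case is the important one: a file that really is a JPEG at the front but carries PHP source after the header passes every content check here, because it is a valid image. That is why the validator is not sufficient on its own. The control that actually stops the RCE is that the upload directory is never served as executable code: keep it outside the document root, or in Apache set `php_admin_flag engine off` for that directory, and serve files back through a handler that sets a fixed image Content-Type. The random filename closes the remaining gap, since the author could no longer browse to a path of their own choosing.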

Now that we have a shell, let's do some recon and escalate privs. First, I like to cat /etc/passwd and look for users...

So we found 'taviso'. I decided to also check which groups he is in, so I copied the file to my local machine and I see the following... (The meterpreter shell is not very stable, but it is easily obtainable again just by refreshing the ticket page in the web app.)

He's in the sudo group! Awesome! So, continuing my reconnaissance, I realized I had overlooked something about the /etc/passwd file... it's world-writable. what.

Well, that makes everything much easier then. I decided to add my own root user.

First, I created a password... it was 'password', as you can see. Next, I created the new user 'fabio'.

Since the file was editable, I simply said 'fabio' had a UID of 0 and a GID of 0, which means root privs!

Lastly, all I had to do was switch users to fabio...

This included getting a TTY using python3 on the system. Now that I have root privs, let's finish this challenge.
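A world-writable /etc/passwd and a second UID 0 account are both things a host audit should catch long before a CTF player does. The following is an added example, not part of the original post, of a small check that parses the passwd file, lists every UID 0 account other than root, flags entries whose password field holds a hash inline instead of the 'x' that defers to /etc/shadow (how the 'fabio' line in the post was most likely written), and tests the file mode for the world-writable bit. The sample file contents are constructed for the demo, and the hash value in them is a placeholder, not a real hash.

```python
import os
import stat

# Constructed sample of what the box's /etc/passwd might look like after the
# post's changes; the fabio hash is a placeholder, not a real crypt string.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
taviso:x:1000:1000:taviso,,,:/home/taviso:/bin/bash
fabio:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0::/root:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        try:
            entries.append({"name": name, "pw": pw, "uid": int(uid),
                            "gid": int(gid), "home": home, "shell": shell})
        except ValueError:
            continue  # non-numeric uid/gid: not a valid entry
    return entries


def uid0_accounts(text):
    """Names of all accounts that resolve to UID 0 (root-equivalent)."""
    return sorted(e["name"] for e in parse_passwd(text) if e["uid"] == 0)


def rogue_superusers(text):
    """UID 0 accounts other than root; on a normal Linux host this list is empty."""
    return [n for n in uid0_accounts(text) if n != "root"]


def inline_password_hashes(text):
    """Accounts whose password field is neither 'x' nor a lock marker.

    A hash placed directly in /etc/passwd bypasses /etc/shadow entirely, which is
    exactly what a writable passwd file lets an attacker do.
    """
    return [e["name"] for e in parse_passwd(text)
            if e["pw"] not in ("x", "*", "!", "")]


def is_world_writable(mode):
    """True if the 'other' write bit is set in a stat mode value."""
    return bool(mode & stat.S_IWOTH)


def audit_passwd_file(path="/etc/passwd"):
    """Run all checks against a real file and return a list of finding strings."""
    findings = []
    st = os.stat(path)
    if is_world_writable(st.st_mode):
        findings.append("%s is world-writable (mode %o)" % (path, st.st_mode & 0o777))
    with open(path) as fh:
        text = fh.read()
    for name in rogue_superusers(text):
        findings.append("extra UID 0 account: %s" % name)
    for name in inline_password_hashes(text):
        findings.append("password hash stored inline for: %s" % name)
    return findings


if __name__ == "__main__":
    print("UID 0 accounts  :", uid0_accounts(SAMPLE_PASSWD))
    print("rogue superusers:", rogue_superusers(SAMPLE_PASSWD))
    print("inline hashes   :", inline_password_hashes(SAMPLE_PASSWD))
    print("0o666 writable? :", is_world_writable(0o666))
    print("0o644 writable? :", is_world_writable(0o644))
```

Running `audit_passwd_file()` on a real host needs only read access to /etc/passwd, so it can run from an unprivileged monitoring account. The fix for the root cause on the box itself is a one-liner the audit would then confirm: `chmod 644 /etc/passwd`.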

There we go. I hope this helped you out! I realize there are many walkthroughs for this challenge, and I hope mine gave you something you might not have received elsewhere while you were learning from it. Full Disclosure: I had issues with meterpreter and getting the 'shell' command running inside of meterpreter because the VM had run out of memory. If you find you're running into a similar issue, try restarting the VM and it should fix that issue.

-Hack Responsibly. Hack Professionally.
