Saturday, February 25, 2017

Nightmare on Wallaby Street - Vulnhub Walkthrough

Here we are again doing some friday night hacking! I haven't posted in awhile (been crazy busy) so I wanted to unwind and relax with a good vulnhub box. I decided I'd work on Wallaby's: Nightmare. Let's dive right in.



This is the first page you see on the web server. Is this part of the CTF?


I decided to enter my name and see what happens...


Alright, well looking at the top of the page, it looks like it could have a LFI vulnerability. So, let's check...


Yup, definitely does, we can get /etc/passwd....can we get /etc/shadow?


DAMMIT. Ok, well...onto the next steps...Let's check the network scan again.


Looks like there is an open TCP port on 60080 (possibly HTTP because it ends with 80?) As you can see above based on poorly timed screenshots on my part, we found the new webserver.


After running dirbuster and getting nothing, I tried using the same path as the previous webserver and look! The same LFI vulnerability still exists!


Let's poke around the system and see what we can find...lol...I got banned...



So, now it's time to brute force this page parameter. I decided to use dirb and the syntax was super nice. The command I ran was: "dirb http://192.168.6.140:60080/?page= /usr/share/dirb/wordlists/big.txt" (no quotes). It returned the following pages.


And now we check them out! The contact page gives us a fake email address, the home and index page is the same home page, cgi-bin/ didn't work, and blacklist is the banned page I showed you earlier. The mailer page seems to hold some valuable information thought (in the comments).



Let's try these parameters in the HTML comment.




Oh hello there command injection! I messed around with the mail <name> "test" input and tried LFI (not seen above) and finally tried command injection and it worked. Let's use this to get a shell on the box. Using the php reverse shell provided by pentestmonkey on kali (/usr/share/webshells/php/php-reverse-shell.php) I was able to get a limited privilege shell on the target.



After a bit of research on the machine looking for privilege escalation opportunities, I found that sudo -l gave www-data opportunities to act as waldo using Iptables. 



So, let's see what we have to play with in Iptables. It looks like there is a rule preventing us from talking to ircd and if we remember from our port scan, port 6667 was filtered. So, now that we've deleted that rule, let's try and interact with the port.



We know port 6667 is IRC and we found an irssi script in waldo's home directory. So I installed irssi and used it to connect to the victim system. 




So now, we're going to play around on this irc chat and see what happens. We found a '/list' command that showed there is one chat room called 'wallabyschat' and we used '/join wallabyschat' to join that chat room.



It looks like wallaby has a bot in here. I don't remember seeing that on the box, so I'm going to go look back there again. After doing a quick search on the internet for IRC bots and searching in wallaby's home folder, I found the answer. Sopel.



Looking in the modules directory we find a run.py module. It seems to allow us to run commands in the irc chat, but only if we're Waldo. 


As expected, we're not waldo and we aren't able to run commands. I apologize for the next section, I went through without taking screenshots so, you'll have to excuse the lack of pictures while I explain what needed to be done to be able to be waldo.

If you recall from the sudo listing, we could access iptables, but we could also access vim with a certain document. The certain document is important to allow anyone to use the sudo command, but there is nothing in the document we need to change. Vim has a feature that allows us to execute commands using :!<command>. So, we find the process that is running tmux from the irssi.sh script and we kill it. I believe it was 790, but don't quote me on it. After we kill that process, we are able to change our nickname on the irc chat to waldo and thus run commands.

Here we can see that the .run command worked in the irc chat.


Next we set up a local listener and use the python reverse shell to get a shell on the box as wallaby. We simply put the python command in the irc chat and catch the reverse shell connection with netcat and we're good to go!


Sudo seems to be part of this challenge so let's check the sudo permissions as wallaby.


Wallaby can use sudo with no password to do anything it wants, so we are basically done! We run one command to officially get us root and we can cat the flag. We run 'sudo su root' and enjoy our new root shell.


Now with our root shell, we cd to /root and cat the flag.txt and thus we are done!


This was a fun challenge and I really like the use of IRC to facilitate the privilege escalation. Thanks for writing it and I look forward to the second part!