HACKDAY: ALBANIA
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine HackDay Albania
- HackDay Albania can be downloaded from here:
https://www.vulnhub.com/entry/hackday-albania,167/
- Once downloaded Albania and extracted with VirtualBox:

2 - ENUMERATION
- The IP for Albania is 192.168.1.21:


- Scanning with Nmap there are just two open ports, 22 for SSH and 8008 for HTTP:

- Connecting to the web server at port 8008:

- Google Translate helps us with Albanian language:

- Viewing the source, there is also another message in Albanian, telling us that this is not the right directory to search for information:


- Launching nikto against the web server at port 8008 we discover that there are 26 possible directories, all of them listed at robots.txt:

..................

- Going directly to robots.txt:

- All of the directories (except one) answer back with the same image:

- The translation of the message is doubtful:

- However, when going to unisxcudkqjydw the answer is quite different:


- Trying a possible vulnbank directory:

- Clicking client, finally we find something valuable like a login form:

3 - SQL INJECTION ATTACK
- It is immediate to check that the login form is vulnerable to some type of SQL injection attack, just by entering a quotation mark ('):


- Trying different SQL injections ... the result is invalid:



- Thinking on the fact that MYSQL queries are finished with ; and comments with #
https://www.techonthenet.com/mysql/comments.php
- Let's try this input injection:

- It works and the SQL injection is successful:

- Let's notice the interesting option of uploading files:

4 - REMOTE SHELL WITH WEBSHELL
- Let's try uploading a simple text file:

- The server says that only image files (jpg, jpeg, bmp, ...) are allowed:

- There is a list available of uploaded files:

- Now, why not uploading a webshell with the purpose of getting a remote shell? For instance, let's copy php-reverse-shell.php to the working local directory:

- Renaming to .jpeg extension:

- Adapting the webshell to our needs:


- Setting a listening Netcat session on port 4444:

- Uploading php-reverse-shell-php.jpeg:

- The upload is now successful:


- To run the webshell just click View Ticket:

- As a consequence a remote shell is achieved:


5 - PRIVILEGE ESCALATION BY EDITING /etc/passwd
- Finding a writable file we discover that /etc/passwd can be modified because it is "world writable":



- We can take advantage of this circumstance in two ways:
1) modifying an existing user's credentials
2) creating a new user with root privileges
5.1) modifying an existing user's credentials
- For instance let's focus our attention on the user taviso:

- Openssl helps creating an encrypted MD5 salted password, for instance being hello the salt and bye the password:

- Now, we must combine the /etc/passwd entry for user taviso and the recently created salted password, just replacing the x in this way:

- Creating a new file passwd by replacing the taviso entry of /etc/passwd with the last line of previous picture:

- Transferring passwd to Albania:


- Once the transfer is successful passwd is copied to /etc/passwd:


- Finally, SSH-ing to albania with new credentials taviso:bye

- Checking sudoer privileges we discover that taviso is able to run ALL commands:

- Getting a root shell:

- Also, instead of SSH-ing it could be possible to follow this procedure:

5.2) creating a new user with root privileges
- Using again openssl:

- Adding an entry for a new user whitelist and following the procedures in a similar way than 5.1 a), finally we have an /etc/passwd like this:

- whitelist is ready to start his login session:

- Improving the shell:

- Now it works, we check that we have successfully added a new user with root privileges:

6 - CAPTURING THE FLAG
- Going to the /root folder we can read flag.txt:

- Translating flag.txt from Albanian:

- About the last string:
