Whitelist: HackDay: Albania

HACKDAY: ALBANIA

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine HackDay Albania

- HackDay Albania can be downloaded from here:

https://www.vulnhub.com/entry/hackday-albania,167/

- Once downloaded Albania and extracted with VirtualBox:

2 - ENUMERATION

- The IP for Albania is 192.168.1.21:

- Scanning with Nmap there are just two open ports, 22 for SSH and 8008 for HTTP:

- Connecting to the web server at port 8008:

- Google Translate helps us with Albanian language:

- Viewing the source, there is also another message in Albanian, telling us that this is not the right directory to search for information:

- Launching nikto against the web server at port 8008 we discover that there are 26 possible directories, all of them listed at robots.txt:

..................

- Going directly to robots.txt:

- All of the directories (except one) answer back with the same image:

- The translation of the message is doubtful:

- However, when going to unisxcudkqjydw the answer is quite different:

- Trying a possible vulnbank directory:

- Clicking client, finally we find something valuable like a login form:

3 - SQL INJECTION ATTACK

- It is immediate to check that the login form is vulnerable to some type of SQL injection attack, just by entering a quotation mark ('):

- Trying different SQL injections ... the result is invalid:

- Thinking on the fact that MYSQL queries are finished with ; and comments with #

https://www.techonthenet.com/mysql/comments.php

- Let's try this input injection:

- It works and the SQL injection is successful:

- Let's notice the interesting option of uploading files:

4 - REMOTE SHELL WITH WEBSHELL

- Let's try uploading a simple text file:

- The server says that only image files (jpg, jpeg, bmp, ...) are allowed:

- There is a list available of uploaded files:

- Now, why not uploading a webshell with the purpose of getting a remote shell? For instance, let's copy php-reverse-shell.php to the working local directory:

- Renaming to .jpeg extension:

- Adapting the webshell to our needs:

- Setting a listening Netcat session on port 4444:

- Uploading php-reverse-shell-php.jpeg:

- The upload is now successful:

- To run the webshell just click View Ticket:

- As a consequence a remote shell is achieved:

5 - PRIVILEGE ESCALATION BY EDITING /etc/passwd

- Finding a writable file we discover that /etc/passwd can be modified because it is "world writable":

- We can take advantage of this circumstance in two ways:

1) modifying an existing user's credentials
2) creating a new user with root privileges

5.1) modifying an existing user's credentials

- For instance let's focus our attention on the user taviso:

- Openssl helps creating an encrypted MD5 salted password, for instance being hello the salt and bye the password:

- Now, we must combine the /etc/passwd entry for user taviso and the recently created salted password, just replacing the x in this way:

- Creating a new file passwd by replacing the taviso entry of /etc/passwd with the last line of previous picture:

- Transferring passwd to Albania:

- Once the transfer is successful passwd is copied to /etc/passwd:

- Finally, SSH-ing to albania with new credentials taviso:bye

- Checking sudoer privileges we discover that taviso is able to run ALL commands:

- Getting a root shell:

- Also, instead of SSH-ing it could be possible to follow this procedure:

5.2) creating a new user with root privileges

- Using again openssl:

- Adding an entry for a new user whitelist and following the procedures in a similar way than 5.1 a), finally we have an /etc/passwd like this: