Friday, December 7, 2018
HackDay: Albania
HACKDAY: ALBANIA
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine HackDay Albania
- HackDay Albania can be downloaded from here:
https://www.vulnhub.com/entry/hackday-albania,167/
- Once downloaded Albania and extracted with VirtualBox:
2 - ENUMERATION
- The IP for Albania is 192.168.1.21:
- Scanning with Nmap there are just two open ports, 22 for SSH and 8008 for HTTP:
- Connecting to the web server at port 8008:
- Google Translate helps us with Albanian language:
- Viewing the source, there is also another message in Albanian, telling us that this is not the right directory to search for information:
- Launching nikto against the web server at port 8008 we discover that there are 26 possible directories, all of them listed at robots.txt:
..................
- Going directly to robots.txt:
- All of the directories (except one) answer back with the same image:
- The translation of the message is doubtful:
- However, when going to unisxcudkqjydw the answer is quite different:
- Trying a possible vulnbank directory:
- Clicking client, finally we find something valuable like a login form:
3 - SQL INJECTION ATTACK
- It is immediate to check that the login form is vulnerable to some type of SQL injection attack, just by entering a quotation mark ('):
- Trying different SQL injections ... the result is invalid:
- Thinking on the fact that MYSQL queries are finished with ; and comments with #
https://www.techonthenet.com/mysql/comments.php
- Let's try this input injection:
- It works and the SQL injection is successful:
- Let's notice the interesting option of uploading files:
4 - REMOTE SHELL WITH WEBSHELL
- Let's try uploading a simple text file:
- The server says that only image files (jpg, jpeg, bmp, ...) are allowed:
- There is a list available of uploaded files:
- Now, why not uploading a webshell with the purpose of getting a remote shell? For instance, let's copy php-reverse-shell.php to the working local directory:
- Renaming to .jpeg extension:
- Adapting the webshell to our needs:
- Setting a listening Netcat session on port 4444:
- Uploading php-reverse-shell-php.jpeg:
- The upload is now successful:
- To run the webshell just click View Ticket:
- As a consequence a remote shell is achieved:
5 - PRIVILEGE ESCALATION BY EDITING /etc/passwd
- Finding a writable file we discover that /etc/passwd can be modified because it is "world writable":
- We can take advantage of this circumstance in two ways:
1) modifying an existing user's credentials
2) creating a new user with root privileges
5.1) modifying an existing user's credentials
- For instance let's focus our attention on the user taviso:
- Openssl helps creating an encrypted MD5 salted password, for instance being hello the salt and bye the password:
- Now, we must combine the /etc/passwd entry for user taviso and the recently created salted password, just replacing the x in this way:
- Creating a new file passwd by replacing the taviso entry of /etc/passwd with the last line of previous picture:
- Transferring passwd to Albania:
- Once the transfer is successful passwd is copied to /etc/passwd:
- Finally, SSH-ing to albania with new credentials taviso:bye
- Checking sudoer privileges we discover that taviso is able to run ALL commands:
- Getting a root shell:
- Also, instead of SSH-ing it could be possible to follow this procedure:
5.2) creating a new user with root privileges
- Using again openssl:
- Adding an entry for a new user whitelist and following the procedures in a similar way than 5.1 a), finally we have an /etc/passwd like this:
- whitelist is ready to start his login session:
- Improving the shell:
- Now it works, we check that we have successfully added a new user with root privileges:
6 - CAPTURING THE FLAG
- Going to the /root folder we can read flag.txt:
- Translating flag.txt from Albanian:
- About the last string: