Friday, December 7, 2018

HackDay: Albania


HACKDAY: ALBANIA

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine HackDay Albania

HackDay Albania can be downloaded from here:

https://www.vulnhub.com/entry/hackday-albania,167/


- Once Albania is downloaded and imported into VirtualBox:





2 - ENUMERATION

- The IP for Albania is 192.168.1.21:







- Scanning with Nmap there are just two open ports, 22 for SSH and 8008 for HTTP:





- Connecting to the web server at port 8008:






- Google Translate helps us with Albanian language:





- Viewing the source, there is also another message in Albanian, telling us that this is not the right directory to search for information:









- Launching Nikto against the web server on port 8008, we discover 26 possible directories, all of them listed in robots.txt:







- Going directly to robots.txt:





- All of the directories (except one) answer back with the same image:





- The translation of the message is ambiguous:





- However, when going to unisxcudkqjydw the answer is quite different:







- Trying a possible vulnbank directory:




- Clicking client, we finally find something valuable: a login form:






3 - SQL INJECTION ATTACK

- It is immediately apparent that the login form is vulnerable to some type of SQL injection attack, just by entering a single quotation mark ('):








- Trying different SQL injections, the result is still invalid:











- Bearing in mind that MySQL statements are terminated with ; and comments begin with #:


https://www.techonthenet.com/mysql/comments.php


- Let's try this input injection:





- It works and the SQL injection is successful:
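
The behaviour seen in this section (a lone quotation mark producing a database error, and a quote followed by a comment marker turning the login check into a true condition) comes from building the query by string concatenation. The following is an added example, not code from the walkthrough or from the HackDay Albania application: it shows a constructed login check in its vulnerable form next to the parameterised form that fixes it. The user table, the taviso/s3cret credentials and the use of SQLite (whose comment marker is `--`, while MySQL also accepts the `#` used above) are assumptions made so that the example runs offline.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's user table (not the VM's schema).
    A real application would store a password hash here, but that does not change
    the injection point, which is how the query text is assembled."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('taviso', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: quotes and comment markers in the
    input become part of the SQL, which is exactly what the login form above does."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with a parameterised query: the driver passes the values apart
    from the SQL text, so a quote or comment marker is just data to compare."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def probe(login, conn, username, password):
    """Classify the outcome the way a tester reads the web page: 'ok' (logged in),
    'denied', or 'error' (the database rejected malformed SQL)."""
    try:
        return "ok" if login(conn, username, password) else "denied"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    conn = make_db()
    for user, pw in [("taviso", "s3cret"), ("'", ""), ("' OR 1=1 -- ", "anything")]:
        print(repr(user),
              "vulnerable:", probe(login_vulnerable, conn, user, pw),
              "safe:", probe(login_safe, conn, user, pw))
```

Run stand-alone, the vulnerable function reports "error" for the bare quote (the symptom observed above) and "ok" for the comment-terminated input, while the parameterised function reports "denied" for both and only "ok" for the real credentials.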




- Let's notice the interesting option of uploading files:






4 - REMOTE SHELL WITH WEBSHELL


- Let's try uploading a simple text file:




- The server answers that only image files (jpg, jpeg, bmp, ...) are allowed:





- There is a list available of uploaded files:




- Now, why not upload a webshell in order to get a remote shell? For instance, let's copy php-reverse-shell.php to the local working directory:




- Renaming it with a .jpeg extension:



- Adapting the webshell to our needs:





- Setting a listening Netcat session on port 4444:



- Uploading php-reverse-shell-php.jpeg:




- The upload is now successful:






- To run the webshell just click View Ticket:





- As a consequence a remote shell is achieved:
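
The upload handler above accepts a PHP file simply because its name ends in .jpeg, and the View Ticket page then executes it. As an added example (not code from the walkthrough or from the vulnerable application), the following constructed validator checks the bytes of the upload against real image format signatures as well as the extension, and replaces the client-supplied name with one chosen by the server. The allowed-extension list is taken from the server's message above; the signatures are the standard JPEG, PNG, BMP and GIF headers.

```python
import os
import secrets

# Extensions the server above says it accepts. Checking only this is what let
# a renamed php-reverse-shell.php through.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "bmp", "gif"}

# Leading bytes of the common image formats (standard format signatures).
IMAGE_SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"BM", "bmp"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]


def sniff_image_type(data):
    """Return the image format implied by the file's first bytes, or None."""
    for signature, kind in IMAGE_SIGNATURES:
        if data.startswith(signature):
            return kind
    return None


def validate_upload(filename, data):
    """Check the client-supplied name *and* the content. Returns (accepted, reason)."""
    name = os.path.basename(filename)          # drop any directory components
    if "." not in name:
        return False, "no extension"
    ext = name.rsplit(".", 1)[1].lower()       # only the last extension counts
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    if ext == "jpg":
        ext = "jpeg"
    if kind != ext:
        return False, f"content is {kind} but extension says {ext}"
    return True, kind


def storage_name(kind):
    """Server-chosen file name: the client never decides what is written to disk."""
    return f"{secrets.token_hex(16)}.{kind}"


if __name__ == "__main__":
    # Constructed inputs: a PHP stand-in renamed like the walkthrough's upload,
    # a minimal JPEG header, and a plain text file.
    samples = [
        ("php-reverse-shell.jpeg", b"<?php /* constructed webshell stand-in */ ?>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("notes.txt", b"hello"),
    ]
    for name, data in samples:
        print(name, "->", validate_upload(name, data))
```

A signature check alone does not stop a polyglot (a valid JPEG carrying PHP in a comment segment), so the decisive control is the one this machine lacks: files in the upload directory must never be handed to the PHP interpreter, whether by serving them from outside the web root, disabling the script handler for that directory, or both.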







5 - PRIVILEGE ESCALATION BY EDITING /etc/passwd

- Searching for writable files, we discover that /etc/passwd can be modified because it is "world writable":









- We can take advantage of this circumstance in two ways:


1) modifying an existing user's credentials
2) creating a new user with root privileges


5.1) modifying an existing user's credentials

- For instance let's focus our attention on the user taviso:





- OpenSSL helps to create a salted MD5 password hash, for instance with hello as the salt and bye as the password:



- Now, we must combine the /etc/passwd entry for user taviso with the newly created salted hash, replacing the x in this way:




- Creating a new file passwd by replacing the taviso entry of /etc/passwd with the last line of the previous picture:




- Transferring passwd to Albania:








- Once the transfer is successful, passwd is copied over /etc/passwd:






- Finally, SSH-ing to Albania with the new credentials taviso:bye:



- Checking sudo privileges, we discover that taviso is able to run ALL commands:




- Getting a root shell:





- Alternatively, instead of SSH-ing, it would be possible to follow this procedure:






5.2) creating a new user with root privileges

- Using again openssl:




- Adding an entry for a new user whitelist and following the same procedure as in 5.1), we finally have an /etc/passwd like this:





- whitelist is ready to start a login session:




- Improving the shell:




- Now that it works, we check that we have successfully added a new user with root privileges:
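
Both variants in this section leave the same traces: a password hash sitting in /etc/passwd where an x (pointing to /etc/shadow) should be, an extra UID 0 account, and the world-writable mode that made the edit possible. As an added example (not code from the walkthrough), the following constructed audit looks for exactly those three conditions. The sample passwd content is constructed to mirror 5.1 and 5.2, and the hash value in it is a placeholder, not a real crypt(3) digest.

```python
import os
import stat
import tempfile

# Constructed /etc/passwd content mirroring section 5: an existing user whose
# "x" was replaced by a hash, and an added UID 0 account. The hash is a
# placeholder, not a real digest.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
taviso:$1$hello$CONSTRUCTEDHASH:1000:1000:taviso:/home/taviso:/bin/bash
whitelist:$1$hello$CONSTRUCTEDHASH:0:0:whitelist:/root:/bin/bash
"""


def audit_passwd_entries(text):
    """Flag entries that point to tampering: a hash where 'x' (shadowed) is
    expected, an empty password field, or a UID 0 account other than root."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(f"{name}: empty password field (login without password)")
        elif pw != "x" and not pw.startswith(("*", "!")):
            findings.append(f"{name}: password hash stored in passwd instead of shadow")
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
    return findings


def audit_passwd_mode(path):
    """Flag the permission problem the walkthrough exploits: others can write the file."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    return findings


def demo():
    """Write the sample to a temp file with the bad mode and audit both aspects."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix="-passwd") as f:
        f.write(SAMPLE_PASSWD)
        path = f.name
    os.chmod(path, 0o666)           # the "world writable" state found on the VM
    try:
        return audit_passwd_mode(path) + audit_passwd_entries(SAMPLE_PASSWD)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host the same two functions can be pointed at /etc/passwd itself (`audit_passwd_mode("/etc/passwd")` and `audit_passwd_entries(open("/etc/passwd").read())`); on a healthy system both return empty lists, since every password field should be x and only root should have UID 0.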





6 - CAPTURING THE FLAG


- Going to the /root folder, we can read flag.txt:



- Translating flag.txt from Albanian:





- About the last string: