Saturday, February 2, 2019

Europa


EUROPA

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Europa, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

- Europa's IP is 10.10.10.22:




- Scanning with Nmap:




- Going deeper with the scanning:




- So there are two domains that should be added to the /etc/hosts file:





- sslyze is also able to find both domains:


- Connecting to admin.portal we have a Login form:






3 - EXPLOITATION

- The exploitation process consists of two steps:

3.1 - Database exploitation

- Let's start by using sqlmap to exploit any potential database at Europa:

- sqlmap has several options that can be used, for instance:


- Launching sqlmap against Europa's administrator portal we find two databases:






- Going deeper into the admin database and dumping all available information:






- Decrypting the password, which is the same for both users:




- Now we can log in successfully to the admin-portal console with admin's email and his password SuperSecretPassword!





3.2 - PHP code exploitation

- Once logged in, the Dashboard has a Tools tab:





- Going to Tools we find a VPN generator script:





- Intercepting the VPN generation with Burp:







- So there is a parameter called pattern, which is used by the preg_replace PHP function in this way:





- One of the modifiers is the /e feature, which has been deprecated in later versions of PHP because of the vulnerabilities associated with it:


- As said before, the modifier e is the origin of this vulnerability:




- Here is another interesting explanation about this vulnerability:


http://www.madirish.net/402


- So basically what modifier e does is to evaluate the subsequent string as PHP code.
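- As an added illustration (not the portal's own code), here is the shape of that defect next to a hardened version. The function names, the ##IP## placeholder token and the request fields are assumptions:

```php
<?php
// Added example, not the Europa portal's code. It reconstructs the shape of the
// bug described above: the request supplies the whole regex, so it also supplies
// the modifiers, and a trailing "e" makes preg_replace() eval() the replacement.

// Vulnerable shape (PHP 5.x). The defect is that $pattern, delimiters and
// modifiers included, comes straight from the client.
// On PHP 5.5/5.6 the /e modifier still works but raises E_DEPRECATED; on PHP 7+
// preg_replace() refuses it, emits a warning and returns NULL.
function generate_vpn_config_vulnerable($pattern, $ip, $template)
{
    // Assumed to mirror the original handler: pattern and replacement are request fields.
    return preg_replace($pattern, $ip, $template);
}

// Hardened version: the server owns the pattern; the client only supplies data,
// which is validated before use and never interpreted as code or as a regex.
function generate_vpn_config_safe($ip, $template)
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('ipaddress must be a valid IP address');
    }
    // Fixed placeholder token (an assumption); preg_quote() escapes it so it can
    // never be read as regex syntax, and the delimiter is chosen here, not by the client.
    $pattern = '/' . preg_quote('##IP##', '/') . '/';

    // preg_replace_callback() is the replacement PHP recommends for /e: the logic
    // runs in a real closure instead of a string handed to eval().
    $result = preg_replace_callback($pattern, function ($match) use ($ip) {
        return $ip;
    }, $template);

    if ($result === null) {
        throw new RuntimeException('regex failure, preg error code ' . preg_last_error());
    }
    return $result;
}

// Constructed sample template, standing in for the portal's OpenVPN template.
$template = "client\nremote ##IP## 1194\nproto udp\n";
echo generate_vpn_config_safe('10.10.14.3', $template);
```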

- We can take advantage of this circumstance to control the user input by adding the e modifier to the pattern parameter:




- Sending the request to Burp's Repeater, let's try to read /etc/passwd:


- Now, creating a reverse shell payload with Msfvenom:




- Encoding as URL format:






- Adding to Burp request:




- Setting a listener session:




- Finally, sending the request from the Burp Repeater we get a reverse shell connection:







- Improving the shell:





- The current user is www-data:





4 - CAPTURING THE 1st FLAG

- Reading user.txt:





5 - PRIVILEGE ESCALATION

- Looking at the cron jobs, there is a task called clearlogs that root runs every minute, which makes it an interesting target for exploitation:




- Reading clearlogs:




- So what we need to do is replace the content of logcleared.sh with a payload of our choice.

- By the way, logcleared.sh does not even exist at the moment, so it must be created from scratch:




- Msfvenom comes to our help again, now using a different port than before:




- Setting a listener session at port 6666:





- Echoing the exploit to logcleared.sh:





- The script is successfully created:




- Making the script executable:




- Now, if we don't wait for the cron period and run the script ourselves, the shell is spawned by www-data (not by root), so we only get a low-privilege shell:


- However, after closing that session, starting a new listener, and waiting for the cron job to run logcleared.sh as root, we finally get a reverse root shell:





6 - READING THE 2nd FLAG

- Reading root.txt: