DEVELOPMENT
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Development from the VulnHub pentesting platform.
- Development can be downloaded from here:
https://www.vulnhub.com/entry/digitalworldlocal-development,280/
- Once Development has been downloaded and imported into VMware:
2 - ENUMERATION
- netdiscover identifies Development's IP address, 192.168.1.21:
- This machine has several possible solution paths; I will stick to the one I used, which relies on the web server on port 8080 and the SSH service on port 22.
- Scanning with Nmap:
- Scanning port 8080 in more depth:
- Connecting to the web server on port 8080, we learn about html_pages:
- Browsing html_pages shows a directory listing:
- Most of those pages are just distractions, but development.html holds interesting information:
- Viewing the source, /developmentsecretpage looks like the path to follow:
- Connecting to /developmentsecretpage:
- Clicking Patrick's:
- Clicking "Click here to log out" leads to a login form:
3 - EXPLOITATION
- The login accepts any credentials, for instance abcde:abcde:
- The page shows a PHP warning about a deprecated function in slogin_lib.inc.php, which identifies the login script and leads to a known vulnerability:
- Searching for a related exploit turns up a File Disclosure / Remote File Inclusion advisory:
- Running the exploit discloses the hashed credentials of four users:
- Cracking the hashes (three of the four are recovered):
- So the new credentials are:
intern:12345678900987654321
patrick:P@ssw0rd25
qiu:qiu
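The hashes are not "decrypted" but cracked: each wordlist entry is hashed and compared with the disclosed digest. The script below is an added example, not part of the original walkthrough or the exploit it uses. It parses a constructed user:hash file in the style of the disclosed one, guesses the algorithm from the digest length (a 32-character hex string is treated as MD5, which is an assumption; the disclosed hashes themselves are not reproduced here) and runs a small wordlist against them. One record is built from a word that is not in the wordlist so the example also shows an uncracked hash.

```python
"""Dictionary attack against user:hash records disclosed by the login script.

Added example, not from the original walkthrough.  The records below are
constructed from the walkthrough's recovered plaintexts; the real disclosed
hash strings are not reproduced.  Algorithm choice by digest length is an
assumption of this tool, not a fact stated on the page.
"""
import hashlib

# Unsalted hex digest length -> candidate algorithms (assumption: 32 = MD5,
# 40 = SHA-1, 64 = SHA-256).  Salted or encoded hashes are not handled here.
ALGOS_BY_LENGTH = {32: ("md5",), 40: ("sha1",), 64: ("sha256",)}


def digest(algo: str, word: str) -> str:
    """Hex digest of `word` under `algo` (any name hashlib accepts)."""
    return hashlib.new(algo, word.encode()).hexdigest()


def candidate_algos(hexdigest: str) -> tuple:
    """Algorithms worth trying for a digest, based only on its length."""
    h = hexdigest.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return ()
    return ALGOS_BY_LENGTH.get(len(h), ())


def parse_user_hashes(text: str) -> dict:
    """Parse 'user:hash' lines (blank lines and comments are skipped)."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, h = line.partition(":")
        records[user] = h.strip().lower()
    return records


def crack_hashes(hashes: dict, wordlist) -> dict:
    """Return {user: (algo, plaintext)} for every hash a wordlist entry reproduces."""
    words = list(wordlist)
    found = {}
    for user, h in hashes.items():
        for algo in candidate_algos(h):
            match = next((w for w in words if digest(algo, w) == h), None)
            if match is not None:
                found[user] = (algo, match)
                break
    return found


# Constructed wordlist; a real run would use rockyou.txt or similar.
WORDLIST = ["123456", "password", "qiu", "P@ssw0rd25", "12345678900987654321", "admin"]

# Constructed user:hash records.  Three digests are built from the plaintexts
# recovered in the walkthrough; the fourth hashes a word absent from WORDLIST.
SAMPLE_SLOG_USERS = "\n".join([
    "intern:" + digest("md5", "12345678900987654321"),
    "patrick:" + digest("md5", "P@ssw0rd25"),
    "qiu:" + digest("md5", "qiu"),
    "admin:" + digest("md5", "not-in-the-wordlist-7f3a"),
])

if __name__ == "__main__":
    records = parse_user_hashes(SAMPLE_SLOG_USERS)
    cracked = crack_hashes(records, WORDLIST)
    for user, (algo, pw) in cracked.items():
        print(f"{user}:{pw}  ({algo})")
    print("uncracked:", ", ".join(sorted(set(records) - set(cracked))))
```

Because the algorithm is guessed from the length alone, a salted or iterated hash of the same length would simply never match; in that case the right tool is hashcat or john with the mode identified from the hash format rather than this loop.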
- SSH logins as patrick and qiu fail; the only account that works is intern:
- However, the shell is restricted (lshell): only a handful of commands are allowed:
- Following these instructions we can escape lshell and get rid of the restrictions:
4 - CAPTURING THE 1st FLAG
- Reading local.txt:
5 - PRIVILEGE ESCALATION
- User intern has no sudo privileges:
- However, user patrick's sudo privileges allow him to run editors such as vim and nano as root:
- The strategy for privilege escalation is to use one of those editors to append a line to /etc/passwd that defines a new user with UID 0, i.e. a second root account.
- First, let's create the password hash for the new user whitelist (password qwerty):
- Inserting the corresponding line at the bottom of /etc/passwd (UID and GID 0, with the hash placed directly in the password field instead of the usual "x"):
- Finally, switching to user whitelist gives a root shell:
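The following script is an added example, not part of the original walkthrough. It shows the two sides of the step above: building the seven-field /etc/passwd record for a UID 0 account, and the check a defender would run afterwards to spot such an entry (a UID 0 account other than root, a hash sitting in /etc/passwd instead of /etc/shadow, or an empty password field). The hash itself is produced outside the script, for example with `openssl passwd -6 qwerty`; the hash string embedded below is a constructed placeholder, not a real digest of "qwerty", and the sample passwd file (users, UIDs and shells) is constructed as well.

```python
"""/etc/passwd record construction and audit.

Added example, not from the original walkthrough.  FAKE_HASH and
SAMPLE_PASSWD are constructed; no real password hash is embedded.
"""
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    name: str
    passwd: str   # "x" (hash lives in /etc/shadow), a lock marker, or a hash
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def passwd_line(user: str, hash_field: str, uid: int = 0, gid: int = 0,
                home: str = "/root", shell: str = "/bin/bash") -> str:
    """Format one /etc/passwd record.  uid 0 makes the account root by another
    name; a hash in field 2 is consulted directly, bypassing /etc/shadow."""
    for value in (user, hash_field, home, shell):
        if ":" in value or "\n" in value:
            raise ValueError("field separator inside a passwd field")
    return f"{user}:{hash_field}:{uid}:{gid}:{user}:{home}:{shell}"


def parse_passwd(text: str) -> list:
    """Parse passwd-format text into PasswdEntry objects (7 colon-separated fields)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


# Password-field values that mean "no hash here": shadowed or locked.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> list:
    """Return (user, finding) pairs for entries a defender should look at."""
    findings = []
    for e in parse_passwd(text):
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "uid 0 account other than root"))
        if e.passwd == "":
            findings.append((e.name, "empty password field (passwordless login)"))
        elif e.passwd not in SHADOWED_OR_LOCKED:
            findings.append((e.name, "hash stored in /etc/passwd instead of /etc/shadow"))
    return findings


# Constructed placeholder in SHA-512-crypt layout; NOT a real hash of "qwerty".
FAKE_HASH = "$6$constructedsalt$NotARealHashOfQwerty00000000000000000000000000000000000000000000"

# Constructed sample passwd file (names and UIDs are illustrative only).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
intern:x:1001:1001:intern,,,:/home/intern:/usr/bin/lshell
patrick:x:1002:1002:patrick,,,:/home/patrick:/bin/bash
"""

if __name__ == "__main__":
    line = passwd_line("whitelist", FAKE_HASH)
    print("appended line:", line)
    for user, why in audit_passwd(SAMPLE_PASSWD + line + "\n"):
        print(f"FINDING {user}: {why}")
```

The same audit logic maps directly onto a host-monitoring rule: alert on any /etc/passwd change that adds a UID 0 entry or a second field that is neither "x" nor a lock marker, since the legitimate flow on a shadowed system never writes a hash there.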
6 - CAPTURING THE 2nd FLAG
- Reading proof.txt: