BRAVERY
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Bravery, from the VulnHub pentesting platform.
- Bravery can be downloaded from here:
- Once Bravery has been downloaded and set up in VirtualBox:
2 - ENUMERATION
- netdiscover reveals Bravery's IP, 192.168.1.26:
- Scanning with Nmap:
- There is an NFS (Network File System) server on port 2049, so the showmount command lists its exports:
- Directory /var/nfsshare is shared and we can mount it on Kali:
- Reading some of the files we don't find anything interesting:
- However, these two files seem to suggest that the string qwertyuioplkjhgfdsazxcvbnm could be a valid password:
- Entering the itinerary directory:
- Exploring david:
- Scanning port 445 deeper:
- enum4linux discovers two shared folders, anonymous and secured:
- Also, two users named david and rick:
- Accessing anonymous, we find some directories, but nothing remarkable inside them:
- Getting readme.txt:
- readme.txt describes the internal file-sharing system over SMB:
- Connecting to the secured share as user david, with password qwertyuioplkjhgfdsazxcvbnm:
- Getting all text files:
- Reading the files we discover some web pages:
- So we learn of the web pages developmentsecretpage, devops, genevieve and also directortestpagev1.php:
- Clicking tabs Internal Use Only -> Knowledge Management we discover CuppaCMS:
3 - EXPLOITATION
- Looking for exploits related to CuppaCMS:
- The exploit allows reading /etc/passwd:
http://192.168.1.26/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
- Copying php-reverse-shell.php locally, renaming it myshell.php and adapting it to our needs:
- Setting a Netcat listener at port 1234:
- Setting a SimpleHTTPServer at port 8000:
- A remote shell is achieved:
4 - PRIVILEGE ESCALATION
- Looking for SUID binaries we find /usr/bin/cp:
- Also, we detect that maintenance.sh is a cron job owned by root:
- Running maintenance.sh is denied:
- Now, let's create an exploit with Msfvenom:
- Setting a listener session:
- Creating the script new_maintenance.sh:
- Transferring new_maintenance.sh from Kali to Bravery:
- Copying with cp:
- Once maintenance.sh is run by cron, a root shell is achieved:
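- As an added defensive check (not part of this walkthrough), the following POSIX shell audit flags the two misconfigurations chained above: a SUID binary that should not carry the bit, and a root-run cron script that a non-root user can modify. The allowlist, the cron paths and the --run flag are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added audit script (assumption: Linux with GNU/BSD ls, find and grep).
# It reports the conditions abused above: unexpected SUID files and
# root cron scripts that non-root users own or can write to.

# SUID binaries that legitimately carry the bit (assumption; adjust per distro).
SUID_ALLOW="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount /usr/bin/umount /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd"

# find_unexpected_suid DIR: print SUID regular files under DIR not on the allowlist.
find_unexpected_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while read -r f; do
        case " $SUID_ALLOW " in
            *" $f "*) ;;                      # expected, e.g. /usr/bin/passwd
            *) echo "UNEXPECTED SUID: $f" ;;  # e.g. /usr/bin/cp on Bravery
        esac
    done
}

# other_writable FILE: return 0 if group or world can write FILE, else 1.
# Uses the ls -l mode string (char 6 = group w, char 9 = other w) for portability.
other_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_cron_scripts: examine the cron files themselves plus every absolute
# path referenced from /etc/crontab and /etc/cron.d (e.g. maintenance.sh).
check_cron_scripts() {
    { ls /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* \
         /etc/cron.weekly/* /etc/cron.monthly/* 2>/dev/null
      grep -hEo '(/[A-Za-z0-9._-]+)+' /etc/crontab /etc/cron.d/* 2>/dev/null
    } | sort -u | while read -r f; do
        [ -f "$f" ] || continue
        owner=$(ls -ld "$f" | awk '{print $3}')
        [ "$owner" = root ] || echo "CRON SCRIPT NOT ROOT-OWNED: $f ($owner)"
        if other_writable "$f"; then echo "CRON SCRIPT WRITABLE BY OTHERS: $f"; fi
    done
}

# Run the full audit with: sh audit.sh --run (assumed invocation)
if [ "${1:-}" = "--run" ]; then
    check_cron_scripts
    find_unexpected_suid /
fi
```

Either finding is a fix-before-it-is-chained item: remove the SUID bit from cp and make cron scripts root-owned and mode 755 or stricter.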
5 - CAPTURING THE FLAG
- Reading proof.txt: