by Oana Stoian
This write-up is for Billu-b0x CTF machine hosted on Vulnhub https://www.vulnhub.com/entry/billu-b0x,188/ This is one of those challenges focused on real-world technical vulnerabilities and this is why I like it.
In my setup, the machine is using 172.16.100.86 IP address and I started with a nmap scan:
Not very much useful info, so we continue to do a bruteforce for directories using dirb with some common dictionaries, and we get interesting results with:
dirb http://172.16.100.86/ /usr/share/dirb/wordlists/big.txt
So we have some new things to play with… a phpmyadmin instance and other files, like http://172.16.100.86/test which is returning us a “promising” error message:
A “file” parameter… a “file path” … hmmm this could get us to a LFI. Couple minutes later after some tries, we have a nice working LFI:
POST /test HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
HTTP/1.1 200 OK
Date: Fri, 23 Jun 2017 10:41:46 GMT
Server: Apache/2.2.22 (Ubuntu)
Content-Description: File Transfer
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Disposition: attachment; filename="passwd"
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
This LFI wont get us to a code execution (yet), but at least we can learn important things about the system, we can read the web application’s code and find sensitive data.
We use these credentials to connect to phpmyadmin application. In the database, we discover the credentials to the main web application:
Now that we have access to the web application we start investigating it for new vulnerabilities…there is an upload form but after some tries and errors we look at the code through the LFI and realize that this won’t get us to command execution. Being stuck for a while we start reading the code of the application’s files and we get another LFI in panel.php. Now things can go to the “right” direction…we have an upload form which is allowing us to upload image files and we have a “good” LFI – you know, the kind that includes your files content into a PHP code file. We upload our crafted image file which has php code injected into it and run the code through the LFI:
Time to have a shell, righ? Well..not that fast, but anyway here it is:
Having the shell we start enumerating the machine, running Linenum ( https://github.com/rebootuser/LinEnum ) is always a good ideea. After short time we realize that this machine has very few services, no juicy data home folders…no permission issues, so kernel exploitation could be the fastest way to root. We grab an exploit for http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html and bingo! I am (g)root! 🙂
This was a nice vulnerable machine, good example of web exploitation and chaining exploits together. Thanks to the author @indishell1046 and of course thanks to our friends from @vulnhub !
568 total views, 2 views today