Safetech Blog - Security Tips and Tricks


by Oana Stoian

Billu-b0x Write-up

This write-up covers the Billu-b0x CTF machine hosted on Vulnhub (https://www.vulnhub.com/entry/billu-b0x,188/). It is one of those challenges built around realistic, real-world technical vulnerabilities, which is why I like it.

In my setup the machine has the IP address 172.16.100.86, and I started with an nmap scan:

[image: nmap scan output]

Running nikto against the web server gives us the following information:

[image: nikto output]

Not much useful information there, so we continue by brute-forcing directories with dirb and a few common wordlists, and we get some interesting results:

[image: dirb results, including a phpmyadmin directory]

So we have some new things to play with: a phpMyAdmin instance and a few other files, such as http://172.16.100.86/test, which returns a “promising” error message:

[image: error message returned by /test]

A “file” parameter and a “file path”… this could lead to a local file inclusion (LFI). A couple of minutes and a few tries later, we have a working LFI:

This LFI won't give us code execution (yet), but it does let us learn important things about the system: because it returns file contents rather than executing them, we can read the web application's PHP source and look for sensitive data in it.

Reading through the PHP source, we find the MySQL database credentials in c.php:

[image: c.php source with the database credentials]

We use these credentials to log in to phpMyAdmin. In the database we find the credentials for the main web application:

[image: auth database table with the web application credentials]

Now that we have access to the web application, we start looking for new vulnerabilities. There is an upload form, but after some trial and error, and after reading its code through the LFI, we realise that the upload on its own won't get us command execution. After being stuck for a while we keep reading the application's source and find another LFI, this time in panel.php. Now things can go in the “right” direction: we have an upload form that accepts image files and we have a “good” LFI, the kind that include()s your file's contents as PHP code rather than just echoing them back. We upload a crafted image file with PHP code embedded in it and execute that code through the LFI:

[image: PHP code executed through the panel.php LFI]

Time to get a shell, right? Well, not that fast, but here it is anyway:

[image: perl shell]

With a shell, we start enumerating the machine; running LinEnum (https://github.com/rebootuser/LinEnum) is always a good idea. After a short while we realise that this machine runs very few services, has no juicy data in the home folders and no permission issues, so kernel exploitation looks like the fastest way to root. We grab an exploit for CVE-2015-1328, the overlayfs local privilege escalation in Ubuntu kernels (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html), and bingo! I am (g)root! 🙂 One caveat: check the kernel version (uname -r) against the advisory before firing a kernel exploit, since a failed attempt can crash the box instead of rooting it.

[image: root shell]

This was a nice vulnerable machine and a good example of web exploitation and of chaining vulnerabilities together. Thanks to the author @indishell1046 and, of course, to our friends at @vulnhub!
