Hi guys, it looks like I’m going crazy with these hacking games :)
Since I’ve completed the first Acid server challenge (which one day I will post; I’m feeling lazy and I want to move on), today I’m going to show you how I completed the new chapter of Acid.
Again, thanks to Vulnhub for keeping me busy with all these challenges, and thanks to all the people who host new challenges.
This challenge involves hacking techniques and a bit of logic.
First step: INFORMATION GATHERING
The description provided on Vulnhub says that the machine will have an IP assigned automatically.
So I ran the following command to discover the IP address of the victim machine:
Once I discovered that the victim’s IP address was 192.168.56.103, I ran a port scan to check the victim’s open ports.
No luck. Just port 22 open. There could be services that only show up with a stealth scan, so I tried again with this:
Much better. I found a bunch of filtered ports that needed to be investigated.
Second step: VULNERABILITY SCAN
The first thing I tried was to check whether any of these ports was actually used by an application server.
Nothing: all the ports were filtered, and with both telnet and curl I got a connection refused.
Last resort: the one open port, 22, so ssh.
The welcome message says:
I love subliminal messages. It’s a reference to port knocking.
In case you have no idea what I’m talking about, read more about how to hide ssh with port knocking, or just check this
So I ran this command
P.S. If you’re using VirtualBox, please make sure that you’re using just the Host-only Adapter, otherwise the knock will fail. I don’t know why, but as soon as I changed it the port was open.
After knocking I ran nmap again to check what had changed, and this is what I found:
Aaaaaand another port open, 33447. What is it? I made a telnet connection and found out that it was an application server port.
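What the knock actually does on the server side, as an added example that is not part of the original post: a small tracker that models a knock daemon, watching inbound connection attempts per source and only marking a source as allowed once it hits the secret ports in order within a timeout. The sequence, the log format and the log lines are all constructed for illustration.

```python
"""Port-knock sequence tracker: server-side model of how knocking hides a service. Added example; sequence, log format and log lines are constructed."""
import re
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (1000, 2000, 3000)   # constructed secret knock sequence
KNOCK_TIMEOUT = 10.0                   # max seconds allowed between consecutive knocks

@dataclass
class KnockTracker:
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = KNOCK_TIMEOUT
    progress: dict = field(default_factory=dict)   # src -> (next index, last knock time)
    opened: set = field(default_factory=set)       # sources that completed the sequence

    def observe(self, src: str, dport: int, ts: float) -> bool:
        """Feed one inbound connection attempt; return True when src just completed the sequence."""
        idx, last = self.progress.get(src, (0, ts))
        if ts - last > self.timeout:
            idx = 0                                  # too slow: the partial sequence expires
        if dport == self.sequence[idx]:
            idx += 1
        elif dport == self.sequence[0]:
            idx = 1                                  # wrong port, but it restarts the sequence
        else:
            idx = 0                                  # any other port resets it
        if idx == len(self.sequence):
            self.opened.add(src)
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, ts)
        return False

# Constructed firewall-style log lines: "<timestamp> SRC=<ip> DPT=<port>"
SAMPLE_LOG = """\
1.0 SRC=10.0.0.5 DPT=1000
1.5 SRC=10.0.0.5 DPT=2000
2.0 SRC=10.0.0.5 DPT=3000
1.0 SRC=10.0.0.9 DPT=1000
1.2 SRC=10.0.0.9 DPT=3000
1.4 SRC=10.0.0.9 DPT=2000
""".splitlines()
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) SRC=(?P<src>[\d.]+) DPT=(?P<dport>\d+)$")

def replay(lines) -> set:
    """Run the tracker over log lines; return the sources that earned access."""
    tracker = KnockTracker()
    for m in filter(None, map(LOG_RE.match, lines)):
        tracker.observe(m["src"], int(m["dport"]), float(m["ts"]))
    return tracker.opened
```

Only 10.0.0.5 gets through; 10.0.0.9 knocks the right ports in the wrong order. Note that anyone watching the wire sees the knocks too, so the sequence hides the service but is no substitute for the authentication on the service itself.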
I’ve opened it on a browser and this is what I’ve found:
Third step: WEB VULNERABILITY SCAN
Once I’ve found the webpage I’ve started looking for some web vulnerabilities.
The source code of the page had nothing strange: no “helping” page title, no cookies, just the background image. Since in the previous chapter of Acid the background image had some hidden hints, I wanted to check whether there was something in the metadata of the image, or in the image itself. Nothing at all.
So, Dirbuster has always been my friend.
That /bin folder looks cool, right?
This is the page that I saw at http://192.168.56.103/bin/:
A login page. “Be Logical Here” was the head of the page.
I saw from the source that there was a script at crack/js/index.js. The scan also showed a folder called /bin/crack (strange that Dirbuster didn’t find the js folder within it).
I also noticed a file called /bin/crack/README.txt. It was a reference to a codepen, with this link.
I tried SQL injection and blind SQL injection. Nothing.
There was also /bin/dashboard.php, a page with a funny meme.
It was explicitly saying that I wasn’t authorized to access that page.
After a few attempts, I decided to try with headers ;)
I’m a big fan of Firefox, and there are plugins that I’ve been using for ages. One of them is the add-on Live HTTP Headers.
And this is what I did: I replayed the request for /bin/dashboard.php, adding the page /bin/includes/validation.php as the Referer.
So I clicked on the link and it showed me the page /bin/l33t_haxor.php with just an image:
Fourth step: EXPLOITATION
I had a look at the source, and I found
and guess what? It’s vulnerable to SQL injection, but it’s a tricky one.
I noticed that the page returned a message whenever I supplied an id between 1 and 11, but I got a SQL error when I supplied just a ’.
Did I mention that it’s a tricky one? Well, it is, because whenever I wrote a SQL injection containing a space or a + it returned an image saying HACKER DETECTED. So I needed to use a SQLi obfuscation technique to execute the query, or just use a SQL scanner like sqlmap.
sqlmap is a great tool, and you can use tamper scripts for tricky queries like this one. Since the query was failing with spaces, I replaced the spaces with comments using the tamper script called space2comment. On this website you can find a lot of tamper scripts for sqlmap.
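As an added example (not from the post or the challenge’s real code), here is the shape of the problem in Python with sqlite3: a filter that rejects spaces and plus signs, the string-built query behind it, and the parameterized lookup that actually closes the hole. The table, rows and function names are constructed.

```python
"""Blocklist filter vs. parameterized query for a 'HACKER DETECTED' style check.
Added example with a constructed table; not the challenge's real code."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the challenge's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE hints (id INTEGER, secret TEXT)")
    con.executemany("INSERT INTO hints VALUES (?, ?)",
                    [(1, "row one"), (2, "row two"), (3, "row three")])
    return con


def naive_filter(user_id: str) -> bool:
    """Models the page's check: any space or plus sign means 'HACKER DETECTED'."""
    return " " not in user_id and "+" not in user_id


def lookup_vulnerable(con: sqlite3.Connection, user_id: str):
    """The flawed 'before': the id is spliced into the SQL text after the blocklist.
    SQL treats a /* */ comment as whitespace, so the blocklist proves nothing."""
    if not naive_filter(user_id):
        return "HACKER DETECTED"
    return con.execute(f"SELECT secret FROM hints WHERE id={user_id}").fetchall()


def lookup_parameterized(con: sqlite3.Connection, user_id: str):
    """The fix: validate the type, then bind the value; the SQL text never changes."""
    try:
        ident = int(user_id)          # the page only ever expects a numeric id
    except ValueError:
        return []
    return con.execute("SELECT secret FROM hints WHERE id=?", (ident,)).fetchall()
```

The blocklist catches "2 OR 1=1" but not the same thing with comments in place of the spaces, which is exactly the substitution space2comment performs; the parameterized version simply refuses anything that is not an integer.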
So, this is the command I used to exploit the query:
And this is what I discovered:
Cool, something told me that maybe the secure_login database might be useful.
Believe me, it took a very long time to discover the right SQL injection. This website helped me a lot.
To make your life easier, this is the SQL injection that I executed:
and this is what I retrieved:
UB3R/strcpy.exe is a link; indeed, I downloaded the file strcpy.exe from http://192.168.56.103:33447/UB3R/strcpy.exe.
It looks like the file is a PDF:
But when I went to open the file, the right-click suggestion on Kali was “Open with Archive Manager”… and guess what?
This was the content of the file acid.txt:
The right track? I had just extracted the file. So the file contained another file within.
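A tiny signature carver in the spirit of what foremost does, as an added example that is not part of the original post: it scans a blob for known file headers, reports where each embedded file starts, and walks the ZIP local-file headers it finds to pull the members out. The input is constructed (a bogus PDF header with a small ZIP appended) and stands in for strcpy.exe.

```python
"""Signature-based file carving, the idea behind foremost. Added example; the
sample blob is constructed (fake PDF header + appended ZIP), not the real strcpy.exe."""
import io
import struct
import zipfile
import zlib

SIGNATURES = {           # magic bytes -> file type
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}


def carve(blob: bytes) -> list:
    """Return (offset, type) for every known header found, in file order."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, kind))
            start = pos + 1
    return sorted(hits)


def extract_zip_members(blob: bytes, offset: int) -> dict:
    """Walk ZIP local-file headers from offset until the central directory; return {name: data}.
    Assumes sizes are in the header (no data-descriptor flag), as zipfile writes them."""
    members, pos = {}, offset
    while blob[pos:pos + 4] == b"PK\x03\x04":
        hdr = struct.unpack("<4sHHHHHIIIHH", blob[pos:pos + 30])   # 30-byte fixed header
        method, csize, nlen, xlen = hdr[3], hdr[7], hdr[9], hdr[10]
        name = blob[pos + 30:pos + 30 + nlen].decode()
        data_start = pos + 30 + nlen + xlen
        data = blob[data_start:data_start + csize]
        members[name] = zlib.decompress(data, -15) if method == 8 else data  # 8 = deflate
        pos = data_start + csize
    return members


def build_sample() -> bytes:
    """Constructed input: a bogus PDF header with a ZIP archive appended after it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("acid.txt", "constructed hint text\n")
    return b"%PDF-1.4\n%constructed header, not a real document\n" + buf.getvalue()
```

The first hit explains why the file "looked like a PDF", the second why Kali offered the Archive Manager: the checker only read the first bytes, the carver reads all of them.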
After a bit of analysis, I started carving the file with foremost, and this is what I found:
Bingo, two files extracted. This is the content of the file hint.txt:
And this is the content of the file Avinash.contact:
From this file I extracted the following information:
Smells like ssh, also because I had no luck with the login page. So, ssh brute-forcer! The one I used is Medusa. So I created a list of users and a list of passwords with the information retrieved:
Did you notice anything?
So, once I got in, I found a hidden file called .hint:
I’m not quite sure of the meaning of that, but one of my habits is to check the user’s command history:
I carried on investigating the /root folder, and then I found the flag!
I must say that this CTF wasn’t so easy. It was quite different from the first chapter, where the root password had been right under my nose :)
But it’s been challenging, and I had a lot of fun completing it :) Thank you Avinash.
As usual, for any information or comment, please do not hesitate to leave a comment.