The goal of the VM is to gain root access on the machine. I found 2 ways to get into the machine.
I run nmap against the victim and find ports 22 and 80 open.
Since port 80 is open, I visit the URL http://192.168.212.102/ and find a login form with the following message:
I spend a bit of time trying to find a SQLi, but in the meantime I run dirb and find some interesting URLs.
I check the URL http://192.168.212.102/test.php, and this is what I get:
On a GET request the message comes back, so I write a small HTML page to send a POST request to the URL and see what happens:
I open the HTML page, enter /etc/passwd as the file path and submit, and the browser downloads a passwd file with the following content:
I get the source code for various pages (c.php, test.php, panel.php, show.php, add.php).
The file c.php has the following content:
Unfortunately these credentials don't give access to SSH or to the web application.
I can see from the panel that a user can use 2 functionalities: add and show.
I see that the page show.php has the following source code:
So, using Burp I change the request from POST to GET when visiting http://192.168.212.102/show.php and I see that there are 2 users on the system, “Jack” and “Capitain Barbarossa”, followed by some images.
I check the source code of the file add.php, and I get lucky. This is the source code of the file add.php:
Unfortunately this doesn't work: even when I post to panel.php I need to be logged in.
I go back to the URL scan and try again with a bigger wordlist, and this is what I get:
I see there's PHPMyAdmin installed on the system, reachable at the URL http://192.168.212.102/phpmy/. I also get more information about the system through the URL http://192.168.212.102/in, a page that calls the phpinfo() function and shows the information of the system.
This looks a bit clearer. At this point I log in to the PHPMyAdmin page using the credentials from c.php: billu:b0x_billu.
I try to get the output of some files or to write a PHP backdoor in one of the folders, but nothing works. It must be that AppArmor is running on the system.
I check the table auth in the database ica_lab, and I find the only user in the DB: biLLu:hEx_it.
Works like magic. I add a new user using the panel, and try to upload a malicious file in order to get a reverse shell.
I put the header of a GIF image at the start of a file and append some PHP code to see whether the system runs it. This is the content of my malicious image:
After various attempts, I can't manage to get the uploaded file executed in order to run arbitrary code on the server through the upload functionality. So I move on for now.
I check for vulnerabilities in the PHPMyAdmin version installed, and I bump into this exploit https://www.exploit-db.com/exploits/17514/ which is not for the version installed on the VM, but it leads me to the config file of the system.
I visit http://192.168.212.102/phpmy/setup/config.php and I see that this could generate a brand new config.inc.php file. At this point I check through the URL http://192.168.212.102/test.php the content of the file /var/www/phpmy/config.inc.php, and this is the content:
I try the credentials root:roottoor to log in to PHPMyAdmin as root, but it doesn't work. So I try those credentials to log in to the system through SSH, and it works.
Uhm… I check the Vulnhub page of the VM again, and this is what the description says:
Ok, I pretend I don’t have root access, and I try harder through the web app.
I spend more time trying to find what I'm missing on the web app and I find out that the load parameter of panel.php has an LFI vulnerability:
This could be good, since I already found a way to upload an image with some PHP code, and this could be the way to execute it.
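Both the file download in test.php and the LFI in panel.php have the same root cause: a user-supplied value is used as a file path with no check. As an added example (not code from the VM, whose panel.php is not shown here), this is how the load parameter can be kept while refusing anything outside a fixed set of pages. The names PAGES_DIR, ALLOWED_PAGES, resolve_page() and load_page() are assumptions for the example.

```php
<?php
// Added example, not the VM's panel.php: an include handler for the "load"
// parameter that only ever includes known pages from a fixed directory.
// Assumed names: PAGES_DIR, ALLOWED_PAGES, resolve_page(), load_page().

const PAGES_DIR     = __DIR__ . '/pages';
const ALLOWED_PAGES = ['add', 'show'];   // the two functionalities of the panel

// Returns the canonical path of the page to include, or null if the
// parameter is not one of the allowed page names.
function resolve_page(string $load): ?string
{
    // 1. Allowlist: the value must be one of the known page names, nothing else.
    //    "../../uploaded_images/my_image.gif" or "/etc/passwd" never get past here.
    if (!in_array($load, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. Belt and braces: canonicalise the final path and confirm it is still
    //    inside PAGES_DIR, so a symlink or a future change to the allowlist
    //    cannot turn this back into a traversal.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $load . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_page(string $load): void
{
    $path = resolve_page($load);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Default to the harmless page when the parameter is missing.
load_page($_GET['load'] ?? 'show');
```

The same realpath-under-a-base-directory check is the fix for the test.php download: resolve the requested name inside the directory of files that are meant to be served and refuse anything whose canonical path lands elsewhere. A log entry for every rejected value is worth adding too, since a load parameter containing "../" or "/etc/" is a clear signal of someone probing for exactly this bug.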
The following request shows me the output of the phpinfo() function within the file /var/www/uploaded_images/my_image.gif:
So, at this point I write another gif with a PHP backdoor:
I upload the image and try the same request again, passing the command in the cmd GET parameter, and this is what I get:
Ok, I’m www-data, now I get a reverse shell using the same method and I’m in.
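The upload trick works because add.php only checks that the file looks like an image, and a valid GIF header says nothing about what follows the image data. As an added example (not the VM's add.php, whose code is not reproduced here), this is a server-side check that rejects an image carrying a PHP open tag and, for the files it accepts, re-encodes them through GD so that any trailing payload is dropped and the stored name and extension are chosen by the server, not the client. UPLOAD_DIR, image_upload_problems() and store_image() are assumed names; the path /var/www/uploaded_images is the one seen in the write-up. The block uses match and so needs PHP 8 with the GD extension.

```php
<?php
// Added example, not code from the VM: validating and storing an uploaded image
// so that a GIF with PHP code appended to it is rejected or neutralised.
// Assumed names: UPLOAD_DIR, ALLOWED_TYPES, image_upload_problems(), store_image().

const UPLOAD_DIR    = '/var/www/uploaded_images';   // path used in the write-up
const MAX_BYTES     = 2 * 1024 * 1024;
const ALLOWED_TYPES = [IMAGETYPE_GIF => 'gif', IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg'];

// Returns the reasons to reject the file; an empty array means it passed.
function image_upload_problems(string $tmpPath): array
{
    $problems = [];
    if (filesize($tmpPath) > MAX_BYTES) {
        $problems[] = 'file too large';
    }
    // Look at the real content, never at the client-supplied name or MIME type.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        $problems[] = 'not a GIF, PNG or JPEG image';
    }
    // A correct image header proves nothing about the bytes after the image
    // data. Refuse a PHP open tag anywhere in the file; the rare false positive
    // on a genuine image is an acceptable price.
    if (preg_match('/<\?/', (string) file_get_contents($tmpPath)) === 1) {
        $problems[] = 'PHP open tag embedded in image';
    }
    return $problems;
}

// Stores a validated image under a random, server-chosen name and extension.
// Decoding and re-encoding with GD rebuilds the pixel data only, so anything
// appended after the image stream does not survive into the stored file.
function store_image(string $tmpPath): string
{
    $problems = image_upload_problems($tmpPath);
    if ($problems !== []) {
        throw new RuntimeException('upload rejected: ' . implode(', ', $problems));
    }
    $type = getimagesize($tmpPath)[2];
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type];

    $img = match ($type) {
        IMAGETYPE_GIF  => imagecreatefromgif($tmpPath),
        IMAGETYPE_PNG  => imagecreatefrompng($tmpPath),
        IMAGETYPE_JPEG => imagecreatefromjpeg($tmpPath),
    };
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    $written = match ($type) {
        IMAGETYPE_GIF  => imagegif($img, $dest),
        IMAGETYPE_PNG  => imagepng($img, $dest),
        IMAGETYPE_JPEG => imagejpeg($img, $dest),
    };
    imagedestroy($img);
    if (!$written) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}

// Usage in the upload handler (assumed form field name "image"):
if (isset($_FILES['image']) && is_uploaded_file($_FILES['image']['tmp_name'])) {
    try {
        $saved = store_image($_FILES['image']['tmp_name']);
        echo 'stored as ' . basename($saved);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

None of this helps if the web server is still willing to execute PHP from the upload directory or to include arbitrary files from it, which is what the LFI in panel.php turned into code execution here. The upload directory should have PHP execution disabled in the web server configuration, and the include logic should never reach into it.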
First, I see that the version of netcat installed on the machine doesn't allow command execution, so I download it from my machine to the victim's using the following request:
I double check that it is downloaded and give execution permissions to the file /tmp/nc.
Once this is done, I set my machine listening on port 4444 and use the following request to get a reverse shell:
Now that I’m in, I need to escalate privileges.
The version of Linux running on the machine is 12.04.5 with kernel 3.13.0, which is quite out of date:
I download the exploit available at the URL https://www.exploit-db.com/exploits/37292/, compile it on the machine and run it: