Saturday, October 14, 2017

Vulnhub Walkthrough: Bulldog 1

Download
https://www.vulnhub.com/entry/bulldog-1,211/

Goal
uid=0(root) gid=0(root) groups=0(root)

Walkthrough
Initial nmap shows ports open on 23, 80, and 8080


Nothing special on front facing site or notice page.  Also nothing in the source and 8080 is the same web app




Running the site against dirb reveals admin, dev, and dev/shell directories


The admin page reveals django admin login, nothing to use yet though


The dev directory reveals usernames we might use


and the link to the shell directory


Seems we need to authenticate to django before we can use the web shell


Looking at the source of dev directory reveals hashes for all the usernames


Running kali on a virt on my windows box, so switching to windows to run hashes against hashcat. This reveals two passwords that we can try against django


And we're in using nick:bulldog for credentials, but no privileges


Checking the shell directory, looks like we now have a restricted shell to only a few commands


However it seems we're in as user django


Searching around we find that we can access user bulldogadmin home directory and there is a hidden directory with two files


The note file reveals that the other file is a program that can give us root


As always I overthink these things and wasted a bunch of time on other possibilities, turns out we can run commands using echo and passing them to /bin/bash through a pipe


Needed a way to get the customPermissionApp off the system so I can take a look at it, so we copy it to the static web directory in order to download






Executing the program gives instructions and actually spawns a new shell. Nothing too use to get on the box though


Throwing it at strings actually reveals what we need, a password SUPERultimatePASSWORDyouCANTget


Using the found password we're able to SSH over port 23 as django


Simple sudo -i gives us root and the congrats.txt file


Another way to get root? The only other way I found was to copy customPermissionApp to tmp directory, make executable, and run to give root.  Not sure if that was it though.


Wednesday, October 11, 2017

Vulnhub Walkthrough: RickdiculouslyEasy 1

Download
https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/

Goal

130 Points
uid=0(root) gid=0(root) groups=0(root)

Walkthrough

Initial nmap on all ports reveals the following open ports: 21, 22, 80, 9090, 13337, 22222, 60000.  The scan finds two flags immediately, but let's verify to make sure we're not missing anything.





Connecting to FTP using anonymous we're able to download FLAG.txt, but unable to upload any files



First flag revealed


FLAG{Whoa this is unexpected} 
Points = 10
Overall points = 10

SSH seems fake as it is unable to connect, moving on



Checking out Morty's Cool Website, nothing interesting and nothing in source



Running dirb against finds some interesting paths



The passwords directory reveals new flag and another page



FLAG{Yeah d- just don't do it.} 
Points = 10 
Overall points = 20 

The passwords.html page is nothing special
 

But the source reveals a password winter 
 

Looking at robots.txt, it shows some interesting files are located in cgi-bin  

File root_shell.cgi is too good to be true 
 
 


File tracertool.cgi however looks promising 
 
 

Seems that command injection is possible and we get /etc/passwd 

After messing around with this for way too long, I found that it wasn't a way in. However I did find that that cat command just printed a cat and less needed to be used :)


Also found that the /etc/passwd file was false, as looking at /etc/group reveals the usernames we need; RickSanchez, Morty, Summer
 

We'll come back to user credentials after covering all these other open ports. 

Let's start with port 9090 in a web browser, which gives us another flag.  Nothing else to do as password field and submit button are missing

FLAG {There is no Zeus, in your face!} 
Points = 10 
Overall points = 30 

Next port is 13337, which we netcat to revealing another flag and nothing else  
FLAG:{TheyFoundMyBackDoorMorty} 
Points = 10 
Overall points = 40 

Next port is 60000, that holds a flag and no other commands work  
FLAG{Flip the pickle Morty!} 
Points = 10 
Overall points = 50 

Now onto port 22222, the real SSH port.  So we found a password 'winter' and we have a username 'Summer'....uh let's try that. BOOM, we have access and another flag
 


FLAG{Get off the high road Summer!} 
Points = 10 
Overall points = 60 

Looking around we have two more home directories; Morty and RickSanchezSince we know RickSanchez is part of the wheel group, let's start with Morty. 


We reveal two files so we sftp them off to kali


Looking at the file Safe_Password.jpg, looking good Rick :)  


Nothing special so we throw it at strings, which reveals the password for the zip


Using the found password we're able to unzip the file and reveal another flag and an interesting message

FLAG: {131333} 
Points = 20 
Overall points = 80 

Looking at RickSanchez home folder we find two folders.  Trying RICKS_SAFE we find an executable named safe, but it's unable to run so we sftp to kali


The other folder, obviously fake, but I had to look...




Back to the safe executable file, seems that it needs an argument to run.  Putting it to strings it seems that it's going to need that argument to decrypt the message


Sending all A's reveals the encrypted message


Looking back at the last flag and message, I try the number as the arguments or key.  With that the message is decrypted revealing another hint and flag

FLAG{And Awwwaaaaayyyy we Go!} 
Points = 20 
Overall points = 100 

So we know the parameters needed for user RickSanchez.  First we Google what band Rick was in, seems to be 'The Flesh Curtains'.  Next we use crunch to generate the 1 Uppercase character and 1 Digit, outputting to a file.  Last we append the word Flesh and Curtains to that created listed by using sed and outputting to two new files


Last we throw those files at hydra and we get the password on the second list


With that we're able to SSH as RickSanchez and with a simple 'sudo -i' we're root :)


Last flag is revealed giving us 130 points

FLAG: {Ionic Defibrillator} 
Points = 30 
Overall points = 130