Saturday, October 14, 2017

Vulnhub Walkthrough: Bulldog 1
uid=0(root) gid=0(root) groups=0(root)

Initial nmap shows ports 23, 80, and 8080 open.

Nothing special on the front-facing site or the notice page. Also nothing in the source, and port 8080 serves the same web app.

Running dirb against the site reveals the admin, dev, and dev/shell directories.

The admin page reveals a Django admin login, nothing to use yet though.

The dev directory reveals usernames we might use,

and the link to the shell directory.

Seems we need to authenticate to Django before we can use the web shell.

Looking at the source of the dev directory reveals hashes for all the usernames.

Running Kali in a VM on my Windows box, so switching to Windows to run the hashes through hashcat. This reveals two passwords that we can try against Django.

And we're in using nick:bulldog for credentials, but with no privileges.

Checking the shell directory, it looks like we now have a restricted shell limited to a few commands.

However, it seems we're in as user django.

Searching around we find that we can access the bulldogadmin user's home directory, and there is a hidden directory with two files.

The note file reveals that the other file is a program that can give us root.

As always I overthink these things and wasted a bunch of time on other possibilities; turns out we can run commands by using echo and passing them to /bin/bash through a pipe.

Needed a way to get customPermissionApp off the system so I can take a look at it, so we copy it to the static web directory in order to download it.

Executing the program gives instructions and actually spawns a new shell. Nothing of use to get on the box though.

Throwing it at strings actually reveals what we need, a password: SUPERultimatePASSWORDyouCANTget

Using the found password we're able to SSH over port 23 as django.

A simple sudo -i gives us root and the congrats.txt file.

Another way to get root? The only other way I found was to copy customPermissionApp to the tmp directory, make it executable, and run it to get root. Not sure if that was it though.

Wednesday, October 11, 2017

Vulnhub Walkthrough: RickdiculouslyEasy 1

130 Points
uid=0(root) gid=0(root) groups=0(root)

Initial nmap on all ports reveals the following open ports: 21, 22, 80, 9090, 13337, 22222, 60000. The scan finds two flags immediately, but let's verify to make sure we're not missing anything.

Connecting to FTP as anonymous we're able to download FLAG.txt, but unable to upload any files.

First flag revealed:

FLAG{Whoa this is unexpected}
Points = 10
Overall points = 10

SSH seems fake as it is unable to connect; moving on.

Checking out Morty's Cool Website: nothing interesting and nothing in the source.

Running dirb against it finds some interesting paths.

The passwords directory reveals a new flag and another page.

FLAG{Yeah d- just don't do it.}
Points = 10
Overall points = 20

The passwords.html page is nothing special,

but the source reveals a password: winter

Looking at robots.txt, it shows some interesting files are located in cgi-bin.

The file root_shell.cgi is too good to be true.

The file tracertool.cgi however looks promising.

Seems that command injection is possible, and we get /etc/passwd.

After messing around with this for way too long, I found that it wasn't a way in. However I did find that the cat command just printed a cat and less needed to be used :)

Also found that the /etc/passwd file was false, as looking at /etc/group reveals the usernames we need: RickSanchez, Morty, Summer.
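The Bulldog web shell above (bypassed by piping echo into /bin/bash) and the tracertool.cgi injection here fail for the same reason: the handler checks or builds a string that a shell then re-parses. The block below is an added example, not code from either VM, contrasting a Bulldog-style first-word allowlist with a hardened check that refuses shell metacharacters and runs an argv list without a shell, plus a host validator for a tracertool-style handler. The allowlist, regexes and function names are constructed for the example.

```python
import re
import shlex
import subprocess

# Constructed allowlist; the VM's real command list is not shown on the page.
ALLOWED = {"echo", "ls", "pwd", "ifconfig"}
# Shell metacharacters that turn one allowed command into several.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")
# Plain-word arguments only: no spaces, quotes or operators.
ARG_OK = re.compile(r"[\w./:=-]+")
# Hostname or IP literal: letters, digits, dots and hyphens, RFC-1123 length.
HOST_OK = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def naive_first_word_ok(cmd: str) -> bool:
    """Bulldog-style check: only the first word is tested, so a command
    like 'echo id | /bin/bash' passes and the shell runs the piped text."""
    words = cmd.split()
    return bool(words) and words[0] in ALLOWED


def hardened_ok(cmd: str) -> bool:
    """Reject metacharacters, then require every token to be a plain word."""
    if SHELL_META.search(cmd):
        return False
    try:
        words = shlex.split(cmd)
    except ValueError:  # unbalanced quotes
        return False
    return (bool(words) and words[0] in ALLOWED
            and all(ARG_OK.fullmatch(w) for w in words[1:]))


def run_allowed(cmd: str) -> str:
    """Execute only what hardened_ok accepts, as an argv list with no shell."""
    if not hardened_ok(cmd):
        raise PermissionError(f"rejected: {cmd!r}")
    proc = subprocess.run(shlex.split(cmd), capture_output=True, text=True)
    return proc.stdout


def is_valid_host(host: str) -> bool:
    return HOST_OK.fullmatch(host) is not None


def tracert_argv(host: str) -> list:
    """tracertool-style handler done right: validate the host, then pass it
    as a single argv element instead of interpolating it into a shell string."""
    if not is_valid_host(host):
        raise ValueError(f"invalid host: {host!r}")
    return ["traceroute", host]
```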

We'll come back to user credentials after covering all these other open ports.

Let's start with port 9090 in a web browser, which gives us another flag. Nothing else to do as the password field and submit button are missing.

FLAG {There is no Zeus, in your face!}
Points = 10
Overall points = 30

Next port is 13337, which we netcat to, revealing another flag and nothing else.
Points = 10
Overall points = 40

Next port is 60000, which holds a flag, and no other commands work.
FLAG{Flip the pickle Morty!}
Points = 10
Overall points = 50

Now onto port 22222, the real SSH port. So we found a password 'winter' and we have a username 'Summer'... uh, let's try that. BOOM, we have access and another flag.

FLAG{Get off the high road Summer!}
Points = 10
Overall points = 60

Looking around we have two more home directories: Morty and RickSanchez. Since we know RickSanchez is part of the wheel group, let's start with Morty.

We reveal two files, so we sftp them off to Kali.

Looking at the file Safe_Password.jpg, looking good Rick :)

Nothing special, so we throw it at strings, which reveals the password for the zip.

Using the found password we're able to unzip the file and reveal another flag and an interesting message.

FLAG: {131333}
Points = 20
Overall points = 80

Looking at the RickSanchez home folder we find two folders. Trying RICKS_SAFE we find an executable named safe, but it's unable to run so we sftp it to Kali.

The other folder, obviously fake, but I had to look...

Back to the safe executable: it seems that it needs an argument to run. Putting it through strings, it seems that it's going to need that argument to decrypt the message.

Sending all A's reveals the encrypted message.

Looking back at the last flag and message, I try the number as the argument or key. With that the message is decrypted, revealing another hint and flag.

FLAG{And Awwwaaaaayyyy we Go!}
Points = 20
Overall points = 100

So we know the parameters needed for user RickSanchez. First we Google what band Rick was in; seems to be 'The Flesh Curtains'. Next we use crunch to generate 1 uppercase character and 1 digit, outputting to a file. Last we append the words Flesh and Curtains to that generated list using sed, outputting to two new files.

Last we throw those files at hydra and we get the password from the second list.

With that we're able to SSH as RickSanchez, and with a simple 'sudo -i' we're root :)

The last flag is revealed, giving us 130 points.

FLAG: {Ionic Defibrillator}
Points = 30
Overall points = 130