Vulnhub - Development writeup
digitalworldlocal-Development
Author: Donavan
Nmap
There’s a lot of information in the nmap output, but let’s start with SMB.
SMB
There is a share named access, but we can’t log in to it without any credentials. This means we shouldn’t have started with SMB 😜😜
HTTP
It says that we can get a list of pages on html_pages. So I visited http://192.168.184.130:8080/html_pages
This looks like the output of the ls -la command or something similar.
On the /development.html page I found a comment about a so-called secret page.
On visiting developmentsecretpage/ we get another link to /patrick.php
Following the trail I visited /developmentsecretpage/patrick.php
If we open the /sitemap page we again see some stuff.
The /securitynotice page contained some information about the passwords.
Since I had an idea of what password might be in play, I clicked on the logout option and then tried to log in as patrick and admin, but neither of them worked. Instead I kept getting an error.
I googled that and found exploit-lfi-bug-when-a-inc-php-is-appended-to-the-file-name
After this I decided to look for an exploit on exploit-db and found Simple Text-File Login script (SiTeFiLo) 1.0.6 - File Disclosure / Remote File Inclusion. In there was a section called [0x03] Bug:[Sensitive Data Disclosure] which showed a path called slog_user.txt
If we try to open developmentsecretpage/slog_users.txt we get the credentials.
admin, 3cb1d13bb83ffff2defe8d1443d3a0eb
intern, 4a8a2b374f463b7aedbb44a066363b81
patrick, 87e6d56ce79af90dbe07d387d3d0579e
qiu, ee64497098d0926d198f54f6d5431f98
Since all the passwords are MD5 hashes, I used crackstation to crack them and was able to get the passwords for intern and qiu.
intern: 12345678900987654321
qiu: qiu
patrick: P@ssw0rd25
The qiu login didn’t work on SSH but the intern one worked.
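The reason the crackstation lookup worked is that the application stored bare, unsalted MD5 digests. As an added defensive example (not from the original writeup and not SiTeFiLo’s own code), here is a small Python audit that reads a file in the same "user, hash" layout, flags bare 32-hex-character entries as unsalted MD5, and shows the salted PBKDF2 storage and constant-time verification the application should have used instead. The sample entries, the hash values and the pbkdf2_sha256$ storage format are constructed for this example.

```python
"""Audit a 'user, hash' credential file for unsalted MD5 and show a salted KDF.

Added example for this writeup; the sample rows mirror the slog_users.txt
layout above but every value below is constructed, not taken from the box.
"""
import hashlib
import hmac
import os
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
PBKDF2_PREFIX = "pbkdf2_sha256$"   # constructed storage format for this example
ITERATIONS = 200_000


def looks_like_unsalted_md5(stored: str) -> bool:
    """A bare 32-hex-char field is the signature of an unsalted MD5 digest,
    which a precomputed lookup table (crackstation-style) reverses instantly."""
    return bool(MD5_HEX.match(stored.strip()))


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store as pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    A fresh random salt per user defeats shared lookup tables."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PBKDF2_PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count, compare in constant time."""
    if not stored.startswith(PBKDF2_PREFIX):
        return False
    try:
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def classify(stored: str) -> str:
    """Verdict for one stored value: 'weak' (unsalted MD5), 'ok' (PBKDF2), else 'unknown'."""
    if looks_like_unsalted_md5(stored):
        return "weak"
    if stored.startswith(PBKDF2_PREFIX):
        return "ok"
    return "unknown"


def audit_user_file(text: str) -> list[tuple[str, str, str]]:
    """Parse 'user, hash' lines and return (user, stored value, verdict) per line."""
    rows = []
    for line in text.splitlines():
        if "," not in line:
            continue
        user, stored = (part.strip() for part in line.split(",", 1))
        rows.append((user, stored, classify(stored)))
    return rows


# Constructed sample: two unsalted MD5-style rows plus one row already migrated
# to PBKDF2 (fixed zero salt here only so the sample is reproducible).
SAMPLE_USERS_FILE = (
    "admin, 0123456789abcdef0123456789abcdef\n"
    "intern, fedcba9876543210fedcba9876543210\n"
    f"svc, {hash_password('example-only', salt=bytes(16))}\n"
)

if __name__ == "__main__":
    for user, stored, verdict in audit_user_file(SAMPLE_USERS_FILE):
        print(f"{user:8} {verdict:8} {stored[:40]}")
```

Run against a real export of the login script’s user file, every row reported as "weak" is a password that any leaked copy of the file reveals offline; migrating those users means re-hashing on their next successful login, since the plaintext is not recoverable from the stored digest by the defender either.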
User shell
We were logged in via SSH, but the problem is that it was a restricted shell, meaning it had only a few commands.
I tried running commands like /bin/sh or /bin/bash but I got kicked out 😡😡.
Then it clicked that if we can run a command like echo, we can open a shell using os.system().
I ran echo os.system("/bin/sh") and it gave me a proper shell, and then I got a congrats in the local.txt file.
Privilege escalation
Since we have the user shell now, we can try to change user to patrick since he’s the head of the department and might have more power.
I tried su patrick with the password P@ssw0rd25 and it worked.
Then the first thing I checked was sudo rights, and patrick could run vim/nano as root 😏😏.
I immediately searched gtfobins for vim and found vim/sudo
So I ran sudo vim -c ':!/bin/sh' to get a root shell.
Extra
There are other ways to root this machine.
Kernel exploit
I found a kernel exploit. I downloaded all the files, compiled them and actually got a shell as nobody, but I was able to cd to /root and get the flag.
To be honest I am not sure how it works, but it does ;-)
With lxd container
I checked the /etc/group file to find out that there’s a group named lxd with patrick in it.
I found an exploit related to lxd on exploit-db, i.e. Ubuntu 18.04 - ‘lxd’ Privilege Escalation.
Follow the steps in the exploit to get the alpine-v3.10-x86_64-20190730_0048.tar.gz file.
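Both of the privilege escalation paths above (the sudo rule for vim/nano in the Privilege escalation section, and patrick’s membership in the lxd group here) are misconfigurations an administrator can spot with a simple audit. As an added example, not part of the original writeup or of the exploit-db entries, here is a Python script that parses sudoers-style rules and an /etc/group file and reports sudo rules granting editors or interpreters that have documented shell escapes, plus any user in a group that is effectively root (lxd, docker, sudo, wheel, admin, disk). The two sample files are constructed for this example, not captured from the machine, and the SHELL_ESCAPE_BINARIES / ROOT_EQUIVALENT_GROUPS lists are my own starting set, not an exhaustive one.

```python
"""Flag sudo rules with shell-escape binaries and root-equivalent group members.

Added example for this writeup; the sudoers and /etc/group text below is
constructed to resemble the box, not copied from it.
"""
import re

# Binaries GTFOBins documents as able to spawn a shell when run under sudo
# (starting set for this example; extend it for your environment).
SHELL_ESCAPE_BINARIES = {
    "vim", "vi", "nano", "less", "more", "man", "awk", "find", "python", "perl",
}
# Membership in these groups is equivalent to root on most distributions.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel", "admin", "disk"}

# Constructed sample in the shape of /etc/sudoers (or `sudo -l` output).
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
patrick ALL=(ALL) NOPASSWD: /usr/bin/vim, /bin/nano
intern  ALL=(ALL) /usr/bin/less
%sudo   ALL=(ALL:ALL) ALL
"""

# Constructed sample in the shape of /etc/group.
SAMPLE_GROUP = """root:x:0:
sudo:x:27:
lxd:x:108:patrick
docker:x:999:intern
users:x:100:patrick,intern,qiu
"""

# user/%group  host=(runas[:rungroup])  [TAG: ...]  cmd1, cmd2, ...
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def risky_sudo_rules(text: str) -> list[tuple[str, str, str]]:
    """Return (who, command, reason) for every sudo command that yields a root shell."""
    findings = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line.strip())
        if not m:
            continue  # Defaults lines, comments, blanks
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                findings.append((m.group("who"), cmd, "full root"))
                continue
            # basename of the binary, ignoring any arguments in the rule
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append((m.group("who"), cmd, "shell escape"))
    return findings


def root_equivalent_members(text: str) -> dict[str, set[str]]:
    """Map each user listed in a root-equivalent group to the groups involved."""
    members: dict[str, set[str]] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        group, _, _, userlist = parts[:4]
        if group in ROOT_EQUIVALENT_GROUPS and userlist.strip():
            for user in userlist.split(","):
                members.setdefault(user.strip(), set()).add(group)
    return members


if __name__ == "__main__":
    for who, cmd, reason in risky_sudo_rules(SAMPLE_SUDOERS):
        print(f"sudo  {who:10} {reason:13} {cmd}")
    for user, groups in root_equivalent_members(SAMPLE_GROUP).items():
        print(f"group {user:10} root-equivalent via {', '.join(sorted(groups))}")
```

The fix for the first finding is to grant sudoedit (or a specific file via a wrapper) rather than the editor itself; for the second, treat lxd and docker group membership exactly like a sudo entry and review it on the same schedule.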
This is a really nice machine with a beginner-intermediate difficulty. I really enjoyed it, especially finding other methods to root it.
Thanks to Donavan for this machine.
Thanks for reading. Feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”.