Vulnnet - The End Game

Subdomain Enum - Typo3 CMS - SQLi - Password Cracking - File Upload - firefox_decrypt - OpenSSL Root Exploit

Initial Access

  • Only two ports were open - HTTP and SSH

  • Enumerating and directory bruteforcing port 80 gives us nothing

  • Adding the IP to our /etc/hosts file as vulnnet.thm and digging for subdomains gave us:

  • blog.vulnnet.thm, api.vulnnet.thm, admin1.vulnnet.thm

  • Directory bruteforcing the admin1.vulnnet.thm subdomain gave us the /fileupload/ and /typo3/ endpoints - which confirms the backend runs the Typo3 CMS

  • Visiting that displayed a login page - tried all sorts of default credentials, nothing worked

  • Visited the blog.vulnnet.thm subdomain - it displayed many blog posts; clicked on one of their posts and watched the requests going to the backend via Burp Suite

  • Found one weird endpoint which was used to fetch the post from the internal server

  • Tried modifying the request from blog=1 to blog=10000000 or 2=2 - a successful SQL injection was spotted

  • Quickly ran SQLmap on the API endpoint and was able to dump the tables and columns

  • One weird table was vn_admin, which had username and password columns - chris_w and its hash were present

  • It was hard to crack that hash, didn't know what type it was either - enumeration is the key!

  • Checked the other table, blog - which had many columns, including username and password

  • Dumped only the password field, and tried bruteforcing chris_w's hash with these passwords as the wordlist using John the Ripper - found one valid password

  • Logged into the Typo3 CMS as chris_w and started exploring the dashboard

  • Found many functionalities within the CMS which should only be authorized for the administrator

  • With any CMS, the first attack vector to check is file upload; found this functionality called file_listing - which stores the uploaded file in /fileadmin/user_uploads - which we found during the directory bruteforce

  • Tried uploading a .php file, but the CMS restricts us from uploading PHP files

  • Exploring the CMS again reveals another admin functionality which lets us set the file upload filtering to none

  • Now when I try uploading a .php file, it is no longer restricted
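The blog=1 to blog=1 or 2=2 step above is the classic symptom of a parameter being pasted into a SQL statement. The following is an added example, not code from the write-up or from the VulnNet room: a small Python/SQLite model of the blog endpoint with the vulnerable string-built query beside the fixed one (validate the type, then bind), plus a detection helper that flags non-integer blog= values in access-log lines. The table layout, the /?blog= path and the log lines are constructed for the example.

```python
import re
import sqlite3
import urllib.parse

# Constructed rows standing in for the blog table behind the API; not the real data.
SAMPLE_ROWS = [
    (1, "Welcome post", "public"),
    (2, "Second post", "public"),
    (3, "Draft", "private"),
]

# Constructed access-log lines (common log format); the /?blog= path is hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /?blog=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /?blog=10000000 HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2021:10:00:02 +0000] "GET /?blog=1%20or%202=2 HTTP/1.1" 200 8192',
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog (id INTEGER, title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO blog VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_blog_vulnerable(conn, blog_param):
    """String-builds the WHERE clause, so the parameter is parsed as SQL.

    With '1 or 2=2' the condition becomes (public AND id=1) OR 2=2, which is
    true for every row, including the private draft the filter was meant to hide."""
    sql = "SELECT id, title FROM blog WHERE visibility = 'public' AND id = " + blog_param
    return conn.execute(sql).fetchall()


def fetch_blog_safe(conn, blog_param):
    """Type-check first, then bind: the value can only ever be data, never SQL."""
    if not blog_param.isdigit():
        return []
    sql = "SELECT id, title FROM blog WHERE visibility = 'public' AND id = ?"
    return conn.execute(sql, (int(blog_param),)).fetchall()


BLOG_PARAM = re.compile(r'[?&]blog=([^ &"]*)')


def flag_non_numeric_blog_ids(log_lines):
    """Detection side: return every decoded blog= value that is not a plain integer."""
    hits = []
    for line in log_lines:
        m = BLOG_PARAM.search(line)
        if m is None:
            continue
        decoded = urllib.parse.unquote(m.group(1))
        if not decoded.isdigit():
            hits.append(decoded)
    return hits


def demo():
    conn = make_db()
    return {
        "vuln_normal": fetch_blog_vulnerable(conn, "1"),
        "vuln_injected": fetch_blog_vulnerable(conn, "1 or 2=2"),
        "safe_normal": fetch_blog_safe(conn, "1"),
        "safe_injected": fetch_blog_safe(conn, "1 or 2=2"),
        "flagged": flag_non_numeric_blog_ids(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable query returns all three rows for the injected value, the bound query returns nothing because the value fails the integer check before it reaches the database, and the log helper surfaces only the request whose blog= value is not numeric (the oversized id in the second line is odd but syntactically valid, so it is left to rate or anomaly checks).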
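The upload steps above (PHP blocked by default, then admitted once an admin switches the filter off) show why the name filter should not be the only control and should not be switchable to nothing. As an added example, not code from the write-up or from TYPO3, this Python validator applies an allow list of extensions, checks every dotted part of the name so that double extensions fail, and compares the file's leading bytes with the claimed type. The policy sets, magic signatures and sample uploads are constructed; my assumption is that the CMS setting the write-up disabled is TYPO3's backend fileDenyPattern, which the page does not name.

```python
import os
import re

# Constructed policy for this example: an allow list of the types the site needs,
# plus a deny set so that loosening the allow list still cannot admit server-side code.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}
SAFE_NAME = re.compile(r"[a-z0-9_-]+(\.[a-z0-9]+)+")

# Leading-byte signatures for the allowed binary types (constructed table).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def normalise_name(filename):
    """Drop directory components (either separator) and lower-case the result."""
    return os.path.basename(filename.replace("\\", "/")).lower()


def validate_upload_name(filename, allowed=ALLOWED_EXTENSIONS, denied=SERVER_EXECUTABLE):
    """Return (accepted, reason) for a client-supplied file name."""
    name = normalise_name(filename)
    if name in ("", ".", ".."):
        return False, "empty or dot name"
    if not SAFE_NAME.fullmatch(name):
        return False, "unexpected characters or no extension"
    parts = name.split(".")
    # check every extension part, not just the last: 'shell.php.jpg' must fail
    if any(part in denied for part in parts[1:]):
        return False, "server-executable extension present"
    if parts[-1] not in allowed:
        return False, "extension not on allow list"
    return True, "ok"


def content_matches_extension(data, ext):
    """True when the leading bytes match the claimed type (or no signature is known)."""
    signatures = MAGIC.get(ext)
    if signatures is None:
        return True  # e.g. txt: rely on the name checks alone
    return any(data.startswith(sig) for sig in signatures)


def validate_upload(filename, data):
    """Combined check: name policy first, then content versus claimed extension."""
    ok, reason = validate_upload_name(filename)
    if not ok:
        return ok, reason
    ext = normalise_name(filename).rsplit(".", 1)[-1]
    if not content_matches_extension(data, ext):
        return False, "content does not match extension"
    return True, "ok"


# Constructed sample uploads exercising the edge cases.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "shell.php": b"<?php /* server-side code */ ?>",
    "shell.php.jpg": b"\xff\xd8\xff" + b"\x00" * 8,
    "notes.txt": b"plain text",
    "fake.png": b"<?php /* wrong content for a .png */ ?>",
    "../../etc/passwd": b"x",
}


def run_samples():
    return {name: validate_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name!r}: {result}")
```

Keeping the allow list and the deny set as separate checks means an administrator widening the allowed types cannot accidentally re-enable PHP; the content check catches a .png that is really a script, which a name-only filter never sees.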

Lateral Movement and Privilege Escalation

  • After getting a shell on the box as www-data, we stabilise the shell and start enumerating to become a user

  • Looking at the /etc/passwd file, we learn there's another user called system

  • We find a hidden directory called .mozilla; enumerating it, we can see that the user chris_w has many Mozilla Firefox profile instances

  • We transfer it to our local machine and dig further; looking at the profiles.ini file we find that the user had many Firefox instances. Setting one of those instances as the default path and decrypting the saved Firefox credentials with this tool gives us the password (https://github.com/unode/firefox_decrypt)

  • When we try to log in via SSH with these credentials, it gives us access as system

Root PrivEsc

  • Enumerating around the system user's directory - found something interesting called Utils

  • Ran LinPEAS to find anything interesting - a capability is set on the openssl binary, present in both the effective and permitted sets

  • We will use an OpenSSL engine to change our own user id to 0, which is root's user id, and thus get a root shell

#include <openssl/engine.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

/* OpenSSL calls this when the shared object is loaded as a dynamic engine.
   It only succeeds because the openssl binary carries a file capability in
   its effective and permitted sets; without that capability setuid(0) fails. */
static int bind(ENGINE *e, const char *id)
{
  setuid(0); setgid(0);
  system("/bin/bash");
  return 1;   /* non-zero tells OpenSSL the engine bound successfully */
}

IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()
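The root step above works because a file capability in the effective and permitted sets of a program that loads arbitrary code (an OpenSSL engine here) is as good as a setuid-root copy of that program, and it is available to every local account, not just the one that found it. As an added example, not part of the write-up or of LinPEAS, the following Python audit parses getcap output in both the older and newer libcap layouts, reports every binary whose permitted set holds an identity capability, and rates it higher when the program is one that runs user-supplied code. The sample output, the path list and the capability list are constructed; only the openssl line mirrors what the page describes.

```python
import re
import shutil
import subprocess

# Constructed sample of `getcap -r / 2>/dev/null` output. The openssl line mirrors the
# misconfiguration in the write-up; the other paths are made up for the example.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/openssl = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/opt/example/helper = cap_setgid,cap_setuid+p
"""

# Capabilities that let a process change identity or bypass DAC checks.
IDENTITY_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin",
    "cap_dac_override", "cap_dac_read_search", "cap_sys_ptrace",
}

# Programs that load user-supplied code or run commands by design; an identity
# capability on any of them is equivalent to a setuid-root copy of the program.
LOADS_USER_CODE = {"openssl", "python", "python2", "python3", "perl", "ruby", "php", "node", "vim"}

CLAUSE = re.compile(r"([a-z0-9_,]+)[+=]([eip]+)")


def parse_getcap_line(line):
    """Parse one getcap line in either layout: 'path = caps+flags' (older libcap)
    or 'path caps=flags' (newer libcap). Returns (path, {cap: set(flags)}) or None."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, caps_text = line.split(" = ", 1)
    else:
        path, _, caps_text = line.partition(" ")
    caps = {}
    for clause in caps_text.split():
        m = CLAUSE.fullmatch(clause)
        if m is None:
            continue
        for name in m.group(1).split(","):
            caps[name] = set(m.group(2))
    return path, caps


def audit_getcap(text):
    """Return (path, risky_caps, severity) for every binary whose permitted set holds
    an identity capability. 'e' means it is raised automatically on exec; 'p' alone is
    still usable by a program that raises it itself, so both are reported."""
    findings = []
    for line in text.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = sorted(c for c, flags in caps.items() if c in IDENTITY_CAPS and "p" in flags)
        if not risky:
            continue
        program = path.rsplit("/", 1)[-1]
        severity = "high" if program in LOADS_USER_CODE else "review"
        findings.append((path, risky, severity))
    return findings


def live_audit():
    """Run the audit on this host, or return None when getcap is not installed."""
    if shutil.which("getcap") is None:
        return None
    proc = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    return audit_getcap(proc.stdout)


if __name__ == "__main__":
    for path, caps, severity in audit_getcap(SAMPLE_GETCAP):
        print(f"{severity:6} {path}: {','.join(caps)}")
```

For a finding like the openssl line the fix is to clear the capability with `setcap -r /usr/bin/openssl` and, if some task really needed elevated rights, to give a dedicated wrapper only the narrowest capability it needs; ping's cap_net_raw is the normal, expected case and is not reported.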
