The scenario is very simple: perform a penetration test on a company’s website, get root access and read the flag! For this Lab, I have set my Network Settings to “Host Only” Adapter. The virtual machine’s IPv4 address is 192.168.56.104. So, let’s initiate a port scan with Nmap. I used the following command which will perform a TCP SYN scan at the default ports and at the same time, it will find out the services running on its port. From the output, we can see that the host is running three services, SSH, HTTP and IRC at ports 22, 80 and 6667. By requesting the Web Server’s page, we can see something like this. The company website is located under 192.168.56.105/jabc/ What I did first was to run Dirbuster against the webpage, but no special results appeared. A further investigation to the company’s website revealed a hidden text saying: “Dear customer, For security reasons, this section is hidden. For a detailed view and documentation of our products, please visit our documentation platform at /jabcd0cs/ on the server. Just login with guest/guest Thank you.” By acting as mentioned, I ended up on a page which looks like this. On the bottom left corner, we can see that the document manager used the OpenDocMan of version: 1.2.7. By searching for vulnerabilities that apply to this version, I found out this one: OpenDocMan 1.2.7 – Multiple Vulnerabilities. Of course, the most interesting is the first one, the SQL Injection. By using Sqlmap, I managed to retrieve the available databases. $ sqlmap -u “192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user” -p add_value –dbs And the result:
The “jadc0ds” is the Database we want. I used the following command to list the Tables available: $ sqlmap -u “192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user” -p add_value -D jabcd0cs –tables
The most interesting Table is the “odm_user“. With the following command, we will list its columns. $ sqlmap -u “192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user” -p add_value -D jabcd0cs -T odm_user –columns
Finally, we can run: $ sqlmap -u “192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user” -p add_value -D jabcd0cs -T odm_user -C username,password –dump Which will give this output: We already know that the password for the guest account. I used Hashkiller – MD5 Decrypter to find out the plaintext password of the Webmin user. The result: b78aae356709f8c31118ea613980954b MD5 : webmin1980 At this point, we can recall that previously we found an SSH Service running on the vulnerable server. Let’s see if the Webmin username and password credentials will work there. $ ssh webmin@192.168.56.104 By using webmin1980 as password, we can successfully get a shell on the host machine.
For our own help, let’s use Python to access a pseudo-terminal. I used the following command: $ python -c “import pty; pty.spawn(‘/bin/bash’)” You can learn more about the pty library here. Now that we have successfully accessed the machine let’s see how we can perform privilege escalation to access the root account. The current user has no special rights.
I have covered the privilege escalation phase for this machine again at the “Privilege Escalation With Live Examples” article, but I will also go through it now. What I did first was to see the system information such as the kernel version. I did this with: $ uname -a Moreover, I also checked the distribution information with: $ lsb_release -a
One of the most popular Linux exploits for Privilege Escalation is the ‘overlayfs’ Privilege Escalation. We choose the one which matches our Linux Kernel version, and we attempt to run it against the vulnerable machine. To do this, I used GCC. As we are not allowed to write files to the current directory, I moved to the /tmp directory to paste into a file the exploit. $ cd /tmp What I did next was to create a new file called “exploit.c” and with VIM, I pasted the code of the overlayfs exploit. Then, I used GCC to compile the code. $ touch exploit.c $ vim exploit.c $ gcc exploit.c -o exploit $ ./exploit After the exploit execution, I was able to see something like this. Finally, the Flag was located under /root/flag.txt !
Wow, we have successfully found the flag! Thank you for your time, I hope you enjoyed reading this article and solving the Laboratory as much as I did!