OSCP Preparation [ Development ]

j1gs@w
8 min read · Mar 22, 2023


This is the second machine that I have pwned for my OSCP preparation. Without further ado, let’s get into it!

The attacker’s IP address

First of all, our attacker machine has the IP address of 192.168.181.132.

The victim’s IP address

A host discovery scan is performed with nmap using the -sn switch against our subnet, with the results written to a file using the -oN switch. The results show that our target has the IP address 192.168.181.148.

Port scanning with nmap

Next, a version scan with the -sV switch, combined with the default nmap scripts loaded by the -sC switch, shows that the target runs an SMB service, a web server on port 8080, and SSH.

Page displayed for the web service

Going to the website hosted on the target reveals a development page. The page mentions that some of their projects are in /html_pages.

Source code of the initial page

Viewing the source code reveals that there is a secret development page.

Pages available on the web service

Going to the /html_pages directory reveals several HTML pages.

about.html

/about.html reveals nothing of use.

config.html

/config.html reveals nothing of use either.

default.html

Within /default.html a sequence of 1’s and 0’s is displayed.

Converting binary to ASCII characters

Converting the 1’s and 0’s shows the string, “HUH?”.

development.html

/development.html shows a paragraph about unknown backdoors that the IT administrators inserted into web applications without the project team knowing. This may be a clue.

Source code for development.html

Viewing the source code of /development.html reveals the secret development page, /developmentsecretpage.

downloads.html

/downloads.html shows us the following images.

martell.jpg
tryharder.jpg

None of the images is of use.

Source code for downloads.html

However, the source code reveals a hidden test.pcap file, which may contain network-related information.

login.html

/login.html has nothing of use.

register.html

/register.html reveals a sequence of 1’s and 0’s.

Converting binary to ASCII characters

Converting the sequence of 1’s and 0’s from binary to ASCII values reveals the string “Surely development secret page is not that hard to find?”.
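Decoding the sequences found on default.html and register.html can be scripted rather than done by hand. The following is an added example, not code from the original post; the bit string inside it is constructed as the 8-bit ASCII encoding of the "HUH?" string the post reports, and the decoder also accepts an unbroken run of bits.

```python
"""Decode the 1-and-0 strings found on default.html and register.html.

Added example, not code from the original post. DEFAULT_HTML_BITS is
constructed here as the 8-bit ASCII encoding of "HUH?".
"""
import re


def decode_binary_string(text: str) -> str:
    """Turn a run of 1s and 0s into text, 8 bits per character.

    Accepts bits separated by spaces or newlines as well as one
    unbroken run; any other characters are ignored.
    """
    bits = re.sub(r"[^01]", "", text)
    if not bits:
        raise ValueError("no binary digits found")
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a multiple of 8")
    chunks = (bits[i:i + 8] for i in range(0, len(bits), 8))
    return "".join(chr(int(chunk, 2)) for chunk in chunks)


def encode_binary_string(text: str) -> str:
    """Inverse of decode_binary_string: space-separated 8-bit groups."""
    if not text.isascii():
        raise ValueError("only ASCII text fits in 8-bit groups")
    return " ".join(format(ord(ch), "08b") for ch in text)


# Constructed sample: "HUH?" as it would appear on default.html.
DEFAULT_HTML_BITS = "01001000 01010101 01001000 00111111"

if __name__ == "__main__":
    print(decode_binary_string(DEFAULT_HTML_BITS))  # HUH?
```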

tryharder.html

/tryharder.html reveals nothing of use.

uploads.html

/uploads.html displays a paragraph regarding upload vulnerabilities.

Index of /developmentsecretpage

Finally, going into /developmentsecretpage reveals another page, patrick.php.

patrick.php

Within patrick.php, the page gives us the web server’s sitemap.

sitemap.php

In sitemap.php, a few links are present.

Source code for sitemap.php

The source code of patrick.php shows us a comment that the hyperlinks of the sitemap should be fixed. The page also names two potential users that may be relevant to the challenge, patrick and intern.

securitynotice.php

securitynotice.php reveals that the target’s users are using weak passwords. This could be a clue that brute-forcing the password is possible.

test.pcap

At this point, I thought there was nowhere else to explore on the website. So, I moved on to the pcap file.

TCP stream for /developmentsecretpage/directortestpagev1.php

Within the pcap file, following the TCP streams reveals a page at /developmentsecretpage/directortestpagev1.php.

TCP stream for /qinyi/motivation.html

Following another stream reveals another page located in /qinyi/motivation.html. This page reveals nothing.

TCP stream for an SMB transmission

The last significant stream reveals an SMB transmission, which confirms the result of the earlier nmap scan.

directortestpagev1.php

/developmentsecretpage/directortestpagev1.php is a page that is supposed to be presented to the director.

Source code for directortestpagev1.php

Viewing the source code reveals that test.html is approved.

Login page revealed

At this point I was stuck. However, a writeup revealed a link that I had not explored, /developmentsecretpage/sitemap.php?logout=1. Visiting it presented a login page.

PHP error message

Entering default credentials, admin for both the username and the password, produces a PHP error mentioning ereg_replace in slogin_lib.inc.php.

Information about CVE-2008-5763 (CVE Details, 2008)

Searching up slogin_lib.inc.php reveals a CVE for it, CVE-2008-5763.

The exploit shown below came out of CVE-2008-5763; it lets an attacker read the usernames and passwords.
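From the defender's side, a request matching this CVE has a recognisable shape in the web server's access log: a direct request to slogin_lib.inc.php, a file that is only meant to be included, or a query parameter carrying a remote URL. The script below is an added example, not the exploit the post cites or any code from the original post; the log lines are constructed, and the parameter name slogin_path is an assumption about the vulnerable script, not something shown on the page.

```python
"""Flag access-log requests that match the CVE-2008-5763 pattern.

Added example, not code from the original post. Log lines are
constructed (RFC 5737 addresses); "slogin_path" is an assumed
parameter name, not one shown in the post.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:")

SAMPLE_LOG = """\
192.0.2.10 - - [22/Mar/2023:10:00:01 +0000] "GET /developmentsecretpage/sitemap.php?logout=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Mar/2023:10:00:05 +0000] "GET /developmentsecretpage/slogin_lib.inc.php?slogin_path=http%3A%2F%2F198.51.100.7%2Fx.txt HTTP/1.1" 200 88 "-" "curl/7.88"
192.0.2.10 - - [22/Mar/2023:10:00:09 +0000] "POST /developmentsecretpage/sitemap.php HTTP/1.1" 200 734 "-" "Mozilla/5.0"
"""


def suspicious_reasons(target: str) -> list[str]:
    """Reasons a request target (path plus query) looks like an attack."""
    url = urlsplit(target)
    reasons = []
    # The library file should only ever be included server-side.
    if url.path.rsplit("/", 1)[-1] == "slogin_lib.inc.php":
        reasons.append("direct request to include file slogin_lib.inc.php")
    # Any parameter whose value is a remote URL is the RFI shape.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if unquote(value).lower().startswith(REMOTE_SCHEMES):
            reasons.append(f"remote URL in parameter {key!r}")
    return reasons


def scan_log(log_text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line number, client IP, reasons) for each suspicious line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = suspicious_reasons(m["target"])
        if reasons:
            hits.append((n, m["ip"], reasons))
    return hits


if __name__ == "__main__":
    for n, ip, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n} from {ip}: {'; '.join(reasons)}")
```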

Exploit to view usernames and passwords (Osirys, 2008)
Usernames and passwords revealed

As shown above, the passwords of the users appear to be hash values. Cracking those hashes with CrackStation and Hashes reveals the following passwords.

Cracked password for user intern

12345678900987654321 is the password for the user intern.

Cracked password for user qiu

qiu is the password for the user qiu.

Cracked password for user patrick

P@ssw0rd25 is the password for the user patrick.

Using enum4linux

Now that the web application has been fully explored, the SMB service can be enumerated with enum4linux.

Users allowed for SMB

Doing so reveals that the only user allowed to log in is intern. However, logging in over SMB with the password gathered from the web application for the user intern reveals nothing of use.

ssh into intern’s account

However, using the same credentials, logging in to intern’s account over SSH was successful.

Commands allowed for intern

However, only a limited set of commands was allowed.

Induced error

By inducing an error, it can be determined that the restricted shell limiting the user’s actions is implemented in Python.

Spawning shells (sushant747, n.d.)

Knowing that the user can execute the echo command and that the restriction is a Python shell, a shell can be spawned using the command shown above.

Gain an interactive shell with no limitations

Doing so spawns a new bash shell without any limitations. Using the ls command, the user flag is now visible.

User flag

Using the cat command reveals the contents of the user flag.

Changing users

Knowing that there is another user called patrick, the su command can be used to switch to the user patrick, with the password obtained through the web application.

Viewing sudo privileges

Using sudo -l displays the programs the user can execute with sudo privileges. Looking at the listing, vim and nano can be executed with sudo.
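The same listing can be audited automatically when reviewing a host's sudo rules, flagging any rule that grants an editor, pager or shell, since those programs can run arbitrary commands as the target user. The script below is an added example, not from the original post; the sudo -l output it parses is a constructed sample in sudo's usual format, not the output shown in the post.

```python
"""Audit `sudo -l` output for rules that hand out an editor or shell.

Added example, not from the original post. SAMPLE_SUDO_L is a
constructed sample of sudo's usual output format.
"""
import re

# One rule line: "(runas) TAG: TAG: /path/cmd args, /path/other".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)
# Programs that can spawn a shell or edit arbitrary files once run via sudo.
RISKY_BASENAMES = {
    "vim", "vi", "nvim", "nano", "less", "more", "man",
    "bash", "sh", "zsh", "dash", "python", "python3", "perl",
}

SAMPLE_SUDO_L = """\
Matching Defaults entries for patrick on development:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User patrick may run the following commands on development:
    (ALL : ALL) NOPASSWD: /usr/bin/vim, /usr/bin/nano
    (root) /usr/bin/systemctl status apache2
"""


def parse_sudo_l(output: str) -> list[tuple[str, str, str]]:
    """Return (run-as spec, tags, command) for each rule after the User: line."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and line.rstrip().endswith(":"):
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        for cmd in m["cmds"].split(", "):
            rules.append((m["runas"], m["tags"].strip(), cmd.strip()))
    return rules


def risky_rules(output: str) -> list[tuple[str, str, str]]:
    """Rules whose command is ALL or whose binary is in RISKY_BASENAMES."""
    flagged = []
    for runas, tags, cmd in parse_sudo_l(output):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL" or binary in RISKY_BASENAMES:
            flagged.append((runas, tags, cmd))
    return flagged
```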

GTFOBins command to gain a root shell

Using GTFOBins, the command to spawn a root shell is shown above.

Gained root shell

Using that command gives the user root privileges.

root flag

Finally, the root flag located in /root/proof.txt is read with cat.

In conclusion, this challenge is fairly easy. However, I was in such a hurry to find every piece of information that I missed some links, which required me to look up a writeup of the challenge to refer to. Even though I cheated on this challenge, I learned to review every link that is present, as it may reveal some hidden information.

References

CVE Details. (2008, December 30). CVE-2008-5763. Retrieved March 22, 2023, from https://www.cvedetails.com/cve/CVE-2008-5763/

Osirys. (2008, December 14). Simple text-file login script (sitefilo) 1.0.6 — file disclosure / Remote File Inclusion. Exploit Database. Retrieved March 22, 2023, from https://www.exploit-db.com/exploits/7444

sushant747. (n.d.). Spawning shells. Total OSCP Guide. Retrieved March 22, 2023, from https://sushant747.gitbooks.io/total-oscp-guide/content/spawning_shells.html
