This is the second machine that I have pwned for my OSCP preparation. Without further ado, let’s get into it!
First of all, our attacker machine has the IP address 192.168.181.132.
Performing a host scan with nmap, using the -sn switch against our subnet and writing the results to a file with the -oN switch, shows that our target has the IP address 192.168.181.148.
Then, performing a version scan with the -sV switch, with the default nmap scripts loaded via the -sC switch, shows that the target machine is running an SMB service, a web server hosted on port 8080, and ssh.
Going to the website hosted on the target reveals a development page. The page mentions that some of their projects are in /html_pages.
Viewing the source code reveals that there is a secret development page.
Going to the /html_pages directory reveals several HTML pages.
/about.html reveals nothing of use.
/config.html reveals nothing of use either.
Within /default.html, a sequence of 1s and 0s is displayed. Converting the 1s and 0s from binary to ASCII shows the string "HUH?".
/development.html shows a paragraph regarding unknown backdoors within web applications, inserted by the IT administrators without the project team knowing. This may be a clue.
Viewing the source code of /development.html reveals the secret development page, /developmentsecretpage.
/downloads.html shows us the following images. None of the images is of use. However, the source code reveals a hidden test.pcap file, which may contain network-related information.
/login.html has nothing of use.
/register.html reveals another sequence of 1s and 0s. Converting the sequence from binary to ASCII reveals the string "Surely development secret page is not that hard to find?".
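Decoding the bit sequences on /default.html and /register.html can be scripted rather than done by hand. The following Python is an added example, not code from the original writeup; the bit strings it embeds are constructed by re-encoding the two decoded messages, since the raw sequences are not reproduced here, and it goes beyond the page's two cases by detecting the framing (whitespace-separated groups, or a continuous stream cut into 8-bit or 7-bit characters).

```python
import re
from typing import List, Optional


def encode_bits(text: str, width: int = 8) -> str:
    """Encode text as whitespace-separated binary groups (used to build samples)."""
    return " ".join(format(ord(ch), f"0{width}b") for ch in text)


def _framings(sequence: str) -> List[List[str]]:
    """Candidate ways of cutting the input into per-character bit groups."""
    groups = sequence.split()
    if len(groups) > 1:                      # already separated, e.g. "01001000 01010101"
        return [groups]
    bits = groups[0] if groups else ""
    # Continuous stream: try 8-bit framing first, then 7-bit ASCII.
    return [[bits[i:i + w] for i in range(0, len(bits), w)]
            for w in (8, 7) if bits and len(bits) % w == 0]


def decode_bits(sequence: str) -> Optional[str]:
    """Return the ASCII text behind a run of 1s and 0s, or None if no framing
    of the input yields only printable characters."""
    for chunks in _framings(sequence):
        if not all(re.fullmatch(r"[01]+", c) for c in chunks):
            return None                      # not a binary string at all
        text = "".join(chr(int(c, 2)) for c in chunks)
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


# Constructed samples: the two messages the pages decoded to, re-encoded here.
DEFAULT_HTML_BITS = encode_bits("HUH?")
REGISTER_HTML_BITS = encode_bits("Surely development secret page is not that hard to find?")

if __name__ == "__main__":
    print(decode_bits(DEFAULT_HTML_BITS))
    print(decode_bits(REGISTER_HTML_BITS))
    print(decode_bits(DEFAULT_HTML_BITS.replace(" ", "")))   # continuous stream
```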
/tryharder.html reveals nothing of use.
/uploads.html displays a paragraph regarding upload vulnerabilities.
Finally, going into /developmentsecretpage reveals another page, patrick.php. Within patrick.php, the page gives us the web server's sitemap.
In sitemap.php, a few links are present. The source code of patrick.php shows us a comment that the hyperlinks of the sitemap should be fixed. The page also shows the potential users that may be related to the challenge, patrick and intern.
securitynotice.php reveals that the target's users are using weak passwords. This could be a clue that brute-forcing the password is possible.
At this point, I thought there was nowhere else to explore on the website, so I moved on to the pcap file.
Within the pcap file, following the TCP streams, one stream reveals a page at /developmentsecretpage/directortestpagev1.php.
Following another stream reveals another page located at /qinyi/motivation.html. This page reveals nothing.
The last significant stream shows an SMB transmission, which confirms the SMB service found in the nmap scan done earlier.
/developmentsecretpage/directortestpagev1.php is a page that is supposed to be presented to the director. Viewing the source code reveals that test.html is approved.
At this point I was stuck. However, viewing a writeup revealed that there was a link that I didn't explore: /developmentsecretpage/sitemap.php?logout=1. With that, a login page was presented.
Entering default credentials such as admin for both the username and the password shows a PHP error, ereg_replace, on the page slogin_lib.inc.php.
Searching for slogin_lib.inc.php reveals a CVE for it, CVE-2008-5763.
The exploit published for CVE-2008-5763 allows an attacker to access the usernames and passwords.
As shown above, the passwords of the users appear to be hash values. Cracking those hashes with CrackStation and Hashes reveals the following passwords.
12345678900987654321 is the password for the user intern.
qiu is the password for the user qiu.
P@ssw0rd25 is the password for the user patrick.
Now that the web application has been fully explored, the SMB service can be enumerated with enum4linux.
Doing so reveals that the only user allowed to log in is intern. However, logging in with the password gathered from the web application for the user intern reveals nothing of use.
However, using the intern's credentials, ssh login to the user's account was successful. The number of commands allowed was limited. By inducing an error, it can be determined that the user's actions were being restricted by a Python-based shell.
Knowing that the user can execute the echo command, and that the restricted shell is a Python shell, a shell can be spawned using the command shown above. Doing so spawns a new bash shell without any limitations. Using the ls command, the user flag is now visible.
Using the cat command reveals the contents of the user flag.
Knowing that there is another user called patrick, the su command can be used to switch to the user patrick, with the password obtained through the web application.
Using sudo -l displays the programs the user can execute with sudo privileges. Looking at the listing, vim and nano can be executed with sudo.
Using GTFOBins, the command to spawn a root shell from one of these editors is shown above. Running that command gives the user root privileges.
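The sudo -l finding above is exactly what a host audit should catch before anyone else does. The following Python is an added example, not part of the original writeup: it parses a sudoers-style listing (constructed here to mirror patrick's grant) and flags entries that hand out editors or other shell-capable programs, pointing at sudoedit as the narrower alternative. The program list and the sample sudoers are my assumptions, and Cmnd_Alias expansion is not handled.

```python
import os
import re

# Programs that give the caller a shell or arbitrary file write once run as root;
# vim and nano are the two this box granted to patrick. Assumed list, not exhaustive.
SHELL_CAPABLE = {"vim", "vi", "view", "nano", "less", "more", "awk", "perl", "python"}

# user  host=(runas) [TAG:] cmd, cmd ...   (Cmnd_Alias expansion is not handled)
USER_SPEC = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+\s*:\s*)+)")
DIRECTIVES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def audit_sudoers(text: str) -> list:
    """Return one finding per grant that lets a non-root user escalate to root."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line or line.startswith(DIRECTIVES):
            continue
        m = USER_SPEC.match(line)
        if not m or m.group(1) == "root":
            continue
        user, _host, _runas, cmdlist = m.groups()
        nopasswd = False
        for entry in cmdlist.split(","):
            entry = entry.strip()
            t = TAGS.match(entry)
            if t:                                      # a tag applies to the rest of the line
                nopasswd = nopasswd or "NOPASSWD" in t.group(1)
                entry = entry[t.end():]
            if not entry or entry.startswith("!"):     # negated commands are exclusions
                continue
            prog = os.path.basename(entry.split()[0])
            if entry == "ALL" or prog in SHELL_CAPABLE:
                findings.append({"user": user, "command": entry, "nopasswd": nopasswd,
                                 "fix": "use sudoedit on the specific file" if prog in SHELL_CAPABLE
                                        else "grant only the individual commands needed"})
    return findings


# Constructed sample sudoers, modelled on the sudo -l listing this box gave patrick.
SAMPLE = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
patrick ALL=(ALL) NOPASSWD: /usr/bin/vim, /usr/bin/nano   # the two escapes used above
intern  ALL=(root) /usr/bin/systemctl restart apache2
%backup ALL=(root) NOPASSWD: sudoedit /etc/backup.conf
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE):
        print(f"{f['user']}: {f['command']} (NOPASSWD={f['nopasswd']}) -> {f['fix']}")
```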
Finally, the root flag located in /root/proof.txt is read out with cat.
In conclusion, this challenge is fairly easy. However, I was in such a hurry to find every piece of information that I missed some links, which required me to look up a writeup of the challenge to refer to. Even though I cheated on this challenge, I learned to review every link that is present, as it may reveal some hidden information.
References
CVE Details. (2008, December 30). CVE-2008-5763. Retrieved March 22, 2023, from https://www.cvedetails.com/cve/CVE-2008-5763/
Osirys. (2008, December 14). Simple Text-File Login Script (SiTeFiLo) 1.0.6 - File Disclosure / Remote File Inclusion. Exploit Database. Retrieved March 22, 2023, from https://www.exploit-db.com/exploits/7444
sushant747. (n.d.). Spawning shells. Total OSCP Guide. Retrieved March 22, 2023, from https://sushant747.gitbooks.io/total-oscp-guide/content/spawning_shells.html