Hi all, this was a really interesting and “hard” box. Took me around 10 hours to pwn it. Let’s pwn it!
You can find the machine here: Presidential
Enumeration/Reconnaissance
As always, let’s start with nmap.
When we visit the website we can see this in the top left corner: contact@votenow.local
That’s probably the domain, since the part after the @ in an email address is the domain name.
Let’s add it to /etc/hosts:
192.168.1.14 votenow.local
Let’s run gobuster on it now.
Nothing interesting. /config.php is empty. Here I was stuck for a lot of hours, then I tried to brute-force extensions, but gobuster doesn’t support extension files. Only wfuzz can help here:
Perfect, /config.php.bak has some database creds in it:
But how can we use them? Since we have the domain votenow.local, we can search for subdomains.
Let’s add it to /etc/hosts:
192.168.1.14 datasafe.votenow.local
shell as apache -> admin | exploiting vulnerable phpmyadmin version
Now we can see phpmyadmin running there:
We can use the creds votebox:casoj3FFASPsbyoRP here and we’re in! Under the users table we can see a username and a hashed password, let’s crack it with john (takes some time):
Now if we try to log in with SSH, we can’t:
We need to find another way to get access. Let’s check the phpMyAdmin version:
Let’s search for possible exploits:
Here we go, let’s check it:
Perfect, we can spawn a shell! We will make the target download our bash file, chmod it and then run it. Let’s create it:
Let’s send this SQL query:
Now we need to find our Session ID:
Now, to execute our payload, we need to visit this URL:
http://datasafe.votenow.local/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/session/sess_$yoursessionid
We have a shell:
Now we can switch to admin:
admin -> root
Now privesc to root is simple: we have to exploit file capabilities.
Linux capabilities are similar to SUID; they let a binary be granted specific root privileges (or limit a user’s permissions) and much more. Let’s start by scanning the file system for files with capabilities.
tarS seems perfect: it has the cap_dac_read_search capability. With it we can bypass file read permission checks, so we can read whatever file we want. ;) Let’s read root’s SSH private key.
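The same capability hunt can be turned into a defensive audit. Below is an added example (not from the original writeup) that parses the output of `getcap -r /` and flags binaries carrying file-read or identity-changing capabilities such as cap_dac_read_search; the sample output and the list of risky capabilities are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Capabilities that bypass DAC checks or change identity; a binary holding one of
# these as effective+permitted is a privesc candidate (constructed, not exhaustive).
RISKY_CAPS = {
    "cap_dac_read_search": "bypasses read/search permission checks on any file",
    "cap_dac_override": "bypasses read/write/execute permission checks",
    "cap_setuid": "can switch its UID to root",
    "cap_setgid": "can switch its GID to root",
    "cap_sys_admin": "broad administrative capability",
    "cap_sys_ptrace": "can attach to and control other processes",
}

# getcap prints one of two layouts depending on the libcap version:
#   /usr/bin/tarS = cap_dac_read_search+ep   (older)
#   /usr/bin/tarS cap_dac_read_search=ep     (newer)
OLD_FMT = re.compile(r"^(?P<path>\S+) = (?P<caps>.+)$")
NEW_FMT = re.compile(r"^(?P<path>\S+) (?P<caps>\S+)$")
CLAUSE = re.compile(r"^([\w,]+)([+=-])([eip]*)$")


def parse_getcap_line(line: str) -> Optional[Tuple[str, Dict[str, Set[str]]]]:
    """Return (path, {cap_name: set of flags}) for one getcap line, or None."""
    m = OLD_FMT.match(line.strip()) or NEW_FMT.match(line.strip())
    if m is None:
        return None
    caps: Dict[str, Set[str]] = {}
    for clause in m.group("caps").split():  # e.g. "cap_chown,cap_setuid+ep"
        c = CLAUSE.match(clause)
        if c is None or c.group(2) == "-":  # "-" removes flags; ignore here
            continue
        for name in c.group(1).split(","):
            caps.setdefault(name, set()).update(c.group(3))
    return m.group("path"), caps


def audit_getcap(output: str) -> List[Tuple[str, str, str]]:
    """Flag (path, capability, reason) for risky caps that are both effective and permitted."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        for name, flags in caps.items():
            if name in RISKY_CAPS and {"e", "p"} <= flags:
                findings.append((path, name, RISKY_CAPS[name]))
    return findings


# Constructed sample output mixing both getcap layouts.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tarS = cap_dac_read_search+ep
/usr/sbin/arping cap_net_raw=ep
"""

if __name__ == "__main__":
    for path, cap, why in audit_getcap(SAMPLE_GETCAP):
        print(f"{path}: {cap} ({why})")
```

On a live host, feed it `getcap -r / 2>/dev/null` and strip the capability from any flagged binary that does not need it (`setcap -r <file>`).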
Let’s read the flags:
That was an amazing box! :)