
ch4inrulz: 1.0.1 is an intermediate level CTF machine available at Vulnhub. The box was developed by ASKAR and released on 31 Jul 2018. It is considered useful because it emulates some of the most common attacks that happen in almost every system.
Since this box has DHCP enabled, it will grab an IP address automatically, and a simple arp-scan lets us identify the target IP address.
This is the result from arp-scan -l

With this simple scan, we now have our target IP address: 192.168.138.102
Now we can enumerate the services running on this box using Nmap as follows:

We now have a list of all services running on this server. With port 80 open, we have a clue that a web application could be running on this box.
Let’s try and load the website:

Since nothing interesting appears on this page, I decided to enumerate the directories on this host. I used Dirb and managed to get some directories; what caught my attention were the development and api directories:


I loaded the API page and discovered that the API expects a file parameter. I made an API call with the parameter set to /etc/passwd, as shown below:

Note: this was a GET request.
What if we try a POST request instead:

This worked, which indicated that the file inclusion vulnerability can be exploited on this box, and the output revealed that one of the usernames is frank.
I decided to dig deeper into the directories to try to find some credentials for the developer login page, and found index.html.bak:
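From the defender's side, the file-parameter probe shown above is easy to spot in web server logs. The following check is an added example (not part of the original writeup): it URL-decodes each query parameter repeatedly and flags traversal sequences or well-known sensitive paths such as /etc/passwd. The log lines and the /api/ and /development/ request paths are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines (example data, not from the box).
SAMPLE_LOG = """\
192.168.138.1 - - [31/Jul/2018:10:00:01 +0000] "GET /api/ HTTP/1.1" 200 512
192.168.138.1 - - [31/Jul/2018:10:00:05 +0000] "GET /api/?file=/etc/passwd HTTP/1.1" 200 1803
192.168.138.1 - - [31/Jul/2018:10:00:09 +0000] "GET /development/?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1803
192.168.138.1 - - [31/Jul/2018:10:00:12 +0000] "GET /index.html?file=about.php HTTP/1.1" 200 2048
"""

# Paths that a legitimate "file" parameter should never point at.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/var/log/")

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize(value):
    """Undo repeated URL encoding and drop NUL bytes so obfuscated traversal is visible."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.replace("\x00", "")


def is_lfi_probe(value):
    """True when a parameter value looks like a path traversal or a sensitive file read."""
    v = normalize(value)
    if "../" in v or "..\\" in v:
        return True
    return any(path in v for path in SENSITIVE_PATHS)


def scan_log(text):
    """Return (method, target, parameter) for each request carrying an LFI-style value."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if any(is_lfi_probe(v) for v in values):
                hits.append((match.group("method"), match.group("target"), name))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("LFI probe:", hit)
```

Because the request that actually worked here was a POST, a plain access log would not show the parameter at all; catching that case needs request-body logging, for example a ModSecurity audit log, fed through the same is_lfi_probe check.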

I used the following hint and logged in as frank.
I logged into the development area and found this link to upload files:

Now we can take advantage of this upload section by uploading a reverse shell.
However, there is a challenge: the upload form has a restriction, and we can only upload images:
Even so, we can backdoor an image and upload the shell that way.
Now let's use msfvenom to generate the payload and add it to the image with exiftool or any other tool of your choice:

I uploaded the image, but another big problem arose.
I had no clue where the uploaded file was stored:
Since frank had indicated earlier that he loves patterns, I made several guesses and managed to find this path, which gave me the location of the uploaded files:

Now that we have the path, we can use the file inclusion vulnerability found earlier to trigger a reverse shell as follows:

This is the connection I got back:

I now had a limited shell, which allowed me to read one flag in frank's home directory:
4795aa2a9be22fac10e1c25794e75c1b
Now it is time to dig deeper and get a root shell.
I decided to enumerate the system further to check the kernel and OS versions as follows:

Here I noted the system was vulnerable to:
Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation
I took advantage of this and I rooted the system as follows:

Final thoughts:
This was one of my favourite boxes. We have learnt how file upload restrictions can be bypassed through backdoored images, and how to enumerate directories in detail.