PwnLab VulnHub Walkthrough - Boot-To-Root

Captions
Hey guys, HackerSploit here, back again with another video. Welcome back to the OSCP prep series. In this particular video we're going to be taking a look at PwnLab from VulnHub. Now, this is a boot-to-root box, so it's structured in a CTF style, and it's quite easy, although in my opinion it covers quite a few things in regards to getting your initial exploitation on a system, and in so far as privilege escalation is concerned there are a few interesting things that I think this box highlights. So the objective is to get the root flag, and to do that you need to elevate your privileges to root. So there's quite a bit of stuff that I need to cover here. Now I just want to make something clear: the structure that I go for in my CTF videos is to actually try and demonstrate how a vulnerability is exploited, or why we're doing what we're doing, and to sort of give you a bit of an idea as to what my methodology is when I approach a box.

All right, so the first thing is of course to identify the target virtual machine IP address, which I've done; it's running on my local network, and I've opened up the web server and it looks like some sort of a content management system. If we take a look at the Nmap results (and you can actually take a look at the Nmap scan configuration here, it's fairly simple and gives me what I'm looking for), firstly we have a web server running on port 80, which I hope you can see, I'll just zoom in slightly, there we are, and that is running Apache httpd 2.4.10. The interesting thing to point out here is that we're running Debian, so that gives us an idea as to what operating system we're dealing with. We also get the HTTP server header and the title; the title tells us that this is an image hosting website, or a content management system for images. We also have RPC, although RPC will not really give you anything; you can try and enumerate RPC information using enum4linux, I'll probably also be covering that in some later video. We also have a MySQL server, which is interesting: we have a content management system and we have a MySQL server, so I hope you're making the connections that I am. For the mysql-info script we can see it gives us information regarding the version of MySQL installed and the capabilities, the various configurations, and what is interesting to me is the salt, but not really, but the mysql_native_password plugin, which is used for authentication, which again might give us an idea as to what hashing algorithm has been used to encrypt the passwords in the event we can get access. So that's pretty much it for the ports that are open, but as I said, it looks like we're going to be dealing with the web application; it's pretty obvious that that is the case. We don't have SSH access, so that's something that we can get rid of right off the bat.

Okay, so when we explore the web application, I typically like to open up the robots.txt page, and it tells us that that doesn't work. I then try and perform some directory indexing, or I try and detect whether the server does have indexing enabled, so I can just run a test here, or maybe /upload, which in this case might give us something, and indeed it does. So there is some form of indexing for the upload directory, and so we know that this is probably where the images are stored. But in order to learn more about this, in the background I'm just going to run a quick Nikto scan, so I'll just open this up and I'll zoom in and we'll run Nikto, and I'll just put in the server IP, which I think I should know by heart, there we are, and we'll hit enter, and let's explore the web application.

All right, so it looks fairly simple. We can view the source; the source is fairly simple, doesn't give us anything else, it simply just gives us the header, which has the home page, the login page and the upload page. So nothing interesting there. If we take a look at login you can see it's a straightforward login form; we can try and enumerate some information from this using standard SQL queries, and that tells us "login failed". We also have the upload page, which tells us that you must be logged in to actually access the upload feature, so it's not that straightforward. So it's clear that our objective is to try and find a way of logging in here.

Now if we explore the actual URL bar here, you can see that because this is designed in PHP we have the ability to specify a resource, and it's doing this through the page option, so we can specify a resource on the web server. So for example I can say "test", and what this will do is it opens up two types of attacks. Number one, it opens up command injection attacks, which allow us to, if I concatenate that, well, not really concatenate, if I just say I want to specify a new command, and we know we're running Linux and I type something like id, well, that doesn't give us anything, which is interesting. The other type of attack that this opens up is local file inclusion, and local file inclusion will typically be the process of trying to explore contents of the web server or of the system itself, and we might have that available. So for example if I just try and access a directory there, we can see some form of interesting output here, and the output of course is nothing, which means there might be some sort of a filtering functionality in place, which is interesting, and of course we know that we're running PHP, so that's very interesting. Let's try and explore the web application with Burp just so that we get an understanding of what's happening in the background.

All right, so I'll fire up Burp Suite and I will give that a few tests here. So I'll just start that up, yes I want to leave the wizard, and I'll start Burp Suite there, and we'll just make sure that the intercept option is actually enabled, sorry, that Proxy > Intercept is on, and we'll just refresh the page and just take a look at what a request looks like. So we can see that a request is fairly simple in so far as the parameters are involved; we have the PHPSESSID, which I think if we send to Decoder, let's see if we can actually decode this, it probably won't give us much. Yeah, it doesn't give us anything, it's not even in base64, I don't know why I did that, but anyway. So you can see we don't have anything else. Let's try and explore some of the other pages, so I'll just forward that and we'll try and explore the login page. So the login page, again, for some reason it's still giving us the actual directory specification there, which I'll get rid of, so nothing special there. We'll just forward that again and I'll just try and refresh that. Yeah, we don't get anything. In so far as the Accept parameter is concerned we can see that it accepts html, xhtml, xml, and so on and so forth. All right, that's all for that as well, and let's try upload. It's always good to try and explore the upload page. It doesn't give us a list of extensions allowed, which is fine; we probably could view the source here. If we try and click on upload, I'll just disable the intercept option here and click on upload, we view the source, and no, we don't get anything.

So let's try and explore local file inclusion. Now local file inclusion, as I said, will really depend on the target operating system and filters. Now in this case we know we're running a LAMP stack, so Linux, Apache, MySQL, PHP. So in the case of PHP, what would typically happen, or a technique that is typically used, is the ability to actually use a PHP filter, and a PHP filter will essentially filter the contents of a particular PHP page or script, and the way we can check for this is if we actually just use the php://filter option here instead of specifying the directory outright, and try and explore the content of pages in more depth, or to try and see if it brings up anything of use. So to explain more about LFI, we'll just give you a brief description here: remote file inclusion is when a file is loaded from a remote server, and you essentially can access files on the root or on the system itself. In our particular case we're dealing with a filter. So again you can take a look at all of the various ways of trying to access an important directory like /etc/passwd, which is usually a test; you have the ability to encode it as well. So for example we can test this out and let's see if this actually displays anything, but in our particular case we can see that it really, sorry, let me just go back a step here, it really isn't displaying anything, which is why I'm sort of saying there might be a filter, because you can see where the results should be displayed, it should actually be displaying that, so that's interesting. If we scroll to the bottom here it actually explains it quite well, so there we are: we have LFI and RFI using PHP wrappers. So again we can use the PHP filter and convert a particular resource on the website, for example the index page, to base64. So for example php://filter/convert.base64-encode and then we specify the resource, and then we'll get the base64-encoded version of that web page, which we can then decode quite easily because it is base64. So I'll just open up CyberChef so that we can actually test this out. There we are.

And in the meantime let's actually take a look at the Nikto results. So the Nikto results give us some interesting results: wow, we actually have a config.php file. So what is a config.php file in the context of a LAMP stack? Well, a config.php file is used to actually configure how the web application will run, what a user is allowed to do, what they're not allowed to do, any extensions or modules that are being used, and it can also contain database IDs and passwords. Now in most cases this should not actually be allowed to be read by public users, or users should not actually be able to access this. So let's see if this file actually exists on the web server, which again could give us something interesting. So I'll say config.php, we'll hit enter, and again it doesn't give us anything, which might explain, or again push us towards the fact that we may have a filter here. So let's actually try using the PHP filter here and encode one of our pages. Let's start off with the index page; so I'll get rid of that there, and we can actually use the config page first just to see what that contains. So we have the config page, we hit enter, and it looks like that works, and that gives us the base64-encoded content of the web page. So we can now take this into CyberChef, and I'll just say "From Base64", we want to decode it. So we paste that in here and we get what appears to be database credentials: we get the server, which is localhost, we get the database credentials for the root user, we also get a password, and the actual database in question, which is called users. So what this means, which again is why I pointed out that when you're dealing with a content management system there's a high probability that there's going to be a database, because you need a place to store credentials, is that this content management system is utilizing the database, and it's getting the credentials from the config page, from the actual configuration page.

So what we can do is we can actually use these credentials, let me just open that up, to log in, or to attempt to log into the MySQL server. I'm not entirely sure as to whether it may support remote logins; let's do that right now. I'll just open up a new tab so we don't confuse that. So mysql, the user is root, sorry, the user is root and the password we will specify ourselves, the host is 192.168.1.155. We hit enter, paste in the password, which I think I copied, I'm not really sure why that did not copy, but we can just paste it in there, and it doesn't seem to be pasting that, let me just paste that again, there we are. Fantastic, so we're able to log in, and if we say show databases, that tells us we have the users table, so we can then say use users, which is where the credentials are most likely going to be stored, and we can say show the tables for this particular database, and we only have one table, which is called users. So we can then dump the contents of this entire table by saying select everything from the table users, and we hit enter and we get user credentials here, which most likely are for the web application but may also be used in privilege escalation. So we have three users: we have kent, mike and kane. We can see that this is base64, which is interesting, which again we can decode quite easily. So let's try the password for kent and let's see if we can decode it successfully. So I'll just get rid of the content there and we can paste this in, and it looks like we get what appears to be a legitimate credential, or a password for that matter. So let's try and log in: the user is kent, I'll go back in here, we'll hit login, that is kent, and we can paste that in there, hit login, and it looks like that works, and we can now upload images, which is I'm guessing where we can try and upload our PHP reverse shell. I'm not really sure whether there are filters, but I'll actually take you through that process as well.

All right, so we have so far gotten some credentials for the web application; we can now try and upload our reverse shell, so let's try and do that. So the reverse shell, I think I already have it downloaded here, there we are, so we'll just copy php-reverse-shell into our current directory, sorry, the actual reverse shell, the PHP file, there we go, php-reverse-shell, now that's my bad, that's a directory, and we're looking for the PHP file, and we'll just copy it in here and we'll change the name to just shell.php or something generic. So mv shell.php, sorry, reverse-shell, my bad, why am I making these mistakes, so reverse-shell.php to shell.php, and we can now try and access the content and modify the shell to our liking. So shell.php; I think I should have this configured to my IP already, although I think I should check that, so I'll just check my IP, yeah, that is correct, so I think I should have that set up correctly, and the IP set to 1234, which is fine. Yeah, everything looks fine, so we can use this. So let's try and upload this and let's see what type of output we get. So we're going to go into Browse and Documents and we'll click on VulnHub here, so PwnLab, and we'll open up, we'll just say shell.php, open that up, hit upload, and it tells us what I was expecting: "Not allowed extension, please upload images only". So this is interesting. We of course try to intercept the requests that are being sent to the web server, but let's try and use the local file inclusion technique here to actually get the contents of the upload page, so we can see whether we have any specifications regarding the extensions that we can upload in the form of images. So we can say that is upload, I think the page is just called upload, hit enter, we get the content there, and I'll just paste this in here and that should give us an idea of what we can and can't do.

All right, interesting. So we get the code right away, and of course because the PHP code is filtered, this is what we missed out on. So the upload directory, as we guessed, is upload. The file extension uses the file name, a dot, and then image info, and it uses the actual extension that we specify. So we can see that there's a whitelist option here for the file extensions; let me see if I can find that, I think I saw that, there we are: the whitelist array is jpg, jpeg, gif and png. So let's test out and see whether a PNG file will work, and I'll also turn on Burp here. So I'll just go to upload one more time and I'll make sure that Burp is enabled and intercept is set to on. I'm just going to browse and specify the shell again, sorry, I actually need to rename that, so mv shell.php to shell.png, and we can just move it like so, and we can then browse for the PNG file and hit open, and I think we'll have to execute it manually. So let's hit upload and we get the request; we can see for the actual content that there's multipart form data, but for the content type we get image/png. So let's see if that works. We go back, it gives us an error; let's see if that actually uploaded, upload, I'll just forward that, sorry, and that does not look like it's working. So it looks like it's not working with PNG files. One quick way of actually bypassing this, I'll just refresh this page here, is through using image headers, which I think might be the case here. So we can try and change the extension to either a jpeg or a jpg, or a gif file, and in this particular case we can actually try, but a quick way of bypassing this, a little trick, is to actually include a file format or an image format header that will essentially tell the web server that this is this type of file and you can go ahead and upload it. So let me just take you through that.

All right, so to actually bypass any upload filtering, a great way, as I said, is to include the GIF header. GIF is a file format, and I think we can actually find it online, so "gif header", I don't think that'll give us anything because that's way too vague of a statement, I'll just accept the risk and continue, there we are, "gif file format header", I think, and it looks like we have the signature format, so there we are, that's the actual format here, this one right over here. So we need to include this within our shell, and we can preserve the same extension, the PHP extension; I can actually just modify the file now, so shell.png, it's still the PHP content, all we need to do is include that particular header at the top there, and this will specify that this is a GIF file, and of course we'll trick the web server. And let's actually try and see whether that works right now. So I think we have that disabled, but we can actually just try it out really quickly and see if that works: shell.png, upload, and it just gives us a random image there which doesn't have a source. So let's try and access the upload directory, and it looks like it actually uploaded our file, our shell, and it gave it a different name, which again makes sense: when we explored the source code for the upload form, it actually changes the file name but maintains the file extension. So let's try and execute this. I'll just open up a quick reverse shell here, we'll just say netcat -nvlp 1234, that's the port we set up our listener on, and we'll try and execute that to the web server, and we should get a shell, and we don't.

All right, no need for worry there; this is one of the reasons I really like this box, because nothing is ever as simple as it looks. Okay, so it doesn't execute, and this error is pretty standard regardless of whether it has been executed or not. We can take a step back here, I'll just refresh the page, and we can take a look at the actual source code for the index file to learn more about the web application. So we'll use the same technique here and try and bypass that; so for example let's just use the login here, so we'll convert the index file, which I don't think we need the, yeah, there we are, so that actually gives us the contents of the index file, and I'll get rid of that and paste that in there, and yeah, it looks like we get additional information that we didn't get. So number one, just at the top here, it tells us that multilingual support has not been implemented yet, and language files can be specified through the cookie and can actually point towards a language file, or a language.php file. So you can see it says lang, setcookie lang, that's the actual attribute name for the cookie, to allow you to specify a language file. So what's happening here is multilingual support is being implemented and can actually be used, but the language files need to be specified manually. And we can actually exploit this and set our cookie; we can actually modify our cookie to actually execute the reverse shell that we uploaded, and this can be done through the lang cookie attribute. So one more time I think we need to explore the web application and just see what's going on here, so I'll just go back home, and we can then try and see what's going on exactly, but before I do that I just want to nail down the actual image name, because we're going to need it for the lang cookie.

So I'll just copy that, and we know it's under upload, and I just want to note this down, so I'm just going to open up a text editor here and we'll paste that in there; so that is the actual directory there, this is under upload, and yeah, that looks about right. Okay, let's open up Burp again and we can try and modify this, and let's see whether it executes. I want to make sure my listener is still running, it is, and I'll just set intercept to on and refresh this, and it looks like we have the Cookie option. So we can get rid of the PHPSESSID, which might log us out because it's used for identity, because we actually logged in. So we can say lang is equal to, and we can then specify the actual file here, so upload, and we can then paste that in there, and I'll just get rid of that double forward slash and hit forward, and we don't get anything. Are we specifying the correct directory? Let's try that again, no harm in trying that again: lang is equal to, my bad, let me just get rid of that again, so lang is equal to, let's try two directories up, or back, sorry, and then we specify upload, and let's forward that again, and we get our reverse shell. Fantastic.

All right, so we've been able to get our reverse shell. We get a normal shell here with no job control, and our current user ID is www-data, which makes sense because we exploited the web server, so there's no surprises there. So really quickly, what I can try and do is spawn a TTY shell, so we can use Python, and we can just say -c, import, well, we can actually just make that a single quote, so import pty, and pty.spawn, and then we can spawn a bash shell here, so /bin/bash, and I think we should be able to get one. I'm not sure whether Python is installed; you should probably run that first. And we get a bash shell, which means we had Python this whole time.

And we can try and enumerate some information here. So cat /etc/issue, we know we're running Debian 8. Some kernel information, uname -a, we can see it's running 3.16 and it's a 32-bit system, which is fine. Let's try and enumerate the users on the system, so cat /etc/passwd, and it looks like we have the same users in addition to one more called john, because I think we had kent, mike and kane from the database. Let's try and elevate our privileges using their credentials. We don't have access to any of them, so I'll just try and decode and we can try and see whether we have access to them. But if we take a closer look, yeah, they both have legitimate shells that they can access, although we're not guaranteed access through these passwords because these are only used for the web application. So this is the password for the user, let me just confirm that again, that is for the user kent. So we'll say su kent, we'll switch to the user kent, provide his password, and we get access to the user kent. Now, kent, I don't think, has any sudo privileges, so you can say sudo apt update, and we don't have that, so we don't have sudo installed, which is fine, permission denied. So I don't think we have permissions for the user kent. So let's try and access another user on the system, which is mike, and we also need to decode his password; I should have done this before, but anyway, there we are, we also get his credentials. So the user mike, and we'll say switch user to mike, hit enter, authentication failure, which means that is an incorrect password, more or less. Let's try the last user just so that we know what we're working with, which in this case is kane. We'll try and log into kane, sorry, that's here by the way. Let's actually check out the home directories, because we haven't done that. So we have john, kane, let's see if we can access john; we can access kane; we only have access to kent. So let's try kent first, see if we have any files in here that could be useful, nothing there, no bash history, so yeah, let's try and access kane.

All right, and I'll paste in the password there. Did we actually copy the correct hash? Let me just make sure that is done, because I don't think we decoded it. There we go, so let's copy the password for kane, and I'll paste that in there, and we get access to kane. So let's explore his home directory, and it looks like we get a binary; well, let's actually verify that, message mike, yeah, it is a binary, and we don't get anything else. So let's try and execute it, so message mike, and it gives us a command that failed: cat /home/mike/message.txt. It's using the cat utility to display the message stored in /home/mike/message.txt. So let's try and analyze, or let's see how this works: strings. We can actually try and see how this is working, because it looks like a standard executable, and we should be able to get some information regarding how it works. So we can see that, there we are, it uses the cat utility to actually give us the message here. And the reason why it didn't work, let's actually take a look at our environment variables. If we take a look at our environment variables we can see we have the shell, which is bash, the user kane, the Apache log, and the path is set to /usr/local/bin, sorry, /usr/local/bin. And yeah, so I think what we can do is we can leverage the cat utility; we can actually create our own, sort of, and set our path to our own user directory with our modified cat binary, and then that cat binary, well, we know that this file doesn't exist, firstly, because our path is currently set to the actual directory where the binaries are stored, even though we always have access to the cat binary. We know that this message right over here tells us that file, we can't access that file; let me see if I can find that here, there we are, so "no such file or directory" exists. We know that this file doesn't exist because it would have displayed it.

So we can leverage this here, or the cat binary here; we can replace it with our own, and the way to do that is to actually change our path. So we can change our path to something like our home directory, and we can then create our own cat binary that is going to be malicious. So we can say echo, we want a reverse shell, well, not a reverse shell, but we want a shell, so /bin/sh, we can get a standard shell session here, and we can then output that to cat. So we have the cat binary there that we just created; we now need to change our path environment variable, so export PATH to /home/kane, we're currently logged in as the user kane. We hit enter, and now if we run message mike we can see that permission is denied. chmod +x cat, so we don't have access to that, chmod is not allowed, permission denied. We copy this to the tmp directory, so we can copy cat to /tmp; we don't have the copy command, that's weird, for some reason this seems to have ruined my shell. I actually know why that's the case: that's because we actually changed our environment variable, the PATH variable. So I'll just export, well, I don't think we'll be able to do that right now, but what we can do is we can just exit from this and go back to the user kent, and we can just try and log in again to kane, I think that should work, although I'm not entirely sure. I should have actually changed the permissions earlier. su kane, there we are, and paste in the password for kane. "Cannot open", we know the commands are working now, so we can say chmod +x to give it executable permissions, so chmod +x cat, and we just check out the environment variables again; we need to change them one more time, so export PATH to /home/kane, and now we should be able to run this hopefully, so message mike, hit enter, and we type in id, well, that doesn't work, it simply gives us, it doesn't look like that works here, so we might have an issue.

Let's try and explore this a little bit more. Those commands aren't working, so we're calling, in the user kane, all right, so we're currently in the user kane, let's try and spawn a bash shell here. So again python -c, import, and we're importing pty, so pty.spawn, and we'll just spawn a simple /bin/bash, sorry about that, and we hit enter. Well, we made a mistake there; just terminate that, and let's get our listener again, we have to do that all over again, which I think should be fairly simple, we just need to set the lang flag. So let me just repeat that one more time and I'll get back to you.

All right, so I'll just check the path again; once again of course we need to do that again, so export PATH, and we'll just say /home/kane, and that should be good now, and we say message mike, that should give us our shell session here, and again I'll just spawn a reverse shell, sorry, that is the password there, let me just copy this here, we don't want to type that out over and over again. "python not found", that doesn't look right. So let's go into the user home because that doesn't seem to be working. What about the environment variables? Yeah, that doesn't seem to be working as well. Interesting. Yeah, I should have actually spawned a normal shell session because the default shell is set to bash. So let me just repeat that process again; I think I should be able to exit from here, so kane, and we just say message mike, and there we are, and then I'll just spawn a shell session if we can actually access that, but before I do that let me just check the home directory, home, ls, that doesn't look like it's working. Environment variables, nope, that doesn't work as well. Do we have access to the user mike? That still doesn't work. Interesting. So let me just spawn a shell session.

All right, so what I did is I actually discovered the issue: I was specifying a simple shell instead of a bash session, so I modified the cat binary that we created and essentially specified the executable, which is bash, and I've enabled the permissions, and we can now run message mike. I've also set up the path correctly: message mike, and it looks like we have access to the user mike right now. So environment variables, we don't have access to that, so it looks like we still have the issue now for the user mike, in the sense that we can't actually run any other commands. It looks like the environment variables for the user mike have also been changed for some reason, which is slightly weird, so let's take a look at this closer. So again, to sort this, all you need to do is just export the path and set it to the standard path where you can get all the binaries that can allow us to navigate. So I'm just going to navigate to my home directory for the user mike, I should be able to do that, it looks like it's still set to the path as well, so let me just list out the environment variables. Let's see, you can see the HOME is still set to /home/kane, but I don't think we need to change that right now. We can access the actual account for mike and we have a new binary, which is message to root. So let's try and execute this, message to root, and see what we get. So we need to enter a message for the root user, so we can hit test, and it simply echoes back what we actually put in. So this looks like a simple, we can actually just analyze what's going on in the background, so message to root with strings and
let's see what's happening uh you know once we specified so we can see uh message for root and then it echoes out whatever we printed but we can actually we we provide the string here and that is displayed under root messages or that is actually echoed out to root messages.txt and we the the actual uh we can we can actually enter this as um as a second variable if you wish uh if you wish to call it that or uh the actual input variable uh so the first input variable is taken up by um by echo so we can echo and then specify another command however we can also use this to run another command so for example we can spawn a a shell session so i just i can i think we can actually test this out so message to root right and then we just hit uh you know the message itself so we can hit test and then i can say bin sh hit enter id and it looks like we have root access there's only one way to check that out and we have the flags of flag.txt and congratulations uh we have successfully elevated up elevated our privileges all right so yeah that's a fairly i would say a fairly decent challenge especially dealing with binaries but these were fairly simple binaries that didn't involve any reverse engineering of sorts uh simply understanding how how some of these binaries were designed and you know quick way of actually analyzing that is to is to view the strings uh you know it's a fairly simple way of seeing what's going on in the background and uh and getting you know essential commands that give you a hint as to what these scripts are or what these binaries are doing uh in our case uh we have modified the you know where we have played around with the environment variables and various binaries so the privilege escalation part might not be that realistic but overall the web app the web exploitation phase was uh what was really the core aspect of this particular uh box so that's pretty much gonna be it guys thank you very much for watching if you have any questions or suggestions 
leave them in the comment section and i'll be seeing you in the next video [Music]
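The two privilege-escalation primitives shown in the video, reproduced as an added example that is not part of the walkthrough or the PwnLab VM itself: a PATH hijack of a program that calls cat by bare name (the msgmike pattern), and shell injection through a message that is spliced into a command line (the msg2root pattern). Everything runs as an unprivileged user in a throwaway directory, so the stand-in scripts under $WORK, the fake cat that only announces itself, and the exact form of the original binaries (msgmike assumed to run cat on a message file in mike's home; msg2root assumed to build "/bin/echo <msg> >> /root/messages.txt" for system(), as the strings output suggests) are this example's assumptions. One caveat the video demonstrates the hard way: setting PATH to only /home/kane removes every other directory, which is why cp, chmod and python stopped resolving; prepending the attacker directory to the existing PATH gets the hijack without losing the rest of the system.

```shell
#!/bin/sh
# Added example, not code from the video: reproduces both PwnLab privilege
# escalation primitives in a throwaway directory as an unprivileged user, so
# the mechanism can be studied without the SUID bits or the VM. All paths
# under $WORK and the stand-in scripts are this example's own constructions.
set -u

WORK="$(mktemp -d)"
mkdir -p "$WORK/victim" "$WORK/hijack"
printf 'hello from mike\n' > "$WORK/victim/msg.txt"

# --- primitive 1: PATH hijack of a relative 'cat' (the msgmike pattern) ---
# Stand-in for msgmike (assumed: it runs 'cat' on a file in mike's home).
# The bare name 'cat' is resolved through the caller's PATH, so whoever
# controls PATH controls which program runs with the binary's privileges.
cat > "$WORK/victim/msgmike" <<EOF
#!/bin/sh
cat "$WORK/victim/msg.txt"
EOF

# Hardened stand-in: absolute path, and a PATH the program sets itself
# instead of inheriting one from the caller.
cat > "$WORK/victim/msgmike_fixed" <<EOF
#!/bin/sh
export PATH=/usr/bin:/bin
/bin/cat "$WORK/victim/msg.txt"
EOF

# The fake 'cat' dropped in a writable directory (the video used /home/kane).
# On the box the body would be '/bin/bash' to get a shell as mike; here it
# just announces itself so the result can be checked.
printf '#!/bin/sh\necho HIJACKED\n' > "$WORK/hijack/cat"
chmod +x "$WORK/hijack/cat"

# Show which program a given PATH resolves a name to (empty if none found).
lookup_in_path() {
    ( PATH="$2"; command -v "$1" ) 2>/dev/null || true
}

# Run a victim script with the attacker directory PREPENDED to PATH.
# Replacing PATH outright (export PATH=/home/kane) is what broke the shell
# in the video: cp, chmod and python vanished along with everything else.
run_with_hijacked_path() {
    PATH="$WORK/hijack:$PATH" /bin/sh "$WORK/victim/$1"
}

# --- primitive 2: shell injection through system() (the msg2root pattern) ---
# Stand-in for msg2root (assumed form, consistent with its strings output):
#   snprintf(cmd, "/bin/echo %s >> /root/messages.txt", msg); system(cmd);
# The message is spliced into a shell command line, so ';' ends the echo and
# starts a new command. The video used a second command of /bin/sh as root.
msg2root_vuln() {
    /bin/sh -c "/bin/echo $1 >> $WORK/messages.txt"
}

# Hardened: no shell at all. The message is a single argv element, so shell
# metacharacters are stored literally. (In C: execve of /bin/echo with the
# message as its own argument, or simply open()+write() on the file.)
msg2root_fixed() {
    /bin/echo "$1" >> "$WORK/messages.txt"
}

last_message() {
    tail -n 1 "$WORK/messages.txt"
}

# Stand-alone demonstration.
echo "hijacked PATH resolves cat to: $(lookup_in_path cat "$WORK/hijack:$PATH")"
echo "msgmike under hijacked PATH:   $(run_with_hijacked_path msgmike)"
echo "msgmike_fixed under same PATH: $(run_with_hijacked_path msgmike_fixed)"
echo "chmod with PATH=/home/kane only: '$(lookup_in_path chmod "$WORK/hijack")'"
echo "msg2root_vuln with injected command:"
msg2root_vuln 'hello; echo INJECTED #'
msg2root_fixed 'hello; echo INJECTED #'
echo "msg2root_fixed stored literally: $(last_message)"
```

The trailing `#` in the injected message comments out the `>> messages.txt` redirection so the injected command's output goes to the terminal, which is the same reason a `; /bin/sh` appended to the message gets an interactive shell rather than a shell with its output redirected into root's file.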
Info
Channel: HackerSploit
Views: 12,813
Keywords: hackersploit, hacker exploit, hacking, kali linux, ethical hacking, vulnhub walkthrough, vulnhub tutorial, vulnhub vmware setup, vulnhub so simple, vulnhub review, vulnhub kali linux, vulnhub funbox, vulnhub basic pentesting 1 walkthrough, vulnhub active directory, vulnhub android, vulnhub basic pentesting 1, vulnhub basic, vulnhub buffer overflow, vulnhub beginner ctf, vulnhub boxes for oscp, vulnhub oscp, oscp prep, vulnhub pwnlab, vulnhub pwnlwab walkthrough
Id: Q85ku046Q_E
Length: 41min 2sec (2462 seconds)
Published: Fri May 07 2021