Hack the Box Challenge: Falafel Walkthrough

In this Post, we are going to solve another CTF challenge “falafel” which is available online for those who want to increase their skill in penetration testing and black box testing. Falafel is a retired vulnerable lab presented by hack the box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to expert level.

Level: Hard

Task: find user.txt & root.txt file on the victim’s machine

Penetration Methodology 

Scanning

  • Open ports and Running services (Nmap)

Enumeration 

  • Enumerating Web Directory (Dirbuster)
  • Identify Web application vulnerability 
  • SQL Injection

Exploiting Web Application Vulnerabilities 

  • Login form SQL Injection
  • File Upload 

Spawning Shell

  • Injecting PHP payload (Metasploit)
  • Stealing SSH Credential
  • SSH login
  • Get user.txt

Privilege Escalation 

  • Cracking Frame-buffer Device (Cyber Forensic)
  • Escalated root shell
  • Get root.txt

Walk-Through 

Scanning

Since these labs are online available therefore they have static IP and its IP is 10.10.10.73 so let’s begin with nmap port enumeration.

From its scanning result, we found port 22 and 80 are open for ssh and http services.

So we explored target IP through the web browser and it put up a login page shown.

Enumeration 

When I didn’t found any remarkable things then I used Dirbuster for directory brute force attack. It put up so many files but /cyberlaw.txt looks more interesting so I browsed http://10.10.10.73/cyber.txt and put a message in front of me.

By reading this message, I conclude that there is an admin account and which is facing major security issue and an attacker can easily take over the website using an image upload feature. Moreover, there is some hint on the URL filter.

Then we try SQL injection on the login form but it gave an error “Wrong Identification: admin

Exploiting Web Application Vulnerabilities 

Then we make more efforts for SQL injection by using SQLMAP and used “Wrong identification” as a string to be passed at the time of login.

As result, it dumps the database name “falafel” now let’s extract the whole database information.

So we got users tables from inside it and it has username and password as shown.

As you can observe that the password hash for user admin is started with 0 and I don’t know much about this type of hash, so we look in the Google and notice link for Magic hashes.

As you can observe the highlighted md5 hash for the 32-bit string is same as above……………………….

With help of the following credential we login into admin dashboard and move to upload options.

Here we are trying to upload a php file named shell.php but it put an error “Bad extension “as shown

Thereafter we renamed it as shell.php.png and again try to upload.

Ohh! Yes, the file with .png extension get uploaded successfully inside /var/www/html/uploads hence we can to upload a malicious php file or any php backdoor with .png extension.

Spawning Shell

Let’s create a PHP payload for uploading into the web site. We have to use the msfvenom command for generating PHP backdoor.

Now copy the code from *<?php….die(); and paste in a text file then as rajjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj.php.png (240 character) also start multi handler in a new terminal.

Let me make it clear to you, here the author has applied filter for identifying  240 character file which means your file name must contain 240 characters including extension.

As shown in the given image the PHP file is uploaded successfully inside /var/www/html/uploads.

Let execute it in the URL for obtaining reverse shell at Metasploit.

Meanwhile, return to the Metasploit terminal and wait for the meterpreter session by exploiting multi handler.

From given below image you can observe Meterpreter session 1. But the task is not finished yet, still, we need to penetrate more for privilege escalation. Further, we open passwd file and notice two system username i.e. yossi and moshe.

After making some more inspection we found a file connection.php from inside /var/www/html and receive database credential from inside it.

This is MySQL configuration file for MySQL where username is moshe and password is falafelIsReallyTasty

With help of above credential we are trying to ssh login and after making successful login we found the user.txt file from inside /home/moshe

Privilege Escalation 

After some more penetration, we enumerated the groups for user moshe and found that the user is in the video group. When we found uses as the member of the video group then for Privilege Escalation we need check frame-buffer device. Because this can lead a local user able to access a frame buffer device file (/dev/fb*) could possibly use this flaw to escalate their privileges on the system.

Let’s have the contents of /dev/fb0 with help of cat command to capture the framebuffer raw data inside /tmp directory as scree.raw

So we have captured the raw data inside /tmp, now you need to take the raw image and convert it to a standard image format say .png but we before that we need to find t the size, use the following command which will print the dimension……………..

Now enter the following command to convert raw data into a .png image format

Then we opened screen.png and got the following image which was showing password: MoshePlzStopHackingMe! for user Yossi.

With help of above-enumerated credential, we have made SSH login successfully and then run following command for getting SSH RSA key.

Now copy the RSA key in a text file and named as key in your local machine. Also, give permission 600 to it. Then connect to ssh once again through above RSA file as given below:

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *