Categories

Archives

CTF Challenges

The Library:2 Vulnhub Walkthrough

Today we are going to take another challenge Library2 which is a 2nd lab of the series Library. The credit for making this VM machine goes to “Avraham Cohen” and it is a boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

Scanning

  • Netdiscover
  • NMAP

Enumeration

  • Web Directory Search
  • Burpsuite 

Exploitation

  • Sqlmap
  • FTP
  • Shell Upload
  • Netcat

Privilege Escalation

  • Obtaining root password

Walkthrough:

Scanning:

Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.107 automatically from our local Wi-Fi network.

We used Nmap for port scanning. We found that port 21 and 80 are open.

nmap -A 192.168.1.107

Enumeration:

As we can see port 80 is open, we opened the IP address in our browser, but we didn’t find anything useful on the webpage.

Firstly, we tried dirb in default mode but didn’t find any directory. Then we looked with .php extension and got one directory /library.php

dirb http://192.168.1.107 -X .php

After accessing the URL http://192.168.1.107/library.php  we got a webpage listing the name of few countries.

We just clicked on Netherlands and it didn’t give any information.

We captured the request in burpsuite and thought country parameter might be vulnerable to SQL injection, so we copied the raw request of burp into a text file sql and used an asterisk (*) to pinpoint our point of the target but we didn’t get anything.

Then we took a little help of the hint given by the creator of this machine on Vulnhub and changed the request from GET to POST.

You can see in the image below the request has been changed from GET to POST. Copy this request in a text file on your attacking machine. 

Exploitation:

Now let’s use sqlmap on the file where we have copied the POST request in a text file.

sqlmap -r sql --dbs --batch --risk 3 --level 5

From the results, we found a directory named library.

Further enumerating the library database for usernames and passwords.

sqlmap -r sql -D library --dump-all --batch --risk 3 --level 5

We found a username globus and password AroundTheWorld for the ftp service.

We connected to the target system through ftp using the above-found credentials. We looked here and there but couldn’t find anything useful, so what we did is we grabbed a php-reverse-shell from /usr/share/webshells/php and modified the listener IP as ours and named it as shell.php.

Then we tried to upload it in the target machine using PUT command but we got access denied error.

ftp 192.168.1.107
ls
cd html
ls
put shell.php

It seemed there was some sort of file format filtering happening in the backend, we found a work around for this filter by changing the name of the script file from shell.php to shell.PHP

put shell.PHP
ls
chmod 777 shell.PHP

Now we executed the shell by just browsing to the URL http://192.168.1.107/shell.PHP and at the same time started a netcat listener on our Kali machine.

Privilege Escalation:

We successfully got the netcat session with a limited user privilege. And after a little bit of directory traversing, we found the password of a root inside a file named welcome located in the /var/mail directory.

Then we finally switched to the root shell using su command and successfully completed the challenge.

nc –lvp 1234
python -c 'import pty; pty.spawn("/bin/sh")'
cd /var/mail
ls
cat welcome
su root
id

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here