DEF CON 22 is just a couple of short weeks away and there’s sure to be some CTF fun there, so there’s no better time to brush up on the basics. At Vulnhub, you’ll find a ton of boot2root challenges that cover a wide range of security vulnerabilities.
This challenge from the people at Pentester Labs is quite simple – based around cross-site scripting and using MYSQL write file permissions, the goal is to achieve remote code execution.
While the official write-up is detailed and somwhat elegant, we all approach these problems in different ways, and with different tools and techniques. Mine is dirty, but it gets the job done – and while we are going to achieve code execution as per the goal, we’re going to get our bonus points by escalating to root as well.
Let’s get started.
The VM is sitting at 192.168.20.227 so let’s see what services are available:
Starting with HTTP:
Looks like a basic blog, with a comment section and an admin portal. Clicking on the Admin link sends us to the login page, and we know this is a XSS challenge, so the obvious place to start is on the comments form which contains the fields Title, Author and Text. Going for the most basic of basic XSS tests, we pop <script>alert(‘XSS’)</script> straight into the Text field and get confirmation that the site is indeed vulnerable to XSS:
The assumption here is that there is an administrator who at some point will review the posted comments on the site, and with a XSS vulnerability, we have a chance to steal his session cookie value and use it to log into the site as the admin.
First the PHP code:
Let’s run a local web server to host this PHP an grab the cookie when the victim views our blog post. There are lots of ways to do this, here’s my way:
We can now import this cookie using whatever tool we feel like using (for me, it’s the Cookies Manager+ addon for Iceweasel) which allows us to cruise through into the admin area under a pre-authenticated session. Now we can create, edit or delete blog posts, but not much else. Clicking around the newly available links gives us some URLs referencing PHP objects – possible SQL injection. Injecting a single quote into the edit.php id function confirms this:
We also get the document root path for the site too, which may come in handy. Time to fire up sqlmap and see whether it’s base scan gives us anything before moving on to manual probing:
…and so on. We get a set of credentials for the admin user, which allow access to the blog admin page (which we already have anyway via our cookie theft), so that’s not particularly useful. The only other user hash found is for a system maintenance account which is unlikely to be easily crackable or useful. Moving on.
We want to upload a PHP shell and based on the description of this boot2root, it’s likely going to be possible via the FILE privilege inside mysql. We already know the document root, so let’s try to upload our PHP shell to the classes directory:
No dice. We don’t have write privs for that directory. But using Burp’s spider function we’ve found another directory called css, so let’s try that one:
No warning output from sqlmap, so let’s check to see if our PHP shell is now available…
It is indeed, and we confirm code execution is possible, so we’ve met the requirements of the challenge! Now it’s time to earn our bonus points by getting root. Checking the local password file highlights a local account named user:
Recalling our nmap scan at the beginning, we remember ssh is also running…and now we have a valid username. Let’s see if we can brute-force an SSH login for this account:
Well it took a while, but we managed to brute-force our way in using the credentials user:live. So now that we have a shell on the box, let’s get on there and see what kinds of privileges we have:
Interesting. The absence of an error message during validation suggests this user has sudo access…