Tuesday 24 May 2016

Gibson challenge

Hi,

Scanning
















Good, we have found our target. Now, we are able to scan a little deeper














Great! We have pleasure with no complex VM, because open are only two ports 80 and 22. I prefer examine web application.













Hmmm, it is strange for you also? Let's check what is in davinci.html











Probably it is some kind of hint. I am wondering about brute-force SSH, but don't know username and password both. In this case brute force would take a long time. So, let's run dirbuster
Hmmm, dirbuster found nothing interesting, I was trying perform brute-force, where username is davinci, but without success :-(
So, we should examine version of Apache Web Server and OpenSSH. As far as I know OpenSSH may be vulnerable to predictable PRNG. Damn it! It also gave me nothing interesting... Now I am pretty sure that /davinci.html MUST contain something helpful!
BINGO!









Probably username is margo and password is god, let's try via SSH log in.




















Excellent! We have got limited shell! Let's check what kind of action we are able to perform via sudo
 Quite interesting!
I have verified that we have pleasure with Ubuntu 14.04.03, so I know that exist local root exploit





Game over! Thanks

Summary:
As we can see the challenge was very easy and didn't require advanced hacking tools and skills. All what we needed was time.

PS. I am going to try to find another way to hack this machine

Second way - privilege escalation.
I was looking for details about convert Linux command and potentially vulns, and I have found CVE-2016-3714.
So , we are able to inject any shell command into convert syntax
Well, I have add write permission for root to sudoers file via
sudo convert 'https://example.com"|chmod +x "/etc/sudoers' out.png
 and I have changed part of content to
margo ALL= (ALL:ALL) ALL













We have got root again :-)