Sunday, 12 June 2016

Holynix v1 challenge

I would like to present the Holynix v1 challenge write-up. This challenge is one of the two Holynix challenges.

Wow, only TCP 80 port? It is very comfortable situation of us. We know that the Apache 2.2.8 has assigned CVE-2010-0425 (Metasploit modules), but we want to be pro and we are going to conduct pentest manually. Let's browse the web application

OK, we know that we should find admin panel or something like that. We can see Login link, let's click on them

Great, I tried log in as admin without success but not without effect.

Great! Now we know that ltorvalds is a system administrator. I tried use SQL Injection against the panel and success! But we haven't got administrator account

The upload link looks attractive, let's try upload some file. Grrr, unfortunately I have got "Home directory uploading disabled for user alamo" information. Hmmm, in the Directory link we can find  a lot of emails (and probably usernames). In the Message link we can find corespondency which came likely from the IT department. Within the corespondency we can see "knockknock" word serveral time. I have got following result using sqlmap on the admin panel

Excellent! This is good news, because alamo user does not have privileges to upload any kind of file. Now we are able to find appropriate user to do thias action. We can find in the above table also who has privilege to upload some file. I have decoded the etenenbaum's password and log in, becuase he has privileges to upload file (logical value for upload is true).
Hmmm, I tried upload PHP backdoor, but it didn't upload the file to upload directory. Quite interesting... Let's try gzip the PHP file (for example <?php phpinfo(); ?>) and then upload it.
Good, the file has been uploaded, but upss in the upload directory is nothing (in particular our file :-/), that's not good news. I was researching a lot and finally I figured out that maybe the application has user's directory such as ~etenenbaum and ~alamo direcotiries and BINGO!
I launched our uploaded file and

Excellent! So actually we are able to upload PHP backdoor and obtain limited shell.

Great! Let;s try escalate our privileges.

So, we have several possibilities. I preffer:
1) Go to the /tmp directory
2) Copy the /bin/bash file to the /tmp directory
3) Grant root:root privileges to /tmp/bash file
4) Move (mv) /tmp/bash  to the /bin/tar file
5) Execute as root the /bin/tar file

Game over!