
Vulnhub Writeup: ICA1

Sud0nym


This is a vulnerable virtual machine from a platform called Vulnhub. You can download it, import it into a hypervisor (e.g. VirtualBox, VMware, virt-manager), and hack it. I’ll be using VirtualBox, since according to the author it works best there.

Screenshot: description from Vulnhub

Recon

IP address: 192.168.56.101


In the port scan, we can see the services SSH, HTTP and MySQL running. The SSH version is fairly recent (current release: 9.4), so it is not an obvious target, and walking the webapp would come later. I wanted to manually enumerate the MySQL service first.

nmap -sV -p 3306 --script=mysql-* 192.168.56.101


Valuable service information. But… valid login with an empty password for all those users? Doubtful. I was proved right when I tried to log in with mysql -h <ip> -u <user>.

There was nothing that really stuck out to me as a lead. So I moved on to viewing the webapp on port 80.

Screenshot: qdPM v9.2

I ran gobuster on the base URL using a popular wordlist from seclists in the Web-Content directory (https://github.com/danielmiessler/SecLists). Here are the directories gobuster found:

/images (Status: 301)
/index.php (Status: 200)
/uploads (Status: 301)
/css (Status: 301)
/template (Status: 301)
/core (Status: 301)
/install (Status: 301)
/manual (Status: 301)
/js (Status: 301)
/javascript (Status: 301)
/check.php (Status: 200)
/sf (Status: 301)
/readme.txt (Status: 200)
/robots.txt (Status: 200)
/backups (Status: 301)
/batch (Status: 301)

I spent a bit of time going through all the directories looking for leads, and eventually landed on the /core/config directory, which contained MySQL database credentials. These led me to the initial foothold.


Initial Foothold

I found two different routes of exploitation by leveraging my access to the MySQL database.

  1. SSH credentials found in staff database
  2. Changing the password to the qdPM admin account, adding a new admin user, and then leveraging built in functions of the qdPM webapp to get a reverse shell on the www-data service account

Route one: SSH credentials


In the staff database I found a table containing SSH usernames and base64-encoded passwords, which I copied into individual files to use for password cracking with Hydra.

It was pretty easy to tell the passwords were base64-encoded just from their format. So I scripted a little loop to decode them all and write them to a file.


while IFS= read -r enc; do printf '%s\n' "$enc" | base64 -d; echo; done < dbcreds > pass.txt


From here, I was able to use both the user and password lists to run a dictionary attack against the SSH service.


Hydra compromised two different user accounts. I logged into both, just to take a peek at their home directories. In Dexter’s we find a note about another potential vulnerability, and in Travis’ we see the “user flag” (a common practice in simulated environments as proof of low-level access).


Route two: reverse shell

I found the following values in the qdPM database in the configuration table:


The configuration table holds the qdPM admin email and password hash used to log in to the web application. There *was* a different password hash in the database, but I replaced it because I wasn’t able to crack it with any of the wordlists I had. You can do this by running the SQL command

UPDATE configuration SET value = '<New WP-PHP hash>' WHERE id = 2;

I created the new WP-PHP hash using this website.

After I updated the admin password, I logged in to the qdPM web application using those credentials, and created a new administrator account.


Using that new admin account, pwned, I created a new project and uploaded a PHP reverse shell in the attachments section.


When doing a box, I often get caught up in playing the blackhat so I’ll leave nasty messages for the theoretical admins lol XD

With the reverse shell uploaded, visiting /uploads/attachments lists the attachment, and clicking on it executes the shell.


For brevity’s sake we can stop this attack route here. There is a way to escalate from www-data to one of the other users, but we can continue the privesc section using the users we already have access to.

Privilege Escalation

Using Dexter’s SSH credentials, we see the note he left in note.txt:

So I searched for SUID binaries using the command find / -perm -u+s 2>/dev/null. This lists every file with the setuid bit set, i.e. an executable that runs with its owner’s privileges (root, if root owns it) no matter which user launches it.

The very first binary seemed to be what we’re looking for. But if we run it, we get an error:


Running strings against it shows that it calls the cat binary, by name rather than by absolute path, to print system.info.

So I created a script named cat in /tmp containing /bin/bash, prepended /tmp to $PATH, re-ran the SUID binary and got root.
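As an added defensive check (not part of the original writeup or the ICA1 image), the script below turns the steps above into an audit: it lists setuid-root files and flags any whose embedded strings invoke a command by bare name, the misconfiguration that made this escalation possible. The WATCHED list of command names is an assumption; extend it for your environment.

```sh
#!/bin/sh
# Added audit helper; not from the original writeup or the ICA1 image.
# Lists setuid-root files and flags any whose embedded strings reference a
# command by bare name (e.g. "cat system.info" instead of "/bin/cat ...").
# Such a binary resolves the command through the caller's $PATH, which is
# exactly what the writeup abuses to get root.

# Commands often spawned from privileged helpers (assumption; extend as needed).
WATCHED='cat|ls|ps|id|cp|mv|rm|sh|bash|find|grep|awk|sed|netstat|ifconfig'

# Read `strings` output on stdin; print each watched command that appears as
# the first token of a (sub)command with no slash in front of it.
bare_commands() {
    tr ';&|' '\n\n\n' |                          # split compound commands
        sed -E 's/^[[:space:]]+//' |             # drop leading whitespace
        grep -E "^($WATCHED)([[:space:]]|$)" |   # bare watched name first
        awk '{print $1}' |
        sort -u
}

# Walk the filesystem for setuid-root regular files and report hits.
# Run as root for full coverage; unreadable paths are silently skipped.
audit_setuid() {
    find / -type f -perm -4000 -user root 2>/dev/null |
    while IFS= read -r f; do
        hits=$(strings "$f" 2>/dev/null | bare_commands | tr '\n' ' ')
        if [ -n "$hits" ]; then
            printf '%s: invokes by bare name: %s\n' "$f" "$hits"
        fi
    done
}

# Demo on a constructed strings dump, shaped like a vulnerable helper's output.
SAMPLE='/lib64/ld-linux-x86-64.so.2
cat system.info
/bin/ls -l
puts'
printf '%s\n' "$SAMPLE" | bare_commands   # prints: cat
```

Call audit_setuid on a host to run the real check; the fix for a flagged binary is to invoke helpers by absolute path (or set a fixed PATH before spawning them).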