Hackday Albania

[ vulnhub  ctf  walkthrough  ]

Goal

root access + flag.txt

Download

https://www.vulnhub.com/entry/hackday-albania,167/

Walkthrough

An initial nmap scan reveals a web server running on port 8008 and SSH on port 22.

Website reveals Mr. Robot and a message that translates to “If I am, I know where to go ;)”

Checking the source code there’s a message that translates to “but not here”

Running nikto shows various directories found in the robots.txt file

Browsing to the first directory listed, it prompts with the translated message “Is this a proper directory or a jerk” < LOL I hope that Google translation is accurate

With a lot of directories to go through, I decided to save the directories listed in robots.txt to a file and run them through dirb

Running the directories through dirb reveals that /unisxcudkqjydw is a different size. So let’s try that…

Browsing this directory reveals another hint

Adding /vulnbank to the original URL reveals a directory listing

Clicking the client folder reveals a Very Secure Bank login page

With no known credentials, I set up Burp Suite to run a SQLi attack against

Quick turnaround and two possible payloads

Tested both on the username, and they both log in as Charles D. Hobson

Scrolling over on the page reveals a place to upload files…

My first thought was to upload a PHP reverse shell, but the page states that only specific image files are allowed

Simply adding .jpg to the end of the shell file and trying again results in…upload success!

Next I set up meterpreter, browse to the newly uploaded file and…BOOM limited shell!

Connected as www-data gives limited access so let the enumeration begin. First I see what is available in the /home directory…nothing. However it gives us a username taviso < i get it

Next checking /var/www/html it becomes obvious that all files are readable and belong to the user taviso. Browsing to the directory that provided access shows a config.php file

Viewing the config.php file gives us the MySQL root password

Looking at MySQL doesn’t provide much more information other than two logins to the site. Moving on…

Checking permissions on /tmp shows the obvious, full access, and I upload both the Python and Bash Linux privilege checker scripts. It seems python isn’t available, only python 3 and 3.5, which do not work with the Python script. However, the Bash script works and pays off as it reveals /etc/passwd is writable!

Since I’m able to update any user, including root, I quickly check the /etc/sshd_config file and it states that remote access isn’t available with a password. Oh well…

So first I create a password hash using openssl

Using the meterpreter session, I download the /etc/passwd file and update the root and taviso passwords

Back in meterpreter, I upload the updated file, replacing the original, and check to see it’s the newer version

Now with my own password set on taviso, SSH access to the system works. From there, issuing su with the new password gives root access. In the root folder is a message that translates to “Congratulations, now launches report”. Also available is the file flag.txt with an MD5 hash of d5ed38fdbf28bc4e58be142cf5a17cf5 that decodes to rio
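
From the defender's side, the escalation above depends on two conditions that are easy to audit: /etc/passwd being writable by someone other than its owner, and entries whose password field holds a hash instead of `x`. The following check is an added example, not part of the original walkthrough; the sample entries, including the `extra` account and the placeholder hashes, are constructed.

```python
import os
import stat

# Constructed sample: root and taviso carry a placeholder hash in field 2,
# the state /etc/passwd is left in after the edit described above.
SAMPLE_PASSWD = """\
root:$1$SALT$CONSTRUCTEDHASH:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
taviso:$1$SALT$CONSTRUCTEDHASH:1000:1000::/home/taviso:/bin/bash
extra::0:0::/root:/bin/sh
"""


def audit_passwd_text(text):
    """Return (line, user, issue) tuples for risky passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            # Any other value is treated as the password hash itself,
            # so /etc/shadow is never consulted for this account.
            findings.append((lineno, name, "hash stored in passwd"))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "non-root account with UID 0"))
    return findings


def writable_by_non_owner(path):
    """True if group or other has write permission on path."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for finding in audit_passwd_text(SAMPLE_PASSWD):
        print(finding)
    if os.path.exists("/etc/passwd"):
        print("/etc/passwd writable by non-owner:",
              writable_by_non_owner("/etc/passwd"))
```

On a healthy system both checks come back clean: /etc/passwd is mode 0644 owned by root, and every password field is `x` or a locked marker.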

Written on December 1, 2016