Wallaby's: Nightmare v1.0.2

[ vulnhub  boot2root  walkthrough  ]

Goal

uid=0(root) gid=0(root) groups=0(root)

Download

https://www.vulnhub.com/entry/wallabys-nightmare-102,176/

Walkthrough

An initial nmap scan shows SSH on 22, a web server on 80, and a closed IRC port on 6667.

Looking at the website, we need to enter a username to get started.

The username was just for personalization; now some tips, and off we go.

We’re told we’re being observed, but we now have a path to work with: /?page=

Throwing the site at dirb yields some interesting results. Almost too interesting…

Going back to the website to check these results, it seems port 80 doesn’t work anymore.

Another nmap scan shows that the web server moved from 80 to 60080.

Back to the website on the new port 60080, we’re greeted with a new message.

Running dirb against the site on the new port yields the same results.

Throwing nikto at the website reveals a possible way to read /etc/passwd

(snippet of nikto results)

While all the results from nikto seem to reveal the passwd file…

Looking at the source, it’s safe to assume it’s fake.

Back to the dirb results, it seems most of them are just fake, as each one throws an “already patched” message.

The contact page works, but shows nothing much and neither does the source

The mailer page also works and doesn’t show much…

However, the source of the mailer page reveals a new path to work with: /?page=mailer&mail=mail wallaby “message goes here”

After some time messing with the path, it turns out we have LFI.

It seems wget is working, so a reverse PHP shell is set up and ready to download.

However, after running it, the file doesn’t seem to download, as there is no data in it.

Looking at access.log, it seems the request is made, but it gets a 500 error.

After some trial and error, it seems we need to chmod 777 the file and remove the .php extension for it to work.

The file is now showing data.

Before we can get a shell, we need to remove the old, empty reverse.php file and copy the reverse file to a name with the .php extension.

After calling the reverse.php page, we have a limited shell as www-data.

Showing the true passwd file, we see there are 3 users: ircd, waldo, and wallaby.

Now we know IRC is running, but we’re unable to interact with it. After some digging, ‘sudo -l’ reveals that all users have the ability to run iptables with no password. We also see waldo has the ability to run vim on a specific file, which we’ll come back to later.

Looking at iptables, it does show port 6667 (the ircd service) blocked to external users.

So let’s delete that entry

An nmap scan against port 6667 reveals the service is now open :)

We’re now able to connect using irssi

Through /list it’s revealed that there is a channel #wallabyschat, and joining it shows two other users: waldo and wallabysbot.

Hitting a wall, I went back to see if there were any clues in the file system. It seems the home directories for all three users (ircd, waldo, and wallaby) were readable. Digging shows wallabysbot is using sopel, a Python IRC bot, with an interesting file, run.py.

Unfamiliar with sopel, I did a little reading. It seems you can get the available commands by using .help

The commands are then listed in a private message, and run is shown… interesting.

Running help on the command shows that I can do an ‘ls’ command, but doing so throws a message that I’m not waldo

An attempt to change nick to waldo fails, as it’s already in use.

Back to the limited shell, we see waldo has a session open on pid 770

After some time, I remember the additional ‘sudo -l’ entry for waldo.

So we can open a file in vim, which doesn’t seem like much, but we can execute commands within vim using :!command

So: we can run commands as waldo within vim, we need waldo off IRC, and we know the specific pid of the IRC process… so let’s start vim as waldo and issue :!kill 770

After killing pid 770 we check to make sure the irc process is gone

We now change our nick in irssi to waldo with /nick waldo, and with the ability to use .run, we see that we’re wallaby.

The .run command did not allow a lot, just one-word commands with no options. However, we’re able to run scripts. Creating a test script, I’m able to download it using wget, make it executable, and .run processes the file.

The script shows that it failed; however, it did run. Knowing sopel uses Python, I set up a Python reverse shell…

Download it using wget and make it executable.

Before running it, I set up my listener on 444, and after the command ‘.run /tmp/pyreverse’… we have a reverse shell as wallaby.

The first thing I check is what I can run with sudo, and it’s everything with no password.
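The sudo findings in this box (iptables without a password for everyone, vim for waldo, and ALL with no password for wallaby) are exactly what a sudoers audit should catch before an attacker does. This is an added example, not part of the original walkthrough; the sudoers excerpt and the waldo file path are constructed to mirror what ‘sudo -l’ reported.

```python
import re
from typing import Dict, List

# Editors shown in the walkthrough to escape to a shell via ":!cmd"; vi is the same family.
SHELL_ESCAPE_BINS = {"vim", "vi"}

# Constructed sudoers excerpt (hypothetical) mirroring the walkthrough's "sudo -l" output:
# every user may run iptables unprompted, waldo may run vim on one file, wallaby may run ALL.
SAMPLE_SUDOERS = """\
# hypothetical /etc/sudoers excerpt, constructed for this example
Defaults env_reset
root    ALL=(ALL:ALL) ALL
ALL     ALL=(root) NOPASSWD: /sbin/iptables
waldo   ALL=(ALL) NOPASSWD: /usr/bin/vim /home/waldo/notes.txt
wallaby ALL=(ALL) NOPASSWD: ALL
"""

# user  host=(runas) [NOPASSWD:|PASSWD:] command [args]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tag>NOPASSWD:|PASSWD:)?\s*(?P<cmd>.+)$"
)

def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Return one finding per risky rule: NOPASSWD, unrestricted ALL, shell-escape editors, firewall tools."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m["user"] == "root":  # root's own rule is expected
            continue
        user, tag, cmd = m["user"], m["tag"], m["cmd"].strip()
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        reasons = []
        if tag == "NOPASSWD:":
            reasons.append("no password required")
        if cmd == "ALL":
            reasons.append("unrestricted command set")
        elif binary in SHELL_ESCAPE_BINS:
            reasons.append(f"{binary} allows shell escape via :!cmd")
        elif binary == "iptables":
            reasons.append("firewall rules can be altered")
        if reasons:
            findings.append({"user": user, "command": cmd, "risk": "; ".join(reasons)})
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']:8} {f['command']:40} {f['risk']}")
```

Running it against a real /etc/sudoers (and /etc/sudoers.d/*) would surface the same three classes of risk this box relied on; the fix is to drop NOPASSWD, pin editors to sudoedit, and never grant ALL to service accounts.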

The command ‘sudo -i’ gives me root and the flag.txt file :)

Written on January 8, 2017