6Days is another VulnHub VM which is a bit harder than the [PRIMER], but here we go. I started off with netdiscover to discover my victim IP. Then I ran nmap to search for open ports.
I immediately started scanning port 80 with nikto to see if I could find anything useful. Sadly, nothing was helpful. The filtered proxy will come in handy later.
Since nikto didn’t help me, I navigated to the site itself and was greeted with a nice webpage. I actually like the design and everything.
I tried the discount code. It expired.
I thought this was the perfect situation for SQLi, but the IPS stopped me.
While checking out the source of index.php I noticed something very unusual. The image was actually being loaded from a PHP script called image.php.
I intercepted the request via Burp and found the PHP source. SQLi was confirmed, but the IPS was making it impossible.
I also got the credentials for MySQL, but they weren’t of any use since the MySQL port wasn’t open.
I read the /etc/passwd file and found out that the user andrea is using a custom shell, which redirects its output to /dev/null. This means that when we type a command we can’t see any output. Let’s keep that in mind.
Having nothing else to do, I tried double-encoding the URL and, amazingly enough, it worked. I didn’t get blocked by the IPS.
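The bypass above works because a signature rule that percent-decodes the parameter once never sees the real payload. Below is an added example (not from the original post or the VM) contrasting that single-decode check with one that decodes to a fixed point and also treats the nesting itself as a signal; the token list and the sample image.php parameter values are constructed for this illustration.

```python
from typing import Tuple
from urllib.parse import unquote

# Tokens a simple signature-based IPS rule might look for in a query string.
# Constructed rule set for this example, not the VM's actual IPS configuration.
SQLI_TOKENS = ("'", " or ", " union ", "/*")


def decode_fully(value: str, max_rounds: int = 5) -> Tuple[str, int]:
    """Percent-decode until the string stops changing.

    Returns the fully decoded value and how many rounds changed it. Two or more
    rounds means the input was multiply encoded, which is itself suspicious:
    browsers do not produce double-encoded parameters on their own.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def looks_like_sqli(text: str) -> bool:
    lowered = text.lower()
    return any(tok in lowered for tok in SQLI_TOKENS)


def naive_inspect(raw_param: str) -> bool:
    """Single-decode inspection: the behaviour the post's IPS appears to have."""
    return looks_like_sqli(unquote(raw_param))


def hardened_inspect(raw_param: str) -> bool:
    """Decode to a fixed point and flag both the payload and the nesting."""
    decoded, rounds = decode_fully(raw_param)
    return rounds > 1 or looks_like_sqli(decoded)


# Constructed sample values for the image.php parameter (not captured from the VM).
SAMPLES = {
    "benign": "logo.png",
    "single_encoded": "logo.png%27%20or%201%3D1",
    "double_encoded": "logo.png%2527%2520or%25201%253D1",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:15} naive={naive_inspect(raw)!s:5} hardened={hardened_inspect(raw)}")
```

The naive check misses the double-encoded sample because after one decode it still reads `logo.png%27%20or%201%3D1`, which contains none of the tokens; the hardened check catches it on the second decode round.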
Since I knew the database name, I used the proxy to do manual SQLi. Oh, and I also guessed the table and column names. I had no clue about those. Pure luck.
I tried SSH’ing into the box with the credentials and it worked.
Remember the /bin/andrea sandboxed shell? All we had to do was redirect the output again to stdout. I used python to spawn my sh shell.
Since the goal is to execute the flag and I needed to be root, I looked up some privilege escalation exploits for Linux 3.13.0 on Ubuntu and ran Python’s SimpleHTTPServer module to serve them.
I used wget to download the source and gcc to compile it. I got root. Now all we have to do is execute the flag.
That’s all for today folks, I hope you enjoyed.