6Days Lab – VulnHub #2

6Days is another VulnHub VM which is a bit harder than the [PRIMER], but here we go. I started off with netdiscover to find the victim's IP. Then I ran nmap to search for open ports.
I immediately started scanning port 80 with nikto to see if I could find anything useful. Sadly nothing was helpful. The filtered proxy port will come in handy later.
Since nikto didn't help, I navigated to the site itself and was greeted with a nice webpage. I actually like the design.
I tried the discount code. It had expired.
I thought this was the perfect spot for SQLi, but the IPS stopped me.
While checking the source of index.php I noticed something unusual: the image was actually being loaded through a PHP script called image.php.
I intercepted the request with Burp and got hold of the PHP source. SQLi was confirmed, but the IPS was making it impossible to exploit directly.


I also got the MySQL credentials, but they weren't of any use since the MySQL port wasn't open.
I read /etc/passwd and found that the user andrea uses a custom shell which redirects its output to /dev/null. This means that when we type a command we can't see any output. Let's keep that in mind.


Having nothing else to try, I double-encoded the URL and, amazingly enough, it worked: the IPS didn't block me.
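To make the bypass concrete, here is an added example (my own model, not code from the write-up or the VM) of why double percent-encoding slips past an inline IPS: the IPS decodes the request once and signature-matches what it sees, while the backend ends up decoding the value a second time. The signature list, the sample injection string and the "decodes twice" backend are assumptions standing in for the real stack; the write-up only tells us that the double-encoded request went through.

```python
from urllib.parse import quote, unquote

# Constructed signature list standing in for the VM's IPS rules
# (assumption: the real rule set is not known from the write-up).
IPS_SIGNATURES = ("'", '"', " or ", " and ", "union", "select", "--", "/*", "sleep(")


def ips_sees(raw_query: str) -> str:
    """What a typical inline IPS matches against: the request percent-decoded once."""
    return unquote(raw_query).lower()


def ips_blocks(raw_query: str) -> bool:
    """True if any signature appears in the once-decoded request."""
    seen = ips_sees(raw_query)
    return any(sig in seen for sig in IPS_SIGNATURES)


def backend_receives(raw_query: str) -> str:
    """Model of a backend that decodes twice: the web server decodes the URL once
    and the application (or an intermediate proxy) decodes the parameter again."""
    return unquote(unquote(raw_query))


def single_encode(payload: str) -> str:
    """Ordinary URL encoding: ' -> %27, space -> %20, = -> %3D."""
    return quote(payload, safe="")


def double_encode(payload: str) -> str:
    """Encode the already-encoded string again: the '%' of the first pass becomes
    '%25', so the IPS's single decode only yields the harmless-looking %27, %20..."""
    return quote(quote(payload, safe=""), safe="")


def attempt(payload: str, encode) -> dict:
    """Send `payload` through the given encoder and report each party's view."""
    raw = encode(payload)
    blocked = ips_blocks(raw)
    return {
        "on_the_wire": raw,
        "ips_sees": ips_sees(raw),
        "blocked": blocked,
        "backend_receives": None if blocked else backend_receives(raw),
    }


if __name__ == "__main__":
    PAYLOAD = "1' or '1'='1"  # constructed sample injection string
    for name, enc in (("single", single_encode), ("double", double_encode)):
        print(name, attempt(PAYLOAD, enc))
```

The caveat a practitioner should keep in mind: this only works when something behind the IPS really does decode a second time. If the backend decodes once, the double-encoded payload reaches the query as a literal `%27` and the injection simply fails, so the bypass is a property of the deployment, not of the IPS alone.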
Since I knew the database name, I used the proxy to do manual SQLi. I also guessed the table and column names; I had no clue about those. Pure luck.
I tried SSH'ing into the box with the credentials and it worked.
Remember the /bin/andrea sandboxed shell? All we had to do was redirect the output back to stdout. I used python to spawn a sh shell.
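The escape relies on the restricted shell only throwing away one file descriptor. The following is an added example, a constructed model of such a shell rather than the VM's actual /bin/andrea (whose source is not shown in the write-up): it runs each command with stdout sent to /dev/null, and the escape is to re-point stdout at a descriptor the sandbox left alone. The assumption that only stdout is redirected is mine; in an interactive SSH session the same trick works with `>/dev/tty` even if stderr were also silenced.

```python
import subprocess


def sandboxed_run(command: str) -> str:
    """Constructed model of the restricted shell: run `command` through /bin/sh
    with stdout discarded, exactly like a wrapper that appends '>/dev/null'.
    Returns whatever still reaches the caller on stderr (assumption: the
    sandbox leaves stderr untouched)."""
    result = subprocess.run(
        ["/bin/sh", "-c", command],
        stdout=subprocess.DEVNULL,  # the sandbox's redirect: stdout -> /dev/null
        stderr=subprocess.PIPE,     # left open by the sandbox, so this is the way out
        text=True,
        timeout=5,
    )
    return result.stderr


def run_silenced(command: str) -> str:
    """What the user sees when typing a command as-is: nothing."""
    return sandboxed_run(command)


def run_escaped(command: str) -> str:
    """Redirect the command's stdout onto stderr before the sandbox's own
    redirect applies, so the output comes back through the open descriptor.
    Interactively one would use '>/dev/tty' instead, which works even when
    stderr is also sent to /dev/null."""
    return sandboxed_run(f"{command} 1>&2")


if __name__ == "__main__":
    print(repr(run_silenced("echo hello")))  # nothing comes back
    print(repr(run_escaped("echo hello")))   # 'hello\n'
```

Spawning an interactive shell with python, as the post does, is the same idea taken one step further: once a single command can be made to talk to the terminal, that command can be an interpreter that starts a fresh sh whose descriptors are all attached to the tty.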
Since the goal is to execute the flag and I needed to be root, I looked up privilege escalation exploits for Ubuntu with kernel 3.13.0 and started Python's SimpleHTTPServer module to serve the exploit.
I used wget to download the source and gcc to compile it. I got root. Now all we have to do is execute the flag.
Voila! Done.
That's all for today folks, I hope you enjoyed it.
