Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Tornado Walkthrough

(Tips: LFI through alias, SQL Truncation Attack, Blind RCE, NPM to shell, Caesar Cipher)

A very interesting and hard (in my opinion) VM. It can be downloaded here. It's my first time playing a machine with this much new stuff, so I wrote this walkthrough for learning purposes.

Thanks to the creator of the machine, "catchme_75" from InfoSec Articles. I also learned from the writeup by Sys7em.


Scan the ports with Nmap.



Port 80 serves the default Apache page, so we brute-force directories.



Then brute-force the directories under /bluesky.



In /bluesky/singup.php, we can sign up a new user.



If we try to sign up a username that is already registered, the server shows an alert message.



Logging in as the new user, we can browse several pages: dashboard.php, about.php, port.php. contact.php is unavailable. And port.php hints that there may be an LFI vulnerability.



Checking the source code of port.php, we see a comment.



There is indeed an LFI vulnerability here, but not in any of the web pages (I tested each page and failed). The vulnerability comes from the server's configuration: using the user alias in the URL, we get the content of imp.txt.



These look like usernames for the dashboard. Although we could brute-force the password of admin@tornado, even if we log in we can do nothing more, so I skipped this step to save time.

In fact, the key account is "jacob@tornado". It is already registered, and its password cannot be brute-forced. Here we need a SQL truncation attack. We change the maxlength limit of the username field from 13 to 15 and register with the username "jacob@tornado l", that is, the username followed by a space and one more character. The duplicate check sees a different string, but the username column truncates the value to its own length (13 here), so the stored username becomes "jacob@tornado" with the password we chose.



Then we can successfully log in as jacob@tornado. This time contact.php is available, and the comment function appears.



If we input anything in the comment, nothing happens. If we input "id", still nothing happens. But if we input "id;sleep 5", in Burp Suite we can see the server responds after 5 seconds.



Looks like a blind RCE. So let's get a reverse shell.



Now we are www-data; run sudo -l.



We need to escalate privileges using npm. I found the method on the internet.

In /tmp, make a directory /tmp/shell, cd into it, then create a package.json as follows:

{
  "name": "shell",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "shell": "./shell.sh"
  },
  "author": "",
  "license": "ISC"
}

Create a shell.sh containing only the line "bash", and make it executable.


Run npm to get a new shell.



In catchme's home folder, we upload our id_rsa.pub into .ssh, rename it to authorized_keys, and now we can get an SSH terminal.

In the home folder, we find enc.py, which contains an encrypted string.



There is no other way to get root, but by decrypting this string we can get the root password. We can decode it at this site: http://rumkin.com/tools/cipher/caesar-keyed.php. All we need to do is try different single-character keys (a, b, c, etc.) until we get the correct password.




BTW, if we read enc.py carefully, we can see it's not that difficult. The most important part of the code works like this: it takes a letter as the encryption key, saves it in the variable "k", and does three things:

(1) the letter "a" is changed to "k";

(2) letters between "a" and "k" are shifted back by one;

(3) letters greater than "k" are left unchanged.
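As an added illustration (not the VM's enc.py, and not code from the original post), here is a reconstruction of the three rules above as a Python encrypt/decrypt pair, plus the same try-every-key loop that the walkthrough does by hand on rumkin. It assumes only lowercase letters are affected and everything else passes through; the net effect of the rules is that the segment a..k is rotated by one position.

```python
import string


def shift_encrypt(plaintext: str, k: str) -> str:
    """Apply the three rules from the walkthrough with single-letter key k.

    Assumption: only lowercase letters are touched; other characters pass
    through unchanged.
      (1) 'a'            -> k
      (2) 'b' .. k       -> previous letter
      (3) letters after k -> unchanged
    """
    if len(k) != 1 or k not in string.ascii_lowercase:
        raise ValueError("key must be a single lowercase letter")
    out = []
    for c in plaintext:
        if c == "a":
            out.append(k)
        elif "a" < c <= k:
            out.append(chr(ord(c) - 1))
        else:
            out.append(c)
    return "".join(out)


def shift_decrypt(ciphertext: str, k: str) -> str:
    """Inverse of shift_encrypt: k -> 'a', letters 'a'..(k-1) move forward by one."""
    if len(k) != 1 or k not in string.ascii_lowercase:
        raise ValueError("key must be a single lowercase letter")
    out = []
    for c in ciphertext:
        if c == k:
            out.append("a")
        elif "a" <= c < k:
            out.append(chr(ord(c) + 1))
        else:
            out.append(c)
    return "".join(out)


def brute_force(ciphertext: str) -> dict:
    """Try all 26 single-letter keys; the right plaintext is picked by eye."""
    return {k: shift_decrypt(ciphertext, k) for k in string.ascii_lowercase}


if __name__ == "__main__":
    # Constructed sample, not the string from the VM.
    sample = shift_encrypt("password", "m")
    for key, guess in brute_force(sample).items():
        print(key, guess)
```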




