(Tips: LFI through alias, SQL truncation attack, blind RCE, npm to shell, Caesar cipher)
A very interesting and (in my opinion) hard VM. It can be downloaded here. It's my first time playing a machine with lots of new stuff, so I write this walkthrough for learning purposes.
Thanks to the creator of the machine, "catchme_75" from InfoSec Articles. I also learned from the writeup by Sys7em.
Nmap scans the ports.
Port 80 serves the default Apache page, so we brute-force the folders.
Then we brute-force the folders under /bluesky.
In /bluesky/singup.php, we can sign up a new user.
If we try to sign up a user whose username is already registered, the server gives an alert message.
Logging in as the new user, we can browse several pages: dashboard.php, about.php and port.php. contact.php is unavailable. And port.php hints that it may have an LFI vulnerability.
Checking the source code of port.php, we see a comment.
There is indeed an LFI vulnerability, but not in any web page (I tested each page and failed). The vulnerability comes from the server's configuration rather than from page code: using the user alias in the URL, we get the content of imp.txt.
These look like usernames for the dashboard. Although we could brute-force the password of admin@tornado, logging in as that user gets us nothing more, so I skipped this step to save time.
In fact, the key one is "jacob@tornado". It's already registered, and its password cannot be brute-forced. Here we need SQL truncation. We change the maxlength limit of the username field from 13 to 15 and register with the username "jacob@tornado l", that is, the existing username followed by a space and one more character.
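To make the truncation collision concrete, here is an added example (not code from the walkthrough or from the VM): a registration flow emulating a non-strict MySQL server that silently cuts an over-long username to the column width and ignores trailing spaces in comparisons, beside the hardened version that rejects over-long input and lets a UNIQUE constraint enforce identity. The column width of 13 and the password values are assumptions; sqlite3 only provides storage, so truncation and PAD SPACE comparison are emulated in Python.

```python
import sqlite3

COLUMN_WIDTH = 13          # assumed width of the username column
TARGET = "jacob@tornado"   # 13 characters, the account the page hijacks


def db_truncate(value, width=COLUMN_WIDTH):
    """Emulates a non-strict MySQL server silently cutting an over-long
    value to the column width instead of raising an error."""
    return value[:width]


def pad_space_equal(a, b):
    """Emulates PAD SPACE collations: trailing spaces are ignored on compare."""
    return a.rstrip(" ") == b.rstrip(" ")


class UserStore:
    def __init__(self, strict):
        self.strict = strict
        self.db = sqlite3.connect(":memory:")
        unique = "UNIQUE" if strict else ""  # the vulnerable schema has no unique key
        self.db.execute(f"CREATE TABLE users (username TEXT {unique}, password TEXT)")
        self.db.execute("INSERT INTO users VALUES (?, ?)", (TARGET, "original-secret"))

    def register(self, username, password):
        if self.strict:
            # Hardened: normalise whitespace first, then refuse anything the
            # column cannot hold verbatim, so nothing is ever truncated.
            username = username.strip()
            if not username or len(username) > COLUMN_WIDTH:
                return "rejected: invalid length"
        # Duplicate check runs on the value as submitted: "jacob@tornado l"
        # is not found, so the vulnerable path continues to the INSERT.
        row = self.db.execute(
            "SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
        if row:
            return "already registered"
        stored = username if self.strict else db_truncate(username)
        try:
            self.db.execute("INSERT INTO users VALUES (?, ?)", (stored, password))
        except sqlite3.IntegrityError:
            return "already registered"
        return "registered as %r" % stored

    def login(self, username, password):
        # Row-by-row compare with PAD SPACE semantics, as a MySQL lookup would.
        for user, pw in self.db.execute("SELECT username, password FROM users"):
            if pad_space_equal(user, username) and pw == password:
                return True
        return False


def demo():
    """Run the attack against both schemas and return what each one did."""
    vuln = UserStore(strict=False)
    r_vuln = vuln.register(TARGET + " l", "attacker-pw")   # stored as 'jacob@tornado'
    hijacked = vuln.login(TARGET, "attacker-pw")           # True: second row matches
    hard = UserStore(strict=True)
    r_hard = hard.register(TARGET + " l", "attacker-pw")   # rejected before storage
    blocked = hard.login(TARGET, "attacker-pw")            # False
    return r_vuln, hijacked, r_hard, blocked


if __name__ == "__main__":
    print(demo())
```

The fix is two-fold: validate length server-side (the client-side maxlength is exactly what the walkthrough changes in the browser) and run the server in strict SQL mode with a unique index, so an over-long or colliding value raises an error instead of being silently truncated.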
Then we successfully log in as jacob@tornado. This time contact.php is valid, and the comment function appears.
If we input anything in the comment, nothing happens. If we input "id", still nothing happens. But if we input "id;sleep 5", in Burp Suite we can see the server respond after 5 seconds.
It looks like a blind RCE. So let's get a reverse shell.
Now we are www-data; run sudo -l.
We need to escalate to another user using npm. I found the method on the internet.
In /tmp, make a directory /tmp/shell, go into it, and create a package.json as follows:
{
  "name": "shell",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "shell": "./shell.sh"
  },
  "author": "",
  "license": "ISC"
}
Create shell.sh, containing only the single line "bash", and make it executable.
Run npm to get a new shell.
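From the defender's side, the lesson of this step is that a sudo rule on npm is effectively a sudo rule on a shell, because package.json "scripts" run whatever the invoker wrote. The following added example (my code, not part of the walkthrough) parses sudo -l output and flags such rules; the sample output is constructed to match the shape the www-data shell above would see, and the hostname, the second rule and the extra binaries in SCRIPT_RUNNERS are assumptions.

```python
import re

# Constructed sample of `sudo -l` output; hostname and second rule are assumed.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on tornado:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on tornado:
    (catchme) NOPASSWD: /usr/bin/npm
    (root) /usr/bin/systemctl restart apache2
"""

# Binaries whose normal operation runs caller-supplied scripts, so a sudo rule
# on them grants the target user's shell. npm is the one the page uses; the
# others are assumed additions for a broader audit.
SCRIPT_RUNNERS = {"npm", "yarn", "node", "python3", "perl", "bash", "sh"}

# "(runas) TAG: TAG: command ..." as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_rules(sudo_l_output):
    """Return (runas, tags, command) tuples from the rules section of `sudo -l`."""
    rules = []
    in_rules = False
    for line in sudo_l_output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules:
            continue                 # skip the Defaults block
        m = RULE_RE.match(line)
        if m:
            tags = tuple(t.rstrip(":") for t in m.group("tags").split())
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules


def audit(sudo_l_output):
    """Flag rules that hand out a script-running binary; NOPASSWD raises severity."""
    findings = []
    for runas, tags, cmd in parse_rules(sudo_l_output):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SCRIPT_RUNNERS or cmd == "ALL":
            severity = "high" if "NOPASSWD" in tags else "medium"
            findings.append({
                "runas": runas,
                "command": cmd,
                "severity": severity,
                "reason": f"{binary} can execute arbitrary commands as {runas}",
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L):
        print(finding)
```

The mitigation is to grant a narrowly scoped wrapper script instead of npm itself, or at least a rule that pins the full command line, since sudo's argument matching cannot see inside the package.json that npm will read.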
In catchme's home folder, we upload our id_rsa.pub into .ssh and rename it to authorized_keys; now we can get an SSH terminal.
In the home folder, we find enc.py, which contains an encrypted string.
There is no other way to get root: decrypting this string gives the root password. We can decode it at this site: http://rumkin.com/tools/cipher/caesar-keyed.php. We just need to try different single-character keys (a, b, c, etc.) until we get the correct password.
By the way, if we read enc.py carefully, it's not that difficult. The most important code is below. It takes a letter as the encryption key, saves it in the variable "k", and does three things:
(1) the letter "a" changes to var "k"
(2) letters between "a" and var "k" move back by one
(3) letters bigger than var "k" are unchanged.
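The three rules describe a rotation of the alphabet segment a..k by one position, which is why it inverts cleanly and why trying all 26 keys is enough. The following added example (my reconstruction of the described rules, not the VM's enc.py) implements encryption, the inverse, and the brute-force loop the page performs by hand. It assumes rule (2) covers letters strictly after "a" up to and including k, and that only lowercase letters are transformed (the page describes no other characters).

```python
import string

LOWER = string.ascii_lowercase


def _check_key(k):
    k = k.lower()
    if len(k) != 1 or k not in LOWER:
        raise ValueError("key must be a single letter a-z")
    return k


def encrypt(plaintext, k):
    """Apply the three rules the page lists for enc.py with single-letter key k."""
    k = _check_key(k)
    out = []
    for c in plaintext:
        if c == "a":
            out.append(k)                  # (1) 'a' becomes the key letter
        elif "a" < c <= k:
            out.append(chr(ord(c) - 1))    # (2) letters after 'a' up to k move back one
        else:
            out.append(c)                  # (3) letters above k (and non-lowercase) unchanged
    return "".join(out)


def decrypt(ciphertext, k):
    """Invert encrypt: k turns back into 'a', letters below k move forward one.
    Only 'a' can produce k under rule (1), and rule (2) never outputs k, so
    the mapping is a bijection and this inverse is exact."""
    k = _check_key(k)
    out = []
    for c in ciphertext:
        if c == k:
            out.append("a")
        elif "a" <= c < k:
            out.append(chr(ord(c) + 1))
        else:
            out.append(c)
    return "".join(out)


def candidates(ciphertext):
    """All 26 decryptions keyed by the letter tried: the page's manual
    'try a, b, c, ...' loop, done in one pass."""
    return {k: decrypt(ciphertext, k) for k in LOWER}


if __name__ == "__main__":
    # Constructed sample, not the string from the VM's enc.py.
    sample = encrypt("tornado", "m")
    for key, guess in candidates(sample).items():
        print(key, guess)
```

The key space of 26 is the whole weakness: a secret protected by this scheme is recovered with a single loop, regardless of how long the encrypted string is.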