Proving Ground Play — Potato
After almost completing ALL the hosts on Offensive Security’s Proving Grounds Practice, I decided to start going through the boxes on Proving Grounds Play AKA VulnHub, which is where I found POTATO.
Rated as INTERMEDIATE difficulty by the community, I also found it relatively easy but it forced me to do some research about PHP which is why I thought the box justified a Write-Up.
As per usual we can start the enumeration process by performing an Nmap scan for ALL open ports by running the following command:
sudo nmap -p- — open -vv 192.168.98.101
Once the scan completes we notice that the host listens on port 22,80 and 2112 we can perform more in-depth enumeration of the open ports by running the following command.
sudo nmap -p22,80,2112 -sC -sV 192.168.98.101
Having found the open ports we can start enumerating them further manually.
FTP on Port 2112
Based on the Nmap scan results above we can see that the FTP Service on Port 2112 allows anonymous authentication and also has some files for us to investigate. Further based on the privileges we DON’T have write privileges so we wont be able to upload anything, however its something I always test.
In order to grab the files follow the steps below:
- ftp <IP ADDRESS> -p 2112
- Specify “anonymous” as the Username
- Specify <ANYTHING… No I mean anything> as the password
- To list the files use “ls -la”
- To get the files “get index.php.bak” and “get welcome.msg”
Lets see what clues we can find in the files we downloaded. The index.php.bak file has some very valuable information and we can only assume that this was a backup copy of something we are yet to find on Port 80 (HTTP) through manual enumeration.
File contents Below:
Some interesting items to note in the file:
- Its clearly a type of PHP authentication page
- There is a password specified as “potato” ($pass= “potato”) but the comment also clearly states it should be changed, lets hope they ignored it.
- The PHP page makes use of “LOOSE” PHP Comparisons i.e. == and not === (Strict)
We can now continue manual enumeration of Port 80 (HTTP)
HTTP on Port 80
Now that we have some clues to work with, lets continue to enumerate the HTTP Services hosted on Port 80.
To start, lets browse the site itself using your browser of choice (NOTE: Check out Brave Browser if you’re not using it yet).
The screenshot below shows the home page hosted on http://<IP ADDRESS>/
Unfortunately not much to go by, so let’s go ahead and brute force some directories.
PS, if you’re not using FFuF you’re not Fuzzing Fast enough Fool. I can seriously recommend FFuF, it’s awesome not only for directory enumeration, but also for testing other vulns such as LFI / RFI / SQLi / XXE /XSS and what the …. ever else PLUS RECURSION!!!!!!!! Go On, Get Some GitHub — ffuf/ffuf: Fast web fuzzer written in Go
So to enumerate some directories and files lets use the following command:
ffuf -c -ic -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://192.168.98.101/FUZZ -mc all -fc 404 -e .html,.php,.cfg,.txt -recursion
Lekker (Thats afrikaans for “nice”) Command Breakdown below
- c === Colour output
- ic === Ignore wordlist comments
- w === Wordlist to use
- u === URL to enumerate
- mc === Which HTTP Codes to Report
- fc === Which HTTP Codes to Filter i.e. 404
- e === File extensions to enumerate
- recursion === Recursively enumerate directories i.e. add a new FFuF job for discovered directories
My command breakdown is “lekker” but whats MORE “lekker” is the fact that we also found a new web location that might just be what we’re looking for namely /admin/
Lets proceed to http://<IP Address>/admin
Now that looks like something worth exploring further, so lets review the Page Source by right clicking on the page and selecting
Page Source is displayed below:
The /admin/ page’s source code looks very similar to the code we found in index.php.bak, so we can only assume that the same methods and and vulnerabilities exist in the code within /admin/index.php.
Now that we have a better understanding of the host, and its various pages, lets start to exploit the host.
Now admittedly PHP is not my strong point so I spent quite some time trying different things like manually setting the cookie, brute force attacks on the page using the admin user, further directory enumeration but nothing else was found which led me to researching the actual PHP authentication mechanism.
From my research I found that PHP has two comparison modes namely:
- LOOSE ==
- STRICT ===
Further research revealed a host of vulnerabilities related to PHP’s comparison model and a method called “TYPE JUGGLING”. For anyone interested in Web Application Pentesting should spend some time reading about Type Juggling, a good place to start is the link below:
This is also where I found my way past the /admin/ page by means of a PHP specific authentication bypass.
Lets take a look at some code from index.php.bak
if (strcmp($_POST[‘username’], “admin”) == 0 && strcmp($_POST[‘password’], $pass) == 0)
If we look at the above code it essentially checks the following;
- Has “admin” been specified as the username then == 0
- Does the Password specified match the variable “$pass” then == 0
Now because we control the “ $_POST[‘password’]” value we can replace the input with whatever we want.
So instead of Posting “password=notThePassword” we can submit an array such as “password=”. PHP translates POST variables like this to an empty array which in turn translates to NULL, which translates to 0 OR ==0.
In order to executer the attack we will make use of good-ole Burpsuite.
- Start by capturing the actual login in Burpsuite and send it to repeater
2. Now that we have the request in Burpsuite> Repeater we can manipulate the various parameters in order to exploit the Vulnerability.
In order to exploit the vulnerability modify the “password=<SPECIFIED PASSWORD>” value in burpsuite repeater to “password=” and “send”
Once you hit send you will notice the Response welcoming you to dashboard.php, but also as per he code below, a cookie is also set to the actual value of $pass meaning we now also have the applications admin password.
setcookie(‘pass’, $pass, time() + 365*24*3600);
Now that we have access what can we do, lets take a look at the dashboard page
Going through the various functions, there’s not much to do, User shows an admin user, Date shows the Hosts’ date, Ping, well that pings google’s DNS (184.108.40.206) awesome, HOWEVER, Logs has some additional functions we may be able to leverage.
Let’s see what that request looks like in Burpsuite by capturing a request to get log_01.txt and then as per the previous steps, send the request to repeater.
The important part to notice is the “file” value, I’m convinced we can grab some sensitive information by changing the request to something like ../../../../../etc/passwd let’s test.
Modify the request as per below
Well what do you know we managed to get the contents of /etc/passwd and more importantly some moron left a password in the /etc/passwd file
Now that we have a username “webadmin” and a password hash, let’s get cracking… get it… cracking… lekker.
Lets start by understanding what type of password hash were dealing with by using the following command:
echo ‘<INSERT HASH HERE>’ | hashid -m -j
The above message tells us its an MD5 hash and we can use the Mode 500 for hashcat to crack it.
- echo ‘<INSERT HASH HERE>’ > hash.txt
- hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt
OR If John is your friend
john — format=md5crypt — wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Now that we have a username and a password lets use it to ssh to our target using:
ssh <USERNAME>@<IP ADDRESS>
LEKKER, we have access.
Now that we have access to the host, lets start performing local enumeration with the intent of local Privilege Escalation
We can start to see what sudo privileges we have by running the following command:
As you can see we are allowed to run /bin/nice as root on file located in /notes/*
In order to escalate our privileges lets create a local shell script that executes /bin/bash
- echo ‘#!/bin/bash’ > /tmp/privEsc.sh
- echo ‘/bin/bash’ >> /tmp/privEsc.sh
- chmod +x /tmp/privEsc.sh
Now we can exploit the misconfiguration vulnerability by executing the following command.
sudo -u root /bin/nice /notes/../tmp/privEsc.sh
And thats a wrap!
I thoroughly enjoyed this box, please see link below to get access to Offensive Security’s Proving Grounds https://www.offensive-security.com/labs/