Falafel was one of my favorite machines on Hack The Box. Thanks to it I learned many new tricks for the web part. The privilege escalation part was very exotic! Here is my solution :D.
First of all, we run this command to enumerate the open ports on the system:
Ports 22 and 80 are open, for the SSH and web services. Open the browser and go to 10.10.10.73 to see the web page:
Mmmm, there is a login link; let's open it and look at the login page:
The first thing we can try is to check for a SQL injection vulnerability. To test it, we can insert the following string as the username:
and press the login button with a random password. The web page answers: Wrong identification: admin. Wait a moment, we did not enter “admin” in the login form → there is SQL injection! 😀
Now, we have two ways:
- The first way is to use sqlmap to dump the database, but with this we do not learn anything!
- The second way is to write a script that dumps the passwords!
But how does the login form work?
Under normal conditions, a user types their username and password and clicks “login”.
The server first checks whether the username is present in the database with a SQL query, and after that checks whether the password entered matches the user's password with another SQL query. OK, but what happens if we type ' or 1 = 1 as the username? The SQL query will probably look like this:
Then the database returns all users, because the condition is always true. After that, since the query returned users, the PHP code checks whether the typed password is correct, but obviously there is no match, so it returns “wrong identification: admin”. But why admin? Probably because it is the first row in the users table.
How do we use this vulnerability to dump a password? If we write “admin' and password like 'X%' -- ”, the SQL query will look like this:
which means: “give me the user named admin whose password starts with X”. If there is a match, the login page answers “wrong identification: admin”, otherwise “Try again..”. This gives us a yes/no oracle, one character of the hash at a time.
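As an added example (not the Falafel site's code, which we never see), here is a user lookup written the way the write-up guesses the login works, beside the prepared-statement fix. It uses an in-memory SQLite table with constructed users, so it assumes the pdo_sqlite extension is installed.

```php
<?php
// Added example: a user lookup built by string concatenation, as the
// write-up assumes the Falafel login does, beside a prepared-statement
// version. Table contents are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('admin', '0e830400451993494058024219903391')");
$db->exec("INSERT INTO users VALUES ('chris', '" . md5('juggling') . "')");

// Vulnerable: the username becomes part of the SQL text, so a quote closes
// the string, "and password like 'X%'" is appended and "--" hides the rest.
function findUserVulnerable(PDO $db, string $username): ?string
{
    $sql = "SELECT username FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// Hardened: the value travels separately from the SQL, so the same input
// is only looked up as a (non-existent) literal user name.
function findUserSafe(PDO $db, string $username): ?string
{
    $stmt = $db->prepare("SELECT username FROM users WHERE username = ?");
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// The page's two payloads, plus a prefix that does not match the stored
// hash, run through both lookups: the vulnerable one answers the oracle
// question ("admin" or nothing), the safe one never finds such a user.
$inputs = [
    "' or 1 = 1 -- ",
    "admin' and password like '0%' -- ",
    "admin' and password like 'f%' -- ",
];
foreach ($inputs as $input) {
    printf("%-36s vulnerable: %-7s safe: %s\n", $input,
        var_export(findUserVulnerable($db, $input), true),
        var_export(findUserSafe($db, $input), true));
}
```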
Below is a script for this purpose:
Yeah, the dumped hash is:
But there is no match on crackstation.net 🙁.
Maybe there is another user in the system.. Let's adapt the script to search for another user and then dump his password!
The other user is “chris”, so we put him in our script and run it:
And the crackstation.net output:
Cool 😀 ! Now we log in as chris with the password juggling:
The first thing that appears is a hint on chris's profile page. Chris is a juggler, and his hobby and pen testing sometimes have something in common.. Maybe there is a vulnerability connected with juggling? Yes, this vulnerability is PHP type juggling! If you want to know more about it, see this OWASP document: https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf.
If we search Google for “PHP type juggling”, we find this page, which has a magic number for the admin password hash! The number is 240610708: its MD5 hash starts with 0e followed only by digits, so when PHP compares it with == to a stored hash of the same form, both sides are read as the number zero and the check passes. If we use it in the login form with the user “admin”, we get into the admin page!
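As an added example (not the site's code), here is the loose comparison that the magic number defeats, beside a byte-wise check. The stored admin hash is constructed: md5("QNKCDZO") is another well-known hash of the form 0e followed by digits, standing in for the real admin hash we never cracked.

```php
<?php
// Added example: the == password check that the magic number exploits,
// beside a byte-wise check. The admin hash is constructed for the demo:
// md5("QNKCDZO"), a well-known hash of the form 0e<digits>.
$storedAdminHash = md5('QNKCDZO');

// Vulnerable: both strings are numeric ("0e..." reads as 0 times 10^n),
// so PHP compares them as floats and 0 == 0 holds for any such pair.
function passwordMatchesLoose(string $storedHash, string $input): bool
{
    return md5($input) == $storedHash;
}

// Hardened: hash_equals() compares the bytes (in constant time); === would
// also refuse to treat two different strings as equal.
function passwordMatchesStrict(string $storedHash, string $input): bool
{
    return hash_equals($storedHash, md5($input));
}

// Shows that the magic number's own hash has the 0e<digits> shape, that it
// passes the loose check against a different 0e hash, and that the strict
// check only accepts the real password.
echo "md5(240610708)      = ", md5('240610708'), "\n";
echo "stored admin hash   = ", $storedAdminHash, "\n";
echo "loose  / magic number: ", var_export(passwordMatchesLoose($storedAdminHash, '240610708'), true), "\n";
echo "strict / magic number: ", var_export(passwordMatchesStrict($storedAdminHash, '240610708'), true), "\n";
echo "strict / real password: ", var_export(passwordMatchesStrict($storedAdminHash, 'QNKCDZO'), true), "\n";
```

The fix applies to every PHP comparison of user input against a hash: use === or hash_equals(), never ==.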
In the admin panel there is an image upload form. We can try to upload a crafted image containing PHP code and run it to get into the server, but how? The upload form accepts only images with the png or jpeg extension, not php, but the web server runs PHP code only if the file has a php extension! How do we bypass this check? Let's examine the request with Burp to see what happens.
Mmmm, to upload an image the web server uses the wget command. How does it work? wget downloads a file and saves it with the name given in the URL. What happens if we use a very long URL?
Yeah, we have bypassed the extension check: the server's OS does not allow saving a file with a name that long, so wget has to cut the file name in order to save it. Now we have our script on the server, with a reverse shell taken from this site: http://pentestmonkey.net/tools/web-shells/php-reverse-shell.
Perfect, now we are on the system as the www-data user! The next step is privilege escalation. Examining the system, we see there are two users, moshe and yossi, and examining the web site files we find a file called “connection.php”, which contains moshe's database credentials, and they are the same as his system account!
We use these credentials for SSH, and now we are on the system as moshe. Now we can get the flag user.txt ;). The next step is to switch to the yossi account, but how? Examining the system with the LinEnum script, we notice this detail:
moshe and yossi are in different groups, which means they have different permissions on the system! An important group for moshe is “video”, which allows moshe to read the file “/dev/fb0”. This file is a representation of the system screen (the framebuffer). We can open it with the following script (taken from this site):
This script opens the “fb0” file and converts it into a PNG image. But there is a problem: the script's parameter is the screen resolution. What is Falafel's resolution?
To get this parameter we can read this file:
where video2.data is the fb0 file. The result is:
Cool! Now we enter the system as yossi. The next step is getting root ;). This step is easier because we know yossi's groups. An important group is “disk”, because it allows yossi to read the whole filesystem on the disk sda1, so yossi can also read all of root's files! We can use this command to get root.txt:
or, if we want a shell, we can get root's SSH key:
Now we are administrator on the Falafel system 😉