Happy New Year to all my readers!

There are many things on my personal roadmap for 2012! How about you ?

If you want to get certified in the penetration testing field (like me 🙂 ) you have to practice a lot since most of the best courses & exams like eCPPT and OSCP/E are practical exams! Therefor I am currently working on some hack-mes, one of them, which I’ve recently solved, is “HackademicRTB1” provided by ghostinthelab.

You can download the vulnerable VMware-Workstation image here: http://ghostinthelab.wordpress.com/

The goal is to read the key.txt file placed in the root directory. If you want to solve this Hackme by yourself, stop reading here!

My solution:

Before doing anything else do a little nmap action to find out if there are any other ports open (and therefor exploitable) beside the HTTPd one:

Port 80 is worldwide open running an Apache 2.2.15, since there is no public exploit available for this version and there is no other port open, you have to get in using a common web-attack. Have a look at the website itself:

There are two possible links, and et voila the “Uncategorized” is vulnerable to a classic SQL Injection:

Oh, this error message reveals that the site is running a WordPress – wp_categories is a typical WordPress – table. Let’s complete the SQLi by hand or using sqlmap and dump the userdatabase “wp_users” of wordpress:

Sqlmap automatically brute-forces the passwords. After some trial & error you’ll find out that the user “GeorgeMiller” is an administrative user. Since wordpress has got a fileupload function, this will be my key to access an interactive shell. Login to the WordPress wp-admin – backend with username “GeorgeMiller” and password “q1w2e3” and activate the upload-functionality (and do not forget to add the “.php” extension to the “allowed file extensions” list, so we can upload a shellscript):

There is a simple PHP reverse shell script delivered with Backtrack, which I will upload via wordpress for later usage. You can also use other shellscripts like C99 or R57, but this is a bit oversized for now:

That’s been quite simple until here. Now you just need to launch a netcat-session which will listening to the port defined in the “phpreverseshell_01.php” script:

and execute the reverse-shell script using your favourite browser, and et voila there’s the shell:

As you can see here the shell is run by the user “apache” which runs the httpd too. That’s basically ok, but we’re not allowed to list files within the /root/ directory:

So we need to get root-privileges somehow…Let’s check the kernel version…

…and now let’s have a look if there is a usable privilege escalation exploit for this version. After doing some googling:

Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit

The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS)
protocol implementation in the Linux kernel before 2.6.36 does not properly validate
addresses obtained from user space, which allows local users to gain privileges
via crafted use of the sendmsg and recvmsg system calls.

Looks usable :-)! Let’s download the exploit source to the target machine and compile it using gcc:

Launch it:

and finally, we’ve got our root shell and are able to read the contents of the key.txt within the /root/ directory:

There might be different ways to solve this Hackme. Feel free to comment them here.

HackademicRTB1 challenge solution
Tagged on:                 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.