22/tcp open ssh syn-ack ttl 64 OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
8880/tcp open http syn-ack ttl 64 Apache httpd 2.2.16 ((Debian))

As you can see, the box is pretty tightly locked. Oh well, we knew from the challenge title that it was going to be web-based. So let's see what's on the web server. On the Info tab there is this very appealing request to report any vulnerabilities we may find with the site:

"Developer was really drunk while writing these code lines. Act like a pro and report any security flaws that you spotted around."

Exploit

First I uploaded a normal image, which then gets displayed on the image.php page. Next I uploaded a reverse PHP shell and changed the Content-Type header from application/x-php to image/png. This gave me an invalid file extension error. Then I tried again, but this time I also changed the extension from PHP to PNG. This error kept flagging all my other attempts (I tried uploading with double extensions, or keeping just the PNG magic number with the rest PHP code).

So I went back to the start and once again found out that something I had dismissed as unimportant would play an important role in exploiting the target. When uploading a correct image, I noticed a cookie was set: trypios=246f7045b13ca34bd0fb443a038605de. And when I looked at the image source, which I should have done in the first place, it looked like this: images/246f7045b13ca34bd0fb443a038605de.png.

Now I knew where to access my uploaded files, but I still couldn't upload any PHP file. I remembered the mission briefing that stated this is a custom application, and I thought there might be a filter that could catch the reverse shell, so I wrote a one-line PHP script that simply echoes back a message. I thought it might be deemed harmless enough if there is a filter in place. And I finally managed to fool the application into uploading it by simply giving it a double extension of .png.php (something that I had tried before with the reverse shell, and it got caught). However, after successfully uploading it, my "cool image" wasn't displayed at all, and it didn't exist in the source either. I navigated directly to where it should be (based on the cookie value), which in my case was at

And boom! The string "RCE possible" was displayed, which is exactly what I had my script outputting! The key takeaway here was that the file upload vulnerability was easily exploited by adding a double extension, but there was also a filter in place that flagged certain PHP code and prevented the upload, because I could get code execution with a simple echo script but not with the reverse shell. With this information, I made another simple script to see if I could get command execution on the target:

Nice twist on this file upload vulnerability!

Report

This was another interesting challenge that seemed straightforward at the beginning but required more trial and error to solve. The steps that led to the exploitation were:

- Server was vulnerable to unrestricted file upload that led to remote code execution
- The filter that tried to protect against malicious code didn't stop everything that an attacker could use
- Files in Bob's home folder were readable, allowing the decryption of the secret message
- The hidden file was not so hidden in the /var/www directory

Mirai is by far one of the most simple machines that has ever had the pleasure of being hosted on HTB. But it's also a very good learning machine for those just starting out in the penetration testing world, like myself! Before we get into the box itself, let's take a look at some of the obvious indicators that this box gives hints to.

Unless you have been living under a rock, you've heard of the Mirai Botnet. If you haven't heard of it, cool, Read This. This is the botnet that took down the huge DNS service provider, DYN DNS. It took advantage of default credentials on Internet of Things (IoT) devices such as IP cameras, routers, thermostats, and Raspberry Pis. The botnet program essentially went around the internet, brute forced or used dictionary attacks against machines it found, and if it found anything, infected the machine and reported back to a C2 (Command and Control) server. This is a very high-level overview; it's actually a bit more complex than that.

Just like every other scan, we start with Nmap.

- -oA: output all formats (HTML, XML, GNMAP)

After the scan, the following ports are open:

I'm going to just briefly go over the web server, since it is not the true exploit or the vulnerability that will be exploited. I used Dirb and DirBuster to enumerate all of the possible directories and came upon. This is actually running an instance of Pi-hole, a network-wide ad blocking mechanism that can be deployed on a Raspberry Pi. I actually run one of these on my home network.

The key takeaway for me was to start simple and build from there when testing stuff.
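As an added example that is not part of this write-up or the challenge's code, here is a naive upload check of the kind the write-up defeats (trusting Content-Type, reading the first extension, blocklisting PHP function names) beside a hardened one that uses only the final extension, verifies magic bytes and assigns a server-chosen filename. The blocklist pattern, function names and sample inputs are assumptions constructed for illustration.

```python
import os
import re
import uuid

# Allow-listed extensions and the magic bytes a file of that type must start with.
ALLOWED_TYPES = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}

# Assumed shape of the challenge's content filter: a blocklist of dangerous PHP
# calls. It catches a typical reverse shell but not an innocuous echo script.
PHP_BLOCKLIST = re.compile(rb"\b(system|exec|shell_exec|passthru|fsockopen)\s*\(")


def naive_check(filename: str, content_type: str, data: bytes) -> bool:
    """Weak check mirroring the write-up's findings; do not use in real code.

    Trusts the client-supplied Content-Type, looks only at the first extension
    (so 'shell.png.php' passes) and relies on a blocklist of PHP functions.
    """
    if not content_type.startswith("image/"):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or "." + parts[1] not in ALLOWED_TYPES:
        return False
    return PHP_BLOCKLIST.search(data) is None


def hardened_check(filename: str, data: bytes):
    """Return a server-chosen storage name, or None if the upload is rejected.

    Ignores Content-Type entirely, takes the *final* extension from an
    allow-list, requires matching magic bytes, and never lets the user pick the
    stored extension, so a PHP payload can only ever land as '<uuid>.png'.
    """
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    return uuid.uuid4().hex + ext
```

Storing the file under the generated name inside a directory the web server never hands to the PHP interpreter closes the remaining gap, since a valid PNG with PHP appended is still harmless when it is only ever served as an image.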