digitalworld.local: DEVELOPMENT Vulnhub Walkthrough

This is a very easy web-focused VM, done in the style of some OSCP/PWK lab machines. You can download it here.

If you have experience with web pen testing and Linux this should be a quick pwn, and if you’re new, it’s a decent first box to try.

Few tools are needed other than your browser, NMAP, and an SSH client.

Important!

This one failed to get an IP address from DHCP for me with VirtualBox. But it worked fine in VMWare Workstation.

Rabbit Holes Everywhere

There’s a bunch of little jokes, just like on some of the PWK lab machines. I’ll just stick to the things that worked in this write-up.

Open Ports

NMAP reveals several, but I’ll focus on SSH and the web server on port 8080.

Let’s start with the web server.

Web Server

digitalworld.local: DEVELOPMENT – Port 8080

The root page states “There are many projects in this box. View some of these projects at html_pages.” It also claims to be powered by “IIS 6.0” which we will find out later is nonsense.

Viewing the HTML source of the page reveals a hidden comment:

<!-- Searching for development secret page... where could it be? -->

<!-- Patrick, Head of Development-->

Navigating to /html_pages as suggested by the home page reveals what appears to be the output of a Unix-style directory listing.

html_pages

Attempting to manually view these file names from the web server root reveals that they all exist, but they are mostly trolling pages. One is worth reviewing further as we know we’re looking for a “development secret page.”

development.html has a short lecture on “security by obscurity” and then another hidden HTML comment:

<!-- You tried harder! Visit ./developmentsecretpage. -->

/developmentsecretpage/ directs us to patrick.php

patrick.php

Patrick’s page

Patrick tell us a bit of his back story on this page, including that he joined the company two years ago. There is a link to a sitemap which includes a “security notice” which we will review now.

Security Notice

This page includes an admonishment to employees for using crackable passwords consisting of dictionary words, and recommends a password style like P@ssw0rd1 instead. It also states that passwords expire in 30 days but employees are allowed to “cycle” through them.

Let’s remember this password style, and that Patrick has been with the company for two years.

That logout link?

Every page so far has had a logout link in the footer. Which is kind of odd since we’ve never actually logged in at any point.

Clicking it brings up a login form:

Good Tech login form

Any username/password combo at all is accepted, and then displays a very interesting PHP error message to the screen:

Deprecated: Function ereg_replace() is deprecated in /var/www/html/developmentsecretpage/slogin_lib.inc.php on line 335

Googling the PHP filename slogin_lib.inc.php brings up several exploits and vulnerabilities for a “Simple Text-File Login script.”

One of the most basic issues is that it keeps a list of usernames and unsalted password hashes in a plain text file that is usually web-accessible, named slog_users.txt

Navigating to this users list in our web browser reveals the following list of users:

admin, 3cb1d13bb83ffff2defe8d1443d3a0eb
intern, 4a8a2b374f463b7aedbb44a066363b81
patrick, 87e6d56ce79af90dbe07d387d3d0579e
qiu, ee64497098d0926d198f54f6d5431f98

Password Cracking

I figured these would be dead simple to crack. I just pasted them into HashKiller which spits out the following:

Lazy password cracking

Testing these on SSH worked for intern but not the others.

Connecting by SSH

intern has a limited shell and can only run a few commands, one of them being echo.

Limited shell for the intern

Breaking out of jail

Googling “breaking out of limited shell” will eventually lead us to this command:

echo os.system('/bin/bash')

And it works.

Freeeeeedom

work.txt in the intern’s home directory mentions “Patrick’s start of the third year in this company!” Well, that supports the P@ssw0rd25 password we cracked above, assuming Patrick has been cycling his “secure” password monthly.

Speaking of Patrick, let’s try that password again now that we have an active SSH connection.

su patrick

Nice! So patrick was just disallowed from connecting by SSH remotely, but we were allowed to su to him once connected as a different user.

Priv Esc

sudo -l reveals that patrick can run vim and nano as root. Either of those will work for an easy root. Here’s the easier of the two:

sudo vim

Dropping to a shell from our sudo-launched vim

We can get a shell while in vim with the command :shell. It immediately drops us into a root shell, since vim was launched with sudo.

root shell

Other priv esc methods

  • Edit critical files using nano or vim such as the /etc/sudoers file or /etc/passwd
  • Use the lxd exploit that I went over in another recent CTF as Patrick is a member of the lxd group.

There may be other methods. I didn’t dig any deeper than this.

Thanks for the VM. I’ll try the other two in the series soon.


Did this post save you time, frustration, or money?


Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Comments are moderated. Please submit the form only once.