ICA1 Vulnhub Writeup
ICA:1 is a vulnhub machine available at https://www.vulnhub.com/entry/ica-1,748/.
Last updated
Starting the ICA1 box greets us with a login page showing the box's IP address. We then switch to our attacking VM and use nmap to scan that address for open ports.
The nmap scan shows three open ports: SSH, HTTP and MySQL. Since we don't have any credentials for SSH or MySQL yet, we visit the HTTP site first.
It seems that the website is an older version of qdPM, a free open source web-based project management tool. Searching for qdPM 9.2 gave us results of an information disclosure exploit where anyone can access the website database login details by going to http://<target>/core/config.databases.yml.
Requesting that path returns the databases.yml file, which stores the connection and login details of the website database.
With these details we can log in to the website's MySQL server. There are multiple databases available. Since I failed to find anything important in the qdpm database, I moved on to another database, staff.
In the staff database I was able to get user information and passwords that had been encoded with base64. Since the names don't look like email addresses, they are probably SSH usernames.
Since we don't know which password belongs to which user, we can use hydra, a login cracker, to brute-force the SSH login. After decoding all the passwords, we save them to a file called pass.txt, and the usernames to a file called user.txt.
Then we run hydra -L username.txt -P pass.txt 192.168.56.103 ssh to start the brute-force process. The results gave us two valid SSH credentials.
First, I logged in as travis and was able to get the user flag.
Then I logged in as dexter and found a file called note.txt. It states that there is an exploitable vulnerability on the system, with a hint that the executable files are partially viewable.
So I searched the server for setuid executables with the command find / -perm -u=s -type f 2>/dev/null.
-perm tells find to match on permission bits.
-u=s selects files whose setuid bit is set, so they run with the privileges of their owner (here we are interested in root-owned ones).
2>/dev/null discards any error messages.
In the results we see a file called get_access, which looks like the vulnerable binary. However, when we run the get_access setuid executable it doesn't work and only displays an error message.
Since the hint says the executables are partially viewable, we run strings on the file.
From the output we can see how the setuid executable works: it runs the cat command on a file in the root directory to display the error message. Because cat is invoked by name, we can use a setuid privilege escalation technique known as PATH injection. The steps are:
Create a new file named cat that shadows the real cat binary and opens a shell when executed as root.
Change its permissions so everyone has rw access to the file.
Add the directory to $PATH.
Run the setuid executable.
After getting root privileges, we can read the root flag in /root.
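The root cause here is a setuid helper that invokes cat through the caller's PATH. As an added example (not the box's get_access binary or the writeup's own code), this C sketch shows the two defensive sides of that bug: an audit check that flags a PATH an unprivileged user could poison, and a hardened way for a privileged helper to print a file without ever consulting PATH. The list of user-writable prefixes and the /bin/cat location are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Prefixes an unprivileged user can normally write under (constructed, assumed list). */
static const char *const UNTRUSTED_PREFIXES[] = { "/tmp", "/var/tmp", "/dev/shm", "/home", NULL };

/* Return 1 if PATH is unset or contains an entry that is empty, relative,
 * or under a user-writable prefix; such a PATH lets a bare "cat" be hijacked. */
int path_has_untrusted_entry(const char *path) {
    if (path == NULL) return 1;
    const char *p = path;
    while (p != NULL) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/') return 1;          /* "" or "." style entry */
        for (int i = 0; UNTRUSTED_PREFIXES[i] != NULL; i++) {
            size_t bl = strlen(UNTRUSTED_PREFIXES[i]);
            if (len >= bl && strncmp(p, UNTRUSTED_PREFIXES[i], bl) == 0 &&
                (len == bl || p[bl] == '/'))
                return 1;                                /* e.g. /tmp/x, but not /tmpfoo */
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Hardened replacement for system("cat <file>"): execve with an absolute path,
 * a fixed argv and a minimal environment, so the caller's PATH is never used.
 * Returns cat's exit status (0 on success) or -1 on a fork/wait failure. */
int show_message_hardened(const char *file) {
    static char *const env[] = { "PATH=/usr/bin:/bin", NULL };  /* assumed safe dirs */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/cat", "--", (char *)file, NULL };
        execve("/bin/cat", argv, env);                   /* assumed location of cat */
        _exit(127);                                      /* only reached if exec fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A real helper would also reset its own environment (or call setresuid to drop privileges) before doing anything else, so that no library code runs under the caller's PATH.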