Wallaby’s Worst Knightmare 1 – Walkthrough

Walkthrough of Wallaby’s Worst Knightmare 1 vulnhub challenge https://www.vulnhub.com/entry/wallabys-nightmare-v102,176/.

Walkthrough

A basic ping sweep finds the machine, throwing nmap at it yields 3 ports of interest.

A quick CVE search of the OpenSSH & Apache versions doesn’t show anything worth digging at further. The IRC port is filtered, so we know it’s there but not accepting connections at this time. A final poke at the SSH prompt shows it accepts username & password logins – something to come back to later for credential guessing.

Opening the webpage asks me for my name. After setting it I get a follow-up page with some hints and an option to start the CTF. Off we go then.
Screenshot from 2018 10 29 06 17 01

Poking around the webpage didn’t yield much of interest, so off to throwing a Nikto scan at it.

Scan makes directory traversal attacks look possible, trying to reload the web browser using the suggested path shows the host has become unreachable. Re-running the port scan shows the web server port has hopped to 60080 – odd?

Reloading the page gives me a new screen – it seems the port hop was intentional after the page detected a compromise attempt.

Re-trying the directory traversal attack flagged by nikto gave me two usernames – walfin & steven?.

After some more digging around I noticed the Nikto scan identified a parameter – ?page=. Throwing DIRB at this yielded:

Each of the pages with a size of 896 was a generic error message. This left the last three pages as being of interest. The pages at ?page=home & ?page=index had already been seen, leaving ?page=mailer.

Looking at the web page source gives me a second parameter:

First thought was to try SQL injection, unfortunately this went nowhere.

A little more experimenting shows the value passed in the mail parameter is run as a shell command on the server.

Using it to poke around the system showed the original password file I grabbed was fake (a nice mis-direction – the actual usernames are waldo and wallaby with there being a sopel IRC bot loaded) and the shadow file isn’t readable by the web server (no password cracking for me).

After finding nothing else obvious I moved onto getting a shell via using a packaged Kali webshell. For this exercise I used the php-reverse-shell and wget on the end host. Initial few attempts failed – in the end I gziped the file locally, pulled it over using wget on the target host and gunzipped it from there.

With that in place, shell.

User Waldo is logged in using tmux (which from a quick google in a screen like tool). Given the earlier hint, this seems a likely next target. Before that, a try at privesc.

I settled on the dirtycow 2 exploit. It compiled fine but first attempt at running it caused the virtual machine to segfault – ouch.

After a bit of tinkering I found it needed to be run in an interactive shell.

And with that we have root. To simplify accessing the other passwords I changed their passwords, then poked around and found the flag in the root directory.

Logging in as Waldo allows me to re-attach the tmux session and say hi to the bot.

Leave a Reply