BlackMarket

Getting right to it, today we're doing BlackMarket, a VM on VulnHub by Ace Bomber.

I load up the VM, run a basic network-wide scan to find it, then an intense scan to see what services it has available:


The most interesting ports right off the bat are 21 (FTP) and 80 (HTTP). I start with the website just to see what I'm dealing with and am presented with a login page:

I start up dirbuster and let it run in the background while I try tossing some basic default login creds at the form, without success. I also check the page source, find flag number 1, and decode the base64 within it:


This is apparently a Bourne Trilogy reference, so I find a wiki about Operation Treadstone, and make a wordlist of it using cewl:


I use Burp Intruder to quickly run through the list, but still come up empty handed. The thing to notice here is that the login error message is distinctive enough to be unique (Thanks friend.):
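From the defender's side, the wordlist runs described above (default creds by hand, then Intruder over the cewl list) leave a very recognisable trace in the web server's access log: one client POSTing to the login page many times in a short window. The detector below is an added example, not code from the write-up or from the BlackMarket application; the log lines are constructed in Apache combined format, and the login path `/login.php`, the threshold and the window are assumptions.

```python
"""Added example: flag login brute-force bursts in constructed Apache
combined-format access log lines. Endpoint, threshold and window are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict of the fields we need, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"]), "ua": m["ua"]}


def find_bruteforce(lines, login_path="/login.php", threshold=5, window_s=60):
    """Return {ip: peak_attempts} for every client that POSTs to login_path
    more than `threshold` times inside any sliding window of `window_s` seconds.
    Lines are assumed to be in chronological order per client (log order)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != login_path:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop attempts that fell out of the window.
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


def _line(ip, second, path="/login.php", method="POST"):
    """Build one constructed log line (same minute, varying seconds)."""
    return (f'{ip} - - [20/Jul/2017:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed)"')


# Constructed sample: 10.0.0.5 fires 8 login POSTs in 14 seconds (wordlist run),
# 10.0.0.9 logs in twice, 35 seconds apart, and browses normally in between.
SAMPLE_LOG = (
    [_line("10.0.0.5", s) for s in range(0, 16, 2)]
    + [_line("10.0.0.9", 5), _line("10.0.0.9", 7, "/index.php", "GET"), _line("10.0.0.9", 40)]
)

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login attempts inside one {60}s window")
```

The sliding window is per client, so a single slow-and-steady attacker under the threshold is not caught; pairing this with a count of distinct usernames per client, or with the application's own failed-login counter, closes that gap.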

After plopping that into Google, I end up at this GitHub page, which looks like the same application being hosted on the VM. Lo and behold, the username/password combo supplier/supplier lets me log in:

I’m now presented with what looks like a marketplace screen where I can edit and add items, their pictures, prices, etc.:

I mess around with this for a little while and am able to bypass the picture upload restrictions, but according to the source code from the GitHub page found earlier, the files are still renamed on upload and there's not much to be done about that. Going back to the dirbuster scan, there are some interesting results:
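The reason the upload bypass goes nowhere is worth spelling out: the application never uses the client-supplied filename, so a file smuggled past the front-end checks still lands with a server-chosen name and extension. The handler below is an added example of that defence, not the BlackMarket project's code; the accepted formats, size limit and storage directory are assumptions.

```python
"""Added example: an image upload handler that trusts neither the client
filename nor the Content-Type. Signature table, size limit and directory are assumed."""
import os
import secrets

# Magic bytes for the only formats this (constructed) handler accepts.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


def detect_image_type(data: bytes):
    """Return the extension matching the file's leading bytes, or None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def stored_name(data: bytes, max_bytes: int = 2_000_000) -> str:
    """Choose the on-disk name for an upload, or raise ValueError.

    The client filename is never consulted: the extension comes from the
    detected content and the basename is random, so a 'shell.php' with a JPEG
    header is stored as <random>.jpg, and a bare script is rejected outright.
    The magic-byte check alone does not stop a polyglot file; the rename plus
    non-executable storage (save_upload) is what makes such a file inert."""
    if len(data) > max_bytes:
        raise ValueError("upload too large")
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError("not a supported image")
    return secrets.token_hex(16) + ext


def save_upload(data: bytes, upload_dir: str) -> str:
    """Write the file under a directory that the web server serves as static
    content only (or not at all), so nothing in it is ever executed."""
    name = stored_name(data)
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32      # constructed stub
    print(stored_name(sample_png))
```

Serving the upload directory through a handler that sets a fixed `Content-Type` from the detected type (rather than from the stored extension) is the matching step on the read side.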

I navigate to each of the directories that returned 302 and find a SquirrelMail install. I also find that as long as I'm logged in as supplier, I can access the user directory as well as the admin directory; I can even make changes to users as if I were the admin. No privilege separation! After poking around the edit-user functionality for a while, I notice an interesting parameter being passed when editing a user:

The interesting parameter is "id=7". It changes depending on the user, which means I can probably edit the password of what I assume is the admin at id=1. I change the id to 1 in the POST request:


The site accepted the change, so now I attempt to log in:

It worked! I also obtained flag 4! Wait... what happened to flags 2 and 3? Decoding flag 4 gives the following:


Not too helpful. I poke around with the admin account for a bit, but it seems to have all the same access that supplier had. I guess the decoded output was right. Thinking back to the method I used to gain access to the admin account, I wonder if there is a potential SQL injection point in that parameter. With that in mind, I copy the POST request into a text file and fire up SQLMap:


Nice! I've got a working SQL injection point, albeit an incredibly slow one. The next step is to enumerate the databases to see what we're working with:

Ok, the BlackMarket database is there, and also something called eworkshop. I end up dumping the entirety of both databases and find a few interesting things:

  1. Flag number 3! (Where the heck is flag 2?) It was in its own table called flag under BlackMarket:
  2. The BlackMarket user/hash table. I couldn't crack the admin, bladen (lol), or jbourne accounts within a reasonable time frame, so I gave up on that.
  3. In the eworkshop database, I found some login information that didn't actually work anywhere:


So at this point I'm a bit stuck. I couldn't log into SquirrelMail, there was a mention of an eworkshop site that I haven't found, and I don't know jbourne's password. I step away for a bit and remember that flag 4 said something about email access, so I log in again. That's when it hits me: "email access ?????" is literally telling me his password. So I try to log into SquirrelMail using jbourne/?????:

I’m in!  In the drafts folder I find a message:

So I’ve found flag 5 which decodes to:


As well as some ciphertext. Studying the recurring patterns a bit, I'm pretty sure this is a substitution cipher. I toss it into a substitution solver I found online and am presented with:


So another mention of workshop. Hmm, ok. I append kgbbackdoor to the big.txt list and let dirbuster chew on that for a while in the background. Nothing. I decide there's enough talk about eworkshops to generate a wordlist for it with crunch:


I append this new list to the big.txt list and try my luck with dirbuster again:

Success! I found the workshop site in the directory vworkshop, the backdoor directory, a backdoor, and the flag! What a haul! This is flag 6 and decodes to:


I navigate to the backdoor.php file and am presented with what appears to be a 404:

Checking the page source, however, reveals an incomplete login form that only asks for a password. I try a few passwords with no luck. Based on the message I found in SquirrelMail, I download the PassPass.jpg file:

Running strings on the file shows some text appended to the end of it:

I try passing this number to the form with no luck. It has an odd number of digits, so I can't convert it straight from hex to ASCII. I try a billion different things and am stumped. I end up reaching out to Ace Bomber to see what he has to say about it. While I wait on his reply, I decide to put together a list of names from the wiki from earlier and try my hand at the FTP server:

Oh hey! I got some valid creds! I check out the FTP server, and wouldn't you know it, there's a message with flag 2 in it:

Wow. That would have made finding the workshop a tad easier. Oh well! Flag 2 decodes to:

Ace Bomber has gotten back to me at this point and tells me to convert the number to its hex representation first. It suddenly clicks. I don't know why I didn't think to do that. The conversion path:


So the next step is to fix the form one last time:

Put the password in the hidden field, and click the submit button I added to the page:

Success! At this point I want a shell. So I click the Network link, send myself a shell, and use python to make a nicer bash experience:

I poke around for a little while to see if there are any apparent priv esc opportunities here, and nothing seems to stick out at me. I run uname -a and paste it into Google. I try a few exploits, but none of them work out of the box. Then I give the trusty DirtyCOW exploit a shot:

Root! And of course, the VM crashes shortly after. Until next time!