Vulnhub: Glasgow Smile 2: About
Enumeration
Let’s run nmap first and see what we get.
2 de 19 6/11/20, 11:13 p. m.
Vulnhub: Glasgow Smile 2. The machine is design... https://medium.com/@muhammad.aliakbr98/vul...
Port 80 (Http)
When we open the website we see a blank page like this with the new GS2 logo. The
page source did not give us anything either, so let's try to enumerate directories.
Dirsearch
todo.txt
Wfuzz
We found joke.sh!
Inside joke.sh
From this script we learn two things: there is a new directory, and there is a pcap file
somewhere. So let’s get that pcap file!
Wfuzz
Nice! We found the pcap file. Let's open it with Wireshark. You can open it
like this.
wireshark smileyface.pcap
smileyface.pcap
Did we get credentials? Let's try to decode them. It also says drupal, which means that
the directory we found must be a Drupal site.
admin:<REDACTED>
Since we have everything we need, let's go to the directory we just found!
/Glasgow — -Smile2
Now that we have a shell, let’s get a reverse shell for a more comfortable one.
Reverse Shell
Looking at netstat we can see port 8080 listening, which was not open in our
nmap scan earlier.
Netstat
Upload socat and set up port forwarding. I will leave a site in the references that can help you learn port
forwarding with socat. Let’s check the new port!
New Port
Page Source
It says that if we forgot the password we should use the riddler application. We also found an
LFI in the page source, so let's try to read passwd.
/etc/passwd
It looks different from what we get in our shell, so could this be inside a
Docker container? But the comment we saw earlier mentions nginx, so let's read the nginx config
file.
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/default.conf
/var/www/myplace/hereis/threatened/index.php
I will leave this part for you to enjoy the riddle :) Once we submit the right answer
we get the password!
Password
message.txt
jokerinthepack
burn
First, we can use a beautifier to make the PHP script more readable. From what I
understand, the script reads jokerinthepack and saves it in two variables. But
since we know that in message.txt the only keys we need are
So right now we can focus on the other functions. Any string we input will be
encrypted using these keys: the keys are split, each character is converted with ord,
and the total is calculated.
gws Function
Encrypt Function
At first I had difficulty getting it right, but after understanding how it works it got much
better. So here is my Python script after converting it from PHP.
Python Script
After testing both the PHP and the Python script and getting the same output, it's time to reverse
engineer it! :) First I manually got the value of both keys, and then, if we look closely,
the first character will be A and the end depends on the loop. The key also starts at
key1 and its end depends on the loop too. So here is the result!
Script run
GTFOBins make
COMMAND='/bin/sh'
sudo -u carnage make -s --eval=$'x:\n\t-'"$COMMAND"
Fifth User (Venom)
Since we do not know the user's password we can't check sudo -l. So let's check the
processes first. To do that we can run pspy.
Pspy
We can see a Python script running in the process list. There is also a
text file for us to read. It says that it automatically zips our personal folder.
help.txt
I got stuck here for a while, but then I remembered that this is a Python script. Maybe
there is a zip library being used. Using our past experience, let's make a script named after
that library, with a reverse shell inside, in the same directory as the script that is being
run.
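The hijack works because Python searches the running script's own directory (sys.path[0]) before the standard library, so a zipfile.py dropped next to the scheduled script gets imported in its place. As an added defensive check, not from the original writeup, here is a small Python script that flags files in a script's directory whose names shadow standard-library modules; the sample listing at the bottom is constructed.

```python
import sys
import sysconfig
from pathlib import Path

MODULE_SUFFIXES = (".py", ".pyc", ".so", ".pyd")

def stdlib_names():
    """Top-level standard-library module names for the running interpreter."""
    names = getattr(sys, "stdlib_module_names", None)  # available on Python 3.10+
    if names is None:
        # Fallback for older interpreters: list the stdlib directory on disk.
        stdlib_dir = Path(sysconfig.get_paths()["stdlib"])
        names = {p.stem for p in stdlib_dir.iterdir()
                 if p.suffix == ".py" or (p / "__init__.py").exists()}
        names |= set(sys.builtin_module_names)
    return frozenset(names)

def module_names_from_listing(entries):
    """Map a directory listing (names only) to the top-level modules it provides.

    Python tries sys.path[0], the script's own directory, before the standard
    library, so each of these names wins over the stdlib module of that name.
    """
    names = set()
    for entry in entries:
        if entry.endswith(MODULE_SUFFIXES):
            stem = entry.split(".", 1)[0]  # foo.cpython-310-x86_64.so -> foo
            if stem.isidentifier():
                names.add(stem)
    return names

def shadowed_stdlib_modules(entries):
    """Return, sorted, the module names in the listing that shadow the stdlib."""
    return sorted(module_names_from_listing(entries) & stdlib_names())

def scan_script_dir(script_path):
    """Check the directory of a scheduled script (like the zip job here)."""
    script_dir = Path(script_path).resolve().parent
    entries = [p.name for p in script_dir.iterdir() if p.is_file()]
    # A package directory containing __init__.py shadows a stdlib module as well.
    entries += [p.name + ".py" for p in script_dir.iterdir()
                if p.is_dir() and (p / "__init__.py").exists()]
    return shadowed_stdlib_modules(entries)

if __name__ == "__main__":
    # Constructed sample listing: a zipfile.py dropped next to the backup script.
    print(shadowed_stdlib_modules(["backup.py", "zipfile.py", "help.txt", "random.pyc"]))
```

Running the scheduled job with `python -I` (isolated mode) keeps the script directory off sys.path, which removes this class of hijack; the scan still helps spot leftover shadowing files.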
If there are any suggestions please tell me, or if there is something I can improve please
do tell me too. I hope this writeup helps someone, and let’s learn together :)
zipfile.py
H0j3n
Last User (Root)
You can support my writing and I would love to write more content :)
You can check out my "Buy me a Coffee"
www.buymeacoffee.com
References
1. https://github.com/dreadlocked/Drupalgeddon2
2. https://www.cyberciti.biz/faq/linux-unix-tcp-port-forwarding/
3. https://www.linode.com/docs/web-servers/nginx/how-to-configure-nginx/
4. https://www.reddit.com/r/BatmanAr/i_have_billions_of_eyes_yet_i_live_i
5. https://beautifier.io/
6. https://gtfobins.github.io/gtfobins/m
7. https://github.com/DominicBreuker
8. https://docs.python.org/2/library/zipfile.html
Inside Venom Directory
Inside the Venom directory we found a lot of SUID binaries, so we can try running all of them
and see if we can escalate.
gothamwillburn
From here, what I understand is that batman contains a SUID string and gothamwillburn4 has a
SUID binary that will cat batman.
Inside gothamwillburn4
Root.txt
I really enjoyed this machine. Thank you to mindsflee for helping me a lot :) Thank you to my
friend AniqFakhrul aka ch4rm for helping me too!