Vulnhub: Glasgow Smile 2. The machine is design... https://medium.com/@muhammad.aliakbr98/vul...

Vulnhub: Glasgow Smile 2


H0j3n Aug 6 · 7 min read

The machine is designed to be a DC tribute but also a kind of real-life techniques container. You will also find a bunch of CTF-style challenges. You need to have enough information about Linux enumeration, PTES and encryption for privilege escalation.

1 de 19 6/11/20, 11:13 p. m.



Enumeration
Let's run nmap first and see what we get.

22/tcp open ssh
80/tcp open http
83/tcp open http

Port 80 (HTTP)

When we open the website we see a blank page with the new GS2 logo. The page source does not give us anything either, so let's enumerate directories.

Dirsearch


So we got one text file, todo.txt.

todo.txt

By looking at todo.txt we know that there is an automatic script that could have an .sh extension. Use the most popular wordlist: rockyou.

Wfuzz

We found joke.sh!


Inside joke.sh

What we get from this script is, first, a new directory, and also that there is a cap file somewhere. So let's get that pcap file!

Wfuzz

Nice! We found the pcap file. Let's open it with Wireshark, like this.

wireshark smileyface.pcap

smileyface.pcap

Did we get credentials? Let's try to decode them. Also, it says drupal, which means that the directory we found must be Drupal.

admin:<REDACTED>

Since we got all we need, let's go to the directory we found just now!


/Glasgow---Smile2

First User (www-data)


We also found a login page, and we can log in using the credentials. By looking at the page source we know that this is Drupal 8. There is an exploit for this version; you can check the reference.

ruby drupalgeddon2.rb http://IP/Glasgow---Smile2

Since we got a shell, let's get a reverse shell for a more comfortable session.

Reverse Shell

Second User (Riddler)



By looking at netstat we can see that port 8080 is listening, which was not open when we ran nmap just now.

Netstat

Upload socat and set up port forwarding. I will leave a site in the references that can help you learn port forwarding with socat. Let's check the new port!

New Port

It's a login page. We also found something suspicious in the page source.


Page Source

It says that if we forgot the password we should use the riddler application. We also found an LFI in the page source, so let's try to read passwd.

/etc/passwd
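The LFI used above is the classic pattern of a page parameter joined straight onto a file path, which is why a request for ../../etc/passwd (or an absolute path) works. As an added example, not code from the machine or from this writeup, here is that weak lookup in Python next to a hardened one; the function names and the templates/ layout are assumptions made for the demo.

```python
"""Path-traversal (LFI) lookup: the weak version beside a hardened one.

Added example, not code from the Glasgow Smile 2 box or the writeup.
serve_page_unsafe / serve_page_safe and the template layout are assumed.
"""
import os
import tempfile
from pathlib import Path


def serve_page_unsafe(base_dir: str, page: str) -> str:
    """Weak version: the request parameter is joined onto the template dir.
    '../x' walks out of it, and an absolute 'page' makes os.path.join drop
    base_dir entirely, so '/etc/passwd' is read as-is."""
    with open(os.path.join(base_dir, page), "r", encoding="utf-8") as fh:
        return fh.read()


def serve_page_safe(base_dir: str, page: str) -> str:
    """Hardened version: canonicalise first, then require the resolved path
    to stay inside base_dir and to be a template, before any file I/O."""
    root = Path(base_dir).resolve()
    target = (root / page).resolve()            # collapses '..' and symlinks
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes template dir: {page!r}")
    if target.suffix != ".html":                # allowlist the expected type
        raise PermissionError(f"not a template: {page!r}")
    return target.read_text(encoding="utf-8")


def build_demo_tree() -> str:
    """Constructed layout: <tmp>/templates/index.html plus <tmp>/secret.txt,
    a file the web app must never serve. Returns the templates dir."""
    tmp = tempfile.mkdtemp()
    templates = os.path.join(tmp, "templates")
    os.mkdir(templates)
    with open(os.path.join(templates, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>riddler login</h1>")
    with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("not for the browser")
    return templates


def demo() -> dict:
    """Run the same traversal against both lookups and report what happened."""
    templates = build_demo_tree()
    result = {
        "unsafe_leaks": serve_page_unsafe(templates, "../secret.txt"),
        "safe_index": serve_page_safe(templates, "index.html"),
    }
    for label, page in (("safe_blocks_traversal", "../secret.txt"),
                        ("safe_blocks_absolute", "/etc/passwd")):
        try:
            serve_page_safe(templates, page)
            result[label] = False
        except PermissionError:
            result[label] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check order matters: resolve first, compare second, open last. Comparing the raw string for ".." is not enough, because encoded or symlinked variants bypass it, whereas comparing the resolved path against the resolved root does not.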

It looks different from what we get in our shell, so could this be inside a Docker container? But looking at the comment just now, it says nginx. Let's read the nginx conf file.

/etc/nginx/nginx.conf

It seems like it includes everything in /etc/nginx/sites-enabled/*. We can try to enumerate more in that directory. I found that there are an nginx.conf and a default.conf, but default.conf is the one in effect in that directory. So we got another location.

/etc/nginx/sites-enabled/default.conf


By opening that index.php we found a question and a form to submit an answer.

/var/www/myplace/hereis/threatened/index.php

I will leave this part for you guys to enjoy the riddle :) Once we submit the real answer, we get the password!

Password


So let's log in as riddler with that password, and success!

Third User (Bane)


This one needs our reverse engineering skills and it involves PHP, which I'm really bad at, haha. We are given 3 files that could help us solve this.

message.txt

jokerinthepack

burn

First, we can use a beautifier to make the PHP script more readable. From what I understand, the script reads jokerinthepack and saves it in two variables. But from message.txt we know that the only keys we need are

Key 1: I make them laught a lot

Key 2: Because jokers are wild

So right now we can focus on the other functions. Any string we input will be encrypted using these keys: each key is split into characters, each character is converted with ord, and the total is calculated.

gws Function

The value will be used in encrypting new strings.
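Added example, not the writeup's Python conversion or the machine's PHP: it implements gws() exactly as the post describes it (split the key, ord() each character, sum) for the two keys quoted from message.txt, and goes one step further than the post by showing why a key that is reduced to a single integer is weak: many different keys collapse to the same value, and the number of distinct values is tiny compared with the number of keys. The encrypt function itself is not reproduced, since the post does not show it.

```python
"""gws()-style key reduction and why it is weak.

Added example; not code from the writeup or the box. gws() is written from
the post's description (sum of ord() over the key's characters). The two
keys are the ones the post quotes from message.txt.
"""
from itertools import product
from string import ascii_lowercase

KEY1 = "I make them laught a lot"      # as quoted in the writeup
KEY2 = "Because jokers are wild"


def gws(key: str) -> int:
    """Reduce a key to one integer: the sum of its character ordinals."""
    return sum(ord(ch) for ch in key)


def collides(k1: str, k2: str) -> bool:
    """Two different keys with the same gws() are interchangeable for any
    cipher keyed only on that sum; anagrams are the obvious case."""
    return k1 != k2 and gws(k1) == gws(k2)


def total_keys(max_len: int, alphabet: str = ascii_lowercase) -> int:
    """How many keys of length 1..max_len exist over the alphabet."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


def distinct_key_values(max_len: int, alphabet: str = ascii_lowercase) -> int:
    """How many distinct gws() values those keys can actually produce, i.e.
    the effective key space left after the reduction. Enumerated directly so
    the collapse is visible; for lowercase keys of length n the sums fall in
    [97n, 122n], only 25n+1 possibilities."""
    seen = set()
    for n in range(1, max_len + 1):
        for combo in product(alphabet, repeat=n):
            seen.add(sum(ord(ch) for ch in combo))
    return len(seen)


if __name__ == "__main__":
    print("gws(KEY1) =", gws(KEY1))
    print("gws(KEY2) =", gws(KEY2))
    print("listen/silent collide:", collides("listen", "silent"))
    print("keys up to length 3:", total_keys(3),
          "-> distinct gws values:", distinct_key_values(3))
```

The last line is the practical point: whatever the encrypt function does with the value, an attacker never has to guess the key text, only its sum, and the sum lives in a range of a few thousand integers.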

Encrypt Function

At first I had difficulty getting it right, but after understanding how it works it was much better. So here is my Python script after converting it from PHP.


Python Script

After testing both the PHP and Python scripts and getting the same output, it's time to reverse engineer! :) First I manually got the values for both keys. Then, if we look closely, the first character will be A and the end depends on the loop. The key will also be key1 at first, and the end likewise depends on the loop. So here is the result!


Reverse Python Script

Let's try running it with the encrypted message we got!

Script run

We got another password, and this must be bane's password!



Fourth User (Carnage)


When we try sudo -l we find out that we can run make with carnage's permissions. By looking at GTFOBins we can escalate that part.

GTFOBins make

COMMAND='/bin/sh'
sudo -u carnage make -s --eval=$'x:\n\t-'"$COMMAND"
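The sudo -l finding above, seen from the auditing side: a rule that lets one user run make as another is a shell in disguise, and the same applies to any binary with a GTFOBins entry. The following is an added example, not code from the writeup, the box or GTFOBins; SHELL_ESCAPE_BINARIES is a small constructed subset of GTFOBins names, and SAMPLE_SUDOERS is a constructed sudoers fragment modelled on the rule the post describes.

```python
"""Flag sudoers rules that grant binaries with known shell escapes.

Added example, not the machine's sudoers file or GTFOBins code.
SHELL_ESCAPE_BINARIES is a constructed subset of GTFOBins entries and
SAMPLE_SUDOERS a constructed fragment; both are illustrative only.
"""
import os
import re

# Constructed subset of programs GTFOBins lists as able to spawn a shell.
SHELL_ESCAPE_BINARIES = {"make", "vim", "less", "find", "awk", "python3", "env"}

SAMPLE_SUDOERS = """\
# constructed /etc/sudoers fragment for the demo
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
bane    ALL=(carnage) NOPASSWD: /usr/bin/make
riddler ALL=(root) /usr/bin/id
%admin  ALL=(ALL) ALL
"""

# user  host=(runas) [TAG: ...] command[, command...]
# Only the parenthesised runas form is handled; other sudoers syntax is skipped.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> list:
    """Turn user-specification lines into dicts; comments and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "user": m.group("user"),
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD" in m.group("tags"),
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def risky_rules(text: str) -> list:
    """Report rules that are unrestricted (ALL) or hand out a shell-escape binary."""
    findings = []
    for rule in parse_sudoers(text):
        for cmd in rule["cmds"]:
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "unrestricted"
            elif prog in SHELL_ESCAPE_BINARIES:
                reason = "shell-escape"
            else:
                continue
            findings.append({"user": rule["user"], "runas": rule["runas"],
                             "cmd": cmd, "nopasswd": rule["nopasswd"],
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in risky_rules(SAMPLE_SUDOERS):
        print(f"{f['user']} -> {f['runas']}: {f['cmd']} "
              f"({f['reason']}, nopasswd={f['nopasswd']})")
```

Run against a real sudoers dump (visudo -c -f is the safe way to validate edits), the interesting output is exactly the bane line: a NOPASSWD rule for make, whose --eval can run arbitrary commands, is equivalent to granting a shell as carnage.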

Fifth User (Venom)

Since we do not know the user's password, we can't check sudo -l. So let's check the processes first. To do that we can run pspy.

Pspy

We can see that there is a Python script running among the processes. Also, there is a text file for us to read. It says that it automatically zips our personal folder.


help.txt

I got stuck here for a while, but then I remembered that this is a Python script. Maybe there is a zip library being used. Using our past experience, let's make a script with that library's name and put a reverse shell inside the same directory as the script that is being run.

zipfile.py

Last User (Root)

Inside Venom Directory

Inside the Venom directory, we found a lot of suid binaries, so we can try running all of them and see if we can escalate.

gothamwillburn

From here what I understand is that batman contains a suid string and gothamwillburn4 is a suid binary that will cat batman.

Inside gothamwillburn4

So we can escalate using the cat binary since it is not called securely.

echo "bash -p" > cat
chmod 777 ./cat
export PATH=/tmp:$PATH

After that just run gothamwillburn4 and finally we rooted!

Root.txt

I really enjoyed this machine. Thank you to mindsflee for helping me a lot :) Thank you to my friend AniqFakhrul aka ch4rm for helping me too!

If there is any suggestion please tell me, or if there is something that I can improve, also please do tell me. Hope this writeup helps anyone, and let's learn together :)

H0j3n

You can support my writing and I would love to write more content :)
You can check out my "Buy me a Coffee"
www.buymeacoffee.com

References
1. https://github.com/dreadlocked/Drupalgeddon2
2. https://www.cyberciti.biz/faq/linux-unix-tcp-port-forwarding/
3. https://www.linode.com/docs/web-servers/nginx/how-to-configure-nginx/
4. https://www.reddit.com/r/BatmanAr
/i_have_billions_of_eyes_yet_i_live_i
5. https://beautifier.io/
6. https://gtfobins.github.io/gtfobins/m
7. https://github.com/DominicBreuker
8. https://docs.python.org/2/library/zipfile.html
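Both of the last two escalations (the zipfile.py dropped next to the cron-run script for Venom, and the fake cat placed on PATH for the suid binary in the Root section) are the same mistake: a program resolves a name through a search path that an unprivileged user can influence. As an added example, not code from the writeup or the box, here are the two checks a hardening review would run for that: which imported stdlib modules a file in the script's own directory would shadow, and whether a writable directory sits on PATH ahead of the real program. All paths and files are constructed in a temporary directory.

```python
"""Search-path hijack checks (stdlib module shadowing and loose PATH entries).

Added example; not the machine's scripts. The script directory, the planted
zipfile.py, the bin/ and scratch/ dirs are all constructed in a temp dir.
"""
import os
import stat
import sys
import tempfile


def shadowed_stdlib_modules(script_dir: str, imported: set) -> list:
    """Python puts the running script's directory first on sys.path, so a
    <script_dir>/zipfile.py replaces the real zipfile. Returns the imported
    stdlib names for which such a file or package exists."""
    stdlib = set(getattr(sys, "stdlib_module_names", ()))   # Python 3.10+
    stdlib |= {"zipfile", "os", "socket", "subprocess"}      # fallback subset
    hits = []
    for name in sorted(imported & stdlib):
        candidates = (f"{name}.py", os.path.join(name, "__init__.py"))
        if any(os.path.exists(os.path.join(script_dir, c)) for c in candidates):
            hits.append(name)
    return hits


def loose_path_entries(entries: list) -> dict:
    """Map each PATH entry an unprivileged user could plant a binary in to
    the reason: world-writable (the /tmp case), group-writable, or missing."""
    reasons = {}
    for entry in entries:
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            reasons[entry] = "missing"
            continue
        if mode & stat.S_IWOTH:
            reasons[entry] = "world-writable"
        elif mode & stat.S_IWGRP:
            reasons[entry] = "group-writable"
    return reasons


def hijackable_lookup(entries: list, prog: str) -> bool:
    """True when a loose entry is searched before the one that really
    provides prog, so a relative call like system("cat batman") can be
    redirected. A suid program should call the absolute path instead."""
    loose = loose_path_entries(entries)
    for entry in entries:
        if entry not in loose and os.access(os.path.join(entry, prog), os.X_OK):
            return False          # trustworthy copy is found first
        if entry in loose:
            return True
    return False                  # prog not on PATH at all


def demo() -> dict:
    """Constructed layout: cron/ with a planted zipfile.py, bin/ (0755)
    holding a real 'cat', and scratch/ (1777) like /tmp."""
    root = tempfile.mkdtemp()
    script_dir = os.path.join(root, "cron")
    os.mkdir(script_dir)
    open(os.path.join(script_dir, "zipfile.py"), "w").close()   # the plant
    safe = os.path.join(root, "bin")
    os.mkdir(safe, 0o755)
    cat = os.path.join(safe, "cat")
    with open(cat, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(cat, 0o755)
    loose = os.path.join(root, "scratch")
    os.mkdir(loose)
    os.chmod(loose, 0o1777)
    return {
        "shadowed": shadowed_stdlib_modules(script_dir, {"zipfile", "os"}),
        "loose": loose_path_entries([loose, safe, os.path.join(root, "gone")]),
        "tmp_first": hijackable_lookup([loose, safe], "cat"),
        "bin_first": hijackable_lookup([safe, loose], "cat"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The fixes follow directly from the two checks: keep the cron script's directory unwritable to the users it processes (or run it with -I so sys.path[0] is not consulted), and have suid programs execute helpers by absolute path rather than through the caller's PATH.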