wakanda: 1 | Vulnhub Walkthrough

egghunter · Published in Dot Dot Slash · 5 min read · Aug 13, 2018

Wakanda is a new Vibranium market which is going to be online soon and my goal was to find the exact location of the mine by hacking all the way in. Developed by xMagass and hosted on Vulnhub, this machine packs a bunch of cool tricks.

Level: Intermediate

Ran arp-scan to identify the IP address of the target

Enumeration and Initial Foothold

Firing up nmap across the full TCP range, I found only one web application of interest, which announces the opening of the Vibranium market. I also noted the SSH service running on port 3333 which was non-default.

Detailed nmap port scan

Dirbusting or running nikto on the application was of no use and I was greeted with several zero-size decoy files. I had to spend considerable time enumerating various entry points before I found the devil lurking in the HTML source. In an HTML comment there was a parameter lang with the value fr.

Dirbusting the application
Notice the lang parameter in the HTML comment

Visiting the URL with lang set to fr, I was greeted with a message in a different language (which I guess is French). I wasn't quite sure how to turn the situation to my advantage. No stronger entry points came up in my enumeration and I knew I had to think outside the box. I started picturing how the developer might have implemented the application and did some enumeration around that.

Site when accessed with lang parameter

I identified that there was a file named fr.php in the application folder path. So I tried browsing to /?lang=fr.php and it did not work as expected, while /?lang=fr worked fine. Then I tried accessing /?lang=index and got an internal server error (including the same file from itself causes an error).

So I got a mental picture of what was running behind the scenes. Possibly the developer was appending .php to the value passed via the lang parameter and then including the resulting file (lang=fr becomes include(fr + .php)). I knew that was not going to be easy.

At this point I made two conclusions:

  1. I can include only PHP files because of the ".php" append.
  2. I knew only two PHP files (index.php and fr.php) at the moment and there was no benefit in executing them. I needed to retrieve the contents of these files somehow so that I could look for something juicy.

Confirming the existence of fr.php
On including index.php from within index.php, we get an error suggesting a possible file inclusion

Abusing PHP Filters

PayloadsAllTheThings is a nice repository which has been of help on many past occasions, and I found some nifty tricks for LFI (Local File Inclusion) there. Keeping the above two points in mind I looked for techniques and found that I could use PHP filters to achieve my mission.

According to the official PHP documentation, PHP supports four categories of filters.

  • String Filters
  • Conversion Filters
  • Compression Filters
  • Encryption Filters

Of the above, the base64-encode filter from the conversion filters can be used to retrieve an arbitrary server file through LFI. It is also possible to use zlib.inflate or bzip2.compress from the compression filters to retrieve server files without executing them. But I prefer base64-encode because of its ease of use.
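The include pattern inferred above, next to an allowlisted replacement, as an added example (not the challenge's own index.php); the en.php fallback file and the function names are assumptions.

```php
<?php
// Added example, not code from the Wakanda box: the include pattern the
// walkthrough infers, side by side with an allowlisted replacement.

// Vulnerable shape inferred from the observed behaviour: the raw lang value
// is concatenated with ".php" and handed to include(). The suffix only
// restricts which *local* file names resolve; a stream wrapper such as
//   php://filter/convert.base64-encode/resource=index
// still ends in "index.php" after the append, so include() opens the wrapper,
// base64-encodes the source and emits it instead of executing it.
function loadLanguageVulnerable(string $lang): void
{
    include $lang . '.php';
}

// Hardened form: the user value is only a key into a fixed allowlist, so no
// wrapper, path or unexpected file name ever reaches include().
// en.php is an assumed default translation file, not one from the box.
const LANGUAGE_FILES = [
    'fr' => __DIR__ . '/fr.php',
    'en' => __DIR__ . '/en.php',
];

function loadLanguageSafe(?string $lang): string
{
    if ($lang === null || !array_key_exists($lang, LANGUAGE_FILES)) {
        $lang = 'en';  // fall back instead of echoing or including the input
    }
    include LANGUAGE_FILES[$lang];
    return $lang;
}

// Defensive check usable in log review or a WAF rule: a stream wrapper,
// traversal sequence or NUL byte in a language selector is never legitimate.
function looksLikeInclusionProbe(string $lang): bool
{
    return (bool) preg_match('#^[a-z]+://|\.\./|%2e%2e|\0#i', $lang);
}

loadLanguageSafe($_GET['lang'] ?? null);
```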

Path to Shell

I used the base64-encode filter to retrieve the contents of index.php and fr.php and decoded them. In the source code of index.php I found the much needed break, a password. I tried to SSH to the box as the user mamadou with that password and got my initial access. But my shell was Python. That was not a big deal and I spawned bash from Python. First flag: d86b9ad71ca887f4dd1dac86ba1c4dfc

curl http://192.168.56.102/?lang=php://filter/convert.base64-encode/resource=index | head -n 1 | base64 -d
Password in the PHP source code of index.php
SSH access as mamadou using the above password

I figured out that there was another account called devops, apart from the root user, on the system. Keeping that in the back of my mind, I enumerated the system and found a hidden Python file belonging to devops (.antivirus.py) which was writable by me. My first thought was that this was going to be periodically invoked by the devops account.

I modified the Python file with a reverse shell program, started a netcat listener and waited. In a minute or two I obtained my next level of access. Sometimes you just need to trust your instincts! Flag 2: d8ce56398c88e1b4d9e5f83e64c79098

World-writable Python file
Modify the Python file with a reverse shell
Reverse connection as devops

Rooting the box

Moving further on with enumeration I found something very interesting: devops is allowed to invoke pip with sudo rights. I wasn't sure how to exploit it and searched for it. It wasn't long before I saw the fakepip exploit, which helps to spin up a root shell via pip.

I opened the setup.py file from GitHub and found that setup.py was invoking base64-decoded data via the os.system function. I knew I just had to base64-encode my payload and substitute it there for the attack to work. And there goes the root flag: 821ae63dbe0c573eff8b69d451fb21bc

devops had sudo privileges on pip
Source code of setup.py; we need to modify the base64-encoded data to insert our payload
Create a reverse shell payload and base64-encode it
Save the modified setup.py and run pip on it
sudo /usr/bin/pip install . --upgrade --force-reinstall
Root shell

Wakanda was cool! I got to learn a few nice tricks from this box, and Wakanda stands out from the usual pattern of Vulnhub challenges in that respect. Btw @xMagass you didn't tell me the mine location, brother :)
