VulnHub Casino Royale Walkthrough

casino0

Today we’re going to walkthrough Casino Royale from VulnHub. This was a really fun box to work through and very relevant to people working there way to OSCP. It was actually a lot harder to get into the box than to escalate privileges once there. If you’d like to see a video walkthrough of it, you can find it here.

As usual, I start off with a Nmap scan – nmap -sC -sV -v 192.168.136.136 -oN map1

casino1

There’s already a lot of information here to check out. FTP is usually interesting, but in this case anonymous login is not allowed. We’ll come back to that later. Let’s check out the websites first. I’ll start with the one on 8081.

casino2

casino3

Ok to this site is interesting, but it doesn’t seem to do anything. Note the collect.php. That will be valuable later. We’ll move on to the main site on port 80.

casino4

Alright, so Bond is raising his martini. Let’s check out a couple of those directories nmap pointed us to.

casino5

Kboard is just some flavor. Let’s check out cards.

casino6

Just more flavor, but in color this time. Let’s look for some more directories with gobuster.

Gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.136.136

casino7

Gobuster found some new things to investigate. We don’t have any user names or creds for phpMyAdmin, so let’s check out install.

casino8

Ok now we’re getting somewhere. It looks like a low version so let’s see if it’s vulnerable.

casino9

It is vulnerable and once executed, will give admin access to the site. Before we can try it out, we’ll need to find the login page. The pokerleague/pokeradmin/configure.php path doesn’t exist, but pokeradmin does. Putting in configure.php gives us a redirect to index.php. Anyway, we found the login page.

casino10

There are a couple ways to get the exploit to work. The simplest way is to paste the exploit into the URL. Like literally replace the URL with the javascript code.

casino11

 

When you paste it in it will get rid of the javascript portion so you’ll have to retype that. The other way to do it is to use the web developer tools. There’s a command line section that the script can be written in. It doesn’t like copy and pasting either, so you’ll have to allow it or just type it in.

casino12

Once you hit enter, the cookie will be set which will allow you to just bypass the authentication page. Please note that you’ll have to go back to the configure.php page, not the index.php page.

casino13

Once in, you’ll see a reference to a domain name. Add that to the /etc/hosts file. Looking at the Manage Players section gives us a list of user names. One of them has an email link.

casino14

 

Let’s look at some of the info tabs (especially Valenka’s).

 

casino15

In her profile is a link and another reminder to update your hosts file. Let’s visit the site and see what’s there.

casino16

casino17

It’s a blog site with Snowfox CMS. At the bottom of the page is a big hint that we should send a malicious link to Valenka soon. Before that, let’s see if there are any vulnerabilities with snowfox.

casino18

 

casino19

Once again, the site is vulnerable and sounds like it will fit our scenario. To make this work we’ll need to do a few things.

  • Create a webpage with the modified exploit to fit our scenario
  • Send an email to Valenka with the link to the exploit page using a name from the user list in the subject
  • Login with our newly created admin user.

So we’ll start off by creating a web-page. Here I made one called exp.html and put it in my /var/www/html directory. Then I started my apache server by using systemctl start apache2. I had some trouble getting this exploit to work properly. My assumption is that my initial password was too short and was getting rejected. Once I made it longer, it seemed to work fine.

casino20

Now that our web-page is up, we can send our malicious email. Remember the smtp server on port 25 from the nmap scan? Now we’re going to use it.

casino21

casino22

I used netcat, but telnet will work just as well. Obanno was the only user that worked for me. I couldn’t get Le to work even though that was the most logical choice. Anyway, you can watch your logs at /var/log/apache2/access.log to see when/if Valenka hits your web server. Once she does, you can login with the user name and password you set in the exploit.

casino23

Once in, check out the users page inside the admin dropdown.

casino24

Then look at Le’s account. Inside you’ll find a new link.

casino25

Let’s check it out.

casino26

Not much here, but let’s look at the source.

casino27

Here it gives a couple of hints on how to move forward. I wasn’t sure what they were talking about with the curl request so I did a google search on XML post request exploit. It brought me to this page about XML External Entities (XXE) and then I realized why they had the funky capitalization in the comments.  It also gives a hint about the FTP account which will come into play soon.

casino28

 

This blog has an excellent write-up on XXE. The code they use is exactly the same as in the casino-royal blog site. The only confusing part for me was what to actually send. The XXE blog gives the curl command and code you’ll need, but I was still confused. Once I understood what the exploit was doing, I realized I needed to make some modifications.

First off, the file you create must be called xml.txt or it won’t work.

Second, the casino-royal site gives you some very helpful hints. Unlike the blog page, which uses consistent naming conventions, casino changes the variable names. These must be updated in our PoC code as well.

casino29

In the end, the code should look like this

casino30

The given curl command should work now.

curl -d @xml.txt http://casino-royale.local/ultra-access-view/main.php

The output should contain the /etc/passwd file and we now have file read access to the system.

casino31

Here we can also see the custom ftp user. Since they said the password was easy, let’s try to brute force it with hydra.

hydra -l ftpUserULTRA -P /usr/share/wordlists/fasttrack.txt ftp://192.168.136.136

casino32

It doesn’t take very long to come back with the password bankbank. Let’s login and see what’s there.

casino52

 

Hmmm … main.php looks familiar. Let’s try battle2root.html on the Client Access: ULTRA page and see what happens.

casino33

Ok so we know that this ftp directory is accessible from the web and we can actually see the entire directory view from the web if we just view the root of the page.

casino34

If we try to upload files, most will be rejected. Apparently, there are some file restrictions in place. One type that is not restricted is perl.

Let’s upload a perl webshell and see if it works. Doing a locate on webshell in Kali will reveal a directory with some perl webshells ready to go. I’m using the one called perl-reverse-shell.pl but renaming it to pshell.pl for short.

We don’t have to modify it, but we do have to give it at least read/execute permissions after we upload.

casino35

Now when we go to the site we should see our file.

casino36

Now let’s try to execute a command.

casino37

It works! Now that we have command execution, let’s try to get a real shell.

We can tell that python is installed by issuing the command which python. The command is successful so let’s upload a python reverse shell.

casino38

Using the (one line) command this way, I’ll have to make it bash script, change permissions, and then run it. We can also just upload it as a python file and run it as python.

casino39

I started a python http server (python -m SimpleHTTPServer 80)  and used wget in the browser to transfer the file.

casino40

Then I started a netcat listener (nc -nlvp 7777) and ran the python script.

casino41

Once ran, I had a shell!

casino42

That took a lot of work, but we finally have access to the box. Let’s upgrade our shell with python.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

We’re going to be manipulating code so you’ll also want to:

Ctl z                            to background the session

stty raw -echo        (enter)

fg                              (enter)

This will give you tab auto complete, up arrow history, and ability to ctl c without killing your shell.

At this point, we can do a locate on config.inc.php. This is the file that stores phphmyadmin passwords. It shows up in a few places, but eventually we get Valenka’s user password.

casino43

It turns out that this is irrelevant as switching to her user account is actually less helpful than staying in www-data. That will become apparent later. If you were savvy enough to guess the location at the XXE stage, you potentially could have used phpMyAdmin to get a shell and skip the ftp portion.

At this point, you can search around the file system looking for interesting things, running privilege escalation scripts and whatever post exploitation things you like to do. One thing I noticed is that I didn’t see any scripts relating to the port 8081 that we found at the beginning.  So I did a locate on collect.php. It’s in the opt/casino-royal directory which you also could have easily stumbled upon.

Let’s see what it does.

casino44

This script calls a python script that’s also in this directory. Let’s look at that one.

casino45

This opens a data log that displayed the message when we clicked the run data collect button. Let’s look at the file permissions for these scripts.

casino46

Here’s where the domino’s start to fall. We have write access to casino-data-collection which is called by collect.php which is triggered by hitting the website button. Since le is the only person with execute permissions our assumption will be that if we inject a shell into casino python script, and press the collect button, we can get back a shell as le. Let’s give it a shot! Nano doesn’t work so we’re stuck with vi ☹ It’s a good thing we upgraded our shell or vi would be more of a pain than normal.

 

Remember the python script we used earlier? Well we get to use it again here (make sure to change the port number). Exit with :wq!   😊

casino47

 

Now we set up a netcat listener (nc -nlvp 8888) and press the button.

casino48

Awesome! We are now le. This is a good time to upgrade your shell with python again.

Now we have more privileges with the scripts that are in this directory

One thing I forgot to mention earlier is that I ran the mi6_detect_test as www-data.

casino49

It seemed to output some connections using netstat.

As le, we have access to a new script call run.sh and when we run it look what happens.

casino53

 

Notice any similarities? The detect script is calling run.sh. The main difference is that the detect script is running as root! Just like before, if we change the code in run.sh with shell code, and run the detect script, we should get root. Let’s fire up vi one more time and put in our code.

Since this is a bash script, our oneliner will work better.

casino50

Now we start a listener one more time (nc -nlvp 9999), and run ./mi6_detect_test

casino54

ROOT!

 

Inside the root folder is a flag folder containing a bash script. Run it for the reward.

casino51

casino55

And that was Casino Royale! I thought this was a great box to work on and I learned some new hacking techniques (which is always the goal). Hopefully the walkthrough was helpful.

-R3a50n

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s