This article explains the walkthrough steps of the machine named “CUMHURIYET”, which is hosted on the PriviaHub platform and has been retired.
First, a scan was run to identify the open ports on the machine and the services currently running on them.
The scan showed that ports 80 and 443 are open and that an “Apache 2.4.38” service is running on them.

Access to the web application running on the Apache service was obtained via the web browser over the open port 80.

On reaching the application, a user login page is presented. To log in, a user account must first be created, so the “Create An Account” link was followed to the registration page and an account was registered.

After the registration operation was completed, access to the user panel was obtained from the login page.

After signing in, access was obtained to the page named “account.php” on the user panel. This page enables users to change their passwords.

To intercept the request sent at the moment the “Change Password” button is clicked, a local proxy application was started before changing the password. After a new password value was entered into the text boxes and the button was clicked, the user_id parameter stood out among the request data arriving at the proxy.

The value “2” assigned to this parameter is the ID of the user currently logged in. If this ID is changed to the ID of a different user and the request is sent, that user’s password is changed instead. This class of vulnerability is called IDOR (Insecure Direct Object Reference). The “user_id” value was set to 1 and the request was sent.
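The password-change flow described above, modelled as an added example (this is not code from the CUMHURIYET machine or from PriviaHub, and the user table, hashing and field names are constructed assumptions): the vulnerable handler chooses the record to update from the client-supplied user_id field, while the hardened handler takes the target only from the server-side session and logs any mismatch, which is also the signal a defender can alert on.

```python
import copy
import hashlib

# Constructed user table (id -> record); the walkthrough implies that id 1 is
# the admin and id 2 is the freshly registered user.
USERS = {
    1: {"email": "admin@example.test", "pw_hash": hashlib.sha256(b"admin-old").hexdigest()},
    2: {"email": "newuser@example.test", "pw_hash": hashlib.sha256(b"user-old").hexdigest()},
}

def _hash(password: str) -> str:
    # Placeholder hash for the demo; a real application would use a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()

def change_password_vulnerable(users, session, form):
    """Behaves like the account.php flow in the walkthrough: the record to
    update is selected by the client-controlled user_id field (IDOR)."""
    uid = int(form["user_id"])
    if uid not in users:
        return "no such user"
    users[uid]["pw_hash"] = _hash(form["new_password"])
    return "changed"

def change_password_fixed(users, session, form, audit_log):
    """The object reference comes from the authenticated session only. A
    user_id in the form that disagrees with the session is refused and logged."""
    uid = session.get("user_id")
    if uid is None or uid not in users:
        return "not authenticated"
    if "user_id" in form and str(form["user_id"]) != str(uid):
        audit_log.append(f"IDOR attempt: session uid={uid} form user_id={form['user_id']}")
        return "forbidden"
    users[uid]["pw_hash"] = _hash(form["new_password"])
    return "changed"

def demo():
    """Replays the walkthrough: the user with id 2 submits user_id=1."""
    session = {"user_id": 2}
    tampered = {"user_id": "1", "new_password": "attacker-chosen"}
    vuln, fixed, log = copy.deepcopy(USERS), copy.deepcopy(USERS), []
    r1 = change_password_vulnerable(vuln, session, tampered)
    r2 = change_password_fixed(fixed, session, tampered, log)
    admin_changed_vuln = vuln[1]["pw_hash"] == _hash("attacker-chosen")
    admin_changed_fixed = fixed[1]["pw_hash"] == _hash("attacker-chosen")
    return r1, r2, admin_changed_vuln, admin_changed_fixed, log

if __name__ == "__main__":
    print(demo())
```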

After the request was sent, the username of the account whose password was changed must be known in order to access its panel. Since the ID was “1”, it can be inferred that this account is likely an “admin” account. Because the login page asks for an email address, the email address of the account with ID 1 may be “[email protected]” or “[email protected]”. An attempt was made to log in by entering this email address together with the new password.

As a result of the information entered being correct, access to the administrator panel was obtained.

On the panel, there is a web page that can be used to add a new page to the system. On this page, the first text box represents the name of the PHP file to be newly created, and the other text box represents the PHP code that will be placed inside this file. Consequently, a file containing PHP code that provides a session connection in order to execute commands on the machine can be created.

After the file name and the PHP code providing a session connection were entered into the text boxes, a page named “reverse_shell.php” was created. When this page is accessed, the listening mode started on the “Metasploit Framework” application will receive the request and a session connection will be obtained on the machine. In order to be able to execute commands over the session obtained, the “meterpreter” application, which is an effective tool developed for carrying out post-exploitation operations, will be used, and accessing this page will provide a meterpreter connection on the machine.

As a result of the access made to the page, the Metasploit application received the request and a meterpreter session connection was obtained.

The Apache service runs with the privileges of the local user account named “web” defined on the machine, so the meterpreter session was obtained with the rights and privileges of that user. However, the session obtained through the PHP file is not a fully interactive one, because it is provided by the “php/meterpreter/reverse_tcp” payload offered by the Metasploit Framework, and what can be done is limited by the capabilities of the PHP language. For this reason, a “.exe” application file that provides a meterpreter session was generated with the Metasploit Framework, and a new listener was started using the “windows/meterpreter/reverse_tcp” payload. The newly created file was uploaded to the machine over the existing session and executed. In this way, the listener running in the background captured the request and a new meterpreter session was obtained.

By accessing the desktop directory of the user named “web” via the meterpreter application, the “non-privflag.txt” file was obtained. However, the “privflag.txt” file in the desktop directory belonging to the “Administrator” account cannot be read, because the “web” user has low privileges. For this reason, the privilege escalation operation will be performed.
When the rights and privileges of the “web” user are examined, it can be seen that this user is a member of the group named “Administrators”.

As can be understood from this, the “web” user has administrator rights, but the Apache service runs under UAC (User Account Control) protection. For this reason, the meterpreter connection was obtained with low privileges. The next step is to bypass the UAC mechanism and perform operations requiring high privileges as the “web” user. To bypass UAC, the tool named Akagi, developed by “hfiref0x”, can be used. This tool contains various UAC bypass techniques, and depending on the operating system and build number of the machine, the UAC mechanism can be bypassed using an appropriate method. After downloading Akagi from GitHub and compiling it, the resulting executable is uploaded to the victim machine and run with an argument that selects the technique. By running Akagi together with a previously created meterpreter payload, a new meterpreter session can be obtained with high privileges.

Based on the operating system and build number of the machine, technique number 10 (the techniques are listed on the GitHub page) was selected, and Akagi was run together with the meterpreter payload previously uploaded to the machine. In this way, a new meterpreter session was obtained with high privileges.
