Billu B0x is a relatively new machine that came on VulnHub. Created by Manish Kishan Tanwar, it surfaced on April 21st, 2017. It can be downloaded from https://www.vulnhub.com/entry/billu-b0x,188/
The objective is to break into the machine via a web application running on it and escalate user privileges.
Downloaded and fired up, it presents with a login screen with no other information at all apart from telling us it is an Ubuntu Machine, which we already know:
So, heading back to our attacking machine, Kali 2017.1, I run a simple command:
Now that we know the IP address of our target machine, let’s start by scanning it:
For this case, I am using Zenmap, a GUI version of Nmap. The scan shows us that there are two ports open:
- Port 22 – Used for SSH
- Port 80 – Used to serve a web application
Let’s head to its port 80 and see what’s the web application we are dealing with:
So, it looks like a custom page which is asking for a username and password. Looking at the source code of the page, I came across a really interesting line:
After trying the known combination of SQL Injection used to bypass login, all the attempts made were unsuccessful. Let’s head over to dirbuster and see what it has to offer:
So, the first interesting link I come across is /in.php. When opened, it gives us this:
Let’s keep it for now. This can come handy in future. The next link I come across is /test.php
When opened, this is what it says:
From the looks of it, it is safe to say that file is a variable sent via POST request and it may be vulnerable to LFI. Let’s give that a shot:
I will be sending the POST request by using a simple cURL command:
$ curl -X POST –data “file=/etc/passwd” http://172.16.92.136/test
It is vulnerable to LFI!
Now that things are heating up let’s take it up a notch. Since we know that index.php asks for username and password and a POST request is being made, it is safe to say that the rest of the PHP code would be in the same file. Since we just established that we have an LFI vulnerability, let’s see if we can exploit that to read the code of index.php.
For this, again, a cURL request would be sent:
$ curl -X –data “file=index.php” http://172.16.92.136/test
We can see that a file called c.php is being included in the code. Let’s hope it gives us what we are hoping for:
$ curl -X –data “file=c.php” http://172.16.92.136/test
Ethical Hacking Training – Resources (InfoSec)
And there you go, we have the credentials for the MySQL. Now the question arises, how to access it?
Heading back to dirbuster, I see that it has found another link /phpmy. After opening it, it takes us to PHPMyAdmin. Using the credentials:
- Username: billu
- Password: b0x_billu
We are able to log into PHPMyAdmin:
and using the credentials we found here, we can log into the web application as well:
However, we are nowhere close to getting into the server. All this time looking into the web application made me realize that it will not be the worst idea to try and call config.inc.php
Going back to our terminal, let’s hit another cURL request:
$ curl -X POST –data “file=/var/www/phpmy/config.inc.php” http://172.16.92.136/test
Finally, we have something concrete. Now using the credentials:
- Username: root
- Password: roottoor
We can now log into the server via SSH:
Alrighty then, we are in as root.