Casino Royale Walkthrough

So quite a few VMs came out on VulnHub, and one of the first ones on the list is Casino Royale, which you can find here. The difficulty of this VM is labeled intermediate, but don’t let that get in the way of you doing it! After this, you’ll find it was a little easier than intermediate 🙂

What I used: Python 3, Wireshark, and Burpsuite

The most exciting part was going through the webapp and creating a PoC for it. So this will be more focused on the webapp and constructing a PoC and learning how interesting SQL injection can be and what not. For now, let’s knock out the boring stuff.

With a quick arp scan, I was able to pick up which machine it was:

There were only four ports open on the machine, but the most interesting port is the webapp.

vsFtpd didn’t allow anonymous logins and no credentials were available. I didn’t bother with port 25 at all, and port 8081 served something but wouldn’t do anything useful for me.

When you first get to the page, you see a pretty sick clip of James Bond.

One of the first things I did was run Nikto and Dirb to see if any interesting information would pop up:

The only items in robots.txt were the following: /cards and /kboard. Neither of those was fruitful for me. Index.php was an interesting item and we will get to that in a bit. Install was also interesting because usually you can do whatever you want as if it were your application; however, I didn’t get very far as I wasn’t able to create or overwrite the existing database.

There aren’t any fields to even try to make a new database. Although we didn’t get to do the install, it led us to a very interesting directory, and I will get into this in a bit.

I ran dirb against this and discovered the following URLs:

A lot of the URLs discovered were pretty fruitless with the exception of install. phpMyAdmin didn’t have any default credentials, and I’m pretty sure the phpMyAdmin vulns need creds to exploit, had it been vulnerable to anything.

Now to the fun part…Index.php

This looked interesting because you can pick any tournament result and view it, so the first thing I do is see what the actual request looks like with my good friend Burpsuite! This is the request I got:

Those look like some values we can try for SQL injection, so I ran that against sqlmap. After some time, I received the following output:

From here, you can begin to dump information you want like the current user, the current database, password hashes, etc. Pretty much anything your little heart desires.

Another interesting thing we saw was in /install. When I viewed the page source, I noticed a directory called pokeradmin. What do you see when you get there?

The request for this login page looks like this:

I ran that with sqlmap again and after some time, I was presented with some SQL injection payloads again, w00t!! 🙂

With this, I was able to dump information again, but the best part about this is when you submit the payload…you BYPASS the login and become admin.
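Both the tournament lookup on index.php and the pokeradmin login fell to the same root cause: request parameters concatenated into SQL text. The following is an added example (not code from the original post or from the VM's application) that reproduces that pattern against an in-memory SQLite table and puts the parameterised fix beside it. The table and column names, the sample rows and the `' OR 1=1 -- ` input are constructed for the example; they are not the VM's schema or sqlmap's payloads.

```python
"""Added example: string-built SQL (the vulnerable pattern) beside bound
parameters (the fix), demonstrated on constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the poker application's tables
    # (names and rows are assumptions for this example only).
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE results (id INTEGER, tournament TEXT, winner TEXT);
        INSERT INTO results VALUES (1, 'Monte Carlo', 'Le Chiffre');
        INSERT INTO results VALUES (2, 'Casino Royale', 'Bond');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'placeholder-password');
        """
    )
    return con


def results_unsafe(con: sqlite3.Connection, tournament_id: str) -> list:
    # Vulnerable: the request parameter is pasted straight into the SQL text,
    # so anything the client sends is parsed as part of the query.
    query = f"SELECT winner FROM results WHERE id = {tournament_id}"
    return con.execute(query).fetchall()


def results_safe(con: sqlite3.Connection, tournament_id: str) -> list:
    # Hardened: the value travels as a bound parameter; the query text is fixed.
    return con.execute(
        "SELECT winner FROM results WHERE id = ?", (tournament_id,)
    ).fetchall()


def login_unsafe(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: a quote in the username closes the literal and the rest of
    # the input becomes SQL, which is how a login check gets bypassed.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return con.execute(query).fetchone() is not None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: both values are bound; the quote is just a character in a string.
    # (A real application would also compare a password hash, not plaintext.)
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("unsafe lookup with '1 OR 1=1':", results_unsafe(db, "1 OR 1=1"))
    print("safe lookup with '1 OR 1=1':  ", results_safe(db, "1 OR 1=1"))
    print("unsafe login bypass:", login_unsafe(db, "' OR 1=1 -- ", "anything"))
    print("safe login, same input:", login_safe(db, "' OR 1=1 -- ", "anything"))
```

The bound-parameter versions return nothing for the injected inputs because the database never sees `OR 1=1` as SQL; it sees a text value that matches no row. That is the whole fix for both findings on this VM, whatever the database engine.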

I refreshed the page and examined what the request looked like.

The interesting thing about this is the cookie. It is a valid admin cookie and it’s user controlled!
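The cookie problem is worth isolating: the server treated a cookie value the client could write as proof of being admin. The added example below (not code from the original post or the VM's application) contrasts that trusting check with a cookie whose value is bound to a server-side HMAC, so a client that edits the role field fails verification. The cookie layout, role names and secret are constructed for the example.

```python
"""Added example: a plain trusted cookie versus an HMAC-signed cookie."""
import hashlib
import hmac

# Constructed for this example; a real deployment keeps a random secret out of
# source control and rotates it.
SERVER_SECRET = b"constructed-example-secret"


def trusting_check(cookie: str) -> bool:
    # Vulnerable pattern: whoever sets the cookie to "admin" is admin.
    return cookie == "admin"


def issue_cookie(role: str, secret: bytes = SERVER_SECRET) -> str:
    # Server side: sign the role so the value cannot be changed without the key.
    sig = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{sig}"


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET):
    # Returns the role if the signature checks out, otherwise None.
    role, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking information through timing differences.
    if not hmac.compare_digest(expected, sig):
        return None
    return role


def is_admin_signed(cookie: str) -> bool:
    return verify_cookie(cookie) == "admin"


if __name__ == "__main__":
    good = issue_cookie("admin")
    forged = issue_cookie("guest").replace("guest", "admin", 1)
    print("trusting check, hand-written 'admin':", trusting_check("admin"))
    print("signed check, server-issued admin:", is_admin_signed(good))
    print("signed check, guest cookie edited to admin:", is_admin_signed(forged))
```

An opaque random session identifier looked up server-side is the more common fix; the signed cookie is shown because it makes the defect visible in a few lines: the role is still in the cookie, but it is no longer user controlled.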

I poked around the admin side and found an interesting page:

This page gives me the username AND password to log in to the website. The downside is they didn’t let me SSH into the machine or log in to phpMyAdmin. That’s alright though.

Another interesting thing about this is that you are able to gain access to the machine via sqlmap’s –os-shell parameter. This is great because I wasn’t able to find any type of upload or anything similar when I was browsing the site.

At this point, I wanted to make a PoC for this. The only thing I didn’t know how to do was upload a file via the LIMIT ‘LINES TERMINATED BY’ method. I have read about the SELECT INTO method but I was not able to get that working, or I am just too dumb for that. I’m still waiting for someone to teach me how to not be so dumb. What I did was learn how sqlmap did it by issuing the request and viewing it in Wireshark. The game plan is to bypass the login to get access to the admin area, grab the credentials because why the hell not, upload our backdoor, and then issue commands to get RCE. Fuck yea!
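Everything the walkthrough does against the webapp, from the sqlmap runs to the file write behind –os-shell, leaves traces in the web server's access log. The following is an added example (not from the original post) written from the defender's side: a small classifier that URL-decodes each request line and flags sqlmap's User-Agent, tautology and UNION probes, and the MySQL file-write clauses (INTO OUTFILE, LINES TERMINATED BY) that a file drop relies on. The log lines are constructed in Apache combined format; the IPs, paths, parameters and file names are placeholders, not values from the VM.

```python
"""Added example: flagging SQL-injection and file-write probes in web access logs."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines (Apache combined format); none are real captures.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2019:10:00:00 +0000] "GET /index.php?tournament=1 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [01/Jan/2019:10:00:05 +0000] "GET /index.php?tournament=1%20OR%201%3D1 HTTP/1.1" '
    '200 2048 "-" "sqlmap/1.3#stable (http://sqlmap.org)"',
    '10.0.0.9 - - [01/Jan/2019:10:00:09 +0000] "GET /pokeradmin/page.php?id=1%20UNION%20SELECT%201'
    '%20INTO%20OUTFILE%20%27/var/www/html/placeholder.txt%27%20LINES%20TERMINATED%20BY%200x0a--%20 HTTP/1.1" '
    '200 310 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

# Signature order determines the order of names in a finding.
SIGNATURES = {
    "sqlmap-ua": re.compile(r"sqlmap", re.I),
    "tautology": re.compile(r"\bOR\s+\d+\s*=\s*\d+", re.I),
    "union-select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "file-write": re.compile(r"\bINTO\s+(OUT|DUMP)FILE\b|\bLINES\s+TERMINATED\s+BY\b", re.I),
    "comment-trunc": re.compile(r"--\s|/\*"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify(line: str):
    """Return the list of signature names a line matches, [] if clean,
    or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = unquote_plus(m.group("url"))  # decode %xx and '+' before matching
    ua = m.group("ua")
    hits = []
    for name, rx in SIGNATURES.items():
        target = ua if name == "sqlmap-ua" else url
        if rx.search(target):
            hits.append(name)
    return hits


def scan(lines):
    """Return (1-based line number, hits) for every flagged line."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Two caveats a practitioner would want: POST bodies (such as the pokeradmin login form) are not in the access log, so that probe needs application or WAF logging; and the file-write signature only matters if the database account holds the FILE privilege and the web root is writable by it, which is the configuration that makes –os-shell work in the first place.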

To bypass the login, I took the payload from sqlmap and used the requests module with Python3.

What’s happening here is that I am using a requests session to keep the cookies for the rest of the script. The payload is broken up at each ‘=‘ in the request, separated by ‘&‘. The response to the POST request is saved into s to print out the outcome. Now everything my script does will be as the admin.

Next thing to do was grab the credentials even though we don’t need them but screw it, why not 🙂

At line 1, I am getting the results from that page. I am using BeautifulSoup to parse the webpage to look for the Username and Password values, and so far we just have a lot of HTML. As of now, it looks like this:

I can extract what I need by finding all the ‘tr’ tags and then iterating through the results. If the tag is ‘Username’ or ‘Password’, I can find the ‘input’ field and extract the values of username and password from its attributes. In this case, admin and raise12million. This took longer than it should have for me, but oh well! The deed is done and looks clean af.

Next thing on the list is to write the backdoor into /var/www/html/pokeradmin/. After seeing how the payload is done and what the payload is, I used my own payload to save space and do it the way I want, since sqlmap writes payloads the size of novels…and I like coloring books.

Basically what SQLmap sends is:

The backdoor I made is small, simple, and straight to the point:

To issue commands, it uses the variable tooSick to grab base64-encoded commands. This is so I can use spaces or ticks or whatever I want without anything breaking.

What this is doing is sending the payload with my hex-encoded backdoor and making another request to the backdoor just to check its status. If the status code for my backdoor is 404, it returns None because it wasn’t uploaded; otherwise, my backdoor was uploaded successfully 🙂

With all that working, I create a fake shell to issue commands as if I were on the actual machine. All this does is take input from the user; if the command is exit, we break, otherwise it encodes my command in base64, sends it to the machine and gives me the results.

I generated a 64-bit reverse shell using msfvenom and then transferred it to the target’s /tmp folder:

After doing so, I had a full shell on the target machine and all that was left to do was get root! The first thing I did was check to see if there were any interesting SUID binaries and found a pretty interesting one.

Hmm…well this should be interesting. I’m always down for breaking binaries!!

Guess I’m not breaking anything, unfortunately. The interesting thing is the error it gives you when you run it. It’s trying to execute a bash script called, but there isn’t one in the current directory…so I made one! All it does is a whoami:

Well that was easy 🙂

All that was left to do is get root and read the flag!

The full PoC for this is below:
