First let’s see what we got. I did a basic nmap scan:
It seems that an active IPS/IDS is present. I tried different nmap evasion techniques, but those didn’t work: the scan reported all ports as filtered. I checked manually whether port 80 was open, then fired up Nikto. Nothing interesting.
Let’s look at those images. Voilà, a little hint:
Okay, let’s check the source code. I found an interesting line:
It looks like a hash or an encoded string. I don’t know why, but my first thought was that it was base64. I had to decode the string twice, and that gave me a username:password pair.
After some investigation I found a CMS portal called ImpressCMS (by clicking on Employee portal on initech.html). Let’s see if we can log in with our username/password pair. Login successful, nice. We have 3 messages in the Inbox. Let’s see the first:
I downloaded the keyfile located at the root of the website and found out that it is a Java keystore file. I read the 2 other messages, but those didn’t help much. My first thought proved right: an active IDS/IPS is present. I searched for exploits related to ImpressCMS, but the one that could have worked was trolled:
At this point I got stuck for a bit. I tried DirBuster, different exploits and XSS vulnerabilities on the CMS site, but nothing. I tried to brute force the admin account, but no luck. I investigated the other pictures and pages more deeply, but found nothing interesting. One option was left on the CMS site: check pgibbons’s profile. There I found something interesting:
Published by Peter Gibbons on 2016/6/4 21:37:05. (0 reads)
Team – I have uploaded a pcap file of our red team’s re-production of the attack. I am not sure what trickery they were using but I cannot read the file. I tried every nmap switch from my C|EH studies and just cannot figure it out. http://192.168.110.140/impresscms/_SSL_test_phase1.pcap They told me the alias, storepassword and keypassword are all set to ‘tomcat’. Is that useful?? Does anyone know what this is? I guess we are securely encrypted now? -Peter p.s. I’m going fishing for the next 2 days and will not have access to email or phone.
I opened the pcap file; it contained data, but I didn’t have the private RSA key to decrypt it. WAIT! I have one! I had to export the RSA private key from .keyfile, and then I was able to see what the heck had happened:
Tomcat Manager is running on port 8443 (https://192.168.110.140:8443/_M@nag3Me/html/; login successful with the credentials from the Wireshark capture). What’s more, the capture gave us a hint that we can run shell commands with the help of cmd.jsp. But where is it? It had been uploaded, but the resource cannot be found; the author or a system service may have deleted it. A little googling helped me at this point. I can upload any kind of WAR file, and there is a cmd.war file on the internet (Laudanum) that seems to be the same thing. So I uploaded it, searched for netcat and made a reverse shell back to my Kali box.
First I tried some Ubuntu 14.04 kernel exploits, but all of them failed. I finally gave up probing exploits; instead I sent the LinEnum privilege checker to the victim machine and did a quick investigation of what permissions I had.
MySQL login as root was successful without a password. Nice. I found Milton’s username and password hash in the database, then tried to crack the password with oclHashcat. It was successfully recovered, and I switched user from tomcat to milton, which worked. Another username and password hash were found, but I couldn’t crack that hash within a reasonable time.
After switching user from tomcat to milton, I found a “some_script.sh” file with the following content: Nothing here.
Okay, dig deeper. Really, nothing in here… After some time I found an init script in the init.d folder (portly.sh). This little script redirects all traffic to the portly scanner. Okay, I will use this script to add milton to sudoers at system startup:
# overwrite the writable init script so that, on the next boot, it rewrites /etc/sudoers
echo 'echo "milton ALL=(ALL) ALL" > /etc/sudoers' > /etc/init.d/portly.sh
After the system rebooted I rebuilt my connections, did a quick sudo su as milton and voilà, I captured the flag.
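The escalation above only worked because a script that init runs as root at boot could be rewritten by an unprivileged user. As an added example that is not part of the original write-up, this Python audit flags init.d scripts that a non-root user could modify, run over a constructed sample directory (the file names and modes below are assumptions for illustration, not values from the box).

```python
import os
import stat
import tempfile

# Constructed sample: one world-writable script (the weakness used above),
# one group-writable script, and one with the expected root-only mode.
SAMPLE_SCRIPTS = {
    "portly.sh": 0o777,  # any local user can replace it
    "mysql": 0o775,      # members of the owning group can replace it
    "ssh": 0o755,        # writable only by its owner
}


def audit_init_scripts(init_dir, trusted_uid=0):
    """Return {script name: [reasons]} for scripts a non-root user could modify."""
    findings = {}
    for name in sorted(os.listdir(init_dir)):
        st = os.lstat(os.path.join(init_dir, name))
        reasons = []
        if stat.S_ISLNK(st.st_mode):
            reasons.append("symlink (target may be attacker-controlled)")
        if st.st_uid != trusted_uid:
            reasons.append(f"owned by uid {st.st_uid}, not {trusted_uid}")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_tree(root):
    """Create the constructed sample scripts with the modes listed above."""
    for name, mode in SAMPLE_SCRIPTS.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n# placeholder service script (constructed)\n")
        os.chmod(path, mode)


def demo():
    """Build the sample tree in a temp dir and audit it; the current user stands in for root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_init_scripts(root, trusted_uid=os.getuid())


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```

On a real host run audit_init_scripts("/etc/init.d") with the default trusted_uid of 0; any hit is a boot-time code path that a local user can hijack and should be reset to root:root 0755.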