KIOPTRIX LAB LEVEL [III]
You can find the whole penetration testing process for this machine in the following video:
Complete walkthrough of the season's content:
RECOGNITION PHASE:
NETWORK DISCOVERY:
We can use a couple of tools for this task. One of them is arp-scan, which sends requests over the ARP protocol in broadcast mode and waits for the hosts' responses via the same protocol, as you can see below. The other tool is netdiscover, which works on the same principle but takes an interface as a parameter:
NMAP:
In this step, from the attacker machine, we collect information about the open ports and services of our target machine. We can use some options to run scripts and obtain information about vulnerabilities on the remote host.
nmap -sC -sV -n -v 192.168.1.53 -oN target_nmap
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-10 20:57 CEST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:57
Completed NSE at 20:57, 0.00s elapsed
Initiating NSE at 20:57
Completed NSE at 20:57, 0.00s elapsed
Initiating NSE at 20:57
Completed NSE at 20:57, 0.00s elapsed
Initiating Ping Scan at 20:57
Scanning 192.168.1.53 [2 ports]
Completed Ping Scan at 20:57, 0.01s elapsed (1 total hosts)
Initiating Connect Scan at 20:57
Scanning 192.168.1.53 [1000 ports]
Discovered open port 22/tcp on 192.168.1.53
Discovered open port 80/tcp on 192.168.1.53
Completed Connect Scan at 20:57, 0.02s elapsed (1000 total ports)
Initiating Service scan at 20:57
Scanning 2 services on 192.168.1.53
Completed Service scan at 20:57, 6.03s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.53.
Initiating NSE at 20:57
Completed NSE at 20:57, 0.24s elapsed
Initiating NSE at 20:57
Completed NSE at 20:57, 0.00s elapsed
Initiating NSE at 20:57
Completed NSE at 20:57, 0.00s elapsed
Nmap scan report for 192.168.1.53
Host is up (0.0014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 20:57
Completed NSE at 20:57, 0.00s elapsed
Initiating NSE at 20:57
Completed NSE at 20:57, 0.00s elapsed
Initiating NSE at 20:57
Completed NSE at 20:57, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
The conclusion of the nmap scan is that we found the following open ports and services:
EXPLOITATION:
In the exploitation phase we are going to check every service and version that is open on the victim machine.
22: ssh
The service is alive and works as expected, but we don't have a username and credentials to log in.
80: http
The other service is a web page on port 80 using the HTTP protocol; it seems that we should exploit some vulnerability in this service in order to gain access to the target machine.
Webpage crawling:
locate wordlist | grep directory | grep medium
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
kali@kali:~/streaming/nmap$ wfuzz --hc 404 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt http://192.168.1.53/FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.53/FUZZ
Total requests: 220560
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000001: 200 38 L 190 W 1819 Ch "# directory-list-2.3-medium.txt"
000000002: 200 38 L 190 W 1819 Ch "#"
000000003: 200 38 L 190 W 1819 Ch "# Copyright 2007 James Fisher"
000000004: 200 38 L 190 W 1819 Ch "#"
000000005: 200 38 L 190 W 1819 Ch "# This work is licensed under the Creative Commons"
000000006: 200 38 L 190 W 1819 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000007: 200 38 L 190 W 1819 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000008: 200 38 L 190 W 1819 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000009: 200 38 L 190 W 1819 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000010: 200 38 L 190 W 1819 Ch "#"
000000012: 200 38 L 190 W 1819 Ch "# on atleast 2 different hosts"
000000011: 200 38 L 190 W 1819 Ch "# Priority ordered case sensative list, where entries were found"
000000013: 200 38 L 190 W 1819 Ch "#"
000000014: 200 38 L 190 W 1819 Ch ""
000000145: 301 9 L 31 W 353 Ch "modules"
000000168: 301 9 L 31 W 353 Ch "gallery"
000000182: 403 10 L 33 W 323 Ch "data"
000000685: 301 9 L 31 W 350 Ch "core"
000000915: 301 9 L 31 W 351 Ch "style"
000001083: 301 9 L 31 W 351 Ch "cache"
000010825: 301 9 L 31 W 356 Ch "phpmyadmin"
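The first fourteen hits in the wfuzz listing are not directories: dirbuster wordlists begin with `#` comment lines and a blank line, wfuzz sends them as-is, and because `#` marks a URL fragment each of those requests effectively fetches `/`, so they all carry the index page's 200/38 L/190 W/1819 Ch signature. The following Python is an added example, not code from the original post or from wfuzz: it parses wfuzz's default output and uses the comment payloads as a free baseline to hide every hit that returned the same page. The sample output is a trimmed copy of the listing above plus one invented line (`about`) that shares the baseline signature; the line format is assumed to be wfuzz 2.4.5's default.

```python
import re

# Constructed sample: a trimmed copy of the wfuzz run above, plus an invented
# "about" line that returns the same page as the comment payloads.
SAMPLE_WFUZZ = """\
000000001:   200        38 L     190 W    1819 Ch    "# directory-list-2.3-medium.txt"
000000002:   200        38 L     190 W    1819 Ch    "#"
000000014:   200        38 L     190 W    1819 Ch    ""
000000020:   200        38 L     190 W    1819 Ch    "about"
000000145:   301        9 L      31 W     353 Ch     "modules"
000000168:   301        9 L      31 W     353 Ch     "gallery"
000000182:   403        10 L     33 W     323 Ch     "data"
000000685:   301        9 L      31 W     350 Ch     "core"
000000915:   301        9 L      31 W     351 Ch     "style"
000001083:   301        9 L      31 W     351 Ch     "cache"
000010825:   301        9 L      31 W     356 Ch     "phpmyadmin"
"""

# One result line: "<id>: <code> <n> L <n> W <n> Ch "<payload>"" (wfuzz default output).
LINE_RE = re.compile(
    r'^(?P<id>\d+):\s+(?P<code>\d{3})\s+(?P<lines>\d+) L\s+(?P<words>\d+) W\s+'
    r'(?P<chars>\d+) Ch\s+"(?P<payload>.*)"\s*$'
)


def parse_wfuzz(text):
    """Parse wfuzz result lines into dicts; banner and separator lines are skipped."""
    results = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        r = m.groupdict()
        for key in ("code", "lines", "words", "chars"):
            r[key] = int(r[key])
        results.append(r)
    return results


def signature(r):
    """Response fingerprint: status code plus line, word and char counts."""
    return (r["code"], r["lines"], r["words"], r["chars"])


def is_wordlist_comment(payload):
    """Dirbuster lists start with '#' comments and a blank line; wfuzz sends them as paths."""
    return payload == "" or payload.startswith("#")


def filter_noise(results):
    """Drop the comment payloads and any other hit whose response matches theirs.

    Those payloads fetched '/' (the '#' is a fragment marker), so their signature
    is the index page; a hit with the same signature is not a new resource.
    """
    baseline = {signature(r) for r in results if is_wordlist_comment(r["payload"])}
    return [r for r in results
            if not is_wordlist_comment(r["payload"]) and signature(r) not in baseline]


if __name__ == "__main__":
    for r in filter_noise(parse_wfuzz(SAMPLE_WFUZZ)):
        print(r["code"], r["chars"], r["payload"])
```

The same effect can be had at scan time with wfuzz's own filters once the baseline is known (`--hh 1819` to hide responses of that size, or `--hw 190`), or by stripping the header from the wordlist first with `grep -v '^#'`.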
phpmyadmin access:
On the blog there are a couple of posts, and in one of them we found a new hostname that we should add to the /etc/hosts file of our local attacker machine for DNS resolution.
cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali.home.kali.com kali
192.168.1.53 kioptrix3.com
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Right now we can access the new web application, hosted on the same target machine, using DNS name resolution.
Searching the web application for vulnerabilities with nikto:
nikto -host http://kioptrix3.com/gallery/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.53
+ Target Hostname: kioptrix3.com
+ Target Port: 80
+ Start Time: 2021-08-10 21:16:45 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /gallery/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /gallery/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /gallery/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /gallery/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server may leak inodes via ETags, header found with file /gallery/db.sql, inode: 630988, size: 3573, mtime: Sat Oct 10 21:43:52 2009
+ OSVDB-3092: /gallery/db.sql: Database SQL?
It seems that the web page is developed in PHP + HTML + CSS + JS and contains vulnerabilities; we also know that it works with a MySQL database for persistence, and we can download the SQL schema creation script that we will attack.
But another idea is to review the CMS that hosts the web page content in order to validate the vulnerabilities.
Powered by -- LotusCMS:
Exploiting LotusCMS without Metasploit modules, OSCP style.
1. Review the known exploits for this CMS with the searchsploit tool.
The second one is a txt file that explains multiple vulnerabilities; it does not contain the remote code execution vulnerability that we are looking for, but we found the following PoC:
We use that PoC from our attacker machine in order to exploit the vulnerability. Of course we can't gain access, but there is useful information about the CMS version and configuration structure.
2. Using this public exploit, in sh (bash version):
https://github.com/Hood3dRob1n/LotusCMS-Exploit
https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh (thanks to Hood3dRob1n)
We obtain an automated RCE exploit that spawns a reverse shell from the target machine to the attacker machine:
3. Review the web page to recover information about users and credentials:
4. Access the database application schema with the recovered user/credentials using the phpmyadmin service found earlier:
http://kioptrix3.com/gallery/
The Dev_account table contains the information of the developer users!
dreg 0d3eccfb887aabd50f243b3f155c0f85
loneferret 5badcaf789d3d1d09794d8f021f40f0e
Crack passwords:
Access using ssh service:
Privilege escalation:
In the privilege escalation process, we are going to review the binaries that the user loneferret can execute as root on the operating system:
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
And ht is an annoying editor that you can use from the Linux terminal:
sudo /usr/local/bin/ht
Error opening terminal: xterm-256color.
export TERM=xterm
loneferret@Kioptrix3:~$ echo $TERM
xterm
loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht
loneferret@Kioptrix3:~$ sudo -l
[sudo] password for loneferret:
User loneferret may run the following commands on this host:
(ALL) ALL
loneferret@Kioptrix3:~$
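The two `sudo -l` listings above are the whole lesson of this phase: the first one grants `loneferret` a passwordless editor as root and a `!/usr/bin/su` entry that forbids nothing useful, and the second one shows the result, `(ALL) ALL`. An editor running as root can open and save any file, /etc/sudoers included, so the first rule was already worth full root. The Python below is an added example, not code from the original post or from sudo: it parses the rule lines of `sudo -l` output and reports the entries a reviewer should reject. The sample text is constructed from the listings above, the `EDITORS` set is my own assumption about which binaries count as editors, and the rule-line format is assumed to be the `(runas) TAG: command` form sudo prints.

```python
import re

# Constructed sample in the shape of the `sudo -l` output above: the two rules
# loneferret starts with, plus the `(ALL) ALL` line seen at the end of the session.
SAMPLE_SUDO_L = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
    (ALL) ALL
"""

# Rule line as sudo -l prints it: "(runas) [TAG: ...] command".
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)+)?(?P<cmd>\S.*)$")

# Assumption: interactive editors. Any of them running as root can write any file
# (sudoers, shadow, cron), so such a rule is equivalent to "(root) ALL".
EDITORS = {"ht", "vi", "vim", "nano", "ed", "emacs", "pico"}


def parse_sudo_l(text):
    """Turn the rule lines of `sudo -l` output into dicts; header lines are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        tags = re.findall(r"[A-Z]+(?=:)", m["tags"] or "")
        rules.append({"runas": m["runas"].strip(), "tags": tags, "cmd": m["cmd"].strip()})
    return rules


def audit(rules):
    """Return (kind, command, reason) for every rule a reviewer should question."""
    findings = []
    for r in rules:
        cmd = r["cmd"]
        if cmd.startswith("!"):
            # sudoers(5) warns that subtracting commands with '!' is not an effective
            # control: the entry grants nothing here and stops no other route to root.
            findings.append(("negation", cmd,
                             "negated entry grants nothing and does not block the other rules"))
            continue
        if cmd == "ALL":
            findings.append(("full-root", cmd, f"unrestricted commands as {r['runas']}"))
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in EDITORS:
            how = "without a password" if "NOPASSWD" in r["tags"] else "with the user's password"
            findings.append(("root-equivalent", cmd,
                             f"{binary} runs as {r['runas']} {how} and can write any file, "
                             "sudoers included"))
    return findings


if __name__ == "__main__":
    for kind, cmd, reason in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{kind}] {cmd}: {reason}")
```

The fix on the defending side is the rule itself, not the editor: grant a specific, non-interactive command (or wrap the task in a script owned by root) and check the file with `visudo -c` after every change.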