Thursday 23 June 2016

VulnOS v1 challenge

Hello all,
I would like to present the first challenge from the VulnOS series.
Our goal is to get root and find all the vulnerabilities inside the OS! The target is an Ubuntu Server 10.04 LTS.

Scanning phase (without aggressive mode):

An atypical situation: a lot of ports are open. Before deep penetration testing I prefer to start with quick checks, such as MySQL default accounts, NFS exports, etc.

I tried logging in to the MySQL server with default credentials such as root:root, root:toor, root:password and root:mysql, unfortunately without success.
I examined NFS as well, and I don't have good news...

Hmmm, OK, so let's try playing with OpenSSH. I did a lot of research and found an exploit dedicated to OpenSSH <= 5.3, but it doesn't work. Keep in mind that Ubuntu backports security fixes without bumping the package version, so the 5.3 banner alone does not prove that a given bug is still present.

OK, now it is time for web browsing.
The default web page looks as below:

The source code does not contain any juicy information either. Clicking on the link, we are forwarded to

Hmmm, also nothing interesting. We should remember that port 80 is not the only open HTTP port.
Let's run DirBuster:

The target uses Apache 2.2.14, for which there is a public exploit (CVE-2010-0425), and Metasploit has an auxiliary module dedicated to that version. Note, however, that CVE-2010-0425 is a bug in mod_isapi, which exists only in Apache builds for Windows, so it does not apply to this Ubuntu host anyway. Besides, we want to use Metasploit only when there is no other way.
DirBuster found that the web application also has a phpMyAdmin panel. So let's try to log in with the default credentials mentioned at the beginning of this post. BINGO!

We are logged in as root! That's very good for us. I tried to load /etc/shadow with LOAD DATA INFILE, without success, in contrast to /etc/passwd (not enough privileges: the file is read by the mysqld process user, typically mysql, which can read the world-readable /etc/passwd but not /etc/shadow, owned by root:shadow with mode 0640).

Great! We have the full list of system users. I also tried, without success, to create a phpinfo file with a SELECT ... INTO OUTFILE statement; that only works in directories the mysqld user can write to, and the web root is not one of them by default.
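A small triage script for the /etc/passwd content obtained this way, added here as an example (it is not code from the original write-up): it parses the file, keeps the accounts that can actually log in, and intersects them with the usernames seen in another credential store, the same comparison made later between the mysql.user table and /etc/passwd. The file content and the MySQL user list below are constructed samples, not the real ones from the box.

```python
"""
Triage of an /etc/passwd file pulled through a database file read
(for example MySQL LOAD DATA INFILE via phpMyAdmin).  Added example, not
part of the original write-up; the sample data below is constructed.
"""
from dataclasses import dataclass

# Shells that do not give an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    has_inline_hash: bool  # password field holds a hash instead of 'x', '*' or '!'


def parse_passwd(text):
    """Parse passwd(5) lines into Account records; reject malformed lines."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), home, shell,
                                pw not in ("x", "*", "!", "")))
    return accounts


def interactive_accounts(accounts):
    """Accounts worth trying passwords against: a real login shell, and
    either root or a regular user (uid >= 1000 on Debian/Ubuntu)."""
    return [a for a in accounts
            if a.shell not in NOLOGIN_SHELLS and (a.uid == 0 or a.uid >= 1000)]


def shared_names(accounts, other_names):
    """Usernames that also appear in another credential store (e.g. the
    mysql.user table): the first candidates for password reuse."""
    return sorted({a.name for a in accounts} & set(other_names))


# Constructed sample; UIDs, homes and the list of MySQL users are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
vulnsadmin:x:1000:1000:vulnsadmin,,,:/home/vulnsadmin:/bin/bash
hackme:x:1001:1001::/home/hackme:/bin/bash
"""
SAMPLE_MYSQL_USERS = ["root", "drupal6", "hackme"]

if __name__ == "__main__":
    accts = parse_passwd(SAMPLE_PASSWD)
    for a in interactive_accounts(accts):
        print(f"{a.name:12} uid={a.uid:<5} shell={a.shell}")
    print("names reused across stores:", shared_names(accts, SAMPLE_MYSQL_USERS))
```

Accounts that carry a hash directly in the password field (has_inline_hash) are rare on a modern system but worth flagging, because such a hash can be cracked without ever reading /etc/shadow.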
OK, let's check what we can retrieve from the databases.
In the Drupal6 database we can find:

Good! But we have to crack these hashes.
In the mysql database we can find the following credentials:

Very, very good, because some of these usernames are the same as in the /etc/passwd file.
I cracked several passwords; for example, the password for drupal6 is drupal6.
So, let's focus on Drupal.

Nice! I have logged in with the drupal6:drupal6 credentials. Now we have to find a place to upload our PHP backdoor.
In Administer I added php and phtml to the allowed upload extensions.
I created a post and attached our PHP backdoor. Clicking on it...

Excellent! We have obtained a limited shell! I examined the OS of the target: it is Ubuntu 10.04. Unfortunately, none of the exploits work.
I spent a lot of time looking for some "secret" file, and:
cat /etc/nagios3/htpasswd.users
nagiosadmin:8A86JOBWoCwnk
Hmm, this may be helpful. Let's try John the Ripper to crack this password:
Loaded 1 password hash (Traditional DES [128/128 BS AVX-16])
canuhack         (nagiosadmin)
Great! But unfortunately there is no nagiosadmin user on the system. Let's add this password to our dictionary. In /etc/passwd there is a user named hackme, so maybe some user has a password like canuhackme?
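Two helpers for the two steps above, added here as an example (not code from the original write-up): first, classify the hash in an htpasswd entry so that the right John the Ripper format is chosen (the 13-character traditional DES hash shown above is John's descrypt format); second, grow a wordlist from a cracked password and the local usernames, which is how the cracked "canuhack" and the user "hackme" lead to the candidate "canuhackme". The username list and the year suffix are constructed inputs.

```python
"""
Added example (not code from the original write-up): htpasswd hash
classification plus a small wordlist mutator.  The usernames and the year
list below are constructed inputs.
"""
import re


def htpasswd_hash_type(entry):
    """Return (user, hash_kind) for one 'user:hash' htpasswd line."""
    user, _, h = entry.strip().partition(":")
    if not user or not h:
        raise ValueError("malformed htpasswd entry")
    if h.startswith("$apr1$"):
        return user, "apr1-md5"          # Apache's MD5 variant
    if h.startswith("{SHA}"):
        return user, "sha1-base64"       # unsalted SHA-1, base64
    if re.fullmatch(r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}", h):
        return user, "bcrypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return user, "descrypt"          # traditional DES: 2-char salt + 11 chars
    return user, "unknown"


def overlap_merge(a, b):
    """Join a and b on the longest suffix of a that is also a prefix of b:
    overlap_merge('canuhack', 'hackme') -> 'canuhackme'.  Falls back to
    plain concatenation when there is no overlap."""
    for k in range(min(len(a), len(b)), 0, -1):
        if a.endswith(b[:k]):
            return a + b[k:]
    return a + b


def mutate(seeds, usernames, years=("2016",)):
    """Candidate passwords derived from cracked seeds and local usernames:
    case variants, common suffixes, seed+user, user+seed and overlap merges."""
    out = set()
    for s in seeds:
        out.update({s, s.capitalize(), s.upper(), s + "1", s + "123", s + "!"})
        out.update(s + y for y in years)
        for u in usernames:
            out.add(s + u)
            out.add(u + s)
            out.add(overlap_merge(s, u))
            out.add(overlap_merge(u, s))
    return sorted(out)


if __name__ == "__main__":
    user, kind = htpasswd_hash_type("nagiosadmin:8A86JOBWoCwnk")
    print(f"{user}: {kind}")   # -> choose: john --format=descrypt hashes.txt
    # usernames below are constructed; on the box they come from /etc/passwd
    for cand in mutate(["canuhack"], ["hackme", "vulnsadmin"]):
        print(cand)
```

Write the printed candidates to a file and feed it to john with --wordlist and the format reported by the classifier, or use it directly as the password list for login attempts against the interactive accounts from /etc/passwd.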

Excellent! So we should be able to log in as vulnsadmin:

and I moved to the root directory:

Game over!