Monday, 11 July 2016

Kevgir 1 challenge


Kevgir was designed by the canyoupwnme team for training, hacking practice and exploitation. Kevgir has lots of vulnerable services and web applications for testing. We are happy to announce it.

Scanning all ports in aggressive mode gives us the following result:
root@kali:/var/www/html# nmap -p- -A -sV

25/tcp    open  ftp         vsftpd 3.0.2
|_smtp-commands: SMTP: EHLO 530 Please login with USER and PASS.
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Kevgir VM
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      44879/tcp  mountd
|   100005  1,2,3      59451/udp  mountd
|   100021  1,3,4      44714/tcp  nlockmgr
|   100021  1,3,4      58080/udp  nlockmgr
|   100024  1          33372/udp  status
|   100024  1          38214/tcp  status
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
1322/tcp  open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 17:32:b4:85:06:20:b6:90:5b:75:1c:6e:fe:0f:f8:e2 (DSA)
|   2048 53:49:03:32:86:0b:15:b8:a5:f1:2b:8e:75:1b:5a:06 (RSA)
|_  256 3b:03:cd:29:7b:5e:9f:3b:62:79:ed:dc:82:c7:48:8a (ECDSA)
2049/tcp  open  nfs_acl     2-3 (RPC #100227)
6379/tcp  open  redis       Redis key-value store
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
8081/tcp  open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Joomla! 1.5 - Open Source Content Management
| http-robots.txt: 14 disallowed entries
| /administrator/ /cache/ /components/ /images/
| /includes/ /installation/ /language/ /libraries/ /media/
|_/modules/ /plugins/ /templates/ /tmp/ /xmlrpc/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to the Frontpage
9000/tcp  open  http        Jetty winstone-2.9
| http-robots.txt: 1 disallowed entry
|_http-server-header: Jetty(winstone-2.9)
|_http-title: Dashboard [Jenkins]
36574/tcp open  mountd      1-3 (RPC #100005)
38214/tcp open  status      1 (RPC #100024)
40719/tcp open  unknown
43973/tcp open  ssh         Apache Mina sshd 0.8.0 (protocol 2.0)
44714/tcp open  nlockmgr    1-4 (RPC #100021)
44879/tcp open  mountd      1-3 (RPC #100005)
50921/tcp open  mountd      1-3 (RPC #100005)


Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: CANYOUPWNME, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   Computer name: canyoupwnme
|   NetBIOS computer name: CANYOUPWNME
|   Domain name:
|   FQDN: canyoupwnme
|_  System time: 2016-07-11T15:06:20+03:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
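Before poking at the individual services, it is worth turning a scan like the one above into a findings list. The following is an added example (not from the original post): it parses nmap's normal output format, groups NSE script lines under their port (or under the host script block), and applies a few triage rules matching what this scan exposed (risky HTTP methods on Tomcat, Redis reachable, an end-of-life Joomla, SMB signing disabled). The sample input is constructed from a handful of lines in the shape of the scan above, and the rule texts are this example's own remediation hints.

```python
import re

# Constructed sample in the shape of the nmap -A output above (not a live scan).
SAMPLE_NMAP = """\
6379/tcp  open  redis       Redis key-value store
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
8081/tcp  open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Joomla! 1.5 - Open Source Content Management
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Group NSE script lines under the port (or 'host') they belong to."""
    entries, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, service, version = m.groups()
            current = {"port": int(port), "service": service,
                       "version": version.strip(), "scripts": []}
            entries.append(current)
        elif line.startswith("Host script results"):
            current = {"port": "host", "service": "", "version": "", "scripts": []}
            entries.append(current)
        elif line.startswith("|") and current is not None:
            # Strip nmap's "| " / "|_ " prefixes so rules can match the payload text.
            current["scripts"].append(line.lstrip("|_ ").strip())
    return entries

# Each rule: (predicate over one parsed entry, finding text). Rule texts are this example's own.
RULES = [
    (lambda e: any("Potentially risky methods" in s for s in e["scripts"]),
     "HTTP PUT/DELETE enabled: verify the servlet rejects unauthenticated writes"),
    (lambda e: e["service"] == "redis",
     "Redis reachable from the network: confirm 'requirepass' and a non-public bind"),
    (lambda e: any("Joomla! 1.5" in s for s in e["scripts"]),
     "Joomla 1.5 is end-of-life: upgrade and restrict access to /administrator/"),
    (lambda e: any("message_signing: disabled" in s for s in e["scripts"]),
     "SMB signing disabled: set 'server signing = mandatory' in smb.conf"),
]

def triage(text):
    """Return [(port, finding)] for every rule an entry trips, in scan order."""
    return [(e["port"], msg) for e in parse_nmap(text)
            for pred, msg in RULES if pred(e)]

if __name__ == "__main__":
    for port, msg in triage(SAMPLE_NMAP):
        print(f"{port}: {msg}")
```

Feed it the full scan (`triage(open("scan.txt").read())`) and extend RULES with whatever your environment considers reportable.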

I examined TCP port 111, which serves NFS.
root@kali:/var/www/html# showmount -e
Export list for
/backup *
But I could not mount this directory to a local path. So let's try playing with the web applications. The default web page on port 80 looks as follows:

Nice graph. Our target hosts several web applications, so it is not wise to enumerate each of them. From the nmap result we can see that the HTTP service on 8081 has a robots.txt, and among its disallowed entries is /administrator/.

Excellent! Joomla CMS! In the page source we can find that this is version 1.5. We know that this version has a widely known exploit.
Example:
1. Go to url :
2. Write the character ' into the "token" field and click OK.
3. Write a new password for admin.
4. Go to url :
5. Log in as admin with the new password.
OK, I did steps 1, 2 and 3.

Great! So let's log in as admin. After that, we have to click on Extensions and edit one of them. Executing it, we get a limited shell!

Great! Let's look at the config file.

Excellent! We found valid credentials and some secrets.
I have examined the target OS version: it is Ubuntu 14.04.3, so we know an effective exploit dedicated to it.

Game over!

Second way to compromise our target
So, I decided to try harder with the web application hosted on port 80. I ran Dirb and got the following result:
---- Scanning URL: ----
+ (CODE:403|SIZE:289)
+ (CODE:200|SIZE:236)
==> DIRECTORY:
==> DIRECTORY:
+ (CODE:403|SIZE:294)
---- Entering directory: ----
We can see that there is a /phpmyadmin/ directory. I tried default credentials to log in and BINGO! root:toor are valid credentials.
Unfortunately, we don't have enough privileges to upload a PHP backdoor via phpMyAdmin, and we cannot read /etc/shadow using MySQL either.