Vulnhub’s DC-9 box

mrZud0k0rn
8 min read · Dec 17, 2020

First let’s scan where our target resides on our network by issuing an arp-scan command.

┌──(root💀kali)-[~/Desktop/VulnHub/DC9]
└─# arp-scan 192.168.1.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d7:d3:5f, IPv4: 192.168.1.14
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.13 00:0c:29:be:a0:e7 VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.035 seconds (125.80 hosts/sec). 6 responded

Let’s do a quick full port scan on our target using nmap:

nmap -p- -oA nmap/portScan 192.168.1.13

After we get the open ports on our target, let’s do a more detailed scan using an nmap version scan with default scripts:

nmap -sC -sV -oA nmap/detailedScan 192.168.1.13

It seems that only port 80 is available, and port 22 is in the filtered state. Let’s enumerate port 80 first.

Let’s use AutoRecon to automate our initial enumeration.

AutoRecon will write all report output to a folder; you just need to read it thoroughly and take note of interesting findings.

So far, we got the following information using the tool:

  1. Directories and PHP files
  2. Apache httpd version
  3. Target is running on a Debian Server

Let’s try to visit port 80 (manually):

One good habit when enumerating port 80 is to proxy the traffic through Burp with intercept turned off while wandering through the application.

We got an Excessive Information Dump on ‘Display on Records’ page.

And, as you can see below…

We got an interesting search box, let’s take note of that and continue to navigate through.

And we got a login page (can we bypass it?).

After we have thoroughly checked the application, let’s run the ZAP tool to scan the web application target. Since we didn’t really get a useful output from nikto via AutoRecon, this will be a great backup or validator of your nikto results.

ZAP has 9 findings, and the most interesting one is the SQL injection vulnerability on the search page.

Let’s use SQLMAP to speed things up a little (I highly recommend that you also have an idea of how to manually perform SQLi on your targets), but first let’s intercept our request using Burp, then save it and load it via SQLMAP.

  1. Intercept the login and save it as ‘loginrequest’
  2. Do the same on the search box and save it as ‘searchrequest’

Let’s now use SQLMAP.

So, now we know that the DB is MySQL and the vulnerable page is the search part. Let’s further exploit the search part and see what we can do against it.

Let’s list the databases using SQLMAP:

sqlmap -r searchrequest --dbms=mysql --dbs

We have 3 DBs identified: users, Staff and information_schema. Now let’s figure out the tables inside the interesting DBs.

sqlmap -r searchrequest --dbms=mysql -D "users" --tables

We have a UserDetails table inside the users DB; now let’s dump the data inside that table.

sqlmap -r searchrequest --dbms=mysql -D "users" -T "UserDetails" --dump

It seems that we got credentials we can use along the way; don’t forget to take note of these creds.

Let’s do the same on the “Staff” DB.

sqlmap -r searchrequest --dbms=mysql -D "Staff" --tables

So, inside the “Staff” DB, we can find 2 interesting tables, StaffDetails and Users. Dump the data of both tables.

sqlmap -r searchrequest --dbms=mysql -D "Staff" -T "StaffDetails" --dump
sqlmap -r searchrequest --dbms=mysql -D "Staff" -T "Users" --dump

And we got admin credentials. We can try to use them either on the application login screen or via ssh.

Let’s crack the admin password hash using crackstation.net.

Let’s try to login…

Logging in as admin:transorbital1 via ssh

ssh admin@192.168.1.13

We are not allowed to ssh on port 22; checking our nmap scan again, we see it is in the “filtered” state.

Let’s try to log in to the web application.

So, we can only do so much as admin. Adding a record seems not to be vulnerable, which leaves us with this ‘odd’ manage page that says ‘File does not exist’. It seems to me that we can try a Local File Inclusion (LFI) attack.

Set up Burp again and send the request to Intruder.

We start the LFI test with the basic “?file=” parameter, followed by our payload to try to include the /etc/passwd file.

Run the Intruder attack.

We can see that the response length changed after the 4th attempt. Checking the said request, we notice that our LFI attack succeeded.

Okay, from here, I spent a lot of time enumerating my next move. Further research on the filtered state of port 22 told us that some kind of firewall rule was applied to it, and since we really don’t have a firewall between our VMs, perhaps port 22 is hidden by a port knock rule. To check this, there must be some kind of “knockd.conf” config file inside the /etc folder. We use the LFI vulnerability to read it.

As we can see, we need to knock 3 ports, 7469, 8475 and 9842, first to open port 22.
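To see what a knockd.conf actually encodes, and how a defender could replay firewall SYN logs against it to spot which sources have learned the sequence, here is an added example (not code from the write-up). The config text is constructed around the three ports found above using knockd’s real key names; the event list is a constructed log, and the matcher is a simplified model of how knockd tracks a knock.

```python
"""Parse a knockd.conf and replay SYN events against its rules.
Added example, not from the write-up; the config below is constructed
around the three ports the post found, using knockd's real key names."""
import configparser
from collections import defaultdict

KNOCKD_CONF = """\
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_knockd(text):
    """Return {rule_name: (port_sequence, command)} for every knock rule."""
    # Bare flags (UseSyslog) need allow_no_value; %IP% needs interpolation=None.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    rules = {}
    for name in cp.sections():
        if name != "options":
            # Entries may carry a protocol suffix (7000:udp); keep only the port.
            seq = tuple(int(p.split(":")[0]) for p in cp[name]["sequence"].split(","))
            rules[name] = (seq, cp[name]["command"])
    return rules


def completed_knocks(rules, events):
    """Replay (src_ip, dport) SYN events through a simplified knockd matcher:
    the expected port advances a per-source stage, any other port resets it,
    and the final stage fires the rule. Returns [(src_ip, rule_name)]."""
    stage = defaultdict(lambda: defaultdict(int))
    fired = []
    for src, dport in events:
        for name, (seq, _cmd) in rules.items():
            if dport != seq[stage[src][name]]:
                stage[src][name] = 0
                continue
            stage[src][name] += 1
            if stage[src][name] == len(seq):
                fired.append((src, name))
                stage[src][name] = 0
    return fired


# Constructed firewall log: .14 knocks in order, .99 hits the same ports out of order.
EVENTS = [("192.168.1.14", 7469), ("192.168.1.14", 8475), ("192.168.1.14", 9842),
          ("192.168.1.99", 8475), ("192.168.1.99", 7469), ("192.168.1.99", 9842)]
```

Note that the sequence is a fixed secret in a world-readable-by-LFI file, which is exactly why the takeaways below say not to rely on port knocking alone.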

From here, we can’t use our admin credentials anymore, since the ‘admin’ username is not included in the /etc/passwd file.

We can try the credentials we dumped earlier, and to speed up the process we will use hydra.

Hydra provided 3 possible credentials we can use on port 22 via ssh. Log in using the credentials provided by hydra.

ssh chandlerb@192.168.1.13
ssh joeyt@192.168.1.13
ssh janitor@192.168.1.13

After enumerating each user, we found that the ‘janitor’ user has an unusual and interesting ‘folder’ in its home directory. Following these tracks, we found another file that contains notes of ‘passwords’ that were found on post-its.

Let’s create another password file and run hydra again using the new password file.

So now we have a new credential found; let’s try to log in again via ssh.

As we can see, user fred is in the sudoers file and allowed to run the /opt/devstuff/dist/test/test file as root.

Let’s spend some more time figuring out what this file actually does.

After playing with it for a while, we figured out that the Python file actually needs 2 input files: the 1st is read and its content is inserted into the 2nd, and the 2nd is our base file, which gets the content of the 1st appended to it.

This is a great opportunity to insert a user with root privileges into the /etc/passwd file.

We created a user named backdoor with the password ‘password’ and then inserted (appended) it to the /etc/passwd file using the sudo test.

Then we switch to that user and get our prize.

And we got root!
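The appended line is exactly the kind of entry a host-integrity check should catch. Here is an added example (not from the original post) that audits /etc/passwd for a second UID-0 account, a hash stored directly in the passwd field instead of in /etc/shadow, an empty password field, duplicate names and malformed lines; the sample file and the placeholder hash in the backdoor line are constructed.

```python
"""Audit /etc/passwd for the kind of entry the write-up appends as root.
Added example, not from the original post. The sample file is constructed;
the hash in the backdoor line is a placeholder, not a real crypt string."""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fred:x:1008:1008:,,,:/home/fred:/bin/bash
janitor:x:1012:1012:,,,:/home/janitor:/bin/bash
backdoor:$6$CONSTRUCTED$NOTAREALHASH:0:0::/root:/bin/bash
"""

# Values that legitimately appear in the password field when shadow is in use.
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd(text):
    """Return a list of (account, reason) findings.

    Flags an extra UID-0 account, a hash stored directly in /etc/passwd
    (bypasses /etc/shadow), an empty password field, duplicate names and
    malformed lines, which is what a botched append usually produces.
    """
    findings, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed line, expected 7 fields"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in seen:
            findings.append((name, "duplicate account name"))
        seen.add(name)
        if not uid.isdigit():
            findings.append((name, "non-numeric uid"))
        elif int(uid) == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in SHADOWED:
            findings.append((name, "password hash stored in /etc/passwd"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
```

On a real host, feed it the contents of /etc/passwd and alert on any finding; pairing it with a file-integrity monitor on /etc/passwd and on sudo-able scripts under /opt gives you the change itself as well as its result.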

Takeaways

  1. Be mindful of the state of the ports in your scan.
  2. A filtered port means that it is ‘firewalled’ or protected by some mechanism like port knocking.
  3. Port knocking is a good idea for securing your ports, but once an attacker figures out the situation or the combination, it can be easily defeated. Do not rely on port knocking as your primary security.
  4. Add the /etc/knockd.conf file to your checklist of must-look files.
  5. Do not become lazy on enumeration (note to myself); we actually had to enumerate 4 accounts before we could escalate our privileges.
