
Pentest attempt @ Stapler:1

Machine information @ VulnHub: https://www.vulnhub.com/entry/stapler-1,150/

Intelligence Gathering

root@kali:~# nmap -sn 192.168.56.1/24
Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-12 15:07 +08
Nmap scan report for 192.168.56.100
Host is up (0.00026s latency).
MAC Address: 08:00:27:78:A3:3C (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up (-0.11s latency).
MAC Address: 08:00:27:42:9B:00 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.103
Host is up (-0.11s latency).
MAC Address: 08:00:27:A1:F2:68 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 5.14 seconds

Identifying live IP addresses via netdiscover:

Currently scanning: Finished!   |   Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
----------------------------------------------------------------------------
 192.168.56.100  08:00:27:78:a3:3c      1      60  PCS Systemtechnik GmbH
 192.168.56.101  08:00:27:42:9b:00      1      60  PCS Systemtechnik GmbH
 192.168.56.103  08:00:27:a1:f2:68      1      60  PCS Systemtechnik GmbH

Port Scanning (Vulnerability Analysis)

I ran a -sS (SYN scan) against the vulnerable machine, which yielded the results below. Note that nmap scans the 1,000 most common ports for each protocol (out of 65,536); the official Nmap site states that this "... finds roughly 93% of the open TCP ports and more than 95% of the open UDP ports."

root@kali:~# nmap -sS 192.168.56.103
Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-12 15:03 +08
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.103
Host is up (0.00050s latency).
Not shown: 992 filtered ports

PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
139/tcp  open   netbios-ssn
666/tcp  open   doom
3306/tcp open   mysql

MAC Address: 08:00:27:A1:F2:68 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 17.38 seconds

Then I ran an nmap scan on all 65,535 ports with OS detection, version detection, script scanning and traceroute (-A) at timing template -T4, the aggressive speed, which assumes you are on a reasonably fast and reliable network.

root@kali:~# nmap -T4 -A -p- 192.168.56.103
Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-12 12:25 +08
Nmap scan report for 192.168.56.103
Host is up (0.00060s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.102
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (EdDSA)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        PHP cli server 5.5 or later
|_http-title: 404 Not Found

123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   doom?

| fingerprint-strings: 
|   NULL: 
....
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 7
|   Capabilities flags: 63487
|   Some Capabilities: LongColumnFlag, InteractiveClient, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, Support41Auth, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSigpipes, FoundRows, LongPassword, Speaks41ProtocolNew, SupportsCompression, ODBCClient, SupportsLoadDataLocal, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: t_L\x16Cd\x06t\x0E\x1EJT	yni\x02PS\x07
|_  Auth Plugin Name: 88
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
....
MAC Address: 08:00:27:A1:F2:68 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
...
Host script results:
|_clock-skew: mean: 10h00m48s, deviation: 0s, median: 10h00m48s
|_nbstat: NetBIOS name: RED, NetBIOS user: (unknown), NetBIOS MAC: (unknown)(unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2018-06-12T15:37:21+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: ERROR: Script execution failed (use -d to debug)

TRACEROUTE
HOP RTT ADDRESS
1 0.60 ms 192.168.56.103
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 665.77 seconds


It is always worth scanning all ports. In this case we found another service, on port 12380, to play with!

Vulnerability Analysis

  • FTP (21)
    The -A scan we ran above includes nmap's default script set, which covers the ftp-anon script. Anonymous FTP login is allowed!
root@kali:~# ftp 192.168.1.147
Connected to 192.168.1.147.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220 
Name (192.168.1.147:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (1.1214 MB/s)

The note reads "Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John."

  • netbios-ssn (139) - SAMBAAA
root@kali:~# smbclient -L \\RED -I 192.168.1.147 -N
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	kathy           Disk      Fred, What are we doing here?
	tmp             Disk      All temporary files should be stored here
	IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            RED

We've got the share names, and the shares let us get and put files. I downloaded the ls file from tmp; it contains:

root@kali:~# cat ls
.:
total 12.0K
drwxrwxrwt  2 root root 4.0K Jun  5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun  3 22:06 ..
-rw-r--r--  1 root root    0 Jun  5 16:32 ls
drwx------  3 root root 4.0K Jun  5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ

And in kathy, I downloaded what I could get:

root@kali:~# smbclient //RED/kathy -I 192.168.1.147 -N
WARNING: The "syslog" option is deprecated
OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Sat Jun  4 00:52:52 2016
  ..                                  D        0  Tue Jun  7 05:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 23:02:27 2016
  backup                              D        0  Sun Jun  5 23:04:14 2016

		19478204 blocks of size 1024. 16395856 blocks available
smb: \> cd kathy_stuff\
smb: \kathy_stuff\> ls
  .                                   D        0  Sun Jun  5 23:02:27 2016
  ..                                  D        0  Sat Jun  4 00:52:52 2016
  todo-list.txt                       N       64  Sun Jun  5 23:02:27 2016

		19478204 blocks of size 1024. 16395856 blocks available
smb: \kathy_stuff\> get todo-list.txt 
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (20.8 KiloBytes/sec) (average 20.8 KiloBytes/sec)
smb: \kathy_stuff\> cd ..
smb: \> cd backup\
smb: \backup\> ls
  .                                   D        0  Sun Jun  5 23:04:14 2016
  ..                                  D        0  Sat Jun  4 00:52:52 2016
  vsftpd.conf                         N     5961  Sun Jun  5 23:03:45 2016
  wordpress-4.tar.gz                  N  6321767  Tue Apr 28 01:14:46 2015

		19478204 blocks of size 1024. 16395856 blocks available
smb: \backup\> get vsftpd.conf 
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (831.6 KiloBytes/sec) (average 588.4 KiloBytes/sec)
smb: \backup\> get wordpress-4.tar.gz 
getting file \backup\wordpress-4.tar.gz of size 6321767 as wordpress-4.tar.gz (12942.6 KiloBytes/sec) (average 12688.9 KiloBytes/sec)
smb: \backup\> 

todo-list.txt says "I'm making sure to backup anything important for Initech, Kathy"

Then we have a backup of /etc/vsftpd.conf. I kept only the part I think has some value for our test; the rest of the file is mostly comments anyway.

# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

For wordpress-4.tar.gz, I extracted it and served it on a local web server. It looks like a clean source installation of WordPress to me :/
[Screenshot: the extracted WordPress source served locally]

  • Unknown doom (666)
    Connecting to the service directly with nc/telnet hinted that it serves an image file.
root@kali:~# nc 192.168.1.147 666 > test.jpg
root@kali:~# exiftool test.jpg 
ExifTool Version Number         : 11.00
File Name                       : test.jpg
Directory                       : .
File Size                       : 11 kB
File Modification Date/Time     : 2018:06:16 22:26:14+08:00
File Access Date/Time           : 2018:06:16 22:26:18+08:00
File Inode Change Date/Time     : 2018:06:16 22:26:14+08:00
File Permissions                : rw-r--r--
File Type                       : ZIP
File Type Extension             : zip
MIME Type                       : application/zip
Zip Required Version            : 20
Zip Bit Flag                    : 0x0002
Zip Compression                 : Deflated
Zip Modify Date                 : 2016:06:03 16:03:08
Zip CRC                         : 0x8115df70
Zip Compressed Size             : 11434
Zip Uncompressed Size           : 12821
Zip File Name                   : message2.jpg
root@kali:~# unzip test.jpg
Archive:  test.jpg
  inflating: message2.jpg  

The image is another hint that gives nothing away... where is this going to lead us?
[Screenshot: message2.jpg]

  • HTTP (80, 12380)
    Running nikto and dirb against port 80 turned up a downloadable .bashrc and .profile.
    I didn't want to spend too long on one port when the automated scanners could barely pick up anything, so I moved on to port 12380.
root@kali:~# nikto -h 192.168.1.147:12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.147
+ Target Hostname:    192.168.1.147
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2018-06-16 22:38:11 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.1.147' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2018-06-17 09:30:05 (GMT8) (39114 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
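As an added check (not part of the original write-up), the missing-header and uncommon-header findings nikto reported against port 12380, expressed as a reusable function, alongside a hardened version of the same response. The sample response dictionary is constructed to resemble what the scan above saw.

```python
# Response-header review for the port-12380 findings, as an added check.
# Header names are matched case-insensitively, as HTTP requires.
MISSING_CHECKS = {
    "x-frame-options": "anti-clickjacking X-Frame-Options header is not present",
    "x-content-type-options": "X-Content-Type-Options header is not set",
    "x-xss-protection": "X-XSS-Protection header is not defined",
}
# Headers a stock Apache/PHP response is expected to carry; anything outside
# this set is reported as uncommon, which is how 'dave' and 'x-ob_mode' showed up.
COMMON_HEADERS = {
    "date", "server", "last-modified", "etag", "accept-ranges", "content-length",
    "vary", "content-type", "connection", "keep-alive", "content-encoding",
    "strict-transport-security", "cache-control", "set-cookie", "expires", "pragma",
    "transfer-encoding", "x-powered-by", "location",
} | set(MISSING_CHECKS)

def audit_headers(headers: dict, over_tls: bool) -> list:
    """Return nikto-style findings for one response's headers."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings = [text for name, text in MISSING_CHECKS.items() if name not in lower]
    if over_tls and "strict-transport-security" not in lower:
        findings.append("site uses SSL and Strict-Transport-Security is not defined")
    for name in sorted(lower):
        if name not in COMMON_HEADERS:
            findings.append(f"uncommon header '{name}' found, with contents: {lower[name]}")
    return findings

def hardened(headers: dict) -> dict:
    """Same response with the stray header dropped and protective headers added.
    X-XSS-Protection is left out on purpose: current browsers no longer honour it."""
    fixed = {k: v for k, v in headers.items() if k.lower() in COMMON_HEADERS}
    fixed.update({
        "X-Frame-Options": "SAMEORIGIN",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000",
    })
    return fixed

# Constructed sample resembling the port-12380 response described above.
SAMPLE_RESPONSE = {
    "Date": "Sat, 16 Jun 2018 14:38:11 GMT",
    "Server": "Apache/2.4.18 (Ubuntu)",
    "ETag": '"15-5347c53a972d1"',
    "dave": "Soemthing doesn't look right here",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE, over_tls=True):
        print("+", finding)
    print(audit_headers(hardened(SAMPLE_RESPONSE), over_tls=True))
```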

Web Application Testing

The HTML source of the home page gave us another internal-communication hint that leads nowhere obvious.

A message from the head of our HR department, Zoe, if you are looking at this, we want to hire you! -->
...style="background-image: url('data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAICAgMCAwQCAgQFBAMEBQYFBQUF...

I tried converting the base64 string to an image, hoping it would yield another image, but it turned out to be the background image of the index page.
[Screenshot: the decoded background image]
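An added example (mine, not the author's) covering two passages: the port-666 download that exiftool identified as a ZIP despite its .jpg name, and the base64 data: URI above. It classifies a blob by its magic bytes rather than its name, lists ZIP members, and decodes the data URI; the ZIP sample is constructed, and the data: URI prefix is the one quoted from the page source.

```python
import base64
import io
import zipfile

# Magic-byte signatures for the two formats in play on this box: the port-666
# download was named .jpg but began with the ZIP signature, and the page's
# data: URI decodes to genuine JPEG bytes.
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
}

def sniff_type(data: bytes) -> str:
    """Classify by leading bytes, ignoring the file's extension."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def zip_members(data: bytes) -> list:
    """(name, uncompressed size) for each entry of an in-memory ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, i.file_size) for i in zf.infolist()]

def inspect_download(data: bytes) -> dict:
    """What exiftool plus unzip told the author, in one call."""
    kind = sniff_type(data)
    return {"type": kind, "members": zip_members(data) if kind == "zip" else []}

def decode_data_uri(uri: str) -> tuple:
    """Split a base64 data: URI into (declared MIME type, sniffed type, bytes)."""
    header, _, payload = uri.partition(",")
    if not header.startswith("data:") or not header.endswith(";base64"):
        raise ValueError("not a base64 data: URI")
    mime = header[len("data:"):-len(";base64")]
    raw = base64.b64decode(payload)
    return mime, sniff_type(raw), raw

def build_sample_download() -> bytes:
    """Constructed stand-in for the port-666 file: a ZIP wrapping a tiny fake JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message2.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_download(build_sample_download()))
    # Prefix of the page's data: URI; "/9j/" is base64 for FF D8 FF.
    print(decode_data_uri("data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/")[:2])
```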
Looking at the HTTP request and response turned up yet another internal hint that leads nowhere obvious, this time delivered in a response header named dave.
[Screenshot: HTTP response headers including the dave header]
Nikto found a few interesting directories for us, two of which came from robots.txt. I tried accessing robots.txt, /admin112233, /blogblog and /phpmyadmin over HTTP but they didn't work! They only work over HTTPS!
