
Tuesday, February 5, 2019

Shocker


SHOCKER

- Layout for this exercise:





1 - INTRODUCTION

The goal of this exercise is to develop a hacking process for the vulnerable machine Shocker, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

- Shocker's IP is 10.10.10.56:




- Scanning with Nmap:




- Scanning ports 80 and 2222 in more depth:




- Connecting with the browser:





- Dirbusting the web server we find a /cgi-bin folder:



- Dirbusting specifically /cgi-bin for the extensions .php, .txt and .sh:




- Downloading user.sh:








3 - EXPLOITATION

- The vulnerability CVE-2014-6271 (Shellshock) describes how the mod_cgi and mod_cgid modules of the Apache HTTP Server can be exploited:
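As an added example (not part of the original post), the following Python scans Apache combined-format access logs for the Shellshock trigger string that mod_cgi passes into Bash through request headers such as User-Agent and Referer. The log lines are constructed, and the regex names and the `find_shellshock_attempts` function are my own, not from the exploit or the machine.

```python
import re
from typing import Dict, List

# CVE-2014-6271: Bash evaluates a function definition that starts with "() {"
# found in any environment variable and also runs whatever follows the closing
# brace. mod_cgi/mod_cgid copy request headers into HTTP_* variables, so the
# trigger string lands verbatim in fields Apache logs (User-Agent, Referer).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Standard Apache "combined" log format (assumption: the server logs it).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not captured from the machine in the post.
SAMPLE_LOG = """\
10.10.14.22 - - [05/Feb/2019:10:01:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo vulnerable"
10.10.14.23 - - [05/Feb/2019:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.10.14.24 - - [05/Feb/2019:10:01:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "() { x;}; echo vulnerable" "curl/7.64.0"
not a log line at all
"""


def find_shellshock_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose Referer or User-Agent carries the
    Shellshock trigger. Unparseable lines are skipped, not treated as hits."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split()
        path = parts[1] if len(parts) >= 2 else m.group("req")
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": path,
                    "field": "user_agent" if field == "ua" else "referer",
                    "status": m.group("status"),
                    # A CGI target makes the attempt far more likely to succeed.
                    "cgi_target": path.startswith("/cgi-bin/"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

Alerting on the trigger string alone catches scanners as well as real exploitation; the `status` and `cgi_target` fields help triage which hits reached a script that Bash actually handled.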






- We will follow two ways to exploit the vulnerable machine Shocker:

3.1 - Python exploit

- This Python exploit provides a remote shell after setting a few parameters, as explained in its instructions:

https://www.exploit-db.com/exploits/34900







- Copying the exploit locally and giving execution permissions:






- Providing these parameters and running the exploit:

  • payload=reverse
  • RHOST=10.10.10.56
  • LHOST=10.10.14.22
  • LPORT=4321
  • pages=/cgi-bin/user.sh











3.2 - Metasploit

- There is a Metasploit module associated with this vulnerability (also known as Shellshock):





- Launching Metasploit and using this module, it is easy to get a Meterpreter session:





- Spawning a shell:





4 - CAPTURING THE 1st FLAG

- Reading user.txt:







5 - PRIVILEGE ESCALATION

- We are lucky because the current user shelly has very powerful sudo privileges:







- Now user shelly is able to run a Perl script (as root) that yields a root shell:





6 - CAPTURING THE 2nd FLAG

- Reading root.txt:








SolidState


SOLIDSTATE

- Layout for this exercise:






1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine SolidState, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu



2 - ENUMERATION

- SolidState's IP is 10.10.10.51:




- Scanning all ports with Nmap, we find 6 open ports:



- Connecting with the browser:



- Scanning those 6 open ports in more depth:




- So the James Remote Admin 2.3.2 application is running on port 4555, which is vulnerable to this exploit:


https://www.exploit-db.com/exploits/35513



- Reading its content, we discover the default credentials root:root:




3 - EXPLOITATION


- The connection to port 4555 using credentials root:root is successful:





- HELP lists available commands:



- Listing users:





- Resetting passwords:




- Now, using these new passwords, let's connect to the POP3 service running on port 110:




- Users james, thomas and mailadmin have no messages to retrieve:




- User john has an interesting message from james, in which they discuss user mindy's credentials:



- However, the most interesting task is to retrieve user mindy's two messages:








- In the second message we can read the password P@55W0rd1!2@


- Using this password to try an SSH connection as mindy:



4 - READING THE 1st FLAG

- Reading user.txt:




5 - PRIVILEGE ESCALATION

- However, this shell is not very powerful because many essential commands are restricted:




- To start the privilege escalation process, let's copy the 35513 exploit script locally, where the payload can be modified to suit our own interest:



- Giving execution permissions:





- Setting up a Netcat listening session to match the modified payload:





- Running 35513.py against SolidState's IP:



- So, to get the payload executed, we need somebody to log in, for instance user mindy:





- As a result we get a reverse shell, which can be upgraded successfully:





- This shell allows more commands than the previous one:

 


- At this point let's look for any process being run by users such as mindy, james, ...:







- It seems that a process inside the folder /opt is being run with root privileges, and going there we discover that tmp.py is owned by root and is also world writable:




- Reading tmp.py:





- Modifying tmp.py so that a shell is spawned remotely:








- After 3 minutes a root shell is spawned:





- Checking that tmp.py is scheduled as a crontab job every 3 minutes:






6 - CAPTURING THE 2nd FLAG

- Reading root.txt: