boromir - samuel-richardson/Sam-Tech-Journal GitHub Wiki

boromir

| IP Address | Network     | Ports       |
|------------|-------------|-------------|
| 10.0.6.51  | 10.0.6.0/24 | tcp: 80, 22 |

Target Overview

Websvn 2.6.0 - Remote Code Execution (Unauthenticated)(CVE)(ExploitDB)

Explanation

WebSVN 2.6.0 and earlier passes the search parameter to the shell without sanitising it, so shell metacharacters placed in that parameter are executed as commands by the web server user. No authentication is needed to reach the affected page, so this is unauthenticated remote code execution.

Severity

Critical (CVSS 9.8)

Remediation

Update WebSVN to a patched release later than 2.6.0, ideally the latest release.
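To make the bug class concrete, the following is an added example written for this page; it is not WebSVN's code (which is PHP) and not the published exploit. A hypothetical search handler splices a user-controlled term into a shell command line (the vulnerable shape), then the same handler with metacharacters escaped, and finally the hardened form that validates against an allowlist and never involves a shell. `echo` stands in for whatever command the application really runs, and the payload is constructed for the demonstration.

```python
import re
import shlex
import subprocess

# Hypothetical search handler. 'echo' stands in for the real command the
# application runs; the point is how the user-controlled term reaches it.

def search_unsafe(term: str) -> str:
    """VULNERABLE: the term is spliced into a shell command string.
    A term like 'foo; id' makes /bin/sh run 'id' as the web server user."""
    cmd = f"echo searching for {term}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def search_quoted(term: str) -> str:
    """Mitigated: shlex.quote() escapes metacharacters, so the shell sees one
    literal argument. Correct, but still one forgotten quote away from the bug."""
    cmd = f"echo searching for {shlex.quote(term)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Allowlist for search terms (assumption for this example: letters, digits,
# space and a few path characters, at most 64 long).
SEARCH_TERM_RE = re.compile(r"[A-Za-z0-9 ._/-]{1,64}")

def search_safe(term: str) -> str:
    """HARDENED: allowlist-validate the input and pass it as its own argv
    element with shell=False, so no shell ever parses it."""
    if not SEARCH_TERM_RE.fullmatch(term):
        raise ValueError("rejected search term")
    argv = ["echo", "searching for", term]
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout

def injection_executed(output: str) -> bool:
    """True only if the injected 'echo INJECTED' actually ran (it prints its
    own line); False if the marker merely appears as literal text."""
    return "INJECTED" in output.splitlines()

def safe_rejects(term: str) -> bool:
    """True if the hardened handler refuses the term."""
    try:
        search_safe(term)
    except ValueError:
        return True
    return False

# Constructed payload: a benign search term, a metacharacter, then a second
# command, the same shape the WebSVN exploit relies on.
PAYLOAD = "foo; echo INJECTED"

if __name__ == "__main__":
    print("unsafe executed injection:", injection_executed(search_unsafe(PAYLOAD)))  # True
    print("quoted executed injection:", injection_executed(search_quoted(PAYLOAD)))  # False
    print("hardened rejected payload:", safe_rejects(PAYLOAD))                       # True
```

The quoted variant is the minimal patch a maintainer might ship; the hardened variant is what you want in review, because with `shell=False` there is no shell to inject into regardless of how the term is spelled.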

Privilege escalation via poor password practices

Explanation

An Apache htpasswd file containing the boromir user's credential hash was found. The hash uses the Apache APR1 scheme (`$apr1$`, an MD5-based construction), which is cheap to brute force, so the password was cracked quickly. The same password was reused for the boromir local account and for root.

Severity

High

Remediation

Passwords should be hashed, not encrypted, and with a slow hash: regenerate the htpasswd entries with bcrypt (`htpasswd -B`) instead of the default APR1 MD5 (`-m`). Apache users, local users and root must not share a password; give each account an independent one.

Gaining access through fw-rivendell

  • The password for elrond was found during the exploitation of fw-rivendell. {8A83DC0D-8ADE-4D54-B44C-6644255C36D2}

  • A simple cron job privilege escalation gives root on fw-rivendell.

{F77AC30F-F836-431E-AC43-F2332757DA58}

{BB28C2F0-24AE-48F4-AFF5-A6BE7617461D}

Recon

  • Looking for live hosts on the 10.0.6.0/24 network.

{EDDD287A-8E9D-4FFA-BCE0-DD76949477DC}

  • Port scan of boromir reveals tcp: 80, 22.

{46E55993-962D-49D4-8BA5-390C0572F107}

Exploitation

Gaining a foothold

  • Forwarding port 80 on boromir to local port 8888.

{B3CA64D0-C958-432C-A725-651C48F0AF47}
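The page does not say which tool did the forward; with elrond as the pivot it is commonly `ssh -L 8888:10.0.6.51:80 user@elrond`. As an added example that is not from the original page, the relay below does the same job in Python for the case where no ssh forwarding is available: it listens locally and copies bytes in both directions to the target, handling half-close correctly so HTTP responses are not cut off. The echo server is a constructed stand-in for boromir:80 so the example runs offline; host names and ports are assumptions.

```python
import socket
import threading

def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src reaches EOF, then half-close dst so the
    peer sees the same EOF (keeps request/response semantics intact)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def _handle(client: socket.socket, target) -> None:
    """One forwarded connection: dial the target, pump both directions."""
    try:
        remote = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    remote.settimeout(None)
    back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
    back.start()
    _pump(client, remote)
    back.join()
    client.close()
    remote.close()

def start_forwarder(listen_host: str, listen_port: int, target) -> int:
    """Listen on listen_host:listen_port and relay every connection to target
    (a (host, port) tuple). Returns the bound port (handy when listen_port is 0).
    In the lab this would be start_forwarder("127.0.0.1", 8888, ("10.0.6.51", 80))."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_handle, args=(conn, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def start_echo_server() -> int:
    """Constructed stand-in for boromir:80: echoes back whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def echo(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def relay_roundtrip(payload: bytes) -> bytes:
    """Send payload through the forwarder to the echo server and return what
    comes back; equal to payload when the relay works end to end."""
    target_port = start_echo_server()
    local_port = start_forwarder("127.0.0.1", 0, ("127.0.0.1", target_port))
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)          # client is done sending
        out = b""
        while True:
            data = s.recv(4096)
            if not data:
                break
            out += data
    return out

if __name__ == "__main__":
    print(relay_roundtrip(b"GET / HTTP/1.0\r\nHost: boromir\r\n\r\n"))
```

Once the forwarder is up, a browser or the exploit script pointed at `http://127.0.0.1:8888/` reaches boromir's WebSVN through the pivot exactly as the page's next steps assume.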

  • WebSVN 2.6.0 on boromir.

{975166B5-17D3-470C-ACD3-2EE813728074}

  • Exploit used to gain a reverse shell on boromir.

{72E1B4A8-A84E-4D57-9084-2200B3545051}

  • Running the exploit script.

{F05807DC-D91C-4748-A621-1A89431D7EAB}

  • Starting the nc listener on elrond and receiving the reverse shell.

{1371A7F5-550A-46DE-A989-4C793C923265}

Privilege Escalation

  • File containing the hashed password.

{4E5FC5BB-D920-431F-8FBB-0420249DB09C}

boromir:$apr1$/dPEVRIP$33jd0o1KAzXVVJaSPDwCV/
  • Cracked with hashcat (mode 1600, Apache `$apr1$` MD5). The recovered password was used by both root and boromir.

image
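To show why an `$apr1$` entry falls so quickly, here is an added example (written for this page, not the lab's or hashcat's code) that implements the Apache APR1 scheme, md5crypt with the `$apr1$` magic, parses an htpasswd line, and runs a wordlist against it. The page does not give the cracked password, so the crack runs against a constructed entry whose password is known; the found `boromir:$apr1$...` line is only parsed. The wordlist and the demo password are constructed.

```python
import hashlib
from typing import Iterable, Optional, Tuple

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: emit 6 bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)

def apr1_md5(password: str, salt: str) -> str:
    """Apache APR1 hash as produced by 'htpasswd -m': md5crypt with $apr1$.
    1000 iterations of MD5 is why this is cheap to brute force."""
    pw = password.encode()
    salt = salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                      # mix in the alternate sum, 16 bytes at a time
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                           # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # the stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"

def parse_htpasswd_line(line: str) -> Tuple[str, str, str]:
    """Return (user, salt, full_hash) from a 'user:$apr1$salt$digest' line."""
    user, hashv = line.strip().split(":", 1)
    _, scheme, salt, _digest = hashv.split("$")
    if scheme != "apr1":
        raise ValueError(f"unsupported scheme: {scheme}")
    return user, salt, hashv

def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate with the entry's own salt; return the match or None."""
    _user, salt, target = parse_htpasswd_line(line)
    for candidate in wordlist:
        if apr1_md5(candidate, salt) == target:
            return candidate
    return None

# The entry found on boromir (from the page). Its password is not given there.
FOUND_LINE = "boromir:$apr1$/dPEVRIP$33jd0o1KAzXVVJaSPDwCV/"

# Constructed entry with a known password, and a constructed wordlist.
DEMO_LINE = "boromir:" + apr1_md5("lab-pass-2024", "Xy1.abCD")
WORDLIST = ["password", "boromir", "gondor", "lab-pass-2024", "letmein"]

if __name__ == "__main__":
    print(parse_htpasswd_line(FOUND_LINE))
    print("cracked:", crack(DEMO_LINE, WORDLIST))   # lab-pass-2024
```

This pure-Python loop is slow; `hashcat -m 1600` computes exactly the same function on a GPU, which is why a reused password in an `$apr1$` entry is effectively plaintext. The fix on the defender side is `htpasswd -B` (bcrypt) plus no password sharing between the web credential, the local user and root.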

  • User flag

image

  • root flag

image