Wednesday, September 26, 2018

Milnet


MILNET: 1


- Layout for this exercise:






1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Milnet.

- Milnet can be downloaded from here:

https://www.vulnhub.com/entry/milnet-1,148/

- Once downloaded and extracted with VMware:




- Milnet shows that its IP is 192.168.1.14


2 - ENUMERATION

- Confirming that the IP is 192.168.1.14 with netdiscover:





- Scanning with Nmap:




- Scanning deeply the HTTP server:




- nitko helps to enumerate the web server, for instance we learn about the existence of the page info.php:





- Connecting to the web application:





- From info.php we learn that the directives allow_url_fopen and allow_url_include are on, what could lead to a potential RFI (Remote File Inclusion) vulnerability:








- Testing Milnet with OWASP ZAP we confirm the existence of the RFI, actually at the page content.php and the parameter route.












3 - EXPLOITATION

- The next step will be to exploit Milnet taking advantage of the RFI vulnerability  at page content.php, for instance uploading and executing remotely a reverse shell exploit like the well known php-reverse-shell, provided by Kali:




- Adapting the exploit to our needs and renaming to myshell:






- Now, with the purpose of uploading and executing myshell remotely at Milnet, let's open a connection with Burp. 

- For instance, from the three available tabs of the navigation menu let's access with Main:




- Intercepting the connection with Burp we detect the presence of the route parameter:




- Opening a web server at port 8000, so that myshell can be uploaded from Kali to Milnet:




- Setting a Netcat listening session at port 4444:




- Now, let's change the route parameter to our PHP reverse shell, and then Forward with Burp:







- myshell is successfully uploaded and executed at Milnet:






- Le'ts notice that an extension .php is added by default by the web application, so that is the reason because we renamed the exploit to just myshell (without .php), otherwise we would be uploading something like myshel.php.php

- Anyway, the consequence is a successful limited remote shell:





4 - PRIVILEGE ESCALATION

- Exploring Milnet we find the folder longman:






- Going into SDINET there are a lot of text files related with Information Security:





 - Exploring crontab we find a backup script, run (with root privileges !!) every 1 minute:




- Reading backup.sh we learn that /var/www/html is packed with tar and compressed with a .tgz format:




- However, let's notice that the tar command ends up with a suspicious wildcard *

- The command tar can used the wildcard * for differente purposes:

https://www.gnu.org/software/tar/manual/html_section/tar_49.html


- It reminds us that one the Information Security text file present at /home/langman is actually titled with wildcard * related information:




- Actually the document is public:

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt


- Reading this document we learn an interesting way to escalate privileges. Going to the tar section 4.3:







 - The document provides even an example:





- Now, let's try to replicate this example at our vulnerable machine Milnet.

- Going to /var/www/html:





- Creating these 3 files:




- The purpose of the script myexploit.sh is to change or update the root password to abcd, using the command chpasswd:




- Now, these 3 files are part of the folder /var/www/html and all of them are going to be "tar" every 1 minute, according to the crontab task:




- Waiting for 1 minute until the cron task is run, we can successfully connect to Milnet via SSH using root:abcd as credentials:




- Finally we have achieved a remote root shell.

- An alternative myexploit.sh script would be to assign sudoers privileges with no password to user www-data:






- Now we can get another remote root shell in this  way:




5 - CAPTURING THE FLAG

- Reading credits.txt: