Monday, September 10, 2018

VulnOS 1


VULNOS 1


- Layout for this exercise:







1 - INTRODUCTION

- The purpose of this exercise is the study of the hacking process for the vulnerable machine VulnOS 1.

- VulnOS 1 can be downloaded from here:


https://www.vulnhub.com/entry/vulnos-1,60/


- Once VulnOS 1 downloaded and  extracted with VirtualBox:





 - In this vulnerable machine it happens that the number of potential vulnerabilities is very large, because there are many open ports and the corresponding associated services running.

 - According to the author's suggestion all the vulnerabilities should be found.

- However, in this exercise we have limited ourselves to the search of a root shell and eventually the capture of the flag, just by exploiting the mininum amount of essential vulnerabilities to achieve our goal.




2 - ENUMERATION

- Discovering the IP with netdiscover, we learn that VulnOS 1 is assigned with 192.168.1.11:







 - Scanning with Nmap the great amount of services running:






- Browsing the web:








- dirb helps to discover some of the available folders:








3 - PHPMYADMIN


- Let's go first with phpmyadmin, which default login is root plus blank password.


- However these credentials don't work in our case, probably because of the configuration:






- Using Medusa to find a valid password for username root:








- Medusa discovers root:toor, let's check whether it is correct:




- Yes, Medusa was right:





- Now, the first thing to notice is the great amount of available databases, each one with its corresponding list of usernames and password hashes. 


- Let's go with the main databases one bye one.


- dolibarr:





- drupal6:




- dvwa (interesting):





- mysql:





- nowasp:





- weberp:





 - CrackStation helps to decrypt most of the hashes:


https://crackstation.net/















- Gathering all these credentials we create two text files:

  • users.txt: containing all the usernames and logins
  • passwords.txt: containing all the decrypted passwords



4 - EXPLOITING WEBADMIN

- Now, let's focus our attention on port 10000:




- MiniServ 0.01 has got some exploits associated, for instance this Perl script that allows File Disclosure:





- Locating exploit 2017 at Kali:





- As expected, it is an executable Perl script:





- Opening the script there is an usage example line:







- Also, running the script without arguments we can learn how to use it:





- For instance let's use the script 2017.pl to read remotely /etc/sudoers available at VulnOS 1:






- Later (point 6.2 of this exercise) this Perl script will be used for achieving essential information about passwords for relevant users.


5 - EXPLOITING DVWA


DVWA is the well-known Damn Vulnerable Web Application, basically a web application that is vulnerable on purpose:


http://www.dvwa.co.uk/





- The fact that DVWA is present at VulnOS 1 is an unvaluable gift, because it provides us with a lot of potential ways for exploitating the vulnerable machine.


- As seen before the valid credentials for DVWA are admin:password:






- Some of the recently released versions of DVWA are 1.9, 1.0.8, 1.0.7, etc ...

- Trying all of them, finally we have access to the DVWA web server:









- Let's notice that the default Security Level is set to high:





- Levering down to low:






 



- Taking advantage of the Command Execution vulnerability let's try to submit this PHP script:




 - Before that, don't forget to set a Netcat listener at port 4444:





- Now, submitting the script:






- As a consequence a low privilege shell is succesfully achieved:




- Improving the shell:





6 - PRIVILEGE ESCALATION

6.1 - HTPASSWD

- htpasswd is used to create and update the flat-files used to store usernames and password for basic authentication of HTTP users. 

- Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by htpasswd

- htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's crypt() routine. 

https://httpd.apache.org/docs/2.4/programs/htpasswd.html

- Let's try to find any htpasswd file across Vulnos 1:






- Reading the file:





- Also, looking for htpasswd.users:









- John The Ripper helps to decrypt the second password:










- However this path does not lead us to anything, let's try another way.


6.2 - vulnosadmin

- Let's focus our attention on the interesting user vulnosadmin:







- Going to his home directory we find that vulnosadmin has been a successful sudoer in the past:





- Now, taking advantage of the webmin exploit at port 10000 used at point 4 of this exercise, we can get both /etc/passwd and /etc/shadow for vulnosadmin:





- Copying output to files a and b:




- Preparing the password hahes with unshadow command:




- Applying John The Ripper over file u:




- Finally we have been able to decrypt vulnosadmin user's password.


6.3 - SSH

- Using our lists from point 3 users.txt and passwords.txt (where canuhackme has been added) Medusa finds the right credentials for SSH remote shell connection:








- Now, entering SSH credentials vulnosadmin:canuhackme let's connect to Vulnos 1





- The good news are that vulnosadmin is an (ALL)ALL sudoer:







- Changing the password for user root:




- Finally a root shell is succesfully achieved:





- Also this would be equally valid:




7 - CAPTURING THE FLAG

- Reading hello.txt: