Fri. Jul 3rd, 2020

Pentesting Fun Stuff

following the cyber security path…

Tre

Introduction

And yet another challenge from VulnHub, created by SunCSR Team.
This one is rated 'intermediate' and there is no mention of a rabbit hole.
Let's dive in…

Enumeration

Like always, we start with a port scan to get a good view of which ports are open and which services are running behind them.

It looks like there is an SSH server (port 22) and two web servers (ports 80 and 8082) running.
Let's start with a nikto scan first.

The first scan turns up some interesting findings.
One of them is a section protected by HTTP basic authentication, with a login form.

A run with gobuster turns up some additional information, but mostly things we already knew.

/cms/ leads to a SOLMUSIC webpage with a lot of dead ends.
According to exploit-db there are a lot of issues with the Mantis program.
But for some of them I need an additional path (which I haven't found yet).
So we run another gobuster scan, this time with a different wordlist.

Now this is more like it!
Another application (Adminer 4.7.7), which according to exploit-db has only one verified exploit, and that one is for an earlier version.
So we skip that one for now.

Our focus is on Mantis, and with the additional folder (/mantisbt/) there is an exploit from exploit-db that can get us in.
(http://127.0.0.1/mantisbt-2.3.0/verify.php?id=1&confirm_hash=)

After a while it turns out there are no real options here to help me further along.
I was hoping for a way to upload a PHP file, but let's move on and go back to the gobuster findings.
Let's run a focused scan on /mantisbt/.

When looking at the findings of this scan, there is one folder that is interesting to follow up on: /config/.
In that folder there is a text file with the database credentials (handy!).

Combined with the Adminer program we found earlier, we can check whether we can log in with these creds.
And we can!

Now to find the users table and check it for more credentials.

Funny to see that the exploit from earlier left its trace on the system.
There is also another set of credentials, namely 'tre:64c4685f8da5c2225de7890c1bad0d7f'.

Because this is an MD5 hash, I check crackstation first to see if these hashes are already known.

Hmmm… it looks like the password I gave during the previous exploit also got saved in the database.
Strange that I couldn't log in as admin. Oh well. It looks like there is no known plaintext for the tre password.
There is, on the other hand, a very strange realname placed in the database.

Not the same… still going to try it anyway.

Well, it worked.
Time for some recon.

When checking sudo, there is an entry that lets user tre run the system binary 'shutdown' with superpowers.
Shutdown itself is not very interesting. When you look at the help menu, you see there are only a few options,
and all of them are aimed at shutting down or rebooting the system. So why is this interesting?

When we use the following command:

We can watch all running processes.
Now let's give the call (with /sbin/shutdown) to reboot the system.

You can see here that the system prints a timestamp.
That means it calls a system process to get the current time (and we can track this).
And when you look closely, a few processes stand out.

First the system starts a process to get the timestamp (for the shutdown output), then it starts a process for rsyslog (not interesting).
But then it starts a process that runs a script. We know it's not a compiled executable because of the /bin/bash in front:
it needs bash to execute the check-system script.

From the process listing we can tell this script is executed as root.
Also, the file is world-writable. If that's not a recipe for disaster, then what is?
Let's add a piece to this script.

And reboot the system.
Let's find out if it worked…

Nice. Now for the final step.

And there you have it.
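As an added example (not from the original write-up), here is a small POSIX shell audit for the condition that made this escalation possible: a script that root executes (here the check-system script triggered by 'sudo shutdown') being writable by others, or sitting in a directory where anyone can replace it. The write-up does not give the exact path of check-system, so the paths to audit are passed as arguments.

```shell
#!/bin/sh
# Added example, not code from the original write-up.
# Audits scripts that a privileged command runs as root for permissions
# that let an unprivileged user change what root executes, and fixes them.
# Paths are assumed: pass the real location of check-system as an argument.

# Succeed (exit 0) if "others" have the write bit on the path.
is_world_writable() {
    [ -e "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm -o=w 2>/dev/null)" ]
}

# Succeed if the parent directory is world-writable without the sticky bit,
# i.e. anyone could swap the script out even if the file itself is locked down.
parent_dir_replaceable() {
    dir=$(dirname "$1")
    [ -n "$(find "$dir" -maxdepth 0 -perm -o=w ! -perm -1000 2>/dev/null)" ]
}

# Print one line per finding for each path given; prints nothing when clean.
audit_root_scripts() {
    for f in "$@"; do
        if is_world_writable "$f"; then
            echo "WORLD-WRITABLE: $f"
        fi
        if parent_dir_replaceable "$f"; then
            echo "REPLACEABLE: $f (parent $(dirname "$f") is world-writable, no sticky bit)"
        fi
    done
}

# Remediation: strip group and world write bits from a script root executes.
harden_root_script() {
    chmod go-w "$1"
}

# Usage: audit_root_scripts /path/to/check-system && harden_root_script /path/to/check-system
```

Run the audit against every script referenced by sudo rules, cron entries and service units, not only the one found here; a clean run prints nothing.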

Conclusion

Outstanding challenge from SunCSR Team.
They really did a very nice job with this one.
There were many options to enumerate and you really needed some kind of method so you didn't get lost in all the information.

Very cool. Can’t wait for the next one.
