Pentesting: h2/h3

EDIT: This is a homework report for Tero Karvinen’s penetration testing course. The page was password protected earlier because of Hack The Box’s policy. The machine has now retired, so the page is now fully public.

h2 e) Hack The Box: OpenAdmin @ 10.10.10.171

An Nmap -A scan revealed Apache web server version 2.4.29.
10.10.10.171 serves just the default web page that comes along with Apache installation. The version is old, so I looked at known vulnerabilities on this version:

https://www.cvedetails.com/vulnerability-list/vendor_id-45/Apache.html

There are 18 vulnerabilities listed… CVE-2019-0211 gives access to all areas, so I’ll check that first.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211
https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html

Looking at these, it looks like they are only useful once I have access to the server. So far I don’t, so let’s start looking for a way in.

I found the apache-users tool, which enumerates common user directories. I’ll use a wordlist supplied by Metasploit and run it with error code 403 (Forbidden). The tool goes through the word list trying to access ‘10.10.10.171/~<name>’; if a response comes, the tool reports it.

$ apache-users -h 10.10.10.171 -l /usr/share/wordlists/metasploit/unix_users.txt -p 80 -e 403

There are more wordlists in ‘/usr/share/wordlists/’, and I tested apache-user-enum.2.0.txt with no luck. Going through wordlists takes quite a lot of time.

I also scanned all ports with nmap; no extras were found besides 22 and 80. Apache creates the user ‘http’ by default. How about:

$ ssh http@10.10.10.171

Screenshot_2020-04-12_20-48-12

But no: I can try whatever username and it still lets me guess the password. This tells something about the SSH configuration at least. Or does it? The SSH version might have some vulnerabilities? From previous scans we know the version: ‘OpenSSH 7.6p1 Ubuntu 4Ubuntu0.3’.

Well. Let’s go back to Apache. It is a default installation, so reading how it looks when unpacked might reveal something.

It turns out we can at least make an OPTIONS request by default. There seems to be an exploit for that around, not sure if it applies to this version. Looking into this next…

Screenshot_2020-04-12_21-37-21

https://www.cisecurity.org/advisory/a-vulnerability-in-apache-web-server-a-k-a-optionsbleed-could-allow-for-information-disclosure/

https://www.exploit-db.com/exploits/42745

Looks like 2.4.27 is the last version that is affected by this CVE-2017-9798.

Access control?

Entering the following address in the browser gives me a 403 Forbidden error.

10.10.10.171/.htaccess

This is an authentication file. I wonder if I could get my hands on that file somehow… The web server accepts POST… There is a method where you can smuggle HTTP requests, and maybe get something without authentication?

https://portswigger.net/web-security/request-smuggling

curl -H "chunked" -d "something" IP address…

h3 b)+c) Recon HTB machines with web services, use new tools

New tool from 0xdf journals: Gobuster

Gobuster is a brute-forcing tool for finding directories, files and DNS subdomains on a web site. I already found the (inaccessible) .htaccess file, so this tool could give me some more information.

Gobuster is similar to the apache-users tool I tried before, but a lot faster! On the outside they seem to do the same thing, and it would make more sense to enumerate user homepages just by appending a tilde (~) to the wordlist used.

Screenshot_2020-04-16_20-48-37

Already some progress! HTTP status code 301: Moved Permanently. Someone abandoned their cultural hobbies? Let’s see how the web pages look, and what happens in the network traffic… ‘/sierra’ was also found at a later stage: it took 10 minutes to go through 81k directories, and that was the small version of the list.
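Both apache-users and Gobuster show up on the server side the same way: one client producing a burst of 403/404 responses, in the apache-users case against ‘/~<name>’ paths. As an added example (not part of the original report), this Python script reads Apache access-log lines in the combined format and flags that pattern per client, listing any ‘/~user’ probes. The log lines, the client addresses and the 5-misses-per-60-seconds threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '  # Apache "combined" format;
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')  # only needed fields

def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def detect_enumeration(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with at least `threshold` 403/404 responses inside any `window`."""
    misses = defaultdict(list)        # ip -> timestamps of 403/404 responses
    tilde_probes = defaultdict(set)   # ip -> set of /~user paths requested
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if status in (403, 404):
            misses[ip].append(ts)
        if path.startswith("/~"):
            tilde_probes[ip].add(path)
    flagged = {}
    for ip, stamps in misses.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):      # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"misses": len(stamps), "tilde_probes": sorted(tilde_probes[ip])}
                break
    return flagged

# Constructed sample log lines: 203.0.113.7 is a wordlist scanner, 192.0.2.10 a normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2020:20:40:01 +0000] "GET /~root HTTP/1.1" 403 275 "-" "-"',
    '203.0.113.7 - - [12/Apr/2020:20:40:01 +0000] "GET /~daemon HTTP/1.1" 404 275 "-" "-"',
    '203.0.113.7 - - [12/Apr/2020:20:40:02 +0000] "GET /~bin HTTP/1.1" 404 275 "-" "-"',
    '203.0.113.7 - - [12/Apr/2020:20:40:02 +0000] "GET /~http HTTP/1.1" 404 275 "-" "-"',
    '203.0.113.7 - - [12/Apr/2020:20:40:03 +0000] "GET /admin HTTP/1.1" 404 275 "-" "-"',
    '203.0.113.7 - - [12/Apr/2020:20:40:04 +0000] "GET /backup HTTP/1.1" 404 275 "-" "-"',
    '192.0.2.10 - - [12/Apr/2020:20:45:00 +0000] "GET /favicon.ico HTTP/1.1" 404 275 "-" "-"',
]
```

Running `detect_enumeration(SAMPLE_LOG)` flags only the scanner, with its four ‘/~user’ probes listed; a single stray 404 from the normal visitor stays below the threshold.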

Screenshot_2020-04-16_20-58-40

The ‘music’ page has interesting qualities: Lorem ipsum, and NOT LIVE/NOT FOR PRODUCTION USE in the site title. I do live music, occasionally it’s even production grade!

Hitting the login button on the music screen gets me to OpenNetAdmin view:

Screenshot_2020-04-16_21-14-42

We have the openadmin.htb domain and some more information revealed. And the head of the User Info window contains a link to ‘homestarrunner.com/sbemail152.html’ with ‘Detailed info about network managment’ hover text… the author’s diversion?

Well. OpenNetAdmin v18.1.1 has vulnerabilities. Remote code execution ones. I found bash code that exploits it from https://vuldb.com/?id.146798.

It took a while to find the right command to work with the tool. I looked at a python3 version of the exploit, and it turned out I was missing a trailing slash:

Screenshot_2020-04-16_22-15-04

I’m in as the ‘www-data’ user. Testing a few commands… oh dear, how did this happen?

Screenshot_2020-04-16_22-21-52

Jimmy and Joanna. A MySQL server. What happened? How am I viewing ‘/etc/passwd’?

The shell the exploit provided was limited: not possible to navigate like one would normally do in a Linux system. Here is a short version of what happened: cat didn’t work, less did!

$ cat htaccess.example
$ ls /home
jimmy
joanna
$ ls /
...this looks familiar...
$ ls /etc
...so much interesting stuff...
$ cp /etc/passwd .
$ less passwd

User enumeration: check. Let’s take a look at the group file too:

$ less /etc/group

Screenshot_2020-04-16_22-56-44

Someone has been doing user management! Neither Jimmy nor Joanna had any administrative or special privileges, but an ‘internal’ group? I feel like an insider already. The sshd configuration is worth a look too. X11 forwarding is on? Is this the Ubuntu default? This draws attention: ‘AcceptEnv LANG LC_*’. And the sftp subsystem is on.

Do Jimmy and Joanna have ultra-secure passwords? An SSH key could also be useful… Oh, and that mysql dude… There is a swap.img file sitting at /.

But the server becomes unresponsive, and some weird files start appearing. Hackers around? Most likely. Time for bed anyway.

Continues on this password protected page.

Published by:

Tuomo Kuure (tqre)

A professional double bassist and a ICT infrastructure student with good Linux skills. Coding skills include Python, shell scripting and Java. C and asm bubbling under. Main interests are Linux-related: cloud, configuration management, security and kernel programming.
