Friday 20 May 2016

VulnHub -- VulnOS: 2 -- Writeup

Cracking VulnOS: 2
So trying my hand at another VulnHub VM.. after having failed miserably at Gibson, which was awesomely busted by THS bud ch3rn0byl, I was hoping for an easy 'pick-me-up' ..
Yah.. didn't happen..

The more I think I know, the more I realise I don't.. sometimes annoying, but mostly fueling the fire :D  *roar!*

Getting target(s)
netdiscover -i eth0 -P -r

And then the obligatory nmap;
nmap -T4 -A

Open up the webpage to see a link to the company's webserver;

After a bit of browsing and learning about text fillers (grrrrr...) found a link to the 'documentation' ;
/jabcd0cs/  cunningly obscured with same colour as background..sneaky..
We are advised we can log in as guest with guest/guest

Alright, this looks promising, a document management system called OpenDocMan, logging in as guest and looking around, we see it allows uploads, sweet lets give it a shot !!

Lets try uploading a php reverse shell to see if we can get lucky!

Booo... can't upload shells

hmm.. OK, so it is limited, but it also shows that admin can edit the file list.. OK, target acquired..

I can has admin ?
The version is nicely printed at the bottom of the screen, so we do a searchsploit to see if any possible vulnerabilities.

Nice and clear version info

searchsploit opendocman 1.2.7

Ooohh... Multiple..

cat /usr/share/exploitdb/platforms/php/webapps/32075.txt

Alright, an sqli vulnerability as well as an exploit to get admin access/rights on the opendocman system.
Guest does not have admin privs and I want to try to upload a reverse shell and need admin privs to do that, so decide to try to get admin privs.

no admin privs :(

I copy the form information and create an html file accordingly, edit to reflect guest's user ID, upload with my guest account, view it, click on "Run".. and check guest's credentials again..

Game on! admin privs..

But wait... still can't alter allowed filetypes..  Booo..

Putting my thinking cap back on; despite other accounts being admin, maybe the only admin user allowed access is user #1 ?
I go to update users, find webmin account and update password to 12345.

Awesome, admin privs allow guest to edit another user's password

Then see whether I can now log in as webmin with better access control.

FuckYeah... I has full admin..

Teh Failz
So now when heading over to the admin panel I see I can alter the allowed filetypes, lets get php up in there and try to get a reverse shell going..
Hmm uploads fine, but it won't execute..

OK, just for shits and giggles, lets see if imagemagick is used in any way allowing an ImageTragick attach when uploading a malicious png..
Nope..image is not displayed. Bah.

OK, well since the webform worked OK, how about some java ?
I make a test html file with some simple java, upload it and view it, well that worked OK,

This test works, but failed to weaponize it :(

how about trying to make a java reverse shell ?

This is where I spent way to much time messing about, I tried to somehow weaponize the java but simply lack the skills needed for this.
I had found what was reportedly a java reverse shell, but failed miserably in trying to get this to run from within the html.
(Any pointers from teh pr0z on what I could have done greatly appreciated!)

So after a while (ok, a fu*kin long time) decided that this is probably not going to be the way in, after googling my arse off I could find no reference in leveraging uploaded files in opendocman to get shell, so it was time to move on..

What a waste of time..pfff, oh well I'm sure (or rather hopeful.. lol) I learned something..

Getting a foot in the door - SQLi
So the 1st item in the list of opendocman exploits was an SQLi vulnerability;

1) SQL Injection in OpenDocMan: CVE-2014-1945
The vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.
The exploitation example below displays version of the MySQL server:

Alright, lets do some quick checks..
The exploit example makes use of the 'add_value=odm_user' parameter for an sql injection attack so let's see what information can be found with sqlmap;
sqlmap -u ''

Alright, that seems to show a positive return..

Now to check out which databases we can see;
sqlmap -u '' --dbs

Then check out the tables of the jabcd0cs database;
sqlmap -u '' -D jabcd0cs --tables

And then check what can be found in the odm_user table ;
sqlmap -u '' -D jabcd0cs -T odm_user --columns

ooohhhhhh.. username AND password.. that' ll do me just fine..
let's dump it !
sqlmap -u '' -D jabcd0cs -T odm_user --dump

yay hashes..

Gaining Access
OK, so what are these password hashes

Cool, MD5

For MD5, there are great online crackers which are truly hard to beat..
Sure you can do it hardcore yourself, but there are so many hashes already online and cracked, that sometimes a simple google search will actually already turn up the answer.
In this case google doesn't.. so onto ..
(Thanks H4v0K for the hint on that site, I had tried others with no success!)

Sooooo can we use these passwords to log in ?

I try to log into ssh with guest | guest ;
ssh guest@

failed with password 'guest'  :(

trying with webmin | webmin1980;
ssh webmin@

whaaa ! I'm in !

First thing that catches my eye is the Ubuntu 14.04.04 LTS
This I have seen before and have used a local exploit on with success using one of the ofs exploits..
Anyway I have a quick browse around but find nothing of interest.

So lets spawn a terminal, find a writeable directory and try a couple of the good 'ol ofs exploits;
python -c 'import pty; pty.spawn("/bin/bash")'

I precompiled the exploit-db ofs exploits 37292 & 39166 and have them sitting in my exploitz directory along with the ofs exploits from
No success with the compiled exploit_db exploits, however I have learned that one should try them all !
So I uploaded the trusty ofs_32 from and gave that one a whirl..


After reading the writeup by the author, (found here
I noted that he did use the 37292.c exploit by compiling it on the actual victim.. n00b as I am I thought that using precompiled would be easier.. now I know that its also possible (better?) to compile on victim..
But as a trusty THS member asked me the other day; has the pre-compiled exploit from failed where the exploit-db ones have succeeded.. Not sure but think not..
Still, valuable lesson learned.

Now.. this is where it gets embarassing... In the past couple of VMs I have done where root was the goal, flags were often found in the /root directory.. so I have no idea why I first decided it would be a good idea to check the /home/vulnosadmin directory..  but I did..

and found the file r00t.blend

My first reaction was; this is it, this is an extra step to the flag,..
But what is r00t.blend..
file r00t.blend

it's a Blender3d file
OK, wtf is that..

> Googled
> Downloaded blender
> opened the file

> got a tantalising glimpse of what appeared to be a sequence of letters when slightly moving the cube

> spent 15 minutes watching youtube videos on how the hell this proggy is supposed to work when using a touchpad..

> With some keyboard mashing and some vague touchpad movements was able to get this beauty..

Uhh, OK.. 
Doesnt read much like a flag.. is it a password for another file ?

Time to check around the other directories for files of interest which may be password protected?!

ls -la root/
uhh.. flag.txt ?? God dammit TAPE .. lol :D

double facepalm

I just wasted more time on either a random lost file, or a cunningly placed red herring :)

cat root/flag.txt

Job Done :)

So.. lessons learned;
1. If an exploit says something is vulnerable to SQLi, see whether you can dump databases before going batshit crazy on other hypothetical entry points..

2. Carefully check your SQLi / sqlmap syntax.. missing quotes, slightly-off parameters will ruin your day..

3. By all means note interesting files for future reference, but check other directories for interesting files as well before going all out on checking a single file when possibly others are out there.. lol..

4. I dig Anime chicks :D

kusanagi.jpg from the OpenDocMan file manager

Big thanks to c4b3rw0lf for the time invested in creating this fun challenge and big Up to for hosting these challenges.

Wednesday 11 May 2016

VulnHub -- SecTalks: BNE0x00 - Minotaur -- Writeup

So I had a crack at another VM from called minotaur and thought I would post
my processes and failures on it !
It's a fairly long an detailed post (image heavy!) but that's the way I like reading these things.. soo.. ;)

Hints given ;
  1. This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
  2. One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.

So starting off with the usual, using netdiscover to find host IP address ;
(as before I use a homebrewed script to save those valuable seconds wasted on a few extra keystrokes.. ;) )
netdiscover -i eth0 -p -r

Run a quick test for robots.txt (a simple curl request would also do, or viewing output results from an nmap scan, but hey..)
bash tools/

Nothing to see there, so move along to running an nmap scan using zenmap
(I simply prefer the output view in a separate window that having it in another terminal window..)

Alright, so 3 open ports;
22     --> ssh
80     --> http (Apache 2.4.7)
2020 --> vsftpd ftp service with anonymous login authorized

Nothing to see on port 80 but a standard Apache welcome page, no robots.txt either, I run a quick check with dirb to try some forced browsing but a quick dirb turns up empty handed ..

A tad disappointed, I decide to run a more detailed check by firing up, the in my case sorely underutilised, OWASP ZAP.
I enter the IP details for a quick scan which doesn't show much too interesting.

So I then start up start a forced browsing attack with the dirbuster directory list wordlist.
(standard wordlist can be edited from; Tools -> Options -> Forced Browse)

After a couple of minutes I see the subdirectory "bull" pop up. Yay ! something new to poke at.

Checking out the webpage I am presented with a wordpress blog showing a rather disturbing furry and some seriously roided up cattle..

Ho Lee Fuk.

As the pictures were pretty prominent I decided to first have a quick look there.
The images are rotating so I dig around with inspect element to find the directory where I can grab the images;

So the pictures are all located at;

Let's download the pics for further analysis;
wget -nd -r -l 1 -A jpg
ls -l *.jpg

Brief checks on file info / basic stego / extraneous info / exifdata did not turn up anything significant;
checking file information;
for i in $(ls *.jpg) ; do file $i ; echo ; done

Nope, nothing shocking here..

checking for interesting data with exiftool;
for i in $(ls *.jpg) ; do exiftool $i ; echo ; done
Nope, nothing interesting there.

checking if any extraneous info at the end of the files;
for i in $(ls *.jpg) ; do hd $i | tail -n2 ; echo ; done

Nope.. all ending with the expected FF D9 file trailer

So checked if only 1 file trailer.. just to make sure no jpgs pasted together ;)
for i in $(ls *.jpg) ; do echo $i ; hd $i | egrep -i 'ff d9|ff  d9' ; echo ; done

Seems like all files only have one JPG file trailer, so would appear no jpg pasting going on..

checking if any info hidden with steghide without password;
for i in $(ls *.jpg) ; do echo $i ; steghide extract -sf $i -p "" ; done


checking files for steghide info with worst 500 password list;
for x in $(ls *.jpg) ; do bash tools/ -i $x -w lists/501.txt ; done

Bah.. Nope..
So although very basic checks at this point, the only thing out of the ordinary is the comment " * " in the pakistani-bull1905608220146652615.jpg file, but nothing further identified on that or any of the other files.

Enough time spent looking at the images for the time being. so time to move on..

As it is a wordpress site and wordpress quite frequently is in the news with vulnerabilities, lets
try wpscan on the site and see what it spits out;
wpscan -u

Oh yeah, this looks more like it..!

Looking through the information and the named vulnerabilities, the arbitary file upload vulnerabilities look interesting, but still need an existing user & password.. boo.. :(

Well, let's enumerate the site for users;
wpscan -u -e u

This info can also easily be found by simply browsing through the blog.

Great! we see user 'bully', a starting point to hacking a way in.
wpscan also has a bruteforce option, so lets run a few wordlists on it..

wpscan -u -U bully -w /root/list.txt

After trying several wordlists, I was constantly presented with similar results.. Booo !
Time to try harder..

hmm, no joy with the usual suspects :(  hang on.. the hint did mention that a particular password would not be able to be found in the usual wordlists.. OK, time for plan B.
With the great tool CeWL we can make a focussed wordlist based on all text, found on the wordpress site including filenames etc.
cewl -d 5 -a -e -w kewl.txt
Let's go and kick ass with our new found awesome wordlist!
wpscan -u -U bully -w /root/kewl.txt

aaah, still no joy..

OK, before we lose faith lets beef up (lol pun intended) the wordlist in stages.
(correctly or incorrectly, I prefer starting with small lists and gradually going larger and larger instead of starting off with a huge list).
As we are starting with a small wordlist, we can make certain string manipulations easily without creating a monster;
- Letter case manipulation
- Basic 'leetspeek' alterations
(Depending on how many character alterations you consider, that can however massively increase wordlist size, see an example of permutation possibilities with Gitsnik's awesome script here)

Letter case manipulation can be done with simple sed / tr commands;
cat kewl.txt > new.txt
cat kewl.txt | sed -e 's/^./\u&/' >> new.txt
cat kewl.txt | sed -e 's/.$/\u&/' >> new.txt
cat kewl.txt | tr '[:lower:]' '[:upper:]' >> new.txt
cat kewl.txt | tr '[:upper:]' '[:lower:]' >> new.txt
cat kewl.txt | tr 'a-z A-Z' 'A-Z a-z' >> new.txt
cat new.txt | sort | uniq > new1.txt

Alright lets run the new and improved wordlist ! 
wpscan -u -U bully -w /root/new1.txt


OK, let's include some basic leetspeak alterations based on the most used 
leetspeak permutations of a / e / l / o / t ;
cat new1.txt | sed -e 's/a/4/g' -e 's/A/4/g' >> new-leet.txt
cat new1.txt | sed -e 's/e/3/g' -e 's/E/3/g' >> new-leet.txt
cat new1.txt | sed -e 's/l/1/g' -e 's/L/1/g' >> new-leet.txt
cat new1.txt | sed -e 's/o/0/g' -e 's/O/0/g' >> new-leet.txt
cat new1.txt | sed -e 's/t/7/g' -e 's/T/7/g' >> new-leet.txt
cat new1.txt | sed -e 's/a/4/g' -e 's/A/4/g' -e 's/e/3/g' -e 's/E/3/g' -e 's/l/1/g' -e 's/L/1/g' -e 's/o/0/g' -e /O/0/g' -e 's/t/7/g' -e 's/T/7/g'
cat new-leet.txt | sort | uniq > new.txt

This method of 'leetifying' is not perfect, but its a decent start.

Alright ! Now this wordlist is pretty pimped, surely now more success will be granted!
wpscan -u -U bully -w /root/new1.txt


well that was a letdown.

I was rather disappointed I wasn't getting anywhere with this approach as it means that we now need to consider adding/modifying common characters/phrases which starts getting pretty theoretical.
Anyway, time for a new plan..

When bruteforcing a hash using hashcat, you can use a set of rules which do word manipulations on the fly. This prevents the creation of enormous wordlists and has proven very successful in cracking passwords.
But.. no luxury of not having to create large wordlists in this case, so I need to get the stdout from the hashcat rules.
This option is not possible using cudaHashcat or oclHashcat, so I run it on the cpu based hashcat version installed on Kali.
In this case as the usual suspects (case and basic leetify options) yielded nothing I decide to go for the T0XlC ruleset that will do some pretty heavy word mangling.
As a last ditch effort I can always look at the other rulesets, including for instance the d3ad0ne ruleset which I know will massively increase wordlist size.. and then, well, back to the drawing board.

hashcat -r /usr/share/hashcat/rules/T0XlC.rule kewl.txt --stdout > t0xic.txt
wc -l t0xic.txt
lemme sort and check for duplicates
cat t0xic.txt | sort | uniq > big.txt

still an ooff sheet moment but managed to remove over 600k passphrases.
I would normally cut out short passphrases as well, but since I want to go for broke, I decide to discard my usual methods, leave everything in and just run it.
Oh dear Lord its slow.. 40 minutes in and it has only done 100,000 passphrases.. reportedly over 7 hours to complete.. omg.. being on VM's certainly does have some disadvantages.
(I would be interested to hear what other wordpress bruteforce tools you pros use, please leave a comment if you have a favourite!)

Anyway I let it run and revisit the other ports and google to see whether any other entry method might suddenly jump out at me.
Nothing did, so time for a beer and mindless izismile/imgur browsing..

Suddenly I hear the fan of my lappy quietening down.. oooh.. it hasnt yet been 7 hours..does this mean the crack has stopped with success?!



So now we basically can go down 2 roads ;
Either use the metasploit exploit;

And we're in :)

or manually create shell.php, upload, start listener and open php file in browser;

And again, we're in :D

Spawning terminal with ;
python -c 'import pty; pty.spawn("/bin/bash")'

Usually my feeling is simply; don't over-complicate things if a solution is readily available, use it for quick access..Metasploit is great for quick and easy shells.
On the other hand, I like having Plan B's C's D's etc.. so knowing how to do things in another way is imperative and having a backup plan is always a must..

So now we are in, lets see what a quick poke around can get us.
 Awesome! a list of users and a flag along with a shadow backup file..
and apparently *My milkshake brings all the boys to the yard*..OK.. :D

Let's get a crackin on the found users..
I transfer the shadow file to the attacker with netcat ;

I do a bit of stripping to make sure hashcat can understand the hash correctly and run an attack using the best64 ruleset on a smallish wordlist;
cat shadow.bak | egrep 'minotaur|heffer|h0rnbag|root' | cut -d : -f 2 > hashes.txt
hashcat -a 0 -m 1800 hashes.txt -r /usr/share/hashcat/rules/best64.rule lists/password.lst 

heffer turns up a password pretty quickly; Password1
minotaur follows not too long after; obiwan6
root and h0rnbag remain elusive..

I like hashcat & cudaHashcat but I have to give props to JohnTheRipper for the unix hashes, the above stripping and 'complicated' use/choosing of rulesets is not necessary with John and the cracking process could also be done with a simple;
john hashes.txt

Let's switch user and see what else can be found with heffer's creds!
sudo -u heffer

Alright! heffer's flag obtained: Th3 fl@g 15: m0000 y0

Now lets switch users to minotaur and poke around a bit;
su minotaur
--> enter retrieved password when promted
check out home directory of user minotaur
cd /home/minotaur
ls -lah 
cat flag.txt

Yep flag retrieved; M355 W17H T3H 8ULL, G37 73H H0RN!

Hmm.. a message taunting us whether we can find /root/flag.txt..
The audacity! :D

cat /root/flag.txt
ah, no privs, well we kinda expected that..

2 methods found for getting root ;

1. overlayfs exploit;
I downloaded the ofs_32 file and transferred to the /tmp directory with netcat
Then made the file executable with chmod and ran the exploit;

root baby !

2. administrative privileges 
So what privs do we actually have ?

sudo -ll
ahhh... I spy with my little eye.. something that rhymes with boot ;)
sudo su
Enter minotaur's password and we have the coveted hashtag instead of dollar sign.. yup.. we have root privs !

From here its an easy road to the final flag.

cd /root
cat flag.txt
Final flag: 5urr0und3d bY @r$3h0l35

Job Done !

It is mentioned that the users for which passwords were found were able to run
/root/ as root.
When root I had a look for the file without success, perhaps it's one of the mentioned red herrings as that would possibly have been an other way in.

Until I finally get the h0rnbag's password I wont consider this VM totally busted..
considering the frequent use of leetspeek here, its possible the password has some of that as the O is replaced with a 0 in h0rnbag as well..

If/When I crack it I will post it up ;)

Thanks to Robert Winkel for the creation and to VulnHub for hosting these awesome VMs :D
Google Analytics Alternative