Penetration of a Vulnerable OS

Penetration Testing OSes: https://drive.google.com/open?id=0B1EqmTkdyXnUcHJ4QjN4aWZLc2c

Note before the report: this is the final project of the Penetration Testing course of my master's degree.

Executive Summary

After agreeing the rules of engagement with EWT, I started the penetration test by verifying the known vulnerabilities of the DVWA-like website, after which I performed service discovery against the server host and found my target service: SSH. By exploiting the Command Injection vulnerability of the DVWA-like website, I enumerated the existing users and guessed their passwords with the THC-Hydra tool. Although I only recovered the password of the "webadmin" user, that was enough to log in over SSH. All the remaining passwords, including the root passwords, were cracked after I exploited a sudo misconfiguration that let the "cat" command run as root and read the "shadow" file. At this point I had full privileges and obtained 5 flags as private data.
Then, I used proxychains to pivot to the internal client. After setting up the pivot environment, I first probed the open ports on the client host and found port 80 open, on which an Apache service was running. While exploring the website, I found a likely Shellshock vulnerability, through which I obtained a shell (Meterpreter) on the client host. Then, because of the misconfiguration of "/home/storm/fun.sh" in the "/etc/sudoers" file, I got a root shell by adding a "/bin/bash" command to the "/home/storm/fun.sh" file. Again I had full privileges and eventually found 2 flags as private data.

Introduction

HW.T was asked to conduct a penetration test for Empire Web Tools (EWT), which lost a large amount of private data in a recent security breach, with the goals of:

  • Identifying the vulnerabilities in their systems and giving recommendations to fix them;
  • Assessing the risk to their private data.

The test was to be conducted as an outside attacker against 2 hosts: a server host that can be accessed directly by attackers, and a client host located in the internal network that can NOT be accessed directly. To simulate real-world circumstances, EWT did not provide any credentials for the penetration test. In addition, the tester was forbidden to break or DoS anything in the systems, or to change system configurations or passwords. The web application itself is out of scope for this report because EWT already knows exactly what vulnerabilities their web application has.

This test found that EWT is vulnerable to outside attacks because of simple passwords, misconfigured script and command privileges, and some application vulnerabilities, which are described in more detail in the following sections.

Attacks against Server Host (10.10.66.66)

Gathering Information About Server Host (10.10.66.66)

In order to learn more about the target, especially the services running on that host, I scanned the server host with NMAP using the command "nmap -n -A -p- 10.10.66.66", which also detects service and OS versions and runs some NSE scripts against the target. The result is presented in Figure 1.

Figure 1. NMAP result against server host (10.10.66.66)

The Apache 2.4.25 and DNS (domain) 9.10.3 services had no well-known vulnerabilities I could use. However, for SSH, it is possible to guess passwords if I know some of the existing users.

Exploit SQL Injection and Command Injection

I exploited the SQL Injection and Command Injection vulnerabilities on some of the web pages, which EWT already knew about, to explore the filesystem and the MySQL database for useful information. By exploring the filesystem, listing the "/home" directory and reading the "/etc/passwd" file, I found the existing users: webadmin, storm and nyu, as shown in Figure 2.

(a) Inject “; cat /etc/passwd” Command

 

(b) Inject “; ls /home” Command

Figure 2. The Result of Command Injection

Then, by exploiting the SQL Injection vulnerability, I found some usernames and password hashes, which are shown in Figure 3.

Figure 3. The Result of SQL Injection against user Table

These hashes can be reversed to clear text easily on https://crackstation.net, so I treated them as candidate passwords for the SSH connection and tried them in the next section. Besides, the "flag" record is one of the private data items; its password is "starwars" in clear text.

Guessing Password to Login SSH

From the previous sections I had some existing users on the host and some username/password combinations. In this step, I tried to guess passwords to log in to SSH. First, I tried every password found in the MySQL database with each existing user account, because there might be password reuse. However, that failed. Then, I used THC-Hydra to guess the username and password combination; the result is shown in Figure 4. The command I used was "sudo hydra -l webadmin -P /usr/share/wordlists/rockyou.txt ssh://10.10.66.66:37015".

Figure 4. The Result of THC-Hydra against User webadmin

Fortunately for me, the password of the "webadmin" user is weak, and I could now log in over SSH.

Privilege Escalation on Server Host (10.10.66.66)

First I logged in to the server host (10.10.66.66) over SSH as "webadmin". Then, I explored the running processes and the filesystem for information that would help me escalate to root privileges. I also tried to "cat" the passwd and shadow files with "sudo". Finally, I found that the "cat" command can be executed as root without a password, the result of a misconfiguration in "/etc/sudoers", shown in Figure 5.

Figure 5. Misconfiguration in “/etc/sudoers” on Server Host (10.10.66.66)

Thanks to this misconfiguration, I could run "sudo cat /etc/shadow > ~/shadow" to extract the shadow file into the home directory of "webadmin". Then I used "scp" to copy this file to my Kali machine. After copying the passwd and shadow files to my Kali machine and combining them with "unshadow", I used "John the Ripper" to crack all the passwords with the "rockyou.txt" wordlist in a few minutes. The result is shown in Figure 6.

Figure 6. The Result of Cracking Passwords of Server Host (10.10.66.66)

Looking for Private Data

Now I could log in to the server as root through SSH, which let me check every corner of the server. So I explored the filesystem looking for the private data, which is named like "flag*.txt/jpg". Eventually, I found 5 flags on the server, which are listed in the "Findings" section of this report.

Besides, by looking through the PHP code in the "/var/www/html" directory, I found the connection details for the MySQL database, shown in Figure 7. Using this information, I can control the database as I want.

Figure 7. MySQL Database Connection Information

Attacks against Client Host (172.16.1.2)

Pivoting and Scan Client Host (172.16.1.2)

Now that I had compromised the server host, I could pivot from it to attack internal machines. I used SSH to connect to the server host (10.10.66.66) as root and set it up as a SOCKS proxy with the command "ssh -D 127.0.0.1:8888 root@10.10.66.66". I also modified "/etc/proxychains.conf" to add the proxy server.

Then, I used the "auxiliary/scanner/portscan/tcp" module in Metasploit to scan the client host and found that only port 80 is open, which means a web site may be running on that port. So I requested it in a browser, which opened the door to attacking the client machine.

Shellshock Vulnerability on Client Host

When I explored the web site on the client host, I found some information that looks like working notes but leaks an insecure aspect of that host, as in Figure 8.

Figure 8. Insecure Working Note about Shellshock

It appeared that the client host (172.16.1.2) was vulnerable to Shellshock, and it was compromised after I used the "exploit/multi/http/apache_mod_cgi_bash_env_exec" module in Metasploit to exploit Shellshock on the client host (172.16.1.2), which gave me a Meterpreter session as the "www-data" user (Figure 9).

Figure 9. The Proof of Attacking into Client Host

Privilege Escalation on Client Host (172.16.1.2)

Now that I had a Meterpreter session, I explored the filesystem to find something I could use to escalate to root. Eventually, in the "/home/storm" directory, I found the "fun.sh" file with 777 permissions, which is unusual and always insecure. So I checked this file and found a comment in it: "Please don't edit this, or any script, that can run as root without password", which suggested there might be a misconfiguration for this file in "/etc/sudoers". So I added a command, "/bin/bash", to this file to get a shell with root privileges. The content of the "fun.sh" file and the result of running it are shown in Figure 10.

  

Figure 10. Exploit fun.sh File to Escalate Privilege

Then I checked the "/etc/sudoers" file to verify my conjecture. The misconfiguration is shown in Figure 11.

Figure 11. Misconfiguration for /home/storm/fun.sh File

Get Passwords and Private Data

Now that I had root privileges, I could get the passwd and shadow files as before. Then, I used John the Ripper to crack all the passwords for this host; the result is shown in Figure 12. As a last step, I found 2 flags on this host, which are listed in the "Findings" section of this report.

Figure 12. The Result of Cracking Passwords of Client Host

Findings and Recommendations

Private Data (Flags)

Name: flag

Location: user Table, MySQL database, Server Host (10.10.66.66)

Clear Text: starwars

Description: Stored as an MD5 hash.

 

Name: flag1.jpg

Location: /var/www/html/hackable/users/flag1.jpg, Server Host (10.10.66.66)

Clear Text: You are our only hope

Description: This is a two-dimensional barcode and the content is encoded by Base64.

 

Name: flag2.txt

Location: /var/www/html/vulnerabilities/exec/flag2.txt, Server Host (10.10.66.66)

Clear Text: The force is strong with you

Description: Encoded by Base64.

 

Name: flag3.txt

Location: /home/webadmin/flag3.txt, Server Host (10.10.66.66)

Clear Text: Sudo help us, you’re our only hope

Description: Encoded by Base64.

 

Name: flag4.txt

Location: /root/flag4.txt, Server Host (10.10.66.66)

Clear Text: Your feeble skills are no match for the power of the Dark Side.

Description: Encoded by Base64.

 

Name: flag5.txt

Location: /home/storm/flag5.txt

Clear Text: That’s no moon…

Description: Encoded by Base64.

 

Name: flag6.txt

Location: /root/flag6.txt

Clear Text: Great kid! Don’t get cocky!

Description: Encoded by Base64.

 

Weak Passwords

Description: The password of the "webadmin" user on the server host is extremely weak; it took me just several seconds to guess. In addition, it did not take much time to crack the other passwords on the server and client hosts.

Impact: Because the SSH service is running on the server host, if a password is weak an attacker can easily guess it and log in to the server host to perform further attacks.

Recommendation: Change the passwords. Passwords should include uppercase characters, lowercase characters, digits and special characters.

Login SSH as Root

Description: Logging in over SSH as root is allowed on the server host (10.10.66.66).

Impact: If an attacker learns the root password, they can log in over SSH as root with full privileges to perform any action, including obtaining private data and damaging the system.

Recommendation: Disallow SSH login as root by setting "PermitRootLogin" to no in the "/etc/ssh/ssh_config" file.

Privilege Misconfiguration

Description: On both the server and client hosts, there is a misconfiguration in the "/etc/sudoers" file. It allows some commands or scripts to be run as root without a password.

Impact: If any command or script can be run as root without a password, attackers may be able to escalate privileges to root or perform actions that should only be done by root.

Recommendation:

  • Only grant user privileges as "XXX ALL=(ALL) ALL" and let them run commands as root through "sudo" with a password. DO NOT set any command or script to be run as root without a password.
  • If it is not necessary, DO NOT give any script "777" permissions.
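The two sudo findings above (passwordless rules in sudoers, and a world-writable script named in such a rule) can be checked on a host with a small audit script; the one below is an added example, not part of the report, and the sudoers content and 777 script it builds are constructed samples modelled on the report's description of the "cat" and "fun.sh" rules.

```shell
# Added audit helpers (not the report's own commands) for the two sudo findings:
# NOPASSWD rules in sudoers, and scripts named in those rules that are
# world-writable like the 777 fun.sh. The demo sudoers content is constructed.

# Rule lines that grant passwordless sudo, skipping comments and Defaults.
nopasswd_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*Defaults' | grep 'NOPASSWD'
}

# Command paths granted by those rules, one per line ("ALL" is not a path).
nopasswd_commands() {
    nopasswd_rules "$1" | sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^ALL$' || true
}

# 0 if the path has the "other" write bit (column 9 of ls -ldL), 1 if not,
# 2 if the path does not exist. -L follows symlinks to the real target.
is_world_writable() {
    [ -e "$1" ] || return 2
    case "$(ls -ldL "$1" | cut -c9)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# One finding per command: CRITICAL when the target is also world-writable,
# since any local user could then edit what root will execute.
audit_sudoers() {
    nopasswd_commands "$1" | while IFS= read -r cmd; do
        if is_world_writable "$cmd"; then
            printf 'CRITICAL %s (NOPASSWD, world-writable)\n' "$cmd"
        else
            printf 'WARN     %s (NOPASSWD)\n' "$cmd"
        fi
    done
}

# Constructed sample: a 777 script and a sudoers file modelled on the cat and
# fun.sh rules described in the report. Prints the sample directory.
make_sample() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho fun\n' > "$d/fun.sh" && chmod 777 "$d/fun.sh"
    printf '# constructed sample sudoers\nDefaults env_reset\nroot ALL=(ALL:ALL) ALL\n' > "$d/sudoers"
    printf 'webadmin ALL=(ALL) NOPASSWD: /bin/cat\nstorm ALL=(ALL) NOPASSWD: %s/fun.sh\n' "$d" >> "$d/sudoers"
    chmod 440 "$d/sudoers" && echo "$d"
}

SAMPLE=$(make_sample)
audit_sudoers "$SAMPLE/sudoers"
```

On a real host, run audit_sudoers against /etc/sudoers and each file under /etc/sudoers.d as root; every passwordless command is reported, and any that is also world-writable is the fun.sh pattern from this report.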

Shellshock Vulnerability

Description: The version of bash on the client host (172.16.1.2) is 4.2.37, which has the Shellshock vulnerability; it can be exploited to run arbitrary commands or even obtain a shell. The mod_cgi module of the Apache service places user request data into bash environment variables and calls bash to handle the request.

Impact: Remote attackers can exploit this vulnerability to execute arbitrary code via a crafted environment and get a shell to perform further attacks. In this penetration test, I exploited this vulnerability through Metasploit and then explored the filesystem to find other vulnerabilities.

Recommendation: Upgrade Bash to version 4.3 or later with the command "sudo apt-get update && sudo apt-get install --only-upgrade bash".

Username and Passwords

Server's Username & Password

root: falcon12

webadmin: abc123

storm: trooper3

MySQL Database Username & Password

root: trooper4

Client's Username & Password

root: starkiller

storm: deathstar

Conclusion

EWT has recently suffered a serious data leak and therefore asked for a penetration test of their systems with the goals of:

  • Identifying the vulnerabilities in their systems and giving recommendations to fix them;
  • Assessing the risk to their private data.

The testing targets are 2 hosts built from the company's images, one of which is exposed to the outside network while the other is accessible only internally.

Through this test, I compromised both hosts with root privileges by exploiting weak passwords, misconfigurations and Shellshock, and eventually obtained some private data.

Simple passwords are the entrance for attackers: once they successfully guess one of the passwords, they can access the host through SSH. However, the main security problems lie in the configuration of the running privileges of scripts and commands. If that configuration were fully correct, then even an attacker who broke into the system could perform only limited actions and could NOT get much private data.
