Monday, March 27, 2017

Orcus VM

Hello all. I am working on a project from http://vulnhub.com called "Orcus".

This is as far as I have gotten. Maybe it will help someone out. I am asking for help at this point.
Let's see how this goes...

Zenmap scan: Intense scan (-T4 -A -v)

OUTPUT:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-27 17:42 Central Daylight Time
NSE: Loaded 143 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:42
Completed NSE at 17:42, 0.06s elapsed
Initiating NSE at 17:42
Completed NSE at 17:42, 0.00s elapsed
Initiating ARP Ping Scan at 17:42
Scanning 192.168.244.134 [1 port]
Completed ARP Ping Scan at 17:42, 3.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:43
Completed Parallel DNS resolution of 1 host. at 17:43, 0.24s elapsed
Initiating SYN Stealth Scan at 17:43
Scanning 192.168.244.134 [1000 ports]
Discovered open port 111/tcp on 192.168.244.134
Discovered open port 80/tcp on 192.168.244.134
Discovered open port 22/tcp on 192.168.244.134
Discovered open port 110/tcp on 192.168.244.134
Discovered open port 143/tcp on 192.168.244.134
Discovered open port 443/tcp on 192.168.244.134
Discovered open port 53/tcp on 192.168.244.134
Discovered open port 995/tcp on 192.168.244.134
Discovered open port 139/tcp on 192.168.244.134
Discovered open port 993/tcp on 192.168.244.134
Discovered open port 445/tcp on 192.168.244.134
Discovered open port 2049/tcp on 192.168.244.134
Completed SYN Stealth Scan at 17:43, 0.14s elapsed (1000 total ports)
Initiating Service scan at 17:43
Scanning 12 services on 192.168.244.134
Completed Service scan at 17:43, 11.04s elapsed (12 services on 1 host)
Initiating OS detection (try #1) against 192.168.244.134
NSE: Script scanning 192.168.244.134.
Initiating NSE at 17:43
Completed NSE at 17:43, 31.85s elapsed
Initiating NSE at 17:43
Completed NSE at 17:43, 0.02s elapsed
Nmap scan report for 192.168.244.134
Host is up (0.00050s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
53/tcp   open  domain      ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php
| /exponent_version.php /getswversion.php /login.php /overrides.php
| /popup.php /selector.php /site_rss.php /source_selector.php
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp  open  pop3        Dovecot pop3d
|_pop3-capabilities: UIDL STLS AUTH-RESP-CODE TOP SASL PIPELINING RESP-CODES CAPA
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-09T03:44:10
| Not valid after:  2026-10-09T03:44:10
| MD5:   ad50 6e67 26f1 7969 4bcd 2696 5347 a592
|_SHA-1: 01e5 ecc7 994a a19d 45e8 f4c2 b4cf 98b5 10a4 771f
|_ssl-date: TLS randomness does not represent time
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41663/tcp  mountd
|   100005  1,2,3      46138/udp  mountd
|   100021  1,3,4      33067/tcp  nlockmgr
|   100021  1,3,4      34945/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd
|_imap-capabilities: Pre-login more LOGIN-REFERRALS have STARTTLS SASL-IR post-login ENABLE capabilities IDLE IMAP4rev1 listed LOGINDISABLEDA0001 LITERAL+ ID OK
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-09T03:44:10
| Not valid after:  2026-10-09T03:44:10
| MD5:   ad50 6e67 26f1 7969 4bcd 2696 5347 a592
|_SHA-1: 01e5 ecc7 994a a19d 45e8 f4c2 b4cf 98b5 10a4 771f
|_ssl-date: TLS randomness does not represent time
443/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd
|_imap-capabilities: Pre-login AUTH=PLAINA0001 LOGIN-REFERRALS more have post-login ENABLE capabilities IDLE IMAP4rev1 listed LITERAL+ SASL-IR ID OK
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-09T03:44:10
| Not valid after:  2026-10-09T03:44:10
| MD5:   ad50 6e67 26f1 7969 4bcd 2696 5347 a592
|_SHA-1: 01e5 ecc7 994a a19d 45e8 f4c2 b4cf 98b5 10a4 771f
|_ssl-date: TLS randomness does not represent time
995/tcp  open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: UIDL PIPELINING AUTH-RESP-CODE TOP SASL(PLAIN) USER RESP-CODES CAPA
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-10-09T03:44:10
| Not valid after:  2026-10-09T03:44:10
| MD5:   ad50 6e67 26f1 7969 4bcd 2696 5347 a592
|_SHA-1: 01e5 ecc7 994a a19d 45e8 f4c2 b4cf 98b5 10a4 771f
|_ssl-date: TLS randomness does not represent time
2049/tcp open  nfs_acl     2-3 (RPC #100227)
MAC Address: 00:0C:29:2A:B0:D5 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Uptime guess: 0.014 days (since Mon Mar 27 17:22:59 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -5h00m02s, deviation: 0s, median: -5h00m02s
| nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   ORCUS<00>            Flags: <unique><active>
|   ORCUS<03>            Flags: <unique><active>
|   ORCUS<20>            Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: \x00
|   NetBIOS computer name: ORCUS\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-03-27T13:43:18-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms 192.168.244.134

NSE: Script Post-scanning.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.88 seconds
           Raw packets sent: 1023 (45.806KB) | Rcvd: 1021 (41.606KB)

My first hint was under "smb-security-mode", where message_signing is "disabled (dangerous, but default)".
I looked up the Samba version, 4.3.11-Ubuntu, and found an exploit:
libcli/smb/smbXcli_base.c in Samba 4.x before 4.2.14, 4.3.x before 4.3.11, and 4.4.x before 4.4.5 allows man-in-the-middle attackers to bypass a client-signing protection mechanism, and consequently spoof SMB2 and SMB3 servers, via the (1) SMB2_SESSION_FLAG_IS_GUEST or (2) SMB2_SESSION_FLAG_IS_NULL flag.

So with a MITM attack I can bypass the client-signing protection mechanism and spoof SMB2 and SMB3 servers. This will be an option. Let's look further.

Let's try smbclient -L 192.168.244.134
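As an added example (not part of the original post), here is a small Python checker that parses lines in the Nmap normal-output format shown above, pulls the smb-security-mode result, and turns the scan into a defender's findings list. SAMPLE_SCAN is a constructed excerpt of the scan above; the findings wording and the 2049/NFS check are my own additions, not anything the scan itself reports.

```python
import re

# Constructed excerpt of the Nmap output quoted above (same content, fewer lines).
SAMPLE_SCAN = """\
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
443/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

def parse_ports(text):
    """Map each open port number to its (service, version banner)."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), m.group(5).strip())
    return ports

def script_field(text, script, field):
    """Value of '<field>:' inside the NSE block headed '| <script>:' (NSE ends a block with '|_')."""
    block = re.search(r"^\| %s:\n(.*?^\|_.*?$)" % re.escape(script), text, re.S | re.M)
    if not block:
        return None
    m = re.search(r"^\|[_ ]\s*%s:\s*(.*)$" % re.escape(field), block.group(1), re.M)
    return m.group(1).strip() if m else None

def review(text):
    """Defender's checklist: SMB signing state, services on several ports, exposed NFS."""
    ports = parse_ports(text)
    findings = []
    signing = script_field(text, "smb-security-mode", "message_signing")
    if signing and signing.startswith("disabled"):
        findings.append("SMB signing disabled: set 'server signing = mandatory' in smb.conf")
    by_service = {}
    for port, (svc, _) in ports.items():
        by_service.setdefault(svc, []).append(port)
    for svc, plist in by_service.items():
        if len(plist) > 1:
            findings.append("%s answers on several ports: %s" % (svc, sorted(plist)))
    if 2049 in ports:
        findings.append("NFS exposed on 2049: review /etc/exports and 'showmount -e' output")
    return findings
```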

Here is an Apache 2.4.18 vulnerability:
CVE-2016-4979 (CWE-284, Bypass); published 2016-07-06, updated 2016-11-28; CVSS score 5.0
Gained access: None; Access: Remote; Complexity: Low; Authentication: Not required; Confidentiality: None; Integrity: Partial; Availability: None
The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.

OK, I did some digging and found that there is a Python script called "jexboss.py" that will scan Apache for the vuln and execute code to get a shell.
Here is the address for jexboss.py: https://github.com/joaomatosf/jexboss

OK, so that was a flop:

 * --- JexBoss: Jboss verify and EXploitation Tool  --- *
 |  * And others Java Deserialization Vulnerabilities * |
 |                                                      |
 | @author:  João Filho Matos Figueiredo                |
 | @contact: joaomatosf@gmail.com                       |
 |                                                      |
 | @update: https://github.com/joaomatosf/jexboss       |
 #______________________________________________________#

 @version: 1.2.3
 * Checking for updates in: http://joaomatosf.com/rnp/releases.txt **

 ** Checking Host: http://192.168.244.134 **

 [*] Checking admin-console:                 [ OK ]
 [*] Checking Struts2:                       [ OK ]
 [*] Checking Servlet Deserialization:       [ OK ]
 [*] Checking Application Deserialization:   [ OK ]
 [*] Checking Jenkins:                       [ OK ]
 [*] Checking web-console:                   [ OK ]
 [*] Checking jmx-console:                   [ OK ]
 [*] Checking JMXInvokerServlet:             [ OK ]

 * Results:
   The server is not vulnerable to bugs tested ... :D
 * Info: review, suggestions, updates, etc:
   https://github.com/joaomatosf/jexboss

OK, I checked the /tmp/ directory in the URL and found this link:
0c7aa37c1e5b7386c5d18dba80bb5d3b^118e4111302d35936b445390f58fb9f006cda2dd_0.file._maintenance.tpl.php    2017-03-27 13:38     4.2K

no direct access allowed

I looked at /backups/ and got a downloadable directory.
In it I got some MySQL creds: dbuser / dbpassword

These work on the /phpmyadmin/ login screen. That is where I take a break. I have been digging for any sign of a flag or further enumeration, but it seems that I am hitting a wall. I will post any new findings ASAP! The link for this VM is https://www.vulnhub.com/entry/hackfest2016-orcus,182