BREACH VulnHub (Full Report)
— — — — — — — — — — — — — — —
{Part 1}
[+] So at the very beginning, I ran an Xmas scan because the SYN (stealth) scan was firewalled/filtered.
Open ports found
— — — — — — — — — — — — — — —
Nmap scan report for 192.168.110.140
Host is up (0.00031s latency).
Not shown: 65532 closed ports
PORT     STATE         SERVICE
80/tcp   open|filtered http
4444/tcp open|filtered krb524
8443/tcp open|filtered https-alt
and further: enumerate, enumerate, enumerate!!!!!
A deeper (version) scan reveals
— — — — — — — — — — — — — — — — — — -
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to Breach 1.0
4444/tcp open ssh DrayTek Vigor ADSL router sshd EKQA (protocol 20)
8443/tcp open ssl/https-alt?
| ssl-cert: Subject: commonName=Unknown/organizationName=Unknown/stateOrProvinceName=Unknown/countryName=Unknown
| Not valid before: 2016-05-20T17:51:07
|_Not valid after: 2016-08-18T17:51:07
|_ssl-date: 2021-09-02T23:22:14+00:00; +5h30m09s from scanner time.
While the port scans were running, I fired up web enumeration.
Gobuster reveals these directories
— — — — — — — — — — — —
/images (Status: 301) [Size: 318] [ → http://192.168.110.140/images/]
/server-status (Status: 403) [Size: 295]
Nikto didn't smile much ;-)
— — — — — — — — — — — — — — — — — -
+ OSVDB-3233: /icons/README: Apache default file found.
+ /.gitignore: .gitignore file found. It is possible to grasp the directory structure.
— — — — — — — — — — — — — — — — — — —
Manual inspection of the web app (http://192.168.110.140)
Possible users: Bill Lumbergh, Peter Gibbons (pgibbons), admin@breach.local
Found link /initech.html
- Found a base64-encoded string in the source of the /initech.html page
+Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo
- Double-encoded base64
Found creds: pgibbons:damnitfeel$goodtobeagang$ta
Login Name: pgibbons
Display Name: Peter Gibbons
Email: peter.gibbons@initech.com
Found using the 'search' function in ImpressCMS
— — — — — — — — — — — — — — — —
Searched for ‘peter’
Found 1 entry
Interesting intel found
+ “the alias, storepassword and keypassword are all set to ‘tomcat’. Is that useful??”
We also got a pcap file, but it was all TLS-encrypted, so we needed the server's key to decrypt it. After enumeration we found a keystore (Java JKS); convert it to PKCS12 with keytool to get at the key:
keytool -importkeystore -srckeystore keystore -destkeystore breach.p12 -srcstoretype JKS -deststoretype PKCS12
Authorization: Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC
base64 decoded: tomcat:Tt\5D8F(#!*u=G)4m7zB
GET /_M@nag3Me/html HTTP/1.1
Host: 192.168.110.140:8443
This URL is the Apache Tomcat manager portal.
Used the credentials above to gain access
Here’s the version info
Apache Tomcat/6.0.39 1.7.0_101-b00 Oracle Corporation Linux 4.2.0-27-generic amd64
So I uploaded a WAR file, which is actually the payload that gives a reverse shell!!!! :-))
Then I ran privy.sh (one of the privesc enumeration scripts I mentioned) to enumerate the low-hanging fruit.
Privilege Escalations
===============================
ran privy.sh
[+] Was able to log in to MySQL without a password
Found a username/password hash in the MySQL database
milton | 6450d89bd3aff1d893b85d3ad65d2ec2
milton’s password cracked
[+] milton:thelaststraw
Breach user accounts (from /etc/passwd)
— — — — — — — — — — — — —
root:x:0:0:root:/root:/bin/bash
milton:x:1000:1000:Milton_Waddams,,,:/home/milton:/bin/bash
blumbergh:x:1001:1001:Bill Lumbergh,,,:/home/blumbergh:/bin/bash
World-writable files
— — — — — — — — — —
/etc/init.d/portly.sh
/home/milton/some_script.sh
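As an added example (not part of the original write-up), here is the defender-side check that would have flagged a writable init script like the one above: a POSIX shell audit that lists world-writable files and directories under the paths you give it and marks the executable ones, which are the dangerous case. Function and label names are my own.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit a directory tree for
# the misconfiguration behind this box's privesc, i.e. world-writable files
# (such as /etc/init.d/portly.sh) that a privileged process may execute.
# Assumes a POSIX find(1); the directories to scan are passed as arguments.

# World-writable regular files (others have the write bit), one path per line.
ww_files() {
    find "$@" -xdev -type f -perm -0002 2>/dev/null
}

# World-writable directories without the sticky bit: anyone can delete or
# replace entries in them (unlike /tmp, which is mode 1777).
ww_dirs_no_sticky() {
    find "$@" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Report every finding with a label. A writable file that is also executable
# is the dangerous case: if root runs it from init, cron or sudo, any local
# user who can edit it ends up running code as root.
audit_world_writable() {
    ww_files "$@" | while IFS= read -r f; do
        if [ -x "$f" ]; then
            printf 'WRITABLE+EXEC %s\n' "$f"
        else
            printf 'WRITABLE      %s\n' "$f"
        fi
    done
    ww_dirs_no_sticky "$@" | sed 's/^/DIR-NO-STICKY /'
}

# Number of findings; handy as a pass/fail gate in a hardening check.
count_findings() {
    audit_world_writable "$@" | grep -c . || true
}

# Stand-alone usage: ./audit.sh /etc /home /opt
if [ $# -gt 0 ]; then
    audit_world_writable "$@"
fi
```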
So during recon I found the path http://192.168.110.140/images/bill.png.
Hidden data inside the image reveals strange text; for no reason I used that as the password for bill, and it worked!!! After checking sudo permissions, abusing the sudo permission allowed me to create a reverse shell and get root privileges (you have to wait 3 minutes, as per the victim's script runtime), as shown
AND NOW IT’S BREACHED!!!!!, WE ARE ROOT!
That’s all for this machine,
Until Next Time,
Stay Lovely..