BREACH VulnHub (Full Report)

— — — — — — — — — — — — — — —

{Part 1}

[+] So at the very beginning, I ran the xmas scan because Stealth scan was firewalled/filtered

Open ports found
— — — — — — — — — — — — — — —
Nmap scan report for 192.168.110.140
Host is up (0.00031s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
80/tcp open|filtered http
4444/tcp open|filtered krb524
8443/tcp open|filtered https-alt

and futhur more enumerate, enumerate, enumerate!!!!!

Deep Scan reveals
— — — — — — — — — — — — — — — — — — -

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to Breach 1.0
4444/tcp open ssh DrayTek Vigor ADSL router sshd EKQA (protocol 20)
8443/tcp open ssl/https-alt?
| ssl-cert: Subject: commonName=Unknown/organizationName=Unknown/stateOrProvinceName=Unknown/countryName=Unknown
| Not valid before: 2016–05–20T17:51:07
|_Not valid after: 2016–08–18T17:51:07
|_ssl-date: 2021–09–02T23:22:14+00:00; +5h30m09s from scanner time.

By the time of port scans, i fired up for web enums..

Gobuster reveals these directories
— — — — — — — — — — — —
/images (Status: 301) [Size: 318] [ → http://192.168.110.140/images/]
/server-status (Status: 403) [Size: 295]

Nikto doesn’t smiled much ;-)
— — — — — — — — — — — — — — — — — -
OSVDB-3233: /icons/README: Apache default file found.
+ /.gitignore: .gitignore file found. It is possible to grasp the directory structure.

— — — — — — — — — — — — — — — — — — —

Manual inspection of web app(http://192.168.110.140)
Possible users:-Bill Lumbergh,Peter Gibbons (pgibbons),admin@breach.local

Found link /initech.html
-found base64 encoded string in the source of /initech.html page
+Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo
-Double encoded base64
Found creds:- pgibbons:damnitfeel$goodtobeagang$tapgibbons

Login Name:- pgibbons
Display Name:- Peter Gibbons
Email:- peter.gibbons@initech.com

Found using ‘search’ in impressCMS
— — — — — — — — — — — — — — — —
Searched for ‘peter’
Found 1 entry
Interesting intel found
+ “the alias, storepassword and keypassword are all set to ‘tomcat’. Is that useful??”

Since we got pcap file, it was all encrypted, we need a key to decrypt, after enumeration we found a keystore which is a java war file, generate the key using keytool

keytool -importkeystore -srckeystore keystore -destkeystore breach.p12 -srcstoretype JKS -deststoretype PKCS12

Authorization: Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC
base64 decoded: tomcat:Tt\5D8F(#!*u=G)4m7zB

GET /_M@nag3Me/html HTTP/1.1
Host: 192.168.110.140:8443

This url is the access portal to apache tomcat
Used the credentials above to gain access
Here’s the version info

Apache Tomcat/6.0.39 1.7.0_101-b00 Oracle Corporation Linux 4.2.0–27-generic amd64

So I uploaded the war file which is actually the payload which will help to get reverse shell!!!!:-))

So i ran privy.sh out of mentioned scripts for enumerating the fruits.

Privilege Escalations
===============================

ran privy.sh
[+] was able to log in to MySQL without password

Found username/pass in mysql database
milton | 6450d89bd3aff1d893b85d3ad65d2ec2

milton’s password cracked
[+] milton:thelaststraw

Breach user credentials
— — — — — — — — — — — — —
root:x:0:0:root:/root:/bin/bash
milton:x:1000:1000:Milton_Waddams,,,:/home/milton:/bin/bash
blumbergh:x:1001:1001:Bill Lumbergh,,,:/home/blumbergh:/bin/bash

world writeable
— — — — — — — — — —
/etc/init.d/portly.sh
/home/milton/some_script.sh

So during recon I found the path http://192.168.110.140/images/bill.png.

Hidden data inside the image reveals strange text, i for no reason used that as a password for bill, and it worked!!!. Along with that after checking sudo permissions, Abusing the sudo permission allowed me to create the reverse shell and got root privileges(you have to wait 3 min, as per victim’s script runtime) , as shown

AND NOW IT’S BREACHED!!!!!, WE ARE ROOT!

That’s all for this machine,

Until Next Time,

Stay Lovely..

--

--

All I need is just my ten fingers and sometimes {coffee}, to talk to computers.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Neelesh Patel

All I need is just my ten fingers and sometimes {coffee}, to talk to computers.