【WriteUp】VulnOS1

Taking on a new VM

 

Tools used

 

 

Reconnaissance

% sudo nmap -sS -sV -A -p 1-20000 192.168.3.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-04 01:23 EDT
Nmap scan report for 192.168.3.10
Host is up (0.0011s latency).
Not shown: 19975 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 43:a6:84:8d:be:1a:ee:fb:ed:c3:23:53:14:14:8f:50 (DSA)
|_ 2048 30:1d:2d:c4:9e:66:d8:bd:70:7c:48:84:fb:b9:7b:09 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: VulnOS.home, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2020-04-04T05:24:58+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
53/tcp open domain ISC BIND 9.7.0-P1
| dns-nsid:
|_ bind.version: 9.7.0-P1
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-server-header: Apache/2.2.14 (Ubuntu)
|_http-title: index
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL PIPELINING STLS SASL RESP-CODES CAPA TOP
|_ssl-date: 2020-04-04T05:24:57+00:00; -1s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: CHILDREN SORT=DISPLAY I18NLEVEL=1 ESEARCH completed Capability SORT LOGINDISABLEDA0001 ENABLE IMAP4rev1 CONTEXT=SEARCH UIDPLUS OK ID IDLE SEARCHRES ESORT QRESYNC SASL-IR THREAD=REFERENCES LOGIN-REFERRALS CONDSTORE THREAD=REFS LIST-EXTENDED STARTTLS NAMESPACE WITHIN UNSELECT MULTIAPPEND LITERAL+
|_ssl-date: 2020-04-04T05:24:58+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
901/tcp open http Samba SWAT administration server
| http-auth:
| HTTP/1.0 401 Authorization Required\x0D
|_ Basic realm=SWAT
|_http-title: 401 Authorization Required
993/tcp open ssl/imaps?
|_ssl-date: 2020-04-04T05:24:59+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
995/tcp open ssl/pop3s?
|_ssl-date: 2020-04-04T05:24:57+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
2000/tcp open sieve Dovecot timsieved
2049/tcp open nfs 2-4 (RPC #100003)
3306/tcp open mysql MySQL 5.1.73-0ubuntu0.10.04.1
| mysql-info:
| Protocol: 10
| Version: 5.1.73-0ubuntu0.10.04.1
| Thread ID: 311
| Capabilities flags: 63487
| Some Capabilities: IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, LongColumnFlag, Speaks41ProtocolOld, SupportsCompression, Support41Auth, FoundRows, IgnoreSigpipes, InteractiveClient, LongPassword, ODBCClient, SupportsLoadDataLocal, ConnectWithDatabase, SupportsTransactions
| Status: Autocommit
|_ Salt: 0iEZt\LIgL(#q5R{8D+I
3632/tcp open tcpwrapped
6667/tcp open irc IRCnet ircd
| irc-info:
| users: 1
| servers: 1
| chans: 15
| lusers: 1
| lservers: 0
| server: irc.localhost
| version: 2.11.2p1. irc.localhost 000A
| uptime: 0 days, 0:04:05
| source ident: NONE or BLOCKED
| source host: 192.168.3.27
|_ error: Closing Link: wisjlfego[~nmap@192.168.3.27] ()
8070/tcp open ucs-isc?
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 08:00:27:43:06:19 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 1 hop
Service Info: Hosts: VulnOS.home, irc.localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: VULNOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT ADDRESS
1 1.11 ms 192.168.3.10

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 246.76 seconds

 

As a result, the live services are:

22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.7.0-P1
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
901/tcp open http Samba SWAT administration server
993/tcp open ssl/imaps?
995/tcp open ssl/pop3s?
2000/tcp open sieve Dovecot timsieved
2049/tcp open nfs 2-4 (RPC #100003)
3306/tcp open mysql MySQL 5.1.73-0ubuntu0.10.04.1
3632/tcp open tcpwrapped
6667/tcp open irc IRCnet ircd
8070/tcp open ucs-isc?
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
10000/tcp open http MiniServ 0.01 (Webmin httpd)

 

Honestly, so many ports are open that it is kind of off-putting.

I think quite a lot of routes are conceivable.

 

 

Next, dirb

% dirb http://192.168.3.10

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Apr 4 01:31:10 2020
URL_BASE: http://192.168.3.10/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.3.10/ ----
+ http://192.168.3.10/.htaccess (CODE:200|SIZE:501)
+ http://192.168.3.10/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://192.168.3.10/imgs/
+ http://192.168.3.10/index (CODE:200|SIZE:745)
+ http://192.168.3.10/index.html (CODE:200|SIZE:745)
+ http://192.168.3.10/index2 (CODE:200|SIZE:1066)
==> DIRECTORY: http://192.168.3.10/javascript/
==> DIRECTORY: http://192.168.3.10/mediawiki/
==> DIRECTORY: http://192.168.3.10/phpldapadmin/
==> DIRECTORY: http://192.168.3.10/phpmyadmin/
==> DIRECTORY: http://192.168.3.10/phppgadmin/
+ http://192.168.3.10/server-status (CODE:403|SIZE:293)

---- Entering directory: http://192.168.3.10/imgs/ ----
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.10/javascript/ ----
==> DIRECTORY: http://192.168.3.10/javascript/jquery/

---- Entering directory: http://192.168.3.10/mediawiki/ ----
==> DIRECTORY: http://192.168.3.10/mediawiki/config/
==> DIRECTORY: http://192.168.3.10/mediawiki/extensions/
==> DIRECTORY: http://192.168.3.10/mediawiki/images/
+ http://192.168.3.10/mediawiki/includes (CODE:403|SIZE:298)
+ http://192.168.3.10/mediawiki/index.php (CODE:301|SIZE:0)
+ http://192.168.3.10/mediawiki/languages (CODE:403|SIZE:299)
+ http://192.168.3.10/mediawiki/maintenance (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/

---- Entering directory: http://192.168.3.10/phpldapadmin/ ----
==> DIRECTORY: http://192.168.3.10/phpldapadmin/css/
==> DIRECTORY: http://192.168.3.10/phpldapadmin/images/
+ http://192.168.3.10/phpldapadmin/index.php (CODE:200|SIZE:4731)
==> DIRECTORY: http://192.168.3.10/phpldapadmin/js/

---- Entering directory: http://192.168.3.10/phpmyadmin/ ----
+ http://192.168.3.10/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.3.10/phpmyadmin/index.php (CODE:200|SIZE:8625)
==> DIRECTORY: http://192.168.3.10/phpmyadmin/js/
==> DIRECTORY: http://192.168.3.10/phpmyadmin/lang/
+ http://192.168.3.10/phpmyadmin/libraries (CODE:403|SIZE:300)
+ http://192.168.3.10/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
+ http://192.168.3.10/phpmyadmin/setup (CODE:401|SIZE:479)
==> DIRECTORY: http://192.168.3.10/phpmyadmin/themes/

---- Entering directory: http://192.168.3.10/phppgadmin/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/classes/
==> DIRECTORY: http://192.168.3.10/phppgadmin/conf/
==> DIRECTORY: http://192.168.3.10/phppgadmin/help/
==> DIRECTORY: http://192.168.3.10/phppgadmin/images/
+ http://192.168.3.10/phppgadmin/index.php (CODE:200|SIZE:1012)
+ http://192.168.3.10/phppgadmin/info.php (CODE:200|SIZE:19)
==> DIRECTORY: http://192.168.3.10/phppgadmin/lang/
==> DIRECTORY: http://192.168.3.10/phppgadmin/libraries/
+ http://192.168.3.10/phppgadmin/robots.txt (CODE:200|SIZE:221)
==> DIRECTORY: http://192.168.3.10/phppgadmin/sql/
==> DIRECTORY: http://192.168.3.10/phppgadmin/themes/

---- Entering directory: http://192.168.3.10/javascript/jquery/ ----
+ http://192.168.3.10/javascript/jquery/jquery (CODE:200|SIZE:120653)

---- Entering directory: http://192.168.3.10/mediawiki/config/ ----
+ http://192.168.3.10/mediawiki/config/index.php (CODE:200|SIZE:3009)

---- Entering directory: http://192.168.3.10/mediawiki/extensions/ ----
+ http://192.168.3.10/mediawiki/extensions/README (CODE:200|SIZE:583)

---- Entering directory: http://192.168.3.10/mediawiki/images/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/ ----
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/common/
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/disabled/
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/simple/

---- Entering directory: http://192.168.3.10/phpldapadmin/css/ ----
==> DIRECTORY: http://192.168.3.10/phpldapadmin/css/default/

---- Entering directory: http://192.168.3.10/phpldapadmin/images/ ----
==> DIRECTORY: http://192.168.3.10/phpldapadmin/images/default/
+ http://192.168.3.10/phpldapadmin/images/favicon.ico (CODE:200|SIZE:902)

---- Entering directory: http://192.168.3.10/phpldapadmin/js/ ----

---- Entering directory: http://192.168.3.10/phpmyadmin/js/ ----

---- Entering directory: http://192.168.3.10/phpmyadmin/lang/ ----

---- Entering directory: http://192.168.3.10/phpmyadmin/themes/ ----
==> DIRECTORY: http://192.168.3.10/phpmyadmin/themes/original/

---- Entering directory: http://192.168.3.10/phppgadmin/classes/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/classes/database/
==> DIRECTORY: http://192.168.3.10/phppgadmin/classes/plugins/

---- Entering directory: http://192.168.3.10/phppgadmin/conf/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/help/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/images/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/images/themes/

---- Entering directory: http://192.168.3.10/phppgadmin/lang/ ----
+ http://192.168.3.10/phppgadmin/lang/Makefile (CODE:200|SIZE:7373)

---- Entering directory: http://192.168.3.10/phppgadmin/libraries/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/libraries/adodb/

---- Entering directory: http://192.168.3.10/phppgadmin/sql/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/themes/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/themes/default/

---- Entering directory: http://192.168.3.10/mediawiki/skins/common/ ----
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/common/images/

---- Entering directory: http://192.168.3.10/mediawiki/skins/disabled/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/simple/ ----

---- Entering directory: http://192.168.3.10/phpldapadmin/css/default/ ----

---- Entering directory: http://192.168.3.10/phpldapadmin/images/default/ ----
+ http://192.168.3.10/phpldapadmin/images/default/index.php (CODE:200|SIZE:19434)

---- Entering directory: http://192.168.3.10/phpmyadmin/themes/original/ ----
==> DIRECTORY: http://192.168.3.10/phpmyadmin/themes/original/css/
==> DIRECTORY: http://192.168.3.10/phpmyadmin/themes/original/img/

---- Entering directory: http://192.168.3.10/phppgadmin/classes/database/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/classes/plugins/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/images/themes/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/images/themes/default/

---- Entering directory: http://192.168.3.10/phppgadmin/libraries/adodb/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/libraries/adodb/drivers/
==> DIRECTORY: http://192.168.3.10/phppgadmin/libraries/adodb/lang/

---- Entering directory: http://192.168.3.10/phppgadmin/themes/default/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/common/images/ ----
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/common/images/ar/
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/common/images/de/
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/common/images/fa/
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/common/images/icons/

---- Entering directory: http://192.168.3.10/phpmyadmin/themes/original/css/ ----

---- Entering directory: http://192.168.3.10/phpmyadmin/themes/original/img/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/images/themes/default/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/libraries/adodb/drivers/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/libraries/adodb/lang/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/common/images/ar/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/common/images/de/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/common/images/fa/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/common/images/icons/ ----

-----------------
END_TIME: Sat Apr 4 01:35:21 2020
DOWNLOADED: 212152 - FOUND: 25

 

 

As a result, the following URLs turned out to be live:

+ http://192.168.3.10/.htaccess (CODE:200|SIZE:501)
+ http://192.168.3.10/cgi-bin/ (CODE:403|SIZE:288)
+ http://192.168.3.10/index (CODE:200|SIZE:745)
+ http://192.168.3.10/index.html (CODE:200|SIZE:745)
+ http://192.168.3.10/index2 (CODE:200|SIZE:1066)
==> DIRECTORY: http://192.168.3.10/mediawiki/
==> DIRECTORY: http://192.168.3.10/phpldapadmin/
==> DIRECTORY: http://192.168.3.10/phpmyadmin/
==> DIRECTORY: http://192.168.3.10/phppgadmin/


---- Entering directory: http://192.168.3.10/mediawiki/ ----
==> DIRECTORY: http://192.168.3.10/mediawiki/config/
==> DIRECTORY: http://192.168.3.10/mediawiki/extensions/
==> DIRECTORY: http://192.168.3.10/mediawiki/images/
+ http://192.168.3.10/mediawiki/includes (CODE:403|SIZE:298)
+ http://192.168.3.10/mediawiki/index.php (CODE:301|SIZE:0)
+ http://192.168.3.10/mediawiki/languages (CODE:403|SIZE:299)
+ http://192.168.3.10/mediawiki/maintenance (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/

---- Entering directory: http://192.168.3.10/phpldapadmin/ ----
==> DIRECTORY: http://192.168.3.10/phpldapadmin/css/
==> DIRECTORY: http://192.168.3.10/phpldapadmin/images/
+ http://192.168.3.10/phpldapadmin/index.php (CODE:200|SIZE:4731)
==> DIRECTORY: http://192.168.3.10/phpldapadmin/js/

---- Entering directory: http://192.168.3.10/phpmyadmin/ ----
+ http://192.168.3.10/phpmyadmin/index.php (CODE:200|SIZE:8625)
+ http://192.168.3.10/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.3.10/phppgadmin/ ---- 
==> DIRECTORY: http://192.168.3.10/phppgadmin/conf/
+ http://192.168.3.10/phppgadmin/index.php (CODE:200|SIZE:1012)
+ http://192.168.3.10/phppgadmin/info.php (CODE:200|SIZE:19)
+ http://192.168.3.10/phppgadmin/robots.txt (CODE:200|SIZE:221)
==> DIRECTORY: http://192.168.3.10/phppgadmin/sql/

---- Entering directory: http://192.168.3.10/mediawiki/config/ ----
+ http://192.168.3.10/mediawiki/config/index.php (CODE:200|SIZE:3009)

==> DIRECTORY: http://192.168.3.10/phppgadmin/classes/database/
==> DIRECTORY: http://192.168.3.10/phppgadmin/classes/plugins/

---- Entering directory: http://192.168.3.10/phppgadmin/conf/ ----
+ http://192.168.3.10/phppgadmin/lang/Makefile (CODE:200|SIZE:7373)

+ http://192.168.3.10/phpldapadmin/images/default/index.php (CODE:200|SIZE:19434)

 

Next, check further with nikto

% nikto -h 192.168.3.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.3.10
+ Target Hostname: 192.168.3.10
+ Target Port: 80
+ Start Time: 2020-04-04 01:29:12 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.14 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 1062203, size: 745, mtime: Sat Mar 29 20:35:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-3268: /imgs/: Directory indexing found.
+ OSVDB-3092: /imgs/: This might be interesting...
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.23
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3093: /.htaccess: Contains configuration and/or authorization information
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie 5d89dac18813e15aa2f75788275e3588 created without the httponly flag
+ /phpldapadmin/: Admin login page/section found.
+ Cookie PPA_ID created without the httponly flag
+ /phppgadmin/: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8877 requests: 0 error(s) and 23 item(s) reported on remote host
+ End Time: 2020-04-04 01:29:44 (GMT-4) (32 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

 

Then, based on the nmap results, run it again against a different port

% nikto -h 192.168.3.10 -p 8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.3.10
+ Target Hostname: 192.168.3.10
+ Target Port: 8080
+ Start Time: 2020-04-04 01:38:59 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ Cookie JSESSIONID created without the httponly flag
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 8221 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2020-04-04 01:39:31 (GMT-4) (32 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

 

 

 

Intrusion

 

 

Privilege escalation