medium.com

GreenOptic Vulnhub Writeup

Babak


The challenge is rated as very hard, and indeed it was. It requires a lot of enumeration, and it is very easy to fall into rabbit holes.

About the challenge:

British Internet Service Provider GreenOptic has been subject to a large scale Cyber Attack. Over 5 million of their customer records have been stolen, along with credit card information and bank details.

GreenOptic have created an incident response team to analyse the attack and close any security holes. Can you break into their server before they fix their security holes?

Let's see if we can :)

As always, I ran netdiscover to find the target's IP address and started enumerating the machine.

This time I wanted to use a tool other than Nmap for the enumeration phase: Sparta.


As you can see, Sparta performs most of the common initial enumeration steps for you.

To find more of the tools available in Sparta, right-click on the specific service you want to enumerate further and check the options:


Since FTP anonymous login is not enabled, port 80 is the best candidate to start enumerating:


An initial look at this port didn't give away much.

The next port to enumerate is port 10000, usually used by the Webmin application.

Browsing to port 10000 returns an error message. Since the browser is redirected to a hostname, adding that name to the local hosts file (/etc/hosts) is necessary to be able to visit the website:


Webmin login page!

Enumerating this page didn't lead to any further findings. I tried CVE-2019-15107, but it didn't work; I found out later why.

After a more thorough enumeration of port 80, a login page was found:


Submitting passwords in a GET request is risky, and my first idea was to brute-force that login request. Before doing that, however, the second request, where the redirect occurs, caught my attention:


The first thing to do was to enumerate these two parameters:

cookiewarning and include

Starting with cookiewarning, no other valid values were found.

Fuzzing the include parameter:


The include parameter is also the only valid parameter to be found!

wfuzz --hl 102 -L -c -w /usr/share/wordlists/dirb/big.txt -u 'http://$IP/account/index.php?FUZZ=test' (-L follows redirects; --hl 102 hides responses with 102 lines, i.e. the default page)

Several wordlists were tested, but "include" was the only valid parameter.

The first thing that came to mind was a PHP file inclusion vulnerability.


There are several ways to confirm the LFI vulnerability, and one of them is shown below:


Copy the base64-encoded string and run echo "$EncodedData" | base64 -d to get the contents of /etc/passwd.
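As an added example (not code from the original post), here is a small detector that scans Apache access-log lines for the kind of include-parameter abuse described above: directory traversal, PHP stream wrappers such as php://filter, and references to sensitive files. The log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed Apache combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /account/index.php?include=login HTTP/1.1" 200 2326
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /account/index.php?include=../../../../etc/passwd HTTP/1.1" 200 1842
10.0.0.9 - - [10/Oct/2023:13:55:44 +0000] "GET /account/index.php?include=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2504
10.0.0.9 - - [10/Oct/2023:13:55:50 +0000] "GET /account/index.php?cookiewarning=1 HTTP/1.1" 302 0
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of file-inclusion abuse inside any query-string value.
INDICATORS = {
    "traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),                 # ../ or ..\ path components
    "php_wrapper": re.compile(r"^(php|data|expect|phar|zip)://", re.I),  # PHP stream wrappers
    "sensitive_path": re.compile(r"/etc/(passwd|shadow)|\.htpasswd", re.I),
}

def scan_line(line):
    """Return (ip, target, [indicator names]) for one log line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    hits = []
    for values in parse_qs(url.query, keep_blank_values=True).values():
        for raw in values:
            value = unquote(unquote(raw))  # parse_qs decoded once; collapse double encoding too
            for tag, pattern in INDICATORS.items():
                if pattern.search(value) and tag not in hits:
                    hits.append(tag)
    return m.group("ip"), m.group("target"), hits

def scan_log(text):
    """Return only the suspicious requests as a list of (ip, target, indicators)."""
    results = []
    for line in text.splitlines():
        parsed = scan_line(line)
        if parsed and parsed[2]:
            results.append(parsed)
    return results

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(hits)}")
```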


Checking which OS version is running:


I tried to see whether it was possible to access Webmin's configuration files:


No useful files were found.

Since I already had that hostname from port 10000, I thought it might be the only one, but because port 53 is open, I went back and enumerated further by querying DNS:


Three other subdomains were found!

I browsed to all the subdomains, and this one is the most interesting:


This page requires authentication and I haven’t found any credentials. Not yet…

htpasswd is used to create and update the flat files that store usernames and passwords for HTTP basic authentication. More information can be found here.

Using the LFI vulnerability to find the right directory took some time, because the file is not located where it usually is, but after some enumeration I was able to recover the .htpasswd file:


Using hash-identifier to find the password format:

Apache supports several password formats; more information can be found here.
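An added example, not from the original post: a small auditor that parses a .htpasswd file, identifies which Apache password format each entry uses from its prefix and shape, and flags the legacy schemes (unsalted SHA-1 and DES crypt) that should be migrated to bcrypt. The usernames and hashes are constructed sample data.

```python
import re

# Constructed .htpasswd sample (not from the original post); each entry is user:hash.
SAMPLE_HTPASSWD = """\
# comment lines and blank lines are ignored
alice:$apr1$W1UrK3Hq$7tYgZ9GdBmM4vV0xP1WfO.
bob:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
carol:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
dave:Jg9Ib1cCQFdZk

malformed line without a colon
"""

# Prefix/shape patterns for the formats the htpasswd(1) tool produces.
SCHEMES = [
    ("apr1-md5", re.compile(r"^\$apr1\$[./0-9A-Za-z]{8}\$[./0-9A-Za-z]{22}$")),  # htpasswd -m
    ("bcrypt",   re.compile(r"^\$2[aby]\$\d\d\$[./0-9A-Za-z]{53}$")),             # htpasswd -B
    ("sha1",     re.compile(r"^\{SHA\}[0-9A-Za-z+/]{27}=$")),                     # htpasswd -s, unsalted
    ("crypt",    re.compile(r"^[./0-9A-Za-z]{13}$")),                             # htpasswd -d, DES, 8-char limit
]

# Schemes a defender should migrate away from: no salt, or a tiny hash space.
WEAK = {"sha1", "crypt"}

def identify_scheme(hashval):
    """Classify one .htpasswd hash; returns 'unknown' if it matches no known format."""
    for name, pattern in SCHEMES:
        if pattern.match(hashval):
            return name
    return "unknown"

def audit_htpasswd(text):
    """Parse .htpasswd text into a list of (user, scheme, is_weak); skips comments and malformed lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashval = line.split(":", 1)
        scheme = identify_scheme(hashval)
        findings.append((user, scheme, scheme in WEAK))
    return findings

if __name__ == "__main__":
    for user, scheme, weak in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user:8} {scheme:9} {'WEAK' if weak else 'ok'}")
```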

John was able to crack the password, and it's time to log in. Despite a successful login, there is another login form:


During enumeration I was able to read emails via the LFI and found a username and password, which turned out to be valid for logging in:


As you can see, Webmin is disabled, which is why I couldn't attack that application.

Running searchsploit lists several vulnerabilities for phpBB, but before trying any of them I looked for more information inside the application, and there I found a .zip file:

A password-protected .zip file!

Since the file is password protected, I tried cracking it with fcrackzip, but that took too long without getting anywhere, so I went back to the application and enumerated more.

The users of the application have email conversations, and there seems to be some important information in them:


Someone has sent the password for the .zip file in this email!

Now that I have the password, I can unzip the file and see what that .pcap file contains.

Inside the pcap file I found someone's FTP session captured with Wireshark:


The FTP service is unencrypted, and the passphrase is sent in cleartext!

I could log in to FTP and transfer the only file on that service to my machine:

User.txt!

I used the same credentials to access the SSH service:

Root part:

During enumeration I found a lot of data, but most of it was rabbit holes, like this db file:

It's always a good idea to look at which groups the current user belongs to:

To be able to fire up Wireshark from the SSH terminal, I need to reconnect with X11 forwarding:

ssh -X USER@$IP

After firing up Wireshark, I started capturing traffic on each interface. Some interfaces are dead, but one specific interface generates a lot of data.

After listening for a while, a gray-colored packet stands out among all the traffic.

It looks like someone (root) is trying to connect to a certain service:


Since root is trying to access an unencrypted service, I was able to capture the credentials:


Root.txt!

Thanks!