<!DOCTYPE html>
<!--[if IEMobile 7 ]><html class="no-js iem7"><![endif]-->
<!--[if lt IE 9]><html class="no-js lte-ie8"><![endif]-->
<!--[if (gt IE 8)|(gt IEMobile 7)|!(IEMobile)|!(IE)]><!--><html class="no-js" lang="en"><!--<![endif]-->
<head>
<meta charset="utf-8">
<title>VulnBox - Photographer — Nixfreak Journal</title>
<meta name="author" content="NiX">
<link rel="canonical" href="./hacking-photographer-vulnbox.html"/>
<meta property="og:site_name" content="Nixfreak Journal" />
<meta property="og:type" content="article" />
<meta property="og:title" content="VulnBox - Photographer" />
<meta property="og:url" content="./hacking-photographer-vulnbox.html" />
<meta property="og:description" content="How to hack the vulnbox photographer" />
<meta property="article:published_time" content="2020-08-26 12:03:00-05:00" />
<!-- http://t.co/dKP3o1e -->
<meta name="HandheldFriendly" content="True">
<meta name="MobileOptimized" content="320">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="./favicon.png" rel="icon">
<link href="./theme/css/main.css" media="screen, projection"
rel="stylesheet" type="text/css">
<link href="//fonts.googleapis.com/css?family=PT+Serif:regular,italic,bold,bolditalic"
rel="stylesheet" type="text/css">
<link href="//fonts.googleapis.com/css?family=PT+Sans:regular,italic,bold,bolditalic"
rel="stylesheet" type="text/css">
<script src="./theme/js/modernizr-2.0.js"></script>
<script src="./theme/js/ender.js"></script>
<script src="./theme/js/octopress.js" type="text/javascript"></script>
</head>
<body >
<header role="banner"
>
<hgroup>
<h1><a href="./">Nixfreak Journal</a></h1>
</hgroup></header>
<nav role="navigation"><ul class="subscription" data-subscription="rss">
</ul>
<ul class="main-navigation">
<li><a href="/pages/about.html">About</a></li>
<li><a href="/pages/Glossary-of-terms.html">Terminology</a></li>
<li class="active">
<a href="./category/hacking.html">Hacking</a>
</li>
</ul></nav>
<div id="main">
<div id="content">
<div>
<article class="hentry" role="article">
<header>
<div id="qr-code-hacking-photographer-vulnbox.html" class="qr-code-image-block"></div>
<script src="./theme/js/qr.min.js" type="text/javascript"></script>
<script>
var img = qr.image({
value: './hacking-photographer-vulnbox.html',
level: 'L',
size: 4
});
document.getElementById('qr-code-hacking-photographer-vulnbox.html').appendChild(img);
</script>
<h1 class="entry-title">VulnBox - Photographer</h1>
<p class="meta">
<time datetime="2020-08-26T12:03:00-05:00" pubdate>Wed 26 August 2020</time>
</p>
</header>
<div class="entry-content"><h2>VulnBox Photographer</h2>
<p>My journey toward what I want to accomplish continues. My ultimate goal is to be the best.</p>
<p>Right now I have subscribed to <a href="https://pentesteracademy.com">PentesterAcademy</a>, <a href="https://www.hoppersroppers.org">Hoppersroppers</a>, <a href="https://www.vulnhub.com">Vulnerable By Design</a> and <a href="https://lab.pentestit.ru">Pentestit</a>.<br>
I am going to go through the VulnHub box first. The reason I picked this box is that I eventually want to take the OSCP and OSCE exams to get my certificate. So, first things first, download a VulnHub box. I have picked <a href="https://www.vulnhub.com/entry/photographer-1,519/">Photographer</a>, because if you search for "OSCP" you will find multiple boxes that pertain (or at least that people think pertain) to the OSCP exam.</p>
<h4>Instructions for downloading the "Photographer box"</h4>
<ol>
<li>Download the vulnbox here: <a href="https://www.vulnhub.com/entry/photographer-1,519/">VulnBox</a>. NOTE: from here on out I will refer to any VulnHub box as a "vulnbox".</li>
<li>The vulnbox is an .ova file, so you can open it with KVM, VirtualBox or VMware. I will be using VirtualBox for my virtual machine (and for all of this tutorial).</li>
<li>I won't tell you how to download and set up a lab environment; there are plenty of tutorials and step-by-step guides for that. HINT: search the net.</li>
<li>Open up VirtualBox and go to File --> Import Appliance, then import the "Photographer" vulnbox into VirtualBox.</li>
</ol>
<p><img alt="Appliance to Import" src="./images/photographer/pic1_import_vulnbox_appliance.png"> Click Open and then click Continue.</p>
<p>On the next screen change the settings to fit your machine; for instance, I picked 1024 MB of RAM, that's 1 GB. Then click "Import". If all goes well, your appliance should import into VirtualBox. WARNING: this might take a minute or two depending on your machine. (I will create a full tutorial later on how to create your own "secure" lab.)
<img alt="Start Appliance" src="./images/photographer/pic2_start_vulnbox_appliance.png"> </p>
<ol>
<li>
<p>Now that "Photographer" is running in a virtual machine we need a box (operating system) to use in order to "hack it". I know I said at the beginning of the first blog post that I use <a href="https://blackarch.org">BlackArch Linux</a>, and that's true, it's my favorite pentesting OS. However, since the <a href="https://offensivesecurity.com">OSCP</a> uses <a href="https://kalilinux.org">Kali Linux</a>, for now we use <em>Kali Linux</em>; maybe in future journal entries I will use BlackArch instead. Also, WARNING: I did install Kali Linux so that I am able to do updates and use it as an attacker machine without having to boot it off a USB/ISO image every time. </p>
</li>
<li>
<p>Scan the Photographer box with a port scanner. There are many different ways to port scan, but almost everyone uses a tool called <strong>nmap</strong> (network mapper). Nmap is a network mapper and much more, since it now includes the NSE (Nmap Scripting Engine). </p>
</li>
</ol>
<p>So how do we use nmap for scanning a network, or even for finding the correct box?
<code>nmap -sV -T4 -O -p- 192.168.12.1-255</code> I know the subnet address because that is what I set up for the VirtualBox network I created.
This command probes service versions (<code>-sV</code>) using a fast timing template (<code>-T4</code>; no need to use <code>-sS</code> stealth mode here), scans every port, meaning all 65,535 of them (<code>-p-</code>), and tries to tell us the operating system being used (<code>-O</code>).
It should look like this. </p>
<p><img alt="Find Photographer" src="./images/photographer/run_nmap_scan_photographer.png"></p>
<p>We see from the output we have four ports that are open.</p>
<p><strong>80/tcp open http Apache httpd 2.4.18 (Ubuntu)</strong></p>
<p><strong>139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup)</strong></p>
<p><strong>445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup)</strong></p>
<p><strong>8000/tcp open Apache httpd 2.4.18 (Ubuntu)</strong></p>
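<p>An added example, not from the post: once a scan like the one above has run, the useful defender-side step is to turn the raw output into an inventory and decide what to review first. The Python below parses nmap's grepable output (<code>-oG</code>), keeps only open ports per host, and applies a small review policy (SMB reachable from the scanning network, HTTP on a non-standard port). The scan output and the policy are constructed for the example and shaped like the four services found above.</p>

```python
"""Turn nmap grepable output (-oG) into a per-host inventory of open ports and
flag services for follow-up. Added example; the scan output is constructed."""
from collections import defaultdict

# Constructed sample of `nmap -sV -p- -oG -` output shaped like the post's results.
# Each Ports entry is port/state/proto/owner/service/rpc/version/ (nmap writes
# '|' instead of '/' inside version strings, so splitting on '/' is safe).
SAMPLE_GREPABLE = """\
# Nmap scan initiated as: nmap -sV -T4 -O -p- -oG - 192.168.12.1-255
Host: 192.168.12.1 ()\tStatus: Up
Host: 192.168.12.1 ()\tPorts: 53/open/tcp//domain//dnsmasq 2.80/\tIgnored State: closed (65534)
Host: 192.168.12.5 ()\tStatus: Up
Host: 192.168.12.5 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 445/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 8000/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 22/filtered/tcp//ssh///\tIgnored State: closed (65530)
# Nmap done -- 255 IP addresses (2 hosts up) scanned
"""


def parse_grepable(text):
    """Return {host: [(port, proto, service, version), ...]} with open ports only.

    Grepable host lines are tab-separated "Key: value" fields; only the Ports
    field is of interest here, and filtered/closed entries are dropped."""
    inventory = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue
            for entry in value.split(", "):
                port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                if state == "open":
                    inventory[host].append((int(port), proto, service, version))
    return dict(inventory)


# Assumed review policy (not from the post): what a defender checks first.
SMB_PORTS = {139, 445}
STANDARD_WEB_PORTS = {80, 443}


def flag_exposures(inventory):
    """Return (host, port, reason) tuples for services that deserve follow-up."""
    findings = []
    for host, services in sorted(inventory.items()):
        for port, _proto, service, _version in services:
            if port in SMB_PORTS:
                findings.append((host, port, "SMB reachable from the scanning network"))
            elif service == "http" and port not in STANDARD_WEB_PORTS:
                findings.append((host, port, "HTTP service on a non-standard port"))
    return findings


if __name__ == "__main__":
    inv = parse_grepable(SAMPLE_GREPABLE)
    for host, services in sorted(inv.items()):
        for port, proto, service, version in services:
            print(f"{host} {port}/{proto} {service} {version}")
    for host, port, reason in flag_exposures(inv):
        print(f"REVIEW {host}:{port} - {reason}")
```

<p>Run against a real scan with <code>nmap -sV -p- -oG scan.gnmap ...</code> and feed the file's text to <code>parse_grepable</code>; the policy table is the part to adapt to your own network.</p>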
<p>Let's look more at tcp/80 and tcp/8000; we see both ports are open and both are running Apache httpd version 2.4.18.
If you read the manual page for nmap (<code>man nmap</code>) you will see that nmap has an option to run scripts.
Let's look at a script called http-enum (HTTP enumeration). </p>
<p>This script enumerates, or tries to find out more information about, a web server by requesting a list of well-known paths and reporting the ones that respond.
Let's run the command <code>nmap --script=http-enum 192.168.12.5 -p80,8000</code> and look at the output from nmap.
<img alt="nmap http-enum" src="./images/photographer/nmap-http-enum.png">
So this gives us the enumeration of the web server, and the script does even more than that. If you look at the scan for tcp/8000 you will see directories like /admin/. So what does this mean? A web server serves whatever is placed under its document root, so a site can expose pages such as an admin login page or a debug page, and this script finds them. </p>
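<p>From the defender's side, a probe like http-enum leaves a recognisable trace in the web server's access log: one client requesting many well-known paths within a few seconds, most of them answered with 404, and (by default) an Nmap Scripting Engine User-Agent. The following Python, added here and not part of the post, parses Apache combined-format log lines and raises an alert per client on that pattern. The log lines and the thresholds are constructed for the example.</p>

```python
"""Detect http-enum style path probing in Apache combined-format access logs.
Added example; the log lines and thresholds are constructed, not from the post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Default User-Agent sent by nmap's NSE http library; a scanner can change it,
# so treat it as corroboration rather than the only signal.
NSE_UA_MARKER = "Nmap Scripting Engine"
NSE_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64)"

# Constructed sample: a normal visitor (192.168.12.9) and a probing client
# (192.168.12.7) hitting common paths in three seconds. Not real log data.
SAMPLE_LOG = "\n".join([
    f'192.168.12.9 - - [26/Aug/2020:12:09:58 -0500] "GET / HTTP/1.1" 200 4096 "-" "{BROWSER_UA}"',
    f'192.168.12.9 - - [26/Aug/2020:12:09:59 -0500] "GET /images/ HTTP/1.1" 200 2210 "-" "{BROWSER_UA}"',
    f'192.168.12.9 - - [26/Aug/2020:12:10:00 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "{BROWSER_UA}"',
    f'192.168.12.7 - - [26/Aug/2020:12:10:02 -0500] "GET /admin/ HTTP/1.1" 200 1231 "-" "{NSE_UA}"',
    f'192.168.12.7 - - [26/Aug/2020:12:10:02 -0500] "GET /robots.txt HTTP/1.1" 404 209 "-" "{NSE_UA}"',
    f'192.168.12.7 - - [26/Aug/2020:12:10:03 -0500] "GET /.git/HEAD HTTP/1.1" 404 209 "-" "{NSE_UA}"',
    f'192.168.12.7 - - [26/Aug/2020:12:10:03 -0500] "GET /backup/ HTTP/1.1" 404 209 "-" "{NSE_UA}"',
    f'192.168.12.7 - - [26/Aug/2020:12:10:03 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "{NSE_UA}"',
    f'192.168.12.7 - - [26/Aug/2020:12:10:04 -0500] "GET /wp-login.php HTTP/1.1" 404 209 "-" "{NSE_UA}"',
    f'192.168.12.7 - - [26/Aug/2020:12:10:04 -0500] "GET /test/ HTTP/1.1" 404 209 "-" "{NSE_UA}"',
    f'192.168.12.7 - - [26/Aug/2020:12:10:05 -0500] "GET /images/ HTTP/1.1" 200 2210 "-" "{NSE_UA}"',
])


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
        })
    return events


def find_enumeration(events, window=timedelta(seconds=60), min_distinct_404=5):
    """Per client IP, find the largest set of distinct paths answered 404 inside
    any `window`-long span of its requests. Flag the client if that set reaches
    `min_distinct_404`, or if the NSE User-Agent was seen at all."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        nse_seen = any(NSE_UA_MARKER in e["ua"] for e in evs)
        best = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            missing = {e["path"] for e in evs[start:end + 1] if e["status"] == 404}
            if len(missing) > len(best):
                best = missing
        if len(best) >= min_distinct_404 or nse_seen:
            alerts[ip] = {"distinct_404s": len(best), "nse_user_agent": nse_seen,
                          "paths": sorted(best)}
    return alerts


if __name__ == "__main__":
    for ip, info in find_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {info['distinct_404s']} distinct 404 paths, "
              f"NSE UA seen={info['nse_user_agent']}")
```

<p>The 404 count is the robust signal: it does not depend on the scanner announcing itself, and the threshold and window can be tuned against a week of your own logs so ordinary visitors (one missing favicon) stay below it.</p>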
<p>Let's take a look at tcp/8000.
I will open up a web browser for this (any of them will do). </p>
<p>Open up a web browser and type in <code>192.168.12.5:8000/admin</code>
<img alt="enumerate admin page" src="./images/photographer/enumerate_port_8000.png">
Ok... so we see a web page called Koken? So what is that?
Let's search for that name (a little search-fu). I found this: <a href="http://koken.me/">Koken image management</a>, so it's an image management platform, a content management system (CMS).</p>
<p>So what can we do with this page? Well, it's an HTML login form, so you can HTTP POST to the page using the email and password fields.
Let's leave this for now and look at another address we have enumerated:
<code>192.168.12.5:80/images</code>
Wow, ok, so we have full access to view all the images for this CMS ... interesting.
I wonder... can we upload our own image? Let's try looking for a page that has an upload form.
Let's try <code>192.168.12.5:80/content/</code></p>
<h3>info: At this point I need to skip this web app for now; it's killing my VM for some reason.</h3>
<p>Let's look at tcp/445, which is SMB (Server Message Block). SMB is a file sharing protocol that allows applications on a computer to read and write files on a remote host. Refer to the {Glossary} for more information.</p>
<p><img alt="Enumerate banner smb" src="./images/photographer/pic3_smb_enumeratio_banner.png"></p>
<p>As you can see we have quite a bit of information on this one service. We even see that the guest/guest authentication can be used for access, and that SMB 2.0 is the protocol version in use.
Let's see if we can use guest/guest to log in: <code>smbclient -L \\192.168.12.5 -U=guest</code></p>
<p><img alt="Login using guest smb" src="./images/photographer/pic4_login_smb_guest.png"></p>
<p>I wonder if there is an exploit for this version of SMB? Let's check using the nmap scripts in the smb-vuln category.</p>
<p><code>nmap --script=smb-vuln* 192.168.12.5 -p 445</code></p>
<p><img alt="SMB vuln scan nmap" src="./images/photographer/pic5_smb_vuln_nmap_script.png"></p>
<p>So the only exploit we can find is a DoS (denial of service), which we don't want to exploit because it would crash the system.</p>
<p>Let's try something different: we will use smbclient to connect and show us which shares are available.</p>
<p><code>smbclient \\\\192.168.12.5\\sambashare -U=guest</code>
Enter the password for user guest, which is the same (guest).</p>
<p><code>smb: \></code> We see a prompt now, awesome. Time to look at what's in this Samba share.
<code>smb: \> ls</code></p>
<p><img alt="smb password sambashare" src="./images/photographer/pic6_smb_pass_sambashare.png"></p>
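<p>The reason a share like this opens with guest/guest is a Samba configuration choice. As an added example (the post does not show the box's real configuration, so both files here are constructed), the Python below audits an smb.conf for the settings that make guest access possible and compares a weak configuration with a hardened one: <code>guest ok</code> on the share, <code>map to guest</code> turning failed logins into guest sessions, SMB1 dialects still accepted, and anonymous share listing allowed.</p>

```python
"""Audit a Samba smb.conf for guest-reachable shares and related weak settings.
Added example; both configurations below are constructed, not the box's own."""
import configparser

# Constructed weak configuration modelled on what the post observes: a share
# that can be listed and opened with the guest account.
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server role = standalone server
map to guest = Bad User
server min protocol = NT1

[sambashare]
path = /srv/samba/share
browseable = yes
read only = yes
guest ok = yes
"""

# Same share, hardened: no guest mapping, SMB1 off, anonymous listing refused,
# and access limited to a named group.
HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server role = standalone server
map to guest = Never
server min protocol = SMB2
restrict anonymous = 2

[sambashare]
path = /srv/samba/share
browseable = no
read only = yes
guest ok = no
valid users = @sambausers
"""

TRUE_VALUES = {"yes", "true", "1"}
SMB1_DIALECTS = {"NT1", "LANMAN1", "LANMAN2", "COREPLUS", "CORE"}
SPECIAL_SECTIONS = {"global", "printers", "print$"}


def load_smb_conf(text):
    """smb.conf is INI-like; keys are case-insensitive and may contain spaces."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def audit_smb_conf(text):
    """Return a list of (section, issue) findings; an empty list means nothing flagged.
    Defaults assumed where a key is absent follow Samba's documented defaults."""
    cp = load_smb_conf(text)
    findings = []
    global_section = cp["global"] if cp.has_section("global") else {}

    map_to_guest = global_section.get("map to guest", "Never").strip().lower()
    if map_to_guest != "never":
        findings.append(("global", f"map to guest = {map_to_guest}: failed or unknown logins become guest sessions"))
    min_proto = global_section.get("server min protocol", "").strip().upper()
    if min_proto in SMB1_DIALECTS:
        findings.append(("global", f"server min protocol = {min_proto}: SMB1 dialects still accepted"))
    if global_section.get("restrict anonymous", "0").strip() == "0":
        findings.append(("global", "restrict anonymous = 0: anonymous IPC$ connections (share listing) allowed"))

    for name in cp.sections():
        if name in SPECIAL_SECTIONS:
            continue
        share = cp[name]
        # 'public' is the documented synonym for 'guest ok'.
        if is_true(share.get("guest ok", share.get("public", "no"))):
            findings.append((name, "guest ok = yes: share readable without credentials"))
        if "valid users" not in share:
            findings.append((name, "no valid users restriction: any authenticated user can reach the share"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"--- {label} ---")
        for section, issue in audit_smb_conf(conf) or [("-", "no findings")]:
            print(f"[{section}] {issue}")
```

<p>Point <code>audit_smb_conf</code> at the text of <code>/etc/samba/smb.conf</code> on your own servers; the defaults it assumes for absent keys are Samba's documented ones, and <code>testparm -s</code> will show the effective values if you want to confirm them.</p>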
<p>So the two files we see are mailsent.txt and wordpress.bkp.zip.
Let's get the file mailsent.txt:
<code>smb: \> mget mailsent.txt ./</code></p>
<p>Now open a new shell and let's look at this file. </p>
<p>HINT: the file mailsent.txt will be in the directory we were in when we connected to the sambashare using smbclient.
<code>cat mailsent.txt</code></p>
<p><img alt="open mailsent.txt" src="./images/photographer/pic7_open_mailsent.txt.png"></p>
<p>Wow, look at this: it's an email from photographer.com to a user named Daisa, and look, we have a login email address and password. Hmm, could these be credentials for the photography site at
192.168.12.5:8000/admin? </p>
<p>Let's try it: open up a browser to 192.168.12.5:8000/admin.
Put in the email address <code>[email protected]</code> and password <code>xxxxxxx</code>. WARNING: You will have to do the work yourself.</p>
<p>So it works!!! We now have admin access to a user's account. </p>
<p>The bottom right hand side of the webapp has "Import Content"; click on it. </p>
<p>We now have the ability to upload content ... sweet!!! </p>
<p>So let's upload a webshell to the content site </p></div>
<footer>
<p class="meta">
<span class="byline author vcard">
Posted by <span class="fn">
NiX
</span>
</span>
<time datetime="2020-08-26T12:03:00-05:00" pubdate>Wed 26 August 2020</time> <span class="categories">
<a class='category' href='./category/hacking.html'>Hacking</a>
</span>
</p><div class="sharing">
</div> </footer>
</article>
</div>
<aside class="sidebar">
<section>
<h1>Recent Posts</h1>
<ul id="recent_posts">
<li class="post">
<a href="./hacking-photographer-vulnbox.html">VulnBox - Photographer</a>
</li>
<li class="post">
<a href="./Hacking VulnBoxes.html">Hacking VulnBoxes</a>
</li>
</ul>
</section><section>
<h1>Categories</h1>
<ul id="recent_posts">
<li><a href="./category/hacking.html">Hacking (2)</a></li>
</ul>
</section>
<section>
<h1>Blogroll</h1>
<ul>
<li><a href="https://getpelican.com/" target="_blank">Pelican</a></li>
<li><a href="https://ipfs.io/" target="_blank">ipfs.io</a></li>
<li><a href="https://fleek.co/" target="_blank">fleek.co</a></li>
<li><a href="https://pentesteracademy.com/" target="_blank">Pentest Academy</a></li>
<li><a href="https://www.hoppersroppers.org/" target="_blank">HoppersRoppers</a></li>
<li><a href="https://www.vulnhub.com/" target="_blank">VulnHub</a></li>
<li><a href="https://lab.pentestit.ru/" target="_blank">Pentestit Lab</a></li>
</ul>
</section>
<section>
<p>Follow <a href="http://twitter.com/nixfreakz">@nixfreakz</a></p>
</section>
</aside>
</div>
</div>
<footer role="contentinfo">
<p>
Copyright © 2020 NiX —
<span class="credit">Powered by <a href="http://getpelican.com">Pelican</a></span>
</p> </footer>
</body>
</html>