Seppuku

Always, always run nmap -p- -Pn (legion was faster?)

Use creds (ssh key/password list, passwords) everywhere!!!!!

Nmap Result:

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
|   256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
|_  256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
80/tcp   open  http        nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: 401 Authorization Required
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
8088/tcp open  http        LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Seppuku
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: seppuku
|   NetBIOS computer name: SEPPUKU\x00
|   Domain name: \x00
|   FQDN: seppuku
|_  System time: 2022-03-02T12:30:31-05:00
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: SEPPUKU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-03-02T17:30:31
|_  start_date: N/A


22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
7080/tcp open  empowerid
7601/tcp open  unknown
8088/tcp open  radan-http

all port scans
7080/tcp open  ssl/http LiteSpeed httpd
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-05-13T06:51:35
|_Not valid after:  2022-08-11T06:51:35
|_http-title:  404 Not Found
|_http-server-header: LiteSpeed
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
7601/tcp open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Seppuku
|_http-server-header: Apache/2.4.38 (Debian)

Port 21

cannot login anonymously

Port 22

Port 80

[12:33:58] 200 -   79KB - /info.php

Port 139

Port 445

S-1-5-32-543 unknown*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
nob

address         NetBIOS Name  Server  User     MAC address

192.168.198.90  SEPPUKU               SEPPUKU  00:00:00:00:00:00

Port 8088 HTTP LiteSpeed httpd

dir:

[12:35:39] 200 -    5KB - /docs/
[12:35:42] 200 -  171B  - /index.html
[12:35:43] 200 -  159KB - /index.php
[12:35:43] 200 -  159KB - /index.php/login/

Version:

OpenLiteSpeed Web Server 1.6

Searchsploit:

Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
OpenLitespeed 1.3.9 - Use-After-Free (Denial  | linux/dos/37051.c
Openlitespeed 1.7.9 - 'Notes' Stored Cross-Si | multiple/webapps/49727.txt
Openlitespeed Web Server 1.7.8 - Command Inje | multiple/webapps/49483.txt
Openlitespeed WebServer 1.7.8 - Command Injec | multiple/webapps/49556.py
---------------------------------------------- ---------------------------------

Found a web console.

We have the source code for this.

The index.php/login page asks for a login.

========================================
|  OS information on 192.168.198.90    |
========================================

Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.198.90 from smbclient:
[+] Got OS info for 192.168.198.90 from srvinfo:
    SEPPUKU        Wk Sv PrQ Unx NT SNT Samba 4.9.5-Debian
    platform_id     :       500
    os version      :       6.1
    server type     :       0x809a03

----

More http

port 7601:

[17:30:30] 200 -    7KB - /ckeditor/
[17:30:30] 200 -    7KB - /ckeditor/samples/
[17:30:32] 200 -  749B  - /database/
[17:30:36] 200 -  171B  - /index.html
[17:30:46] 200 -    2KB - /secret/

secret/

seppuku

pass list

123456
12345
password
password1
123456789
12345678
1234567890
abc123
computer
tigger
1234
qwerty
money
carmen
mickey
secret
summer
internet
a1b2c3
123
service
canada
hello
ranger
shadow
baseball
donald
harley
hockey
letmein
maggie
mike
mustang
snoopy
buster
dragon
jordan
michael
michelle
mindy
patrick
123abc
andrew
bear
calvin
changeme
diamond
withme
withyou
matthew
miller
tiger
trustno1
alex
apple
avalon
brandy
chelsea
coffee
falcon
freedom
gandalf
green
helpme
linda
magic
merlin
newyork
soccer
thomas
wizard
asdfgh
bandit
batman
boris
butthead
dorothy
eeyoree
fishing
Football
george
happy
iloveyou
jennifer
jonathan
love
marina
master
missy
monday
monkey
natasha

passwd.bak

sync:x:4:65534:sync:/bin:/bin/sync
lightdm:x:110:115:Light Display Manager:/var/lib/lightdm:/bin/false
speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:113:119::/nonexistent:/bin/false
hplip:x:119:7:HPLIP system user,,,:/var/run/hplip:/bin/false
debian-tor:x:120:126::/var/lib/tor:/bin/false
thpot:x:122:65534:Honeypot user,,,:/usr/share/thpot:/dev/null
rabbit-hole:x:1001:1001:,,,:/home/rabbit-hole:/bin/bash

All of these are probably useless except for the password list.

Intercepted the traffic with Burp and found the password.

In our home directory, we find a “.passwd” file containing a hopefully valid password to an unknown account. If we list the users on this box by examining the “/etc/passwd” file, we can pare down our targets to “root,” “samurai” and “tanto.” From there, we can try logging in as these users with this new password.

We get a hit with the “samurai” user, though we aren’t lucky enough to get another easy password handed to us. The output from sudo -l looks promising, but we find the “/home/tanto/.cgi_bin/bin” file does not seem to exist. When we reach a dead-end, we take a step back and take inventory of what we have. We remember we have a private key from our enumeration phase, so let’s put it to work.

After configuring permissions on the private key file, we can log in as the “tanto” user without knowing their password. We’ll spend a minute looking around for obvious vulnerabilities, but our real intention is to create the file that the “seppuku” user can then run with superuser privileges.

We are in the restricted shell rbash; many normal shell functions, such as output redirection, are unavailable. We can escape this limitation by spawning bash from Python, which lets us finish creating the script that, when run with sudo, drops into a root bash shell.
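As an added defensive check (not part of this writeup or the box), here is a small Python audit for the sudo misconfiguration this chain relies on: a rule that lets one user run, as root, a command path that does not exist yet or sits in another user's home directory. The sudoers text below is constructed for illustration; it reuses the /home/tanto/.cgi_bin/bin path from the notes, while the ops user and the /bin/ls rule are hypothetical safe entries. The exists/lstat probes are parameters only so the check can be exercised on fake filesystem state.

```python
import os
import re
import stat

# Constructed sudoers sample (not from the box): one rule points at a path
# under another user's home directory, the other at a normal root-owned binary.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
samurai ALL=(ALL) NOPASSWD: /home/tanto/.cgi_bin/bin
ops     ALL=(root) /bin/ls
"""

# Matches: user  host=(runas) [NOPASSWD:] command[, command...]
RULE_RE = re.compile(r"^(\S+)\s+\S+=\([^)]*\)\s*(?:NOPASSWD:\s*)?(.+)$")

def parse_rules(text):
    """Yield (user, command_path) for each user specification line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, cmds = m.groups()
        for cmd in cmds.split(","):
            yield user, cmd.strip().split()[0]  # drop any argument pattern

def audit_path(path, exists=os.path.exists, lstat=os.lstat):
    """Return findings for one sudo command path (empty list = looks sane)."""
    findings = []
    if path == "ALL":
        return findings
    if path.startswith("/home/"):
        findings.append("lives under a user home directory")
    if not exists(path):
        findings.append("does not exist: whoever controls the directory can create it")
        return findings
    st = lstat(path)
    if st.st_uid != 0:
        findings.append("not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable")
    return findings

def audit_sudoers(text, **probes):
    """Map 'user:path' -> findings; probes override exists/lstat for testing."""
    return {f"{u}:{p}": audit_path(p, **probes) for u, p in parse_rules(text)}
```

Run audit_sudoers over the real /etc/sudoers and /etc/sudoers.d/* as root; any rule whose findings are non-empty is worth reviewing.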
