Pentestit Lab v11 - Site Token 2


We continue with the Lab by using the credentials we found to gather more information, gain access to the internal network, and exploit it further.

Next we browse to the same IP on TCP/8080, which leads us to a site hosting the default Roundcube Mail login page. Since we have some information about the admin darthvader, and an email address (admin@test.lab) from VTiger CRM, we try to brute force a login using those credentials and a Star Wars password list, as he seems to be a Star Wars fan.



Using the credentials at hand, we find that the username is the email address admin@test.lab and the password is the username darthvader. We successfully log in and find one unread email from postmaster. The email contains an RSA key for the "Office 2" location and a username "tech", which should give us access to the 192.168.101.11 gateway on port 2222 per the nmap scan we initially ran.



We change the permissions of the private key and use it to log in to the 192.168.101.11 gateway on port 2222.



Using the dpkg-query -l command to see what tools are installed, one caught my eye, as I can use it to VPN into the 192.168.101.10 network: "openvpn 2.3.4-5+deb8 amd64 virtual private network daemon" ... /etc/openvpn/server.conf. Looking into the server configuration file "/etc/openvpn/server.conf", I find an OpenVPN certificate. The details in the server configuration file confirm that it is for connecting Office 2 with Office 1 on 192.168.101.10 using OpenVPN on port 1194.



We then get an OpenVPN brute force script from GitHub, "https://github.com/galkan/tools/blob/master/openvpn-brute/openvpn_brute_force.sh", edit it by removing the kill-OpenVPN-pid command, edit our server configuration file as well, and run both with a Star Wars password list I found online.



After a while we successfully log in with the retrieved password "starwars". The terminal running the OpenVPN brute force should be left open so as not to close or lose the connection. We then reach the Main Office and get internal access via VPN to the 172.16.0.0/24 network. We start with an nmap scan to see what ports and services are running.





Looking at the nmap scan results, one host stands out: 172.16.0.10 has many services running and looks like the AD server. We will skip it for now since we don't have any credentials.

Next we move on to 172.16.0.11, as it has an open HTTP port. Browsing to the site on this IP, we find that it's running the same WordPress site with the KittyCatfish SQL injection vulnerability, as shown by the HTML source code.



I used SQL queries to enumerate the SQL injection vulnerability: "union select 0x6b635f61645f637373,(select @@version)" to check the SQL version, and "union+select+0x6b635f61645f637373,%28SELECT%20GROUP_CONCAT%28table_name%29%20FROM%20information_schema.tables%20WHERE%20table_schema=database%28%29%20GROUP%20BY%20table_name%20LIMIT%200,1%29" to dump the table names. Since we are injecting the SQL commands via a PHP parameter, we hex-encode string data so it survives the trip through the URL. 0x6b635f61645f637373 is just the hex encoding of kc_add_css, a value found in the KittyCatfish plugin code.





And finally, we find the token!

