pv_0x05/pv_0x05.tex

2021-12-18 02:27:55 +01:00
% vim: tw=0 wrap
\documentclass[12pt,a4paper]{article}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage{amsmath}
\usepackage[pdftex,pdfsubject={Protocol 5},]{hyperref}
\usepackage{url}
\usepackage{hyperxmp}
\usepackage[affil-it]{authblk}
\usepackage{enumitem}
\usepackage{graphicx}
\graphicspath{ {./img/} }
\date{\today}
\title{Protocol 5 - \textbf{Information gathering}}
\author{Adam Mirre}
\begin{document}
\affil{FAI UTB, Zlín}
\maketitle
\tableofcontents
\paragraph{Task}
\textit{Find out what operating systems and what services are running on given
IP addresses.\\Enclose screenshots of the scans and create tables with
information on the services running and exploits found. You may also add more
details on the type and ramifications of particular exploits. You must also
attach the website, on which you have found the exploit.\\Use \texttt{gobuster}
with the \texttt{big.txt} dictionary for HTTP services, document the learnt
directory layout.}\\
IPs:
\begin{enumerate}[nosep,topsep=2pt,itemsep=2pt]
\item 10.53.26.42
\item 10.53.27.125
\item 10.53.27.182
\item 10.53.27.164
\end{enumerate}
\newpage
\section{Information gathering}
\subsection{10.53.26.42}
Figure~\ref{h1_80} shows the result of running \texttt{gobuster} against host 1 on port 80.
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{gobuster-h1-80}
\caption{gobuster on h1, port 80}
\label{h1_80}
\end{figure}
\newpage
The \texttt{nmap} scan, shown in part in figure~\ref{h1_nmap}, reports the OS
of the host as \texttt{Microsoft Windows Server 2008 R2 - 2012}. This is a
version range, not a date: the fingerprint matches either Windows Server 2008
R2 or Windows Server 2012 and \texttt{nmap} cannot tell the two apart from this
scan; the string says nothing about when the host was last updated. No
vulnerabilities were found for the services on this host.
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{h1-nmap}
\caption{h1 \texttt{nmap} scan revealing an IIS web server and the SMB service
that yields the OS version string.}
\label{h1_nmap}
\end{figure}
\newpage
\subsection{10.53.27.125}
Figure~\ref{h2_22} shows \texttt{(deb7u2)} as part of the version string of the
running SSH daemon package.
\begin{figure}[!hbt]
\centering
\includegraphics[width=.75\textwidth]{h2-22-ssh}
\caption{\texttt{SSH} daemon on h2}
\label{h2_22}
\end{figure}
According to the Debian developer's reference
(\url{https://www.debian.org/doc/manuals/developers-reference/pkgs.html#nmu-changelog}),
the number in the \texttt{deb<number>u<update>} suffix is the Debian release
the package update was built for, so the OS running on this host can be
determined as \texttt{Debian 7}.
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{h2-80-msf-joomla}
\caption{Web server/framework + OS id as shown in \texttt{msfconsole}}
\label{h2_jomla}
\end{figure}
The \texttt{Joomla!} open source content management system in version 1.5.15
is affected by a number of published vulnerabilities, including directory
traversal, SQL error information disclosure, XSS and a token-based remote
administrator password change:
\begin{itemize}[nosep,topsep=2pt,itemsep=2pt]
\item \url{https://www.exploit-db.com/exploits/34955}
\item \url{https://www.exploit-db.com/exploits/46710}
\item \url{https://www.exploit-db.com/exploits/6234}
\end{itemize}
\newpage
Figure~\ref{h2_80} shows the directories \texttt{gobuster} discovered on host 2, port 80.
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{gobuster-h2-80}
\caption{\texttt{gobuster} on h2, port 80}
\label{h2_80}
\end{figure}
\newpage
\subsection{10.53.27.182}
Based on figure~\ref{h3_445_msf}, in which the Metasploit scanner module
\texttt{smb\_version} was used, as well as on an \texttt{nmap} OS-detection
scan (with \texttt{nmap}'s own confidence estimate of 90\%), the OS appears to
be \texttt{Windows XP with SP3}.
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{msfconsole-3}
\caption{\texttt{msf} smb\_version module executed against h3}
\label{h3_445_msf}
\end{figure}
\newpage
Figure~\ref{h3_445_nmap} shows the vulnerabilities that \texttt{nmap}'s
vulnerability scripts reported for the SMB service version found on this host.
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{h3-445-smb-vulns}
\caption{\texttt{nmap} w/ vulns scanning}
\label{h3_445_nmap}
\end{figure}
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{gobuster-h3-8080}
\caption{\texttt{gobuster} on h3, port 8080}
\label{h3_8080}
\end{figure}
\newpage
Figures \ref{h3_8080} and \ref{h3_jboss} indicate that a JBoss application
server is running on port 8080 on top of Apache Tomcat in version 5.5.
According to \url{https://www.exploit-db.com/exploits/12343}, this Tomcat
version is affected by a remote information disclosure vulnerability.
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{h3-8080-jboss}
\caption{\texttt{jboss} under \texttt{Apache Tomcat} on h3}
\label{h3_jboss}
\end{figure}
\newpage
\subsection{10.53.27.164}
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{h4-22-ssh}
\caption{\texttt{SSH} daemon on h4}
\label{h4_22}
\end{figure}
Based on the host information in fig.~\ref{h4_22}, a search for the SSH
package version string led to
\url{https://ubuntu.com/security/notices/USN-3885-2}, which in turn revealed
the OS as \texttt{Ubuntu 18.04}.
The SSH daemon version in question is listed in ExploitDB
(\url{https://www.exploit-db.com/exploits/45939}) as vulnerable to user
enumeration. Note, however, that Ubuntu backports security fixes without
changing the upstream OpenSSH version number, so the banner alone does not
prove that this particular build is still affected; the package changelog for
the Ubuntu revision shown in the banner, or a direct test, would settle it.
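The banner-based inference used for host 2 (the \texttt{deb7u2} suffix) and host 4 (the Ubuntu package revision) can be automated. The script below is an added example, not code from the original report: it parses an OpenSSH banner, reads the Debian release from the \texttt{+debNuM} suffix and maps an Ubuntu build to its LTS release through a small table. That table, the function names and the sample banners are assumptions of the example rather than data from the scans.

```python
"""Infer a Linux distribution release from an OpenSSH server banner.

Added example, not part of the original report.  It generalises the two
manual lookups made in the report: the Debian "+debNuM" stable-update
suffix (deb7u2 -> Debian 7) and the Ubuntu package revision ("4ubuntu0.3")
that led to USN-3885-2.  UBUNTU_OPENSSH is an assumed table of the OpenSSH
upstream version shipped by each Ubuntu LTS release.
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Assumed mapping: upstream OpenSSH version -> Ubuntu LTS release that ships it.
UBUNTU_OPENSSH = {
    "6.6.1p1": "14.04",
    "7.2p2": "16.04",
    "7.6p1": "18.04",
    "8.2p1": "20.04",
    "8.9p1": "22.04",
}

# SSH-<proto>-OpenSSH_<version>[ <vendor packaging string>]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<version>\d[0-9A-Za-z.]*)"
    r"(?:\s+(?P<vendor>\S+))?"
)


@dataclass
class BannerInfo:
    protocol: str
    openssh: str            # upstream OpenSSH version, e.g. "7.6p1"
    vendor: Optional[str]   # distro packaging string, e.g. "Ubuntu-4ubuntu0.3"
    os_guess: Optional[str]
    note: str


def parse_banner(banner: str) -> BannerInfo:
    """Parse one banner line; raises ValueError for non-OpenSSH banners."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    proto, version, vendor = m.group("proto", "version", "vendor")
    os_guess, note = None, "no distribution marker in banner"

    if vendor and vendor.startswith("Debian"):
        # Debian-<rev>+deb<release>u<update>: the suffix names the stable
        # release the security update was built for.
        deb = re.search(r"\+deb(\d+)u(\d+)", vendor)
        if deb:
            os_guess = f"Debian {deb.group(1)}"
            note = f"stable update {deb.group(2)} of the Debian {deb.group(1)} package"
        else:
            note = "Debian packaging without a +debNuM suffix (testing/unstable or backport)"
    elif vendor and vendor.startswith("Ubuntu"):
        # Ubuntu-<rev>ubuntu<n>.<m>: the upstream version pins the release,
        # the ubuntu revision carries the backported security fixes.
        rel = UBUNTU_OPENSSH.get(version)
        rev = re.search(r"(\d+ubuntu[\d.]+)", vendor)
        os_guess = f"Ubuntu {rel}" if rel else None
        note = (f"package revision {rev.group(1) if rev else '?'}; Ubuntu backports "
                "fixes without bumping the upstream version, so check the USN or "
                "changelog for that revision rather than the upstream version alone")
    return BannerInfo(proto, version, vendor, os_guess, note)


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the banner the SSH daemon sends first (live network call)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(255).decode("ascii", errors="replace").split("\n")[0]


if __name__ == "__main__":
    # Constructed banners; only the deb7u2 and Ubuntu markers come from the
    # report, the OpenSSH version numbers are illustrative.
    for b in ("SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2",
              "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",
              "SSH-2.0-OpenSSH_8.4"):
        info = parse_banner(b)
        print(f"{b:45} -> {info.os_guess} ({info.note})")
```

Against a live host, \texttt{parse\_banner(grab\_banner(ip))} gives the same result as reading the \texttt{nmap} service line by hand; the \texttt{note} field carries the backport caveat so that the OS guess is not mistaken for a patch-level statement.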
\newpage
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{gobuster-h4-80}
\caption{\texttt{gobuster} on h4, port 80}
\label{h4_80}
\end{figure}
The \texttt{gobuster} scan of port 80 on host 4 yielded a couple of interesting
directory names such as \texttt{phpmyadmin} and \texttt{test} (figure~\ref{h4_80}).
\newpage
\begin{figure}[!hbt]
\centering
\includegraphics[width=.90\textwidth]{h4-443-gitea}
\caption{\texttt{Gitea} version 1.9.3 on h4}
\label{h4_443_gitea}
\end{figure}
Next, a Gitea service in version 1.9.3 was found on the host. The stable Gitea
release current at the time of writing is \texttt{1.15.7}
(\url{https://github.com/go-gitea/gitea/releases/tag/v1.15.7}), so this
instance is several releases behind and should be updated soon.
A \texttt{gobuster} scan showed only standard Gitea paths.
\begin{figure}[!hbt]
\centering
\includegraphics[width=.90\textwidth]{gobuster-h4-443-gitea}
\caption{\texttt{gobuster} on h4, port 443, no TLS}
\label{h4_443}
\end{figure}
\newpage
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{msf-gitea-rce}
\caption{\texttt{msfconsole} - Gitea RCE}
\label{h4_gitea_rce}
\end{figure}
Further, the Gitea version on this host can be assumed to be vulnerable to an
authenticated RCE exploit (\url{https://www.exploit-db.com/exploits/49571},
tested on slightly newer versions) if \texttt{git hooks} are enabled, as
documented in figures \ref{h4_gitea_rce} and \ref{h4_gitea_rce_descr}. Only
authenticated users are able to exploit it, so exposure could be limited by
disabling self-registration and having an instance administrator create
accounts manually for trusted people only. This obviously does not scale well
and is not suitable for a public instance; a more robust option is to keep the
git hook feature itself disabled, or to grant the right to create git hooks to
as few accounts as possible, since in Gitea it is a privilege an administrator
grants per user rather than something every authenticated user has.
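The registration and git-hook settings just mentioned live in Gitea's \texttt{app.ini}. The script below is an added example, not code from the original report or from the Gitea project: it checks a configuration for the permissive values and shows the hardened values beside them. The setting names follow the Gitea \texttt{app.ini} documentation, but their availability in a specific Gitea version and the sample configurations are assumptions of the example.

```python
"""Audit a Gitea app.ini for the two settings that bound the git-hook RCE
discussed in the report: self-registration and custom git hooks.

Added example, not part of the original report or of Gitea.  Setting names
follow the Gitea app.ini documentation ([service] DISABLE_REGISTRATION,
[security] DISABLE_GIT_HOOKS); whether a given Gitea build honours
DISABLE_GIT_HOOKS is assumed, so verify it against the docs for your version.
"""
import configparser
from typing import List

# Constructed app.ini fragments: a permissive configuration and a hardened one.
WEAK_INI = """\
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false

[security]
DISABLE_GIT_HOOKS = false
"""

HARDENED_INI = """\
[service]
DISABLE_REGISTRATION = true

[security]
DISABLE_GIT_HOOKS = true
"""

# (section, key, safe value, what the unsafe value enables)
CHECKS = [
    ("service", "DISABLE_REGISTRATION", True,
     "anyone can self-register and obtain the authenticated position the exploit needs"),
    ("security", "DISABLE_GIT_HOOKS", True,
     "users with the git-hook privilege can run arbitrary commands on the host"),
]


def load_ini(text: str) -> configparser.ConfigParser:
    """Gitea's ini dialect has no %-interpolation; keys are matched case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(text: str) -> List[str]:
    """Return one finding per check whose value is not the safe one.

    A key that is absent is reported as well: defaults can differ between
    Gitea versions, so an explicit value is what we want to see.
    """
    cp = load_ini(text)
    findings = []
    for section, key, safe, why in CHECKS:
        if not cp.has_option(section, key):
            findings.append(f"[{section}] {key} not set explicitly: {why}")
            continue
        if cp.getboolean(section, key) != safe:
            findings.append(f"[{section}] {key} = {cp.get(section, key)}: {why}")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: {audit(ini) or ['no findings']}")
```

Run \texttt{audit} over the text of a real instance's \texttt{custom/conf/app.ini}; an empty findings list means both settings are explicitly at their safe values, while the weak sample above produces one finding per setting.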
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{msf-gitea-rce-descr}
\caption{\texttt{msfconsole} - Gitea RCE description}
\label{h4_gitea_rce_descr}
\end{figure}
\newpage
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{gobuster-h4-8080}
\caption{\texttt{gobuster} on h4, port 8080}
\label{h4_8080}
\end{figure}
The remaining \texttt{gobuster} scans on host 4 (ports 8080 and 9090, figures
\ref{h4_8080} and \ref{h4_9090}) revealed nothing of interest.
\begin{figure}[!hbt]
\centering
\includegraphics[width=1.00\textwidth]{gobuster-h4-9090}
\caption{\texttt{gobuster} on h4, port 9090}
\label{h4_9090}
\end{figure}
\end{document}