% vim: tw=0 wrap
\documentclass[12pt,a4paper]{article}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage{amsmath}
\usepackage[pdftex,pdfsubject={Protocol 5}]{hyperref}
\usepackage{url}
\usepackage{hyperxmp}
\usepackage[affil-it]{authblk}
\usepackage{enumitem}
\usepackage{graphicx}
\graphicspath{ {./img/} }

\date{\today}
\title{Protocol 5 - \textbf{Information gathering}}
\author{Adam Mirre}
\affil{FAI UTB, Zlín}

\begin{document}
\maketitle
\tableofcontents

\paragraph{Task}
\textit{Find out what operating systems and what services are running on the given IP addresses.\\
Enclose screenshots of the scans and create tables with information on the services running and the exploits found. You may also add more details on the type and ramifications of particular exploits. You must also attach the website on which you have found the exploit.\\
Use \texttt{gobuster} with the \texttt{big.txt} dictionary for HTTP services and document the learnt directory layout.}\\
IPs:
\begin{enumerate}[nosep,topsep=2pt,itemsep=2pt]
  \item 10.53.26.42
  \item 10.53.27.125
  \item 10.53.27.182
  \item 10.53.27.164
\end{enumerate}

\newpage
\section{Information gathering}

\subsection{10.53.26.42}
Figure~\ref{h1_80} shows the result of running \texttt{gobuster} against host 1.
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{gobuster-h1-80}
  \caption{\texttt{gobuster} on h1, port 80}
  \label{h1_80}
\end{figure}

\newpage
The \texttt{nmap} scan partly documented in figure~\ref{h1_nmap} allows us to determine the OS of the host as \texttt{Microsoft Windows Server 2008 R2 - 2012}, probably meaning that the most recent update of the software occurred in 2012. No vulnerabilities were found for the services on this host.
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{h1-nmap}
  \caption{h1 \texttt{nmap} scan revealing the IIS webserver and Samba yielding the OS version string.}
  \label{h1_nmap}
\end{figure}

\newpage
\subsection{10.53.27.125}
Figure~\ref{h2_22} shows \texttt{(deb7u2)} as part of the version string of the running SSH daemon package.
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=.75\textwidth]{h2-22-ssh}
  \caption{\texttt{SSH} daemon on h2}
  \label{h2_22}
\end{figure}
According to the Debian developer's reference (\url{https://www.debian.org/doc/manuals/developers-reference/pkgs.html#nmu-changelog}), the ``number'' in \texttt{deb} is supposed to indicate the Debian release the package is intended for, which in this case means the OS running can be determined as \texttt{Debian 7}.
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{h2-80-msf-joomla}
  \caption{Web server/framework and OS identification as shown in \texttt{msfconsole}}
  \label{h2_jomla}
\end{figure}
The \texttt{Joomla!} Open Source Content Management software version 1.5.15 is affected by a multitude of vulnerabilities, including Directory Traversal, SQL Error Information Disclosure, XSS and Token Remote Admin Change Password:
\begin{itemize}[nosep,topsep=2pt,itemsep=2pt]
  \item \url{https://www.exploit-db.com/exploits/34955}
  \item \url{https://www.exploit-db.com/exploits/46710}
  \item \url{https://www.exploit-db.com/exploits/6234}
\end{itemize}

\newpage
Figure~\ref{h2_80} shows the directory listing on host 2 obtained with \texttt{gobuster}.
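The OS inference used for host 2 above (reading the Debian release out of the \texttt{+debNuM} package revision suffix in the SSH banner) is mechanical enough to script. The following Python is an added example written for this report, not part of the original protocol or of any tool it used: it parses SSH version banners, pulls the Debian release from a \texttt{+deb<release>u<update>} suffix, and, going one step beyond the Debian case, also recognises the Ubuntu-style revision seen on host 4 (where the banner identifies the distribution but the release still has to be looked up, as was done via the USN). The banner strings in \texttt{SAMPLE\_BANNERS} are constructed illustrations, not the exact strings from the screenshots.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample banners for the lab hosts (illustrative values, not the
# exact strings captured in the report's screenshots).
SAMPLE_BANNERS: Dict[str, str] = {
    "10.53.27.125": "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2",
    "10.53.27.164": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",
    "10.53.26.42": "SSH-2.0-OpenSSH_8.1",
}

# RFC 4253 identification string: "SSH-<proto>-<software>[ <comment>]".
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$"
)
# Debian stable-update revision suffix "+deb<release>u<update>", per the
# Debian developer's reference cited in the report.
DEB_RE = re.compile(r"\+deb(?P<release>\d+)u(?P<update>\d+)")
# Ubuntu revisions contain "ubuntu" but do not encode the release number.
UBUNTU_RE = re.compile(r"ubuntu", re.IGNORECASE)


@dataclass
class SshFingerprint:
    protocol: str
    software: str
    distro: Optional[str]
    release: Optional[str]
    note: str


def fingerprint_ssh_banner(banner: str) -> Optional[SshFingerprint]:
    """Return what an SSH banner reveals about the distribution, or None if it is not an SSH banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    comment = m.group("comment") or ""
    distro = release = None
    note = "no distribution hint in banner"
    deb = DEB_RE.search(comment)
    if deb:
        distro, release = "Debian", deb.group("release")
        note = f"suffix +deb{release}u{deb.group('update')} encodes the Debian release"
    elif UBUNTU_RE.search(comment):
        distro = "Ubuntu"
        note = "Ubuntu revision found; the release must be looked up from the package version"
    return SshFingerprint(m.group("proto"), m.group("software"), distro, release, note)


def inventory(banners: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a one-line OS hint, as a scan summary table would list it."""
    result: Dict[str, str] = {}
    for host, banner in banners.items():
        fp = fingerprint_ssh_banner(banner)
        if fp is None:
            result[host] = "unparsable banner"
        elif fp.distro is None:
            result[host] = f"{fp.software}: {fp.note}"
        else:
            result[host] = f"{fp.software}: {fp.distro} {fp.release or '(release unknown)'}"
    return result


if __name__ == "__main__":
    for host, line in inventory(SAMPLE_BANNERS).items():
        print(host, "->", line)
```

The Debian branch yields a release number directly, which is why host 2 could be pinned to Debian 7 from the banner alone; the Ubuntu branch deliberately leaves the release unknown, mirroring the extra lookup step the report needed for host 4.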
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{gobuster-h2-80}
  \caption{\texttt{gobuster} on h2, port 80}
  \label{h2_80}
\end{figure}

\newpage
\subsection{10.53.27.182}
Based on the data in figure~\ref{h3_445_msf}, in which the Metasploit scanner module \texttt{smb\_version} was used, as well as an \texttt{nmap} scan (90\% certainty), the OS appears to be \texttt{Windows XP with SP3}.
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{msfconsole-3}
  \caption{\texttt{msf} \texttt{smb\_version} module executed against h3}
  \label{h3_445_msf}
\end{figure}

\newpage
Figure~\ref{h3_445_nmap} shows the vulnerabilities found automatically by \texttt{nmap} for the given SMB service version.
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{h3-445-smb-vulns}
  \caption{\texttt{nmap} vulnerability scan of SMB on h3}
  \label{h3_445_nmap}
\end{figure}
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{gobuster-h3-8080}
  \caption{\texttt{gobuster} on h3, port 8080}
  \label{h3_8080}
\end{figure}

\newpage
Figures~\ref{h3_8080} and \ref{h3_jboss} indicate that a JBoss websocket server is running on the host on port 8080 under Tomcat version 5.5, which according to \url{https://www.exploit-db.com/exploits/12343} is vulnerable to a remote information disclosure vulnerability.
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{h3-8080-jboss}
  \caption{\texttt{jboss} under \texttt{Apache Tomcat} on h3}
  \label{h3_jboss}
\end{figure}

\newpage
\subsection{10.53.27.164}
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{h4-22-ssh}
  \caption{\texttt{SSH} daemon on h4}
  \label{h4_22}
\end{figure}
Based on the host information found in fig.~\ref{h4_22}, searching for the SSH package version string yielded \url{https://ubuntu.com/security/notices/USN-3885-2}, which in turn revealed the OS as \texttt{Ubuntu 18.04}.
The subject SSH daemon version is listed in ExploitDB (\url{https://www.exploit-db.com/exploits/45939}) as vulnerable to user enumeration attacks.

\newpage
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{gobuster-h4-80}
  \caption{\texttt{gobuster} on h4, port 80}
  \label{h4_80}
\end{figure}
The \texttt{gobuster} scan of port 80 on host 4 yielded a couple of interesting folder names such as ``phpmyadmin'' and ``test'' (figure~\ref{h4_80}).

\newpage
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=.90\textwidth]{h4-443-gitea}
  \caption{\texttt{Gitea} version 1.9.3 on h4}
  \label{h4_443_gitea}
\end{figure}
Next, a Gitea service v1.9.3 was found on the host. A recently released stable Gitea version bears the number \texttt{1.15.7} (\url{https://github.com/go-gitea/gitea/releases/tag/v1.15.7}), so this instance should probably be updated soon. A \texttt{gobuster} scan only showed standard Gitea paths.
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=.90\textwidth]{gobuster-h4-443-gitea}
  \caption{\texttt{gobuster} on h4, port 443, no TLS}
  \label{h4_443}
\end{figure}

\newpage
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{msf-gitea-rce}
  \caption{\texttt{msfconsole} - Gitea RCE}
  \label{h4_gitea_rce}
\end{figure}
Further, the subject Gitea version can be assumed to be vulnerable (the exploit was tested on slightly newer versions) to an RCE exploit (\url{https://www.exploit-db.com/exploits/49571}) if \texttt{git hooks} are enabled, as documented in figures \ref{h4_gitea_rce} and \ref{h4_gitea_rce_descr}. Only authenticated users would be able to exploit this, though, which could be controlled by disabling auto/self-registration. Instead, user accounts would be created manually by an instance administrator for trusted people only. This obviously does not scale very well and is not suitable for a public instance.
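The mitigation discussed above, disabling self-registration so that the hook RCE has no anonymous path to an authenticated account, is a matter of two lines in Gitea's \texttt{app.ini}. As an added illustration written for this report (not part of the original protocol and not Gitea's own code), the Python below audits an \texttt{app.ini} for the two relevant settings: \texttt{DISABLE\_REGISTRATION} in the \texttt{[service]} section, which the paragraph recommends, and \texttt{DISABLE\_GIT\_HOOKS} in the \texttt{[security]} section, which removes the custom-hook execution path itself. Both keys are real Gitea settings; the weak and hardened \texttt{app.ini} fragments are constructed, not the lab host's actual configuration, and a missing key is reported as a finding because its default depends on the Gitea version.

```python
import configparser
from typing import List

# Constructed app.ini fragments (not taken from the lab host). The first is
# the exposed state the report describes, the second the hardened form.
WEAK_APP_INI = """\
[service]
DISABLE_REGISTRATION = false

[security]
DISABLE_GIT_HOOKS = false
"""

HARDENED_APP_INI = """\
[service]
DISABLE_REGISTRATION = true

[security]
DISABLE_GIT_HOOKS = true
"""

# (section, key, safe value, why it matters). Both keys are genuine Gitea
# app.ini settings; their defaults vary by version, so a missing key is flagged.
CHECKS = [
    ("service", "DISABLE_REGISTRATION", True,
     "self-registration hands any visitor the authenticated account the hook RCE requires"),
    ("security", "DISABLE_GIT_HOOKS", True,
     "custom git hooks are the code-execution vector; disabling them removes it"),
]


def _as_bool(value: str) -> bool:
    """Interpret the truthy spellings an ini file may use."""
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_gitea_config(ini_text: str) -> List[str]:
    """Return one finding per check that is missing or not at its safe value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Gitea keys are upper-case; keep them as written
    cp.read_string(ini_text)
    findings: List[str] = []
    for section, key, safe, why in CHECKS:
        raw = cp.get(section, key, fallback=None)
        if raw is None:
            findings.append(f"[{section}] {key} not set (default depends on Gitea version): {why}")
        elif _as_bool(raw) != safe:
            findings.append(f"[{section}] {key} = {raw.strip()}: {why}")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_APP_INI), ("hardened", HARDENED_APP_INI)):
        result = audit_gitea_config(text)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Disabling registration addresses the trust-boundary problem the paragraph raises (who can hold an account), while disabling hooks addresses the vector directly, so a public instance that cannot afford manual account creation still has a configuration that closes this particular exposure.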
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{msf-gitea-rce-descr}
  \caption{\texttt{msfconsole} - Gitea RCE description}
  \label{h4_gitea_rce_descr}
\end{figure}

\newpage
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{gobuster-h4-8080}
  \caption{\texttt{gobuster} on h4, port 8080}
  \label{h4_8080}
\end{figure}
The remaining \texttt{gobuster} scans revealed nothing else of interest on host 4.
\begin{figure}[!hbt]
  \centering
  \includegraphics[width=1.00\textwidth]{gobuster-h4-9090}
  \caption{\texttt{gobuster} on h4, port 9090}
  \label{h4_9090}
\end{figure}

\end{document}