Vulnhub - CHEESEY: CHEESEYJACK
Introduction
Cheeseyjack aims to be an easy to medium level real-world-like box. Everything on this box is designed to make sense, and possibly teach you something.
Enumeration will be key when attacking this machine.
Hint: A cewl tool can help you get past a login page.
This is CHEESEY: CHEESEYJACK from vulnhub.
Ports
We have quite a few ports here:
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 139/tcp open netbios-ssn
- 445/tcp open microsoft-ds
- 2049/tcp open nfs
- 33060/tcp open mysqlx
- 33693/tcp open unknown
- 34577/tcp open unknown
- 38839/tcp open unknown
- 57011/tcp open unknown
So we’ve got SSH, HTTP, what looks like an NFS share, SMB and some other stuff. Let’s investigate.
SMB
No anonymous login; moving along …
NFS
We can mount the share:
And we’ve got a /home directory belonging to ch33s3m4n.
In the /Downloads directory is a file called qdPM_9.1.zip. We can copy this to our local machine and extract the archive; it’s a set of files for a webapp called qdPM, presumably version 9.1. Checking searchsploit, we can see there are a number of exploits:
Presumably this is our target.
HTTP
Turning to the website, we can run a gobuster and turn up a couple of interesting things - /it_security, which contains a note:
Cheese you complete idiot. You hired me to ensure your webapp project stayed secure and you use a weak password like that? What’s wrong with you? A baby could guess that!
-crab
And /project_management, which has a login page for the qdPM 9.1 installation. The home page of the website is a countdown to launch type thing.
Now, the login wants an email address and password, presently we don’t have either of those things - or do we?
On the homepage there is a contact email address: info@cheeseyjack.local. So presumably that is the format we’re looking for. But who is the user? Entering the credentials:
info@cheeseyjack.local:password
returns a message:
Error: No match for Email and/or Password
So that’s not helpful. There is an option for Password forgotten which takes us to http://192.168.1.134/project_management/index.php/login/restorePassword
Entering our ‘info’ address there gives this message:
Error: No records found
What if we use our username we found earlier, i.e. ch33s3m4n@cheeseyjack.local? Well, we get this message instead:
A new password has been sent to your e-mail address
So, we know this email address is valid, and is probably what we want. Unfortunately it does also seem to reset the password on the box! So now we’ve got to reset our VM. Whoops. Oh well, at least this isn’t a real machine.
Now, we got a hint about cewl and about a weak password, so we should listen to that. There aren’t actually many pages (/, /it_security, /project_management) so we can build a small-ish list. I tried running it with Hydra like so:
but it didn’t tell me when I found the right password. Burp Intruder does, but only by the length of the response - the correct password gives a longer response than incorrect ones, but it’s the same HTTP Status Code.
The password we end up using is qdpm, and we can log in.
One more thing
One more note about the website - if we refer to the qdPM_9.1.zip file we downloaded from the NFS share earlier, we can see the directory structure of the qdpm installation. From that, we can find there is a directory (as an example) called /core/config, and if we go to http://192.168.1.135/project_management/core/config/ then we can get a directory listing and access the files without being logged in.
With this we can find databases.yml which contains some credentials:
qdpm:chucktaylors4lyfe
But ultimately this doesn’t help us because MYSQLX on port 33060 won’t accept connections from external IPs. Still, it’s worth noting.
qdPM Exploit
I grabbed one of the exploits from searchsploit and tried to run it as-is (it was a python script) but it didn’t seem to work. A quick flick through the code revealed it was very simple anyway - the concept was just setting a profile picture for the user account to some arbitrary PHP code. It’s literally as simple as using the webapp GUI to upload a PHP shell as the profile picture and then navigating to http://192.168.1.135/project_management/uploads/users/ with a listener open and clicking on the uploaded shell. Easy peasy.
On the box
On the box we find a couple of potentially interesting users in crab and (of course) ch33s3m4n. We can look in crab’s home and find this:
Which leads us to this:
This is the SSH private key for crab. Copying it to our machine, we can chmod 600 it and SSH in as crab.
Privesc
Once we’re in as crab, we find he can run things in his /.bin directory as root. So we can make ourselves a file and execute it.
So here we go:
In this instance test was just a bash script that started bash.