A walkthrough
- Look up the network of your virtual machine's NAT adapter with the ifconfig command.
- Perform a host scan with the most common ports on the network (ex: nmap -v -sN 10.0.0.1/24 -F).
- Note a web server running on port 80, SSH on port 22, MySQL on port 3306 and an unknown service on port 25565.
- Make a request to the webservice and notice it is an instance of phpBB, a discussion forum application.
- Notice the board's name is minecraft.
- Check the version number and search the web for it; no known vulnerabilities exist in this version by default.
- Read the messages on the forum and enumerate (find out) that there is a user called webadmin who has administrative privileges.
- Discover the broken access control caused by a weak password policy: the password of webadmin is webadmin.
- Use your administrative privileges to identify (enumerate) other users on the platform.
- Check the MySQL server on port 3306: try to enumerate the users or to log in with a default password (this fails), and check the version for vulnerabilities (no public exploits found).
- Check the unknown service on port 25565 by searching the web for the service associated with the port: minecraft.
- Connect to the minecraft service using a cracked client, notice the message: You are not whitelisted on this server.
- Read up on Minecraft whitelists and notice that cracked servers have the weakness that anyone can choose a username and log in (broken access control).
- Identify a player from the users previously enumerated on the forum, set that username in the client and log in to the service.
- Check your privileges by issuing the /op command: Notice you are an operator.
- Check out the server version information with /version: notice it is the latest version of paper, a custom minecraft server.
- Identify the plugins on the server with /plugins and look up their usage on the command line.
- Look at the functionality of the plugins and try to figure out which of them could potentially hold a vulnerability; notice it is the ImageMaps plugin, as it deals with files and downloads.
- Find out that the content-type checks are too weak to block other file types: only the file extension is checked, not the file's magic bytes.
- Discover a path traversal vulnerability in the image name passed to the ImageMaps download command.
- Learn about the directory structure of this plugin (from the Bukkit documentation) and exploit the server by using the path traversal to download a malicious plugin into the plugins directory.
- With the connect-back shell or other backdoor you uploaded, read the flag from flag.txt in the Minecraft directory.
- From the backdoor, enumerate users and privileges.
- Discover a backup.sh file and a minutely cron job that backs up the Minecraft data.
- Notice that backup.sh is group-writable, that its group is minecraft, but that cron executes it as almighty.
- Modify the backup.sh script to gain code execution as almighty.
- Read the flag from almighty's home directory.
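The ImageMaps weakness above combines two checks that were missing: the download name was never confined to the plugin's image directory, and the file type was judged by extension alone. The following is an added example, not the plugin's own code, showing the extension-only check beside a hardened version that confines the name to a single directory and requires the magic bytes to match the extension. The image directory path is a hypothetical value.

```python
import posixpath
from typing import Optional

# Hypothetical image directory of the plugin; the real layout is in the Bukkit docs.
IMAGE_DIR = "/srv/minecraft/plugins/ImageMaps/images"

# Extension -> image type it must carry, and the leading magic bytes per type.
ALLOWED_EXT = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_check(name: str) -> bool:
    """Extension-only check: the weakness the walkthrough describes."""
    return posixpath.splitext(name)[1].lower() in ALLOWED_EXT


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image type from its magic bytes, ignoring the name."""
    for kind, prefixes in MAGIC.items():
        if data.startswith(prefixes):
            return kind
    return None


def safe_image_path(name: str) -> Optional[str]:
    """Return the on-disk path for a download name, or None if the name
    could escape IMAGE_DIR (separators, NUL, '.' or '..')."""
    if not name or "\x00" in name or "/" in name or "\\" in name:
        return None
    if name in (".", ".."):
        return None
    path = posixpath.normpath(posixpath.join(IMAGE_DIR, name))
    # Defence in depth: the resolved path must still sit directly inside IMAGE_DIR.
    if posixpath.dirname(path) != IMAGE_DIR:
        return None
    return path


def hardened_check(name: str, data: bytes) -> bool:
    """Accept only a plain file name whose extension matches the sniffed
    magic bytes, so a renamed archive with a .png extension is rejected."""
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT or safe_image_path(name) is None:
        return False
    return sniff_image_type(data) == ALLOWED_EXT[ext]
```

Sniffing only the leading bytes is a cheap first filter; a server that renders the image should still decode it fully and store it under a server-generated name.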
As the vulnerability is a path traversal vulnerability, the following CWE-ID is associated with it: CWE-22.
See https://cwe.mitre.org/data/definitions/22.html.
Because the permissions on the script file are incorrectly set, the following CWE-ID is associated with this vulnerability: CWE-732.
See https://cwe.mitre.org/data/definitions/732.html.
- Unknown environments with the latest versions of software do not always mean that the environment is secure.
- Enumeration and research are an important part of penetration testing and make the difference between a human audit and a software scan.
- Privileges on Linux are easily misconfigured; generic scans can help identify such misconfigurations.
- CWE-IDs help to standardize vulnerabilities and to aid in giving advice to the corporations you audit for.